by danielovichdk 1069 days ago
I use Azure.

When I need to provision anything I have a powershell script that interacts with Azure CLI.

My script sets up a new resource group for every service we create, logging, key vault, webapp/functions, and if needed some kind of data storage or queuing.

In my powershell script I can via a variable indicate which environment I want to spin up: dev, staging, prod.

I have one yaml file which is for my build and a build trigger which points to the above powershell script with the given environment.

All environments: dev, staging or prod are set up manually with manual user assignments for deployment access etc.

It's really lightweight but I also believe it's lightweight because we run a small services setup where each service takes care of its own provisioning.

Terraform and Yaml are so verbose but that's not the most problematic. You can't execute those files from your local machine.

6 comments

> Terraform and Yaml are so verbose but that's not the most problematic. You can't execute those files from your local machine.

Have you ever actually used terraform? You execute it from your own local computer, or from CI/CD. It runs in a compute resource you own, not the cloud provider.

> You can't execute those files from your local machine.

You can execute terraform from a local machine just as easily as a powershell script. I dare say you could even make it work with a shebang if you wanted (though I’ve never tried that).

> When I need to provision anything I have a powershell script that interacts with Azure CLI.

Sounds painful, as you have to make it declarative yourself, while Terraform (which runs perfectly fine on my local machine) is already declarative.

Why not Bicep?

https://learn.microsoft.com/en-us/azure/azure-resource-manag...

I have found it quite joyful to use with Azure.

Looks to me like a vendor specific language with limited capabilities compared to others. Just use Pulumi TypeScript (self hosted). I'm not affiliated with Pulumi, it's just that unjustified vendor lock-in infuriates me.

Bicep has limitations which make it non-declarative even though it is marketed as declarative: https://learn.microsoft.com/en-us/azure/azure-resource-manag...

MSFT is trying to add features to make this better, but it is not in production yet: https://github.com/Azure/bicep/issues/10460

Additionally, Bicep does not support interacting with Azure Active Directory: https://github.com/Azure/bicep/issues/7724

So it really is not very useful. Terraform is better in almost every single conceivable way.

We use it in our company to provision all our cloud resources. Granted, you can't create app registrations and such with it (yet) like you mentioned, and there are rough spots, but I think that is quite far from "not very useful".

I also worked for a company that used it, but the reasons they used it seemed almost entirely political.

Also, the issues I highlighted are quite old, I don't think deployment stacks will exist before 2024.

And not deleting resources, including role assignments, when they are deleted from your IAC source files makes it sub-optimal by Microsoft's own reckoning https://learn.microsoft.com/en-us/devops/deliver/what-is-inf...

> IaC should use declarative definition files if possible.

Bicep just is not good. It may be better than nothing, but there are better alternatives.

Just use Pulumi (self-hosted in blob storage). Using a custom script is not a good choice when you could use the right tool for the job.

You can execute Terraform from within Azure or a machine external to Azure. Just need a service principal.

> Just need a service principal

You can execute it also on your computer, and when an individual runs it, it really should not use a service principal, as those are intended for IAM of automated systems, not people.

I run terraform against my Azure sandbox from my computer with nothing more than Azure CLI credentials that were stored after I logged in with az.

I don’t know if it is particular to Azure Stack, but I need a service principal.