terraform
Multi-subscription Terraform deployment and Azure DevOps Service Connections
While it is understood that Terraform templates can facilitate multi-subscription deployment through the 'alias' concept, as outlined in the documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription#example-usage---creating-a-new-alias-and-subscription-for-an-enrollment-account, how does this integration function within the framework of Azure DevOps pipelines? To illustrate, consider the scenario where you aim to execute the 'terraform apply' command for a template using AZ CLI, deploying resources across multiple subscriptions. AZ CLI requires a service connection object mapped to a specific Azure subscription, leading to deployment failures in other subscriptions, even if the same service connection has access. Is there a better approach to address this issue, or what is the recommendation in terms of creating service connections so that such a template deployment could work?

Revolutionizing Azure Resource Lifecycle with Terraform v1.7.0: Introducing the 'Removed' Block
Context: Let's say you have an Azure environment managed by Terraform, and it includes several Azure Virtual Machines (VMs). Over time, you decide to decommission a VM, but you don't want to destroy it immediately. Instead, you prefer to remove it from Terraform's state management while keeping the VM intact in Azure for archival or auditing purposes.

Traditional Approach: Previously, you would have to use terraform state rm to manually remove the VM from the state file, a process that can be error-prone and lacks the visibility of Terraform's planning phase.

Using the removed Block: With the new removed block, you can now handle this scenario more elegantly and safely. Here's how you might write the Terraform configuration for this:

# The resource block for the VM has been deleted from the configuration.
# Terraform rejects a removed block whose resource block is still present
# ("Removed resource still exists"), so it is kept here only as a comment
# to show what was there before.
#
# resource "azurerm_virtual_machine" "example_vm" {
#   # ... (VM configuration details) ...
# }

# New 'removed' block usage
removed {
  from = azurerm_virtual_machine.example_vm

  lifecycle {
    destroy = false
  }
}

Explanation: The azurerm_virtual_machine.example_vm represents an existing Azure VM in your Terraform configuration. The removed block is used to indicate that this VM should be removed from Terraform's state management. The destroy = false within the lifecycle sub-block tells Terraform not to destroy the actual VM in Azure when applying this change.

Benefits:
Safety and Predictability: You can run terraform plan to see how this change will impact your infrastructure without any immediate effect on the actual resources.
Ease of Use: This approach is more intuitive and reduces the risk of manual errors compared to using terraform state rm.
Better State Management: It provides a declarative way to manage the lifecycle of resources, aligning with Terraform's philosophy.

Conclusion: This example demonstrates how the removed block can be used to manage Azure resources more effectively. It offers a safer and more predictable way to handle resource lifecycles, especially for resources that are being decommissioned but not immediately destroyed.

Azure WAF policy Terraform Checkov scan is failing
Hello all,

By bridgecrew.io | version: 2.4.39
Update available 2.4.39 -> 2.4.48
Run pip3 install -U checkov to update

terraform scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_122: "Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes"
        PASSED for resource: azurerm_web_application_firewall_policy.main
        File: \main.tf:1-65
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-application-gateway-uses-waf-in-detection-or-prevention-modes.html

Check: CKV_AZURE_135: "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
        FAILED for resource: azurerm_web_application_firewall_policy.main
        File: \main.tf:1-65
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-application-gateway-waf-prevents-message-lookup-in-log4j2.html

                Code lines for this resource are too many. Please use IDE of your choice to review the file.

The log4j scan is failing for this resource:

resource "azurerm_web_application_firewall_policy" "main" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location
  tags                = var.tags

  policy_settings {
    enabled                     = var.waf_enabled
    file_upload_limit_in_mb     = var.file_upload_limit_mb
    max_request_body_size_in_kb = var.max_request_body_size_kb
    mode                        = var.firewall_mode
  }

  dynamic "custom_rules" {
    for_each = var.custom_policies
    content {
      name      = custom_rules.value.name
      priority  = custom_rules.value.priority
      rule_type = custom_rules.value.rule_type
      action    = custom_rules.value.action

      dynamic "match_conditions" {
        for_each = var.match_conditions
        content {
          dynamic "match_variables" {
            for_each = var.match_variables
            content {
              variable_name = match_variables.value.match_variable
              selector      = match_variables.value.selector
            }
          }
          operator           = match_conditions.value.operator
          negation_condition = match_conditions.value.negation_condition
          match_values       = match_conditions.value.match_values
        }
      }
    }
  }

  managed_rules {
    managed_rule_set {
      type    = var.rule_set_type
      version = var.rule_set_version

      dynamic "rule_group_override" {
        for_each = var.managed_policies_override
        content {
          rule_group_name = rule_group_override.value.rule_group_name
          disabled_rules  = rule_group_override.value.disabled_rules
        }
      }
    }

    dynamic "exclusion" {
      for_each = var.managed_policies_exclusions
      content {
        match_variable          = exclusion.value.match_variable
        selector                = exclusion.value.selector
        selector_match_operator = exclusion.value.selector_match_operator
      }
    }
  }
}

Azure web application firewall policy terratest is failing
Hello all,

Creating Application Gateway Web Application Firewall Policy: (Name "test-waf-policy-13" / Resource Group "rg--devops-01"): network.WebApplicationFirewallPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayFirewallMatchValueNoCollection" Message="Custom Rule 'customruletest' doesn not have a valid collection match variable 'RemoteAddr' which support selector in its condition in context 'properties.customRules[0].matchConditions[0].matchVariables[0]'." Details=[]

Below is the tfvars file:

"waf_policy_rglocation":                   "northeurope",
"waf_policy_custom_rules_name":            "customruletest",
"waf_policy_custom_rules_priority":        "1",
"waf_policy_custom_rules_rule_type":       "MatchRule",
"waf_policy_match_variable_name":          "RemoteAddr",
"waf_policy_operator":                     "IPMatch",
"waf_policy_negation_condition":           false,
"waf_policy_match_values":                 []string{"192.168.1.0/24"},
"waf_policy_custom_rules_action":          "Block",
"waf_policy_enabled":                      true,
"waf_policy_mode":                         "Prevention",
"waf_policy_request_body_check":           true,
"waf_policy_file_upload_limit_in_mb":      100,
"waf_policy_match_variables_selector":     "UserAgent",
"waf_policy_managed_rules_variable":       "RequestHeaderNames",
"waf_policy_managed_rules_selector":       "x-company-secret-header",
"waf_policy_managed_rules_operator":       "Contains",
"waf_policy_set_type":                     "OWASP",
"waf_policy_version":                      "3.2",
"waf_policy_managed_rules_rule_group_name": "REQUEST-944-APPLICATION-ATTACK-JAVA",
"waf_policy_override_rule_id":             "944130",
"waf_policy_rule_enabled":                 true,
"waf_policy_rule_action":                  "Block",

Assign a Logic Apps system-assigned managed identity to a role with Terraform and ARM template
Hi there,

I am trying to assign a Logic Apps system-assigned managed identity to a role for starting/stopping a virtual machine. I use Terraform to deploy the Logic App template like this:

resource "azurerm_template_deployment" "myterraformscheduledvmdown" {
  name                = "scheduledvmdown"
  resource_group_name = "j14t23resources"

  template_body = <<DEPLOY
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { },
  "variables": { },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "scheduledvmdown",
      "location": "westus2",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": ....
    }
  ],
  "outputs": {
    "appid": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Logic/workflows/', 'scheduledvmdown'), '2019-05-01', 'Full').Identity.tenantId]"
    }
  }
}
DEPLOY

  parameters      = { }
  deployment_mode = "Incremental"
}

output "appid" {
  value = "${lookup(azurerm_template_deployment.myterraformscheduledvmdown.outputs, "appid")}"
}

resource "azurerm_role_assignment" "scheduletovmdown" {
  scope                = azurerm_linux_virtual_machine.myterraformvm.id
  role_definition_name = "Virtual Machine Contributor"
  principal_id         = azurerm_template_deployment.myterraformscheduledvmdown.outputs["appid"]
}

I get the following error message while trying to deploy:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxx-x-x-x-xxxx."

My assumption is that I do not get the right ID with the template's output:

"[reference(resourceId('Microsoft.Logic/workflows/', 'scheduledvmdown'), '2019-05-01', 'Full').Identity.tenantId]"

Do you have any idea what I did wrong? Or a nicer approach to assign the app's generated identity to a VM?

Thanks,
tbz