How, if possible, to add "Archive to a storage account" in terraform? - azure-keyvault

Is there an option to enable "Archive to a storage account" in Keyvault diagnostic in Azure provider of Terraform?


If you want to configure diagnostic settings for Azure Key Vault, we can use the azurerm_monitor_diagnostic_setting resource to configure it. For more details, please refer to here
For example
Create a service principal
az login
az account set --subscription "SUBSCRIPTION_ID"
az ad sp create-for-rbac --role "Contributor" --scopes "/subscriptions/<subscription_id>"
Script
provider "azurerm" {
version = "~>2.0"
subscription_id = ""
client_id = "sp appId"
client_secret = "sp password"
tenant_id = "sp tenant"
features {}
}
data "azurerm_storage_account" "mystorage" {
name = ""
resource_group_name = ""
}
data "azurerm_key_vault" "mykey" {
name = ""
resource_group_name =""
}
resource "azurerm_monitor_diagnostic_setting" "example" {
name = "example"
target_resource_id = data.azurerm_key_vault.mykey.id
storage_account_id = data.azurerm_storage_account.mystorage.id
log {
category = "AuditEvent"
enabled = false
retention_policy {
enabled = false
}
}
metric {
category = "AllMetrics"
retention_policy {
enabled = false
}
}
}

Related

Azure event hub using terraform

I have question related to terraform code for azure event hub.
What are the security principles and policies that we need to take care while deploying azure event hub securely through terraform?. If possible please share the terraform code also.
Thanks
I have checked few docs but unable to understand it.

I tried to reproduce the same in my environment to create an Azure event hub using Terraform:
Terraform Code:
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "venkyrg" {
name = "venkyrg1"
location = "West Europe"
}
resource "azurerm_eventhub_namespace" "example" {
name = "venkatnamespace"
location = azurerm_resource_group.venkyrg.location
resource_group_name = azurerm_resource_group.venkyrg.name
sku = "Standard"
capacity = 1
tags = {
environment = "Production"
}
}
resource "azurerm_eventhub" "example" {
name = "venkateventhub"
namespace_name = azurerm_eventhub_namespace.example.name
resource_group_name = azurerm_resource_group.venkyrg.name
partition_count = 2
message_retention = 1
}
#Event hub Policy creation
resource "azurerm_eventhub_authorization_rule" "example" {
name = "navi"
namespace_name = azurerm_eventhub_namespace.example.name
eventhub_name = azurerm_eventhub.example.name
resource_group_name = azurerm_resource_group.venkyrg.name
listen = true
send = false
manage = false
}
# Service Prinicipal Assignment
resource "azurerm_role_assignment" "pod-identity-assignment" {
scope = azurerm_resource_group.resourceGroup.id
role_definition_name = "Azure Event Hubs Data Owner"
principal_id = "74cca40a-1d7e-4352-a66c-217eab00cf33"
}
Terraform Apply:
Once ran the code resources are created with event hub policies in Azure successfully, like below.
Policy Status:
Azure Built-in roles for Azure Event Hubs
Reference: Azurerm-eventhub with Terraform

How to create multiple alerts for single resource in azure using terraform

How to create multiple alerts for single resource in azure using terraform (i.e CPU, Memory & Disk I/O alerts of a VM)

Please check this below code to create multiple alerts for single resource
provider "azurerm"
features{}
}
resource "azurerm_resource_group" "rgv" {
name = "<resource group name>"
location = "west us"
}
resource "azurerm_monitor_action_group" "agv" {
name = "myactiongroup"
resource_group_name = azurerm_resource_group.rgv.name
short_name = "exampleact"
}
resource "azurerm_monitor_metric_alert" "alert" {
name = "example-metricalert"
resource_group_name = azurerm_resource_group.rgv.name
scopes = ["/subscriptions/1234XXXXXX/resourceGroups/<rg name>/providers/Microsoft.Compute/virtualMachines/<virtualmachine name>"]
description = "description"
target_resource_type = "Microsoft.Compute/virtualMachines"
criteria {
metric_namespace = "Microsoft.Compute/virtualMachines"
metric_name = "Percentage CPU"
aggregation = "Total"
operator = "GreaterThan"
threshold = 80
}
action {
action_group_id = azurerm_monitor_action_group.agv.id
}
}
Reference: hashicorp azurerm_monitor_metric_alert

Azure Terraform Web App private Endpoint virtual network

I am trying to automate the deployment of an azure virtual network and azure web app.
During the deployment of those resources, everything went just fine and no errors. So I wanted to try to activate the private endpoint on the web app. This is my configuration on terraform.
resource "azurerm_virtual_network" "demo-vnet" {
name = "virtual-network-test"
address_space = ["10.100.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.rg-testing-env.name
}
resource "azurerm_subnet" "front_end" {
name = "Front_End-Subnet"
address_prefixes = ["10.100.5.0/28"]
virtual_network_name = azurerm_virtual_network.demo-vnet.name
resource_group_name = azurerm_resource_group.rg-testing-env.name
delegation {
name = "testing-frontend"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
And on the web app itself, I set this configuration
resource "azurerm_app_service_virtual_network_swift_connection" "web-app-vnet" {
app_service_id = azurerm_app_service.app-test.example.id
subnet_id = azurerm_subnet.front_end.id
}
NOTE: On my first deployment, the swift failed because I had not delegation on the virtual network, so I had to add the delegation on the subnet to be able to run terraform.
After setting in place all the configuration, I run my terraform, everything run just smoothly, no errors.
After the completion, I checked my web app Private Endpoint and that was just off.
Can please anyone explain me what am I doing wrong here?. I thought that the swift connection was the block of code to activate the Private endpoint but apparently I am missing something else.
Just to confirm my logic workflow, I tried to do the manual steps in the portal. But surprisingly I was not able because I have the delegation on the subnet, as you can see.
Thank you so much for any help and/or explanation you can offer to solve this issue

I have used the below code to test the creation of VNET and Web app with private endpoint.
provider "azurerm" {
features{}
}
data "azurerm_resource_group" "rg" {
name = "ansumantest"
}
# Virtual Network
resource "azurerm_virtual_network" "vnet" {
name = "ansumanapp-vnet"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
address_space = ["10.4.0.0/16"]
}
# Subnets for App Service instances
resource "azurerm_subnet" "appserv" {
name = "frontend-app"
resource_group_name = data.azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.4.1.0/24"]
enforce_private_link_endpoint_network_policies = true
}
# App Service Plan
resource "azurerm_app_service_plan" "frontend" {
name = "ansuman-frontend-asp"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
kind = "Linux"
reserved = true
sku {
tier = "Premium"
size = "P1V2"
}
}
# App Service
resource "azurerm_app_service" "frontend" {
name = "ansuman-frontend-app"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
app_service_plan_id = azurerm_app_service_plan.frontend.id
}
#private endpoint
resource "azurerm_private_endpoint" "example" {
name = "${azurerm_app_service.frontend.name}-endpoint"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.appserv.id
private_service_connection {
name = "${azurerm_app_service.frontend.name}-privateconnection"
private_connection_resource_id = azurerm_app_service.frontend.id
subresource_names = ["sites"]
is_manual_connection = false
}
}
# private DNS
resource "azurerm_private_dns_zone" "example" {
name = "privatelink.azurewebsites.net"
resource_group_name = data.azurerm_resource_group.rg.name
}
#private DNS Link
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
name = "${azurerm_app_service.frontend.name}-dnslink"
resource_group_name = data.azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.example.name
virtual_network_id = azurerm_virtual_network.vnet.id
registration_enabled = false
}
Requirements:
As you can see from the above code the Private Endpoint , Private DNS and Private DNS Link block are required for creating the private endpoint and enabling it for the app service.
The App service Plan needs to have Premium Plan for having Private
endpoint.
The Subnet to be used by Private Endpoint should have
enforce_private_link_endpoint_network_policies = true set other
wise it will error giving message as subnet has private endpoint network policies enabled , it should be disabled to be used by Private endpoint.
DNS zone name should only be privatelink.azurewebsites.net as you are creating a private endpoint for webapp.
Outputs:

How to copy a file from local machine to a storage account using Terraform

I have created a storage account and created a file share in it too using Terraform. I want to copy some files from my local machine to that storage account using Terraform. Is that possible? If yes, then how?
Here is my code-
provider "azurerm" {
# whilst the `version` attribute is optional, we recommend pinning to a given version of the Provider
version = "=2.0.0"
subscription_id = "xxx-xxxx-xxxx-xxxx"
tenant_id = "xxxxx-xxxxx-xxxx-xxxx"
features {}
}
resource "azurerm_resource_group" "example" {
name = "azuretest"
location = "West Europe"
}
resource "azurerm_storage_account" "example" {
name = "asdfghjklteststorage"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_storage_share" "example" {
name = "sharename"
storage_account_name = azurerm_storage_account.example.name
quota = 50
acl {
id = "xxx-xxx-xxx-xxx"
access_policy {
permissions = "rwdl"
start = "2020-05-10T09:38:21.0000000Z"
expiry = "2020-07-02T10:38:21.0000000Z"
}
}
}
resource "null_resource" "uploadfile" {
provisioner "local-exec" {
command = <<-EOT
$storageAcct = Get-AzStorageAccount -ResourceGroupName "${azurerm_resource_group.example.name}" -Name "${azurerm_storage_account.example.name}"
Set-AzStorageFileContent `
-Context $storageAcct.Context `
-ShareName "${azurerm_storage_share.example.name}" `
-Source "C:\Users\xxx\xxx\xxx\Untitled.png" `
-Path "Untitled.png"
EOT
interpreter = ["PowerShell", "-Command"]
}
}

You could use local-exec provisioner invokes a local executable after a resource is created. See upload a file to Azure file share with PowerShell.
For example,
resource "azurerm_storage_share" "example" {
name = "sharename"
storage_account_name = azurerm_storage_account.example.name
quota = 50
acl {
id = "xxxxxxxxxxxxxxx"
access_policy {
permissions = "rwdl"
start = "2020-05-10T09:38:21.0000000Z"
expiry = "2020-07-02T10:38:21.0000000Z"
}
}
}
resource "null_resource" "uploadfile" {
provisioner "local-exec" {
command = <<-EOT
$storageAcct = Get-AzStorageAccount -ResourceGroupName "${azurerm_resource_group.example.name}" -Name "${azurerm_storage_account.example.name}"
Set-AzStorageFileContent `
-Context $storageAcct.Context `
-ShareName "${azurerm_storage_share.example.name}" `
-Source "C:\Users\xxx\terraform\test.txt" `
-Path "test.txt"
EOT
interpreter = ["PowerShell", "-Command"]
}
}
Result
For more information, you could read this blog.

For anyone coming from Google, it's worth pointing out you that in early 2022 should now be able to use azurerm_storage_share_file. This worked great for me to upload a single file. To upload multiple files it looks like you will require multiple resources
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file
resource "azurerm_storage_share_file" "example" {
name = "test.txt"
storage_share_id = azurerm_storage_share.example.id
source = "${path.root}/TestFiles/test.txt"
}

how do I add virtual network to api management with terraform?

how do I add virtual network to api management?
https://www.terraform.io/docs/providers/azurerm/r/api_management.html#virtual_network_configuration
A virtual_network_configuration block supports the following:
subnet_id - (Required) The id of the subnet that will be used for the API Management.

Just add the subnet Id as it shows in Terraform. Here is an example code:
provider "azurerm" {
features {}
}
data "azurerm_subnet" "example" {
name = "default"
virtual_network_name = "vnet-name"
resource_group_name = "group-name"
}
resource "azurerm_api_management" "example" {
name = "example-apim"
location = "East US"
resource_group_name = "group-name"
publisher_name = "My Company"
publisher_email = "company#terraform.io"
sku_name = "Developer_1"
virtual_network_type = "Internal"
virtual_network_configuration {
subnet_id = data.azurerm_subnet.example.id
}
policy {
xml_content = <<XML
<policies>
<inbound />
<backend />
<outbound />
<on-error />
</policies>
XML
}
}
And you can change the virtual network type as you need, also for other properties. I use the existing Vnet, you can create a new one or also use the existing one, it all depends on yourself.

Resources