@cahitihac
Last active February 13, 2024 17:19
Azure & Terraform

Encode a PFX file as base64 (useful for storing it in GitHub secrets)

base64 -i SPN-certificate.pfx -o SPN-certificate.txt

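Create a PEM file for authenticating with the Azure CLI as a service principal (SPN)

Note that -nodes writes the private key into the PEM file unencrypted, so treat the output file as a secret.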

openssl pkcs12 -in SPN-certificate.pfx -out SPN-certificate.pem -nodes -password pass:'password'

Re-create a PFX file from the existing one

In some cases, Terraform may not accept the PFX file due to this issue.

The solution is to re-create the PFX file. Run the following commands in order.

openssl pkcs12 -in pfx-cert-name.pfx -out key-file-name.key -nodes -password pass:'password' -nocerts
openssl pkcs12 -in pfx-cert-name.pfx -out crt-file-name.crt -nodes -password pass:'password' -nokeys

openssl pkcs12 -export -out "pfx-cert-name.pfx" -inkey "key-file-name.key" -in "crt-file-name.crt" -macalg sha1 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -password pass:'password'

Log in to Azure via the Azure CLI using an SPN and certificate

az login --service-principal --username "$ARM_CLIENT_ID" --tenant "$ARM_TENANT_ID" --password ./SPN-certificate.pem
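
An added example (not part of the original gist) of the consuming side of the encode, convert and login steps above, as they might run in a CI job: decode the base64 secret into a private temp file, convert it to PEM with the password passed through the environment instead of the command line, and check that the PEM holds both key and certificate before az login. PFX_B64 and PFX_PASSWORD are assumed variable names.

```shell
#!/bin/sh
# Added example, not from the original gist. PFX_B64 and PFX_PASSWORD are
# assumed names for the CI secrets holding the base64 text and the PFX password.

# Decode base64 text ($1) into a private temp file and print the file's path.
# mktemp creates the file with mode 0600. Fails on invalid or empty input.
restore_pfx() {
    _out="$(mktemp)" || return 1
    if ! printf '%s' "$1" | base64 --decode > "$_out" 2>/dev/null \
        || [ ! -s "$_out" ]; then
        rm -f "$_out"
        return 1
    fi
    printf '%s\n' "$_out"
}

# Convert PFX ($1) to PEM ($2). -passin env: keeps the password out of the
# process list; umask 077 keeps the unencrypted key (-nodes) owner-only.
pfx_to_pem() {
    ( umask 077 && openssl pkcs12 -in "$1" -out "$2" -nodes -passin env:PFX_PASSWORD )
}

# az login needs the private key and the certificate in the same PEM file.
pem_has_key_and_cert() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" &&
        grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Runs only when the secret is present, e.g. in a GitHub Actions step.
if [ -n "${PFX_B64:-}" ]; then
    pfx="$(restore_pfx "$PFX_B64")" || { echo "PFX_B64 is not valid base64" >&2; exit 1; }
    pem="$(mktemp)"
    trap 'rm -f "$pfx" "$pem"' EXIT   # remove key material when the step ends
    pfx_to_pem "$pfx" "$pem" || exit 1
    pem_has_key_and_cert "$pem" || { echo "PEM lacks key or certificate" >&2; exit 1; }
    az login --service-principal --username "$ARM_CLIENT_ID" \
        --tenant "$ARM_TENANT_ID" --password "$pem"
fi
```

PFX_PASSWORD must be exported in the step's environment for -passin env: to see it.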

Terraform init with remote backend (state) configuration for GitHub Actions

terraform init \
  -backend-config='resource_group_name=${{ secrets.RESOURCE_GROUP_NAME }}' \
  -backend-config='storage_account_name=${{ secrets.STORAGE_ACCOUNT_NAME }}' \
  -backend-config='container_name=${{ secrets.STORAGE_CONTAINER_NAME }}' \
  -backend-config='key=${{ vars.ENV_NAME }}.terraform.tfstate'

The following is needed in main.tf when using the above

terraform {
  backend "azurerm" {}
}

Import an existing resource from Azure into the Terraform state

terraform import azurerm_key_vault_access_policy.policy1 "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.KeyVault/vaults/xxx/objectId/xxx"

Delete a resource from the state

terraform state rm azurerm_key_vault_access_policy.policy1

Some limitations on function apps

https://www.garyjackson.dev/posts/azure-function-app-conflicting-plans/

https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#limitations-for-creating-new-function-apps-in-an-existing-resource-group

Set a default subscription

az account set --subscription "subscriptionId"

List all blobs in a container

az storage blob list --account-name storage_account_name --container-name container_name

Delete a blob from a container

az storage blob delete --account-name storage_account_name --container-name container_name --name "blob_file_name"

Break a lease on a blob

az storage blob lease break --account-name storage_account_name --container-name container_name --blob-name "blob_file_name"