Skip to content

Instantly share code, notes, and snippets.

View geekzter's full-sized avatar

Eric van Wijk geekzter

120 followers · 89 following
View GitHub Profile
@geekzter
geekzter / scale-set-agent-aks-peering.tf
Last active May 24, 2021 09:02
Terraform VNet peering from Azure VM scale set agent
data azurerm_virtual_network peered_network {
name = element(split("/",var.peer_network_id),length(split("/",var.peer_network_id))-1)
resource_group_name = element(split("/",var.peer_network_id),length(split("/",var.peer_network_id))-5)
count = var.peer_network_id == "" ? 0 : 1
}
resource azurerm_virtual_network_peering peer_to_network {
name = "${azurerm_virtual_network.network.name}-from-peer"
resource_group_name = data.azurerm_virtual_network.peered_network.0.resource_group_name
@geekzter
geekzter / scale-set-agent-terraform-input-vars.yaml
Last active May 24, 2021 08:35
Azure VM scale set environment variables for Terraform input
- pwsh: |
# 1. Use pipeline agent VNet as network to peer from
$env:TF_VAR_peer_network_id ??= $env:GEEKZTER_AGENT_VIRTUAL_NETWORK_ID
# 2. Set random CIDR (to reduce the risk of clashing VNet peerings with agent VNet)
$env:TF_VAR_address_space ??= "$([IPAddress]::Parse(`
[String] (`
167772160 + (`
65536*(`
Get-Random -Minimum 0 -Maximum 255 -SetSeed $(Build.BuildId)`
@geekzter
geekzter / scale-set-agent-aks-app-deployment.yaml
Last active May 24, 2021 08:46
Azure VM scale set app deployment to VNet peered AKS
- task: TerraformCLI@0
displayName: 'Terraform output'
inputs:
command: 'output'
workingDirectory: '$(terraformDirectory)'
environmentServiceName: '$(subscriptionConnection)'
runAzLogin: true
allowTelemetryCollection: true
- task: KubectlInstaller@0
@geekzter
geekzter / scale-set-cloudinit-race-condition-fix.tf
Created May 4, 2021 12:39
Azure VM scale set cloudinit race condition fix
resource azurerm_virtual_machine_scale_set_extension cloud_config_status {
name = "CloudConfigStatusScript"
virtual_machine_scale_set_id = azurerm_linux_virtual_machine_scale_set.linux_agents.id
publisher = "Microsoft.Azure.Extensions"
type = "CustomScript"
type_handler_version = "2.0"
settings = jsonencode({
"commandToExecute" = "/usr/bin/cloud-init status --long --wait ; systemctl status cloud-final.service --full --no-pager --wait"
})
}
@geekzter
geekzter / generate-random-cidr.ps1
Created May 2, 2021 08:48
Generate random CIDR
# Set random CIDR (to reduce the risk of clashing VNet peerings with agent VNet)
$env:TF_VAR_address_space ??= "$([IPAddress]::Parse([String] (167772160 + (65536*(Get-Random -Minimum 0 -Maximum 255 -SetSeed $(Build.BuildId))))) | Select-Object -ExpandProperty IPAddressToString)/16"
@geekzter
geekzter / pipeline-agent-cloud-config.tf
Last active May 4, 2021 12:25
Azure Pipeline Agent Cloud Config (Terraform merge)
data cloudinit_config user_data {
gzip = false
base64_encode = false
part {
content = templatefile("${path.root}/../cloudinit/cloud-config-userdata.yaml",
{
# Propagate virtual network information, so cloudinit can set up environment variables
subnet_id = azurerm_subnet.agent_subnet.id
virtual_network_id = azurerm_virtual_network.pipeline_network.id
@geekzter
geekzter / pipeline-agent-cloud-config.yaml
Last active May 4, 2022 03:50
Azure Pipeline Agent Cloud Config
#cloud-config
bootcmd:
- sudo apt remove unattended-upgrades -y
# Prevent race condition with VM extension provisioning
- while ( fuser /var/lib/dpkg/lock >/dev/null 2>&1 ); do sleep 5; done;
- while ( fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ); do sleep 5; done;
# Get apt repository signing keys
- sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0 # GitHub
- sudo apt-add-repository https://cli.github.com/packages
- curl https://baltocdn.com/helm/signing.asc | sudo apt-key add - # Helm
@geekzter
geekzter / acr-private-endpoint.tf
Last active May 2, 2021 07:36
Azure Container Registry Private Endpoint
resource azurerm_private_dns_zone acr {
name = "privatelink.azurecr.io"
resource_group_name = var.resource_group_name
}
resource azurerm_private_dns_zone_virtual_network_link acr {
name = "${var.resource_group_name}-registry-dns-link"
resource_group_name = var.resource_group_name
private_dns_zone_name = azurerm_private_dns_zone.acr.name
virtual_network_id = var.virtual_network_id
}
@geekzter
geekzter / denied-outbound-http-traffic.csl
Last active May 1, 2021 07:04
Azure Firewall denied outbound HTTP traffic
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| where msg_s contains("Deny")
| project TimeGenerated, msg_s
| order by TimeGenerated desc
@geekzter
geekzter / isolated-aks.tf
Last active May 13, 2021 09:45
Network Isolated AKS
resource azurerm_kubernetes_cluster aks {
# ...
addon_profile {
# ...
# 3. Ingress via Application Gateway
ingress_application_gateway {
enabled = true
subnet_id = var.application_gateway_subnet_id
}