Using the hashicorp/azurerm provider I want to set up a webhook that would trigger a deployment.
I have a web app that loads the newest Docker image on restart. However, I need the scmUri of the resource to set up the webhook:
resource "azurerm_linux_web_app" "web" {
  app_settings = {
    DOCKER_REGISTRY_SERVER_URL      = url
    DOCKER_REGISTRY_SERVER_USERNAME = data.azurerm_key_vault_secret.acr-service-principal-id.value
    DOCKER_REGISTRY_SERVER_PASSWORD = data.azurerm_key_vault_secret.acr-service-principal-password.value
    ...
  }
  ...
}

resource "azurerm_container_registry_webhook" "webhook" {
  service_uri = "<scm URL of the azurerm_linux_web_app.web>/docker/hook"
  ...
}
I have found ways to query the scmUri using various other tools, but nothing using the azurerm provider:
REST: https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/list-publishing-credentials
Bicep: https://github.com/Azure/bicep/discussions/3352#discussioncomment-976818
Pulumi: Add Azure Web App Service web hook to Azure Container Registry for continuous deployment
After everything is deployed I can also copy the scmUri manually from Azure, but I would prefer a fully automated setup.
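One way to build the hook URL without copying it from the portal, as an added example (not the original poster's configuration): it assumes azurerm provider 3.x, where azurerm_linux_web_app exports a site_credential block containing the SCM publishing user name and password, and that the resource group, service plan, container registry and Key Vault secrets referenced below already exist under the names used here.

```hcl
# Added example, not the original poster's configuration. Assumes azurerm 3.x
# and the existence of azurerm_resource_group.rg, azurerm_service_plan.plan,
# azurerm_container_registry.acr and the two Key Vault secret data sources.

resource "azurerm_linux_web_app" "web" {
  name                = "example-web" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id

  site_config {
    application_stack {
      docker_image     = "${azurerm_container_registry.acr.login_server}/app"
      docker_image_tag = "latest"
    }
  }

  app_settings = {
    DOCKER_REGISTRY_SERVER_URL      = "https://${azurerm_container_registry.acr.login_server}"
    DOCKER_REGISTRY_SERVER_USERNAME = data.azurerm_key_vault_secret.acr-service-principal-id.value
    DOCKER_REGISTRY_SERVER_PASSWORD = data.azurerm_key_vault_secret.acr-service-principal-password.value
    # App Service only restarts on the hook when continuous deployment is on.
    DOCKER_ENABLE_CI = "true"
  }
}

# The SCM (Kudu) host is <app name>.scm.azurewebsites.net and the Docker hook
# is served at /docker/hook on it. The publishing credentials come from the
# exported site_credential block instead of being copied from the portal.
locals {
  scm_user     = azurerm_linux_web_app.web.site_credential[0].name
  scm_password = azurerm_linux_web_app.web.site_credential[0].password
  docker_hook  = "https://${local.scm_user}:${urlencode(local.scm_password)}@${azurerm_linux_web_app.web.name}.scm.azurewebsites.net/docker/hook"
}

resource "azurerm_container_registry_webhook" "webhook" {
  name                = "deploywebhook" # ACR webhook names must be alphanumeric
  resource_group_name = azurerm_resource_group.rg.name
  registry_name       = azurerm_container_registry.acr.name
  location            = azurerm_resource_group.rg.location
  service_uri         = local.docker_hook
  status              = "enabled"
  scope               = "app:latest" # fire only for this repository and tag
  actions             = ["push"]
}

output "docker_hook_url" {
  value     = local.docker_hook
  sensitive = true # embeds the publishing password; keep it out of CI logs
}
```

The hook URL carries the site's publishing password, so it lands in Terraform state and in the ACR webhook configuration; treat state as a secret and scope the webhook to the single repository and tag the app actually pulls, so that a push to any other repository in the registry cannot restart it.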
I understand there is a difference between a service account and a service agent for different services such as Composer.
How do you enable a service agent via Terraform?
What I'm trying to do is this:
# TODO: Maybe enable this service agent somehow via gcloud? It got enabled when trying to manually create the composer env from the console
# Step 4 (Src2) - Host project GKE service account: service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com
# Need 'container.serviceAgent' in the host project
resource "google_project_iam_member" "dev-omni-orch-gke-project-lvl-roles-t2" {
  provider = google.as_super_admin
  for_each = toset([
    "roles/container.serviceAgent",
  ])
  role   = each.value
  member = "serviceAccount:service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com"
  # member = "serviceAccount:service-${google_project.main-shared-vpc-host.number}@container-engine-robot.iam.gserviceaccount.com"
  # project = google_project.dev-main-code-base.project_id
  project = google_project.main-shared-vpc-host.project_id
}
I get
Request `Create IAM Members roles/container.serviceAgent serviceAccount:service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com for project "<shared-vpc-host-project-id>"` returned error: Batch request and retried single request "Create IAM Members roles/container.serviceAgent serviceAccount:service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com for project \"<shared-vpc-host-project-id>\"" both failed. Final error: Error applying IAM policy for project "<shared-vpc-host-project-id>": Error setting IAM policy for project "<shared-vpc-host-project-id>": googleapi: Error 400: Service account service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com does not exist., badRequest
But when I try to do it manually via the console, there is a prompt that asks me if I want to enable this service agent, which I do, but I want to be able to do this in Terraform.
The said prompt:
The service-[PROJECT_ID]@cloudcomposer-accounts.iam.gserviceaccount.com service agent will only exist after the Cloud Composer API has been enabled.
This can be done in Terraform using the google_project_service resource, for example:
resource "google_project_service" "project" {
  project = "your-project-id"
  service = "composer.googleapis.com"
}
Once the API has been enabled, the service agent should exist and you should be able to grant it the required permissions.
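Applied to the GKE service agent from the question, the two steps look like this (added example, not the questioner's or the answerer's code; it assumes the google_project.main-shared-vpc-host resource and the google.as_super_admin provider alias from the question):

```hcl
# Added example. Assumes google_project.main-shared-vpc-host and the provider
# alias google.as_super_admin from the question above.

# 1. Enable the API. Google creates the service agent for the API as a side
#    effect of enabling it; there is no separate "create service agent" call.
resource "google_project_service" "container" {
  provider = google.as_super_admin
  project  = google_project.main-shared-vpc-host.project_id
  service  = "container.googleapis.com"

  # Keep the API (and its agent) when this resource is removed from state.
  disable_on_destroy = false
}

# 2. Grant the agent its role only after the API is enabled. Without the
#    depends_on, Terraform may issue setIamPolicy first and get the
#    "Service account ... does not exist" error shown in the question.
#    The member uses the project *number*, not the project ID.
resource "google_project_iam_member" "gke_service_agent" {
  provider = google.as_super_admin
  project  = google_project.main-shared-vpc-host.project_id
  role     = "roles/container.serviceAgent"
  member   = "serviceAccount:service-${google_project.main-shared-vpc-host.number}@container-engine-robot.iam.gserviceaccount.com"

  depends_on = [google_project_service.container]
}
```

Agent creation is not always instantaneous after the API is enabled; if the first apply still reports a missing account, a second apply normally succeeds. For services whose agent is only provisioned on first use, the google-beta provider's google_project_service_identity resource forces the agent to be created and exports its email.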
I have an Azure HTTP Function App deployed via Terraform, and I would like to manage access to the HTTP function via API Management. I can see how to create API Management via Terraform; however, I cannot see how to connect my Function App to my API Management. Via the console this is very simple. How can I do this via Terraform?
Below is the Terraform code to add your Azure Function as a backend to Azure API Management:
resource "azurerm_api_management_backend" "example" {
  name                = "sample-backend"
  resource_group_name = data.azurerm_resource_group.example.name
  api_management_name = data.azurerm_api_management.example.name
  protocol            = "http"
  url                 = "https://${azurerm_function_app.example.name}.azurewebsites.net/api/"

  credentials {
    header = {
      "x-functions-key" = data.azurerm_function_app_host_keys.example.default_function_key
    }
  }
}
Refer to the Royarin blog article for more information on adding Azure Functions or a Web API as an API in Azure APIM with a backend.
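The backend alone does not expose anything; an API, at least one operation and a policy that points the API at the backend are needed before clients can call the function through APIM. An added example (not the answer's code) that assumes the same data sources and azurerm_function_app.example as the answer, plus an HTTP-triggered function named "ping":

```hcl
# Added example. Assumes data.azurerm_resource_group.example,
# data.azurerm_api_management.example, data.azurerm_function_app_host_keys.example
# and azurerm_function_app.example from the answer above.

# Backend: APIM holds the function key, so API callers never see it.
resource "azurerm_api_management_backend" "fn" {
  name                = "fn-backend"
  resource_group_name = data.azurerm_resource_group.example.name
  api_management_name = data.azurerm_api_management.example.name
  protocol            = "http"
  url                 = "https://${azurerm_function_app.example.default_hostname}/api/"

  credentials {
    header = {
      "x-functions-key" = data.azurerm_function_app_host_keys.example.default_function_key
    }
  }
}

# The surface clients actually call; APIM subscription keys stay required.
resource "azurerm_api_management_api" "fn" {
  name                  = "fn-api"
  resource_group_name   = data.azurerm_resource_group.example.name
  api_management_name   = data.azurerm_api_management.example.name
  revision              = "1"
  display_name          = "Function API"
  path                  = "fn"
  protocols             = ["https"]
  subscription_required = true
}

# GET https://<apim>/fn/ping -> https://<function>/api/ping
resource "azurerm_api_management_api_operation" "ping" {
  operation_id        = "get-ping"
  api_name            = azurerm_api_management_api.fn.name
  api_management_name = data.azurerm_api_management.example.name
  resource_group_name = data.azurerm_resource_group.example.name
  display_name        = "Ping"
  method              = "GET"
  url_template        = "/ping"
}

# Route every operation of this API to the function backend.
resource "azurerm_api_management_api_policy" "fn" {
  api_name            = azurerm_api_management_api.fn.name
  api_management_name = data.azurerm_api_management.example.name
  resource_group_name = data.azurerm_resource_group.example.name

  xml_content = <<-XML
    <policies>
      <inbound>
        <base />
        <set-backend-service backend-id="${azurerm_api_management_backend.fn.name}" />
      </inbound>
      <backend><base /></backend>
      <outbound><base /></outbound>
      <on-error><base /></on-error>
    </policies>
  XML
}
```

Two points worth checking after apply: the function key read by azurerm_function_app_host_keys is written to Terraform state, so the state backend must be treated as a secret store; and because the key is still valid when presented directly to the function's own hostname, APIM only "manages access" if the function's IP restrictions (or a private endpoint) limit inbound traffic to the APIM instance.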
In my primary Azure region, East US 2, I have Front Door, a virtual network, and 4 premium function apps. These work perfectly fine, but I am trying to set up the functions in a secondary region, Central US, according to this diagram.
My thought was that I would have a second App Service Plan (EP1), a second virtual network, and a second premium function app for each of my functions. I was able to get this mostly working, but my pipeline fails when deploying the first function's app settings. The error I get is: Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.
In my main bicep file I have:
var appSettings = {
  APPINSIGHTS_INSTRUMENTATIONKEY: appInsights.properties.InstrumentationKey
  APPLICATIONINSIGHTS_CONNECTION_STRING: appInsights.properties.ConnectionString
  WEBSITE_RUN_FROM_PACKAGE: '1'
  AzureWebJobsStorage__accountName: '${storageAccount.name}'
  BuyingDBCosmosURL: 'https://${cosmosAccountName}.documents.azure.com:443/'
  FUNCTIONS_EXTENSION_VERSION: '~3'
  FUNCTIONS_WORKER_RUNTIME: 'dotnet'
  AzureWebJobsStorage: <connection string>
  WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: <connection string>
}
@batchSize(1)
module appServiceFunction '../modules/applications/app-service.bicep' = [for (item, i) in config.functionApps: if (deployFN || rebuildEnvironment) {
  name: '${prefixAppServices}-${item.name}-fn'
  params: {
    appServiceKind: 'functionapp'
    appServiceName: '${prefixAppServices}-${item.name}-fn'
    appServicePlanId: (deployFN) ? appServicePlan.outputs.appServicePlanId : (rebuildEnvironment) ? appServicePlan.outputs.appServicePlanId : ''
    appServiceAuth: item.appAuth
    appServiceSiteConfig: {
      healthCheckPath: '/api/${item.name}/healthCheck'
    }
    appServiceSettings: union({
      WEBSITE_CONTENTSHARE: '${prefixAppServices}-${item.name}-fn'
    }, appSettings)
    ipSecurityRestrictions: fnIpSecurityRestrictions
    virtualNetworkSubnetId: subnetFunction.id
    location: location
    tags: appTags
    logAnalyticsRetention: logAnalyticsRetention
    actionGroupId: (deployFN) ? actionGroup.outputs.actionGroupId : (rebuildEnvironment) ? actionGroup.outputs.actionGroupId : ''
  }
  dependsOn: [
    cosmos
  ]
}]
And in a separate file where I create the resource, we use a config resource to define the app settings as key/value pairs (I also tried passing the app settings directly to the function and received the same error):
resource appSettings 'Microsoft.Web/sites/config@2021-01-15' = if (!empty(appServiceSettings)) {
  name: 'appsettings'
  parent: appService
  properties: appServiceSettings
}
I'm not exactly sure where the issue is, as high availability and disaster recovery are new to me, so I added some pictures of the configuration. Please let me know if I can add anything to this question!
Edit: If I navigate to the storage account networking tab and change "Allow access from Selected Networks" to "Allow access from All Networks", then I am able to deploy the function apps and their app settings no problem.
Add the WEBSITE_CONTENTOVERVNET=1 setting to the Azure Function app settings and then try again. This worked for me.
A few things to check:
Storage account should be on selected networks.
You should have blob and file private endpoints in the same VNet where the Azure Function is deployed.
Check the private DNS zone and the A record for the storage account private endpoint.
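The same checklist expressed in Terraform rather than the question's Bicep, as an added example (not the questioner's or answerer's code): the storage account stays on selected networks instead of being opened to all networks, blob and file private endpoints with private DNS zones sit in the function's VNet, and WEBSITE_CONTENTOVERVNET=1 makes the content share be created over the VNet rather than the public endpoint that the firewall answers with 403. It assumes azurerm 3.x and pre-existing azurerm_resource_group.rg, azurerm_virtual_network.vnet, azurerm_subnet.functions (delegated to Microsoft.Web/serverFarms), azurerm_subnet.endpoints and azurerm_service_plan.ep1.

```hcl
# Added example. Assumes azurerm 3.x plus azurerm_resource_group.rg,
# azurerm_virtual_network.vnet, azurerm_subnet.functions (delegated to
# Microsoft.Web/serverFarms), azurerm_subnet.endpoints and azurerm_service_plan.ep1.

resource "azurerm_storage_account" "fn" {
  name                     = "stfnsecondary" # assumed name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny" # "Selected networks", not "All networks"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [azurerm_subnet.functions.id]
  }
}

# One private DNS zone per storage sub-resource, linked to the VNet so the
# function resolves <account>.file.core.windows.net to the private IP.
locals {
  storage_subresources = toset(["blob", "file"])
}

resource "azurerm_private_dns_zone" "storage" {
  for_each            = local.storage_subresources
  name                = "privatelink.${each.key}.core.windows.net"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "storage" {
  for_each              = local.storage_subresources
  name                  = "link-${each.key}"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.storage[each.key].name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_private_endpoint" "storage" {
  for_each            = local.storage_subresources
  name                = "pe-storage-${each.key}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.endpoints.id

  private_service_connection {
    name                           = "psc-storage-${each.key}"
    private_connection_resource_id = azurerm_storage_account.fn.id
    subresource_names              = [each.key]
    is_manual_connection           = false
  }

  # Registers the endpoint's A record in the matching private zone.
  private_dns_zone_group {
    name                 = "dns-${each.key}"
    private_dns_zone_ids = [azurerm_private_dns_zone.storage[each.key].id]
  }
}

resource "azurerm_linux_function_app" "secondary" {
  name                       = "fn-secondary" # assumed name
  resource_group_name        = azurerm_resource_group.rg.name
  location                   = azurerm_resource_group.rg.location
  service_plan_id            = azurerm_service_plan.ep1.id
  storage_account_name       = azurerm_storage_account.fn.name
  storage_account_access_key = azurerm_storage_account.fn.primary_access_key
  virtual_network_subnet_id  = azurerm_subnet.functions.id

  site_config {
    vnet_route_all_enabled = true # send storage traffic through the VNet
  }

  # The provider sets WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and
  # WEBSITE_CONTENTSHARE itself; only the VNet switch is added here.
  app_settings = {
    WEBSITE_CONTENTOVERVNET = "1"
  }

  # Endpoints and DNS must exist before the content share is created.
  depends_on = [azurerm_private_endpoint.storage]
}
```

If the share creation still returns 403, resolve the account's file endpoint from inside the VNet (for example from a VM in the functions subnet) and confirm it returns the private endpoint address; a public address there means the privatelink zone is not linked to the VNet the function uses.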
I am trying to provision some IBM Watson Assistant services using the Terraform provider for IBM.
I am currently using the ibm_service_instance and ibm_service_key resources from the IBM provider.
The relevant piece of Terraform code can be found below.
# create service
resource "ibm_service_instance" "wa_test_service_instance_name" {
  count      = var.wa_template_service_counter
  name       = "Test-${var.wa_test_service_instance_name}-${var.app_name}-${count.index + 1}"
  space_guid = var.space_guid
  service    = var.service_offering
  plan       = var.plan
}

# create credentials
resource "ibm_service_key" "wa_test_service_key" {
  count                 = var.wa_template_service_counter
  name                  = var.service_key_name
  service_instance_guid = ibm_service_instance.wa_test_service_instance_name[count.index].id
  depends_on            = [ibm_service_instance.wa_test_service_instance_name]
}
The service instance is created successfully along with the credentials and the CF alias. The problem is that for the CF alias, the created credentials do not have iam_role_crn set to Manager, which is the required setup in my configuration.
If I manually add the credentials for the CF alias from the IBM Cloud dashboard, they are created with iam_role_crn Manager. Also, the resource instance for which this alias exists has iam_role_crn = Manager in its credentials.
I could not find a way of specifying such a parameter when the ibm_service_key or ibm_service_instance gets created.
https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/service_key
Is there a way to create the credentials for the alias of the service with the iam_role_crn parameter set to Manager, or is there a workaround to achieve this?
I looked at the documentation of both azurerm_app_service and azurerm_application_insights and I just do not see a way to tie them.
Yet on the App Service page in the portal there is a link to Application Insights, currently grayed out:
So, how do I enable it with terraform?
You need numerous app settings to get this to work properly as intended. The ones I had to add to get it all working were:
"APPINSIGHTS_INSTRUMENTATIONKEY"
"APPINSIGHTS_PROFILERFEATURE_VERSION"
"APPINSIGHTS_SNAPSHOTFEATURE_VERSION"
"APPLICATIONINSIGHTS_CONNECTION_STRING"
"ApplicationInsightsAgent_EXTENSION_VERSION"
"DiagnosticServices_EXTENSION_VERSION"
"InstrumentationEngine_EXTENSION_VERSION"
"SnapshotDebugger_EXTENSION_VERSION"
"XDT_MicrosoftApplicationInsights_BaseExtensions"
"XDT_MicrosoftApplicationInsights_Mode"
It seems that enabling Application Insights using Terraform is not working yet. There is a Feature Request: Attach azurerm_application_insights to a azurerm_app_service in GitHub.
It might be possible to set a tag on the azurerm_application_insights resource:
resource "azurerm_application_insights" "test" {
  tags = {
    "hidden-link:/subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.Web/sites/<site name>" = "Resource"
  }
}
Usually, if you need to enable the Application Insights component in your App Service, you need to add the APPINSIGHTS_* environment variables to the app_settings of your web app.
For example:
app_settings = {
  "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.test.instrumentation_key
}
See the argument reference, even though it is about Azure Functions.
ref:
https://www.olivercoding.com/2018-06-24-terraform/
https://github.com/terraform-providers/terraform-provider-azurerm/issues/2457
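Putting the settings listed in the first answer together with the app_settings approach from the last one, as an added example (not any answerer's code): the setting names are the ones listed above, while the values are assumptions taken from what the portal writes when Application Insights is turned on for a Windows App Service, so check them against a portal-enabled app before relying on them. azurerm 3.x, azurerm_resource_group.rg and azurerm_service_plan.plan are assumed.

```hcl
# Added example. Assumes azurerm 3.x, azurerm_resource_group.rg and
# azurerm_service_plan.plan (a Windows plan). Setting values are assumptions
# matching what the portal sets; verify against a portal-enabled app.

resource "azurerm_application_insights" "web" {
  name                = "appi-web" # assumed name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  application_type    = "web"
}

resource "azurerm_windows_web_app" "web" {
  name                = "example-web" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id

  site_config {}

  app_settings = {
    # Identify the target component; the connection string is the newer form.
    APPINSIGHTS_INSTRUMENTATIONKEY        = azurerm_application_insights.web.instrumentation_key
    APPLICATIONINSIGHTS_CONNECTION_STRING = azurerm_application_insights.web.connection_string

    # Codeless (agent-based) monitoring, as the portal's "Turn on" button sets it.
    ApplicationInsightsAgent_EXTENSION_VERSION      = "~2"
    XDT_MicrosoftApplicationInsights_Mode           = "recommended"
    XDT_MicrosoftApplicationInsights_BaseExtensions = "disabled"

    # Profiler, snapshot debugger and diagnostics extensions.
    APPINSIGHTS_PROFILERFEATURE_VERSION     = "1.0.0"
    APPINSIGHTS_SNAPSHOTFEATURE_VERSION     = "1.0.0"
    DiagnosticServices_EXTENSION_VERSION    = "~3"
    InstrumentationEngine_EXTENSION_VERSION = "disabled"
    SnapshotDebugger_EXTENSION_VERSION      = "disabled"
  }
}
```

The instrumentation key and connection string are exported as sensitive attributes and end up in state; with them anyone can write telemetry into the component, so keep the state backend locked down. The hidden-link tag mentioned above cannot be added in the same configuration without a dependency cycle (the web app references the component and the tag would reference the web app), which is why it is left out here.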