Reference two Azure subscriptions within the same terraform module block? - azure

I am currently using terraform to deploy azure resources and would like to point to a DDOS protection plan in a different subscription than the vnet is deployed to. The code is as follows:
resource "azurerm_virtual_network" "example" {
  for_each            = var.virtual_networks
  name                = each.value.vnet_name
  location            = each.value.vnet_location
  resource_group_name = data.azurerm_resource_group.this[each.value.resource_group_key].name
  address_space       = each.value.vnet_address_space
  tags                = each.value.vnet_tags

  ddos_protection_plan {
    id     = each.value.ddos_protection_plan_id
    enable = true
  }
}
I have referenced other subscriptions using the azure provider for resources where the entire block will exist in a new subscription. https://samcogan.com/deploying-to-multiple-azure-subscriptions-with-terraform/
But I am running into trouble referencing another subscription for a (sub?)resource within a block.
TL;DR: I want to deploy the VNET in one sub and reference the DDoS protection plan in another. Is it possible?
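One way to do this, as an added example that is not from the original post: a second aliased azurerm provider reads the plan from its own subscription, and the VNet block consumes only the resulting ID string. It assumes both subscriptions are in the same tenant, reuses the question's var.virtual_networks and data.azurerm_resource_group.this, and the plan and resource group names are placeholders.

```hcl
variable "vnet_subscription_id" { type = string }
variable "ddos_subscription_id" { type = string }

# Default provider: the subscription that receives the VNet
provider "azurerm" {
  features {}
  subscription_id = var.vnet_subscription_id
}

# Aliased provider for the subscription that owns the DDoS plan.
# Reading the plan only needs Reader on its resource group; attaching a VNet
# additionally needs Microsoft.Network/ddosProtectionPlans/join/action on the plan
# for the identity that creates the VNet.
provider "azurerm" {
  alias           = "ddos"
  features {}
  subscription_id = var.ddos_subscription_id
}

# The only block that touches the other subscription: a read of the existing plan
data "azurerm_network_ddos_protection_plan" "shared" {
  provider            = azurerm.ddos
  name                = "shared-ddos-plan"    # placeholder
  resource_group_name = "network-security-rg" # placeholder
}

resource "azurerm_virtual_network" "example" {
  for_each            = var.virtual_networks
  name                = each.value.vnet_name
  location            = each.value.vnet_location
  resource_group_name = data.azurerm_resource_group.this[each.value.resource_group_key].name
  address_space       = each.value.vnet_address_space
  tags                = each.value.vnet_tags

  ddos_protection_plan {
    # A nested block takes a plain resource ID, so it can point across
    # subscriptions even though the VNet itself uses the default provider
    id     = data.azurerm_network_ddos_protection_plan.shared.id
    enable = true
  }
}
```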

Related

How to manage existing resource group in azure with terraform

I am having my Azure infrastructure created using Terraform.
Now I want to add a few resources to an existing resource group.
When I did the same, it gives an error saying the resource group already exists.
How can I refer to an existing resource with no changes to the existing resources and the tfstate file?
There are a couple of ways to refer to an existing resource in Azure without making changes:
- Use Terraform import
- Use a Terraform data resource
Terraform import example:
resource "azurerm_resource_group" "example" {
  # ...instance configuration...
  name = "MyResourceGroup"
}
Run the command:
terraform import azurerm_resource_group.example \
  /subscriptions/MySubscriptionNumber/resourceGroups/MyResourceGroup
Terraform data resource example:
data "azurerm_resource_group" "example" {
  name = "MyResourceGroup"
}

NSG rule across subscription in azure via terraform

# provider azurerm.mgmt is Subscription A.
# provider azurerm.corpapps is Subscription B.
I am trying to create an NSG rule in Subscription A with provider azurerm.mgmt. The destination application security group is in Subscription B with provider azurerm.corpapps.
provider "azurerm" {
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription
  alias           = "mgmt"
}

provider "azurerm" {
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_B
  alias           = "corpapps"
}
Then I use the provider to get my ASG from Subscription B as shown:
Then I use that reference in my NSG rule.
However, I get an error saying the ASG is not found:
But in the Azure portal the resource is already there, as shown:
I have tried assigning the SP, which has the Owner role on both subscriptions, or using an Azure account with the CLI, but no luck. Also, as the comment points out, there is a limitation that an NSG does not reference an ASG in a different location. After my validation, you cannot add the ASG from another subscription even if it's in the same region as the NSG or the target VNet.
Moreover, when you add this ASG as the source or destination in the NSG rules, you will see:
Select an application security group (ASG) as the security rule
source. ASGs enable fine-grained network security policies based on
workloads or applications instead of IP addresses or CIDR blocks.
Rules specifying an application security group are only applied to
network interfaces that are members of the application security group
on the same virtual network.

Deploy azure resource in prebuilt resource group using terraform

I have one resource group in my Azure subscription named "demoterraform".
Now I would like to create one Windows VM in this resource group, so I don't deploy a new VM in the existing resource group.
Use the azurerm_resource_group data source.
data "azurerm_resource_group" "demo" {
  name = "demoterraform"
}
In the rest of the code you can refer to it with an expression like data.azurerm_resource_group.demo.id.

Adding application as contributor with Terraform azure

Hi, I'm currently working on trying to figure out how to assign an application as a contributor within a specific resource group in Azure with Terraform.
Any working examples would be much appreciated.
If you want to assign a given principal (user or application) to a given role with Terraform, you can use azurerm_role_assignment together with the data sources azurerm_resource_group and azurerm_client_config.
Example usage: assign the built-in Contributor role within a specific resource group.
data "azurerm_resource_group" "primary" {
  name = "MyResourceGroup" # required: the existing resource group to scope the assignment to
}

data "azurerm_client_config" "test" {}

resource "azurerm_role_assignment" "test" {
  scope                = data.azurerm_resource_group.primary.id
  role_definition_name = "Contributor"
  # Object ID of the service principal running Terraform; azurerm 2.0 and later
  # expose this as object_id instead
  principal_id         = data.azurerm_client_config.test.service_principal_object_id
}
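The answer above grants the role to whatever identity is running Terraform. To grant a specific application instead, as an added example that is not from the original answer, look up that application's service principal through the azuread provider and scope the assignment to the resource group only. It assumes the azuread and azurerm providers are both configured, and the resource group and application names are placeholders.

```hcl
data "azurerm_resource_group" "target" {
  name = "app-rg" # placeholder: the resource group the app should manage
}

# Resolve the application's service principal by display name instead of using
# azurerm_client_config, which would return the identity running Terraform
data "azuread_service_principal" "app" {
  display_name = "my-app-registration" # placeholder
}

# Scope is the resource group ID, not the subscription, so the grant is limited
# to that group. The identity applying this needs
# Microsoft.Authorization/roleAssignments/write (Owner or User Access
# Administrator) on that scope.
resource "azurerm_role_assignment" "app_contributor" {
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "Contributor"
  principal_id         = data.azuread_service_principal.app.object_id
}
```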

Creating a Azure Windows VM through Terraform

In Azure, I'm trying to create a Windows VM using Terraform. I have done this through PowerShell previously using a Template.json file. Now I have to do it with Terraform, which I'm completely new to. So I have searched for some sample scripts which create a VM in Azure and found this.
In this link, there is a sample Terraform script to spin up a Linux VM. But I need to spin up a Windows VM from an image. Where should I give the image details? My complete requirements are:
Create a Windows VM from an image (I have the resource ID).
I already have the resource group, virtual network and subnet created. I just need to pass those values and create the VM.
We have already defined the subnet address prefix and VNet address space from the portal itself. So do I have to give them again in the script, or can I skip them?
The business requirement is that no VMs should have a public IP or DNS name. So if I remove the "# Create public IPs" section, will that avoid creating a public IP?
The script for creating a Linux machine is here, which I'm taking as reference.
Below is an example of how to use data sources to use already existing resources in Terraform; there is also a code block to create a Windows VM. You will need to get the existing VNET and create a NIC:
- Use the data directive to get the VNET (azurerm_virtual_network); you can see the syntax below for the resource group. You will need to add the resource group and possibly location into this block.
- Create an azurerm_network_interface resource using the VNET ID.
- Add the network interface ID to the VM (network_interface_ids = []).
Example TF code to create and load balance VMs:
variable "subscription_id" {}
variable "client_id" {}
variable "client_secret" {}
variable "tenant_id" {}

provider "azurerm" {
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

data "azurerm_resource_group" "resource_group" {
  name = "learning-tf-web-rg"
}

resource "azurerm_virtual_machine" "web_server" {
  name                  = "server"
  location              = "westus2"
  resource_group_name   = data.azurerm_resource_group.resource_group.name
  network_interface_ids = [] # fill with the ID of the NIC created in the step above
  vm_size               = "Standard_B2s"

  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter-Server-Core-smalldisk"
    version   = "latest"
  }

  storage_os_disk {
    name              = "server-os"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "server"
    admin_username = "server"
    # Placeholder only: a real password belongs in a sensitive variable or Key Vault, not in source control
    admin_password = "Passw0rd1234"
  }

  os_profile_windows_config {
  }
}
From Terraform's perspective, a Windows VM is really quite similar to a Linux VM. The #1 difference in my opinion is that the Windows VM requires an os_profile_windows_config attribute, while the Linux VM needs os_profile_linux_config.
The TF code you found on the Microsoft site is a fine start. Additionally, you may look in the Terraform Registry. For example, here's a module for a Linux VM.
I strongly recommend reading through all of the options in the VM resource. I know it's a lot, but you should understand what choices you have.
Lastly, there's no substitute for writing some code and testing it. If you do something wrong, either Terraform and/or the Azure API will tell you, and if it's unclear, a web search will pop up an answer or a pointer in the right direction.
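Carrying the answer's three steps through, as an added example that is not from the original answer: the existing subnet is read with a data source, the NIC gets a private address only (no azurerm_public_ip is created, so no public IP or DNS name), the VM is built from an image resource ID, and the admin password comes from a sensitive variable. It assumes Terraform 0.14 or later for sensitive variables, the resource group "demoterraform", and placeholder VNet and subnet names.

```hcl
variable "image_id" {
  type = string # resource ID of the existing managed image
}
variable "admin_password" {
  type      = string
  sensitive = true # supplied via TF_VAR_admin_password, never committed
}

# Look up the subnet that already exists (VNet and subnet names are placeholders)
data "azurerm_subnet" "existing" {
  name                 = "app-subnet"
  virtual_network_name = "app-vnet"
  resource_group_name  = "demoterraform"
}

# Private address only: no azurerm_public_ip exists, so no public IP or DNS name
resource "azurerm_network_interface" "web_server" {
  name                = "server-nic"
  location            = "westus2"
  resource_group_name = "demoterraform"
  ip_configuration {
    name                          = "internal"
    subnet_id                     = data.azurerm_subnet.existing.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_virtual_machine" "web_server" {
  name                  = "server"
  location              = "westus2"
  resource_group_name   = "demoterraform"
  network_interface_ids = [azurerm_network_interface.web_server.id]
  vm_size               = "Standard_B2s"
  storage_image_reference {
    id = var.image_id # existing image by resource ID, not a marketplace reference
  }
  storage_os_disk {
    name              = "server-os"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }
  os_profile {
    computer_name  = "server"
    admin_username = "server"
    admin_password = var.admin_password
  }
  os_profile_windows_config {}
}
```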