terraform disable validation - azure

We are trying to provision azurerm_data_factory_linked_service_data_lake_storage_gen2 and wanted to set the url to a parameterised variable in ADF. It is possible to do this in the Azure Data Factory user interface; however, the resource provider's url component forces us to use https: to pass its validation, so we cannot put in a parameter.

    url = "#Dataset().ST_URL"

Is there a way to disable the url check in terraform for this one field?

    resource "azurerm_data_factory_linked_service_data_lake_storage_gen2" "example" {
      name                  = "example"
      data_factory_id       = azurerm_data_factory.example.id
      service_principal_id  = data.azurerm_client_config.current.client_id
      service_principal_key = "exampleKey"
      tenant                = "11111111-1111-1111-1111-111111111111"
      url                   = "#Dataset().ST_URL"
    }

This line appears to force a requirement for https:
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/datafactory/data_factory_linked_service_data_lake_storage_gen2_resource.go#L55

Related

Allocate AWS SSO Permission Set to Groups in Accounts

Working to fully code the AWS SSO setup.
So far, coded via Terraform, I have all permission sets and am using SCIM to pull in groups.
Allocation of the permission sets to groups in accounts (I have over 100 accounts) is done by hand. I want to allocate permission sets to groups in selected accounts via IaC (Terraform), but I can't for the life of me find working code.
I've tried using:

    aws_sso_permission_set_group_assignment,
    aws_sso_permission_set_group_attachment,
    aws_sso_group_permission_set_assignment,
    aws_sso_group_permission_set_attachment,
    aws_sso_permission_set_attachment,
    aws_sso_permission_set_assignment,

These I found in some old docs, but they don't work :( giving: The provider hashicorp/aws does not support resource type
Does anyone have any advice they can offer on how to remedy this, or how they managed to surmount this issue?
Here is an example of the code I tried:

    resource "aws_sso_group_permission_set_attachment" "example" {
      group_id          = "93sd433ee-cd43e4b-cfww-434e-re33-707a0987eb"
      permission_set_id = "arn:aws:sso:::permissionSet/ssoins-63456a11we432d8/ps-1231ded3d42fcrr2"
      account_id        = "8765322052550"
    }

    resource "aws_sso_group_permission_set_attachment" "example" {
      permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-63456a11we432d8/ps-1231ded3d42fcrr2"
      group_name         = "93sd433ee-cd43e4b-cfww-434e-re33-707a0987eb"
      account_id         = "8765322052550"
    }

The ssoadmin_account_assignment resource is something you might be looking for; please go through all the available attributes in the resource to match your needs.

    resource "aws_ssoadmin_account_assignment" "example" {
      instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
      permission_set_arn = "arn_of_the_permission_set" # replace this with the actual permission set ARN
      principal_id       = "group_id"                  # replace this with the group ID
      principal_type     = "GROUP"
      target_id          = "012347678910"              # replace with the account ID
      target_type        = "AWS_ACCOUNT"
    }
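
The answer above shows a single assignment; the following added example (not part of the original answer) expands it to many groups and accounts with for_each, which is what the question's 100+ accounts call for. The variable name, its shape and the data source label are assumptions made for illustration.

```hcl
# Added example: the variable and local names are hypothetical.
data "aws_ssoadmin_instances" "this" {}

variable "assignments" {
  description = "Which group receives which permission set in which accounts."
  type = list(object({
    group_id            = string       # Identity Store group ID (synced via SCIM)
    permission_set_name = string       # used only to build a stable key
    permission_set_arn  = string
    account_ids         = list(string) # strings, so leading zeros survive
  }))
}

locals {
  # One object per (group, permission set, account). The key uses the
  # permission set name rather than its ARN so that it is known at plan
  # time even when the ARN comes from a resource created in the same apply.
  account_assignments = {
    for a in flatten([
      for entry in var.assignments : [
        for account_id in entry.account_ids : {
          group_id            = entry.group_id
          permission_set_name = entry.permission_set_name
          permission_set_arn  = entry.permission_set_arn
          account_id          = account_id
        }
      ]
    ]) : "${a.group_id}/${a.permission_set_name}/${a.account_id}" => a
  }
}

resource "aws_ssoadmin_account_assignment" "group" {
  for_each = local.account_assignments

  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  permission_set_arn = each.value.permission_set_arn

  principal_id   = each.value.group_id
  principal_type = "GROUP"

  target_id   = each.value.account_id
  target_type = "AWS_ACCOUNT"
}
```

Because each assignment has its own key, removing one account from a list destroys only that assignment, and the full group-to-account mapping can be reviewed as data in a pull request.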

How to specify 4 connection strings in azurerm_app_service resource block

I have a module defined in our enterprise for creating an App Service Plan along with Azure Web Apps. But now I would like to use the "azurerm_app_service" resource block as mentioned in the link: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service
In our module the connection strings are defined under the argument:

    app_settings = {
      AzureAd__ClientSecret          = <Connection String of the App SP stored in Azure KV>
      DbConnection__ConnectionString = <Azure SQL DB Connection String stored in Azure KV>
      CosmosDb__Account              = <Connection String of the Cosmos DB Account stored in Azure KV>
      CosmosDb__Key                  = <Connection String of the Cosmos DB Account Key stored in Azure KV>
    }

Now in the resource block for "azurerm_app_service", as per the URL above, there is an argument called connection_string, as shown in the URL:

    connection_string {
      name  = "Database"
      type  = "SQLServer"
      value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
    }

So I would like to know how I can define my 4 connection strings in the resource block against the "connection_string" argument, and what types I should choose for each of my connection strings.
Will it be OK if I continue to define my connection strings as they are in the module now under "app_settings", or will that be a problem if I do that in the new resource block structure?
Looking for some help on this.
For your requirement, you can use the dynamic block to define the multiple connection_string in the azurerm_app_service resource block. Here is example code for you:

    resource "azurerm_app_service" "webapp" {
      ...
      dynamic "connection_string" {
        for_each = var.connection_strings
        content {
          # Inside a dynamic block the iterator is named after the block label,
          # not "each".
          name  = connection_string.value.name
          type  = connection_string.value.type
          value = connection_string.value.value
        }
      }
      ...
    }

So you see, you'd better use a variable to configure all the necessary things of the connection_strings, and then use it in the dynamic block.
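
The answer leaves the shape of var.connection_strings open; the following added example (not part of the original answer) defines it, validates the type field against the values the azurerm_app_service connection_string block accepts, and reads each value from Key Vault instead of placing it in the variable. The variable names, secret names and resource name are assumptions.

```hcl
# Added example: variable names and the resource name are placeholders.
variable "key_vault_id" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "app_service_plan_id" { type = string }

variable "connection_strings" {
  description = "Name, App Service type and Key Vault secret name per connection string."
  type = list(object({
    name        = string
    type        = string
    secret_name = string
  }))

  validation {
    condition = alltrue([
      for c in var.connection_strings : contains([
        "APIHub", "Custom", "DocDb", "EventHub", "MySQL", "NotificationHub",
        "PostgreSQL", "RedisCache", "ServiceBus", "SQLAzure", "SQLServer",
      ], c.type)
    ])
    error_message = "Each type must be a value accepted by connection_string.type."
  }
}

# The secret values read here are written to the Terraform state,
# so the state backend needs the same protection as the vault.
data "azurerm_key_vault_secret" "conn" {
  for_each     = { for c in var.connection_strings : c.name => c }
  name         = each.value.secret_name
  key_vault_id = var.key_vault_id
}

resource "azurerm_app_service" "webapp" {
  name                = "example-webapp"
  location            = var.location
  resource_group_name = var.resource_group_name
  app_service_plan_id = var.app_service_plan_id

  dynamic "connection_string" {
    for_each = { for c in var.connection_strings : c.name => c }
    content {
      name  = connection_string.value.name
      type  = connection_string.value.type
      value = data.azurerm_key_vault_secret.conn[connection_string.key].value
    }
  }
}
```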

COS access policies interface vs terraform

In the interface I can go to COS Bucket Access Policies and easily assign a policy that then looks more or less like:

    Cloud Object Storage service
    serviceInstance string equals foo-bar, resource string equals foo-bar-pcaps, resourceType string equals bucket

I'm struggling to find a way to do the same via terraform because whenever I try with the proper TF code like:

    resource "ibm_iam_service_policy" "policy_pcaps" {
      iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
      roles          = ["Writer"]
      resources {
        service  = "cloud-object-storage"
        resource = ibm_cos_bucket.pcaps.id
      }
    }

I'm ending up with:

    Cloud Object Storage service
    resource string equals crn:v1:bluemix:public:cloud-object-storage:global:a/27beaaea79a<redacted>34dd871b:8b124bc6-147c-47ba-bd47-<redacted>:bucket:foo-bar-pcaps:meta:rl:us-east

The problem is that the Writer policy that is required here does not work properly with those policy details.
How to achieve something similar to the first policy with Terraform?
Thanks
You can achieve this similar to this example Service Policy by using attributes.
I created a policy through the UI for Cloud Object Storage and specified the policy to contain a bucket name. Then I used:

    ibmcloud iam access-group-policy GROUP_NAME POLICY_ID --output JSON

to get a better understanding of the policy.
With that I created this sample terraform snippet and tested it. It is creating the IAM access group + policy:

    resource "ibm_iam_access_group" "accgrp_cos" {
      name = "test_cos"
    }

    resource "ibm_iam_access_group_policy" "policy" {
      access_group_id = ibm_iam_access_group.accgrp_cos.id
      roles           = ["Writer"]
      resources {
        service = "cloud-object-storage"
        attributes = {
          resourceType = "bucket"
          resource     = "tf-test-cos"
        }
      }
    }

Cloudflare page rules using terraform-cloudflare provider does not update page rules

I am using Terraform + Cloudflare provider.
I created a page rule the first time I ran terraform plan + terraform apply.
Running the same command a second time returns the error:

    Error: Failed to create page rule: error from makeRequest: HTTP status 400: content "{"success":false,"errors":[{"code":1004,"message":"Page Rule validation failed: See messages for details."}],"messages":[{"code":1,"message":".distinctTargetUrl: Your zone already has an existing page rule with that URL. If you are modifying only page rule settings use the Edit Page Rule option instead","type":null}],"result":null}"

TLDR: How can I make Terraform update an existing page rule only by changing the definition in this file? Isn't that how this was supposed to work?
This is the terraform.tf file:

    provider "cloudflare" {
      email   = "__EMAIL__"
      api_key = "__GLOBAL_API_KEY__"
    }

    resource "cloudflare_zone_settings_override" "default_cloudflare_config" {
      zone_id = "__ZONE_ID__"
      settings {
        always_online            = "on"
        always_use_https         = "off"
        min_tls_version          = "1.0"
        opportunistic_encryption = "on"
        tls_1_3                  = "zrt"
        automatic_https_rewrites = "on"
        ssl                      = "strict"
        # 8 days
        browser_cache_ttl = "691200"
      }
    }

    resource "cloudflare_page_rule" "rule_bypass_wp_admin" {
      target   = "*.__DOMAIN__/*wp-admin*"
      zone_id  = "__ZONE_ID__"
      priority = 2
      status   = "active"
      actions {
        always_use_https    = true
        always_online       = "off"
        cache_level         = "bypass"
        disable_apps        = "true"
        disable_performance = true
        disable_security    = true
      }
    }

Add the following lines to your Page rule definition:

    lifecycle {
      ignore_changes = [priority]
    }

This will instruct Terraform to ignore any changes in this field. That way, when you run a terraform apply, Terraform picks up the changes as an update to the existing resources as opposed to creating new resources.
In this case, Terraform tries to create a new Page rule, which conflicts with the Cloudflare limitation that you cannot have multiple page rules acting on the same resource path.
TIP: Run terraform plan -out=tfplan; this will print out the plan that will be applied on screen and to file. You then get some insight into the changes that Terraform will make and a chance to spot some unintended changes.

I still can't update via Terraform, so I used Python to delete it before recreating.

    # Delete existing page rules using the API before re-adding them with Terraform.
    # For some reason, I could not update them with Terraform without deleting first.
    # https://stackoverflow.com/questions/63942345/cloudflare-page-rules-using-terraform-cloudflare-provider-does-not-update-page-r
    import sys

    import CloudFlare  # python-cloudflare package

    cf = CloudFlare.CloudFlare()  # credentials are read from the environment or config file
    zone_id = "__ZONE_ID__"  # placeholder, as in the Terraform file above

    page_rules = cf.zones.pagerules.get(zone_id)
    print(page_rules)
    for pr in page_rules:
        cf.zones.pagerules.delete(zone_id, pr.get('id'))
    page_rules = cf.zones.pagerules.get(zone_id)
    if page_rules:
        sys.exit('Failed to delete existing page rules for site')

Try removing the always_use_https argument so your actions block looks like this:

    actions {
      always_online       = "off"
      cache_level         = "bypass"
      disable_apps        = "true"
      disable_performance = true
      disable_security    = true
    }

Today I discovered that there is some issue with this argument, it looks like a bug.

Cannot contain self-reference in terraform cloudflare page rule

I want to create a page rule to ensure all the incoming HTTP traffic will be converted to HTTPS.
Here is my rule:

    resource "cloudflare_page_rule" "https-only" {
      zone     = "${var.domain}"
      domain   = "${var.domain}"
      target   = "http://*${self.domain}/*"
      priority = 1
      actions = {
        always_use_https = true
      }
    }

The target line is based on the example provided by terraform.
However, when I run the terraform file, I get this error:

    Error: resource 'cloudflare_page_rule.https-only' config: cannot contain self-reference self.domain

Is the example no longer valid? If so, what is the proper syntax?
