Custom deployment with Azure template - azure

I am trying to create a virtual machine from a template in Azure. There are two fields which are blocking me (the CIDR field); can someone please have a look into it? Unable to bypass the notion.

You must specify your address as a string, not an array:
"10.0.0.0/24"
Not sure about the second one, probably the same issue.
CIDR: https://es.wikipedia.org/wiki/Classless_Inter-Domain_Routing

Well, looking at the question, the comment and the answer that was provided.
First, the reason why your template errored out was the values that you put in the template. If you do not specify a value, you should be able to just put the information like 10.0.0.0/24 when filling out the template and that will work.
Note that the subnets section is only asking for CIDR notation for the subnet range.

Related

How to create a resource group that can be shared between modules in terraform?

What is the proper way to create a resource group in terraform for azure that can be shared across different modules? I've been banging my head against this for a while and it's not working. As you can see in this image, I have a resource group in a separate folder. In my main.tf file I load the modules appservice and cosmosdb. I can't seem to figure out how to make the appservice and cosmosdb tf files reference the resource group here that is in this location. How is this done? Any suggestions would be greatly appreciated. Thank you.
In general, it is not recommended to have a module with a single resource like you have organized your code. However, in this situation, you would need to provide the exported resource attributes as an output for that module. In your resource_group module:
output "my_env_rg" {
  value       = azurerm_resource_group.rg
  description = "The my-env-rg Azure resource group."
}
Then, the output containing the map of exported resource attributes for the resource becomes accessible in a config module where you have declared the module. For example, in your root module config (presumably containing your main.tf referenced in the question):
module "azure_resource_group" {
  source = "resource-group"
}
would make the output accessible with the namespace module.<MODULE NAME>.<OUTPUT NAME>. In this case, that would be:
module.azure_resource_group.my_env_rg
There are two different kinds of sharing that require different solutions. You need to decide which kind of sharing you're looking for because your example isn't very illustrative.
The first is where you want to make a pattern of creating things that you want to use twice. The goal is to create many different things, each with different parameters. The canonical example is a RDS instance or an EC2 instance. Think of the Terraform module as a function where you execute it with different inputs in different places and use the different results independently. This is exactly what Terraform modules are for.
The second is where you want to make a thing and reference it in multiple places. The canonical example is a VPC. You don't want to make a new VPC for every autoscaling group - you want to reuse it.
Terraform doesn't have a good way of stitching the outputs from one set of resources as inputs to another set. Atlas does and Cloudformation does as well. If you're not using those, then you have to stitch them together yourself. I have always written a wrapper around Terraform which enables me to do this (and other things, like validation and authentication). Save the outputs to a known place and then reference them as inputs later.

How does one get the Tags of an AWS resource by its ARN?

I'm working on a service that I want to use to monitor tags and enforce tagging policies.
One planned feature is to detect resources that are tagged with a value that is not allowed for the respective key.
I can already list the ARNs of resources that have a certain tag-key and I am now looking to filter this list of resources according to invalid values. To do that I want to query a list of each resource's tags using its ARN and then filter by those that have invalid values in their tags.
I have
[{
  "ResourceArn": "arn:aws:ec2:eu-central-1:123:xyz",
  "ResourceType": "AWS::Service::Something"
}, ...]
and I want to do something like
queryTags("arn:aws:ec2:eu-central-1:123:xyz")
to get the tags of the specified resource.
I'm using nodejs, but I'm happy to use a solution based on the AWS cli or anything else that can be used in a script.
You can use that through awscli.
For example, EC2 has the command describe-tags for listing the tags of resources, and I think other services also have commands like this. It also has options that meet your need.
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-tags.html
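As an added example (not code from the question or the answer above), here is the tag-policy filter the question describes, written against the output shape of `aws ec2 describe-tags` from the answer. The policy, the sample tags and the `queryTags`/`findInvalidTags`/`resourcesWithInvalidTags` names are assumptions, and the describe-tags result is constructed so the code runs offline.

```javascript
// describe-tags is keyed by resource id, not ARN, so the ARN from the question
// is first reduced to its trailing resource id (e.g. "i-0aaa").
function resourceIdFromArn(arn) {
  // ARN: arn:partition:service:region:account:resource; EC2 resource part is "instance/i-0123" or "sg-0123"
  const resource = arn.split(":").slice(5).join(":");
  return resource.includes("/") ? resource.split("/").pop() : resource;
}

// Policy (constructed): allowed values per key. Unlisted keys are unconstrained.
const TAG_POLICY = {
  Environment: ["dev", "test", "prod"],
  DataClassification: ["public", "internal", "confidential"],
};

// Constructed sample in the shape of describe-tags' "Tags" array.
const SAMPLE_DESCRIBE_TAGS = {
  Tags: [
    { Key: "Environment", ResourceId: "i-0aaa", ResourceType: "instance", Value: "prod" },
    { Key: "DataClassification", ResourceId: "i-0aaa", ResourceType: "instance", Value: "secret" },
    { Key: "Environment", ResourceId: "i-0bbb", ResourceType: "instance", Value: "Prod" },
    { Key: "Owner", ResourceId: "i-0bbb", ResourceType: "instance", Value: "team-x" },
  ],
};

// queryTags(arn): the tags of one resource as {Key: Value}.
function queryTags(arn, describeTagsResult = SAMPLE_DESCRIBE_TAGS) {
  const id = resourceIdFromArn(arn);
  const tags = {};
  for (const t of describeTagsResult.Tags) {
    if (t.ResourceId === id) tags[t.Key] = t.Value;
  }
  return tags;
}

// Violations for one resource. Comparison is exact and case-sensitive: "Prod" is not "prod".
function findInvalidTags(tags, policy = TAG_POLICY) {
  const violations = [];
  for (const [key, allowed] of Object.entries(policy)) {
    if (key in tags && !allowed.includes(tags[key])) {
      violations.push({ key, value: tags[key], allowed });
    }
  }
  return violations;
}

// Filter a list of {ResourceArn, ResourceType} (as in the question) down to those with a disallowed value.
function resourcesWithInvalidTags(resources, result = SAMPLE_DESCRIBE_TAGS) {
  return resources
    .map((r) => ({ ...r, violations: findInvalidTags(queryTags(r.ResourceArn, result)) }))
    .filter((r) => r.violations.length > 0);
}
```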

How can I find unattached firewall rules

I'm reviewing firewall rules. The rules appear to be attached by tag, is there a way to identify firewall rules to which there is no corresponding resource?
Objects "VM instance" and "Firewall rule" have a "Network tag" attribute, that logically binds them:
CloudShell:$ gcloud compute instances describe lamp-1-vm --zone=us-central1-f
...
tags:
  items:
  - lamp-1-deployment
CloudShell:$ gcloud compute firewall-rules describe my-http-enable
...
targetTags:
- lamp-1-deployment
You may use gcloud and some shell scripting to build a list of firewall rules with network tags, and a list of instances with tags, and then use a loop to seek for firewall rules whose tags are not in use.
Here you'll find some useful examples:
Filtering and formatting fun with gcloud, GCP’s command line interface
I had a go at building a solution to this puzzle which can be found in the public repo here:
https://github.com/kolban-google/firewall-instances
The docs for it are:
Within a GCP project we can define firewall rules. These rules can be associated with compute engine instances through the use of tags. In a firewall rule, we can specify a set of one or more named tags and the rule will be applied only if a tag in the firewall rule matches a tag associated with a compute engine. As our project grows, we may end up with lots of firewall rules and we may find ourselves asking the question "Are there any firewall rules which have no matching compute engine instances?". We can manually examine each firewall rule and then look to see if there are any matching instances but this is laborious and error prone. In this project we describe a sample tool that dynamically retrieves the current firewall rules and then automatically searches for matching compute engine instances that have the corresponding tag.
To run the tool download and then:
npm install
node index.js --projectNum [projectNum]
where projectNum is the numeric id of a project. The result is a JSON string of the format:
[
  {
    "name": "[FIREWALL_RULE_NAME]",
    "instances": [
      "INSTANCE_NAME",
      ...
    ]
  },
  ...
]
If a firewall rule has no matching instances, the instances field will not be populated.
From an algorithm perspective:
Get the list of all firewall rules;
For each of the firewall rules {
  Get the networkTags for that rule;
  Search for all compute instances that have one or more of those tags;
  List the rule and the associated compute instances that have the tags;
}
This project is provided as-is as an example.
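The algorithm above, as an added JavaScript example that is not the kolban-google tool's own code: it runs offline on constructed samples shaped like the `--format=json` output of `gcloud compute firewall-rules list` (name, targetTags) and `gcloud compute instances list` (name, tags.items), and it also covers rules with no targetTags, which apply to every instance in their network rather than being unattached. The function names are assumptions.

```javascript
// Constructed samples shaped like `gcloud compute firewall-rules list --format=json`
// (name, targetTags) and `gcloud compute instances list --format=json` (tags.items).
const SAMPLE_FIREWALL_RULES = [
  { name: "my-http-enable", targetTags: ["lamp-1-deployment"] },
  { name: "old-ssh-rule", targetTags: ["legacy-bastion"] },
  { name: "allow-internal" }, // no targetTags: applies to the whole network
];
const SAMPLE_INSTANCES = [
  { name: "lamp-1-vm", tags: { items: ["lamp-1-deployment"] } },
  { name: "db-1", tags: { items: ["db", "lamp-1-deployment"] } },
  { name: "untagged-vm" },
];

// Index instances by network tag once, so each rule lookup costs O(tags in rule).
function indexInstancesByTag(instances) {
  const byTag = new Map();
  for (const inst of instances) {
    for (const tag of (inst.tags && inst.tags.items) || []) {
      if (!byTag.has(tag)) byTag.set(tag, new Set());
      byTag.get(tag).add(inst.name);
    }
  }
  return byTag;
}

// Same output shape as the answer's tool, [{name, instances}], plus an
// appliesToAll flag: a rule without targetTags matches every instance in its
// network (all samples here share one network), so it is never "unattached".
function matchRulesToInstances(rules, instances) {
  const byTag = indexInstancesByTag(instances);
  return rules.map((rule) => {
    const tags = rule.targetTags || [];
    if (tags.length === 0) {
      return { name: rule.name, appliesToAll: true, instances: instances.map((i) => i.name) };
    }
    const matched = new Set();
    for (const tag of tags) for (const n of byTag.get(tag) || []) matched.add(n);
    return { name: rule.name, appliesToAll: false, instances: [...matched].sort() };
  });
}

// The review question itself: rules whose target tags match no instance.
function unattachedRules(rules, instances) {
  return matchRulesToInstances(rules, instances)
    .filter((r) => !r.appliesToAll && r.instances.length === 0)
    .map((r) => r.name);
}
```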

Get the "PRIMARY STATIC WEBSITE ENDPOINT" from Azure PowerShell

In the Azure Portal I can look up a Storage Account and go to the Settings/Properties section and see the list of properties which contains PRIMARY STATIC WEBSITE ENDPOINT. Alternatively I can see the same information in the Settings/Static Website section marked as Primary endpoint.
How do I get that with the Azure PowerShell "Az" module?
Alternatively, I can piece together the URL if I can find the zone information from somewhere. e.g. From this template https://<ACCOUNT_NAME>.<ZONE_NAME>.web.core.windows.net/<FILE_NAME>
Or is there another way I can get the information I need easily from within a PowerShell script?
You can get the PRIMARY STATIC WEBSITE ENDPOINT details using Az module with the below command or snippet.
(Get-AzStorageAccount -ResourceGroupName <RESOURCEGROUPNAME> -Name <STORAGEACCOUNTNAME>|select PrimaryEndpoints).PrimaryEndpoints.Web
For illustration, please see below screenshot.
Hope this helps!! Cheers!!
I've found a sort of solution. It doesn't feel ideal. I would hope that there is a more concise and less fragile way to get this information but the following gets me what I am looking for in PowerShell, after a fashion.
I had to install an additional PowerShell module, that I would have thought be installed already, but...
Install-Module Az.ResourceGraph
And then I was able to use the Search-AzGraph function like this:
(Search-AzGraph -Subscription <SubscriptionGuidHere> `
    -Query "where type == 'microsoft.storage/storageaccounts' | where name == '<StorageAccountName>' | limit 1")`
    .aliases `
    .'Microsoft.Storage/storageAccounts/primaryEndpoints.web'
I don't know if this is the best query syntax, as I managed to cobble it together from a variety of documentation I've only just found and a bit of brute force and ignorance.
The above is also a little fragile - I suspect there is caching going on somewhere, or maybe where this function gets its information from simply hasn't got the latest information. If you run this too quickly after creating the storage account you get nothing back, but wait a few seconds and it returns the information. The longest I've had to wait for the above to bring back results is about 30 seconds.
If anyone has a better solution, I'd love to go down that route instead, as Search-AzGraph is probably okay for monitoring, but not good when you want to get the name of an end point so the next part of a script can use that to continue what it is doing.

What am I supposed to put in URI parameter in ARM template for Automation module?

As per the documentation of Microsoft.Automation/automationAccounts/modules (https://learn.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts/modules#ContentLink) it's expecting a URI parameter. What exactly is supposed to be at the end of that parameter? I want to push my custom module; it's possible through the UI via a ZIP file, and I expected that I can specify a ZIP with a custom DSC resource, but it did not work. There is no documentation I was able to find about what shall appear in that URI.
You need to provide a URI to your zipped DSC module ;) There are a bunch of articles online that you can salvage data from. Like this.
Also, take a look here