-
Manually provision:
terraform init -backend-config=/c/conf/demoadminsa.conf terraform validate terraform plan terraform apply
If running pipeline on Windows, apply via below to properly set Docker host:
terraform plan -var="is_windows=true" terraform apply -var="is_windows=true"
-
Enable automatic provisioning by connecting repo to Azure DevOps and adding
azure-pipelines.ymlto pipeline:- Connect Key Vault secrets as variable group within Azure Devops
- Static code check via Checkov
-
Wait 10m and confirm container logs in container instance say
Server running at http://localhost: 3000.
-
Input
az login az account list
az account set --subscription="SUB_ID" # Recommend narrower permissions with custom role for production az ad sp create-for-rbac --scopes="/subscriptions/SUB_ID" role="Contributor"
-
Output
# Creating 'Contributor' role assignment under scope '/subscriptions/SUB_ID' { "appId": "APP_ID", "displayName": "azure-cli-2021-09-14-10-09-48", "password": "PASSWORD", "tenant": "TENANT" }
These values map to Terraform variables like so:
- appId = client_id
- password = client_secret
- tenant = tenant_id
-
Test service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT
-
Apply additional registry permissions to service principal
az role assignment create --assignee APP_ID --role acrpull
-
Located in permanent resource group (not managed by terraform)
-
Confirm that you have disabled public blob access.
az storage account create \ --name demoadminsa \ --resource-group demo-admin-rg \ --kind StorageV2 \ --sku Standard_LRS \ --https-only true \ --allow-blob-public-access false
-
Create
adminblob container in storage account
- Located in permanent resource group (not managed by terraform)
-
Connect Key Vault secrets as variable group within Azure Devops
az keyvault create \ --name "demo-admin-kv" \ --resource-group "demo-admin-rg" \ --location "eastus2"
-
Add service principal secrets to key vault to authenticate Azure changes:
- kv-arm-subscription-id
- kv-arm-client-id
- kv-arm-client-secret
- kv-arm-tenant-id
-
Add storage account secrets to key vault to store TF state file:
- kv-tf-state-blob-account
demoadminsa - kv-tf-state-blob-container
admin - kv-tf-state-blob-file
project.tfstate - kv-tf-state-sas-token
?xxx
- kv-tf-state-blob-account
-
Add storage account secrets to a local
demoadminsa.conffile:-
Make sure either outside repo or included in
.gitignorestorage_account_name="demoadminsa" container_name="admin" key="project.tfstate" sas_token="?xxx"
-
Run Terraform locally with a remote state file via
-backend-config=demoadminsa.conf
-
-
Error message: state blob is already locked:
terraform force-unlock ID_OF_LOCK_SHOWN_IN_ERROR
Terraform will remove the lock on the remote state. This will allow local Terraform commands to modify this state, even though it may be still be in use.
-
Container stuck in "waiting":
Caused when redeploying container as same name. Resolve using a dynamic name.
-
Resource time_sleep does not trigger for all changes:
Set a trigger that detects a change, such as a file hash
filesha1(format("%s/build/Dockerfile", path.root)). -
Terraform target a single resource if necessary:
terraform apply -target=module.initial_resources.docker_registry_image.user
- Log Analytics Workspace is created, but not yet connected.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent