# DevOps Training Session 8: Cloud - IAM

###### tags: `devops` `reliable` `research`

Hello, welcome back. In the previous session we ran into trouble with authentication, so this session shows how I worked through the IAM issues: how to give a VM the permissions it needs, and how to provision the VM again with a custom startup script. Enjoy it --> [:coffee:]()

## Steps and resources to reach the goal

Note: getting this functionality to behave as expected took a lot of time. If you want exactly the behaviour you have in mind, budget time to correct it; the script below reflects my own approach, and you can expect to hit some trouble along the way.

- My approach: define a role that lets a user-assigned managed identity connect to my Azure resources. Here is what that looks like.
- First we need to create the user-assigned managed identity:

```
resource "azurerm_user_assigned_identity" "main" {
  location            = data.azurerm_resource_group.current.location
  name                = "Identity_for_VM"
  resource_group_name = data.azurerm_resource_group.current.name
}
```

- The identity must live in a resource group, so that resource group has to exist first; see the [DOC](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) for more information.
- After that, the next step is to create a role, or reuse an existing one, like this:

```
# Custom role definition scoped to the resource group
resource "azurerm_role_definition" "read_container_registry" {
  name  = "rg_read_container_registry"
  scope = data.azurerm_resource_group.current.id

  permissions {
    actions = [
      "Microsoft.ContainerRegistry/checkNameAvailability/read",
      "Microsoft.ContainerRegistry/locations/operationResults/read",
      "Microsoft.ContainerRegistry/operations/read",
      "Microsoft.ContainerRegistry/registries/read",
      "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
      "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/read",
      "Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/agentpools/read",
      "Microsoft.ContainerRegistry/registries/builds/read",
      "Microsoft.ContainerRegistry/registries/buildTasks/read",
      "Microsoft.ContainerRegistry/registries/buildTasks/steps/read",
      "Microsoft.ContainerRegistry/registries/deleted/read",
      "Microsoft.ContainerRegistry/registries/listPolicies/read",
      "Microsoft.ContainerRegistry/registries/listUsages/read",
      "Microsoft.ContainerRegistry/registries/metadata/read",
      "Microsoft.ContainerRegistry/registries/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
      "Microsoft.ContainerRegistry/registries/pull/read",
      "Microsoft.ContainerRegistry/registries/quarantine/read",
      "Microsoft.ContainerRegistry/registries/runs/read",
      "Microsoft.ContainerRegistry/registries/taskruns/read",
      "Microsoft.ContainerRegistry/registries/tasks/read",
      "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
      "Microsoft.ContainerRegistry/registries/eventGridFilters/read",
      "Microsoft.ContainerRegistry/registries/exportPipelines/read",
      "Microsoft.ContainerRegistry/registries/importPipelines/read",
      "Microsoft.ContainerRegistry/registries/pipelineRuns/read",
      "Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/replications/read",
      "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/scopeMaps/read",
      "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/tokens/read",
      "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/webhooks/read",
      "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
      "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
      "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
    ]
    not_actions      = []
    data_actions     = []
    not_data_actions = []
  }
}
```

- This role only grants read access to the Container Registry; for other resource types you need to set up the authorization that lets the identity connect to them separately.
- Finally the role has to be assigned to a target scope. To keep this case simple, I assigned it at the resource group level, for two reasons:
- First, inheritance: in most cases the resource group is the largest scope I need. The subscription is larger still, but I don't want to grant a role that lets everything under the subscription reach my repository. Zero trust at the resource-group boundary is quite easy to reason about.

![](https://i.imgur.com/UURU1Ld.png)

![](https://i.imgur.com/MWurxDC.png)

- Second, it is easy to manage: when the assignment lives on one boundary, anything can be removed or updated easily.

![](https://i.imgur.com/MjshpYe.png)

## Custom script for VM

The question we ran into: how do we customize the startup data so that, when we bring up the VM, the service inside it is already running?

For example:

```
#!/bin/bash
# Runs as root via the CustomScript extension, so sudo is not strictly needed here.
apt update
apt install docker-compose -y
apt install pass gnupg2 -y
# Install the Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Log in with the VM's managed identity: no credential is stored in this script
az login --identity
# Log in to the registry (needs the pull permission from the custom role above)
az acr login --name devopsorient
# Fetch the compose file from blob storage with the same identity
az storage blob download --auth-mode login --account-name <blob_storage_name> -c docker -n docker-compose.yaml > docker-compose.yaml
docker-compose up -d
```

- To execute this script on startup (cloud-init style), we need [this kind of resource](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension), and this [Doc](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux) explains what the extension expects.
- After that we can add the script with something like:

```
resource "azurerm_virtual_machine_extension" "start_up_script" {
  name                 = "${local.environment}StartUpScript"
  virtual_machine_id   = azurerm_linux_virtual_machine.my_terraform_vm.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"

  # The script is shipped inline, base64-encoded. `settings` is stored in plain
  # text and readable by anyone who can view the VM; if the script ever carries a
  # secret, put the "script" key under `protected_settings` instead.
  settings = <<SETTINGS
{
  "script": "${base64encode(file("${abspath(path.root)}/startup.sh"))}"
}
SETTINGS

  tags = local.common_tags
}
```

With that in place, Terraform brings up the VM and the shell script creates the service you want :coffee:

## Behind the scene

- Any IAM rule of this kind can refer to the container registry, the blob storage, and so on.
  --> So the next step is clear: create the VM.
- Goal reached :coffee: LOL :smile:

`Example:`

![](https://i.imgur.com/7Tq2uLb.png)

## References

- [Doc: azurerm_virtual_machine_extension](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension)
- [Azure virtual machine extensions and features](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview)
- [Azurerm virtual machine extension example](https://stackoverflow.com/questions/54088476/terraform-azurerm-virtual-machine-extension)
- [Custom script example](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows)
- [Grep with next line](https://unix.stackexchange.com/questions/320706/grep-search-next-line)
- [Error retrieving Azure Storage Account](https://github.com/hashicorp/terraform-provider-azurerm/issues/12470)
- [Custom Script Linux](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux)
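The note defines the identity and the custom role but never shows the assignment step or how the VM picks up the identity; the following is an added example (not the note's own code) that wires those pieces together. It reuses the note's resource names (`data.azurerm_resource_group.current`, `azurerm_user_assigned_identity.main`, `azurerm_role_definition.read_container_registry`, `local.environment`) and assumes a network interface `azurerm_network_interface.main`, an SSH key path and a VM size, all of which are assumptions.

```hcl
# Added example: bind the custom role to the identity at resource-group scope only
# (not the subscription), so the VM can read and pull from ACR and nothing more.
resource "azurerm_role_assignment" "vm_acr_read" {
  scope              = data.azurerm_resource_group.current.id
  role_definition_id = azurerm_role_definition.read_container_registry.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.main.principal_id
}

# `az storage blob download --auth-mode login` needs a data-plane blob permission,
# which the custom role does not grant; the built-in Storage Blob Data Reader role
# covers it. Assumption: the storage account lives in the same resource group.
resource "azurerm_role_assignment" "vm_blob_read" {
  scope                = data.azurerm_resource_group.current.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.main.principal_id
}

# The VM carries the identity, so `az login --identity` in startup.sh works with no
# credential on disk. The extension that runs startup.sh should depend_on both role
# assignments, otherwise it can race ahead of RBAC propagation and fail to log in.
resource "azurerm_linux_virtual_machine" "my_terraform_vm" {
  name                  = "${local.environment}-vm"
  location              = data.azurerm_resource_group.current.location
  resource_group_name   = data.azurerm_resource_group.current.name
  size                  = "Standard_B2s"                          # assumption
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.main.id]     # assumed to exist

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub")                        # assumption
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.main.id]
  }
}
```

Both assignments use `principal_id` (the service principal behind the identity), not the identity's resource `id`; mixing those up is the usual cause of a "principal not found" error at apply time.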