HackMD
DevOps Training Session 8: Cloud - IAM
tags: devops reliable research
Hello btb from previous session, we meet some trouble for authentication so reach this session, i want show how i process some issue about IAM, how to get permission for VM and provisioning again for VM with customstring, so enjoy it –>
Image Not Showing
Possible Reasons
Learn More →
Step and resource for run goal with searching
Note: This functionallity is cost to much time to process with expectation so –> If you want to do what exactly you want, you need to give time to correct it, my script is just my opinion and will meet some trouble can guess
So on my opinion, i just put down some rule for connection my resource from azure by using user-managed identity so what we got
- We need create the user-managed-identity for first
resource "azurerm_user_assigned_identity" "main" {
location = data.azurerm_resource_group.current.location
name = "Identity_for_VM"
resource_group_name = data.azurerm_resource_group.current.name
}
- This require one need to stay in resource group and so you must to do it first or reference into the DOC for read more information
- After that, you need reach to next step on create rule or using the exist rule like
# Defination custom role for resource group
resource "azurerm_role_definition" "read_container_registry" {
name = "rg_read_container_registry"
scope = data.azurerm_resource_group.current.id
permissions {
actions = [ "Microsoft.ContainerRegistry/checkNameAvailability/read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.ContainerRegistry/operations/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/builds/read",
"Microsoft.ContainerRegistry/registries/buildTasks/read",
"Microsoft.ContainerRegistry/registries/buildTasks/steps/read",
"Microsoft.ContainerRegistry/registries/deleted/read",
"Microsoft.ContainerRegistry/registries/listPolicies/read",
"Microsoft.ContainerRegistry/registries/listUsages/read",
"Microsoft.ContainerRegistry/registries/metadata/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/eventGridFilters/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read"]
not_actions = []
data_actions = []
not_data_actions = []
}
}
-
This rule used for read the Container registry, other resource we need to generate the authentication to connect into that kind
-
So the end we got to do somekind like assign this for target. In this situation, for easy case i assign this rule for Resource group for two reason
- First, the inheritance which the most of case, Resource group is the biggest but another is bigger than is Subcription but this kind is don't want give the rule for all kind can access my repo –> Trust zero for this resource group - quite easy
Image Not Showing Possible Reasons- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Image Not Showing Possible Reasons- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
- Second, it easy to managed –> U can understand when you give it for this for one boundary –> Anything can remove and update easily
Image Not Showing Possible Reasons- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
- First, the inheritance which the most of case, Resource group is the biggest but another is bigger than is Subcription but this kind is don't want give the rule for all kind can access my repo –> Trust zero for this resource group - quite easy
Custom script for VM
Question we meet on situation how to custom for startup data, when we bring up the VM we got service inside. Like Example
#!/bin/bash
apt update
apt install docker-compose -y
apt install pass gnupg2 -y
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az login --identity
az acr login --name devopsorient
az storage blob download --auth-mode login --account-name <blob_storage_name> -c docker -n docker-compose.yaml > docker-compose.yaml
docker-compose up -d
- So we want to execute this script on startup with cloudinit we need using this kinds and we need this Doc to understand what we need to do
- So after that we can add on some script with this kind like
resource "azurerm_virtual_machine_extension" "start_up_script" {
name = "${local.environment}StartUpScript"
virtual_machine_id = azurerm_linux_virtual_machine.my_terraform_vm.id
publisher = "Microsoft.Azure.Extensions"
type = "CustomScript"
type_handler_version = "2.0"
settings = <<SETTINGS
{
"script": "${base64encode(file("${abspath(path.root)}/startup.sh"))}"
}
SETTINGS
tags = local.common_tags
}
So after that we got the service can create with terraform like what you want with shell script
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Behind the scene
- Anything kind on that IAM can reffer that container, blob, … –> So this kind you can understand what we need to do on next step is create the VM
- Get the goal LOLImage Not Showing Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Image Not Showing Possible Reasons- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Example:
References
Doc: azurerm_virtual_machine_extension
Azure virtual machine extensions and features
Azurerm virtual machine extension example
Custom script example
Grep with next line
Error retrieving Azure Storage Account
Custom Script Linux
