SoliDeoGloria.tech

Technology for the Glory of God

Use a Parameter to Assign User Assigned Managed Identities to Resources with Bicep

Isn’t that title a mouthful.

Coming from Terraform, there are some things that seem strange in Bicep. One of those is the way that the Resource Manager API handles assigning User Assigned Managed Identities (UAMIs). If you look at the API documentation for a resource (in this case we are going to use an Event Hub Namespace, but this applies to all resources that can have a UAMI assigned) you will see that the userAssignedIdentities value of the identity property looks like this:

Read more…

Logic App (Standard) and API Connections

I have recently had the pleasure (You keep using that word. I do not think it means what you think it means.) of deploying Logic App workflows on a Logic App (Standard) instance. For those not familiar with Logic App (Standard), they are the single-tenant instance of Logic Apps. They provide the ability to host your workflows within a virtual network, something that cannot be done with a consumption Logic App. Under the hood, standard Logic Apps are a completely different beast to consumption Logic Apps. Consumption apps can only have a single Workflow in the app (which makes sense when you consider you also pay by the execution), while standard apps are deployed into an App Service plan and can therefore have multiple workflows in a single Logic App.

Read more…

Allow Traffic Manager Probes Through Azure Firewall

Traffic Manager is an essential component of any resilient deployment within Azure. Whether you have a multi-region behemoth, or simply want a simple way to activate DR instances should the primary go down, Traffic Manager has a configuration for you. One key component of Traffic Manager is its probes—by frequently checking the status of your application, Traffic Manager can make intelligent decisions about where to direct the traffic.

As with all services, there are a specific set of IP addresses from which the probes will originate. Microsoft even helpfully provide a Service Tag AzureTrafficManager which is kept up-to-date with the latest IP addresses used by Traffic Manager probes. They even tell us that this Service Tag is supported for use in Azure Firewall.1 Except… that is not the whole story.

Read more…

Deploying Terraform via a DevOps Pipeline

Not everyone is privileged to be able to use Terraform Cloud for deploying their Terraform infrastructure. This means that teams need to use their existing DevOps tooling to deploy their infrastructure via Terraform.

While I’ve seen many examples of pipelines for deploying Terraform code with various services, it felt like something was missing. Most example pipelines were designed to just run once a code review had occurred, and often would automatically deploy the changed code without any intervention. This wasn’t going to fly for us in a recent project. We needed a more robust plan for deployment, one that would cater for not only deployment of the infrastructure, but an opportunity to wait for approval of a specific plan, plus checks to make sure that the newly-committed code was up to standard.

Read more…

Authenticating Terraform with a GitHub App

In my current role, I configured Terraform to manage our GitHub organisation. As with all providers, we need to provide credentials for authentication. I didn’t want to use an access token, as they are tied to an individual user and will cause breakage should the user depart the organisation. Thankfully, GitHub supports using an application for authentication.

Create the GitHub Application

The first step in the process is to create a new GitHub application. While this can be done either in a personal account or within an organisation, I recommend doing this within the organisation. That way, if someone leaves the organisation the application doesn’t go with them.

Read more…

Automatic Virtual Network CIDR Assignments with Azure IPAM and Bicep

Recently Microsoft announced a public preview of native IP Address Management in Azure, powered by Virtual Network Manager. Being new technology, and with a new landing zone to build, I decided to test and see if we could use it to make IP management simpler.

The starting point was to completely miss the documentation and try and work it out myself. Sadly, the API documentation has yet to be updated to cover the new properties, and tracing the portal requests didn’t help either, since it uses a slightly different flow (sigh!).

Read more…

Access Terraform Private Modules in GitHub Actions

In a recent project we used GitHub Actions to deploy our Terraform code. While not the best way to deploy Terraform, we had it working nicely.

One of the biggest challenges we encountered was how to download the private Terraform modules we had created. In a GitHub Actions workflow you can specify the permissions that the runner should be granted. However, these permissions are scoped to the repository that the Action is running on, and it is not possible to add additional repos to the permission set.

Read more…