Deleting An Azure Resource That Is Stuck In A 'Deleting Resource' Status
I have recently been working with some of Azure’s Artificial Intelligence (AI) resources, and had built out a lab in Terraform only to find when destroying it that the resource was stuck in a ‘Deleting Resource’ state. I wasn’t able to remove it via the portal or via Terraform, and couldn’t find a solution online either. So this post is to capture what I did in the hope it helps someone in the future.

Creating A Modern Azure Diagnostics Policy That Generative AI Couldn't - Yet!
I have recently been working with an organisation who wanted to improve their security posture in Azure by using Azure Policy to configure Diagnostic Settings for their Azure resources at scale. They wanted to make use of Category Groups to dynamically collect all available logs and metrics and simplify the policy logic so it could be reused across multiple resources. I thought ‘that sounds simple enough, as there will be a built-in policy that does all that’, but there wasn’t, so I set to work.

Modifying An Existing Azure Policy
There may well come a time when there isn’t a Built-In Azure Policy that meets your needs, and you need to either modify an existing policy or create a new policy from scratch. Creating custom policies should always be a last resort, as the Built-In policies Azure provides are kept up to date and version controlled by Microsoft. As soon as you create a custom policy, you are responsible for maintaining it when capability is added or deprecated.
Exporting Azure Management Group Activity Logs
I’ve been working with Management Groups a lot recently in my day job and have really seen the benefit of being able to enforce governance by assigning RBAC roles and policies once, and have all new subscriptions inherit them. However, I soon realised there was no way in the Azure Portal or the native Azure RM Terraform provider to export the Activity Logs to a Log Analytics Workspace for use with Sentinel, so I decided to figure out a solution to this.
Creating A Working PowerShell Based Azure Function With Terraform
This is a post I’ve wanted to write for a while, but was one of those side projects I’ve picked up and put down a few times due to other priorities getting in the way. This idea came about because I wrote a PowerShell script to perform some housekeeping actions in Azure and I wanted it to run unattended on a scheduled basis.
How I Protect Secrets In Terraform Configurations
I have already touched on the importance of Terraform state in a previous post, but I wanted to expand on this from a security perspective. Let’s get this out of the way now: Terraform stores secrets in its state file in plain text! There, I said it. So how do I protect against secrets being revealed that could allow an attacker to compromise my systems? Well, I use a defence in depth strategy in a number of ways.

How I Minimise Terraform Admin Effort & Manage The Constant Change
In a previous post I explained why I don’t advocate the use of child modules, but I wanted to quickly explain how I keep Terraform admin overhead to a minimum when creating standard resources whilst also working with the constant rate of change that cloud brings.