Use RBAC for your Azure Terraform Backend Are you using Azure RBAC to access your Azure Terraform state? Are you sure 😉? Have you tried turning off access keys & does everything still work? Hopefully it’s obvious why storage account access keys should be avoided, but just in case - they are long-lived tokens that provide full access to your storage account, without requiring the need to authenticate to your Azure tenancy. SAS tokens are constrained, so a bit better, but Entra ID is the way.

Regardless of whether you are writing AVM modules, or simply using them, it is useful to understand the “shared interfaces”, as described on the AVM website. Each module must implement the following interfaces if they are supported by the underlying resource: What does this mean as a module consumer? It means there should be a module input available for each of these: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 module "keyvault" { source = "Azure/avm-res-keyvault-vault/azurerm" version = "0.5.1" name = module.naming.key_vault.name_unique location = azurerm_resource_group.this.location resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.this.tenant_id sku_name = "standard" role_assignments = { # define the role assignments } lock = { # define the resource locks } private_endpoints = { # define the private endpoints } diagnostic_settings = { # define the diagnostic settings } // etc tags = var.tags } Whether you use them, is optional. Lets dive into some examples!

This is a post about writing your first Azure Verified Modules, for those interested in the background about AVM, check out this recent intro on YouTube. This is recommended as a learning exercise to familiarise yourself with AVM. I strongly encourage contributing to the official resource modules Microsoft is in the process of building. We’re going to focus on writing a resource module: It is recommended to use a unix-based system for writing AVM modules (e.g. either WSL2, a Mac, a Linux variant, or GitHub codespaces).

newres is a command line utility that helps you write Terraform modules faster. It supports multiple cloud providers (e.g. azure, aws, gcp), and several other providers too (e.g. kubernetes & tls). Usage To use, is as easy as: 1 newres -dir [DIRECTORY] [-u] [-r RESOURCE_TYPE] …e.g. for an Azure Resource Group: 1 newres -dir ./ -r azurerm_resource_group This will create the ‘main.tf’ and ‘variables.tf’ covering the arguments from the schema documentation. The example screenshot below shows the start of main.tf for a cognitive services account resource, illustrating the coverage and the use of dynamics for optional blocks.

Privacy is normal Privacy is for good guys. It’s for mums and bike messengers and foodies. Privacy is for business meetings and voting booths. It’s why we have shower curtains. It’s why we have that little padlock icon in our browser bar. Privacy protects you from discrimination and from identity theft, and it keeps your food-delivery history under wraps. It can also shield you from those creepy somebody-has-definitely-been-listening-to-my-thoughts ads on social media apps.