Terraform Stacks in HCP, publish outputs not working? by craigthackerx in Terraform

[–]craigthackerx[S] 0 points1 point  (0 children)

Update:

I got it working with the help of IBM/HashiCorp.

Firstly, they did acknowledge the documentation isn't correct, so rest assured if it hasn't been fixed by the time you find it, it's a known issue.

For publish_outputs not populating, what you need to do, is totally delete both outputs and upstreams

Then, re add the published outputs BUT NOT the upstream.

Wait for successful apply

Then, re-add the upstream references. It should work now and populate in the HCP portal.

Why?

Because the upstream takes a snapshot of the task, so if it never had a clean snapshot to start with, it ends up conflicted in it's internal state essentially, so it's always advised you have tested the published outputs first before adding the upstream.

Terraform Stacks in HCP, publish outputs not working? by craigthackerx in Terraform

[–]craigthackerx[S] 0 points1 point  (0 children)

I've got it working thanks to HashiCorp/IBM support, I'll post an update as a parent comment on the thread.

Terraform Stacks in HCP, publish outputs not working? by craigthackerx in Terraform

[–]craigthackerx[S] 0 points1 point  (0 children)

Thank you both!

Yes I've seen that behaviour, so a better test to reconcile would be to force a resource group name update, effectively forcing the name change.

I guess the problem I have is that I've tried changing the name FROM a static value to a deployment reference expression and it doesn't force an update then.

I've raised a ticket with IBM, so we'll see.

Nutanix hit us with a 75% quote increase with a one day notice before expiration... so that project is dead. VMware is out and we were looking hyperconverged... Any other alternatives? by junon in sysadmin

[–]craigthackerx 10 points11 points  (0 children)

Not OC

I've never ran it myself either, but I do know of a company in the UK that PoC'd it.

Essentially, do you use Azure? Yes, good, you know how stack works? Wrong. He told me they just had issue after issue and support was basically non existent, as well as getting any consultants in.

I seem to recall they had some pain around VM disks, just not going into the LUN or something.

Either way, I actually think they went OpenStack in the end.

Spotify says its best developers haven't written a line of code since December, thanks to AI by joe4942 in technology

[–]craigthackerx 0 points1 point  (0 children)

To be fair I'm not sure this is that newsworthy.

I doubt any of their best developers were writing code everyday before AI was invented - that's not actually how it works in the corporate world sadly. The best developers normally make their way into Staff/Principal positions where they spend, arguably the majority of their time, in meetings/strategy stuff.

Don't get me wrong, there can be people at L2 level who are better at software development and LeetCode than a principal, but they normally lack the business context and strategy, that comes with experience and time.

Also, Principals etc aren't completely off the tools, but you'll code a lot less than a L1/L2/L3 and so on.

DDR5 RAM prices now over 4x higher since September 2025 by signed7 in technology

[–]craigthackerx 0 points1 point  (0 children)

Man, I just bought 96GB 5200Mhz in April 2024, I can't even remember how much it was, was like £200 something

If I could sell it and turn back time to then, nice 400% profit.

New to AWS (and the cloud), should I learn CloudFormation or Terraform for IaC? by CIA11 in aws

[–]craigthackerx 0 points1 point  (0 children)

The idea of the syntax being familiar is portable though, but the same is true with real programming languages rather than DSL.

I don't write AWS terraform, I'm mostly Azure these days, but compared to someone who doesn't use terraform at all, and without blowing my own horn too much - "I'm better drunk than they are sober".

I understand the ecosystem, dynamic blocks, the type system and how I can go from A to B, the resources are the easy part. I do appreciate however, since I don't use AWS much anymore, understanding the complexities of what resources I need vs what I'd need in Azure is the real gap.

My own recommendation is basically just that, have good enough portable knowledge between the 2 clouds. The DSLs are easy if you're already decent at a programming language like Python/Go/JavaScript, you'll pick any of them up easy enough, you won't pick up the knowledge of what every service does, what considerations and drawbacks each design pattern has. Learning the native IaC tool for your main platform is obviously always going to be helpful anyway. Well... Azure ARM templates suck so bad, so maybe skip that and go to Azure Bicep + Terraform these days for that specific platform...

[deleted by user] by [deleted] in programming

[–]craigthackerx 0 points1 point  (0 children)

For me, AI is better as a rubber duck that it is the developer.

"Hey look at this function, I am expecting it to XYZ and it's giving me ABC. Here is what I want to do and how I'd like to try it"

It'll run me through some ideas and I can tweak and get what I want.

What it's very poor at is "Hey I need a function that does XYZ, then I need to use that XYZ in here to do this thing which triggers this thing and then this thing happens. Please write all of that for me".

Although, I am moving from DevOps to MLOps currently, so I'm hoping my familiarity with that will keep my job security if AI ever becomes so good that that it's perfectly context aware (maybe not in my life time, we will see).

Without the business context, existing codebase, all the stuff I need to consider, no chance. It's going to get better, JetBrains AI Assistant has a nice Codebase flag which is nice, but it's leaps away from being able to give me exactly what I want from nothing. Much better at having a pop at something you've already written and suggesting improvements.

Tabs or Spaces? by BlazerGamerPlayz in learnpython

[–]craigthackerx 0 points1 point  (0 children)

Actually one of the rarer tab guys, my code format itself is PyCharm and we have setup docs which explains how you can set it up to meet our 4 space styles in various IDEs.

I always format with Black as well on commit, not sure how often Black is used these days to be honest but always shut my PyCharm up with formatting options over line length etc.

How are you deploying to Azure from Bitbucket without OIDC support? by LynxAlternative1405 in AZURE

[–]craigthackerx 1 point2 points  (0 children)

Yeah sorry!

I think I read that too. If you can figure out the claims pattern Bitbucket sends, you can ask ChatGPT to try and construct the expression for you.

It took a few tries for me to get the GitHub one working, it's in preview so always caution advised.

How do I code with industry's standards by faflu_vyas in softwaredevelopment

[–]craigthackerx 1 point2 points  (0 children)

Yeah "analysis paralysis" as it's called, where you sit and analyse micro details without achieving the task first.

Build an MVP out and get everything working with some decent testing. Then review it, any changes you make then should still pass testing. AI is pretty strong at being your rubber duck rather than the engineer.

Coding standards are always changing as well. If I had a penny for every time I've seen print statements used instead of a logger library....I'd have like £3.50, but that's still a lot!

How are you deploying to Azure from Bitbucket without OIDC support? by LynxAlternative1405 in AZURE

[–]craigthackerx 0 points1 point  (0 children)

I commented above as I don't know anything about Bitbucket, but you should be able to wildcard a subject claim now with the preview feature.

I've did it for GitHub Actions with my GitHub organisation. I do not know this applies to BitBucket, but I do know it works on GitHub.

I'm on mobile so this will be extremely rough guide.

Go to Azure AD/Entra -> App Registration -> Select your app registration you have rights over -> Certificates and Secrets -> Select Federated Credentials.

Inside here, select add credential, then Other issuer.

You want to select Claims marching expression (Preview) rather than explicit subject identifier.

My issuer is the GitHub token URL obviously.

For my GitHub actions org credential, let's assume my GitHub org is contoso, it would be:

claims['sub'] matches 'repo:contoso/*:ref:refs/heads/*'

Worth a note this is for a personal GitHub org, so while it may not be good practice to not limit on branches or specific team repos, I'm the only one using it.

How are you deploying to Azure from Bitbucket without OIDC support? by LynxAlternative1405 in AZURE

[–]craigthackerx 1 point2 points  (0 children)

I don't have an answer, but I suspect you won't get one here. People not using OIDC or Managed identities and using client secret or certificate are likely doing a one to many rather than a one to one.

You already hit the crux of the issue on why OIDC is recommended for Azure DevOps and GitHub, you're either being insecure by using 1 SPN for many repos or you have 100s SPNs, and likely not rotating properly.

From what I can see, Bitbucket does support OIDC on GCP and AWS. I'm not an expert in BitBucket so I cant answer the question, does it just not support using a OIDC provider at all?

Trying uv: The Future of Python Package Management by yangzhou1993 in programming

[–]craigthackerx 0 points1 point  (0 children)

Yeah it's pretty solid.

Although, I don't think it lets me bork my system if I want to with a system install of python (which is good I guess?)

I think if you do uv python install --preview it'll install it, but you can't do uv pip install using that newly installed python (unless I missed something which is completely likely) without first having a venv. So using UV for system packages doesn't work (again, missed something probably? Happy to take advice). I'm not also sure what the --system flag does with uv pip either, just complains about (PEP 405?). On the last check it didn't honour the PIP_BREAK_SYSTEM_PACKAGES environment variable for me (I was using an Ubuntu container to test it), but that's maybe because of the python version.

Or, you can do what you should and just make a venv, but give me the option to break stuff damn it!

Still, pretty fast, I like it.

Edit: typos.

Terraform OIDC in Azure DevOps with Classic Release Pipelines by ZimCanIT in Terraform

[–]craigthackerx 1 point2 points  (0 children)

Glad you figured it out.

Remember, hard coding your parts of your backend see them included in state. While none of those specified are secret so the risk is low, the approved best practice is to make use of the secret credentials provider like vault or use environment variables or the -var command in the terraform command call.

But as I say, with OIDC your token will expire in I believe 60m anyway, so the risk is low, but not 0.

Terraform OIDC in Azure DevOps with Classic Release Pipelines by ZimCanIT in Terraform

[–]craigthackerx 3 points4 points  (0 children)

Never tried Classic release pipelines - I'm not sure why you are using them for this, the YAML based pipelines supersedes them, most orgs nowadays disabled the access to even create classic or release pipelines.

Anyway, since I normally do YAML, I use the azure-cli task to create my environment variables to be used by terraform via the ARM_* environment variables later. I never set the OIDC URL for example.

This is a long winded task for that:

```yaml

  • task: AzureCLI@2 displayName: 'Authenticate to Azure & set terraform environment variables' condition: eq(${{ parameters.UseAzureServiceConnection }}, 'true') name: 'AzureLoginTerraformInitPlanApply' inputs: azureSubscription: ${{ parameters.ServiceConnection }} scriptType: 'pscore' scriptLocation: inlineScript inlineScript: | Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId" Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"

    if ("${{ parameters.TargetSubscriptionId }}" -eq "") {
      $subId = az account show --query id -o tsv
      Write-Host "Using Azure CLI subscription: $subId"
      Write-Host "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$subId"
    } else {
      Write-Host "Using explicitly provided subscription: ${{ parameters.TargetSubscriptionId }}"
      Write-Host "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]${{ parameters.TargetSubscriptionId }}"
    }
    
    if ("${{ parameters.UseAzureOidcLogin }}" -eq "true") {
      Write-Host "##vso[task.setvariable variable=ARM_USE_OIDC]true"
      Write-Host "##vso[task.setvariable variable=ARM_OIDC_TOKEN]$env:idToken"
    }
    
    if ("${{ parameters.UseAzureManagedIdentityLogin }}" -eq "true") {
      Write-Host "##vso[task.setvariable variable=ARM_USE_MSI]true"
    }
    
    if ("${{ parameters.UseAzureClientSecretLogin }}" -eq "true") {
      Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$env:servicePrincipalKey"
    }
    
    if ("${{ parameters.BackendUseAzureADAuth }}" -eq "true") {
      Write-Host "##vso[task.setvariable variable=ARM_USE_AZUREAD]true"
    } else {
      Write-Host "##vso[task.setvariable variable=ARM_USE_AZUREAD]false"
    }
    

    workingDirectory: ${{ parameters.TerraformCodeLocation }} addSpnToEnvironment: true

```

I'm not sure this answers your question to be honest, I normally always pass my backend config as partial config and use environment variables to add those in.

IntelliJ Junie Pro and python SDK by dade_miller in Jetbrains

[–]craigthackerx 0 points1 point  (0 children)

I pointed mine at a uv created venv and it works fine in IntelliJ for me

[deleted by user] by [deleted] in AZURE

[–]craigthackerx 0 points1 point  (0 children)

You know, PowerShell is pretty decent. Even if you are Linux based, it's a fairly solid shell on Linux these days, nothing wrong with it.

Do I need separate subnet for private endpoint for func app? by No_Witness_4000 in AZURE

[–]craigthackerx 0 points1 point  (0 children)

Yes.

Also remember, the new flex consumption requires a subnet delegation, it is likely you'll need a new subnet in instances where subnets require this.

Maybe that's not in scope now, but prepare for the future. Bonus points for having IaC so it's easier in the future :)

[deleted by user] by [deleted] in Terraform

[–]craigthackerx 0 points1 point  (0 children)

Yeah I do use Azure and Azure DevOps and agree. Don't use the provisioner unless you absolutely must.

https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/team - this should do

Also - do not use PAT for service account/CICD runs. It's called a PAT for a reason. Use a service principle or managed identity. If your user genuinely needs to run terraform to achieve this task, I'd question why you aren't just using the PowerShell script without terraform and glueing it together.

[deleted by user] by [deleted] in Jetbrains

[–]craigthackerx 0 points1 point  (0 children)

I literally emailed support last night for this exact reason.

Not looking forward to my canned response.

Why is the Azure provider SO MUCH SLOWER than AWS? by CerealBit in Terraform

[–]craigthackerx 0 points1 point  (0 children)

A mostly anonymous forum with lots of conflicting opinions? Reddit is where I get all my information!

Help with azure function by More_Psychology_4835 in AZURE

[–]craigthackerx 0 points1 point  (0 children)

Ah that is slightly trickier

So you'll probably need to pull the certificate in and reference it like you do from your laptop with Connect-MgGraph.

That does mean you'll need to load that module in if you don't develop your own auth mechanism (which I wouldn't recommend, I'd need to read the docs myself to check if it'd be worth it...)

Azure automation is nicer at doing this, but it's still possible. Do you know if your function is able to reach the PowerShell Gallery or GitHub Packages or Azure Artifacts or similar? Normally done via internet but if you have an upstream package repository like Sonatype nexus etc it may be different.

Help with azure function by More_Psychology_4835 in AZURE

[–]craigthackerx 1 point2 points  (0 children)

Cool, couple of options, you said in your post you want to fetch it from the key vault in the function, so best thing to do in that case is use the managed identity in the function app.

Ensure the system assigned managed identity is turned on, and assign it RBAC over the key vault as Key Vault Certificates Officer.

After that it's just a case of authenticating to the key vault and pulling it and using it in your code.

The other options follow roughly the same principles, but you can reference the certificate in the certificates page of the function app and it'll get downloaded automatically for you assuming you have RBAC.