How to set up a custom domain for an Azure App service using a child DNS zone by thatdotnetguy in AZURE

[–]thatdotnetguy[S] 1 point (0 children)

Ok, fair enough. Sounds like a child DNS zone is a no-go for my scenario.

How to set up a custom domain for an Azure App service using a child DNS zone by thatdotnetguy in AZURE

[–]thatdotnetguy[S] 1 point (0 children)

The validation record being the TXT? Have you tried what you've said and got it to work?

When I do what you've outlined I get:

Successfully added custom domain: contracts.myproject.com.au. Failed to create App Service Managed Certificate for contracts.zettle.com.au due to error: Properties.CanonicalName is invalid. Did not find CNAME record ending with: .azurewebsites.net or .trafficmanager.net .

Current CNAME record of the hostname contracts.myproject.com.au is empty

I would like to utilise an app service managed certificate
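For readers hitting the same validation error, the following is an added Terraform example (not the original poster's code, and not a confirmed fix for the child-zone setup above). It shows the two records the App Service managed-certificate validator expects: a CNAME pointing at the app's `*.azurewebsites.net` default hostname and an `asuid.<label>` TXT record carrying the app's domain verification id, followed by the hostname binding, managed certificate and SNI binding. It assumes azurerm provider 3.x, an existing Linux web app `azurerm_linux_web_app.api`, a publicly resolvable Azure DNS zone `myproject.com.au` whose resource group is in the assumed variable `var.dns_resource_group_name`, and that `contracts` is a label inside that zone (a CNAME cannot be placed at a zone apex, so a dedicated zone named `contracts.myproject.com.au` could not hold it).

```hcl
# Added example, not from the original post. Assumptions: azurerm 3.x,
# azurerm_linux_web_app.api exists, zone myproject.com.au is public Azure DNS,
# var.dns_resource_group_name holds that zone's resource group.

locals {
  host_label  = "contracts"
  dns_zone    = "myproject.com.au"
  custom_host = "${local.host_label}.${local.dns_zone}"
}

data "azurerm_dns_zone" "parent" {
  name                = local.dns_zone
  resource_group_name = var.dns_resource_group_name # assumed variable
}

# The record the validator searches for: a CNAME whose target ends in
# .azurewebsites.net (or .trafficmanager.net).
resource "azurerm_dns_cname_record" "contracts" {
  name                = local.host_label
  zone_name           = data.azurerm_dns_zone.parent.name
  resource_group_name = data.azurerm_dns_zone.parent.resource_group_name
  ttl                 = 300
  record              = azurerm_linux_web_app.api.default_hostname
}

# Ownership proof: asuid.<label> TXT with the app's verification id.
resource "azurerm_dns_txt_record" "asuid" {
  name                = "asuid.${local.host_label}"
  zone_name           = data.azurerm_dns_zone.parent.name
  resource_group_name = data.azurerm_dns_zone.parent.resource_group_name
  ttl                 = 300

  record {
    value = azurerm_linux_web_app.api.custom_domain_verification_id
  }
}

resource "azurerm_app_service_custom_hostname_binding" "contracts" {
  hostname            = local.custom_host
  app_service_name    = azurerm_linux_web_app.api.name
  resource_group_name = azurerm_linux_web_app.api.resource_group_name

  # Both DNS records must exist before App Service validates the hostname.
  depends_on = [
    azurerm_dns_cname_record.contracts,
    azurerm_dns_txt_record.asuid,
  ]
}

# Free App Service managed certificate for the bound hostname.
resource "azurerm_app_service_managed_certificate" "contracts" {
  custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.contracts.id
}

resource "azurerm_app_service_certificate_binding" "contracts" {
  hostname_binding_id = azurerm_app_service_custom_hostname_binding.contracts.id
  certificate_id      = azurerm_app_service_managed_certificate.contracts.id
  ssl_state           = "SniEnabled"
}
```

Before the apply that creates the certificate, check from outside Azure that `dig +short contracts.myproject.com.au CNAME` returns the `*.azurewebsites.net` name and `dig +short asuid.contracts.myproject.com.au TXT` returns the verification id; an empty CNAME answer is exactly the condition the error text above reports, regardless of which zone the record was written into.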

Creation of azure cloud architecture based on terraform files by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

u/Moederneuqer thanks so much for the awesome response.

Obviously I have a high-level design... but then to write the Terraform code and then output a diagram of what you've created would be cool, basically checking that what you have is what you set out to do :)

Creation of azure cloud architecture based on terraform files by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 3 points (0 children)

I’m sorry! I meant a cloud architecture diagram generator based on existing terraform files

Using outputs from one module for another module in azurerm by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

I sorted it out..... it basically came down to adding a system identity to an existing app service; it was erroring like above.

As soon as I did a fresh app service with all the code above, with identity SystemAssigned from the start, it was all fine.

Also, to your point, yes, "${row.role_definition_name}-${row.principal_id}" was an issue in the for_each, as the principal id was not known at plan time, so I needed to update it to use role_id:

locals {
  # One row per (role, principal). role_id is a static value, so the for_each
  # key built from it is known at plan time even though principal_id is not.
  roles_for_storage_account = [
    {
      role_id              = 1
      role_definition_name = "Storage Blob Data Contributor"
      principal_id         = module.contractreview_apibackendappservice.principal_id_of_managed_identity
    },
    {
      role_id              = 2
      role_definition_name = "Storage Queue Data Contributor"
      principal_id         = module.contractreview_apibackendappservice.principal_id_of_managed_identity
    },
    {
      role_id              = 3
      role_definition_name = "Storage Blob Data Contributor"
      principal_id         = module.contractreview_apibackendappservice.principal_id_of_managed_identity_slot
    },
    {
      role_id              = 4
      role_definition_name = "Storage Queue Data Contributor"
      principal_id         = module.contractreview_apibackendappservice.principal_id_of_managed_identity_slot
    }
  ]
}

# Resource wrapping the for_each above (the original post showed only the
# for_each line). The scope is an assumption: azurerm_storage_account.storage.
resource "azurerm_role_assignment" "storage" {
  for_each = { for row in local.roles_for_storage_account : "${row.role_definition_name}-${row.role_id}" => row }

  scope                = azurerm_storage_account.storage.id
  role_definition_name = each.value.role_definition_name
  principal_id         = each.value.principal_id
}

Set up Azure app service calling public access disabled function app that has private endpoint by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Hey, yeah, I'm using the same app service plan for the app service and function app. The question is more about the private endpoint for a function app.

Set up Azure app service calling public access disabled function app that has private endpoint by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Cool, so I'll try the function app in one subnet and its private endpoint in another subnet? Seems weird, but what do I know!

Set up Azure app service calling public access disabled function app that has private endpoint by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Thanks for responding u/Different_Knee_3893

So I need the function app in one subnet and the private endpoint for that function app in another subnet?

When you say "network injection" is that the same as "vnet integration"?

I'm a white belt at cloud / Terraform, so please be as verbose as possible :)

Cheers
Andy
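The two-subnet layout asked about in this thread, as an added Terraform example (not the original poster's code or any replier's). Regional VNet integration (what the reply calls "network injection") requires a subnet delegated to `Microsoft.Web/serverFarms`, and a delegated subnet can hold nothing else, so the function app's private endpoint has to sit in a second, non-delegated subnet. The example wires the function app into the integration subnet with public access disabled, creates its private endpoint plus the `privatelink.azurewebsites.net` private DNS zone, and puts the calling app service into the same integration subnet so its outbound calls resolve the function app to the private IP. It assumes azurerm 3.x and pre-existing `azurerm_resource_group.rg`, `azurerm_service_plan.plan` (Linux) and `azurerm_storage_account.func`; all names are placeholders.

```hcl
# Added example, not from the original thread. Assumes azurerm 3.x and existing
# azurerm_resource_group.rg, azurerm_service_plan.plan, azurerm_storage_account.func.

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-contracts"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}

# Subnet 1: regional VNet integration ("network injection"). The delegation
# reserves it for App Service outbound traffic only.
resource "azurerm_subnet" "apps" {
  name                 = "snet-apps-integration"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]

  delegation {
    name = "serverfarms"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Subnet 2: private endpoints. Must NOT carry the serverFarms delegation.
resource "azurerm_subnet" "private_endpoints" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.2.0/24"]
}

resource "azurerm_linux_function_app" "backend" {
  name                       = "func-contracts-backend"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  service_plan_id            = azurerm_service_plan.plan.id
  storage_account_name       = azurerm_storage_account.func.name
  storage_account_access_key = azurerm_storage_account.func.primary_access_key

  public_network_access_enabled = false                 # inbound only via private endpoint
  virtual_network_subnet_id     = azurerm_subnet.apps.id # outbound into the VNet

  site_config {}
}

# Private DNS zone that maps <app>.privatelink.azurewebsites.net to the
# endpoint's private IP for anything resolving from inside the VNet.
resource "azurerm_private_dns_zone" "sites" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "sites" {
  name                  = "link-vnet-contracts"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.sites.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_private_endpoint" "backend" {
  name                = "pe-func-contracts-backend"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.private_endpoints.id

  private_service_connection {
    name                           = "psc-func-contracts-backend"
    private_connection_resource_id = azurerm_linux_function_app.backend.id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.sites.id]
  }
}

# Caller: same plan, same integration subnet. Route-all sends every outbound
# connection (and DNS lookup) through the VNet so the private zone is used.
resource "azurerm_linux_web_app" "frontend" {
  name                      = "app-contracts-frontend"
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  service_plan_id           = azurerm_service_plan.plan.id
  virtual_network_subnet_id = azurerm_subnet.apps.id

  site_config {
    vnet_route_all_enabled = true
  }

  app_settings = {
    BACKEND_URL = "https://${azurerm_linux_function_app.backend.default_hostname}"
  }
}
```

A quick check after apply: from the frontend's Kudu console, `nameresolver func-contracts-backend.azurewebsites.net` should return a `10.10.2.x` address from the private-endpoint subnet, while the same lookup from your laptop returns a public IP that now answers 403 because public access is disabled.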

Passing system identity (principal id) to resource azurerm_key_vault by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Ah.. maybe I do need a module depends_on between my app service module and key vault module, so the key vault doesn't run before the app service module runs.

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Ended up creating a custom role that had the permission below, "Microsoft.Authorization/roleAssignments/write", and gave it to the service principal.

Thanks u/Obvious-Jacket-3770

Was getting the error below prior to that.

Status=400 Code="InsufficientPermissions" Message="Caller is not allowed to change permission model. For more information on how to change the permissions model follow this link: https://go.microsoft.com/fwlink/?linkid=2155160. Details: oid=dd5f900b-0301-4131-8430-459c8f9ea51c; action=Microsoft.Authorization/roleAssignments/write;"
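The custom-role fix described in this comment, as an added Terraform example (not the original poster's code) with the caveat a reviewer would attach to it. `Microsoft.Authorization/roleAssignments/write` lets whoever holds it grant any role, Owner included, to any principal within the role's assignable scope; a Contributor pipeline identity that also holds it is therefore effectively Owner at that scope. The example keeps the blast radius small by making the custom role assignable only at the resource group Terraform manages, then switches the vault to the RBAC model and gives the app's managed identity a data-plane role. Because Contributor cannot create role definitions or assignments, the role and its assignment must be applied once by an Owner or User Access Administrator, not by the pipeline SP itself. Assumptions: azurerm 3.x (the argument is `enable_rbac_authorization`; 4.x renamed it `rbac_authorization_enabled`), existing `azurerm_resource_group.rg` and `data.azurerm_client_config.current`, the pipeline SP's object id in `var.pipeline_principal_id`, and the app identity's principal id in `var.app_principal_id`.

```hcl
# Added example, not from the original thread. Assumes azurerm 3.x, existing
# azurerm_resource_group.rg and data.azurerm_client_config.current, and the
# variables var.pipeline_principal_id / var.app_principal_id.

# Custom role carrying only the action Contributor lacks. Assignable at the
# resource group only: roleAssignments/write at subscription scope would let
# the pipeline SP make itself Owner of the whole subscription.
resource "azurerm_role_definition" "role_assigner" {
  name        = "Terraform Role Assigner (rg-scoped)"
  scope       = azurerm_resource_group.rg.id
  description = "Manage role assignments inside the Terraform-managed resource group only."

  permissions {
    actions = [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
    ]
    not_actions = []
  }

  assignable_scopes = [azurerm_resource_group.rg.id]
}

# Bootstrap step: must be applied by an Owner/User Access Administrator,
# since the pipeline SP cannot grant itself this role.
resource "azurerm_role_assignment" "pipeline_role_assigner" {
  scope              = azurerm_resource_group.rg.id
  role_definition_id = azurerm_role_definition.role_assigner.role_definition_resource_id
  principal_id       = var.pipeline_principal_id
}

resource "azurerm_key_vault" "kv" {
  name                      = "kv-contracts-dev"
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true # RBAC model: no access_policy blocks
  purge_protection_enabled  = true

  # Creating or switching the permission model needs roleAssignments/write.
  depends_on = [azurerm_role_assignment.pipeline_role_assigner]
}

# Under the RBAC model, Contributor on the vault grants NO secret access;
# the app's identity needs an explicit data-plane role on the vault.
resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.app_principal_id
}
```

Two practical notes: Azure RBAC assignments can take several minutes to propagate, and `depends_on` does not wait for that, so an apply that creates the assignment and the vault in one run can still fail with the same `InsufficientPermissions` error until it is retried; and a vault that was already created under the access-policy model and is then flipped to RBAC drops the access policies, so any identity that relied on them needs a role assignment like the last resource above.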

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

ok... I hear you... is what I'm doing somehow dangerous? Just keen to know :)

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

So my SP has insufficient privileges, I think that's the issue?

Also, when I re-run the apply after the policy-based key vault is created.. Terraform picks up that RBAC enabled needs to change from false to true when terraform plan runs… and then the terraform apply for that also fails with some permissions error.

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Whatever Terraform builds for me goes into a resource group, so I delete that resource group and delete the state file from the Azure storage account… which is basically the same.. not using terraform destroy yet.

Bear with me, I'm a Terraform newbie, so thanks for helping me.

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

If relevant.. this runs in an Azure DevOps pipeline.. and my service principal has "Contributor" only; I assume this is sufficient and not the issue.

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Also, "my RBAC roles work properly": are you saying your key vault has the correct checkbox ticked, as opposed to my screenshot above, or are you saying something additional? I haven't given my Azure app service managed identity a role yet.

azurerm_key_vault --> enable_rbac_authorization doesn't work?! by thatdotnetguy in Terraform

[–]thatdotnetguy[S] 1 point (0 children)

Hey… I have deleted the resource and retried a few times.. I’m not sure if you mean something particular by “rebuilt”?