AZURE VM EXTENSIONS: PART 3 Refactoring our code : Gregor Suttie
by: Gregor Suttie
In this last part on Azure VM Extensions I will make a couple of changes to refactor the code and make things better. Once you have more time, go back and refactor your code; it's a good feeling to go back and improve on it.
So in this case I wanted to use Managed Identities for the CustomScriptExtension. I couldn't get it working at first, and due to time pressures I resorted to using SAS tokens. I soon realised that this is not the best way to go, and I really wanted to revisit the codebase and get Managed Identities working.
I see a lot of people create System Assigned Managed Identities; I try my best not to use these, as they are tied to a single resource. I always create a User Assigned Managed Identity from the Azure Portal or in Bicep first and then use that.

So I refactored my Bicep code for the CustomScriptExtension to use the Managed Identity I've created. The code no longer needs to generate a new SAS token each time it runs and hand that token to the extension; using a User Assigned Managed Identity is more secure.
@description('Deploy required userManagedIdentity')
module userManagedIdentity './modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep' = {
  scope: resourceGroup(multiTenantResourceGroupName)
  name: userManagedIdentityName
  params: {
    name: userManagedIdentityName
    location: location
    tags: tags
  }
  dependsOn: [
    resourceGroups
  ]
}
The above Bicep code creates our User Assigned Managed Identity and then we can make use of this within our CustomScriptExtension like so.
module virtualMachineName_ZabixxInstaller './modules/Microsoft.Compute/virtualMachines/extensions/deploy.bicep' = {
  scope: resourceGroup(multiTenantResourceGroupName)
  name: 'ZabixxInstaller'
  params: {
    enableAutomaticUpgrade: false
    name: 'ZabixxInstaller'
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10'
    virtualMachineName: virtualMachineNameBackend
    location: location
    autoUpgradeMinorVersion: true
    settings: {
      fileUris: [
        'https://${storageAccountName}.blob.core.windows.net/${containername}/InstallZabbixAgent.ps1'
        'https://${storageAccountName}.blob.core.windows.net/${containername}/zabbix.zip'
      ]
    }
    protectedSettings: {
      commandToExecute: 'powershell.exe -ExecutionPolicy Unrestricted -File InstallZabbixAgent.ps1'
      managedIdentity: {
        objectId: userManagedIdentity.outputs.principalId
      }
    }
  }
  dependsOn: [
    resourceGroups
    virtualMachineBackend
  ]
}
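The extension above can only download the script and zip if the identity is allowed to read them and the VM actually carries that identity; the following Bicep is an added example (not code from the original post) that supplies both pieces, granting the built-in Storage Blob Data Reader role on just the one container rather than the whole storage account. Parameter names, symbolic names and API versions are assumptions.

```bicep
// Added example, not part of the original post. Assumes the identity,
// storage account and container already exist in the target resource group.
param userManagedIdentityName string
param storageAccountName string
param containerName string

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: userManagedIdentityName
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: storageAccount
  name: 'default'
}

resource scriptContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' existing = {
  parent: blobService
  name: containerName
}

// Built-in role 'Storage Blob Data Reader': read-only data-plane access, no keys.
var storageBlobDataReaderRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')

// Least privilege: scope the assignment to the container holding the script
// and zip, not the storage account. The guid() name is deterministic, so
// redeploying does not create duplicate assignments.
resource blobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(scriptContainer.id, uami.id, storageBlobDataReaderRoleId)
  scope: scriptContainer
  properties: {
    roleDefinitionId: storageBlobDataReaderRoleId
    principalId: uami.properties.principalId
    // Stating the principal type avoids the replication-delay failure seen
    // when the identity was created moments earlier in the same deployment.
    principalType: 'ServicePrincipal'
  }
}

// The VM running the extension must declare the same identity, otherwise the
// extension cannot obtain a token for it. In the VM resource body:
//   identity: {
//     type: 'UserAssigned'
//     userAssignedIdentities: { '${uami.id}': {} }
//   }
output identityResourceId string = uami.id
```

Because no SAS token or account key is involved, the download can be audited in the storage account's blob logs as a request by this identity's principal, and revoking access is a matter of deleting the role assignment.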
Summary
In summary, we went from generating a SAS token from the Azure Storage account to using a User Assigned Managed Identity, which is more secure.
Don't forget to subscribe to my YouTube channel and my newsletter.
The post AZURE VM EXTENSIONS: PART 3 Refactoring our code appeared first on Azure Greg.
June 12, 2023 at 12:30AM