aztfexport - Challenges!!

[IbrahimUmar]

Hi ,
I am trying to reverse engineer my azure subscription to terraform code. Definitely , i expect that aztfexport tool will do this for me.

This is very common practices that every subscription must be followed by Microsoft recommended azure security restrictions at enterprise level.

Unfortunately aztfexport failed in this scenario.

This tool works best for toy subscription where not enough security restrictions are implemented.

Question: Is there any tool or work around where we can reverse engineer the azure subscription exported to terraform code. Goal is to templating and throw new subscriptions when needed.

I am also very convinced that How Microsoft will develop a tool which will break self created rules and enterprise security best practices But at another end , there must be some workarounds where we can understand the exact meanings of export. Right now , it is partial export.

Looking forward to hearing from you.

Thank You!

[magodo]

Hi @IbrahimUmar Thank you for reaching out!

Regarding your question:

Is there any tool or work around where we can reverse engineer the azure subscription exported to terraform code. Goal is to templating and throw new subscriptions when needed.

Can you elaborate more about your scenario and what makes you think this tool can't help you? We'd like to hear feedback about any missing features and would be love to improve the tool to fill these gaps.

[stemaMSFT]

Hey @IbrahimUmar we have a flag --mask-sensitive for this exact sort of scenario I believe. Is your concern that the flag is not enabled by default? As you've said, this is a preview tool and not meant to be trusted fresh-out-of-the-box to be production ready code.

[IbrahimUmar]

Thanks for your feedback

Let me share a scenario , I want to export out my azure subscription to terraform code using aztfexport

It works normally !!

We have 10 resource group and worked fine for 70-80% of them !!

Definitely , azure subscription having multiple services and some services are behind enterprise security rules/ policies and restrictions !!

Aztfexport unable to export this resource groups!!

Questions :- what is the work around for such scenarios ?

Am I missing something which can help to cover this scenarios ?

I don't want to bypass enterprise security restrictions !!
Hope I explained

Looking farward to hearing from you !

Regards

[IbrahimUmar]

@stemaMSFT --mask-sensitive

I am unable to export restricted resources and sensitive information out from azure subscription to terraform code :) -
This is something different from what you mentioned !!

Resources that are behind the security policies and enterprise restrictions unable to exported into terraform !!

Goal is to baseline / Template , azure subscription so in future. I can create new subscription replicas with minor changes !!

Regards

[magodo]

@IbrahimUmar Can you elaborate more on these security restrictions? E.g. If your principal lacks of permissions to terraform import a specific resource type, then it is beyond the scope of this tool.

[IbrahimUmar]

Please explain this

[magodo]

E.g. if you don't have a read permission for a storage account, you can't import an azurerm_storage_account, otherwise you'll hit 403 error. This is not a problem of this tool or any tool provided by Azure.