feat: improve mi example (#123)

* feat: improve mi example

* Add more content and improve example

* updates and fixes

* tidy

Author: jaredfholgate

.gitignore

@@ -49,3 +49,4 @@ avm.tflint_module.merged.hcl
 examples/*/policy
 *.mptfbackup
 .avm
+examples/managed_instance/scripts.zip

examples/managed_instance/README.md

@@ -14,6 +14,10 @@ terraform {
   required_version = ">= 1.9, < 2.0"
 
   required_providers {
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.7"
+    }
     azapi = {
       source  = "Azure/azapi"
       version = "~> 2.4"
@@ -338,19 +342,26 @@ resource "azurerm_key_vault_secret" "registry_string" {
 resource "azurerm_key_vault_secret" "registry_dword" {
   key_vault_id = azapi_resource.key_vault.id
   name         = "registry-dword-value"
-  value        = "23FE" # Hexadecimal string for DWORD value of 35
+  value        = "336" # Must be an Integer
 
   depends_on = [azapi_resource.role_assignment_kv_secrets_officer]
 }
 
+data "archive_file" "scripts" {
+  type             = "zip"
+  source_dir       = "${path.module}/scripts"
+  output_path      = "${path.module}/scripts.zip"
+  output_file_mode = "0644"
+}
+
 # Upload scripts.zip as a placeholder for the install script package.
-# Replace the source with your own scripts.zip file.
 resource "azurerm_storage_blob" "scripts_zip" {
   name                   = "scripts.zip"
   storage_account_name   = azapi_resource.storage_account.name
   storage_container_name = azapi_resource.blob_container.name
   type                   = "Block"
-  source                 = "${path.module}/scripts.zip"
+  content_md5            = data.archive_file.scripts.output_md5
+  source                 = data.archive_file.scripts.output_path
 
   depends_on = [azapi_resource.role_assignment_blob_reader, azapi_resource.role_assignment_blob_contributor_current_user]
 }
@@ -363,8 +374,7 @@ resource "azapi_resource" "role_assignment_blob_contributor_current_user" {
   type      = "Microsoft.Authorization/roleAssignments@2022-04-01"
   body = {
     properties = {
-      principalId = data.azapi_client_config.this.object_id
-      #principalType    = "User"
+      principalId      = data.azapi_client_config.this.object_id
       roleDefinitionId = "/subscriptions/${data.azapi_client_config.this.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe"
     }
   }
@@ -373,8 +383,7 @@ resource "azapi_resource" "role_assignment_blob_contributor_current_user" {
   depends_on = [azapi_resource.blob_container]
 }
 
-# This is the module call
-# Windows Managed Instance uses isCustomMode, install scripts, and plan default identity
+# This is the module call to create the App Service Managed Instance plan with custom configuration using install scripts, registry adapters, and storage mounts.
 module "test" {
   source = "../.."
 
@@ -384,9 +393,10 @@ module "test" {
   parent_id        = azapi_resource.resource_group.id
   enable_telemetry = var.enable_telemetry
   # Install scripts - references the scripts.zip blob in the storage account
+  # The install script logs can be found in C:\InstallScripts on the VM instances
   install_scripts = [
     {
-      name = "FontInstaller"
+      name = "CustomInstaller"
       source = {
         type       = "RemoteAzureBlob"
         source_uri = "https://${azapi_resource.storage_account.name}.blob.core.windows.net/${azapi_resource.blob_container.name}/scripts.zip"
@@ -406,14 +416,14 @@ module "test" {
   # Registry adapters - configure Windows registry keys via Key Vault references
   registry_adapters = [
     {
-      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp/Config" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
+      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp1/RegistryAdapterString" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
       type         = "String"
       key_vault_secret_reference = {
         secret_uri = "https://${azapi_resource.key_vault.name}.vault.azure.net/secrets/${azurerm_key_vault_secret.registry_string.name}"
       }
     },
     {
-      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp/DWordData" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
+      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp1/RegistryAdapterDWORD" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
       type         = "DWORD"
       key_vault_secret_reference = {
         secret_uri = "https://${azapi_resource.key_vault.name}.vault.azure.net/secrets/${azurerm_key_vault_secret.registry_dword.name}"
@@ -455,6 +465,7 @@ resource "azapi_resource" "web_app" {
     properties = {
       serverFarmId = module.test.resource_id
       siteConfig = {
+        alwaysOn            = true # NOTE: If the web app is not deployed and running, you will not be able to RDP onto the instances
         netFrameworkVersion = "v10.0"
         metadata = [
           {
@@ -477,6 +488,8 @@ The following requirements are needed by this module:
 
 - <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (>= 1.9, < 2.0)
 
+- <a name="requirement_archive"></a> [archive](#requirement\_archive) (~> 2.7)
+
 - <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) (~> 2.4)
 
 - <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (>= 3.0, < 5.0)
@@ -508,6 +521,7 @@ The following resources are used by this module:
 - [azurerm_key_vault_secret.storage_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) (resource)
 - [azurerm_storage_blob.scripts_zip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_blob) (resource)
 - [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
+- [archive_file.scripts](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) (data source)
 - [azapi_client_config.this](https://registry.terraform.io/providers/Azure/azapi/latest/docs/data-sources/client_config) (data source)
 - [azapi_resource_action.storage_account_keys](https://registry.terraform.io/providers/Azure/azapi/latest/docs/data-sources/resource_action) (data source)
 

examples/managed_instance/main.tf

@@ -2,6 +2,10 @@ terraform {
   required_version = ">= 1.9, < 2.0"
 
   required_providers {
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.7"
+    }
     azapi = {
       source  = "Azure/azapi"
       version = "~> 2.4"
@@ -326,19 +330,26 @@ resource "azurerm_key_vault_secret" "registry_string" {
 resource "azurerm_key_vault_secret" "registry_dword" {
   key_vault_id = azapi_resource.key_vault.id
   name         = "registry-dword-value"
-  value        = "23FE" # Hexadecimal string for DWORD value of 35
+  value        = "336" # Must be an Integer
 
   depends_on = [azapi_resource.role_assignment_kv_secrets_officer]
 }
 
+data "archive_file" "scripts" {
+  type             = "zip"
+  source_dir       = "${path.module}/scripts"
+  output_path      = "${path.module}/scripts.zip"
+  output_file_mode = "0644"
+}
+
 # Upload scripts.zip as a placeholder for the install script package.
-# Replace the source with your own scripts.zip file.
 resource "azurerm_storage_blob" "scripts_zip" {
   name                   = "scripts.zip"
   storage_account_name   = azapi_resource.storage_account.name
   storage_container_name = azapi_resource.blob_container.name
   type                   = "Block"
-  source                 = "${path.module}/scripts.zip"
+  content_md5            = data.archive_file.scripts.output_md5
+  source                 = data.archive_file.scripts.output_path
 
   depends_on = [azapi_resource.role_assignment_blob_reader, azapi_resource.role_assignment_blob_contributor_current_user]
 }
@@ -351,8 +362,7 @@ resource "azapi_resource" "role_assignment_blob_contributor_current_user" {
   type      = "Microsoft.Authorization/roleAssignments@2022-04-01"
   body = {
     properties = {
-      principalId = data.azapi_client_config.this.object_id
-      #principalType    = "User"
+      principalId      = data.azapi_client_config.this.object_id
       roleDefinitionId = "/subscriptions/${data.azapi_client_config.this.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe"
     }
   }
@@ -361,8 +371,7 @@ resource "azapi_resource" "role_assignment_blob_contributor_current_user" {
   depends_on = [azapi_resource.blob_container]
 }
 
-# This is the module call
-# Windows Managed Instance uses isCustomMode, install scripts, and plan default identity
+# This is the module call to create the App Service Managed Instance plan with custom configuration using install scripts, registry adapters, and storage mounts.
 module "test" {
   source = "../.."
 
@@ -372,9 +381,10 @@ module "test" {
   parent_id        = azapi_resource.resource_group.id
   enable_telemetry = var.enable_telemetry
   # Install scripts - references the scripts.zip blob in the storage account
+  # The install script logs can be found in C:\InstallScripts on the VM instances
   install_scripts = [
     {
-      name = "FontInstaller"
+      name = "CustomInstaller"
       source = {
         type       = "RemoteAzureBlob"
         source_uri = "https://${azapi_resource.storage_account.name}.blob.core.windows.net/${azapi_resource.blob_container.name}/scripts.zip"
@@ -394,14 +404,14 @@ module "test" {
   # Registry adapters - configure Windows registry keys via Key Vault references
   registry_adapters = [
     {
-      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp/Config" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
+      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp1/RegistryAdapterString" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
       type         = "String"
       key_vault_secret_reference = {
         secret_uri = "https://${azapi_resource.key_vault.name}.vault.azure.net/secrets/${azurerm_key_vault_secret.registry_string.name}"
       }
     },
     {
-      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp/DWordData" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
+      registry_key = "HKEY_LOCAL_MACHINE/SOFTWARE/MyApp1/RegistryAdapterDWORD" # Registry key must start with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USERS and contain at least one forward slash.
       type         = "DWORD"
       key_vault_secret_reference = {
         secret_uri = "https://${azapi_resource.key_vault.name}.vault.azure.net/secrets/${azurerm_key_vault_secret.registry_dword.name}"
@@ -443,6 +453,7 @@ resource "azapi_resource" "web_app" {
     properties = {
       serverFarmId = module.test.resource_id
       siteConfig = {
+        alwaysOn            = true # NOTE: If the web app is not deployed and running, you will not be able to RDP onto the instances
         netFrameworkVersion = "v10.0"
         metadata = [
           {