December 8, 2021
I've been struggling to get some resources in the cloud stood up today, and it's made me think a bit more about the empowerment of people to be able to operate in the business environment. In my opinion, everybody should have access to the tools and training they need to do their jobs, without having to go through others every time. But this story starts with Microsoft Azure.
Azure Front Door is a reverse proxy/CDN similar to Cloudflare, and I've been trying to set it up for a new product at work. It took many attempts and three different setbacks before throwing in the towel for the day.
The first setback was that it requires a CNAME record for custom domains; it won't operate with any other record type. That's a problem, because the product is hosted on the apex of the DNS zone, for which CNAME is unsupported at the specification level. Fortunately I was able to get around this by using a service alias in Azure DNS, where you can create an A record and Azure does something weird to make it point to the resource.
The second setback involved the setup. I'm creating and configuring this resource with Terraform, which exposes the configuration as a single atomic resource which must contain all configuration, including custom domains. This presents a problem, because you can't create the Front Door without the DNS record, and you can't create the DNS record (which needs to point to an existing service, as above) without a Front Door. A cyclical dependency, again courtesy of Microsoft. I managed to figure out that you can use a CNAME mapped to the same location, but prefixed with "afdverify." - the real DNS record can then be created afterwards.
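To make the ordering concrete, here is an added Terraform example of the two workarounds above (the afdverify verification CNAME to break the cycle, then an Azure DNS alias A record at the apex). It is not the post's own configuration: the zone "example.com", resource group "example-rg", Front Door "example-fd", origin host and region are all assumed placeholders, and the argument names are those of the azurerm provider as best I recall them, so check them against the provider version you use.

```hcl
# Added example, not from the post. Assumed names: zone "example.com",
# resource group "example-rg", Front Door "example-fd", origin "origin.example.com".

resource "azurerm_resource_group" "rg" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_dns_zone" "zone" {
  name                = "example.com"
  resource_group_name = azurerm_resource_group.rg.name
}

# Step 1: the verification CNAME, created before the Front Door exists.
# Front Door accepts afdverify.<custom-domain> -> afdverify.<frontdoor>.azurefd.net
# as proof of ownership. The target is a literal hostname rather than a reference
# to the Front Door resource, which is what breaks the cycle.
resource "azurerm_dns_cname_record" "afdverify" {
  name                = "afdverify"
  zone_name           = azurerm_dns_zone.zone.name
  resource_group_name = azurerm_resource_group.rg.name
  ttl                 = 300
  record              = "afdverify.example-fd.azurefd.net"
}

# Step 2: the Front Door, declaring the apex as a custom domain up front.
resource "azurerm_frontdoor" "fd" {
  name                = "example-fd"
  resource_group_name = azurerm_resource_group.rg.name

  frontend_endpoint {
    name      = "default"
    host_name = "example-fd.azurefd.net"
  }

  frontend_endpoint {
    name      = "apex"
    host_name = "example.com"
  }

  backend_pool_load_balancing {
    name = "lb"
  }

  backend_pool_health_probe {
    name = "probe"
  }

  backend_pool {
    name                = "origin"
    load_balancing_name = "lb"
    health_probe_name   = "probe"
    backend {
      host_header = "origin.example.com"
      address     = "origin.example.com"
      http_port   = 80
      https_port  = 443
    }
  }

  routing_rule {
    name               = "default"
    accepted_protocols = ["Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["default", "apex"]
    forwarding_configuration {
      forwarding_protocol = "HttpsOnly"
      backend_pool_name   = "origin"
    }
  }

  # Make sure the verification record exists before Front Door validates the domain.
  depends_on = [azurerm_dns_cname_record.afdverify]
}

# Step 3: the real apex record. CNAME is not allowed at the zone apex, so an
# Azure DNS alias A record points at the Front Door resource id instead.
resource "azurerm_dns_a_record" "apex" {
  name                = "@"
  zone_name           = azurerm_dns_zone.zone.name
  resource_group_name = azurerm_resource_group.rg.name
  ttl                 = 300
  target_resource_id  = azurerm_frontdoor.fd.id
}
```

A single terraform apply creates the records and the Front Door in the order the references dictate. Keeping the afdverify record in the same state as the Front Door means it is destroyed together with it, so no verification record pointing at a released azurefd.net hostname is left behind in the zone. Serving HTTPS on the apex still needs the Key Vault-managed certificate described next, which this example does not set up.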
Finally, the last setback, and the part where I gave up for that day, was that Front Door just straight-up won't manage SSL certificates for custom domains if they're at the apex - you have to buy your own and manage it with Key Vault. When I finally came across that, I thought "fuck it" and logged out.
Interacting with certificate registries is not something that the typical developer is enabled to just go out and do - I don't have a company credit card, and I certainly don't want to use mine. I would have to go to my manager or IT to get it sorted, which throws a real spanner in the works.
That's why I really prefer cloud provider-managed resources - I have the mandate and permission to create resources in Azure that I think are necessary and can """provide value""", and the invoice at the end of the month is handled by finance. Access to certificate registries is not managed by IAM, so I have to ask the one guy who has an account at DigiCert for our company to pretty please do it for me. Great.