Trond Jakob Sjøvang

All vibes, no QA!

Thu, 09 Apr 2026 19:58:19 GMT

The week before easter I visited Microsoft's HQ in Redmond for the annual MVP Summit. Naturally, as you probably expect, the topic of everything AI was almost impossible to avoid (I tried) and when I woke up on Saturday morning, with hours to spare before we had to drag our weary butts and heavy luggage to the airport I was having some shower thoughts: There must be something in this whole AI thing right? "Everyone" who's raving about the amazing opportunities and possibilities can't all be wrong, can they? I have no problems to admit I am a sceptic. When people try to sell me something too hard it makes my spider sense tingle. The myriad of examples where people have vibed away and ended up with amazing catastrophes have made me laugh (out loud), and my own attempts at using various AI assistants for work has been "sometimes may be good, sometimes may be shit" to quote the Milan legend Gattuso. Maybe it's just me being too old and grumpy to be interested in the new stuff. It's been some years since I pass that magic 35 year old marker Douglas Adams described after all: “I've come up with a set ...

Replacing Terraform (for fun and profit?)

Mon, 16 Mar 2026 16:12:17 GMT

The client I’m currently spending most (all) of my working time with have a lot of Terraform code. And I mean a lot. Like, you will spend a solid amount of time getting an overview of where everything is before you start being productive, a lot. And we are currently working on replacing most, if not all, of it. But why?, some would ask? Finally!, others will shout from some dark corner. So I thought I’d begin with this first post in what possibly might be a series as I dig myself into a rabbit hole. Starting with the reasons for why this might be a good (or bad) idea. But why?! It’s not because terraform is shit It really isn’t. Terraform is fine for the problems it wants to solve. And naturally it is a bad fit for problems that are out of scope. Just about every week there is some dude pushing a slopped together hot-take on why Terraform is shit and how he has found the silver bullet to solve it. Usually followed by a mix of equally ignorant dudes replying “this is insightful” and brave veterans telling him he’s so far up his own ass he can’t see sunlight. Terraform isn’t ...

A new colophon for 2026

Sun, 15 Feb 2026 09:18:14 GMT

You might be unfamiliar with the word “colophon”, and I admit it’s pretty niche. Merriam Webster’s definition is: “an inscription at the end of a book or manuscript usually with facts about its production”. And because it’s a new year, and I spent the weekend cooking up a big batch of changes to this website it’s only fair to include a post on how it’s built, and my reasoning behind the choices I made. A bit of background Like most things in IT that isn’t maintained well, the repository for my website also turned into a bit of a mess. Builds were starting to get too slow for comfort, updates to dependencies would break the build more often than not, and old decisions became obstacles for implementing new ideas. In short: the interest rate on old technical debt was becoming a pain and it doesn’t spark joy to spend a lot of time refactoring. I do enough refactoring in my day-job where I’m actually getting paid, and would prefer to avoid it for hobby projects. This is what I kept using All content is still in Sanity. I like having a “content lake” where I can get data, transform it, and end up with ...

Great technology should be invisible and nice to use

Mon, 12 Jan 2026 10:34:14 GMT

I was thinking about that Steve Jobs keynote from 2007 where Apple launched the iPhone this week. If you have been living in a cave, or for various other reason haven’t seen it you can watch it on YouTube: Steve Jobs MacWorld Keynote in 2007. I wasn’t thinking about it in some kind of romantic nostalgic way though. I just remembered the (small) group of telecom analysts that got out of their beds on the wrong side and started to spew out words on how shit Apple’s new device was. The specs were bad! it didn’t have 3G! It didn’t support MMS (archaic service to send grainy dick pics)! Pro-users wanted a keyboard with buttons! $400 was soooo expensive! ad nauseam… The funny thing about all this is: NO USER EVER CARED. The first iPhone was a massive success from day one. People queued up for hours and when a friend asked me if I wanted one because his father was commuting between Norway and USA at the time it took me like 10 seconds to say yes, send over the money, jailbreak it to activate outside of US networks and about 3 more minutes to be impressed by how nice ...

homelab automation with pyinfra

Sun, 11 Jan 2026 15:14:21 GMT

During the Christmas break I crawled into the storage / datacenter / Harry Potter-esque bedroom under my stairs and retrieved an Intel Nuc that had been powered off for a year++, added an additional SSD, and installed Arch Linux to setup a small lab for learning new things and brushing up forgotten skills. As I do love breaking my lab equipment I also needed to automate most of my configuration to make it easier to return to a known good state, but which one? Ansible? No, I have written enough playbooks in my career Chef? No. Not a fan of the master-client architecture, or their Ruby DSL Puppet? No. Again not a fan of the master-client architecture and too complicated for what I need SaltStack? Never been a fan, and I'm not going to touch anything owned by Broadcom unless there is (a lot) of money involved CFEngine? It's still alive? wow! But no. I do not want to re-learn that thing So what did I end up using? After browsing half the internet for various alternatives I decided to go with pyinfra. It's open source, easy and uncomplicated, agentless, and I like python. After playing around with it a bit and writing my first deployments I understand ...

DNSSEC and DNS child zones in Azure

Sun, 04 Jan 2026 00:00:00 GMT

Before christmas holidays set in we had a feature request in my work life where owners of a landing zone in Azure wanted access to manage records in public dns. After a bit of thinking, discussions with the team posting the request, and understanding their use case better we discovered that what they really wanted was to not deal with the existing process of manually ordering/renewing a publicly trusted certificate, store it in a key vault, and then forget about it until it expired one year later. Instead they wanted to automate the process with Let's Encrypt. In the end we settled on a design where the subscription vending has a feature flag for enabling a DNS child zone in the new subscription and create the necessary delegations in the parent zone. This essentially gives a team a subdomain with its own DNS zone they have full control over, while also not creating any complicated role assignments to avoid granting too wide credentials and allow someone to modify records outside of their own scope. To implement this pattern with terraform/opentofu we ran across a few challenges, so here is a short example (with notes) on how you can achieve the same thing Setup ...

Configure settings for EntraID roles in Privileged Identity Management with Terraform

Sat, 20 Sep 2025 00:00:00 GMT

When I last wrote about the new msgraph provider for Terraform my conclusion was that the preview release was not yet really usable, partly due to missing features. Well, one month later, and version 0.2.0 was shipped this week with one major update to change a lot of that and help us solve some (imho) pretty big problems with the old azuread provider the new msgraph_update_resource function! While the first release provided support for HTTP GET and POST requests, the new msgraph_update_resource adds support for sending HTTP PATCH requests to the API. This greatly expands the coverage of endpoints we can now manage, and most importantly for this post: we can now configure role settings used in Privileged Identity Management to configure requirements for users who need to elevate their permissions to Entra ID roles. PIM explained like you're 5 If you're not familiar with the concept of Privileged Identity Management in Entra ID or Azure, it is functionality that lets you avoid assigning privileged (i.e. dangerous) permissions to users and have them active 24/7. Instead, you can let your users elevate their permissions when they need them for specific tasks. You can use PIM for group memberships, Azure roles, and Entra ID roles. e.g ...

A new terraform provider for Entra ID

Tue, 05 Aug 2025 00:00:00 GMT

Last month, in the middle of everyone's summer holidays, Microsoft released a new Terraform provider for the Graph API. I have been waiting for this for quite some time after first hearing about the development in one of the "Terraform on Azure" community calls. (which you can sign up for at https://aka.ms/aztfcommunity), as I have been a bit annoyed and frustrated with the existing provider maintained by Hashicorp. To put it bluntly: The development and maintenance of terraform-provider-azuread seems to be stuck in some kind of virtual marshland, where issues are left unanswered, pull requests doesn't get merged, and the gap in functionality keeps growing larger and larger. A bit of background If we compare this with working on Azure resources, we have the option of using terraform-provider-azapi instead of terraform-provider-azurerm to mitigate a lot of the same issues. Where azurerm has been the default experience for a long time, providing stability and ease of use, it has at time struggled with providing day 1 support for new functionality, and it would not be fair to the development team to add the additional burden of keeping up with functions for preview services. azapi solves this by taking a different approach. Instead of a ...

Add an overview of Terraform changes to GitHub Actions

Thu, 28 Nov 2024 00:00:00 GMT

I have had a small itch for a while when using GitHub Actions to run Terraform deployments where I had no easy way to get a very quick overview of which resources that will be created, changed, or deleted if I approve and merge a pull request. So I spent a little time scratching that itch and figuring out a small solution using Python to parse the output of terraform plan and direct the output to GitHub's job summary. The end result of implementing these steps will look similar to this: In this post I will skip over how to setup the GitHub Action to trigger on pull requests or merges to the main, and the setup and init stages of Terraform. A complete example can be found on gist.github.com Run terraform plan The first addition to our usual steps when running terraform deployments in CI/CD is to use terraform show to convert our plan into json, a format more suitable for exploring than capturing stdout or the binary format outputted by terraform plan: Set up python and install dependencies Next up we need to setup a Python environment in our job and install two depencies. Pandas is a wonderful library for analysis and manipulation of ...

Azure subscription vending machine with Github and Terraform

Fri, 27 Sep 2024 00:00:00 GMT

This week we kicked off the first of six events in our Atea Community tour and I am lucky enough to be asked to host a session again this year. With more time, and a more technical fun stuff! One of my demo's in this session is using issue templates and actions in GitHub to create a very basic "vending machine" where users can request a new landing zone subscription without any knowledge about Git, CI/CD, automation tools or Landing Zone Architectures, and just a tiny bit of admin/bureaucracy (basically having your pull request approved and merged by an adult). Please note that the example described in this post is not exactly production ready. Because it is made in the context of fitting demo's into a 40 minute session shortcuts have been taken, some of the fields in the issue template form should use external lookups and not be user inputs, and the Terraform module being used have a lot of optional inputs to provide more flexibility and customization that are not used. Issue Templates in GitHub Issue and pull request templates gives us tools to make sure that relevant information is entered by users when they submit bugs, feature requests, security vulnerabilities, ...

Don’t try to sell me a Ferrari when I’m looking for a Fiat

Fri, 16 Aug 2024 00:00:00 GMT

With irregular intervals I notice streaming providers, especially the ones that have paid wild amounts of money for broadcasting rights to the most valuable sports events, turn on their lobbying machine and produce variations of the same story: Don’t use IPTV, you’re supporting organized crime. And every single time I get slightly annoyed. Not because I condone criminal activity, nor am I unwilling to pay for access to content, but because the only service that is available for me to purchase is both so ridiculously priced, and also it’s nowhere near the service I am actually interested in! This is especially evident when it comes to the most valuable broadcasting rights. Due to historic reasons, football is extremely focused on Premier League, and back in 2020 Viaplay spent an absurd amount of money to secure the exclusive rights from 2022/23 until 2027/28 across the Nordic countries and replace TV2 who had held the rights since 2010. Rumors say the price for the whole party was 20.000.000.000 NOK. Since then, the bubble has thoroughly burst, the shareholder value of Viaplay has taken a dive worthy of an Olympic athlete, and with a new Premier League season starting this weekend it’s a bit puzzling to ...

Writing better and more re-usable code in Terraform

Thu, 01 Aug 2024 00:00:00 GMT

Over the years I have, on numerous occasions, received questions from colleagues or customers if I could help them out with a bit of QA or tips on some Terraform code they have written. Typically these questions comes from people who have recently started using infrastructure as code, gone through the tutorials, deployed their first workloads, and are now hitting their first problems where their code starts to become harder to maintain and they feel like automation isn't giving them the increased productivity and quality of life the marketing promised. I usually end up re-using many of the same tips I have given to others earlier, so I thought I might as well make a post out of it. Follow established conventions and good practices Every language and technology has their own conventions and good practices that should be followed unless you have good reasons to deviate from them. We seldom work alone in a vacuum where the outside world does not affect us, and when we are required to scale up with more people, invite outside collaborators or hand over our code to other people it makes it significantly easier if our repositories feel familiar and are easy to navigate. I usually recommend ...

I reinvented the wheel, again

Tue, 23 Jul 2024 00:00:00 GMT

It is somewhat of a trend of mine. As time goes by, my urge to reinvent the wheel and "fix" my website by completely rewriting the whole things is asymptotic to one. So this is a summary of how, and why, I did it this time around. The beginning of this whole thing was a modest little idea of adding a section for some of the many pictures I have taken over the years. After my last trip to New Zealand I used the Adobe Portfolio included in Creative Cloud, but I was never very impressed with it and it was always going to be a temporary solution. After looking around for alternatives I figured out that I might as well build it myself, as it seems that is the only way to retain full control over both content and presentation these days. My first idea was to simply extend the site I have with a new section and continue to use Hugo as the static site generator and Azure Static Web Apps for hosting, but I quickly ran into the storage limitations where the free and standard plans only give you 250/500mb. It does not take a lot of content to ...

Use archetype_config_overrides to set role assignments in Azure landing zones Terraform module

Sun, 19 Feb 2023 00:00:00 GMT

Using terraform-azurerm-caf-enterprise-scale and custom landing zone archetypes makes it easy to modify role assignments by using the access_control block under parameters. To set role assignments for the built-in management groups is a bit different, and not very clearly documented in the repository wiki. To override the role assignments for the built-in management groups you need to use the archetype_config_overrides block. The block requires you to set the archetype_id, parameters and acess_control: A list of built-in archetype definitions can be found by in terraform-azurerm-caf-enterprise-scale/modules/archetypes/lib/archetype_definitions/. By selecting the definition relevant archetype definition we can add our own acess_control configuration like this: The above example will add three separate groups with the Owner, Contributor and Reader role to the Platform management group (which contains the Connectivity, Identity and Management groups/subscriptions). I prefer to always assign permissions to groups to make administration easier. And then I can expand this example with access reviews for group memberships as well as combining it with Privileged Identity management for just-in-time membership/ownership (although it should be mentioned that the azuread-provider has no support for access reviews and privileged identity management) Use module outputs to assign permissions If role assignments are added before the landing zones architecture is deployed the first time running terraform ...

Assign policy definitions from Azure landing zones Terraform module

Mon, 06 Feb 2023 00:00:00 GMT

A little while back I spent an hour or so writing an Azure policy, only to discover that the Azure landing zones Terraform module already has a policy definition that does exactly what I wanted to accomplish, but no assignments linked to it. It took me another hour of confusion and frustration to figure out how to actually assign the policy, as there is a step I completely overlooked. So here is a quick summary of how to use these policies so you can save yourself the trouble. Set the library_path First off we need to make sure the library_path variable is set to make sure the Azure landing zones-module can find our customizations. This is a requirement for adding custom landing zone archetypes, policy definitions, policy assignments etc. First, create a new folder named lib in the root of your Terraform project. Then, in the main.tf-file, add the following line to your module block: Create the policy assignment Under the lib-folder, create a new folder named policy_assignments and add a new file named policy_assignment_.tf. The Azure landing zones-module will pick up all files prefixed with policy_assignment_, but the rest of the name is only important for your own mental health. Name if ...

Own your own content

Sun, 01 Jan 2023 00:00:00 GMT

For some time I have reflected over the evolution of social media and their efforts to present me with content I am not interested in. Maybe I am somewhat special kind of grumpy, but the amount of “Suggested posts”, reels, recommended posts, etc. that is presented to me when I open an app instead of giving me a chronological feed of content from the people I actively choose to follow only makes me disengaged and less likely to publish anything at all. In a discussion over the holidays someone linked a post by Chris Coyier titled Bring Back Blogging and it reminded me about an earlier post by Scott Hanselman on why ownership of your own content is important. And still you tweet giving all your life’s precious remaining keystrokes to a company and a service that doesn’t love or care about you It has been years since I cleaned out everything from my facebook account (but kept it purely for the messenger app to keep in touch with people), with Elon Musk’s recent purchase of Twitter, and new competitors either failing miserably in short time or being more spyware than anything else (hello TikTok) I feel the message of the Scott Hanselman’s ...

Use the AzAPI provider to deploy Virtual Network Manager with Terraform

Thu, 04 Aug 2022 00:00:00 GMT

I believe most of us who works with Azure have felt the frustration of managing virtual networks as they grow in complexity. It’s easy to make mistakes when configuring peering and route tables and end up spending too much time running queries in Network Watcher to figure out what’s going on. Azure Virtual Network Manager aims to make this a lot easier and let us configure both Hub-Spoke and Mesh networks, as well as central management of security rules for all virtual networks. As this new service is still in preview, there is no support for using the AzureRM provider in Terraform to configure it, but by using the AzAPI we can get up and running without diving into scripty shenanigans that breaks or otherwise declarative approach to infrastructure as code Let’s start our example with defining our required providers, some basic configuration, and deploy a resource group, a hub network and two spoke networks. To save some typing (and make it a bit easier when creating a network group later on) we define the spoke networks in a local value and use for_each to create multiple networks. Deploy Network Manager We can then proceed with the more interesting part and deploy our Azure ...

Azure Static Web Apps, gohugo.io and TailwindCSS

Mon, 23 Aug 2021 00:00:00 GMT

Recently I spent a few (too many) hours to rebuild my personal website. It still use Hugo and Tailwind CSS, but I have changed hosting from using a storage account in Azure to using Azure Static Web Apps. The change has brought along some limitations, but it has also made the build pipeline a lot easier. If you’re not familiar with static site generators in general, or Hugo spesifically I advice you to spend a few minutes checking their documentation. To explain this very quickly, a static site generator’s purpose is to render content into static HTML files. This enables you to write content in a more comfortable format (like Markdown), use a framework of templates to describe how the content will be displayed, and upload the output to basicly any hosting provider. The end result is cheap hosting that can easily be cached by a CDN for great performance compared to when rendering is done dynamically. Typically the process of using a static site generator will look something like this: Write content on your local machine Run the static site generator to generate HTML Upload the generated HTML to a hosting provider As we don’t like manual labor we can automate step 2 and 3 ...

Pi-hole and Docker on MacOS to get rid of pesky advertising

Wed, 21 Aug 2019 00:00:00 GMT

When I'm at home I have setup a Raspberry Pi to run [Pi-hole](https://pi-hole.net/) and block pesky advertising. But. I am not always at home. I also bring my Macbook to work, customers, airports & hotels. I didn't want to clutter up my system and install Pi-hole natively, so instead I used [Docker](https://docs.docker.com/docker-for-mac/) To make starting/stopping Pi-hole easier I created a small shell script: More documentation on the Docker image can be found on GitHub: https://github.com/pi-hole/docker-pi-hole/#running-pi-hole-docker ...

Static Website Hosting With Azure and Hugo

Thu, 30 Aug 2018 00:00:00 GMT

Earlier this summer Microsoft announced Static Website Hosting for Azure Storage in public preview. An affordable way of hosting websites where you don’t need any server side logic. Instead of paying for, securing and updating my own Virtual Machine I decided to check it out. This of course led me deep down a rabbit hole thinking about resurrection my personal website in some way. Instead of doing this the boring way and just upload some good, old fashioned, HTML I thought why not #RubDevOpsOnIt and use a build pipeline in Visual Studio Team Services and a static site generator to create something cool? Emerging from this rabbit hole a month or so later is this article (and this website). Prerequisites A Microsoft Azure account A Visual Studio Account Hugo installed on your machine A GPv2 storage account with “Static Website (preview)” enabled An empty project in VSTS for your website. Create a new site with Hugo Start off with creating a new Hugo site locally. https://gohugo.io/getting-started/quick-start/ has a quick and easy to follow tutorial on how you can do this. Note that Hugo itself does not ship with a default theme so you can either go along with Ananke as described in the tutorial, or you can choose a different ...

Certificates with Ansible, Letsencrypt and Cloudflare

Fri, 02 Dec 2016 00:00:00 GMT

The example use Cloudflare for DNS, but any provider with an ansible module works. To use the example, add your own email, api token and domain name to variables. To receive a certificate with an actual trusted root, change ACME Directory to https://acme-v02.api.letsencrypt.org/directory ...