7. Self-guided Challenges

After completing all the labs, try tackling the following challenges from scratch, without relying on existing Terraform code. Each challenge is independent—pick the one that interests you most!


Challenge #1: Upgrade azurerm Provider Version (Entry Level)

In the Azure Workshop, an outdated version of the azurerm Terraform provider (v3.117.1) was used. In this challenge, you’ll modernize the code base.

Objectives

Using Terraform, complete the following tasks:

  • Upgrade the Terraform code to use the latest version of the azurerm provider
  • Identify any deprecated or removed resources and either migrate them to supported alternatives or re-provision the components

Challenge #2: GitLab Runner Deployment (Intermediate)

In many CI/CD workflows, it’s standard practice to use dedicated GitLab Runners. This challenge guides you through provisioning a configurable number of runners using Terraform.

Objectives

Using Terraform, implement the following:

  • Initialize a new Terraform stack at $LAB_ROOT/gitlab_runner
  • Generate a GitLab Runner token from your GitLab instance (either gitlab.com or a self-hosted GitLab)
    • Runners can be registered at the group or project level—even for private projects
  • Provision a Linux VM configured via cloud-init:
    • Register the gitlab-runner using the GitLab Runner token
    • Ensure the runner service starts on boot
  • Confirm successful registration of the runner in your GitLab group or project settings

Bonus

  1. Store the GitLab Runner token securely in Azure Key Vault as a secret and reference the secret from the cloud-init template instead of sourcing it from a variable
  2. Create a GitLab CI pipeline in a demo project to verify that the self-hosted Azure runner can execute jobs

Challenge #3: Azure Key Vault + External Secrets Operator (Advanced)

Kubernetes applications often require access to sensitive credentials. Rather than passing them during deployment, this challenge uses External Secrets Operator to securely replicate secrets from Azure Key Vault into Kubernetes.

Objectives

Using Terraform, implement the following:

  • Use the existing “Azure Workshop” Terraform stack at $LAB_ROOT/azure
  • Create an Azure Key Vault instance
  • Add a new secret to Key Vault
    • Manually modify the secret later via the Azure Portal
  • Configure AKS OIDC (OpenID Connect) to enable Federated Identity for workload authentication
  • Deploy the External Secrets Operator to the AKS cluster
    • Grant permissions to the operator via an Azure User-Assigned Managed Identity
  • Manually create an ExternalSecret custom resource to sync the Key Vault secret into a target Kubernetes namespace
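
The identity wiring for the operator is the step where least privilege is decided, so here is a sketch of it as an added example (not part of the workshop's own Terraform code), written against the azurerm 3.x schema. The variable names, resource names, namespace and service account name are assumptions, and the role assignment assumes the Key Vault uses Azure RBAC authorization rather than access policies.

```hcl
# Added example; all names below are assumptions, not workshop code.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "key_vault_id" { type = string }

# Pass in the oidc_issuer_url attribute of your azurerm_kubernetes_cluster
# (requires oidc_issuer_enabled = true on the cluster).
variable "aks_oidc_issuer_url" { type = string }

locals {
  # Must match the namespace and service account the operator actually runs as.
  eso_namespace       = "external-secrets"
  eso_service_account = "external-secrets"
}

resource "azurerm_user_assigned_identity" "eso" {
  name                = "id-external-secrets"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Trust only tokens issued by this cluster for this one service account.
# A mismatch in issuer or subject makes the token exchange fail.
resource "azurerm_federated_identity_credential" "eso" {
  name                = "fic-external-secrets"
  resource_group_name = var.resource_group_name
  parent_id           = azurerm_user_assigned_identity.eso.id
  issuer              = var.aks_oidc_issuer_url
  audience            = ["api://AzureADTokenExchange"]
  subject             = "system:serviceaccount:${local.eso_namespace}:${local.eso_service_account}"
}

# Read-only access to secrets, scoped to the single vault instead of the
# resource group or subscription.
resource "azurerm_role_assignment" "eso_kv_read" {
  scope                = var.key_vault_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.eso.principal_id
}

# Goes into the service account annotation azure.workload.identity/client-id.
output "eso_client_id" {
  value = azurerm_user_assigned_identity.eso.client_id
}
```

The operator's pods also need the label azure.workload.identity/use: "true" so the workload identity webhook injects the projected token.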