Showing posts from July, 2019

Azure WebDeploy and Kudu

Regardless of whether it is Azure or not, when you use WebDeploy, you're using port 8172 to do your deployment. Unlike zip deployment, WebDeploy does not use the Kudu service.

That also means any service like VSTS that uses WebDeploy does not use Kudu.

Why is this important? When the security team starts knocking on your door asking for everything to be locked down, you need to know which ports are important.

Kudu service uses port 80 / 443.

How does Kudu deploy

Function app ASE

ASE (Application service environment) is an isolated environment for you to run your code on.

If you use Terraform 

Unfortunately, if you're using Terraform, you get an error message when trying to provision a function app that is tied to a service plan (ASE).

Status code nil, nil - Not a very helpful message

Issue is tracked here.

If you still want to use Terraform, get it to create the service plan and stop. Don't provision your function app. The service plan you just created is tied to an environment id.

Then use Az Cli to create a function app and manually tie it to the service plan created locally.

You also need to set up system identity and somehow add that into resources like keyvault and all the goodies.

If you use Az Cli

Creating a service plan that ties to an ASE is not supported. Look up the service plan; you cannot create Isolated using az cli.

Microsoft has just moved this into their backlog.

Powershell AZ 2.4

The only option is to use Powershell AZ.

My case 

Since I am using Terraf…

Azure devops - debugging pipeline using System.Debug

One cool feature that you can turn on whenever you try to troubleshoot build issues in Azure Devops is "System.Debug". Create a new variable called "System.Debug" and set it to true.

Run your pipeline and you will see a bunch of messages.

git apply patch done properly

Totally agree with the way this has been done.

See what changes the patch makes: git apply --stat 0001-file.patch
Do a dry run to detect errors: git apply --check 0001-file.patch
Finally, use git am to apply your patch as a commit; it allows you to sign off an applied patch, which can be useful for later reference: git am --signoff < 0001-file.patch

Terraform - configuring function app to use existing ASE

It is hard to get the settings right for Terraform if you don't run it multiple times.
In this example, I had so many errors, and I found out that if you are referencing an existing ASE plan, you had better make sure it matches in terms of TIER and SIZE. Otherwise your service plan is as good as no service plan.

resource "azurerm_app_service_plan" "ase-service-plan" {
  name                         = "${var.environment}${var.service_plan_name}"
  resource_group_name          = "${}"
  location                     = "${var.location}"
  kind                         = "FunctionApp"
  app_service_environment_id   = "/subscriptions/your-subscription-id/resourceGroups/yourResourceGroup/providers/Microsoft.Web/hostingEnvironments/your-ASE-name"
  maximum_elastic_worker_count = 1

  ## required - Isolated ASEV2
  ## Best to match this
  sku {
    tier     = "Isolated"
    size     = "I1"
    capacity = 1
  }
}

Node.js - Loading from node_modules from parent directory

Interestingly, node_modules libraries are loaded from the child directory first, then the lookup works its way up through each parent until the root.

That is not really what the docs say.

To resolve this, either add the package dependencies to the parent node_modules or remove that folder.


npm audit error - package vulnerabilities

Ran into this error during my npm build. Awesome treat of the day, it seems.
Time to get cracking with resolving in-flight npm library issues.

When I encounter this issue, none of my builds work. It just shows the following error and exits.

Good thing it asks me to use

npm audit fix

to fix stuff and it works. Obey the npm cli :)

npm react script error - The react script package provided by Create React App requires a dependency

Bumped into this error today:

The react-scripts package provided by Create React App requires a dependency

"jest" : "24.7.1"

To resolve this, apply the changes suggested from here.

You also need to provide this:

npx npm-force-resolutions
npm install

Funny thing is that this doesn't work for me.

Az cli - setting diagnostic logs for event hub

This is a script that allows you to set up diagnostic logging for keyvault and event hub. You can easily use it for other stuff as well.

First of all, you start off with something simple like this to enable diagnostic logging for a vault called "myvault". Unless --resource is a resource ID, you need to provide the resource group info. (Please note: the resource group is the one the vault resides in.)

az monitor diagnostic-settings create -n "lalala" --resource "myvault" -g "devrgpmtengine" --resource-type "Microsoft.KeyVault/vaults" --workspace "mydevworkspace" --metrics '[{"category": "AllMetrics","enabled": true,"retentionPolicy": {"enabled": false, "days": 0 }}]'

When it comes to --workspace, it is best to have something that looks like this: the full resource path to your workspace. It looks like the figure b…

Powershell - Passing json string into az cli for execution

When you're working with Az cli, you tend to pass in a bunch of JSON strings. The thing about PowerShell is that you need to escape double quotes, otherwise you will get a whole bunch of errors:

Expecting property name enclosed in double quotes: line 1 column 1
Expecting property name enclosed in double quotes: line 1 column 3 (char 2)

blah blah blah

To solve this, look at this example:

This is an example of how you can use the "az monitor diagnostic-settings" command line.

Hope this helps!!!
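One way to do the escaping described in this post, as an added example that is not from the original post: it builds the --metrics JSON from a PowerShell object and escapes the double quotes only when the shell would otherwise drop them. The helper name ConvertTo-AzCliJson is hypothetical, the resource names are the sample values from the diagnostic-settings post above, and az is assumed to be on the PATH.

```powershell
# Added example (not from the original post). ConvertTo-AzCliJson is a
# hypothetical helper name; resource names are the sample values used in
# the diagnostic-settings post above.

function ConvertTo-AzCliJson {
    param([Parameter(Mandatory)] $InputObject)

    # -InputObject (rather than the pipeline) keeps a one-element array as a
    # JSON array; -Compress removes newlines and spaces from the argument.
    $json = ConvertTo-Json -InputObject $InputObject -Depth 10 -Compress

    # PowerShell 7.3+ in 'Standard' mode passes embedded double quotes to
    # native programs unchanged. Windows PowerShell 5.1, older 7.x, and
    # az.cmd on Windows (legacy passing) drop them, which gives az the
    # "Expecting property name enclosed in double quotes" error.
    if ($PSNativeCommandArgumentPassing -eq 'Standard') {
        return $json
    }
    return $json.Replace('"', '\"')
}

# Same metrics setting as the one-line JSON string in the post above.
$metrics = @(
    @{
        category        = 'AllMetrics'
        enabled         = $true
        retentionPolicy = @{ enabled = $false; days = 0 }
    }
)
$metricsArg = ConvertTo-AzCliJson -InputObject $metrics

az monitor diagnostic-settings create -n 'lalala' `
    --resource 'myvault' -g 'devrgpmtengine' `
    --resource-type 'Microsoft.KeyVault/vaults' `
    --workspace 'mydevworkspace' `
    --metrics $metricsArg
```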

Azure key - using rsa (private and public key)

The idea is pretty simple: create an RSA key in Azure, use the public key to encrypt, then use the private key to decrypt. The private key never leaves the vault.

Here is the code for doing that.

If you're getting a bad request, please check that you have added the MSI to the keyvault access policy.

I had the following error message many, many times:

Unhandled Exception: Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'BadRequest'

and the problem is due to specifying fOAEP as false instead of true.

var encryptedText = rsa.Encrypt(byteData, fOAEP: true); // used to be false :(

Azure diagnostic settings - quick way to look at all the setups

Go to Azure portal -> Monitor -> diagnostic settings 

Please change the subscription filter as required.

Writing to a variable for other tasks in the pipelines

You can create or update a pipeline variable using the following command:

Write-Host "##vso[task.setvariable variable=myvariableName;]$myVariableWithValue"

Terraform - setup AzureRM as a backend storage

Say you're trying to set up a Terraform backend to save the state file into Azure. You might get a prompt asking for the container name; if so, provide the configuration listed in figure 1.1.

Before that, you need to setup your ARM authentication (yes, all of this)


If you get error messages saying

"Error inspecting states in the "azurerm" backend" - please provide settings in figure 1.1

If you encounter this error, or whenever any of your tests results in failure, remember to delete your state file folder (.terraform). This is important.

Error inspecting states in the "azurerm" backend:
storage: service returned error: StatusCode=403, ErrorCode=AuthenticationFailed, ErrorMessage=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

If you want to pass DYNAMIC values in, you can use :-

terraform init -backen…

Wireshark - Master grand list of fields

A deep dive into the fields you can specify in the filter section of Wireshark. Here is a complete reference:

Sans SIFT workstation - a forensic VM

Mitre - Threat framework

This is awesome. It has a huge list, and I am not sure how one can possibly ensure this is carried out.

terraform spitting out 403 access error when creating keyvault secret in azure

I bump into this issue a lot when I try to create a keyvault, then set up some policy around it, and then when I add a secret / key into it, bang! This happens:

terraform spitting out 403 access error when creating keyvault secret in azure

The solution that worked for me: add depends_on to EVERY "azurerm_key_vault_secret" and key that is about to be written into a keyvault. This happens when you are trying to create a key vault and then add a policy. If you're just adding a secret (with the keyvault already existing), then you're fine.

Yes, add it to every secret or key that has dependencies and you can have it as a module. It won't work.

resource "azurerm_key_vault" "kvpaymentengine" {
  name                = "${var.environment}${var.keyvault_name}"
  location            = "${var.location}"
  resource_group_name = "${module.pmt-rg.rg_name}"
  tenant_id           = "${var.tenant_id}"
}

Terraform Error: spawn terraform ENOENT

I know this sounds strange as hell, right.

When this happened to me, Terraform was actually complaining about an incorrect path that was given in my variables / settings.

Azure devops - Az cli extension can access pipeline variables definition

The Az Cli extension can access pipeline variable definitions without any environment setup. You should be able to do something like this:

Where $ENVIRONMENT is a pipeline variable definition.

az functionapp cors remove -g $ENVIRONMENT$RESOURCE_GROUP_NAME -n $ENVIRONMENT$FUNCTIONAPP_NAME --allowed-origins "*"

az cli function app source code is under appservice

If you're looking for az cli functionapp code, well it is available under appservice folder as shown in diagram below :

How to disable remote debugging from your portal

Been looking around but managed to find it myself.

Go to your function app, then click on "General settings" - most of your configuration is available here.

Using git subtree

Updating repository 

A git subtree is a copy of a cloned repository. You need to issue a separate command to update your branch, for example:

git subtree pull --prefix=storedprocedures https://mycopied_git_repository/ 

Running pull alone will not update the 'copied' branch. This also means you need to pull and then push for the changes to be reflected.

For example, say you have your local git repo called 'my_local_git_repo', mounted to a folder called externalibrary. If you run git pull, you only update 'my_local_git_repo' and not mycopied_git_repository. Run the git subtree command above to update it.

After that, you need to push your changes to your 'my_local_git_repo' so that build tools like Azure DevOps are able to see it and update.