Configuring a custom domain for an Azure App Service, including an App Service Managed Certificate, is the kind of task for which I constantly have to look up the details. For this reason, and because a colleague asked me to blog about it, I decided to briefly document the process here.
[HOWTO] Fix “Server identity does not have Azure Active Directory Readers permission” error when using terraform local-exec provisioner to create SQL database users from external provider in a Az DevOps YAML pipeline
The author describes troubleshooting an Azure DevOps YAML pipeline in which a Terraform local-exec provisioner that creates SQL database users from an external provider (Microsoft Entra ID) failed because the SQL server's identity lacked the Directory Readers permission. They detail the root cause, the error findings, and the adjustments that resolved the issue, focusing on least-privilege principles.
[HOWTO] Set Minimum TLS Cipher Suite of Azure App Service using Terraform
A pentest of an application revealed weak TLS cipher suites on an Azure App Service. To remediate the finding, cipher suites without forward secrecy must be disabled. Using Terraform together with the azapi provider, a workaround was implemented to set the Minimum TLS Cipher Suite, enforcing modern cryptographic standards.
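As an added example (not code from the post), the azapi workaround in Terraform: the web app is created with the azurerm provider as usual, then the site's `web` config sub-resource is patched with `minTlsCipherSuite`, which azurerm at the version pinned here exposes no argument for (an assumption worth re-checking in newer releases). Resource names, region and plan SKU are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
    azapi   = { source = "Azure/azapi", version = "~> 1.13" }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-tls-demo" # assumed
  location = "westeurope"  # assumed
}

resource "azurerm_service_plan" "plan" {
  name                = "asp-tls-demo"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "P1v3" # assumed; check that your tier offers the cipher-suite setting
}

resource "azurerm_linux_web_app" "app" {
  name                = "app-tls-demo-0001" # assumed, must be globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_service_plan.plan.location
  service_plan_id     = azurerm_service_plan.plan.id
  https_only          = true

  site_config {
    minimum_tls_version = "1.2" # protocol floor only; says nothing about cipher suites
    ftps_state          = "Disabled"
  }
}

# azurerm has no argument for the cipher-suite floor, so the site's "web"
# config sub-resource is patched directly through the ARM API.
resource "azapi_update_resource" "min_cipher_suite" {
  type        = "Microsoft.Web/sites/config@2022-09-01"
  resource_id = "${azurerm_linux_web_app.app.id}/config/web"

  body = jsonencode({
    properties = {
      # Azure orders its suites from strongest to weakest and disables every
      # suite below the one named here. ECDHE_RSA_AES_128_GCM is the weakest
      # forward-secret AEAD suite, so all CBC and static-RSA key-exchange
      # suites drop out while RSA certificates keep working.
      minTlsCipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    }
  })
}
```

Two caveats: `azapi_update_resource` only patches, so `terraform destroy` does not restore the previous value, and picking an `ECDSA`-only suite as the floor would lock out RSA certificates in TLS 1.2. Verify the result from outside with `nmap --script ssl-enum-ciphers -p 443 <hostname>`; no CBC or `TLS_RSA_*` suite should remain listed.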
[HOWTO] Deploy an ASP.NET Core Web API to an Azure App Service using a GitHub Actions Workflow
This week, I faced challenges deploying an ASP.NET Core Web API to an Azure App Service using GitHub Actions and OpenID Connect. Initial attempts with azure/webapps-deploy@v3 failed due to missing credentials. A later try with azure/cli@v2 failed because the deployment file wasn't a valid zip. Properly zipping the files led to successful deployment.
[HOWTO] Rotate Azure Key Vault secrets used by an ASP.NET Core Web API with Terraform on every deployment
The blog post details rotating secrets stored in Azure Key Vault on each application deployment, using Infrastructure as Code (IaC) principles via Terraform. It emphasizes that regular rotation limits how long a leaked secret remains usable. An ASP.NET Core Web API serves as the example application, deployed with GitHub Actions.
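One way to get a fresh secret on every deployment in Terraform, as an added example that is not the post's own code: a `random_password` whose `keepers` carry the pipeline run identifier, so a new run forces a new value and therefore a new Key Vault secret version, which the app consumes through a versioned Key Vault reference. The `deployment_id` variable, resource names and role choices are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
    random  = { source = "hashicorp/random", version = "~> 3.6" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed: the pipeline passes its run identifier, e.g. -var="deployment_id=$GITHUB_RUN_ID".
variable "deployment_id" {
  type = string
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-rotation-demo" # assumed
  location = "westeurope"       # assumed
}

resource "azurerm_key_vault" "kv" {
  name                      = "kv-rotation-demo-0001" # assumed, must be globally unique
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true
  purge_protection_enabled  = true
}

# The deploying identity may write secrets and nothing else.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# A changed keeper forces a new password, so every deployment produces a new secret version.
resource "random_password" "api_key" {
  length  = 48
  special = false
  keepers = {
    deployment_id = var.deployment_id
  }
}

resource "azurerm_key_vault_secret" "api_key" {
  name         = "ApiKey"
  value        = random_password.api_key.result
  key_vault_id = azurerm_key_vault.kv.id
  content_type = "text/plain"

  depends_on = [azurerm_role_assignment.deployer_secrets_officer] # the role must exist before the first write
}

resource "azurerm_service_plan" "plan" {
  name                = "asp-rotation-demo"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_linux_web_app" "api" {
  name                = "api-rotation-demo-0001" # assumed, must be globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id
  https_only          = true

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  # Versioned reference (secret.id, not versionless_id): the app setting changes on
  # every rotation, which restarts the app and guarantees it reads the new version
  # instead of a cached older one.
  app_settings = {
    "ApiKey" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.api_key.id})"
  }
}

# The API's managed identity may only read secrets.
resource "azurerm_role_assignment" "api_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.api.identity[0].principal_id
}
```

Note that rotation does not revoke: earlier secret versions stay readable in the vault until they are disabled, so a consumer that still holds an old value keeps working. RBAC assignments also take a few minutes to propagate, which can make the very first apply fail on the secret write even with the `depends_on`; a second apply succeeds.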
[HOWTO] Create Azure DevOps Service Connections with authentication method Workload Identity Federation using Terraform
Since fall 2023, Workload Identity Federation has been available for Azure service connections, allowing authentication to Azure with short-lived tokens and no stored secrets. This post explains its benefits and limitations and provides an example of creating service connections using Terraform.
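An added example of such a service connection in Terraform (not the post's own code): the azuredevops provider creates the connection in WIF mode and exports the issuer and subject that Azure DevOps tokens will carry, and a federated identity credential on the app registration tells Entra ID to trust exactly that pair. The organization URL, project name, subscription and resource group are assumptions; the azuredevops provider is assumed to read its PAT from `AZDO_PERSONAL_ACCESS_TOKEN`.

```hcl
terraform {
  required_providers {
    azuredevops = { source = "microsoft/azuredevops", version = "~> 1.1" }
    azuread     = { source = "hashicorp/azuread", version = "~> 2.47" }
    azurerm     = { source = "hashicorp/azurerm", version = "~> 3.100" }
  }
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/contoso" # assumed
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

variable "subscription_id" {
  type = string
}

data "azuread_client_config" "current" {}

data "azuredevops_project" "proj" {
  name = "Platform" # assumed existing project
}

# App registration and service principal with no client secret or certificate at all.
resource "azuread_application" "pipeline" {
  display_name = "sp-azdo-platform-prod" # assumed
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal" "pipeline" {
  client_id = azuread_application.pipeline.client_id
  owners    = [data.azuread_client_config.current.object_id]
}

# Service connection in WIF mode. Azure DevOps computes the issuer and subject its
# tokens will carry and exposes them as attributes of this resource.
resource "azuredevops_serviceendpoint_azurerm" "prod" {
  project_id                             = data.azuredevops_project.proj.id
  service_endpoint_name                  = "sc-azure-prod" # assumed
  service_endpoint_authentication_scheme = "WorkloadIdentityFederation"
  azurerm_spn_tenantid                   = data.azuread_client_config.current.tenant_id
  azurerm_subscription_id                = var.subscription_id
  azurerm_subscription_name              = "Production" # assumed display name

  credentials {
    serviceprincipalid = azuread_application.pipeline.client_id
  }
}

# Trust relationship: Entra ID exchanges an Azure DevOps token for an access token
# for this app only when issuer and subject match exactly.
resource "azuread_application_federated_identity_credential" "azdo" {
  application_object_id = azuread_application.pipeline.object_id
  display_name          = "azdo-sc-azure-prod"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = azuredevops_serviceendpoint_azurerm.prod.workload_identity_federation_issuer
  subject               = azuredevops_serviceendpoint_azurerm.prod.workload_identity_federation_subject
}

# Least privilege: scope the pipeline identity to its resource group, not the subscription.
resource "azurerm_role_assignment" "pipeline_contributor" {
  scope                = "/subscriptions/${var.subscription_id}/resourceGroups/rg-platform-prod" # assumed
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.pipeline.object_id
}
```

The subject Azure DevOps generates is bound to the organization, project and service connection name, so renaming the connection invalidates the federated credential and the trust has to be re-established; keeping both in the same configuration makes Terraform do that automatically.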
[NoBrainer] Solve AuthorizationPermissionMismatch error on terraform init
The error "Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403" from Terraform with an Azure backend indicates that the caller lacks a data-plane permission on the state container. To resolve it, assign the Storage Blob Data Contributor (or Storage Blob Data Owner) role to the user or service principal. After the assignment, run 'az logout' followed by 'az login -t [tenant id]' to obtain a fresh token.
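Added example, not the post's own code: the workload's backend block and a small separate bootstrap configuration that grants the data-plane role. Two files are shown in one block; the bootstrap one has to live in its own configuration with its own (for example local) state, because it grants the very role the workload backend needs. Storage account, container and resource group names are assumptions.

```hcl
# --- backend.tf of the workload configuration ---
# With use_azuread_auth the state blob is read and written with the caller's Entra ID
# token instead of the storage account key, so the caller needs a blob data role on
# the container; a management-plane role such as Contributor does not include it.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"    # assumed
    storage_account_name = "sttfstate0001" # assumed
    container_name       = "tfstate"
    key                  = "app.tfstate"
    use_azuread_auth     = true
  }
}

# --- bootstrap/main.tf (separate configuration with local state) ---
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed: object ID of the user or service principal that runs terraform init.
variable "deployer_object_id" {
  type = string
}

data "azurerm_storage_account" "state" {
  name                = "sttfstate0001" # assumed
  resource_group_name = "rg-tfstate"    # assumed
}

# Scoped to the one state container rather than the whole account: the deployer can
# read and write state blobs but cannot touch other containers.
resource "azurerm_role_assignment" "state_contributor" {
  scope                = "${data.azurerm_storage_account.state.id}/blobServices/default/containers/tfstate"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.deployer_object_id
}
```

Storage Blob Data Contributor is enough for state locking and writes; Storage Blob Data Owner additionally manages POSIX ACLs and is rarely needed here. After the assignment, refresh the CLI token as described above (`az logout`, then `az login -t <tenant id>`) before running `terraform init` again.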
[NoBrainer] Import existing Microsoft Entra ID security groups into terraform state
In a project involving infrastructure as code (IaC) with Terraform, Microsoft Entra ID security groups had been created manually in the Azure portal. To avoid recreating them, Terraform's import feature was used to bring the existing groups into Terraform state. This involved obtaining each group's object ID and description, declaring the groups as resources in the Terraform code, and importing them into the state.
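As an added example (not the post's code), the same procedure with Terraform's declarative `import` blocks, which run as part of `terraform plan` and `terraform apply` and can be deleted once the state contains the groups. The object IDs, group names and descriptions below are constructed placeholders.

```hcl
terraform {
  required_version = ">= 1.7" # for_each in import blocks
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.47" }
  }
}

provider "azuread" {}

locals {
  # Constructed placeholders. The real values come from the portal or from
  # `az ad group show --group <name> --query "{id:id,description:description}"`.
  existing_groups = {
    app_readers = {
      object_id    = "11111111-1111-1111-1111-111111111111"
      display_name = "sg-app-readers"
      description  = "Read access to the app"
    }
    app_admins = {
      object_id    = "22222222-2222-2222-2222-222222222222"
      display_name = "sg-app-admins"
      description  = "Administrative access to the app"
    }
  }
}

# Declared exactly as the groups exist in the tenant; any difference shows up as a
# proposed change in the first plan after the import.
resource "azuread_group" "existing" {
  for_each = local.existing_groups

  display_name     = each.value.display_name
  description      = each.value.description
  security_enabled = true
  # members and owners are deliberately not declared, so Terraform leaves them unmanaged
}

import {
  for_each = local.existing_groups
  to       = azuread_group.existing[each.key]
  id       = each.value.object_id
}
```

Run `terraform plan` first: it should report the groups as "to import" and nothing "to update"; an update means the declared attributes differ from the real group and the code, not the group, should be adjusted. On Terraform versions before 1.5 the equivalent is `terraform import 'azuread_group.existing["app_readers"]' <object id>` per group.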
[HOWTO] Configure Serilog for a .NET Core Web API running on Azure App Service
This blog post guides the configuration of Serilog for a .NET Core Web API running on an Azure App Service. It covers logging requirements and implementation, including Serilog setup in Program.cs and appsettings.json. It also provides instructions for querying logs in Azure Application Insights and streaming them using Log Stream in Azure App Service.
Continuous Integration and Continuous Deployment with JetBrains Space
The author was tasked with setting up a CI/CD process for a Blazor application using JetBrains Space. They had experience with other tools like Azure DevOps and GitHub Actions but found implementing pipelines in Space challenging. They struggled with creating the necessary automation scripts and host parameters. Despite good documentation, they found the CI/CD features lacking in predefined steps and tasks for standard cases, leading to unnecessary effort. They were also concerned about the exposure of project-wide secrets as plain text in runtime parameters.
