Handcrafted, AI-free blog posts about DevOps, DevSecOps, application security, web development, Azure and similar topics
Configuring a custom domain for an Azure App Service including a App Service Managed Certificate is the kind of task where I constantly have to look up the details. For this reason, and because a colleague asked me to blog about it, I decided to briefly document the process here.
I aimed to enable Defender for Storage on a dedicated storage account using Terraform, updating the existing configuration. Although the Terraform apply succeeded, the feature was not enabled. After research, I resolved the issue by adjusting user roles, allowing a subsequent Terraform apply to produce the desired outcome.
This blog post describes how to automate the upload of files to an Azure storage account using Terraform.
The author describes troubleshooting an Azure DevOps YAML pipeline error related to a local-exec provisioner in terraform, which failed to grant necessary permissions due to a missing Azure Active Directory Readers permission. They detail the root causes, error findings, and ultimately the adjustments made to resolve the issue, focusing on least privilege principles.
An application’s pentest revealed weak SSL/TLS cipher suites in Azure App Services. To enhance security, non-forward-secrecy cipher suites must be disabled. Utilizing Terraform and the azapi provider, a workaround was implemented to configure the Minimum TLS Cipher Suite, enforcing modern cryptographic standards.
The blog post details the process of rotating secrets stored in Azure Key Vault with each application deployment, utilizing Infrastructure as Code (IaC) principles via Terraform. It emphasizes the importance of secret rotation to minimize risks from leaks. An ASP.NET Core Web API is demonstrated as the application example, alongside procedural GitHub Actions for deployment.
The Azure DevOps YAML pipeline encountered an error requiring 'az login' during a Terraform task due to a local-exec provisioner executing a PowerShell script that needed Azure CLI access. Despite this error, the pipeline completed successfully. Activating runAzLogin resolved the issue, enabling the script's changes to be applied effectively.
Since fall 2023, Workload Identity Federation for Azure service connections has been available, allowing short-lived credential-free authentication to Azure. This post explains its benefits, its limitations, and provides an example of creating service connections using terraform.
The error "Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403" in Terraform with an Azure backend indicates a permission issue. To resolve this, assign the Storage Blob Data Contributor or Owner role to the user or service principal. After assignment, use 'az logout' and 'az login -t [tenant id]' commands to refresh the token.
In a project involving infrastructure as code (IaC) with terraform, Microsoft Entra ID security groups were manually created in the Azure portal. To avoid recreation, the import feature in terraform was used to bring existing groups into terraform state. This involved obtaining object IDs and descriptions, adding the groups as resources in terraform code, and importing them into terraform state.
blog.rufer.be 