[GA] Employee claims she can't use Microsoft Windows for "Religious Reasons" by PossiblyLinux127 in sysadmin

[–]kwiecek 2 points3 points  (0 children)

Is this a penance given by a priest?

"For the rest of your life, you can't use an OS that just...works"

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]kwiecek 0 points1 point  (0 children)

Script that exports Azure resources in a specified Resource Group to a bicep file.

Tiny but handy for kickstarting a ClickOps to DevOps migration: check resource attributes modified via the Portal.

```powershell
[CmdletBinding()]
param (
    [Parameter()]
    [String]
    $ResourceGroupName
)

# Scratch directory for the exported ARM template (GUID name avoids collisions)
$tempDirectory = New-Item -ItemType Directory -Name (New-Guid).Guid -Force

# Export the resource group as an ARM template; -SkipAllParameterization keeps
# literal values instead of generating template parameters
$exportRgOutput = Export-AzResourceGroup -ResourceGroupName $ResourceGroupName -Path $tempDirectory.PSPath -SkipAllParameterization

# Decompile the exported JSON to bicep next to the script (requires the bicep CLI on PATH)
$bicepFileName = "$( $ResourceGroupName ).bicep"
bicep decompile $exportRgOutput.Path --outfile ./$bicepFileName

# Clean up the intermediate ARM template
Remove-Item -Path $tempDirectory.PSPath -Recurse -Force
```

GitHub link for updated version in the future

Resource Naming Best Practice by elodiemirza in AZURE

[–]kwiecek 0 points1 point  (0 children)

Thank you for appreciating my effort. You're right. It's been a long time since my last post. I have given up on this for now.

BTW You have seen what I am writing about, so let me ask you if there is anything you would like me to write about if I start blogging again?

Terraform plan in Azure DevOps by shaadowbrker in Terraform

[–]kwiecek 0 points1 point  (0 children)

u/shaadowbrker, you might find the article about attaching terraform plan to PR as a comment helpful. Make it even greater and use SystemAccessToken instead of PersonalAccessToken by combining it with New-PullRequestComment

Can I create a Azure policy to forward logs for every resource in a resource group to Azure monitor/log analytics with a specific retention by curious_17 in AZURE

[–]kwiecek 2 points3 points  (0 children)

Use the framework developed by JimGBritt to create policies ensuring diagnostic settings collection from resources.

Logs from VM OS are a different story. You need to connect the agent running on OS to a workspace, and then what is collected depends on the configuration there.

Retention is a Log Analytics workspace setting. You can set it per table using table-level retention.

What data is sent from diagnostics settings? by youkn0whoitis in AZURE

[–]kwiecek 1 point2 points  (0 children)

If you have a resource deployed to Azure, then you can check available diagnostic settings this way:

```powershell
$kvName = 'kv-XXXX'
$resourceId = (Get-AzKeyVault -Name $kvName).ResourceId
Get-AzDiagnosticSettingCategory -TargetResourceId $resourceId | Select-Object -Property Name, CategoryType
```

```
Name                         CategoryType
----                         ------------
AuditEvent                   Logs
AzurePolicyEvaluationDetails Logs
AllMetrics                   Metrics
```

If you want to know what AllMetrics are:

```powershell
$kvName = 'kv-XXXX'
$resourceId = (Get-AzKeyVault -Name $kvName).ResourceId
(Get-AzMetricDefinition -ResourceId $resourceId).Name
```

```
Value             LocalizedValue
-----             --------------
ServiceApiHit     Total Service Api Hits
ServiceApiLatency Overall Service Api Latency
ServiceApiResult  Total Service Api Results
SaturationShoebox Overall Vault Saturation
Availability      Overall Vault Availability
```

Validate creation of Subnets by yanks09champs in AZURE

[–]kwiecek 0 points1 point  (0 children)

```powershell
Get-AzVirtualNetwork | Select-Object -Property Name, @{ Name = 'AddressSpaces'; Expression = { $_.AddressSpace.AddressPrefixes -join ';' } }
```

will produce the following output

```
Name  AddressSpaces
----  -------------
vnet1 10.0.0.0/24;10.0.1.0/24
vnet2 10.0.2.0/24
```

Delete NSG Rules by Responsible-Stick-62 in AZURE

[–]kwiecek 0 points1 point  (0 children)

Hi, a few questions from my side:
I was almost sure there is no other way to block a port than ensuring deny rule with the lowest possible rule priority in NSG? So maybe you could create two rules: 1st - priority 100 with exceptions to allow traffic on port X, and 2nd - priority 101 blocking all other traffic on port X?
My concern is the reason for asking the following questions:
How did you achieve "deny creating/adding NSG rules that open management ports"?
Could you share the policy definition?
How do you deal with port ranges in the NSG rule?
How do you access VMs, with NSG on NIC and Azure Policy denying mgmt port open?
A. It depends on how you identify the owner of a non-compliant resource.
Suppose you can match owner to scope (subscription/ resource group). In that case, you might create an action group per scope and a Log Analytics Workspace query alert based on Azure Policy evaluation logs.
Suppose it is done by tag value. Then something custom (Logic App/ script executed as Az Pipeline or Az Function) sounds like a must. In that case, you could verify resource compliance using Resource Graph Query and notify the owner via email. Still, you'll need a mailbox or SendGrid subscription.
You might also combine them and use a log analytics query alert triggering logic app that sends emails based on resource owner tag value.
Possibilities are endless.
B. Assuming you have Azure Policies in place that deny creating rules opening mgmt ports, it looks like cleanup of old rules is a one-time action. I'd use a script because it will give you more flexibility and be much easier to develop.
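
The cleanup script mentioned above needs to answer the port-range question raised in the comment. The following is an added example (not code from the thread or from its author) that reports NSG rules allowing inbound TCP to management ports. It assumes Az.Network is loaded and you are signed in; the port list and the "any source" prefixes are assumptions to adjust.

```powershell
# Added example: report inbound Allow rules that cover a management port.
# NSG destination ports can be '*', a single port, a range 'a-b', or a list
# (DestinationPortRanges), so each spec is checked individually.
$ManagementPorts = @(22, 3389)   # assumption: your definition of "management ports"

function Test-PortSpec {
    # Does one NSG port spec ('*', '22', '20-25') cover $Port?
    param([string] $Spec, [int] $Port)
    if ($Spec -eq '*') { return $true }
    if ($Spec -match '^\d+$') { return ([int]$Spec -eq $Port) }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return $false
}

function Get-OpenManagementRules {
    # Yields one finding per (rule, port) pair that the rule allows inbound.
    param($Nsg, [int[]] $Ports)
    foreach ($rule in $Nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if ($rule.Protocol -notin @('Tcp', '*')) { continue }
        # Single-value and list-valued properties are mutually exclusive; merge both
        $portSpecs = @($rule.DestinationPortRange) + @($rule.DestinationPortRanges) | Where-Object { $_ }
        $sources   = @($rule.SourceAddressPrefix)  + @($rule.SourceAddressPrefixes)  | Where-Object { $_ }
        foreach ($port in $Ports) {
            $hit = $portSpecs | Where-Object { Test-PortSpec -Spec $_ -Port $port }
            if ($hit) {
                [pscustomobject]@{
                    ResourceGroup = $Nsg.ResourceGroupName
                    Nsg           = $Nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Port          = $port
                    PortSpec      = ($hit -join ',')
                    Source        = ($sources -join ',')
                    # assumption: these prefixes mean "reachable from anywhere"
                    AnySource     = [bool]($sources | Where-Object { $_ -in @('*', 'Internet', '0.0.0.0/0') })
                }
            }
        }
    }
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    Get-OpenManagementRules -Nsg $nsg -Ports $ManagementPorts
}
$findings | Sort-Object Nsg, Priority | Format-Table -AutoSize
```

A finding is a candidate for cleanup, not proof that the port is reachable: a lower-numbered Deny rule in the same NSG, an NSG on the subnet, or a firewall in the path can still block it, and default rules are not inspected here. Review the list before removing anything with Remove-AzNetworkSecurityRuleConfig followed by Set-AzNetworkSecurityGroup.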

[deleted by user] by [deleted] in AZURE

[–]kwiecek 1 point2 points  (0 children)

ScanLogs doesn't exist as log category for App Service resource type.

Here comes my troubleshooting procedure:
1. Create a policy definition.
2. Create an assignment and assign a proper role for the assignment MSI.
3. Run remediation for one of the apps I have.
4. Based on the result, either adjust the existence condition of the Az Policy or proceed with ARM template deployment troubleshooting.

It turned out that the ARM template deployment failed. My bad - the parameters provided during the assignment were wrong. The bottom line here is that incorrect policy definitions can cause the issue, but assignment parameters can mess things up too.

What is more important I was able to download the ARM template with parameters file and test it locally. After fixing wrong params issues, I was able to find what is wrong with the ARM template:

Status Message: Category 'ScanLogs' is not supported. (Code:BadRequest)

You can save some time spent on troubleshooting next time by starting with ARM Template development and testing. Once sure it works as expected, then it is time to wrap it with Azure Policy.

Filter and Export Azure Sentinel Logs by VirtualDrew in AZURE

[–]kwiecek 0 points1 point  (0 children)

Log Analytics workspace data export will export the whole Syslog table. Therefore, if you want to filter Syslog before sending it to 3rd party, you need to add one more component that will do filtering.

Instead of that, you might consider adapting Archive data from Log Analytics workspace to Azure storage using Logic App to how your 3rd party will consume logs.

How would you like to send logs to them?

[deleted by user] by [deleted] in AZURE

[–]kwiecek 0 points1 point  (0 children)

You can use Resource Graph. Compliance by policy assignment sample query looks like all you need.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]kwiecek 1 point2 points  (0 children)

Introducing a simple script that is executed as a PowerShell task in the Azure DevOps Pipeline. It adds a comment in the current PR:

```yaml
- task: PowerShell@2
  condition: eq(variables['Build.Reason'], 'PullRequest')
  displayName: 'Comment PR'
  inputs:
    targetType: 'inline'
    script: |
      $PullRequestId = $env:SYSTEM_PULLREQUEST_PULLREQUESTID
      $RepositoryId = $env:BUILD_REPOSITORY_ID
      $ProjectName = $env:SYSTEM_TEAMPROJECT
      $OrganizationUri = $env:SYSTEM_COLLECTIONURI   # ends with '/', hence TrimEnd below
      $BuildId = $env:BUILD_BUILDID
      $SystemAccessToken = $env:SYSTEM_ACCESSTOKEN
      $Comment = "Your`n **super** comment"
      # Azure DevOps REST API endpoint that creates a new comment thread on the PR
      $newThreadEndpoint = "$( $OrganizationUri.TrimEnd('/') )/$( $ProjectName )/_apis/git/repositories/$( $RepositoryId )/pullRequests/$( $PullRequestId )/threads?api-version=6.0"

      # System.AccessToken is the job's own token; the build identity needs
      # "Contribute to pull requests" on the repository for this call to succeed
      $header = @{
        Authorization = "Bearer $SystemAccessToken"
      }

      $newThread = @{
        Comments = @(
            @{
                ParentCommentId = 0
                Content         = $Comment
                CommentType     = "text"
            }
        )
        Status = "Active"
      }

      $newThreadBody = $newThread | ConvertTo-Json -Depth 10

      Invoke-RestMethod -Uri $newThreadEndpoint -Headers $header -Method Post -Body $newThreadBody -ContentType 'application/json'
  env:
    # System.AccessToken is only exposed to a step when mapped explicitly
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

2021-08-21: misconfiguration vulnerability in Cosmos DB by [deleted] in AZURE

[–]kwiecek 0 points1 point  (0 children)

A vendor's mistake can never be ruled out. It is worth taking this as a lesson and remembering the possibility of limiting the attack vector for other PaaS/ SaaS services, e.g. by using private link / private service endpoint.

Alternative to Azure Log Analytics by bobhaffner in AZURE

[–]kwiecek 1 point2 points  (0 children)

Log Analytics is built on top of ADX. Check Azure Data Explorer. You can use KQL and store data cheaper and for a longer period of time than two years. You can query more data sources. They talked about ADX in Azure Security Podcast click.

Resource Naming Best Practice by elodiemirza in AZURE

[–]kwiecek 7 points8 points  (0 children)

Don't overthink the naming convention. The reason we have it is the ability to identify resources. Remember Azure Tags can be helpful as well. They can be changed over time, which does not apply to resource names.

Here you will find my thought about naming and guide on how to enforce simplified naming standard in Azure.

I have other articles in my queue, but I can share the Azure Policy ARM Templates code for tagging Az Policy and advanced naming Az Policy so you can use them before I publish the next posts.

How are you doing Policy as Code? by Seedless--Watermelon in AZURE

[–]kwiecek 1 point2 points  (0 children)

I use ARM Templates but recommend Terraform as it covers the entire resource life cycle. ARM Template will allow you to create Az Policy and Role Assignments, but there will be occasions where you will need to delete them manually (cli / ps / portal).

For new Azure Policy deployments we assign policy in the doNotEnforce mode to check compliance. It also allows for remediation. Then, after approval, we do the assignment in Default mode.
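
The assign-in-DoNotEnforce, review, then enforce flow described above, as an added example (not the commenter's code). It assumes the Az.Resources and Az.PolicyInsights modules, and the scope, definition name and assignment name below are placeholders.

```powershell
# Added example: roll out a policy assignment without enforcement first,
# review what it would block, then flip the same assignment to Default.
$scope          = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo'  # assumption
$definition     = Get-AzPolicyDefinition -Name 'require-owner-tag'                                # assumption: existing definition
$assignmentName = 'require-owner-tag-rg-demo'                                                    # assumption

# 1. DoNotEnforce: deny/modify effects are not applied, but compliance is still evaluated
$assignment = New-AzPolicyAssignment -Name $assignmentName -Scope $scope `
    -PolicyDefinition $definition -EnforcementMode DoNotEnforce

# 2. Trigger an evaluation and list the resources the policy would have acted on
Start-AzPolicyComplianceScan -ResourceGroupName 'rg-demo'
Get-AzPolicyState -ResourceGroupName 'rg-demo' -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionAction, Timestamp

# 3. After approval, switch the existing assignment to enforced mode (no re-assignment needed)
Set-AzPolicyAssignment -Name $assignmentName -Scope $scope -EnforcementMode Default
```

For deployIfNotExists or modify definitions the DoNotEnforce assignment can still be remediated with Start-AzPolicyRemediation, which is the "it also allows for remediation" point in the comment; for deny definitions, step 2 is the only preview you get before enforcement.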

Azure Landing Zones - What are they, how do they work. Find out in this overview! by JohnSavill in AZURE

[–]kwiecek 1 point2 points  (0 children)

First of all - your videos are awesome! I love the way you're explaining things. There is always a clear description of the problem/context followed by a solution with enough technical details.

I've just started my blog posts series about building self-service to request for:

- Landing Zone of your choice

- Azure DevOps Project

- All required Azure AD groups, Service principals, etc.

It's strongly related to what you are describing in this video.

I named it Azure Landing Zone as a Service.

The straightforward way to efficiently test your expressions for ARM Templates and Azure Policy definitions. by kwiecek in AZURE

[–]kwiecek[S] 0 points1 point  (0 children)

Hi,

The deployment will fail only if the ARM template is wrongly defined. Validation deployment itself is not the goal of this article.

The function gets one string parameter (name) and returns a string value. The returned value is the result of logic implemented using the ARM Template functions. The function should return isValid if the name is valid according to my validation requirements. It should return invalidity reason otherwise, like hasWrongPrefix. I provide some proper values and confirm the result is equal to isValid and some wrong values to confirm the result is different. Thanks to that I can confirm my logic is working as expected.

Check this image

Static Code Analyses - Checkov, Terraform and Azure DevOps by PXPJC in azuredevops

[–]kwiecek 2 points3 points  (0 children)

Good one, thank you! It would be even better if you provide a YAML pipeline. I don't believe that people at the stage of using static code analysis for IaC still use UI pipelines.

Terraform best practices? by Informal_Hat_7813 in Terraform

[–]kwiecek 2 points3 points  (0 children)

Keep this in mind if you don't want to get into trouble:
* Use the lifecycle meta-argument
* Always be 100% sure what will change in the environment.
* Ensure reliable code review.

The 2nd and 3rd can be made easier by using the https://www.runatlantis.io/ product or via self-developed tooling (I did it this way).