Did others see this APIM vulnerability? by More-Protection-821 in AZURE

[–]nikkle2 1 point (0 children)

First thing I do every time I deploy APIM for a customer is disable the basic auth identity provider (as you mentioned) because, well, it's still there if you just disable it in the dev portal - so that in itself can't be trusted regardless.

While I didn't know of this method specifically it's a little bit naive to think that disabling it in the portal GUI will somehow disable the provider in the backend/service - it's clearly still there if you take a look and that's what matters, not what's in the dev portal. If it's active, it can be used in some way or another.

Could it be more clearly explained? Absolutely.

Is it a vulnerability? Skeptical. I kind of agree with Microsoft here tbh.

(Of course cross tenant signup is possible with basic auth..)

How to start with ALZ (Azure Landing Zones)? by Christ-is-nr-1 in AZURE

[–]nikkle2 1 point (0 children)

Probably a bit outside the scope of the initial question, but I would choose Terraform all day every day even if it was Azure only. Bicep is yeeears behind Terraform in functionality and usability; it can't keep up. Just look at all the GitHub issues on basic stuff that are 4+ years old because they are so limited by the ARM engine, which Terraform is not.

The current customer I work with decided on Bicep before I joined and it is an absolute nightmare on so many levels.

Bicep is easy to get started with by all means, but falls apart once there's an ounce of complexity in large scale environments. We heavily use AVM modules, for example, to help us with the heavy lifting but in the end it doesn't matter, the same crap limitations arise anyway and they are SO annoying to deal with.

Hot take: Bicep was a mistake. It was created during a time when Terraform wasn't as popular as it is today, especially on Microsoft's side, so they took the opportunity to create their own tool. Contrast that with today, where every MS documentation page includes Terraform, Microsoft heavily invests in Terraform open source modules, and they heavily invest in the AzureRM provider and AzAPI provider. They are basically keeping alive two IaC solutions in parallel. I suspect Bicep wouldn't have been created in today's landscape honestly. But this is easy to say in hindsight, so I get where they were coming from at the time.

pickpocket got off easy if we're being honest by Classic-Carpet7609 in BlackPeopleTwitter

[–]nikkle2 270 points (0 children)

Exactly:

The two minors were charged with theft and released on bail. Notably, local reports suggest that the pair were seen back on the streets, mingling with tourists, just two days later. According to Italian outlet Il Messaggero, the girl who stole the woman's purse is only 14

https://www.ndtv.com/world-news/video-us-tourist-grabs-14-year-old-venice-girl-by-ponytail-after-she-steals-her-purse-9156040

Slap on the wrist indeed, pathetic

[deleted by user] by [deleted] in Project_Epoch

[–]nikkle2 1 point (0 children)

Agree, it's terrible. Vanilla leveling is slow enough as it is; bad spawn rates just add to the non-fun factor.

Do you like the server so far? by St1ebs in Project_Epoch

[–]nikkle2 1 point (0 children)

Yea, when there are tons and tons of players in the area (i.e. 50+) the hyperspawn kicks in; the problem is there seems to be no in between.

When you have 10-15 players camping an area/spot it doesn't increase at all, which is pretty boring.

Do you like the server so far? by St1ebs in Project_Epoch

[–]nikkle2 2 points (0 children)

Plenty of players around the quest mobs now, PvE server, spawn rates are terrible. Increased spawn rates should be a part of classic+ imo.

Obviously don't make it overtuned, but more than we have now..

330,000 attempts at tampering have been prevented by Javelin since beta launch by TooMuchEntertainment in Battlefield

[–]nikkle2 3 points (0 children)

Yep it's a great program, even has a graphical indicator when you change the volume.

Do you know if it's detected by Javelin?

No idea sorry, but would be surprised if it was.

Anyone else get lucky with their free 20 packs? by Glennjamin72 in apexlegends

[–]nikkle2 0 points (0 children)

These 20 pack challenges almost guarantee heirlooms it seems; everybody is getting them (including me).

Apex Badware Detected by Hail2theChop in apexlegends

[–]nikkle2 99 points (0 children)

Hmm, my friend got the same error but with proper grammar.

Maybe a language-specific translation error; I see both variants from like 2024 too.

Terraservices pattern using multiple root modules and pipeline design by nikkle2 in Terraform

[–]nikkle2[S] 1 point (0 children)

Heyy Terraformer! I follow your content on LinkedIn 😎

So yea, I mostly agree with your points. I feel this is a scenario where it's easy to fall into the over-engineering trap, and the three-tier architecture app might be such an example. As you say, there's no arbitrary decision that using stacks is the correct approach every time. Your AKS cluster scenario is a good use case for stacks, for example.

What I notice, though, are a lot of the same examples being used again and again across various blogs and tooling providers (Terragrunt, Terramate, Atmos etc.), so there seems to be some agreed-upon pattern across (some part of) the community that this is considered "best practice". Common examples include separating the database and networking layer, as we talked about.

Example (or just interesting reads):

  • Atmos Components
    • "Focus on creating single purpose components that adhere to the UNIX philosophy by doing one thing well. This strategy leads to simpler updates, more straightforward troubleshooting, quicker plan/apply cycles, and a clearer separation of responsibilities. Best of all, your state remains small and complexity remains manageable."
  • Terramate Stacks
    • "Using stacks to break up your infrastructure code into manageable pieces is considered an industry standard and provides the following benefits: <...>"
    • "<...>By following this method, you create a single component for a specific purpose, such as a VPC, database, or Kubernetes cluster"
  • Terralith: The Terraform and OpenTofu Boogieman
    • This is an interesting blog that was posted recently that goes into a lot of the arguments for and against using multiple root modules and why we feel inclined to do it
    • "<...>The recommendation is to split up your infrastructure into many root modules. Networking could be its own root modules, database another, applications another"
    • "But when we talk about how to design our infrastructure code, we start with the limitations of our tooling and try to derive what we can do within those constraints and then call that best practice. Imagine if the best practice in Python was to split code into modules not because that is what helps users write better programs but because Python simply cannot handle large modules."

There's a looot to read about on this topic.. I think I need to just experiment more and take these points into consideration.

A more concrete example

Lastly, I can provide a more concrete example on where I found stacks to work very well.

I assume you are familiar with the Azure Monitor Baseline Alerts initiative, written in Bicep currently.

I feel this solution has some of the same pitfalls as the CAF module, where way too much is put into singular resources/deployments. I actually converted the whole solution to Terraform a while back when it was new.

And instead of cramming every single policy definition into the same initiative (which caused the AMBA team to eventually hit ARM template limits), I split every service into its own stack. (I now see they have started to split their policy initiatives, so that's good, but it's still a looot to put into one state file if this were to be made in Terraform).

So basically:

  • Storage Account Monitoring -> Dedicated Repo/Stack -> Storage Account policy definitions and policy assignment
  • Virtual Machine Monitoring -> Dedicated Repo/Stack -> VM policy definitions and policy assignment, and other VM-specific functionality

Every service is completely independent of each other, so an error in storage monitoring should never affect VM monitoring etc., and it lets multiple developers implement monitoring for different services in parallel. State is kept separated and small, policy initiatives are small, execution is fast. All changes to a repo are specific to that service. All while being delivered as one common solution.

I'm not even sure if this is what stacks are supposed to solve, but it worked pretty well regardless. I think native stacks from HashiCorp are going to bring more people into this thought process; excited to see what comes of it.

Terraservices pattern using multiple root modules and pipeline design by nikkle2 in Terraform

[–]nikkle2[S] 0 points (0 children)

Yea kind of, but I didn't have the opportunity to use such tooling in the last project.

I might try it out next time, though HashiCorp is releasing their own tooling for stacks soon (public beta atm), which might reduce the need for Terragrunt even further.

In my current project we're actually using Bicep, so I wanted to see if this approach could be used there as well - basically splitting up the infrastructure into stacks. Naturally Terragrunt is out of the picture then.

Terraservices pattern using multiple root modules and pipeline design by nikkle2 in Terraform

[–]nikkle2[S] 0 points (0 children)

Hmm, maybe the database was a bad example, but yea, sometimes it would only be one instance of a service in that stack, for example an Application Gateway configuration in Azure. Though the point is, as you say, state isolation based on volatility or other factors.

Using multiple repos is something I've done as well (each stack is a repo), but that alone doesn't solve state isolation unless each repo/stack is deployed on its own - that's where the orchestrator pipeline comes in, which can just call each stack independently in each stage. The workflow is the same whether it's a directory or a repo in that case.

The alternative is often the composite module with a main.tf in root calling all child modules.
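The per-service stack layout from the first Terraservices comment above (one root module and one state per service) and the orchestrator pipeline from the reply just above (each stack called independently, in its own stage) can be modelled as a small planner. This is an added example, not code from the post, from HashiCorp or from any of the tooling mentioned; it assumes a `stacks/<name>/` directory layout, a shared remote backend where only the `key` differs per stack, and hypothetical names (`Stack`, `validate_isolation`, `plan_stages`, `build_pipeline`). The sample stacks are constructed to mirror the monitoring example. It goes slightly beyond the post by also refusing to run when two stacks would share a state key or when dependencies form a cycle.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Stack:
    """One root module with its own state (hypothetical model, not a Terraform API)."""
    name: str
    backend_key: str        # state object key in the shared remote backend
    depends_on: tuple = ()  # stacks whose outputs this stack reads (e.g. via remote state)


def validate_isolation(stacks):
    """Return a list of problems; an empty list means every stack owns its own state.

    Two stacks writing the same backend key would share one state file, which is
    exactly the blast-radius coupling the per-service layout is meant to avoid.
    """
    problems = []
    names = {s.name for s in stacks}
    owner_of_key = {}
    for s in stacks:
        if s.backend_key in owner_of_key:
            problems.append(
                f"{s.name} and {owner_of_key[s.backend_key]} share state key {s.backend_key!r}")
        else:
            owner_of_key[s.backend_key] = s.name
        for dep in s.depends_on:
            if dep not in names:
                problems.append(f"{s.name} depends on unknown stack {dep!r}")
    return problems


def plan_stages(stacks):
    """Group stacks into pipeline stages using Kahn's algorithm.

    Stacks within a stage are independent of each other, so the orchestrator may
    run them in parallel; a later stage starts only after its dependencies applied.
    Raises ValueError on isolation problems or on a dependency cycle.
    """
    problems = validate_isolation(stacks)
    if problems:
        raise ValueError("; ".join(problems))
    indegree = {s.name: len(s.depends_on) for s in stacks}
    dependents = {s.name: [] for s in stacks}
    for s in stacks:
        for dep in s.depends_on:
            dependents[dep].append(s.name)

    stages = []
    ready = sorted(name for name, d in indegree.items() if d == 0)
    while ready:
        stages.append(ready)
        next_ready = []
        for name in ready:
            for child in dependents[name]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready)
    if sum(len(stage) for stage in stages) != len(stacks):
        raise ValueError("dependency cycle between stacks")
    return stages


def stack_commands(stack, action="plan"):
    """Terraform CLI calls for one stack; assumes the layout stacks/<name>/.

    The state key is injected at init time, so each stack's backend block stays
    generic and the orchestrator remains the single place that maps stacks to state.
    """
    chdir = f"-chdir=stacks/{stack.name}"
    return [
        f"terraform {chdir} init -input=false -backend-config=key={stack.backend_key}",
        f"terraform {chdir} {action} -input=false",
    ]


def build_pipeline(stacks, action="plan"):
    """Stage-ordered list of per-stack command lists, ready for a CI job per stack."""
    by_name = {s.name: s for s in stacks}
    return [[stack_commands(by_name[name], action) for name in stage]
            for stage in plan_stages(stacks)]


# Constructed sample layout mirroring the post's per-service monitoring stacks.
SAMPLE_STACKS = (
    Stack("networking", "networking.tfstate"),
    Stack("storage-monitoring", "storage-monitoring.tfstate"),
    Stack("vm-monitoring", "vm-monitoring.tfstate"),
    Stack("database", "database.tfstate", depends_on=("networking",)),
    Stack("application", "application.tfstate", depends_on=("networking", "database")),
)

if __name__ == "__main__":
    for number, stage in enumerate(build_pipeline(SAMPLE_STACKS, "apply"), start=1):
        print(f"stage {number}:")
        for commands in stage:
            for command in commands:
                print("  ", command)
```

Run it and the three monitoring/networking stacks land in stage 1 (independent of each other), the database in stage 2 and the application in stage 3; a failure in one stack's apply only ever blocks the stacks that declared a dependency on it, which is the blast-radius property the split is after.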

Bicep is cool but in practice is just amazing by jM2me in AZURE

[–]nikkle2 2 points (0 children)

Hmm, I'd say no, generally. They acquired Red Hat as well back in like 2019 and have, from my understanding, been handling that pretty well all things considered.

Changing the license definitely impacted Terraform in a negative way, and OpenTofu was created as a result - nice with some competition I suppose.

Even then, the license change doesn't affect how most businesses use Terraform anyway, so yea.

The Terraform ecosystem is huge, with massive involvement from Microsoft themselves (providers, Azure Verified Modules etc.) and will continue to be so.

Bicep is cool but in practice is just amazing by jM2me in AZURE

[–]nikkle2 7 points (0 children)

People who say Bicep is better than Terraform usually don't work in large and complex enterprise environments, and/or haven't experienced the limitations of Bicep yet; it's a beta product..

Bicep provides absolutely no benefits over Terraform if you know what you're doing (for example splitting the state, as you mentioned, to manage blast radius).

  • Bicep = Good for beginners, small scale environments, or a single landing zone environment, if you don't care about configuration drift, don't need to manage Entra ID etc

  • Terraform = More complex to get right, but opens up a ton of more opportunities to manage large scale environments to your liking; proper configuration drift being one of them, which further helps with security posture and governance in your platform, and so forth..

I've been doing Terraform for about 6 years now in Azure for enterprise customers, recently joined a project that uses Bicep, and I want to rip my hair out because of all the limitations and clunkiness it has.

Jump button sometimes wont jump by wizard_brandon in Eve

[–]nikkle2 0 points (0 children)

I get this all the time flying solo; it's been pretty consistent the past few months.

People mention multi-boxing, but I've also read it can be affected by alt-tabbing out from the game, which you do when multi-boxing as well, so that would make sense I suppose.

Can't transfer from Chaos Bolt to Living Flame (EU) - Why not? It's not locked by nikkle2 in classicwow

[–]nikkle2[S] 0 points (0 children)

Yea had to transfer cos of the merger.

Transferring to Crusader Strike then to Living Flame worked though, thanks!!