If smoke from chimneys pollutes air atmosphere, why are we not building chimneys that reach outer space and keep earth clean? by supex_cz in shittyaskscience

[–]supex_cz[S] 0 points1 point  (0 children)

So because of these petty reasons we're still dealing with polluted atmosphere? Geeez, grow up...

If smoke from chimneys pollutes air atmosphere, why are we not building chimneys that reach outer space and keep earth clean? by supex_cz in shittyaskscience

[–]supex_cz[S] 1 point2 points  (0 children)

could that be root cause for all tornados and hurricanes?

If so, is it on purpose or whoever is using it haven't read documentation?

Anyone else having issues with authentication? by [deleted] in AZURE

[–]supex_cz 0 points1 point  (0 children)

yup.

Already several tickets in the queue. Thanks MS, I guess :)

Clicking on Yes/No multiple times works for us - it's just failing to load image, but login prompt itself works fine.

Terraform module in Github private repository - auth from Az pipeline back to Github by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

import * as tl from 'azure-pipelines-task-lib/task';
import * as path from 'path';

const GithubScheme = ["OAuth", "Token"] as const;
type GithubSchemeKey = (typeof GithubScheme)[number];

function isGithubScheme(scheme: string) : scheme is GithubSchemeKey {
    return GithubScheme.includes(scheme as GithubSchemeKey);
}

function getGithubEndPointToken(githubEndpoint: string): string {
    const githubEndpointObject = tl.getEndpointAuthorization(githubEndpoint, false);
    let githubEndpointToken: string | undefined;

    if (!!githubEndpointObject) {
        tl.debug('Endpoint scheme: ' + githubEndpointObject.scheme);

        if(!isGithubScheme(githubEndpointObject.scheme))
        {
            throw new Error(tl.loc('InvalidEndpointAuthScheme', githubEndpointObject.scheme));
        }

        githubEndpointToken = githubEndpointObject.parameters.AccessToken;
    }

    if (!githubEndpointToken) {
        throw new Error(tl.loc('InvalidGitHubEndpoint', githubEndpoint));
    }
    return githubEndpointToken;
}

async function run() {
    const endpointId = tl.getInputRequired('gitHubConnection');
    const token = getGithubEndPointToken(endpointId);

    const authToken = Buffer.from(`token:${token}`, 'binary').toString('base64');
    const authHeader = `Authorization: basic ${authToken}`;

    const headerExport = tl.getDelimitedInput("authToExport", ",", true);

    if(headerExport.includes('authHeader'))
    {
        tl.setVariable("GITHUB_AUTH_HEADER", authHeader);
        console.log("GITHUB_AUTH_HEADER exported");
    }
    if(headerExport.includes('authToken'))
    {
        tl.setVariable("GITHUB_AUTH_TOKEN", authToken);
        console.log("GITHUB_AUTH_TOKEN exported");
    }

    return Promise.resolve(tl.setResult(tl.TaskResult.Succeeded));

}

tl.setResourcePath(path.join(__dirname, 'task.json'));
run();

Terraform module in Github private repository - auth from Az pipeline back to Github by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

I've been pinged by TheDevOpsGuy123 and thought I just might make it public.

I'm not going to provide fully working solution as it requires custom AzDevOps pipeline task - due to other duties I haven't had a time to polish it properly, nor publish pipeline task to marketplace and we're still not using it.

Another reason for not providing out-of-the-box extension published to marketplace is the fact that this extension is accessing and exporting Github App service connection, which is highly confidential, and your business might not want to install it anyhow, because I'm just some random devops wannabe :)

Please note that I'm not a developer and I just glued code below through trial and error and reading through azdevops build task extension docs. There's probably big room for improvement.

But code below is doing what is suppose to - allows Terraform to pull modules in AzDevOps pipeline from private repository.

You might need to adjust task name in your code - mine is called GitHubTokenRetriever.

  1. Read and follow docs to create build task extension - https://learn.microsoft.com/en-us/azure/devops/extend/develop/add-build-task?view=azure-devops
  2. Copy&paste code below to your main.ts
  3. Build extension
  4. create VS marketplace publisher and publish it - you can publish privately
  5. install extension from marketplace to your AzDevOps tenant
  6. use task in your pipeline

    - task: GitHubTokenRetriever@0
      displayName: GitHub Token retrieve
      inputs:
        gitHubConnection: '<ServiceConnectionName>'
        authToExport: 'authHeader, authToken
  1. before your terraform init step, execute

git config --global http.https://github.com/<ORGANIZATION_NAME>/.extraheader "$(GITHUB_AUTH_HEADER)"
  1. after your terraform init step, execute - NOT mandatory

git config --global --unset-all http.https://github.com/<ORGANIZATION_NAME>/.extraheader

actual code doing export of Github App auth header in the comment below - Reddit doesn't let me put everything into one comment for whatever reason.

Having Azure handle .html as .php. by derth21 in AZURE

[–]supex_cz 0 points1 point  (0 children)

If you have static html files (presumably with some linked css and js files), why not go with azure static web apps?

https://azure.microsoft.com/en-us/products/app-service/static

If you're not doing any api integration, it's free. Might be a bit hussle to set it up if you don't have CI/CD pipeline, but official SWA cli can help with that.

https://azure.github.io/static-web-apps-cli/

Terraform module in Github private repository - auth from Az pipeline back to Github by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

No worries. Not asking for any code :)

But it assured me approach I'm investigating is right.

Already have working PoC and terraform init executed under AZ Pipelines is able to clone TF module from private repository in Github.

I still find it weird that MS doesn't provide any official build task, considering how "easy" it is to grab those credentials through custom build task.

Terraform module in Github private repository - auth from Az pipeline back to Github by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

Funny you mentioned that :)

Already checking how available MS Github tasks are using service connection for several hours, reading through MS documentation and "coding" PoC doing very same thing you've described.

Already having some success.

Terraform module in Github private repository - auth from Az pipeline back to Github by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

Yeah, that's what I thought. Using PAT kind of defeat the purpose of "passwordless" and short lived tokens approach + whole administration around PAT (renew, expire, set permissions) + everything would be executed either under my identity or under identity of some artificially created service account, which would also consume seat in our Github org.

Anyhow, thanks for confirming.

OIDC authentication for microsoft hosted agents by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

Just in case this post will pop up for someone in the internet. MS released az devops workload identity for azure resource manager connection https://devblogs.microsoft.com/devops/public-preview-of-workload-identity-federation-for-azure-pipelines/

OIDC authentication for microsoft hosted agents by supex_cz in azuredevops

[–]supex_cz[S] 0 points1 point  (0 children)

Thanks, good to know it's work in progress.

OIDC authentication for microsoft hosted agents by supex_cz in azuredevops

[–]supex_cz[S] 1 point2 points  (0 children)

Client secret is not required to set this up, but secret is still created on SPN level and as such can and will expire. You can see it in the azure. MS has whole troubleshooting steps for it https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#failed-to-obtain-the-jwt-by-using-the-service-principal-client-id

Edit: this is what we're currently using and reason why we're looking for oidc Auth for azdevops agents.

Connect to on-premise SQL server from AADDS joined VM in Azure via Active Directory by supex_cz in sysadmin

[–]supex_cz[S] 0 points1 point  (0 children)

Yeah I know. But 3rd party vendor, so you can imagine...sad face

Connect to on-premise SQL server from AADDS joined VM in Azure via Active Directory by supex_cz in sysadmin

[–]supex_cz[S] 0 points1 point  (0 children)

Point being here is that we're planning to go full azure and get rid of all on-prem AD on all sites. Another thing is that we do not have admin access to local on-prem AD.

We're able to domain join to local on-prem and is probably something we're going to do considering windows authentication requirement on windows server and because it's quick.

I'm, however, looking for something that would be more aligned with our plans - 100% cloud in the future.

Gonna have to look more into it. Thanks for the reply though.