
@maskati
maskati / #bicep-fast-lint.md
Created March 24, 2025 11:21
Faster linting of multiple Bicep files

Bicep v0.34.1 brings many great features to Bicep. One that I think is underrated by not having it as a highlighted feature is the new --pattern argument for faster batch operations on multiple files. Below is a comparison of a simulated linting of 100 Bicep files using a parallel invocation of bicep lint vs a single invocation of bicep lint --pattern. The difference is dramatic, with pattern based linting being 40 times faster in clock time on a 4 core system, and 261 times faster in CPU usage. I typically lint all Bicep files that are part of an IaC repository to ensure that module changes do not break upstream or downstream dependencies. This change will allow you to save CI runner resources and have your IaC PR checks completed faster.

> docker run --rm -it alpine /bin/sh -c 'apk add -q --no-progress libstdc++ icu-libs icu-data-full parallel && wget
@maskati
maskati / #aad-b2c-hash.md
Last active March 20, 2025 08:57
Calculate the Azure AD B2C hash claims transformation locally using PowerShell

The Azure AD B2C hash claims transformation takes the following form:

<ClaimsTransformation Id="MyHashClaimsTransformation" TransformationMethod="Hash">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="myPlaintext" TransformationClaimType="plaintext" />
    <InputClaim ClaimTypeReferenceId="mySalt" TransformationClaimType="salt" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_MyRandomizerSecret" />
 
@maskati
maskati / #dotnet-remote-diagnostics.md
Created February 17, 2025 16:19
Diagnosing .NET applications remotely

Diagnosing .NET applications remotely

Performing .NET diagnostics such as memory dumps and process tracing can be challenging in some scenarios, for example when running distroless containers which do not have an interactive shell. Fortunately .NET provides several options for performing remote diagnostics. The options differ somewhat in their capabilities.

Tool: diagnostic tools
Description: Command line utilities, which connect to your .NET process to perform diagnostics.
Supports remote diagnostics: Limited support. dotnet-counters and dotnet-trace support remote diagnostics with a shared diagnostic port socket (for example a shared /tmp for the default port). Currently other utilities such as dotnet-dump require a shared process namespace. T
@maskati
maskati / #user-assigned-identity-token.md
Created February 6, 2025 11:53
Acquire an access token for a user-assigned identity using PowerShell and an Azure Storage account

Acquire an access token for a user-assigned identity

Did you know that you can acquire an access token for an Azure user-assigned identity using PowerShell and an Azure Storage account? You can achieve this by hosting a minimal OpenID Provider and delegating trust via workload identity federation. This post will also help you better understand the technical details of how federated credentials work.

Note

This only gives you the access token. There might also be network access control or Entra conditional access for workload identities which limit calling resources with the token.

The process in brief:

  1. Create an RSA sign
@maskati
maskati / #keyvault-copy-across-subscriptions.md
Created February 6, 2025 07:01
Copy Azure Key Vault keys between subscriptions

Copy Azure Key Vault keys between subscriptions

Azure Key Vault keys secure the private key material in a way that is not exportable. Key Vault backups are encrypted and restricted to the same Azure subscription and Azure geography.

You can copy a key from one subscription to another by:

  1. Taking a backup in the source subscription
  2. Creating a new key vault in the source subscription (any region in the same geography) and restoring the backup
  3. Moving the new key vault to the destination subscription

Some limitations:

@maskati
maskati / #azure-vpn.md
Last active February 3, 2025 12:52
Host your own global VPN on Azure PaaS using Tailscale

Host your own global VPN on Azure PaaS using Tailscale

This example shows setting up a Tailscale exit node running as a container on Azure Container Instances to provide global Internet egress. You can also use a similar setup to configure a Tailscale subnet router which would allow access to Azure private Virtual Networks, private endpoints, private DNS zone resolution as well as Azure service endpoints.

You can use exit nodes on several platforms including Android, iOS, Linux, macOS, tvOS and Windows.

Warning

Using an exit node will tunnel all your traffic through the selected Azure region. This might trigger certain security controls such as Entra ID protection impossible travel.

Note

@maskati
maskati / #flexible-federated-identity.md
Created January 16, 2025 08:50
Azure flexible federated identity credentials

Azure flexible federated identity credentials

Up until now you have been able to define a federatedIdentityCredential with the issuer, audiences and subject properties. For example to allow a GitHub Actions workflow running in the context of environment prod in the repository octo-org/octo-repo:

{
  "issuer": "https://token.actions.githubusercontent.com",
  "audiences": [
    "api://AzureADTokenExchange"
  ]
@maskati
maskati / #entra-id-principals-permissions-report.md
Last active January 13, 2025 10:03
Generate a report of Entra ID principals and permissions

Generate a report of Entra ID principals and permissions

I wanted a way to report on current Entra ID principals in my tenant as well as the permissions granted to such principals across apps, the tenant directory and Azure subscriptions. Microsoft provides the separately licensed Entra Permissions Management which provides comprehensive principal and permissions discovery and reporting. I wanted something simpler.

The PowerShell script entra-id-principals-permissions-report.ps1 enumerates all principals and various permissions available in your current [Azure CLI login context](https://learn.microsoft.com/en-us/cli/azure/a

@maskati
maskati / #powershell-xml-bom.md
Last active January 9, 2025 07:06
PowerShell XML with and without BOM

PowerShell XML with and without BOM

# ok, returns XmlDocument
Invoke-RestMethod 'https://gist.githubusercontent.com/maskati/69324c8232cc93914b65b8b300a60dc5/raw/a082827c9cb6faacd9f89a5c803d91daef3d1b3e/nobom.xml'

# ok, conversion to XmlDocument fails and returns string with initial BOM character (0xFEFF) UTF8 encoded as 0xEF 0xBB 0xBF
Invoke-RestMethod 'https://gist.githubusercontent.com/maskati/69324c8232cc93914b65b8b300a60dc5/raw/a082827c9cb6faacd9f89a5c803d91daef3d1b3e/bom.xml'

# fails because XmlDocument.LoadXml cannot handle initial BOM character
@maskati
maskati / #servicebusemulator.md
Last active January 9, 2025 07:07
Service Bus Emulator on Azure Container Instance

Service Bus Emulator on Azure Container Instance

Deploys within an Azure Container Instance container group with Azure Service Bus Emulator and Azure SQL Edge.

Configures the emulator using Config.json.

You must accept the Service Bus Emulator EULA and Azure SQL Edge EULA.

Service Bus TCP 5672 is open to the internet without authentication. Parameter exposeMssqlPort defines if the MSSQL default port is open to the internet authenticated with mssqlSaPassword which is by default S3rv1c3Bu$Emul@t0r.