Andrew Matveychuk andrewmatveychuk

☁️
View GitHub Profile
@andrewmatveychuk
andrewmatveychuk / listStorageAccountKeys.bicep
Created November 11, 2024 12:42
Referencing Storage account access keys in Bicep
resource existingStorageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
  name: storageAccountName
}
resource existingWebApp 'Microsoft.Web/sites@2020-09-01' existing = {
  name: webAppName
}
resource siteConfig 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: existingWebApp
andrewmatveychuk / accessRestrictions.bicep
Created November 11, 2024 12:38
Azure Web App access restrictions to a specific Azure Front Door instance
resource siteConfig 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: existingWebApp
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        ipAddress: 'AzureFrontDoor.Backend'
        action: 'Allow'
        tag: 'ServiceTag'
        priority: 100
andrewmatveychuk / keyVaultRoleAssignment.bicep
Created November 11, 2024 12:34
Create an RBAC role assignment for Azure Key Vault using Bicep
// Existing Key Vault with RBAC authorization mode (referenced, not deployed, hence the 'existing' keyword)
resource existingKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
  name: keyVaultName
}
// Mapping of Key Vault built-in RBAC role names to their role definition IDs for more intuitive assignments
var roleIdMapping = {
  'Key Vault Administrator': '00482a5a-887f-4fb3-b363-3b7fe8e74483'
  'Key Vault Certificates Officer': 'a4417e6f-fecd-4de8-b567-7b0420556985'
  'Key Vault Crypto Officer': '14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
andrewmatveychuk / webAppSettings.bicep
Created November 11, 2024 12:27
How to use multi-line strings in Bicep to pass a certificate via an environment variable to connect to Azure Database for MySQL
resource appSettings 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: existingWebApp
  name: 'appsettings'
  properties: {
    // ... redacted
    database__connection__host: existingMySQLServer.properties.fullyQualifiedDomainName
    database__connection__user: databaseLogin
    database__connection__password: '@Microsoft.KeyVault(SecretUri=${databasePasswordSecretUri})'
    database__connection__database: databaseName
    // The public SSL certificate used by Azure Database for MySQL - Flexible Server (https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem)
andrewmatveychuk / appsettings.json
Created June 24, 2024 09:38
An appsettings.json file to authenticate to Azure resources using a system-assigned managed identity
{
  "KeyVault": {
    "vaultUri": "https://kv-4zdnwe1wgbwdp.vault.azure.net", // Your Key Vault URI
    "credential": "managedidentity" // Using the system-assigned managed identity of your Azure Arc-enabled server
  }
}
andrewmatveychuk / appsettings.json
Created June 7, 2024 09:07
A redacted appsettings.json file to authenticate to Azure resources using the DefaultAzureCredential type
{
  "KeyVault": {
    "vaultUri": "https://kv-4zdnwe1wgbwdp.vault.azure.net" // Your Key Vault URI
  }
}
andrewmatveychuk / appsettings.json
Created June 7, 2024 09:05
Sample configuration in an appsettings.json file to authenticate to Azure resources using the ClientCertificateCredential type
{
  "KeyVault": {
    "vaultUri": "https://kv-4zdnwe1wgbwdp.vault.azure.net", // Your Key Vault URI
    "tenantId": "3f5ed419-0e1b-4f47-8f94-a5b9fa4f298e", // Your Azure tenant ID
    "clientId": "76a95e90-ec2c-4d59-b92b-9c5b8316cff4", // Your app registration in the tenant
    "clientCertificate": "5378d04cd9a86a6cde595478d664cc9e2f755d4b", // The thumbprint of your unique client certificate
    "clientCertificateStoreLocation": "LocalMachine" // The certificate store location, either 'CurrentUser' or 'LocalMachine'
  }
}
andrewmatveychuk / WorkerService.cs
Created June 7, 2024 09:01
Using the AddAzureClients method to initialize Azure clients from an appsettings.json file
// Extracts from a sample .NET Worker Service project
// You can add your target Azure resources in the Program.cs file using the 'AddAzureClients' method and extension methods from corresponding Azure services client libraries
// ...
var builder = Host.CreateApplicationBuilder(args);
builder.Services.AddAzureClients(clientBuilder => clientBuilder.AddSecretClient(builder.Configuration.GetSection("KeyVault")));
// ...
// Then you can 'inject' the Azure client into the Worker object (the Worker.cs file) and use it in your task
andrewmatveychuk / EnvVarCertApp.cs
Last active June 7, 2024 09:13
Using the DefaultAzureCredential class and environment variables to read a certificate from a local file and retrieve a Key Vault secret
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); // Getting the Key Vault name from an environment variable
if (keyVaultName is not null) // Checking if the environment variable is set
{
    Console.WriteLine($"Key Vault name: {keyVaultName}");
    var keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";
andrewmatveychuk / LowLevelCertApp.cs
Created June 7, 2024 08:43
Explicit reading of a certificate from a certificate store to authenticate to an Azure Key Vault and read a secret from it
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
string keyVaultName = "kv-4zdnwe1wgbwdp"; // The name of the Key Vault you want to access
var keyVaultUri = "https://" + keyVaultName + ".vault.azure.net"; // The Key Vault URI
string tenantId = "3f5ed419-0e1b-4f47-8f94-a5b9fa4f298e"; // Your Azure tenant ID
string clientId = "76a95e90-ec2c-4d59-b92b-9c5b8316cff4"; // Your app registration in the tenant
string certificateThumbprint = "5378d04cd9a86a6cde595478d664cc9e2f755d4b"; // That should be your unique certificate thumbprint