@maskati
maskati / #powershell-xml-bom.md
Last active January 9, 2025 07:06
PowerShell XML with and without BOM

# ok, returns XmlDocument
Invoke-RestMethod 'https://gist.githubusercontent.com/maskati/69324c8232cc93914b65b8b300a60dc5/raw/a082827c9cb6faacd9f89a5c803d91daef3d1b3e/nobom.xml'

# ok, conversion to XmlDocument fails and returns string with initial BOM character (0xFEFF) UTF8 encoded as 0xEF 0xBB 0xBF
Invoke-RestMethod 'https://gist.githubusercontent.com/maskati/69324c8232cc93914b65b8b300a60dc5/raw/a082827c9cb6faacd9f89a5c803d91daef3d1b3e/bom.xml'

# fails because XmlDocument.LoadXml cannot handle initial BOM character
@maskati
maskati / #servicebusemulator.md
Last active January 9, 2025 07:07
Service Bus Emulator on Azure Container Instance

Deploys the Azure Service Bus Emulator and Azure SQL Edge within an Azure Container Instance container group.

Configures the emulator using Config.json.

You must accept the Service Bus Emulator EULA and Azure SQL Edge EULA.

Service Bus TCP port 5672 is open to the internet without authentication. The exposeMssqlPort parameter defines whether the default MSSQL port is also open to the internet, authenticated with mssqlSaPassword, which is by default S3rv1c3Bu$Emul@t0r.

@maskati
maskati / #azure-powershell-uniquestring.md
Last active January 2, 2025 08:37
Calculating the Bicep `uniqueString` hash locally using PowerShell

The Bicep uniqueString as well as the ARM uniqueString function:

Creates a deterministic hash string based on the values provided as parameters

The actual function implementation is not documented, but it is (almost certainly) a variant of the Murmur hash algorithm that maps the provided string parameters to a 64-bit hash and returns a 13-character Base32-like encoding of this hash.

The function:

  1. Concatenates the string parameters with a dash -
  2. UTF8 encodes the resulting concatenated string
@maskati
maskati / #azure-privileged-containers.md
Created December 11, 2024 11:55
Using Blobfuse2 to mount Azure Blob Storage using managed identity from Azure Container Instance privileged containers

@maskati
maskati / deployment-gantt.md
Last active December 16, 2024 09:27
Create a Mermaid gantt chart of your Azure deployment operations

You can create a Mermaid Gantt Chart in order to visualize the sequence and duration of Azure deployment operations. The output is similar to the following:

gantt
  dateFormat %YYYY-%m-%dT%H:%M:%S.%L%Z
  axisFormat %H:%M:%S.%L
  title Deployment 'mydeployment'
  > : milestone, 2024-12-09T14:00:14.1519943Z, 0ms
  x : milestone, 2024-12-09T14:00:23.5689337Z, 0ms
  section mydeployment
@maskati
maskati / #bicep-rest-http-client.md
Created December 4, 2024 12:48
Call REST APIs in Azure Bicep templates without deployment scripts

Did you know you can call REST APIs from your Bicep deployment templates using just a function call?

var getResponse = httpClient.listHttpRequest(httpClient.apiVersion, {
  method: 'GET'
  uri: 'https://mallow.fi/'
})

var postResponse = httpClient.listHttpRequest(httpClient.apiVersion, {
 method: 'POST'
@maskati
maskati / #github-actions-terminal.md
Created October 8, 2024 03:53
Open a terminal into your GitHub Actions workflow

You can use WeTTY to create a web-based interactive terminal for a shell running in the context of your GitHub Actions workflow, and combine that with Microsoft dev tunnels to open a secure and authenticated connection into that shell. The default dev tunnels security model secures access by requiring authentication with the same account used to host the tunnel (in the example below, a GitHub account).

You can use this to investigate issues with your workflow scripts in the context of the actual runner. Here is an example of htop running on a GitHub hosted agent.

[Image: htop running on a GitHub hosted agent]

The below workflow step:

  1. Installs Dev tunnels and WeTTY (due to a known issue we install version 2.5).
  2. Starts WeTTY to host a bash shell over a web interface.
  3. Auth
@maskati
maskati / #keyvault-private-add-secret.md
Created September 23, 2024 07:47
Add secrets to a private Key Vault from anywhere using the management plane

Key Vault secrets can be set through:

There is a notable difference between these methods with regard to how they adhere to the Key Vault network security and access model configurations.

  • Key Vaults with network restrictions will verify data plane operations against network access rules, and you will not be able to add or update a secret from the public Internet to a private Key Vault.
  • Key Vaults authorized with access policies or Key Vau
@maskati
maskati / #azure-bicep-export.md
Created September 23, 2024 07:01
Azure Bicep export

Azure has an upcoming capability to export resource templates from the Azure Portal in Bicep format. This capability is actually already added to a new version of the Export Template REST API operation. You can test this by setting the appropriate outputFormat parameter which takes a value of either Json or Bicep from the Azure.Deployments.Core.Entities.ExportTemplateOutputFormat enumeration. Below is a PowerShell script to export a resource group as a Bicep template without local ARM decompilation.

$resourcegroup = 'MyResourceGroupName'
$groupid = az group show --name $resourcegroup --query id -o tsv
$token = az account get-access-token --query accessToken -o tsv|convertto-securestring -force -asplaintext
irm -method post -authentication bearer -token $token -uri "https://management.azure.com${groupid}/exportTemplate?api-version=2024-06-01-preview" -contenttype 'application/json' -body (@{resources=@('*')
@maskati
maskati / #azure-naming-abbreviations-rules-restrictions.md
Created August 15, 2024 07:16
Azure resource naming abbreviations, rules and restrictions

Microsoft documents recommended abbreviations for Azure resource types as well as resource type specific naming rules and restrictions. Microsoft also publishes the Azure Naming Tool which happens to contain a structured repository of Azure resource type abbreviations and naming rules.

You can get a quick searchable grid of this data using PowerShell. If you prefer you can replace the Windows-only Out-GridView with the cross platform [Out-ConsoleGridView](https://github.com/PowerShell/ConsoleGuiTools/blob/main/docs/Microsoft.PowerShell.ConsoleGuiTools/Out-Console