https://github.com/webstean/webstean

### Hey there! I'm Andrew

## 📄 About Me


⚡ I am an IT architect, engineer, mentor and cloud advocate with over 20 years of professional experience. I specialise in designing the hosting of enterprise applications and solutions, principally in the Azure cloud. I love a challenge and I'm skilled at progressing from a simple proposal to a well-defined, robust and production-ready solution. My experience goes beyond the typical compute, network and storage: I have been involved in several large consolidation and migration projects of Oracle and Microsoft SQL Server databases, sometimes involving virtualisation, other times moving into (or out of) public clouds like AWS or Azure.

🌱 I enjoy working with developers and security/cyber professionals to help optimise their way of working and deliver better overall outcomes, ensuring security, reliability and the agility to evolve as things change.

👯 I live and work in [Melbourne, Australia](https://en.wikipedia.org/wiki/Melbourne). But over my career I have lived and worked in [Singapore](https://en.wikipedia.org/wiki/Singapore), [Tokyo, Japan](https://en.wikipedia.org/wiki/Tokyo) and [North Carolina, USA](https://en.wikipedia.org/wiki/North_Carolina).

[Terraform](https://developer.hashicorp.com/terraform/docs) has been my favourite bit of tech in the last few years - it solves so many of the "infra" challenges in a simple, elegant and intuitive way.
I just love how I can deploy totally repeatable infrastructure across multiple cloud regions. I've even used it to manage VMware ESXi clusters.

Currently, I am enjoying the full Terraform support in [AZD](https://github.com/Azure/azure-dev) and [ADE](https://learn.microsoft.com/en-us/azure/deployment-environments/how-to-configure-extensibility-model-custom-image), which can be used together to combine infrastructure provisioning and application deployment in the same step. This is particularly useful in GitHub Actions / ADO pipelines, for example:

```shell
## Provision Infrastructure
azd provision
## Deploy Application
azd deploy
### or do both, with one step
azd up
```
See [here](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/) and [here](https://learn.microsoft.com/en-us/azure/deployment-environments/) for the complete documentation.




## 📄 Some Useful Links

#### API Examples etc..
Example Public APIs : https://github.com/public-apis/public-apis

APIM CheatSheet : https://github.com/Azure/api-management-policy-snippets/blob/master/policy-expressions%2FREADME.md/

#### Azure Portal Links
Developer Portal : https://devportal.microsoft.com

Developer Portal2(!) : https://dev.teams.microsoft.com/home

DevBox Portal : https://devbox.microsoft.com/

Azure Portal : https://portal.azure.com

*Preview* Azure Portal : https://preview.portal.azure.com/

*RC* Azure Portal : https://rc.portal.azure.com/

#### Microsoft / Azure Icons
Azure : https://learn.microsoft.com/en-us/azure/architecture/icons/

Power Platform : https://learn.microsoft.com/en-us/power-platform/guidance/icons

Dynamics 365 : https://learn.microsoft.com/en-us/dynamics365/get-started/icons

Microsoft 365 : https://learn.microsoft.com/en-us/microsoft-365/solutions/architecture-icons-templates?view=o365-worldwide

#### Microsoft / Azure Documentation
Tracker : https://msdocstracker.com/

Main Page : https://learn.microsoft.com

#### Terraform
Terraform Awesome : https://github.com/shuaibiyy/awesome-tf/blob/master/README.md

Provider: Azurerm : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs

Provider: Entra (azuread) : https://registry.terraform.io/providers/hashicorp/azuread/latest/docs (its future replacement, now in beta: https://registry.terraform.io/providers/microsoft/msgraph/latest)

Provider: azapi : https://registry.terraform.io/providers/Azure/azapi/latest/docs

Provider: Power Platform : https://registry.terraform.io/providers/microsoft/power-platform/latest/docs

Provider: Fabric : https://registry.terraform.io/providers/microsoft/fabric/latest

Azure Verified Modules : https://azure.github.io/Azure-Verified-Modules/

## 📄 **My Top Tip** - Use OIDC Federation (OpenID Connect)
When using Terraform providers in GitHub Actions workflows or Azure DevOps pipelines, please use OIDC federation (OpenID Connect) for better security: the pipeline exchanges the short-lived token its own platform issues for an Entra ID token, so there are no client secrets or certificates to expire or be compromised.

This works and is fully supported with both GitHub Actions and Azure DevOps (ADO) pipelines. The relevant documentation links can be found below:

[Setting up Terraform Azure provider to use OIDC Federation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc)

[Setting up Terraform Entra ID provider to use OIDC Federation](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_oidc)

[Setting up Terraform Power Platform provider to use OIDC Federation](https://registry.terraform.io/providers/microsoft/power-platform/latest/docs#authenticating-to-power-platform-using-a-service-principal-with-oidc)

```hcl
## Example: Add a federated identity credential for GitHub to an Entra ID application
## Generally, I'd recommend the alternative (User Assigned Identity) below, as it has a smaller footprint.
## Assumes github_repository.example is itself created with for_each, so it is a map of repositories.
resource "azuread_application_federated_identity_credential" "example_federation" {
  for_each = github_repository.example

  display_name   = "fedcred-${each.key}-github" ## one credential per repository, so the name must vary
  application_id = azuread_application.yourapp.id
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  description    = "Federated identity for ...."

  ## Exactly ONE subject per credential: Entra ID matches issuer, subject and audience exactly.
  ## Preferred: only workflow jobs that target the named GitHub environment can exchange a token,
  ## so that environment's protection rules (required reviewers etc.) gate access to Azure.
  subject = "repo:${each.value.full_name}:environment:${var.environment_name}"
  ## Alternative: only workflow runs on the main branch.
  ## subject = "repo:${each.value.full_name}:ref:refs/heads/main"
}

## Example: Add a federated identity credential for GitHub to an Azure User Assigned Managed Identity (UMI)
## This works even if you don't have permission to create applications in Entra ID.
resource "azurerm_federated_identity_credential" "example_federation" {
  for_each = github_repository.example

  name                = "fedcred-${each.key}-github"
  resource_group_name = azurerm_resource_group.example.name
  parent_id           = azurerm_user_assigned_identity.example.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"

  ## Exactly ONE subject per credential (see above); add a second resource if you need both.
  subject = "repo:${each.value.full_name}:environment:${var.environment_name}"
  ## subject = "repo:${each.value.full_name}:ref:refs/heads/main"
}
```
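To see why the `subject` on each credential above has to be chosen carefully, here is a small model of the match Entra ID performs when the pipeline presents its GitHub token. It is an added example (my own Python, not Terraform code from this README or anything from Microsoft or GitHub): the repository `contoso/webapp`, the two credential names and the token claims are constructed, and the matcher only mirrors the documented rule that issuer, subject and audience must all be equal. The audience case matters in practice: a GitHub token requested without `audience=api://AzureADTokenExchange` carries GitHub's default audience (the repository owner's URL) and is rejected even when the subject is right.

```python
"""Model of how Entra ID matches a GitHub Actions OIDC token against the
federated identity credentials defined above.

Added example, not part of the original README: the credentials, repository
name and token claims below are constructed, and nothing here contacts GitHub
or Entra ID."""
from dataclasses import dataclass
from typing import Iterable, Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRA_AUDIENCE = "api://AzureADTokenExchange"


def github_subject(full_name: str, *, ref: Optional[str] = None,
                   environment: Optional[str] = None,
                   pull_request: bool = False) -> str:
    """Return the `sub` claim GitHub issues for a workflow job.

    A job that targets a GitHub environment gets the environment form, a job
    triggered by pull_request gets the ':pull_request' form, and any other job
    gets the git ref (branch or tag) it runs against.
    """
    if environment is not None:
        return f"repo:{full_name}:environment:{environment}"
    if pull_request:
        return f"repo:{full_name}:pull_request"
    if ref is None:
        raise ValueError("need a ref, an environment, or pull_request=True")
    return f"repo:{full_name}:ref:{ref}"


@dataclass(frozen=True)
class FederatedCredential:
    """One federated identity credential on an application or managed identity."""
    name: str
    issuer: str
    subject: str
    audiences: tuple


def match_federated_credential(claims: dict,
                               credentials: Iterable[FederatedCredential]
                               ) -> Optional[FederatedCredential]:
    """Return the first credential whose issuer, subject and audience all equal
    the token's claims, or None. Entra ID compares these exactly (no wildcards
    or prefixes), which is why a credential for refs/heads/main rejects tokens
    from feature branches, tags and pull_request runs of the same repository.
    In the pipeline a None result shows up as AADSTS70021 (no matching
    federated identity record found for the presented assertion)."""
    for cred in credentials:
        if (claims.get("iss") == cred.issuer
                and claims.get("sub") == cred.subject
                and claims.get("aud") in cred.audiences):
            return cred
    return None


def github_token_claims(sub: str, aud: str = ENTRA_AUDIENCE) -> dict:
    """Just the three claims Entra ID matches on, for a token GitHub would mint."""
    return {"iss": GITHUB_ISSUER, "sub": sub, "aud": aud}


def demo() -> dict:
    """Exercise two credentials like the README's against tokens GitHub would
    issue for different runs of the same (constructed) repository."""
    repo = "contoso/webapp"
    credentials = [
        FederatedCredential("fedcred-production", GITHUB_ISSUER,
                            github_subject(repo, environment="production"),
                            (ENTRA_AUDIENCE,)),
        FederatedCredential("fedcred-main", GITHUB_ISSUER,
                            github_subject(repo, ref="refs/heads/main"),
                            (ENTRA_AUDIENCE,)),
    ]
    tokens = {
        "push_main": github_token_claims(github_subject(repo, ref="refs/heads/main")),
        "push_feature": github_token_claims(github_subject(repo, ref="refs/heads/feature/x")),
        "tag_v1": github_token_claims(github_subject(repo, ref="refs/tags/v1.0.0")),
        "pull_request": github_token_claims(github_subject(repo, pull_request=True)),
        "environment_production": github_token_claims(github_subject(repo, environment="production")),
        # Token requested without audience=api://AzureADTokenExchange: GitHub's default
        # audience is the repository owner's URL, so Entra ID rejects it despite the subject.
        "wrong_audience": github_token_claims(github_subject(repo, ref="refs/heads/main"),
                                              aud="https://github.com/contoso"),
    }
    results = {}
    for scenario, claims in tokens.items():
        cred = match_federated_credential(claims, credentials)
        results[scenario] = cred.name if cred else None
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24} -> {outcome or 'rejected (no matching credential)'}")
```

On the consuming side, the GitHub job needs `permissions: id-token: write` so it can request the token at all, and the azurerm and azuread providers pick the exchange up from `ARM_USE_OIDC=true` together with `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` (no `ARM_CLIENT_SECRET` anywhere).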
If you've read this far, you might be asking: isn't a user-assigned identity a bit limiting? You can't seem to give it access to read Microsoft Graph, so it can't read users, groups or applications, which you need when, for example, authenticating users via Easy Auth or for Azure SQL Server...

> [!IMPORTANT]
> Whilst it is *NOT possible* to add Microsoft Graph permissions to the service principal of a managed identity in the Azure portal, it can be done via the Microsoft Graph API (and so with the Azure CLI, PowerShell or Terraform).
> In Terraform, you achieve this with the following:

## System Assigned Identities - MS Graph permissions
```hcl
## Look up Microsoft Graph's well-known application ID and its service principal in this tenant
data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

## Graph application roles the SQL server's identity needs to resolve Entra ID users, groups and apps.
## These are tenant-wide read permissions granted without any consent prompt: grant only what is needed.
locals {
  sqlserver_graph_roles = toset([
    "User.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "Application.Read.All",
  ])
}

## Assumes azurerm_mssql_server.example is defined elsewhere with identity { type = "SystemAssigned" }
resource "azuread_app_role_assignment" "sqlserver_system_identity_graph" {
  for_each = local.sqlserver_graph_roles

  app_role_id         = azuread_service_principal.msgraph.app_role_ids[each.key]
  principal_object_id = azurerm_mssql_server.example.identity[0].principal_id
  resource_object_id  = azuread_service_principal.msgraph.object_id
}
```
For example, you can grant these to the system-assigned identity of an Azure SQL server; the server can then use its managed identity to manage Entra ID access to the database, because the permissions give it enough access to read Entra ID users, groups (including group members) and applications. Read more about this [here](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity?view=azuresql).

Even better, you can use:

## User Assigned Identities - MS Graph permissions
This gives you the ultimate in flexibility, as the one identity (and its permissions) can be attached to multiple resources, which ultimately requires less code to build and maintain.

```hcl
data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

resource "azurerm_user_assigned_identity" "example" {
  name                = "id-example-with-graph-permissions"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  tags                = azurerm_resource_group.example.tags
}

## One app role assignment per Graph permission, granted to the identity's service principal
resource "azuread_app_role_assignment" "example_identity_graph" {
  for_each = toset([
    "User.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "Application.Read.All",
  ])

  app_role_id         = azuread_service_principal.msgraph.app_role_ids[each.key]
  principal_object_id = azurerm_user_assigned_identity.example.principal_id
  resource_object_id  = azuread_service_principal.msgraph.object_id
}
```
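Because the portal cannot grant these roles, it helps to be able to verify them straight from the Graph API. The following Python is an added example, not code from this README or from the Terraform providers: it maps app role names to IDs the way the azuread provider's `app_role_ids` attribute does, builds the `appRoleAssignedTo` request that `azuread_app_role_assignment` sends on your behalf, and audits an identity for missing and surplus Graph roles (the surplus check is the least-privilege finding). The GUIDs and Graph responses in it are constructed placeholders.

```python
"""Verify the Microsoft Graph application roles held by a managed identity's
service principal, and build the Graph request Terraform's
azuread_app_role_assignment makes on your behalf.

Added example, not part of the original README. The Graph objects below are
constructed with placeholder GUIDs; real ones come from the Graph API calls
named after the block."""
from typing import Dict, Iterable, Set, Tuple

# Placeholder object IDs (constructed): the Microsoft Graph service principal in
# the tenant, and the service principal of the user-assigned managed identity.
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
IDENTITY_PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"

# Constructed subset of GET /servicePrincipals/{GRAPH_SP_ID}?$select=id,appRoles
GRAPH_SP = {
    "id": GRAPH_SP_ID,
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Group.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "GroupMember.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "Application.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000005", "value": "Directory.ReadWrite.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        # A disabled role (constructed) that must never be treated as assignable.
        {"id": "aaaaaaaa-0000-0000-0000-000000000006", "value": "Mail.Send",
         "allowedMemberTypes": ["Application"], "isEnabled": False},
    ],
}

# Constructed subset of GET /servicePrincipals/{IDENTITY_PRINCIPAL_ID}/appRoleAssignments:
# the identity holds three of the four roles the README grants, plus a write role nobody asked for.
IDENTITY_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "principalId": IDENTITY_PRINCIPAL_ID, "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000003", "principalId": IDENTITY_PRINCIPAL_ID, "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000004", "principalId": IDENTITY_PRINCIPAL_ID, "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000005", "principalId": IDENTITY_PRINCIPAL_ID, "resourceId": GRAPH_SP_ID},
]

REQUIRED_ROLES = ["User.Read.All", "Group.Read.All", "GroupMember.Read.All", "Application.Read.All"]


def app_role_ids(resource_sp: dict) -> Dict[str, str]:
    """Map app role value -> id, like the provider's app_role_ids attribute, keeping only
    enabled roles that can be assigned to a service principal ('Application' member type)."""
    return {
        role["value"]: role["id"]
        for role in resource_sp["appRoles"]
        if role.get("isEnabled", True) and "Application" in role.get("allowedMemberTypes", [])
    }


def assignment_body(principal_id: str, resource_sp: dict, role_value: str) -> dict:
    """Body for POST /servicePrincipals/{resourceId}/appRoleAssignedTo, the call that grants
    one application role to a service principal (what azuread_app_role_assignment does)."""
    ids = app_role_ids(resource_sp)
    if role_value not in ids:
        raise KeyError(f"{role_value} is not an assignable application role on this resource")
    return {"principalId": principal_id, "resourceId": resource_sp["id"], "appRoleId": ids[role_value]}


def audit_graph_roles(principal_id: str, resource_sp: dict, assignments: Iterable[dict],
                      required: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (missing, extra): required roles the principal lacks on this resource, and
    roles it holds beyond the required set. Unknown role ids are reported by raw id."""
    by_id = {v: k for k, v in app_role_ids(resource_sp).items()}
    held = {
        by_id.get(a["appRoleId"], a["appRoleId"])
        for a in assignments
        if a["principalId"] == principal_id and a["resourceId"] == resource_sp["id"]
    }
    required_set = set(required)
    return required_set - held, held - required_set


if __name__ == "__main__":
    missing, extra = audit_graph_roles(IDENTITY_PRINCIPAL_ID, GRAPH_SP, IDENTITY_ASSIGNMENTS, REQUIRED_ROLES)
    print("missing:", sorted(missing))
    print("extra  :", sorted(extra))
    for role in sorted(missing):
        print("would POST", assignment_body(IDENTITY_PRINCIPAL_ID, GRAPH_SP, role))
```

To feed it real data, Microsoft Graph's service principal is the one whose `appId` is `00000003-0000-0000-c000-000000000000` (the same well-known ID the `azuread_application_published_app_ids` data source returns as `MicrosoftGraph`), so with the Azure CLI: `az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals?\$filter=appId eq '00000003-0000-0000-c000-000000000000'&\$select=id,appRoles"` for the roles, and `az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/<identity-principal-id>/appRoleAssignments"` for what the identity currently holds.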

## 📄 Code Snippet

View the full code on Gist:

[![View Gist](https://img.shields.io/badge/View%20Gist-f7792c2f97-blue?logo=github&style=for-the-badge)](https://gist.github.com/webstean/f7792c2f971423591f3efe6bfd450c9a)