ARM Template with Key Vault certificate - x509certificate2

I am having a strange issue. I have 1 ARM template, which I use to deploy 2 environments.
I am adding a certificate like this:
{
"type": "Microsoft.Web/certificates",
"name": "[variables('certificateName')]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[parameters('almKeyVaultId')]",
"keyVaultSecretName": "[parameters('servicePrincipalCertSecretName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('appServicePlanName'))]"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', variables('appServicePlanName'))]"
]
},
For my test environment, this succeeds.
When I deploy my QA environment, I get the error: "The parameter KeyVaultId & KeyVaultSecretName has an invalid value."
However, the parameter values for Test and QA are identical (almKeyVaultId & servicePrincipalCertSecretName).
Any ideas what I am doing wrong?
Update
After deleting the full QA resource group, I was able to redeploy the exact same ARM template.
It seems that the resource group should be created after the Key Vault secret? Any ideas why? If we were to encounter this in production, we would not want to delete the full resource group.

I think I found the cause of this issue.
Apparently, when a resource group has been created, you cannot change the secret name. If you do so, the error above will be thrown.
If you want to change the secret name, you need to delete the resource group and redeploy everything.

I can confirm that deleting the resource group works, but I have RBAC applied to the resource group and a vendor manages our permissions, so re-creating the resource group causes other problems.
I removed the certificate from the resource group (it is not shown in the resource group in the portal) using resources.azure.com, navigating to the resource group and removing it from the Microsoft.Web/certificates collection.
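The same cleanup can be done with the Azure CLI instead of resources.azure.com, which leaves the resource group and its RBAC assignments untouched. The script below is an added example, not code from the question or the answers above. It assumes `az` is logged in to the right subscription and that the resource group, certificate name and the secret name the new deployment will use are supplied through the environment variables RESOURCE_GROUP, CERT_NAME and NEW_SECRET_NAME (all names chosen here, not taken from the page).

```sh
#!/usr/bin/env sh
# Added example: find a Microsoft.Web/certificates resource that is bound to
# an old Key Vault secret name and delete only that resource, so the ARM
# template can be redeployed with the new keyVaultSecretName.
# Assumed inputs: RESOURCE_GROUP, CERT_NAME, NEW_SECRET_NAME (environment).

# Build the ARM resource ID of a Microsoft.Web/certificates resource.
web_cert_id() {
  # $1 subscription id, $2 resource group, $3 certificate name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/certificates/%s' "$1" "$2" "$3"
}

# List the certificate resources in a resource group; the portal hides them.
list_web_certs() {
  az resource list --resource-group "$1" --resource-type Microsoft.Web/certificates \
    --query '[].{name:name, secret:properties.keyVaultSecretName, vault:properties.keyVaultId}' -o table
}

# Which Key Vault secret is the deployed certificate currently bound to?
deployed_secret_name() {
  az resource show --ids "$(web_cert_id "$1" "$2" "$3")" \
    --query properties.keyVaultSecretName -o tsv
}

# Delete the certificate resource only; the resource group stays in place.
delete_web_cert() {
  az resource delete --ids "$(web_cert_id "$1" "$2" "$3")"
}

main() {
  sub=$(az account show --query id -o tsv)
  rg="${RESOURCE_GROUP:?set RESOURCE_GROUP}"
  cert="${CERT_NAME:?set CERT_NAME}"
  wanted="${NEW_SECRET_NAME:?set NEW_SECRET_NAME}"   # servicePrincipalCertSecretName for this deployment
  list_web_certs "$rg"
  current=$(deployed_secret_name "$sub" "$rg" "$cert")
  if [ "$current" != "$wanted" ]; then
    echo "deployed certificate is bound to '$current', template wants '$wanted': removing stale resource"
    delete_web_cert "$sub" "$rg" "$cert"
  else
    echo "deployed certificate already bound to '$wanted', nothing to do"
  fi
  # Afterwards re-run the deployment, for example:
  # az deployment group create --resource-group "$rg" --template-file azuredeploy.json --parameters @qa.parameters.json
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh cleanup-cert.sh --run`; without `--run` it only defines the functions. The comparison step is the useful part: if the deployed certificate's keyVaultSecretName already matches the template, the "invalid value" error has a different cause and nothing should be deleted.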

Related

What does the CDKToolkit's BootstrapVersion SSM parameter represent?

I am using the AWS CDK toolkit to create our infrastructure. I created a helloworld-stack.ts file, and when I run cdk synth the process creates a HelloWorldStack.template.json file.
In this file we have some auto-generated elements, like this one:
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
Now, I am not able to understand how bootstrapping pushes this "/cdk-bootstrap/hnb659fds/version" key to the SSM store and why this key always has the value 14.
Can someone help me to understand this behaviour?
After reading the official AWS doc on bootstrapping, I got the answer:
https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html
In this doc they mention that this is their template version.
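To see the mechanism rather than read about it: `cdk bootstrap` deploys the bootstrap stack, and that stack writes its own template version to the SSM parameter named in the Default above; at deploy time CloudFormation resolves the AWS::SSM::Parameter::Value<String> parameter from that path. The script below is an added example, not part of the question or the answer. It assumes AWS CLI credentials for the target account and region are configured, and that REQUIRED_VERSION is a minimum you choose to enforce (hnb659fds is the CDK default qualifier; a custom one is set with `cdk bootstrap --qualifier` and must match the synthesizer's qualifier).

```sh
#!/usr/bin/env sh
# Added example: read the bootstrap version that `cdk bootstrap` stored in SSM
# and compare it with a required minimum. Assumed inputs: BOOTSTRAP_PATH
# (defaults to the page's path) and REQUIRED_VERSION (environment).

# Extract the qualifier from a /cdk-bootstrap/<qualifier>/version path.
bootstrap_qualifier() {
  case "$1" in
    /cdk-bootstrap/*/version)
      rest="${1#/cdk-bootstrap/}"
      printf '%s' "${rest%/version}"
      ;;
    *) return 1 ;;
  esac
}

# Read the deployed bootstrap version for a qualifier; this is the value the
# template's BootstrapVersion parameter resolves to during deployment.
bootstrap_version() {
  aws ssm get-parameter --name "/cdk-bootstrap/$1/version" \
    --query Parameter.Value --output text
}

# Return 0 when the deployed version ($1) is at least the required one ($2).
version_at_least() {
  [ "$1" -ge "$2" ]
}

main() {
  q=$(bootstrap_qualifier "${BOOTSTRAP_PATH:-/cdk-bootstrap/hnb659fds/version}")
  v=$(bootstrap_version "$q")
  req="${REQUIRED_VERSION:?set REQUIRED_VERSION}"
  if version_at_least "$v" "$req"; then
    echo "bootstrap qualifier $q is at version $v (>= $req): ok"
  else
    echo "bootstrap version $v is below $req; run: cdk bootstrap" >&2
    exit 1
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Because the version lives in the target account's SSM, the number you see in the template is not fixed by your code: it is whatever bootstrap template version was last deployed there, which is why it changes only after you re-run `cdk bootstrap`.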

unable to get given_name and family_name from azure v2 token endpoint

In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
{
"name": "family_name",
"source": "user",
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": "user",
"essential": false,
"additionalProperties": []
}
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error.
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft-specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write-up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or the application manifest, you need to add the profile delegated permission for the application.
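The point of the answers above is that given_name and family_name are claims, not scopes: request the standard `openid profile` scopes and then look for the claims in the id_token. The script below is an added example, not code from the question or the answers. The token it inspects is constructed locally and unsigned (alg none), so this is payload inspection only; a real application must validate the signature, issuer, audience and expiry before trusting any claim.

```sh
#!/usr/bin/env sh
# Added example: build the correct scope string and check that an id_token
# carries the optional claims configured in the manifest. The sample token is
# constructed here for the demo; it is not a real AAD token.

# Scope string for the v2.0 authorize request. Claims configured as optional
# claims arrive under 'profile'; 'given_name' as a scope yields AADSTS650053.
authorize_scope() {
  printf 'openid profile'
}

# base64url encode/decode without padding (JWT segment encoding).
b64url_enc() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# The second dot-separated segment of a JWT is the claims set.
jwt_claims() { b64url_dec "$(printf '%s' "$1" | cut -d. -f2)"; }

# Return 0 only if every claim name in $2.. appears in token $1.
# (Substring match on the quoted key; fine for a check, not a JSON parser.)
has_claims() {
  tok="$1"; shift
  claims=$(jwt_claims "$tok")
  for c in "$@"; do
    printf '%s' "$claims" | grep -q "\"$c\"" || return 1
  done
}

# Constructed sample: unsigned token whose payload looks like a v2.0 id_token
# after the profile scope was granted and the optional claims configured.
sample_id_token() {
  hdr=$(b64url_enc '{"alg":"none","typ":"JWT"}')
  body=$(b64url_enc '{"iss":"https://login.microsoftonline.com/tenant-id/v2.0","aud":"client-id","given_name":"Ada","family_name":"Lovelace"}')
  printf '%s.%s.' "$hdr" "$body"
}

main() {
  tok="${ID_TOKEN:-$(sample_id_token)}"   # pass a real id_token via ID_TOKEN to inspect it
  echo "scope to request: $(authorize_scope)"
  if has_claims "$tok" given_name family_name; then
    echo "id_token contains given_name and family_name"
  else
    echo "claims missing: check the optional claims in the manifest and the profile permission" >&2
    exit 1
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `ID_TOKEN=... sh check-claims.sh --run` against a token obtained with the `openid profile` scopes. If the claims are still absent, the cause is on the app registration side (optional claims or the profile delegated permission), not the scope string.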

FIWARE Metadata in IoTAgent

I am trying to set up TTN-based LoRaWAN monitoring of my gateways and devices inside a FIWARE environment. For that it would be essential to access data that is not in the payload_field of TTN's MQTT broker.
I wonder if it is possible to access fields like counter, port, app_id and metadata.
I have not found a possibility yet. Do any of you face the same problem and have a solution to this challenge?
I use the following relevant FIWARE-components in a docker environment:
fiware/orion:2.2.0
fiware/iotagent-lorawan:1.2.3
mongo:3.6.8
If you need to receive metadata directly from LoRaWAN, you will have to customize the code within the LoRaWAN IoT Agent - this just passes measures by default, but the IoT Agent node lib interface is capable of receiving metadata as well.
Alternatively, a recent pull request for the IoT Agent node lib allows additional static metadata to be added during the provisioning stage and sent as part of the requests to the context broker. You would need to use the latest development code base, as the change hasn't been ported to the LoRaWAN IoT Agent yet - amend the iotagent-node-lib dependency in package.json as shown:
"dependencies": {
...
"iotagent-node-lib": "git://github.com/telefonicaid/iotagent-node-lib.git#master",
...
},
... etc
The documentation can be found here
Attributes with metadata are provisioned with an additional parameter as shown:
"attributes": [
{"object_id": "s", "name": "state", "type":"Text"},
{"object_id": "l", "name": "luminosity", "type":"Integer",
"metadata":{
"unitCode":{"type": "Text", "value" :"CAL"}
}
}
]

Change Plan's Owner/Group - Required Permissions missing

When attempting to update a Planner plan's group using PATCH, updates to the owner field fail with 403. The attempt is being made using Graph Explorer (and also fails using Postman).
An attempt to change the title field succeeds (no issue with permissions, using the eTag, etc.) for the call.
The documentation indicates Groups.ReadWrite.All is required, and that the owner can only be changed by the group owner, but the account being used is the owner of the unified group.
Are there any additional permissions required?
Example info:
PATCH https://graph.microsoft.com/beta/planner/plans/Vk_27olfLESU6vWJNgzVT2UABrBj
If-Match: W/"JzEtUGxhbiAgQEBAQEBAQEBAQEBAQEBARCc="
BODY:
{
"title": "Updated plan with new group owner",
"owner": "0ab4b389-7c7c-4757-ac75-2ba5de8c8197"
}
RESPONSE:
{
"error": {
"code": "",
"message": "You do not have the required permissions to access this item, or the item may not exist.",
"innerError": {
"request-id": "7696b78c-474f-4fc0-bba9-4554bfe303c4",
"date": "2018-11-14T16:50:59"
}
}
}
The documentation in this case is misleading/incorrect (it is trying to say the field owner can only be updated by the principal identified by the value of the owner field, which is a group that cannot actually perform operations, not the owner of that group). We'll update the documentation and clarify.
We currently do not allow Plans to be moved between groups, as some of the related items mostly live within the group itself (e.g. membership, comments, document links). We'd like to understand your scenario better to see if we could support it, so please provide feedback on https://planner.uservoice.com.

Multiple target environments and AWSGoogleSignIn

Hello, I am working with multiple AWS frameworks on an iOS project. The app is set up to target the specific backend environments through a dev and a prod target in Xcode.
This generally works fine through the use of constants and macros to select the different identity pools etc. at build time.
However, I am now using AWSGoogleSignInProvider to link Google sign-in and Cognito. This requires an awsconfiguration.json file in the project which contains the Google ID and the Cognito ID.
{
"Version": "1.0",
"CredentialsProvider": {
"CognitoIdentity": {
"Default": {
"PoolId": "***",
"Region": "***"
}
}
},
"IdentityManager": {
"Default": {}
},
"GoogleSignIn": {
"ClientId-iOS": "***",
"Permissions": "email,profile,openid"
}
}
I'm unsure how I can target dev/prod, since I would need to use different pool IDs depending on the environment. I can't use two files with different names and targets since the naming is "immutable", and I can't use any macros in the JSON file itself.
By looking at the AWS framework it seems there is no way to set any of these manually, and the shared instance gets the Google ID from the JSON file on instantiation or throws.
