Monday, September 20, 2021

TFS Build failure: folder cannot be deleted because it is not empty

When we run the build pipeline in Azure Devops, if we encounter below error then you can make the change recommended here.

Issue

D:\DevOps\Build\33\s\PT\<foldername>cannot be deleted because it is not empty. 

D:\DevOps\Build\33\s\PT\<foldername> cannot be deleted because it is not empty.

---- Summary: 0 conflicts, 1 warnings, 0 errors ---- 

Sleeping for 200 ms 

Retrying. Attempt $2/$3 

##[error]_proc should be null. (Parameter '_proc')


Cause

You can perform different kinds of cleaning of the working directory of your private agent before the build is run. If the Clean is set to false, it does not  get a fresh pull before the build is run.


Resolution


Change the clean dropdown to true and the error goes of in the next run.




Saturday, September 18, 2021

Update Azure SQL Database table using Service Principal Context

The script below checks whether a key exists in the DB and if yes it updates and if not it adds the key and value to the table. The context used here is the Service Principal Name (SPN) which is the client ID and secret key. Also the SQL authentication user ID and password is required. Make sure your machine ip is added in the firewall rules to run the query.

$dbuser = "username"

$password = "dbpswd"

$tenid = "tenantid"

$clientid = "client ID"

$secretkey = "Secret Key"

$Servername ="dbservername"

$database="dbname"


Write-Output "Starting"

#$clientid = Get-AzureRMAutomationVariable -Name $varclientid

#$secretkey = Get-AzureRMAutomationVariable -Name $varsecretkey

#$dbuser = Get-AzureRMAutomationVariable -Name $vardbuser

#$password = Get-AzureRMAutomationVariable -Name $vardbpass

#$sbpk = "test"


Add-SqlAzureAuthenticationContext -ClientID $clientid -Secret $secretkey -Tenant $tenid

$sqlConn = New-Object System.Data.SqlClient.SqlConnection

$sqlConn.ConnectionString = "Server=$Servername.database.windows.net; User ID = $dbuser ; Password = $password ; Database = $database; Column Encryption Setting=enabled;"

$sqlConn.Open()

Write-Output "sql conn opened"

function updateparamMaster($sqlconn,$paraID,$ParaGrp,$ParaValue)

{


#Check if the paramid and ParamGroup exists

$sqlcmd = New-Object System.Data.SqlClient.SqlCommand

$sqlcmd.Connection = $sqlConn

$query = "select * from parametermaster where paramid= $paraID and ParamGroup= '"+$ParaGrp+"'"

$sqlcmd.CommandText = $query

$adp = New-Object System.Data.SqlClient.SqlDataAdapter $sqlcmd

$data = New-Object System.Data.DataSet

$adp.Fill($data)

$paramcount = $data.Tables[0].Rows.count

Write-Host "Row count-" $paramcount


if($paramcount -eq 0)

{

Write-Output $ParaGrp "ParamGroup does not exist- creating new entry"

$sqlcmd = New-Object System.Data.SqlClient.SqlCommand

$sqlcmd.Connection = $sqlConn

$sqlcmd.CommandText = "INSERT into parametermaster(paramid,ParamGroup,Value) VALUES (@paramid, @ParamGroup, @Val)"

$sqlcmd.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@paramid",[Data.SQLDBType]::Int)))

$sqlcmd.Parameters["@paramid"].Value = $paraID

$sqlcmd.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@ParamGroup",[Data.SQLDBType]::VarChar, 50)))

$sqlcmd.Parameters["@ParamGroup"].Value = $ParaGrp

$sqlcmd.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@val",[Data.SQLDBType]::NVarChar, 500)))

$sqlcmd.Parameters["@val"].Value =$ParaValue

$sqlcmd.ExecuteNonQuery();

}

else

{

Write-Output $ParaGrp "ParamGroup exist- updating entry"

$sqlcmd = New-Object System.Data.SqlClient.SqlCommand

$sqlcmd.Connection = $sqlConn

$sqlcmd.CommandText = "UPDATE parametermaster SET [Value] = @Val WHERE paramid = @paramid AND ParamGroup = @ParamGroup"

$sqlcmd.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@paramid",[Data.SQLDBType]::Int)))

$sqlcmd.Parameters["@paramid"].Value = $paraID

$sqlcmd.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@ParamGroup",[Data.SQLDBType]::VarChar, 50)))

$sqlcmd.Parameters["@ParamGroup"].Value = $ParaGrp

$sqlcmd.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@val",[Data.SQLDBType]::NVarChar, 500)))

$sqlcmd.Parameters["@val"].Value =$ParaValue

$sqlcmd.ExecuteNonQuery();

}


}


updateparamMaster -sqlconn $sqlConn -paraID 118 -ParaGrp "SharedDb" -ParaValue

Tuesday, September 14, 2021

Add Virtual Machine Scale Set (VMSS) Managed Identity to Azure Key Vault Access Policy- Powershell

 The below Powershell script will help you to add VMSS managed identity to Azure Key vault access policy.

#First, Get the identity Object ID and application Id based on the managed identity name

$identity = Get-AzUserAssignedIdentity -ResourceGroupName "RGName" -Name "sample-vmssid"


# $identity.ClienId is the Application ID and $identity.PrincipalID is the Object ID. You can run the below command by passing parameters and permissions required to be set to the Key vault

Set-AzKeyVaultAccessPolicy -ResourceGroupName "RGName" -VaultName "VaultName-kvt" -ObjectId $identity.PrincipalId -ApplicationId $identity.ClientId -PermissionsToKeys get,list,unwrapKey,wrapKey -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create


#Thats it and you can see the vmss managed identity in the access policy for key vault.


#You can do the above using Azure CLI as well like below

spObjectID=$(az resource list -n vmss_name --query [*].identity.principalId --out tsv)

az keyvault set-policy -n vaultname-kvt --key-permissions get list wrapKey unwrapKey --secret-permissions backup restore --certificate-permissions get list delete create --object-id spObjectID


**Always share your knowledge**

Sunday, September 12, 2021

Set the compilation debug flag in IIS web.config

 One of the first things I check when troubleshooting ASP.NET applications is the debug flag in the web.config.

For this, I’ve written the following function that use the [xml] accelerator to cast the web.config file contents as an xmlDocument and use PowerShell’s dot notation to get the debug flag value, or use the .NET methods of the dom document to set the debug flag value:


function SetWebConfigDebugFlag {

    PARAM(

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]

        [string]$IISsitename,


        [Parameter(Mandatory=$true)]

        [ValidateSet(‘True’, ‘False’)]

        $DebugFlag = $false

    )

$mersite= Get-Website -Name $IISsitename

$appPath = $mersite.physicalPath + "\web.config"

$config = [xml](Get-Content -Path $appPath)

 try {

if (($config.SelectSingleNode(‘configuration/system.web/compilation’)) -eq $null) {

$compilation = $config.CreateElement(‘compilation’)

$sw = $config.SelectSingleNode(‘configuration/system.web’)

[void] $sw.AppendChild($compilation)

} 

if ($config.SelectSingleNode(‘configuration/system.web/compilation/debug’) -eq $null) {

$compilation = $config.SelectSingleNode(‘configuration/system.web/compilation’)

$compilation.SetAttribute(‘debug’, ($DebugFlag.ToString()).ToLower())

} else {

$config.configuration.‘system.web’.compilation.debug = $DebugFlag

}

$config.Save($appPath)

if($?) {

$Result = ‘Success’

$ThisDebugFlag = $DebugFlag

} else {

$Result = ‘Error saving the config file’

$ThisDebugFlag = ""

}

}

catch {

$Result = $appPath.Exception.Message

if ($Result -eq ‘You cannot call a method on a null-valued expression.’) {

$Result = "Configuration does not contain a ‘system.web’ section"

$ThisDebugFlag = ""

}

}

New-Object -TypeName PSObject -Property @{‘Path’=$appPath; ‘DebugFlag’=$ThisDebugFlag; ‘Result’=$Result }

}

#Calling the above function by passing iissitename and Debugflag params.

SetWebConfigDebugFlag -IISsitename "iissitename" -DebugFlag 'True'

Wednesday, September 8, 2021

Azure Sentinel- Most common Use cases deployment

 Ready to go . Just import them, configure any additional permissions needed. Take advantage of Azure Sentinel right now.


Disable Users from OnPrem Active Directory:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-OnPremADUser


Block Azure AD Users:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser


Integrate Azure Sentinel alerts with Service Now:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Close-SentinelIncident-fromSNOW


Add Comments (Guidelines) on Incidents:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Comment-RemediationSteps


Confirm Risks for Azure Active Directory Users:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Confirm-AADRiskyUser


Collect Threat Vulnerability Management report from compromised Machine:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Enrich-SentinelIncident-MDATPTVM


Send all details (Machine Vulnerabilities, Missing KBs, Security Recommendations, Alerts, Software Inventory) from a compromised Machine and send it via Teams:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-MachineData-EDR-SOAR-ActionsOnMachine


Send scheduled report focused on Cost Management:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-IngestionCostAlert


Start Packet Capture from a compromised Machine:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Run-AzureVMPacketCapture


Send scheduled report focused on Connector Heath:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus


Restrict App Execution in a compromised Machine:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Restrict-MDATPAppExectution

Monday, September 6, 2021

Backup objects into another vault in another subscription

 How to: Backup objects into another vault in another subscription

In this section, I'm getting the secret values and saving them into another vault directly. We want to do this without touching any disk files.

With this approach, we're simply fetching all secrets from Vault1 in Subscription1, and saving them to Vault2 in Subscription2. However, remember that the secrets we fetch now are not encrypted to your subscription, hence it's not a good idea to persist them in memory, sessions or disk. Here I'm not saving it to any variables.

Make sure you have installed Azure CLI for windows in order to run the below script.


Param(

    [parameter(mandatory)] [string] $sourceVaultName,

    [parameter(mandatory)] [string] $sourceSubscriptionId,

    [parameter(mandatory)] [string] $destinationVaultName,

    [parameter(mandatory)] [string] $destinationSubscriptionId,

    [string] $destinationSecretsDisable = $true

)


# 1. Set the source subscription id. 

Write-Host "Setting origin subscription to: $($sourceSubscriptionId)..."

az account set -s $sourceSubscriptionId


# 1.1 Get all secrets

Write-Host "Listing all origin secrets from vault: $($sourceVaultName)"

$originSecretKeys = az keyvault secret list --vault-name $sourceVaultName  -o json --query "[].name"  | ConvertFrom-Json


# 1.3 Loop the secrets, and push the value to the destination vault without instantiating new variables.

$originSecretKeys | ForEach-Object {

    $secretName = $_

    Write-Host " - Getting '$($secretName)' from origin, and setting in destination..."

    az keyvault secret set --name $secretName --vault-name $destinationVaultName -o none --value(az keyvault secret show --name $secretName --vault-name $sourceVaultName -o json --query "value")

}


Write-Host "Secrets restored."


You can call the above script as mentioned below

.\CopySecretsToAnotherVault.ps1 -originVault "vault1-name" -originSubscriptionId "SUBSCRIPTION GUID" -destinationVault "vault2-name" -destinationSubscriptionId "SUBSCRIPTION GUID"

Passing Keyvault certificates to Virtual Machine deployment using ARM template

 

Referencing certificate from keyvault in an ARM template

You need to make sure all parameters are passed

"virtualMachineProfile": {
          "osProfile": {
            "computerNamePrefix""[variables('compnamepref')]",
            "adminUsername""[variables('adminUPN')]",
            "adminPassword""[variables('adminpswd')]",
            "windowsConfiguration": {
              "provisionVMAgent"true,
              "enableAutomaticUpdates"false
            },
            "secrets": [
              {
                "sourceVault": {
                  "id""[resourceId(parameters('RG'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
                },
                "vaultCertificates": [
                  {
                    "certificateUrl""[parameters('Cert1')]",
                    "certificateStore""My"
                  },
                  {
                    "certificateUrl""[parameters('Cert2')]",
                    "certificateStore""My"
                  }
                ]
              }
            ]