DevOps and application security enthusiast's notes

Azure Verified Modules: Enterprise-Grade Bicep Templates

Sat, 20 Dec 2025 09:00:00 +0100

Building infrastructure-as-code from scratch can be time-consuming and error-prone. In a previous article, I covered how to govern Azure resources with Template Specs. Today, I want to introduce you to Azure Verified Modules (AVM) — Microsoft’s official library of pre-built, tested, and supported Bicep (and Terraform) modules that follow best practices out of the box.

What are Azure Verified Modules? #

Azure Verified Modules (AVM) is an initiative by Microsoft to provide a single source of truth for Infrastructure-as-Code modules. These modules are:

How to Deploy a Vue.js Static Site with Azure Developer CLI (azd)

Mon, 28 Apr 2025 07:00:00 +0100

Deploying modern front-end applications to the cloud should be simple, repeatable, and secure. In this article, I’ll show how to deploy a Vue.js static site to Azure using the Azure Developer CLI (azd), based on my azd-static-web-vuejs template repository.

Why Azure Developer CLI? #

The Azure Developer CLI (azd) is a tool that streamlines the process of provisioning Azure resources, deploying code, and managing environments. It’s especially useful for static web apps, as it combines infrastructure-as-code (Bicep), CI/CD, and local development workflows.

Azure SPN for automation

Tue, 31 Dec 2024 07:00:00 +0100

The purpose of this article is to showcase several authentication options for utilizing Azure resources in Continuous Integration (CI) pipelines. I’m going to use GitLab CI (any other DevOps platform would work as well). This guide demonstrates multiple authentication methods for integrating GitLab CI with Azure Cloud. These techniques can be applied to various scenarios, such as deploying infrastructure using Terraform or Azure Bicep. By exploring these authentication options, you’ll be better equipped to securely manage your Azure resources within your GitLab CI/CD pipelines.

Navigating Azure DevOps API: Retrieving Project Administrator Team Members

Wed, 09 Oct 2024 07:00:00 +0100

When managing projects in Azure DevOps, establishing proper governance and generating comprehensive reports often requires access to specific organizational data. One crucial piece of information is the membership of the default Project Administrator team, which is automatically created with each new project.

However, working with the ADO API can be challenging, especially when compared to other Microsoft APIs like Graph or Azure. The process of retrieving the Project Administrator team members involves multiple API calls across different endpoints, making it less straightforward than one might expect.

Leverage GitLab CI/CD Components for deployments in Azure

Sun, 26 May 2024 09:00:00 +0200

The GitLab’s CI/CD Catalog became recently generally available and therefore it’s time to build and share something useful and reusable for the community.

What are components? #

Components allow you to define reusable building blocks for your pipelines. They abstract away complexity and make pipelines more modular. Define a build component that can be reused across pipelines.

At the time of writing this article only template-type components available (there is CI steps coming up next). This article is about template-type components.

Structuring terraform projects

Fri, 20 Oct 2023 09:00:00 +0200

Howdy! It’s been awhile since I wrote here, time to shake off the dust from a pen and put something useful! 😉

In this article I’d like to share my thoughts on building terraform project in a way so that it fits the following:

Clear structure;
Reusable modules;
Multiple environments.

⚠️ This article is very much abstracted from a particular use case (i.e. it does not necessarily need to be targeting a specific cloud provider or use a specific terraform provider), its idea can be applied to any use case. We are looking at the following structure:

I am joining GitLab

Mon, 03 Apr 2023 09:00:00 +0200

I am joining GitLab, the world where everyone can contribute to live six core values (also known as CREDIT). 🎉

Being through various roles in the recent years, with all the broad experience gained, I am pretty sure about this choice and without doubts truly believe in the success of the company. I am joining the Professional Services Team to help our clients deliver the best products using GitLab’s DevOps platform. Reducing time to market by accelerating the adoption of modern software delivery methods is our (and, of course, mine) main priority.

Building GitLab demo - part 1

Fri, 28 Oct 2022 00:07:00 +0200

In these series I’d like to share my thoughts on building quick and approachable GitLab demo using as much as possible features and capabilities with less effort and keep cost slim as well. You may also want to check my first 6 months reflection on being part of the GitLab organisation.

I start with a GitLab instance and for the demo I am going to use Community Edition (since it does not require any commitments, but the same approach is possible to apply to EE). This is a good page to figure out what editions are available.

Static site with Hugo and Gitlab Pages

Fri, 30 Sep 2022 17:00:00 +0200

The intention of this post is to document the process of building this web site and outline some great resources I used along the journey. This is a static site based on Hugo and runs using GitLab pages. I have been fan of static sites for a while.

Back few years earlier I used Ruby on Rails framework, Docker Compose and lots of other technologies to run this site. 🤦‍♂️ This is no longer needed as we can easily publish content without all thes complexities …

Azure Policy as code with Bicep

Tue, 20 Sep 2022 07:00:00 +0200

Azure Policy is the way to enforce company’s standards and settle compliance properly at-scale. While it’s possible to do portal clickOps in small environments with little requirements, I found it’s error prone and cumbersome to deal with in anything that is bigger than just a personal Azure tenant and a demo subscription in it. :) In this article I want to walk through different aspects of policies, provide simple examples of deploying policies as code (Azure Bicep) and outline several resources that I used along the way in my journey. I highly recommend the following video (taken from here) to get started with policies:

How to build and deploy to Azure with GitLab

Thu, 08 Sep 2022 20:09:57 +0200

In this short post you’ll find how to prepare your GitLab to deploy to Azure.

Service principal #

Generate Service Principal (aka App Registration) using azure CLI (either builtin shell or local terminal, you must be logged in with Owner role credentials since we need to assign role to the scope):

1
2az ad sp create-for-rbac --name GitLabServicePrincipalName --role Owner --scopes /
3
4{
5 "appId": "<REDACTED>",
6 "displayName": "GitLabServicePrincipalName",
7 "password": "<REDACTED>",
8 "tenant": "<REDACTED>"
9}

Feel free to change scopes and role (i.e. custom role or subscription scope instead). Learn more how to generate SPN here.

How to make your own self-hosted VPN server using OpenVPN

Fri, 11 Mar 2022 07:00:00 +0100

In this article you’ll get end-to-end instructions on how to create and operate a self-hosted VPN server using OpenVPN community edition under 5 minutes for just 4 euros per month with unlimited number of connected clients. In this article you’ll also learn how to configure a client’s profile so you can get connected and use your self-hosted VPN server using either your computer or telephone. I’ll try to write as approachable as possible so anyone with decent computer knowledge can go through this and set it up. In the light of some recent changes in my motherland country it is important for people to stay connected with the rest of the world and follow broader sources of information for making personal opinions, avoid group thinking and maintain clear understanding of things happening around.

Quality controls in Azure DevOps with Prisma Cloud

Fri, 21 Jan 2022 09:00:00 +0100

This time I want to focus on quality by implementing CVE and compliance scan tool as well as the control gate on a release stage in Azure DevOps leveraging Prisma Cloud platform by Palo Alto Networks.

1├── README.md
2├── binaries
3│   └── twistcli
4├── pipelines
5│   └── azure-pipelines.yml
6└── src
7 └── Dockerfile

I would like to build my code using Azure DevOps pipelines and fail earlier as possible in case:

Azure resource governance with project Bicep and template specs

Fri, 14 Jan 2022 07:00:00 +0100

Last week I was setting up a static web site using Azure DevOps and Bicep consuming templates from git. This approach might not be the best option for a large environment with multiple teams as we’ll run into several challenges trying to share and (re)use the templates. Fortunately, Microsoft has a better place for the template. It’s called Azure Resource Manager template specs, which is a regular resource with type Microsoft.Resources/templateSpecs that has several benefits including ability to store templates with different versions (both ARM and Bicep are supported), manage access through Azure RBAC, template’s consumer does not need full access to it and can deploy resource just passing parameters.

Static web site on Azure with Azure DevOps and Bicep

Fri, 07 Jan 2022 07:00:00 +0100

In this sprint I’ll be setting up landing page (aka comming soon page or pre-launch page … static web site using Azure to be precise). The purpose of the exercise is to learn Microsoft’s capabilities around this topic. By the way, few years ago I wrote similar post for AWS services ;-)

All code from this sprint is here

 1├── README.md
 2├── pipelines
 3│   └── azure-pipelines.yml
 4├── src
 5│   ├── cake.png
 6│   ├── error.html
 7│   └── index.html
 8└── templates
 9 ├── main.bicep
10 ├── modules
11 │   ├── cdn.bicep
12 │   ├── scripts
13 │   │   └── staticweb.sh
14 │   └── storage-with-static-web.bicep
15 └── parameters.dev.json

I have the following objectives for this sprint:

Authenticate With Azure Container Registry From Azure Kubernetes Service

Sun, 10 Oct 2021 07:00:00 +0100

As an engineer I want to pull container images that are part of my pods’ deployments to Azure Kubernetes Service (further - AKS) from private container registry Azure Container Registry (further - ACR). I have created Azure Resource Group (further - RG), AKS and ACR. I have submitted my very first manifest with pod using kubectl, but all I can see is that my pod creation is endlessly pending…

By the way, if you don’t want to read this, you can watch this :)

Build and release Docker Compose using Azure DevOps

Sun, 01 Dec 2019 07:00:00 +0100

I’ve been fighting a bit with some of the Azure DevOps pipeline tasks trying to configure end-to-end solution for one of my side project. It is based on a good old Docker Compose and I am pretty happy with how it works in production. What I wanted to do is schematically described down below.

What is Azure DevOps #

Azure DevOps helps to plan smarter, collaborate better, and ship faster with a set of modern dev services. It’s a end-to-end solution for any software development cycle. Anyone can use it even for free with some limitations/conditions of usage (public projects, limited pipeline minutes per month etc). And it’s free unlimited git!

How to Use S3 compatible Minio with Cloudberry

Mon, 22 Jan 2018 07:00:00 +0100

Here at CloudBerry, where one of the goal I have is to help partners decide, pick and build right configuration for dealing with computers data when they need backup solution. FTP, SCP, WebDav and some other proprietary protocols have been here forever, where simplicity and flexibility made them number one in data protection and management fields as primary target configurations. But, there is big BUT! Time flies, we can afford tens or even hundreds mbps bi-direction circuits, where target configuration apart disk IOPs may become primary bottleneck. I would consider above protocols as legacy since they have number of limitations and slow due to architecture of data transfers. And this is where something else come up. Minio gets more and more scores as part of seamless storage system for self-hosted configurations. Quick example where you would follow this guide, — you offer backup and DR services, you have bunch of unused disks (JBOD), few NASes and huge spot of free space on one of your legendary legacy server, which is still alive and you can’t just throw it away since it is still powerful and can do the job.

Episode 2: Build your own free PBX with Asterisk

Sat, 18 Nov 2017 07:00:00 +0100

Welcome to the second Episode of the AWS Free tier series. This is going to be part one (total three parts), where we are going to build our PBX carcass based on free AWS EC2. The goal of this episode is to show how you can leverage AWS environment in full throttle and get super handy services for your daily usage. We will be using EC2, S3, DynamoDB for building robust and very very secure telephony system.

AWS EC2 user data script windows

Wed, 27 Sep 2017 07:00:00 +0100

Another interesting customer case at CloudBerry Lab brought me to Amazon EC2 User Data script back again. I used to make it in the past for Linux (check this article about EC2 user data script example). Now the task is similar, but OS is different.

The challenge #

We need to have application installed into the Guest OS in our EC2 instance on launch. In order to do this we need to walk through the following steps:

EC2 user data script example

Thu, 21 Sep 2017 07:00:00 +0100

Some time ago I wrote about Linux agent from CloudBerry Lab. This time I want to pack all together and show advanced capabilities of AWS.

When we launch AWS EC2 (compute instance in the cloud) we may want to have something pre-installed (or pre-done) before we get into this VM and start working. Let me give you an example. I do launch instances with Linux OS quite often for various reason (customer’s demo, testing applications, testing software etc) and I want to have number of steps without my intervention after launch. To be precise I need my software installed when I SSH into my either CentOS or Debian. Think wide now, don’t be locked in my software. Use anything you’d love to have. Well this is good article on how to have PHP installed. In my article I’d like to have CBL for Linux installed with storage configured and backup plan scheduled. Sound cool, right? Let’s do it.

How to send SMS using Amazon SNS and Python

Thu, 14 Sep 2017 07:00:00 +0100

We live in the World of messengers and this might be not relevant tutorial, however this is not true. Sometimes we may need short text message to notify someone about something (for example, someone with not fancy phone or someone who does not have Internet available on their phone or we just need to send short message about accident on the server or just to send message to our grandparents). With that in mind, let’s take a look at Amazon SNS service with SMS option.

AWS EFS Windows

Wed, 30 Aug 2017 07:00:00 +0100

This article was written more than 5 years ago and it was just an experiment …

Elastic File System (EFS) from Amazon was introduced at the end of 2016 (at re:Invent 2016) and in fact adds great value to cloud compute services like EC2. If you are not aware of this new service, in short - it is file share that you can mount to your cloud (or even on-prem servers connected to your VPC through Direct Connect service). Simply saying you can do mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 <ip-of-your-efs>:/ /tmp. This is copy/paste from AWS console with recommendation on mounting file share to Linux instance (of course you need to have NFS client with v4.1 support). And you can do this to multiple EC2 instances as well (even more - you can add this into Advanced details -> User’s data for launching new instances with EFS attached by default for all new instances). Something like this:

How to Run Rails App With Postgres Puma and Nginx in Docker

Mon, 15 May 2017 07:00:00 +0100

I would probably need to start this post with “why?” entry, however I leave it for other nice articles around this topic. I recently moved all my development from local environment (mac) to containers and have moved this web-site in production to containers (3 containers) with AmazonEC2 driver for docker-machine. This post contains boilerplates for Rails, PostgreSQL, nginx and some other configuration parts. I will be using Docker Compose.

Install Docker on mac #

I don’t think this needs to be explain since you can check this and it’s done in 2 minutes. If you do Docker for other operation system, check the same link, there are options for Windows and Linux environments. I would move to the next step once you have the below outputs as well (versions might be slightly different since they are rolling out updates frequently):

SEO friendly AWS static website with SSL

Mon, 09 Jan 2017 07:00:00 +0100

👉 This post was written in 2017. I am sure there are much better ways to arrange static web site. For instance I recently posted the following article: Static web site on Azure with Azure DevOps and Bicep which you may want to check! ✌️

Q: What is static website? A: It is website without dynamic data.

A: What is dynamic data? Q: Well, it is data that can or can’t be changed due to user’s (visitor) interactions, user’s (visitor) location, some internal conditions (for example whether conditions, currency exchange rate) and so-on.

How to backup PostgreSQL on Ubuntu to the cloud of your choice?

Fri, 30 Dec 2016 07:00:00 +0100

PostgreSQL is very popular solution as backend for many web projects (I believe there are other reasons to use PSQL for data store). I recently wrote short note about PSQL dump, but I’d love to extend its capabilities by offloading it to the separate storage (rather than keeping dumps in the production compute instance). Essentially, what I am going to describe here is how to backup PostgreSQL databases to the cloud (public) storage. I will use two different options: Amazon Simple Storage Service (S3) and Google Cloud Platform (GCP) and Nearline storage class (may be even Coldline to cut costs).

Conveyoring Files for Backup Cloudberry Backup With Prepost Scripts

Wed, 21 Dec 2016 07:00:00 +0100

Working with customers is always great experience and obviously it is one of the biggest way to learn new things. One of the case I’ve been working on (being CloudBerry Lab solutions architect member) had interesting requirements. Customer wanted to offload all their video data (exported surveillance content from their cameras) off to Amazon S3 with Infrequent Access storage class. This is very simple, but the interesting part is that amount of data depended on the time of the day and .. all these files are exported by third-party to certain directory on the server with cloud backup tool and you never knew their total size and more over you see those files (names), but you couldn’t touch them until they became over certain size. Last statement gave me really good strategy and the following iterations came up on board as acceptable solution.

AWS EC2 Linux backup

Wed, 14 Sep 2016 07:00:00 +0100

There is awesome Amazon Linux AMI, I think it is the most popular image that used for creating EC2 across all AWS regions. In fact you read / watch about it in every single tutorial / education course. I can just agree with all listed key features of it, but personally want to admit the following:

Lightweight. Indeed, it’s super small and contains just really basic. In free tier it is supplied by GP2 8GiB (General Purpose SSD with up to 3000 IOPS) and for daily tasks that should be fine;
Comes with built-in AWS CLI. This is what I really love! In few clicks with IAM role assigned ( (!!!) do NOT forget to do this launching your instance, otherwise you’ll miss that huge piece of Amazon);
Stable and the most reliable. This might be just my opinion, but as it is driven by Amazon and community, it should be the most robust and mature.

The launch part should be super simple and in most cases people just follow the wizard (keep your pem key in the right place and chmod it to the lowest number you can). There are different use cases people have with this image (from hosting PBX to SQL / noSQL DBs or webservices with Apache / Nginx etc). It’s all about data actually and data should be saved and recoverable.

Minimal object storage S3 compatible

Tue, 30 Aug 2016 07:00:00 +0100

At Cloudberry lab I’ve met lots of cases where customers would like to use their FTP or even webDAV stack as backup destination. In some cases this become a nightmare and either backup window is not affordable (e.g. backup performance is not really awesome). I started to seek for alternative to this legacy architectures and, I guess, I found the first and the fly is good so far! Minio — minimal object storage, what acts as generic s3 compatible storage.

Call recording Asterisk

Thu, 04 Aug 2016 07:00:00 +0100

I was experimenting with Asterisk IP/PBX, which I have explained how to deploy recently. It was a bit tough after few years of not touching it, but eventually I did it. One of the major feature you need to have, running heavy loaded call-center, is call recording. And fortunately there is embedded feature in this soft switch called MixMonitor. Well, there are few limitations, but using Linux and 3d party we can easily get rid of them (i.e. I want mp3 format for all my recordings instead of GSM or others).

Mount AWS S3 bucket to your Debian

Wed, 27 Jul 2016 07:00:00 +0100

This is really nice to have as it can extend Linux file system with unlimited capacity for assets / logs / recorded call etc. The key is S3FS!

Ok, let’s get started.

Create bucket in S3 and IAM user with full S3 access;
Install dependencies;
Install S3FS;
Save access and secret key;
Mount bucket;
Profit!

The following dependencies you will need:

1apt-get install build-essential git libfuse-dev libcurl4-openssl-dev libxml2-dev mime-support automake libtool pkg-config libssl-dev

Clone S3FS to your Linux FS:

Compile G729 for Asterisk from binaries

Tue, 22 Dec 2015 07:00:00 +0100

This is quite popular source of binaries for enabling premium G.729 module (codec_g729.so) in Asterisk. Let’s enable this module for our recently installed Asterisk v13.

Prerequisites #

In order to install this codec we need some prerequisites. Let’s get them and install. We can either wget it or clone from git. Does not matter. BCG729 is the lib we need.

1cd /usr/src/
2wget http://download-mirror.savannah.gnu.org/releases/linphone/plugins/sources/bcg729-1.0.0.tar.gz
3tar xzf bcg729-1.0.0.tar.gz
4cd bcg729-1.0.0
5./configure --libdir=/lib
6make
7make install

Binaries #

Let’s check our CPU type, Asterisk version

Fail2ban with Asterisk 13

Tue, 22 Dec 2015 07:00:00 +0100

Even having fresh AWS EC2 instance with either fixed or not IP, I start seeing constant attempts to get access to my SIP server. Brute force attacks are very famous and now I’m going to change this in my server by setting Fail2Ban in place.

Prepare Asterisk (logger.conf) #

Uncomment the following in your /etc/asterisk/logger.conf

1[general]
2dateformat = %F %T
3...
4[logfiles]
5security = security

Installing and configuring fail2ban using apt-get manager #

1sudo apt-get update
2apt-get install fail2ban

Once finished, let’s add the following to the end of /etc/fail2ban/jail.conf. Feel free to change numbers (they are self-explained).

How to install Asterisk IPPBX on Debian 8x jessie

Mon, 21 Dec 2015 07:00:00 +0100

I must admit, I did it last time in 2009 and was not aware of new generations at all. That time I used to work with Asterisk 1.4. Let’s see what has been missed. :)

Prerequisites #

Let’s update packages and install some dependencies.

1apt-get update
2apt-get install build-essential -y
3apt-get install git-core subversion libjansson-dev sqlite autoconf automake libtool libxml2-dev libncurses5-dev -y

Installation of Asterisk 13 #

Now we are ready to download and compile our PBX. Let’s quickly do this.

Fixing invalid locale settings in Debian 8

Mon, 21 Sep 2015 07:00:00 +0100

You might have met this before. Indeed! Very annoying. This is due to unset of locale variable in Debian environment specifically for Perl applications.

 1Can't set locale; make sure $LC_* and $LANG are correct!
 2perl: warning: Setting locale failed.
 3perl: warning: Please check that your locale settings:
 4LANGUAGE = (unset),
 5LC_ALL = (unset),
 6LC_CTYPE = "UTF-8",
 7LANG = "en_US.UTF-8"
 8are supported and installed on your system.
 9perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
10locale: Cannot set LC_CTYPE to default locale: No such file or directory
11locale: Cannot set LC_ALL to default locale: No such file or directory

To solve the above issue you need