pass value from one step into the next step in ARM deployment - azure-resource-manager

I’m using ARM template deployment to create resources.
As part of the deployment (at a given step), I need to use a secret from an existing keyvault.
Is there a way to fetch that data at one step and pass it to the next step that needs that data?

You can use the Key Vault secret in an ARM template with something similar to the example below:
"adminPassword": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/<SubscriptionID>/resourceGroups/<KeyVaultRG>/providers/Microsoft.KeyVault/vaults/<KeyVaultName>"
    },
    "secretName": "vmAdminPassword"
  }
}

Related

bitbucket API Rest - Getting branches from a repository

I am looking for the list of endpoints available in the Bitbucket API for getting the branches from a repository and a specific branch.
I was expecting to see something like:
GET /2.0/repositories/{workspace}/{repo_slug}/branches/
GET /2.0/repositories/{workspace}/{repo_slug}/branches/{branch}
So I can get the commits from a specific branch. 
I know I can get commits but with this endpoint, its scope is under repository perspective. 
Do you know if there are endpoints to work with branches and recursively into its hierarchy?
I looked over the documentation for API 2.0 but I did not see what I was looking for so that is why I am posting this question here.
In addition, I see some time ago that was not possible according to this answer, but it belongs to the version 1.0 of the API. Is it still true? 

When hitting this endpoint:
https://api.bitbucket.org/2.0/repositories/<workspace>/<repository-name>
# GET /2.0/repositories/{workspace}/{repo_slug}
You get a JSON document as a result. In the links attribute you get a key called branches. It is something like this:
{
  "scm": "git",
  "has_wiki": false,
  "links": {
    "watchers": {
      "href": "https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}/watchers"
    },
    "branches": {
      "href": "https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}/refs/branches"
    },
    ....
So you can hit the endpoint and get the branches:
https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}/refs/branches
# GET /2.0/repositories/{workspace}/{repo_slug}/refs/branches
And get a specific branch with
https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}/refs/branches/<branch-name>
# GET /2.0/repositories/{workspace}/{repo_slug}/refs/branches/<branch-name>

JSON API V1 Creating Nested Resources

I am implementing a JSON API V1 compliant API using Grape API that uses AR as the ORM. I am a little confused about the format to create nested resources / relationships. It looks like we need to create one resource at a time and can link to existing resources. But we can't, let's say, create records for a has-many relationship in the same request.
My situation: There is the Donation model. It has many Splits. A split belongs to a Fund. I need to create a donation with multiple splits.
Question: How can I structure the API according to the JSON:API recommendations?
Going through the documentation a few times, I am thinking I can't make the donation in one API call and will have to create each resource separately and maybe run a final commit to trigger the donation.
Step 1: Create the donation - assume returns ID 100
POST /api/v1/donations
{ type: "donation", data: { comments: "abc" } }
Step 2: Create Split 1
POST /api/v1/splits
{
  type: "split",
  data: { amount: 100_00 },
  relationships: {
    data: [{ type: "fund", id: 5 }, { type: "donation", id: 100 }]
  }
}
Finally: trigger the donation with something like
PATCH /api/v1/donations/100
{
  type: "donation",
  data: {
    state: "process"
  }
}
Is there a way to create it in one request?

The JSON:API specification does not support creating, updating or deleting multiple resources in one request in v1.0, which is the current stable version.
The upcoming v1.1 is planned to support Extensions, which allow extending the base specification. There is a proposal for an Atomic Operations extension provided by one of the maintainers of the specification. It's planned to be released with v1.1 as an official extension.

How to check permissions of an entity on create in appsync

Sorry for the unspecific title. However, I am having a hard time describing it.
I am using aws-appsync with aws cognito for authentication.
I've followed the amplify docs about the @auth annotation to handle permissions for mutations and queries.
Here is an example of my schema.
A user can create an entry and share it with others. However, they should only read the entry and should not have permissions to edit it.
An entry also has multiple notes. (And some more fields)
type Entry @model @versioned @auth (rules: [
  { allow: owner },
  { allow: owner, ownerField: "shared", queries: [get, list], mutations: []}
]) @searchable {
  id: ID!
  date: AWSDate
  updated_at: AWSDateTime
  text: String
  notes: [Note] @connection(name: "EntryNotes")
  shared: [String]!
}
And here is the note
type Note @model @versioned @auth (rules: [{ allow: owner }]) {
  id: ID!
  text: String
  track: Track!
  diary: DiaryEntry @connection(name: "EntryNotes")
}
This works fine so far. But the problem is the Note connection.
Because if you create a note you would create it like this:
mutation makeNote {
  createNote (input: {
    text: "Hello there!"
    noteEntryId: "444c80ee-6fd9-4267-b371-c2ed4a3ccda4"
  }) {
    id
    text
  }
}
The problem now is that you can create notes for entries that you do not have access to, if you somehow find out which id they have.
Is there a way to check if you have permissions to the entry before creating the note?

Currently, the best way to do this is via custom resolvers within the Amplify CLI. Specifically, you are able to use AppSync pipeline resolvers to perform the authorization check before creating the note. Your pipeline resolver would contain two functions. The first would look up the entry and compare the owner to the $ctx.identity. The second function would handle writing the record to DynamoDB. You can use the same logic found in build/resolvers/Mutation.createNote.re(q|s).vtl to implement the second function by copying it into the top level resolvers/ directory and then referencing it from your custom resource. After copying the logic, you will want to disable the default createNote mutation by changing @model to @model(mutations: { update: "updateNote", delete: "deleteNote" }).
For more information on how to set up custom resolvers see https://aws-amplify.github.io/docs/cli/graphql#add-a-custom-resolver-that-targets-a-dynamodb-table-from-model. For more information on pipeline resolvers (slightly different than the example in the amplify docs) see https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html. Also see the CloudFormation reference docs for AppSync https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-appsync.html.
Looking towards the future, we are working on a design that would allow you to define auth rules that span @connections. When this is done, it will automatically configure this pattern but there is not yet a set release date.
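
The first pipeline function described in the answer above, sketched as an added example (not code from the original answer or from Amplify's generated resolvers): its request and response mapping templates. It assumes the Entry table is this function's data source, that entries carry Amplify's default owner field, and that callers sign in through Cognito User Pools so $ctx.identity.username is populated.

```vtl
## ---- Function 1: request mapping template ----
## Look up the parent Entry named in the createNote input.
## Assumption: the foreign key arrives as input.noteEntryId, as in the
## makeNote mutation shown in the question.
{
  "version": "2018-05-29",
  "operation": "GetItem",
  "key": {
    "id": $util.dynamodb.toDynamoDBJson($ctx.args.input.noteEntryId)
  }
}

## ---- Function 1: response mapping template (a separate template) ----
## Surface data source failures instead of treating them as "not found".
#if( $ctx.error )
  $util.error($ctx.error.message, $ctx.error.type)
#end

## A missing entry and an entry owned by someone else get the same
## answer, so the response does not reveal which entry ids exist.
## Assumption: the owner attribute is named "owner" (Amplify default).
## Users listed in "shared" are read-only in the schema, so only the
## owner passes this check.
#if( $util.isNull($ctx.result) || $ctx.result.owner != $ctx.identity.username )
  $util.unauthorized()
#end

## The caller owns the entry: pass it on. The second function (the copied
## Mutation.createNote templates) then performs the PutItem for the Note.
$util.toJson($ctx.result)
```

Because $util.unauthorized() stops the pipeline, the second function never runs for a rejected request, so no Note row is written.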

Is there a way to generate a push ID from the Console in the new Realtime Database?

I have a listing node in my Database and wanted to add data into it from the web console. I want to have a push ID as the key of the object. Something like this:
{
"listing": {
"4acd4g1OreMyo2FkW6DlQH7ZhvY2": {
"name": "abc",
"location": "xyz"
}
}
}
where '4acd4g1OreMyo2FkW6DlQH7ZhvY2' would be the auto generated push ID.
I know it can be done using the Android/iOS/JS SDKs (using the push method). But is this possible from the console?

No, the console doesn't support it currently. I've been using Firebase for a while and I've never needed it :)

While the Firebase console doesn't support it officially, there is a service called Mockaroo that can generate a Firebase random id. Make sure to pick the Firebase option in the format dropdown.

Key vault values from deployment, and linked templates parameters

I have a template to create a key vault and a secret within it. I also have a service fabric template, that requires 3 things from the key vault: the Vault URI, the certificate URL, and the certificate thumbprint.
If I create the key vault and secret with powershell, it is easy to manually copy these 3 things from the output, and paste them into the parameters of the service fabric template. However, what I am hoping to do, due to the fact that this cert has the same life cycle as the service fabric cluster, is to link from the key vault template to the service fabric template, so when I deploy the key vault and secret (which btw is a key that has been base 64 encoded to a string. I could have this as a secret in yet another key vault...), I can pass the 3 values on as parameters.
So I have two questions.
1. How do I retrieve the 3 values in the ARM template? PowerShell outputs them as 'ResourceId' of the key vault, 'Id' of the secret, and 'Version' of the secret. My attempt:
"sourceVaultValue": {
  "value": "resourceId('Microsoft.KeyVault/vaults/', parameters('keyVaultName')"
},
"certificateThumbprint": {
  "value": "[listKeys(resourceId('secrets', parameters('secretName')), '2015-06-01')"
},
"certificateUrlValue": {
  "value": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net:443/secrets/', parameters('secretName'), resourceId('secrets', parameters('secretName')))]"
But the certificateUrlValue is incorrect. You can see I tried with and without listKeys, but neither seemed to work... (The thumbprint is within the certUrl itself)
2. If I were to get the correct values, I would like to try to pass them as parameters to the next template. The template in question has quite a few more parameters than the 3 I want to pass, however. So is it possible to have a parametersLink element to link to the parameter file, as well as a parameters element for just those 3? Or is there an intended way of doing this?
Cheers

Ok, try this when you get back to the keyboard...
1) for the uri, you can use an output like:
"secretUri": {
  "type": "string",
  "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName'))).secretUri]"
}
For #2, you cannot mix and match the link and some values, it's one or the other.
A couple thoughts on how you could do this (it depends a bit on how you want to structure the rest of your deployment)...
One way to think of this is, instead of nesting the SF, deploy them in the same template since they have the same lifecycle.
Instead of nesting the SF template, nest the KV template and reference the outputs of that deployment in the SF template...
Aside from that I can't think of anything elegant - since you want to pass "dynamic" params to a nested deployment really the only way to do that is to dynamically write the param file behind the link or pass all the params into the deployment resource.
HTH - LMK if it doesn't...

Can't reference a secret with dynamic id!!!!
The obvious problems with this way of doing things are:
Someone needs to type the cleartext password which means:
it needs to be known to anyone who provisions the environment and how do I feed it into an automated environment deployment? If I store the password in a parameter… ???????
"variables": {
  "tenantPassword": {
    "reference": {
      "keyVault": {
        "ID": "[concat(subscription().id,'/resourceGroups/',parameters('keyVaultResourceGroup'),'/providers/Microsoft.KeyVault/vaults/', parameters('VaultName'))]"
      },
      "secretName": "tenantPassword"
    }
  }
},
