Match a Deployment ID in Windows Azure - azure

I have several different services running the same code base as windows azure worker roles.
I'm trying to test and see if the currently executing code is running in a specific instance. If I call to this in the management API:
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(
new Uri("https://management.core.windows.net/" + subscriptionId + "/services/hostedservices/<<servicename>>/deploymentslots/production?embed-detail=true"));
I get a response like this:
<Deployment xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Name>c8bd3b12f1bc4e0db9d8c1d59e97e48b</Name>
<DeploymentSlot>Production</DeploymentSlot>
<PrivateID>d1ea61e367e84aedb68de97eded3e896</PrivateID>
<Status>Running</Status>
<Label>SXRlbVVwZGF0ZXIgLSAzLzEzLzIwMTMgMTA6NDQ6MTUgQU0=</Label>
<Url>http://itemupdater3.cloudapp.net/</Url>
<RoleInstanceList>
<RoleInstance>
<RoleName>UpdateItems</RoleName>
<InstanceName>UpdateItems_IN_0</InstanceName>
<InstanceStatus>Ready</InstanceStatus>
</RoleInstance>
</RoleInstanceList>
<UpgradeDomainCount>1</UpgradeDomainCount>
<RoleList>
<Role>
<RoleName>UpdateItems</RoleName>
<OsVersion>WA-GUEST-OS-1.22_201302-02</OsVersion>
</Role>
</RoleList>
</Deployment>
I'm trying to test and see if the currently executing code has the same ID as this response.
If I compare:
xml["Deployment"]["Name"].InnerText;
To
RoleEnvironment.CurrentRoleInstance.Role.Instances[0].Id;
It never matches. How do I match something from the C# to the ID returned from the API?
Thanks!

You're trying to compare the name of the deployment (typically a single guid-like string, unique every time you redeploy) to the name of the instance (follows a pattern of RoleName_IN_xxx). They will never match.
I'm not 100% sure what you're trying to do, but the call to Service Management API will never give you information on your current instance - because it does not know where you run from; you can even call the API from non-Azure resources. It will simply give you data about the whole subscription.
RoleEnvironment.CurrentRoleInstance.Id will provide you with the ID of the current instance.

kevin, use the RoleEnvironment.DeploymentId instead of the RoleEnvironment.CurrentRoleInstance. This will allow you to compare what is currently running with what you get from the service management API.

Related

Azure API management and App Function backend: Backend with id 'foo' could not be found

In my company we have identical environments for our application: IT, ST, AT and PRD. We use Terraform to deploy our Azure resources, and are currently attempting to set up an API management solution which passes calls to a Function App backend.
The set up is fairly simple, we have a series of APIs declared, and in their backend policies we declare this bit:
<policies>
<inbound>
<set-backend-service id="apim-generated-policy" backend-id="function-at" />
</inbound>
</policies>
In IT/ST we have been able to set this successfully. However, when our Terraform pipeline runs on AT, it always fails to update our APIs with this error:
Error: Error creating or updating API Operation Policy (Resource Group "rg-at" / API Management Service "api-at" / API "call" / Operation "get-call"):
apimanagement.APIOperationPolicyClient#CreateOrUpdate: Failure responding to request:
StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ValidationError" Message="One or more fields contain incorrect values:" Details=[{"code":"ValidationError","message":"Error in element 'set-backend-service' on line 3, column 6: Backend with id 'function-at' could not be found.","target":"set-backend-service"}]
When attempting to add this line manually in the Azure UI, the same error occurs:
Error in element 'set-backend-service' on line 3, column 10:
Backend with id 'function-at' could not be found.
I cannot understand why this refuses to work. The function exists and is in the same resource group as the API manager. My best guess is that someone has changed a setting manually in the other environments that is not reflected in the Terraform code. How can I go about troubleshooting this issue? I did a side-by-side comparison of the ST and AT APIs/functions and did not find any obvious differences.
Thanks in advance for any help!
I faced the same problem during Terraform deployment and for me solution was to add api_management_backend and in policy I was able reference to it.
I would say the problem is you are not setting the base-url property, so then the APIM service is not able to detect the backend component using the id. You need to specify both base-url and backend-id in case you want to use the id, as it explains in this article.
After messing around with this issue for some days, it appears the problems is that to use a backend, this backend needs to be declared first so that the API manager views it as available. I was not able to find anywhere in the UI where these "available" backends can be viewed or edited, but I reached this conclusion based on the (very sparse) description here.
It also seems like this process is done automatically when adding an API manually through the UI. This however is not the case when trying to do it with Terraform, so it appears the correct procedure would be to first publish the backend with Powershell, and then try to add it to the API with TF.
I added this to my terraform xml id="apim-generated-policy" it all then worked! It took a few good hours to figure this one out!

Get Google App Engine LocationId at runtime

The new Cloud Tasks python libraries require location as task creation parameter. I can always look up the location and hardcode it, but everything else, including the project name, is available through environment variables. Is there a way to get the locationId (eg. us-central1) from python3 standard environment?
The REST API (and presumably the python client library) for AppEngine can return the location id if you know the application name:
https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps/get
The Application object that is returned has a "locationId" key.
However, note that the cloud tasks documentation calls out 2 exceptions to verbatim using this identifier: europe-west and us-central need to be passed to tasks as europe-west1 and us-central1 respectively.
It's possible to get this information from the Metadata server. Accessing http://metadata.google.internal/computeMetadata/v1/instance/region from your app will return a string of the form 'projects/[numeric-project-id]/regions/[locationId]'.

Precompiled Azure Function and SOAP endpoints

I'm writing a precompiled Azure function that will perform a SOAP call to ServiceNow. The code works as a standalone exe but I can't seem to get it converted to a precompiled function. In know it's because my DLL can't find the app.config file but what's the best way to get around it. Error message below. ServiceNow requires I set certain bindings and endpoint configuration. The other contractors for their ServiceNowSoapClient class allow me to specify a url directly but don't seem to allow me to get to the binding settings.
Exception while executing function: Functions.TimerTriggerCSharp.
System.ServiceModel: Could not find endpoint element with name
'ServiceNowSoapDev' and contract 'ServiceNowReference.ServiceNowSoap'
in the ServiceModel client configuration section. This might be
because no configuration file was found for your application, or
because no endpoint element matching this name could be found in the
client element.
In WCF you can define your client binding and endpoint programmatically instead of using app.config. Use the constructor of the generated client with two parameters:
new ServiceNowSoapClient(binding, remoteAddress);
See more code here.

How can I sign a JWT token on an Azure WebJob without getting a CryptographicException?

I have a WebJob that needs to create a JWT token to talk with an external service. The following code works when I run the WebJob on my local machine:
public static string SignES256(byte[] p8Certificate, object header, object payload)
{
var headerString = JsonConvert.SerializeObject(header);
var payloadString = JsonConvert.SerializeObject(payload);
CngKey key = CngKey.Import(p8Certificate, CngKeyBlobFormat.Pkcs8PrivateBlob);
using (ECDsaCng dsa = new ECDsaCng(key))
{
dsa.HashAlgorithm = CngAlgorithm.Sha256;
var unsignedJwtData = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(headerString)) + "." + Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(payloadString));
var signature = dsa.SignData(Encoding.UTF8.GetBytes(unsignedJwtData));
return unsignedJwtData + "." + Base64UrlEncoder.Encode(signature);
}
}
However, when I deploy my WebJob to Azure, I get the following exception:
Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: NotificationFunctions.QueueOperation ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.NCryptNative.ImportKey(SafeNCryptProviderHandle provider, Byte[] keyBlob, String format) at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider)
It says it can't find a specified file, but the parameters I am passing in are not looking at a file location, they are in memory. From what I have gathered, there may be some kind of cryptography setting I need to enable to be able to use the CngKey.Import method, but I can't find any settings in the Azure portal to configure related to this.
I have also tried using JwtSecurityTokenHandler, but it doesn't seem to handle the ES256 hashing algorithm I need to use (even though it is referenced in the JwtAlgorithms class as ECDSA_SHA256).
Any suggestions would be appreciated!
UPDATE
It appears that CngKey.Import may actually be trying to store the certificate somewhere that is not accessible on Azure. I don't need it stored, so if there is a better way to access the certificate in memory or convert it to a different kind of certificate that would be easier to use that would work.
UPDATE 2
This issue might be related to Azure Web Apps IIS setting not loading the user profile as mentioned here. I have enabled this by setting WEBSITE_LOAD_USER_PROFILE = 1 in the Azure portal app settings. I have tried with this update when running the code both via the WebJob and the Web App in Azure but I still receive the same error.
I used a decompiler to take a look under the hood at what the CngKey.Import method was actually doing. It looks like it tries to insert the certificate I am using into the "Microsoft Software Key Storage Provider". I don't actually need this, just need to read the value of the certificate but it doesn't look like that is possible.
Once I realized a certificate is getting inserted into a store somewhere one the machine, I started thinking about how bad of a think that would be from a security standpoint if your Azure Web App was running in a shared environment, like it does for the Free and Shared tiers. Sure enough, my VM was on the Shared tier. Scaling it up to the Basic tier resolved this issue.

Microsoft Unity - How to register connectionstring as a parameter to repository constructor when it can vary by client?

I am relatively new to IoC containers so I apologize in advance for my ignorance.
My application is a asp.net 4.0 MVC app that uses the Entity Framework with a Repository layer on top of that. It is a multi tenant application so the connection string that is used varies by the logged in client.
The connection string is determined by a 'key' that gets passed in as part of the route which indicates the client. This route data is only present on the first request of the user's session.
The route looks kind of like this: http://{host}/login/dev/
where 'dev' indicates we are using the dev database.
Currently the IoC container is registering all dependencies in the global.asax Application_Start event handler and I have the 'key' hardcoded as follows:
var cnString = CommonServices.GetDBConnection("dev");
container.RegisterType<IRequestMgmtRecipientRepository, RequestMgmtRecipientRepository>(
new InjectionConstructor(cnString));
Is there a way with Unity to dynamically register the repository based on the logged in client using the route data that is supplied initially?
Note: I am not manually resolving the repositories. They are getting constructed by the container when the controllers get instantiated.
I am stumped.
Thanks!
Quick assumption, you can use the host to identify your tenant.
the following article has a slightly different approach http://www.agileatwork.com/bolt-on-multi-tenancy-in-asp-net-mvc-with-unity-and-nhibernate-part-ii-commingled-data/, its using NH, but it is usable.
based on the above this hacked code may work (not tried/complied the following, not much of a unity user, more of a windsor person :) )
Container.RegisterType<IRequestMgmtRecipientRepository, RequestMgmtRecipientRepository>(new InjectionFactory(c =>
{
//the following you can get via a static class
//HttpContext.Current.Request.Url.Host, if i remember correctly
var context = c.Resolve<HttpContextBase>();
var host = context.Request.Headers["Host"] ?? context.Request.Url.Host;
var connStr = CommonServices.GetDBConnection("dev_" + host); //assumed
return new RequestMgmtRecipientRepository(connStr);
}));
Scenario 2 (i do not think this was the case)
if the client identifies the Tenant (not the host, ie http: //host1), this suggests you would already need access to a database to access the client information? in this case the database which holds client information, will also need to have enough information to identify the tenant.
the issue with senario 2 will arise around anon uses, which tenant is being accessed.
assuming senario 2, then the InjectionFactory should still work.
hope this helps

Resources