Forem: Dariusz Parys The latest articles on Forem by Dariusz Parys (@dariuszparys). https://forem.com/dariuszparys https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F335552%2F26a7866a-3e51-4c7e-800b-a33c00d99acb.jpeg Forem: Dariusz Parys https://forem.com/dariuszparys en Just Your Commands Dariusz Parys Mon, 31 Mar 2025 10:07:15 +0000 https://forem.com/dariuszparys/just-your-commands-4c6f https://forem.com/dariuszparys/just-your-commands-4c6f <p><strong>Just</strong> is a simple command runner. You can get if from <a href="https://just.systems" rel="noopener noreferrer">https://just.systems</a>. I use it meanwhile regularly, and it improves consistency between my local environment and my CI/CD pipelines. Let me explain this with a trivial walkthrough.</p> <h2> Deploying Infrastructure </h2> <p>A common task is to deploy infrastructure. As I use mostly Azure for infrastructure deployments, I use bicep to do them. For this scenario a simple storage deployment will act as the canonical Hello, World. example. You can find the code for the scripts at my GitHub.</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/dariuszparys" rel="noopener noreferrer"> dariuszparys </a> / <a href="https://github.com/dariuszparys/just-your-commands" rel="noopener noreferrer"> just-your-commands </a> </h2> <h3> Sample source code for the blog post https://www.dariuszparys.com/just-your-commands/ </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Azure Bicep Deployment with Just</h1> </div> <p>This project uses <a href="https://github.com/casey/just" rel="noopener noreferrer">Just</a> as a command runner to manage Azure Bicep deployments.</p> <div class="markdown-heading"> <h2 class="heading-element">Prerequisites</h2> </div> <ol> <li> <p>Install <a href="https://github.com/casey/just#installation" rel="noopener noreferrer">Just</a></p> </li> <li> <p>Install <a href="https://docs.microsoft.com/en-us/cli/azure/install-azure-cli" rel="nofollow noopener noreferrer">Azure CLI</a></p> </li> <li> <p>Install <a href="https://github.com/PowerShell/PowerShell#get-powershell" rel="noopener noreferrer">PowerShell</a></p> </li> <li> <p>Log in to Azure CLI:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>az login</pre> </div> </li> </ol> <div class="markdown-heading"> <h2 class="heading-element">Environment Variables</h2> </div> <p>Set the following environment variables before running the deployment:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-k">export</span> AZURE_SUBSCRIPTION_ID=<span class="pl-s"><span class="pl-pds">"</span>your-subscription-id<span class="pl-pds">"</span></span> <span class="pl-k">export</span> DEPLOYMENT_ENVIRONMENT=<span class="pl-s"><span class="pl-pds">"</span>dev<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Optional, defaults to "dev"</span> <span class="pl-k">export</span> AZURE_LOCATION=<span class="pl-s"><span class="pl-pds">"</span>northeurope<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Optional, defaults to "northeurope"</span> <span class="pl-k">export</span> DEPLOYMENT_NAME=<span class="pl-s"><span class="pl-pds">"</span>just-demo<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Optional, defaults to "just-demo"</span> <span class="pl-k">export</span> RESOURCE_GROUP_NAME=<span class="pl-s"><span class="pl-pds">"</span>rg-just-demo<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Optional, defaults to "rg-just-demo"</span></pre> </div> <div class="markdown-heading"> <h2 class="heading-element">Available Commands</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">Validate Deployment</h3> </div> <p>To validate the Bicep template and see what changes would be made:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>just validate-all</pre> </div> <p>This command will:</p> <ol> <li>Lint the Bicep files</li> <li>Validate the deployment</li> <li>Show what-if changes</li> </ol> <div class="markdown-heading"> <h3 class="heading-element">Deploy</h3> </div> <p>To deploy the infrastructure:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>just deploy</pre> </div> <div class="markdown-heading"> <h3 class="heading-element">Clean Up</h3> </div> <p>To delete the deployment and resource group:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>just destroy</pre> </div> <div class="markdown-heading"> <h2 class="heading-element">Additional Commands</h2> </div> <ul> <li> <code>just help</code> - Lists all available commands</li> <li> <code>just lint</code> -…</li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/dariuszparys/just-your-commands" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>The workflow usually consists of these steps to make the deployment</p> <ol> <li>Lint the file <code>az bicep lint --file main.bicep</code> </li> <li>Validate the script <code>az deployment sub validate --template-file main.bicep --parameters environments/dev.bicepparam</code> </li> <li>Make a what-if analysis <code>az deployment sub what-if --template-file main.bicep --parameters environments/dev.bicepparam</code> </li> <li>Deploy to Infrastructure <code>az deployment sub create --template-file main.bicep --parameters environments/dev.bicepparam</code> </li> </ol> <p>This can now be scripted or in this case I use <strong>just</strong> so I will write recipes to execute those steps.</p> <h2> Simple Just Anatomy </h2> <p>I don't want to explain things that are already explained in the <a href="https://just.systems/man/en/" rel="noopener noreferrer">Just manuals</a>, but it helps to have a quick context without digging into this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>environment :<span class="o">=</span> <span class="nb">env</span><span class="o">(</span><span class="s2">"DEPLOYMENT_ENVIRONMENT"</span>, <span class="s2">"dev"</span><span class="o">)</span> <span class="c"># Lists all available recipies</span> <span class="nb">help</span>: @just <span class="nt">--list</span> _hello <span class="nv">name</span><span class="o">=</span><span class="s2">"world"</span>: @echo <span class="s2">"Hello, {{name}}"</span> <span class="c"># Deploys infrastructure to defined environment</span> deploy: _hello @echo <span class="s2">"Deploying to {{environment}}"</span> </code></pre> </div> <p>A lot happens here</p> <p>First, the variable environment gets either assigned an available environment variable called <code>DEPLOYMENT_ENVIRONMENT</code> or if not available, the value <code>dev</code>. So <strong>just</strong> has functions that can be used in recipes</p> <p>Second, the first function will be executed when no parameter is applied to the <code>just</code> command. Therefore, I often use <code>help</code> as my first recipe.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ just Available recipes: deploy <span class="c"># Deploys infrastructure to defined environment</span> <span class="nb">help</span> <span class="c"># Lists all available recipies</span> </code></pre> </div> <p>Third, <strong>just</strong> can have private recipes like <code>_hello</code> which also contains a parameter with a default value</p> <p>Fourth, <code>deploy</code> leverages the private recipe when called and executes it first without providing any parameter. Therefore, the default is taken.</p> <p>Please note that comments applied before recipes are used as description in the <code>--list</code> parameter of <code>just</code> and private recipes are not listed.</p> <p>Calling now <code>just deploy</code> outputs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ just deploy Hello, world Deploying to dev </code></pre> </div> <h2> My Just Approach </h2> <p>In my working environment and especially in the teams I am working with a lot of people still use Windows. PowerShell is set as the de-facto shell across all operating systems.</p> <h3> PowerShell Shebang </h3> <p>To enable just now to execute all commands using PowerShell I always define at the very top of my <code>justfile</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>shebang :<span class="o">=</span> <span class="k">if </span>os<span class="o">()</span> <span class="o">==</span> <span class="s1">'windows'</span> <span class="o">{</span> <span class="s1">'pwsh.exe'</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="s1">'/usr/bin/env pwsh'</span> <span class="o">}</span> <span class="nb">set </span>shell :<span class="o">=</span> <span class="o">[</span><span class="s2">"pwsh"</span>, <span class="s2">"-c"</span><span class="o">]</span> <span class="nb">set </span>windows-shell :<span class="o">=</span> <span class="o">[</span><span class="s2">"pwsh.exe"</span>, <span class="s2">"-NoProfile"</span>, <span class="s2">"-Command"</span><span class="o">]</span> </code></pre> </div> <p>This will instruct the execution engine to use PowerShell as the execution shell. There are two variables depending on the environment <code>shell</code> and <code>windows-shell</code> that are used for that.</p> <p>The <code>shebang</code> is used when a recipe will spawn multiple lines and needs to keep the context. If you don't specify this, the commands will be executed in their own environment without knowing anything about the previous line.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test without</span> without: Write-Host <span class="s2">"Without"</span> <span class="nv">$some_var</span> <span class="o">=</span> <span class="s2">"Without"</span> Write-Host <span class="nv">$some_var</span> </code></pre> </div> <p>When executing <code>without</code> you see in the output that the variable is set, but it is not available when writing to console anymore, as each line is in its own context<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ just without Write-Host <span class="s2">"Without"</span> Without <span class="nv">$some_var</span> <span class="o">=</span> <span class="s2">"Without"</span> Write-Host <span class="nv">$some_var</span> </code></pre> </div> <p>Using now the shebang defined above, it works<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Test with</span><span class="w"> </span><span class="n">with:</span><span class="w"> </span><span class="c">#!{{shebang}}</span><span class="w"> </span><span class="n">Set-PSDebug</span><span class="w"> </span><span class="nt">-Trace</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"With"</span><span class="w"> </span><span class="nv">$some_var</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"With"</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="nv">$some_var</span><span class="w"> </span><span class="n">Set-PSDebug</span><span class="w"> </span><span class="nt">-Off</span><span class="w"> </span></code></pre> </div> <p>The output does keep the variable because it executes it with the defined shell environment in one context<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> just with DEBUG: 32+ <span class="o">&gt;&gt;&gt;&gt;</span> Write-Host <span class="s2">"With"</span> With DEBUG: 33+ <span class="o">&gt;&gt;&gt;&gt;</span> <span class="nv">$some_var</span> <span class="o">=</span> <span class="s2">"With"</span> DEBUG: 34+ <span class="o">&gt;&gt;&gt;&gt;</span> Write-Host <span class="nv">$some_var</span> With DEBUG: 35+ <span class="o">&gt;&gt;&gt;&gt;</span> Set-PSDebug <span class="nt">-Off</span> </code></pre> </div> <h3> The First Recipe is Help </h3> <p>I always define this as my very first recipe<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Lists all available recipies</span> <span class="nb">help</span>: @just <span class="nt">--list</span> </code></pre> </div> <p>So, when I invoke <code>just</code> every recipe is listed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ just Available recipes: deploy <span class="c"># Deploys infrastructure to defined environment</span> <span class="nb">help</span> <span class="c"># Lists all available recipies</span> with <span class="c"># Test with</span> without <span class="c"># Test without</span> </code></pre> </div> <h3> Use Short Recipe Scripts </h3> <p>Using a shebang allows writing scripts as complex as you want. Usually if I tend to use more than one branching path in my script, I extract them into my own PowerShell modules. I invoke them e.g.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">module_path</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="s2">"path/to/psmd"</span><span class="w"> </span><span class="c"># Install k3s using Ansible</span><span class="w"> </span><span class="n">k3s-install:</span><span class="w"> </span><span class="c">#!{{ shebang }}</span><span class="w"> </span><span class="n">Import-Module</span><span class="w"> </span><span class="s2">"./{{module_path}}"</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="n">Install-K3sCluster</span><span class="w"> </span><span class="nt">-Verbose</span><span class="w"> </span></code></pre> </div> <h3> No Here Strings </h3> <p>I haven't found a way to use here strings with just. test. For instance, if I have a recipe like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Initializes the configuration toml</span><span class="w"> </span><span class="n">init:</span><span class="w"> </span><span class="c">#!{{shebang}}</span><span class="w"> </span><span class="nv">$toml</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sh">@" [package] name = "my-project" version = "0.1.0" edition = "2021" [dependencies] serde = { version = "1.0", features = ["derive"] } toml = "0.7" "@</span><span class="w"> </span><span class="nv">$toml</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-File</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="s2">"Cargo.toml"</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Created Cargo.toml"</span><span class="w"> </span></code></pre> </div> <p>It would just complain about the content inside the here string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ just <span class="nt">--list</span> error: Unknown attribute <span class="sb">`</span>package<span class="sb">`</span> ——▶ justfile:5:2 │ 5 │ <span class="o">[</span>package] │ ^^^^^^^ </code></pre> </div> <p>So, I put things like this in an external PowerShell function.</p> <h3> Use Just Recipes in CI/CD </h3> <p>I aim to have my recipes agnostic to the environment. That said, I use them as well in the CI/CD environment. One drawback to using <strong>just</strong> is that the current GitHub runners or Azure DevOps agent don't have just pre-configure on their environments. So before using them, e.g. in Azure DevOps I have a task installing <strong>just</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">Bash@3</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">targetType</span><span class="pi">:</span> <span class="s1">'</span><span class="s">inline'</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">wget -qO - 'https://proget.makedeb.org/debian-feeds/prebuilt-mpr.pub' | gpg --dearmor | sudo tee /usr/share/keyrings/prebuilt-mpr-archive-keyring.gpg 1&gt; /dev/null</span> <span class="s">echo "deb [arch=all,$(dpkg --print-architecture) signed-by=/usr/share/keyrings/prebuilt-mpr-archive-keyring.gpg] https://proget.makedeb.org prebuilt-mpr $(lsb_release -cs)" | sudo tee /etc/apt/sources.list.d/prebuilt-mpr.list</span> <span class="s">sudo apt update</span> <span class="s">sudo apt install -y just</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Install</span><span class="nv"> </span><span class="s">just'</span> </code></pre> </div> <p>I also only use either <code>AzureCLI@2</code> or <code>Bash@3</code> tasks in my piplines (on Azure DevOps). To invoke a recipe e.g.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">Bash@3</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Build</span><span class="nv"> </span><span class="s">APIs'</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">targetType</span><span class="pi">:</span> <span class="s1">'</span><span class="s">inline'</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">just containerize-apis</span> <span class="na">env</span><span class="pi">:</span> <span class="na">REGISTRY</span><span class="pi">:</span> <span class="s">$(registry)</span> <span class="na">TAG</span><span class="pi">:</span> <span class="s">$(buildTag)</span> </code></pre> </div> <p>The recipe (simplified version) looks like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">targetRegistry</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"REGISTRY"</span><span class="p">,</span><span class="w"> </span><span class="s2">"localhost:5050"</span><span class="p">)</span><span class="w"> </span><span class="n">buildTag</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"TAG"</span><span class="p">,</span><span class="w"> </span><span class="s2">"latest-dev"</span><span class="p">)</span><span class="w"> </span><span class="c"># Build all API containers</span><span class="w"> </span><span class="n">containerize-apis:</span><span class="w"> </span><span class="p">(</span><span class="n">containerize-facilitymanagement</span><span class="w"> </span><span class="nx">targetRegistry</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">containerize-storymanagement</span><span class="w"> </span><span class="nx">targetRegistry</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">containerize-queuemanagement</span><span class="w"> </span><span class="nx">targetRegistry</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">containerize-videostreaming</span><span class="w"> </span><span class="nx">targetRegistry</span><span class="p">)</span><span class="w"> </span><span class="c"># Build Docker container for Queue Management API</span><span class="w"> </span><span class="n">containerize-queuemanagement</span><span class="w"> </span><span class="nx">registry:</span><span class="w"> </span><span class="c">#!{{ shebang }}</span><span class="w"> </span><span class="n">docker</span><span class="w"> </span><span class="nx">build</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--tag</span><span class="w"> </span><span class="p">{{</span><span class="n">registry</span><span class="p">}}</span><span class="n">/api-queuemanagement:</span><span class="p">{{</span><span class="n">buildTag</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--file</span><span class="w"> </span><span class="n">src/Api.QueueManagement/Dockerfile</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="o">.</span><span class="w"> </span></code></pre> </div> <h2> Back Deploying Infrastructure </h2> <p>I started to discuss how I deploy infrastructure using <strong>just</strong>. When you have a look at the sample <code>justfile</code> I published, you will see that my approach is applied to this. You could argue that destroy is too many lines of code. Yes, this can be extracted to an external script or module. I usually like to use PowerShell modules, but one function is not enough for me to consider this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">shebang</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="n">os</span><span class="p">()</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s1">'windows'</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s1">'pwsh.exe'</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s1">'/usr/bin/env pwsh'</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="nx">shell</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"pwsh"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-c"</span><span class="p">]</span><span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="nx">windows-shell</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"pwsh.exe"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-NoProfile"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-Command"</span><span class="p">]</span><span class="w"> </span><span class="n">subscription-id</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"AZURE_SUBSCRIPTION_ID"</span><span class="p">)</span><span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"DEPLOYMENT_ENVIRONMENT"</span><span class="p">,</span><span class="w"> </span><span class="s2">"dev"</span><span class="p">)</span><span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"AZURE_LOCATION"</span><span class="p">,</span><span class="w"> </span><span class="s2">"northeurope"</span><span class="p">)</span><span class="w"> </span><span class="n">deployment-name</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"DEPLOYMENT_NAME"</span><span class="p">,</span><span class="w"> </span><span class="s2">"just-demo"</span><span class="p">)</span><span class="w"> </span><span class="n">resourceGroupName</span><span class="w"> </span><span class="p">:</span><span class="o">=</span><span class="w"> </span><span class="n">env</span><span class="p">(</span><span class="s2">"RESOURCE_GROUP_NAME"</span><span class="p">,</span><span class="w"> </span><span class="s2">"rg-just-demo"</span><span class="p">)</span><span class="w"> </span><span class="c"># Lists all available recipies</span><span class="w"> </span><span class="n">help:</span><span class="w"> </span><span class="err">@</span><span class="nx">just</span><span class="w"> </span><span class="nt">--list</span><span class="w"> </span><span class="c"># Lint the bicep files</span><span class="w"> </span><span class="n">lint:</span><span class="w"> </span><span class="nx">az</span><span class="w"> </span><span class="nx">bicep</span><span class="w"> </span><span class="nx">lint</span><span class="w"> </span><span class="nt">--file</span><span class="w"> </span><span class="nx">main.bicep</span><span class="w"> </span><span class="c"># Validates the bicep deployment</span><span class="w"> </span><span class="n">validate:</span><span class="w"> </span><span class="nx">_ensure-subscription</span><span class="w"> </span><span class="c">#!{{ shebang }}</span><span class="w"> </span><span class="n">az</span><span class="w"> </span><span class="nx">deployment</span><span class="w"> </span><span class="nx">sub</span><span class="w"> </span><span class="nx">validate</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--name</span><span class="w"> </span><span class="p">{{</span><span class="n">deployment-name</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--location</span><span class="w"> </span><span class="p">{{</span><span class="n">location</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--template-file</span><span class="w"> </span><span class="n">main.bicep</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--parameters</span><span class="w"> </span><span class="nx">environments/</span><span class="p">{{</span><span class="n">environment</span><span class="p">}}</span><span class="o">.</span><span class="nf">bicepparam</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--parameters</span><span class="w"> </span><span class="n">resourceGroupName</span><span class="o">=</span><span class="p">{{</span><span class="n">resourceGroupName</span><span class="p">}}</span><span class="w"> </span><span class="c"># Shows what changes would be made by the deployment</span><span class="w"> </span><span class="n">what-if:</span><span class="w"> </span><span class="nx">_ensure-subscription</span><span class="w"> </span><span class="c">#!{{ shebang }}</span><span class="w"> </span><span class="n">az</span><span class="w"> </span><span class="nx">deployment</span><span class="w"> </span><span class="nx">sub</span><span class="w"> </span><span class="nx">what-if</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--name</span><span class="w"> </span><span class="p">{{</span><span class="n">deployment-name</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--location</span><span class="w"> </span><span class="p">{{</span><span class="n">location</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--template-file</span><span class="w"> </span><span class="n">main.bicep</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--parameters</span><span class="w"> </span><span class="nx">environments/</span><span class="p">{{</span><span class="n">environment</span><span class="p">}}</span><span class="o">.</span><span class="nf">bicepparam</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--parameters</span><span class="w"> </span><span class="n">resourceGroupName</span><span class="o">=</span><span class="p">{{</span><span class="n">resourceGroupName</span><span class="p">}}</span><span class="w"> </span><span class="c"># Validates and shows what changes would be made by the deployment</span><span class="w"> </span><span class="n">validate-all:</span><span class="w"> </span><span class="nx">lint</span><span class="w"> </span><span class="nx">validate</span><span class="w"> </span><span class="nx">what-if</span><span class="w"> </span><span class="err">_</span><span class="n">ensure-subscription:</span><span class="w"> </span><span class="nx">az</span><span class="w"> </span><span class="nx">account</span><span class="w"> </span><span class="nx">set</span><span class="w"> </span><span class="nt">--subscription</span><span class="w"> </span><span class="p">{{</span><span class="n">subscription-id</span><span class="p">}}</span><span class="w"> </span><span class="c"># Deploys the bicep deployment</span><span class="w"> </span><span class="n">deploy:</span><span class="w"> </span><span class="nx">_ensure-subscription</span><span class="w"> </span><span class="c">#!{{ shebang }}</span><span class="w"> </span><span class="n">az</span><span class="w"> </span><span class="nx">deployment</span><span class="w"> </span><span class="nx">sub</span><span class="w"> </span><span class="nx">create</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--name</span><span class="w"> </span><span class="p">{{</span><span class="n">deployment-name</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--location</span><span class="w"> </span><span class="p">{{</span><span class="n">location</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--template-file</span><span class="w"> </span><span class="n">main.bicep</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--parameters</span><span class="w"> </span><span class="nx">environments/</span><span class="p">{{</span><span class="n">environment</span><span class="p">}}</span><span class="o">.</span><span class="nf">bicepparam</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--parameters</span><span class="w"> </span><span class="n">resourceGroupName</span><span class="o">=</span><span class="p">{{</span><span class="n">resourceGroupName</span><span class="p">}}</span><span class="w"> </span><span class="c"># Deletes the deployment and the resource group</span><span class="w"> </span><span class="n">destroy:</span><span class="w"> </span><span class="nx">_ensure-subscription</span><span class="w"> </span><span class="c">#!{{ shebang }}</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Deleting deployment..."</span><span class="w"> </span><span class="n">az</span><span class="w"> </span><span class="nx">deployment</span><span class="w"> </span><span class="nx">sub</span><span class="w"> </span><span class="nx">delete</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">--name</span><span class="w"> </span><span class="p">{{</span><span class="n">deployment-name</span><span class="p">}}</span><span class="w"> </span><span class="se">`</span><span class="w"> </span><span class="nt">--no-wait</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Checking if resource group exists..."</span><span class="w"> </span><span class="nv">$rgExists</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">az</span><span class="w"> </span><span class="nx">group</span><span class="w"> </span><span class="nx">exists</span><span class="w"> </span><span class="nt">--resource-group</span><span class="w"> </span><span class="p">{{</span><span class="n">resourceGroupName</span><span class="p">}}</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$rgExists</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"true"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Resource group '{{resourceGroupName}}' exists. Deleting..."</span><span class="w"> </span><span class="n">az</span><span class="w"> </span><span class="nx">group</span><span class="w"> </span><span class="nx">delete</span><span class="w"> </span><span class="nt">--resource-group</span><span class="w"> </span><span class="p">{{</span><span class="n">resourceGroupName</span><span class="p">}}</span><span class="w"> </span><span class="nt">--yes</span><span class="w"> </span><span class="nt">--no-wait</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Resource group deletion initiated"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Resource group '{{resourceGroupName}}' does not exist"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The only environment variable you have to provide is <code>AZURE_SUBSCRIPTION_ID</code> and you are good to execute the commands. I assume that you have subscription ownership, else you have to tweak the bicep scripts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ just Available recipes: deploy <span class="c"># Deploys the bicep deployment</span> destroy <span class="c"># Deletes the deployment and the resource group</span> <span class="nb">help</span> <span class="c"># Lists all available recipies</span> lint <span class="c"># Lint the bicep files</span> validate <span class="c"># Validates the bicep deployment</span> validate-all <span class="c"># Validates and shows what changes would be made by the deployment</span> what-if <span class="c"># Shows what changes would be made by the deployment</span> </code></pre> </div> <h2> Conclusion </h2> <p>There are many other runners you could use, starting from good old <a href="https://www.gnu.org/software/make/manual/make.html" rel="noopener noreferrer"><code>make</code></a> to a python-based one like <a href="https://tox.wiki/en/latest/user_guide.html" rel="noopener noreferrer"><code>tox</code></a> and many others out there. You can achieve similar things with all of them, I stick to <a href="https://just.systems" rel="noopener noreferrer">Just</a>. I like it.</p> infrastructureascode azure bicep shell Azure Container Registry Cache: Updated Guide with Docker Hub Integration Dariusz Parys Wed, 29 Jan 2025 12:20:30 +0000 https://forem.com/dariuszparys/azure-container-registry-cache-updated-guide-with-docker-hub-integration-566p https://forem.com/dariuszparys/azure-container-registry-cache-updated-guide-with-docker-hub-integration-566p <p>Some time ago, I wrote an article about <a href="https://www.dariuszparys.com/how-to-avoid-docker-hub-rate-limits-and-improve-your-workflow/" rel="noopener noreferrer">Docker Hub rate limits</a> and described ways to mitigate them. Unfortunately, the method I suggested using Azure Container Registry cache no longer works without authentication.</p> <p>You can find more details about this in the <a href="https://learn.microsoft.com/en-us/azure/container-registry/container-registry-artifact-cache?pivots=development-environment-azure-portal" rel="noopener noreferrer">Artifact cache in Azure Container Registry</a> documentation, specifically in the <a href="https://learn.microsoft.com/en-us/azure/container-registry/container-registry-artifact-cache?pivots=development-environment-azure-portal#upstream-support" rel="noopener noreferrer">Upstream support</a> section.</p> <blockquote> <p>Azure Container Registry supports only authenticated pulls to Docker Hub.</p> </blockquote> <h2> How to Enable Caching, the correct way </h2> <p>Let me walk you through enabling the cache. Here are the steps:</p> <ol> <li>Create a free Docker Hub account if you don't have one yet</li> </ol> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>❗ Check your eligibility for a personal account first. You may need a paid subscription tier for Docker if you're not using it for personal or open source projects.</th> </tr> </thead> <tbody> </tbody> </table></div> <ol> <li><p>Create a <a href="https://app.docker.com/settings/personal-access-tokens" rel="noopener noreferrer">personal access token</a> in Docker Hub</p></li> <li><p>Store your Docker Hub username and token credentials in Azure KeyVault</p></li> <li><p>Create an Azure Container Registry credential cache to retrieve the KeyVault credentials for Docker Hub</p></li> <li><p>Create an Azure Container Registry caching rule using that credential set</p></li> </ol> <p>To simplify this process, I've created a GitHub repository with all the necessary automation.</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/dariuszparys" rel="noopener noreferrer"> dariuszparys </a> / <a href="https://github.com/dariuszparys/acr-cache-docker-images" rel="noopener noreferrer"> acr-cache-docker-images </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Project Documentation for Bicep Project</h1> </div> <div class="markdown-heading"> <h2 class="heading-element">Overview</h2> </div> <p>This project configures an Azure Container Registry with Docker Hub credentials stored securely in Azure Key Vault, using managed identities for secure access.</p> <div class="markdown-heading"> <h2 class="heading-element">Project Structure</h2> </div> <p>The project is organized into the following directories and files:</p> <ul> <li> <strong>/src</strong>: Contains the main Bicep file and modules for resource deployment.</li> <li> <strong>/src/modules</strong>: Includes reusable Bicep modules for creating and managing Azure resources.</li> <li> <strong>deploy.sh</strong>: Script to automate the deployment process.</li> <li> <strong>.env</strong>: File for environment variables</li> <li> <strong>README.md</strong>: Project documentation and instructions.</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Prerequisites</h2> </div> <ul> <li>Azure subscription</li> <li>Azure CLI installed</li> <li>Bicep CLI installed (if necessary)</li> <li>Docker Hub account</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Deployment</h2> </div> <ol> <li>Set environment variables:</li> </ol> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-k">export</span> DOCKER_HUB_USERNAME=<span class="pl-s"><span class="pl-pds">"</span>your-username<span class="pl-pds">"</span></span> <span class="pl-k">export</span> DOCKER_HUB_PAT=<span class="pl-s"><span class="pl-pds">"</span>your-personal-access-token<span class="pl-pds">"</span></span></pre> </div> <ol start="2"> <li>Configure parameters</li> </ol> <p>Update <code>main.bicepparam</code> to your liking.</p> <ol start="3"> <li>Run deployment:</li> </ol> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>chmod +x deploy.sh ./deploy.sh</pre> </div> <div class="markdown-heading"> <h2 class="heading-element">Caching Repositories</h2> </div> <p>Once this is set up we can now cache any public repository from docker hub in the Azure Container Registry. The following…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/dariuszparys/acr-cache-docker-images" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Bicep Automation </h2> <p>The GitHub repository uses Bicep to automate resource creation in Azure. Before running it, you'll need a <a href="https://app.docker.com/settings/personal-access-tokens?ref=dariuszparys.com" rel="noopener noreferrer">personal access token from Docker Hub</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18f4uhc0il0v1ovhspi3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18f4uhc0il0v1ovhspi3.png" alt="PAT in Docker Hub using Public Repo Read-only" width="800" height="648"></a></p> <p>Feel free to choose access permissions that make sense for your needs. Since I'm only working with public repositories, I selected that option.</p> <h2> Example Deployment </h2> <p>To test this, you can either export the variables <code>DOCKER_HUB_USERNAME</code> and <code>DOCKER_HUB_PAT</code> and run the <code>deploy.sh</code> script, or modify the <code>src/main.bicepparam</code> file.</p> <p>The credentials will be stored in a newly created Azure KeyVault within the example resource group. You can modify the resource group name and location in the parameter file.</p> <p>After deployment, you can link your public Docker Hub repository to Azure Container Registry by creating a cache with the credentials set from the Bicep deployment.</p> <p>For example, to cache the public Python repository, you can<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az acr cache create <span class="se">\</span> <span class="nt">--registry</span> acrdemoxtpogsljytqrc <span class="se">\</span> <span class="nt">--name</span> mypython <span class="se">\</span> <span class="nt">--source-repo</span> docker.io/library/python <span class="se">\</span> <span class="nt">--target-repo</span> python <span class="se">\</span> <span class="nt">--cred-set</span> dockerhub </code></pre> </div> <p>Once the cache rule is created we can evaluate it in the Azure Portal</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj0osjn2nqs6cqhfz7hgs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj0osjn2nqs6cqhfz7hgs.png" alt="Caching rule in ACR" width="800" height="461"></a></p> <p>To pull new images, simply reference your Azure Container Registry repository wherever you need it—whether in Azure Pipelines, GitHub Actions, or directly in the shell like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ az acr login <span class="nt">--name</span> acrdemoxtpogsljytqrc Login Succeeded ~ took 5s ❯ docker pull acrdemoxtpogsljytqrc.azurecr.io/python Using default tag: latest latest: Pulling from python Digest: sha256:d57ec66c94b9497b9f3c66f6cdddc1e4e0bad4c584397e0b57a721baef0e6fdc Status: Image is up to <span class="nb">date </span><span class="k">for </span>acrdemoxtpogsljytqrc.azurecr.io/python:latest acrdemoxtpogsljytqrc.azurecr.io/python:latest ~ ❯ docker pull acrdemoxtpogsljytqrc.azurecr.io/python:alpine3.20 alpine3.20: Pulling from python c4f340f38ec0: Download <span class="nb">complete </span>0152682790bb: Download <span class="nb">complete </span>bb4d68a0c460: Download <span class="nb">complete </span>05da92a20133: Download <span class="nb">complete </span>Digest: sha256:9ab3b6ef4afb7582afaa84e97d40a36f192595bb0578561c282cecc22a45de49 Status: Downloaded newer image <span class="k">for </span>acrdemoxtpogsljytqrc.azurecr.io/python:alpine3.20 acrdemoxtpogsljytqrc.azurecr.io/python:alpine3.20 </code></pre> </div> <p>Thanks to the cache rule, the images automatically transfer to your Azure Container Registry and appear in your ACR repository.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwrehurg27puwpwux6on.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwrehurg27puwpwux6on.png" alt="3 Images already cached in the ACR" width="800" height="481"></a></p> <h2> Notes </h2> <p>In the shared GitHub project, I use a system-assigned identity, which requires splitting KeyVault creation and KeyVault Access Policies. This setup can be simplified once the <a href="https://github.com/Azure/acr/issues/790?ref=dariuszparys.com" rel="noopener noreferrer">corresponding issue is resolved</a> to allow user-assigned managed identities.</p> <p>I hope this helps!</p> <p>Cover image by Photo by <a href="https://unsplash.com/@guibolduc?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit" rel="noopener noreferrer">Guillaume Bolduc</a> / <a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit" rel="noopener noreferrer">Unsplash</a></p> containers docker bicep infrastructureascode Generate Sequence Diagrams for Azure B2C User Journeys with ChatGPT Dariusz Parys Tue, 06 Aug 2024 07:43:04 +0000 https://forem.com/dariuszparys/generate-sequence-diagrams-for-azure-b2c-user-journeys-with-chatgpt-3fol https://forem.com/dariuszparys/generate-sequence-diagrams-for-azure-b2c-user-journeys-with-chatgpt-3fol <p>Working with Azure B2C is an XML battle, especially when it comes to customizing user journeys using custom policies. A starter pack you can get from GitHub helps you set up your own policy.</p> <p><a href="https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack" rel="noopener noreferrer">Azure B2C custom policy starter pack</a></p> <p>The readme is comprehensive and has all the necessary information, but sometimes, it helps to have a flow sequence diagram. Sequence diagrams can be created using Mermaid, given a syntax that can be included in your Markdown documentation. The renderer will then visualize the sequences for you.</p> <h2> Generative AI can help here </h2> <p>There is an excellent way to do this with Generative AI. In my case, I use ChatGPT. The steps are as follows.</p> <p>First, upload the XML policy files you want to analyze. In my example, I'm interested in the sign-in and sign-up user journey, so I'm only uploading <strong>TrustFrameworkBase.xml</strong>, <strong>TrustFrameworkExtensions.xml</strong>, and <strong>SignUpOrSignIn.xml</strong>.</p> <p>Next, prompt ChatGPT to generate the sequence diagram based on the uploaded files. In the case I provide here, I used the following prompt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Create a sequence diagram for the &lt;User Journey Name&gt; user journey in Azure AD B2C. The diagram should integrate the flow of claims directly into the main sequence and use notes and background colors to distinguish between different flows. ### Sequence Diagram Details: 1. The initial request where the user opens the page and requests the policy. 2. The user decision point where they choose between different options (e.g., Sign Up or Sign In). 3. The detailed flow for each option, including: - Collecting claims - Validating and transforming claims - Interactions with Azure AD for validation and user data retrieval - Displaying success messages to the user 4. The token refresh flow if applicable. 5. Use notes to highlight claims collection and validation. 6. Use different background colors to distinguish between different options (e.g., Sign Up and Sign In). </code></pre> </div> <p>Replace with the user journey I uploaded, in the example <em>Sign In or Sign Up</em>. The chatbot will start to analyze the files, and as a result, I get back this Mermaid sequence diagram.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant User participant Browser participant AzureAD_B2C as Azure AD B2C participant IDP as Identity Provider participant App as Relying Party Application Note over User, Browser: Step 1: Access Sign Up or Sign In page User-&gt;&gt;Browser: Access Sign Up/Sign In Page Browser-&gt;&gt;AzureAD_B2C: Request Sign Up/Sign In Page AzureAD_B2C-&gt;&gt;Browser: Return Sign Up/Sign In Page Note over User, Browser: Step 2: Enter credentials or select IDP User-&gt;&gt;Browser: Enter credentials/select IDP Browser-&gt;&gt;AzureAD_B2C: Submit credentials/IDP selection alt Local Account AzureAD_B2C-&gt;&gt;AzureAD_B2C: Validate credentials AzureAD_B2C-&gt;&gt;Browser: Prompt for additional claims (if needed) Browser-&gt;&gt;User: Display additional claims form User-&gt;&gt;Browser: Submit additional claims Browser-&gt;&gt;AzureAD_B2C: Submit additional claims else Social IDP AzureAD_B2C-&gt;&gt;IDP: Redirect to IDP IDP-&gt;&gt;User: Display IDP login page User-&gt;&gt;IDP: Enter credentials IDP-&gt;&gt;AzureAD_B2C: Return user claims end Note over AzureAD_B2C: Step 4: Process user claims AzureAD_B2C-&gt;&gt;AzureAD_B2C: Validate and transform claims AzureAD_B2C-&gt;&gt;App: Send claims to relying party application Note over App, User: Step 5: User is authenticated App-&gt;&gt;User: Welcome Page or Application Landing Page </code></pre> </div> <p>You can look at the result in GitHub, which supports rendering Mermaid diagrams.</p> <p><a href="https://gist.github.com/dariuszparys/904d64978f9448f23bfb7698fee0cf6a" rel="noopener noreferrer">https://gist.github.com/dariuszparys/904d64978f9448f23bfb7698fee0cf6a</a></p> <p>As with all generative models, the output may vary depending on how you prompt it and what model you use. It is more about the basic idea that we can transform one format to another, which helps us create documentation we don't have out of the box. Give it a try.</p> azure chatgpt mermaidjs ai How to Avoid Docker Hub Rate Limits (and Improve Your Workflow) Dariusz Parys Tue, 14 May 2024 13:27:35 +0000 https://forem.com/dariuszparys/how-to-avoid-docker-hub-rate-limits-and-improve-your-workflow-50e9 https://forem.com/dariuszparys/how-to-avoid-docker-hub-rate-limits-and-improve-your-workflow-50e9 <p>Docker Hub has a rate limit that is effectively in place since November 2020 <a href="https://www.docker.com/blog/checking-your-current-docker-pull-rate-limits-and-status/" rel="noopener noreferrer">Checking Your Current Docker Pull Rate Limits and Status | Docker</a>. The detailed documentation about this rate limit is described here <a href="https://docs.docker.com/docker-hub/download-rate-limit/" rel="noopener noreferrer">Docker Hub rate limit | Docker Docs</a></p> <p>There is nothing new, but somehow, there is. I recently received an email from Azure stating that I should mitigate the effects of rate limiting by June 30th, 2024.</p> <p>This date made me think, and I did some investigations. First, I started to look up precisely what the limits are.</p> <h2> Checking Local Rate Limits </h2> <p>If you don't have a docker subscription you pay for, you might hit the docker rate limit, which is for the free account - 200 image pulls per 6 hours. Our anonymous pulls were already just 100 image pulls per 6 hours.</p> <p>I never log in to Docker Hub, so I run under the anonymous tier. I also never hit this limit locally. Also, I have had builds often on certain days, and 100 pulls per 6 hours seems not too much. It turns out that the pull only counts if the image is not already cached on your system. That is good, as you usually don't wipe your image cache each time.</p> <h3> Retrieving Rate Limits on Your System </h3> <p>Checking my local pulled docker images shows only one python base image<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ docker images REPOSITORY TAG IMAGE ID CREATED SIZE python 3.11-slim-buster db841a2e8ab3 11 months ago 120MB </code></pre> </div> <p>Following the <a href="https://www.docker.com/blog/checking-your-current-docker-pull-rate-limits-and-status/" rel="noopener noreferrer">guidance</a> I retrieve with the anonymous bearer token the current limits I have.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl <span class="nt">--head</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest HTTP/1.1 200 OK content-length: 2782 content-type: application/vnd.docker.distribution.manifest.v1+prettyjws docker-content-digest: sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020 docker-distribution-api-version: registry/2.0 etag: <span class="s2">"sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020"</span> <span class="nb">date</span>: Tue, 07 May 2024 10:31:48 GMT strict-transport-security: max-age<span class="o">=</span>31536000 ratelimit-limit: 100<span class="p">;</span><span class="nv">w</span><span class="o">=</span>21600 ratelimit-remaining: 94<span class="p">;</span><span class="nv">w</span><span class="o">=</span>21600 docker-ratelimit-source: 0.0.0.0 </code></pre> </div> <p>I pulled now an additional <code>ubuntu:latest</code> image and re-executed the curl call to the rate limit endpoint. The output states correctly that my limit was reduced by one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl <span class="nt">--head</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest HTTP/1.1 200 OK content-length: 2782 content-type: application/vnd.docker.distribution.manifest.v1+prettyjws docker-content-digest: sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020 docker-distribution-api-version: registry/2.0 etag: <span class="s2">"sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020"</span> <span class="nb">date</span>: Tue, 07 May 2024 10:32:19 GMT strict-transport-security: max-age<span class="o">=</span>31536000 ratelimit-limit: 100<span class="p">;</span><span class="nv">w</span><span class="o">=</span>21600 ratelimit-remaining: 93<span class="p">;</span><span class="nv">w</span><span class="o">=</span>21600 docker-ratelimit-source: 0.0.0.0 </code></pre> </div> <p>Pulling again an image that is now locally cached, in this case the <code>ubuntu:latest</code> again, doesn't affect the rate limit at all.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ curl <span class="nt">--head</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest HTTP/1.1 200 OK content-length: 2782 content-type: application/vnd.docker.distribution.manifest.v1+prettyjws docker-content-digest: sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020 docker-distribution-api-version: registry/2.0 etag: <span class="s2">"sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020"</span> <span class="nb">date</span>: Tue, 07 May 2024 10:32:36 GMT strict-transport-security: max-age<span class="o">=</span>31536000 ratelimit-limit: 100<span class="p">;</span><span class="nv">w</span><span class="o">=</span>21600 ratelimit-remaining: 93<span class="p">;</span><span class="nv">w</span><span class="o">=</span>21600 docker-ratelimit-source: 0.0.0.0 </code></pre> </div> <h2> Azure &amp; Azure DevOps MS Hosted Agents: Handling Rate Limits </h2> <p>But what about the Azure and Azure DevOps environments with Microsoft-hosted agents? Are they supposed to have the same issue?</p> <p>I created a simple test pipeline to see how Azure DevOps handles rate limits.</p> <div class="ltag_gist-liquid-tag"> </div> <p>The docker images cached in the Ubuntu:22.04 runner image, can be found here <a href="https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#cached-docker-images" rel="noopener noreferrer">runner-images/images/ubuntu/Ubuntu2204-Readme.md</a>. It doesn't have any of the images cached that I just pulled in the pipeline.</p> <p>The exciting thing about this pipeline run is that the output of the "Check rate limit" step doesn't show any rate limits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 200 OK content-length: 2782 content-type: application/vnd.docker.distribution.manifest.v1+prettyjws docker-content-digest: sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020 docker-distribution-api-version: registry/2.0 etag: <span class="s2">"sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020"</span> <span class="nb">date</span>: Tue, 07 May 2024 10:05:56 GMT strict-transport-security: max-age<span class="o">=</span>31536000 docker-ratelimit-source: 13.79.31.179 </code></pre> </div> <p>I did the same for Azure, opened a CLI in the Portal, and entered the same rate limit query.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dariusz <span class="o">[</span> ~ <span class="o">]</span><span class="nv">$ TOKEN</span><span class="o">=</span><span class="si">$(</span>curl <span class="s2">"https://auth.docker.io/token?service=registry.docker.io&amp;scope=repository:ratelimitpreview/test:pull"</span> | jq <span class="nt">-r</span> .token<span class="si">)</span> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 5429 0 5429 0 0 20653 0 <span class="nt">--</span>:--:-- <span class="nt">--</span>:--:-- <span class="nt">--</span>:--:-- 20721 dariusz <span class="o">[</span> ~ <span class="o">]</span><span class="nv">$ </span>curl <span class="nt">--head</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest HTTP/1.1 200 OK content-length: 2782 content-type: application/vnd.docker.distribution.manifest.v1+prettyjws docker-content-digest: sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020 docker-distribution-api-version: registry/2.0 etag: <span class="s2">"sha256:767a3815c34823b355bed31760d5fa3daca0aec2ce15b217c9cd83229e0e2020"</span> <span class="nb">date</span>: Tue, 07 May 2024 11:00:31 GMT strict-transport-security: max-age<span class="o">=</span>31536000 docker-ratelimit-source: 0.0.0.0 </code></pre> </div> <p>I inspected the retrieved token with <a href="https://jwt.ms" rel="noopener noreferrer">https://jwt.ms</a> and received the anonymous tier output, with an untouched rate limit of 100.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"x5c"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"MIIEFj...Cx5Q3"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="err">.</span><span class="p">{</span><span class="w"> </span><span class="nl">"access"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"pull"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ratelimitpreview/test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"pull_limit"</span><span class="p">:</span><span class="w"> </span><span class="s2">"100"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pull_limit_interval"</span><span class="p">:</span><span class="w"> </span><span class="s2">"21600"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"repository"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"registry.docker.io"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1715079853</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1715079553</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auth.docker.io"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dckr_jti_CjpzWM-iQQaK_7QXf8wlUkz8kJI="</span><span class="p">,</span><span class="w"> </span><span class="nl">"nbf"</span><span class="p">:</span><span class="w"> </span><span class="mi">1715079253</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">}</span><span class="err">.</span><span class="p">[</span><span class="err">Signature</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>Based on this claim <a href="https://forums.docker.com/t/testing-dockerhub-pull-limits-in-azure/120981" rel="noopener noreferrer">Testing Dockerhub pull limits in Azure - Docker Community Forums</a> there must have been some agreement that was already known back in 2022 when this was written, and probably this agreement will now run out by end of June 2024.</p> <h2> Starting Rate Limit Mitigation </h2> <p>The rate limits will likely affect future CI pipeline runs. In our case, we have a CI pipeline that builds images on each push to the Azure DevOps git repository using the Azure Container Registry build task.</p> <h3> Current State: CI Pipeline Configuration in Azure DevOps </h3> <p>Below is a snippet from a pipeline step in Azure DevOps to build our image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">AzureCLI@2</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Build</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">container</span><span class="nv"> </span><span class="s">image"</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">azureSubscription</span><span class="pi">:</span> <span class="s">$(serviceConnection)</span> <span class="na">addSpnToEnvironment</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">workingDirectory</span><span class="pi">:</span> <span class="s">$(projectRoot)</span> <span class="na">scriptType</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">scriptLocation</span><span class="pi">:</span> <span class="s">inlineScript</span> <span class="na">inlineScript</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">az acr build --registry "${REGISTRY}" --image "${REGISTRY}.azurecr.io/backend:dev-${BUILD_NUMBER}" --image "${REGISTRY}.azurecr.io/backend:dev-latest" --platform linux --file Dockerfile .</span> <span class="na">env</span><span class="pi">:</span> <span class="na">REGISTRY</span><span class="pi">:</span> <span class="s">$(containerRegistryName)</span> <span class="na">BUILD_NUMBER</span><span class="pi">:</span> <span class="s">$(Build.BuildNumber)</span> </code></pre> </div> <p>The corresponding Dockerfile still refers to the base image on the Docker hub.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.11-slim-buster</span> <span class="k">WORKDIR</span><span class="s"> /code</span> <span class="k">COPY</span><span class="s"> ./requirements.txt /code/requirements.txt</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> /code/requirements.txt <span class="k">COPY</span><span class="s"> app /code/app</span> <span class="k">CMD</span><span class="s"> ["uvicorn", "app.main:app", "--host=0.0.0.0", "--port=8000"]</span> </code></pre> </div> <h3> Using Azure Container Registry Caching </h3> <p>As the Azure Container Registry is in place, we changed the behavior using the Azure Container Registry Cache feature.</p> <blockquote> <p><strong>NOTE:</strong> In its basic tier, Azure Container Registry costs nearly as much as the Pro subscription for Docker Hub. We are using Azure Container Registry for our project anyway, so we mitigate the additional costs. Your mileage may vary.</p> </blockquote> <p>This feature allows the ACR to pull and cache an image from another registry based on your defined rules. In the case of the Python-based images, a rule might look like this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az acr cache create <span class="se">\</span> <span class="nt">--registry</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--name</span> python-base-images <span class="se">\</span> <span class="nt">--source-repo</span> docker.io/library/python </code></pre> </div> <p>We changed the Dockerfile to pull from our ACR instead of the Docker hub where the base image originally lives.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">ARG</span><span class="s"> REGISTRY=your-acr-registry-name</span> <span class="k">FROM</span><span class="s"> $REGISTRY.azurecr.io/python:3.11-slim-buster</span> <span class="k">WORKDIR</span><span class="s"> /code</span> <span class="k">COPY</span><span class="s"> ./requirements.txt /code/requirements.txt</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> /code/requirements.txt <span class="k">COPY</span><span class="s"> app /code/app</span> <span class="k">CMD</span><span class="s"> ["uvicorn", "app.main:app", "--host=0.0.0.0", "--port=8000"]</span> </code></pre> </div> <p>The first time this runs, ACR will pull this image from Docker Hub and cache it under the <strong>python</strong> repository, as specified in the shell command above.</p> <p>Once the pipeline runs and pulls the image through the Azure Container Registry, you can evaluate the cache rule and look up the cached repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az acr cache list <span class="nt">--registry</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span> az acr repository show <span class="nt">--name</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span> <span class="nt">--repository</span> python </code></pre> </div> <p>From now on, using Azure Container Registry Cache will mitigate rate limits that might affect our pipeline runs on Microsoft-hosted Agents and offer benefits like improved build performance, reduced network traffic, enhanced reliability, and simplified management.</p> <h2> Conclusion: Optimizing Development Workflows in the Face of Rate Limits </h2> <p>Docker Hub rate limits present an opportunity to optimize your development workflow and improve performance.</p> <p><strong>Take Action</strong></p> <ul> <li> <strong>Explore caching strategies:</strong> Understand how effective caching can reduce your reliance on Docker Hub.</li> <li> <strong>Leverage your cloud provider's registry:</strong>  Cloud registries often offer integrated solutions that streamline image management and can boost build speeds.</li> <li> <strong>If you need a high volume of pulls, consider a paid Docker Hub subscription:</strong> This ensures reliable access and support.</li> </ul> <p>By proactively addressing Docker Hub's limits, you can enhance the efficiency and resilience of your CI/CD pipelines.</p> docker azure containers