Monday, February 13, 2023

5 fun and easy ways to transition to Bicep and save time!


If you are into Infrastructure as Code for Azure, you have probably heard about Bicep by now, or maybe (hopefully) you're actively using it. If not, this blog post provides some guidance to help you with your personal transformation (or should I say transpilation 😊) towards Bicep. In other words, if you’ve been developing ARM Templates (JSON) a lot, here are some cool and fast ways to learn Bicep using VSCode.

Just in case you’ve never heard about Bicep, what is it in a nutshell? Bicep is like having a magic wand for Azure infrastructure as code. It's a new language that makes it super easy to create and manage Azure resources in a declarative manner. You simply write down what you want your Azure environment to look like, and Bicep takes care of the heavy lifting for you. It's like ordering a pizza, but instead of pizza, you get a fully configured Azure environment, and instead of a delivery guy, you have Bicep! Just wave your Bicep wand and poof, your Azure resources appear exactly as you specified.*

* Full disclosure: I had ChatGPT write this fun description of Bicep! 😊

1. Decompile

Right-click any existing ARM Template based on JSON and simply select “Decompile to Bicep”. Within a second you are presented with the Bicep equivalent of your ARM Template. This is a super easy way of reverse engineering and learning Bicep. Note that decompilation is always best effort. If the template can be decompiled, it will always result in a valid Bicep Template, but it might not be 100% optimized. It can however provide you with a great head start. In case you are wondering, yes, you can also decompile using the Az CLI, PowerShell and the Bicep executable.

2. Paste JSON as Bicep

If you have any existing JSON code in your clipboard, for example copied from any resource online, you can directly paste it as Bicep code in VSCode. How cool is that? 😊 With a flick of a wand (or rather, a paste into VSCode), your JSON code is transformed into beautiful, readable Bicep code.

It's important to note that this feature is currently in its experimental phase, and as such, may have limitations or unfinished elements.

3. Insert Resource

To utilize this feature, you will need to follow these steps:

- Copy the resource ID of an existing resource within your Azure environment.
- In your Bicep file, perform a right-click and select "Insert Resource" from the context menu.
- Paste the copied resource ID into the designated field.

Upon executing these steps, the resource will be instantly available in Bicep, ready for use within your infrastructure as code deployment.

4. Local ARM Template (JSON) as a module

If you have existing ARM Templates in JSON and, for whatever reason, don’t want to decompile to Bicep, you can also use an ARM Template as a module. Below is the syntax to use; it is the exact same syntax as for Bicep modules. Very convenient and easy to use!

5. Template Spec as a module

Similar to option 4, you can also leverage an ARM Template as a module directly from a Template Spec resource in Azure. Create a Template Spec resource in Azure, paste your ARM Template in there, and now you can reference it as a module as shown below.

To conclude

If you are currently developing ARM Templates and they bring you everything you need, nothing is stopping you from continuing to use them; they are fully supported. I’m not saying ARM Templates are bad and you must switch to Bicep. If you are currently using ARM Templates and you are struggling with the complexity and limitations…it's never too late to learn Bicep. And if you're already familiar with Visual Studio Code (VSCode), it's a great tool to get started with Bicep. VSCode offers a wide range of plugins and extensions that make it easier to write, debug, and deploy Bicep templates. You can use the VSCode IntelliSense feature to get suggestions and auto-completion as you type, making it easier to write correct Bicep code, including a way to visualize as you type. Bicep removes a lot of the syntax overhead of ARM Templates, providing a clean coding experience, and also provides better options to reuse code based on modules and registries.

There is much more to the story of course. If you are interested in getting started with Bicep, I published a book to help you jump-start on Bicep, posted lots of example code on my GitHub, and created a collection of links to on-demand sessions on Bicep that I (co)presented in the past.

Questions? Feel free to reach out via Twitter, LinkedIn, or E-mail!

Saturday, February 4, 2023

New Number matching Azure MFA feature impact Microsoft RDGW & NPS extension

Background

Are you using Microsoft Native Remote Desktop Gateway (RDGW) in combination with the NPS extension to secure your RDGW with MFA? Prepare for this change which will be enforced tenant-wide for all users starting February 27, 2023!

Number matching is a security upgrade to traditional second factor notifications in Microsoft Authenticator. Microsoft will remove the admin controls and enforce the number match experience.

This is what Microsoft recommends

"We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance."

While this adds and unlocks security capabilities and options, there is a downside if you currently use RD Gateway with the NPS Extension for Azure MFA. If you need more background information on how this works, check out this article I published back in 2017, which is still relevant: The Microsoft Platform: Securing RD Gateway with MFA using the new NPS Extension for Azure MFA!

The impact on RD Gateway + NPS Extension

The reason for the impact is that NPS does not support number matching. However, the latest NPS extension does work with One-Time Password (OTP) methods, such as the OTP available in Microsoft Authenticator. Generally, you need to make sure that you run the latest version of the NPS extension. For more information on supported versions, the (registry) workaround you can use, and the other requirements that apply, follow this guide.

If your organization uses Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail.

Release notes on this change

Below is a snippet of the release notes of the NPS extension version 1.2.2131.2 that addresses the change that Microsoft made.

"...Changed the default value of OVERRIDE_NUMBER_MATCHING_WITH_OTP from False to a Microsoft managed value. There is no change to the current authentication experience for users. Microsoft will begin enabling number matching for all users of the Microsoft Authenticator app starting 27th of February 2023.
After this date, if your organization has not set the OVERRIDE_NUMBER_MATCHING_WITH_OTP value to False, your Microsoft Authenticator users will be required to enter an OTP code instead of the Approve/Deny push notification experience..."

Solution (more of a workaround)

What you can do to prevent failed sign-ins after February 27, 2023 is the following. Set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE.

To create the registry key that overrides push notifications on your NPS Server:

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
2. Key: OVERRIDE_NUMBER_MATCHING_WITH_OTP,  Value = TRUE
3. Restart the NPS Service.

What this does is fall back to Approve/Deny push notifications when using Microsoft Authenticator.
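
The registry procedure above as an added PowerShell example (not code from this post or from Microsoft): it reports the current OVERRIDE_NUMBER_MATCHING_WITH_OTP value and the prompt it leads to according to the release notes quoted earlier, then sets the value you choose and restarts NPS only when something changed. Assumptions: the entry is a string (REG_SZ) value, the NPS service is named IAS, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the NPS server that hosts the Azure MFA NPS extension.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

function Get-NpsOtpOverride {
    # Returns the current value, or $null when the entry does not exist.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$ValueName
}

function Get-NpsPromptBehaviour {
    param([AllowNull()][string]$Value)
    # Mapping taken from the release notes quoted above: only an explicit
    # FALSE keeps Approve/Deny; anything else ends up prompting for an OTP.
    if ($Value -and $Value.Trim() -ieq 'FALSE') { return 'Approve/Deny push' }
    if ($Value -and $Value.Trim() -ieq 'TRUE')  { return 'OTP code' }
    return 'Microsoft managed (OTP code once number matching is enforced)'
}

function Set-NpsOtpOverride {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('TRUE', 'FALSE')][string]$Value)

    $current = Get-NpsOtpOverride
    Write-Verbose "Current: '$current' -> $(Get-NpsPromptBehaviour $current)"
    if ($current -ieq $Value) { return $false }   # nothing to change, no restart

    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Set to $Value and restart NPS")) {
        if (-not (Test-Path $RegPath)) { throw "$RegPath not found: is the NPS extension installed?" }
        # Assumption: the entry is a string (REG_SZ) value.
        New-ItemProperty -Path $RegPath -Name $ValueName -Value $Value -PropertyType String -Force | Out-Null
        # Assumption: NPS runs under the service name 'IAS'.
        Restart-Service -Name IAS
        return $true
    }
    return $false
}

# Report the effective prompt before changing anything.
$now = Get-NpsOtpOverride
"{0} = '{1}' -> {2}" -f $ValueName, $now, (Get-NpsPromptBehaviour $now)
# Set-NpsOtpOverride -Value FALSE -Verbose   # example call; pick the value you need
```

Running it with `-WhatIf` first shows the pending change without touching the registry or restarting the service.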





Monday, January 16, 2023

ChatGPT to author Bicep templates?

I'm sure that by now many have heard about ChatGPT. If not, ChatGPT is a large language model developed by OpenAI. It is based on the GPT (Generative Pre-training Transformer) architecture, which was trained on a massive amount of text data to generate human-like text. ChatGPT is fine-tuned to perform specific language tasks such as answering questions, generating text and more. It uses the latest advances in neural network technology to understand and respond to natural language input in a way that mimics human conversation. It can be used for various applications such as chatbots, automated customer service, language translation and more.

I took ChatGPT for a spin to see how accurate and detailed it would be to write (Infra as) Code. Somehow Bicep felt like a good candidate! (in case you don't know why, follow this link 😊)

The first question I asked was to author a simple Bicep template to create a Vnet.

I was blown away by the initial response which came back instantly! That looks awesome for a first try! Do note that ChatGPT says Bicep is still in preview. The reason is that ChatGPT is trained on a large dataset of text data that was current as of 2021, so it may not have information that is more recent than that. The training data used to build the model is also constantly being updated, so the information available to ChatGPT may change over time.

Also note that ChatGPT gave some advice on network designs as well, how cool is that!

A best practice however would be to use a parameter instead of 'resourceGroup().location'. So let's tell ChatGPT to adapt to that and also tell it to make resourceGroup().location the default value of the parameter.

That was easy! Next, we'll tell it to use a different API version when dealing with VNets.

There we go. Finally, let's see if it can also generate a parameters file with a couple of sample values. Of course it can!

And this is just scratching the surface on what ChatGPT is able to do based on a simple example, there is so much more!

ChatGPT can help with writing code by providing code snippets, examples, and templates for a specific programming language or framework. It can also help with troubleshooting errors by providing solutions to common problems. Additionally, ChatGPT can assist with understanding the proper syntax and usage of a particular command or function by providing explanations and documentation.

ChatGPT can also help with writing code by providing suggestions for code improvements and better practices and by suggesting alternative ways to implement a certain functionality. It can also help with understanding and working with complex code by providing explanations of the code's behavior and providing examples of how to use it.

It's important to note that while ChatGPT can help with writing code, it's not a replacement for human programmers. ChatGPT can provide suggestions and examples, but it can't replace the experience and understanding of the problem domain that a human developer has.

Strong advice: do not blindly trust AI generated code for production environments. Use AI to assist you, not to replace you.

And guess what...part of this article was actually written by ChatGPT itself! Did you notice that? The possibilities are endless and I'm looking forward to test driving this some more! What are your thoughts?