public string CreateManagedIdentity(
string subscriptionId,
string identityName)
{
if (HttpMockServer.Mode == HttpRecorderMode.Record)
{
var parameters = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity()
{
Location = this.GetProviderLocation("Microsoft.ManagedIdentity", "userAssignedIdentities")
};
var identity = this.managedServiceIdentityClient.UserAssignedIdentities.CreateOrUpdate(
this.ResourceGroupName,
identityName,
parameters);
Assert.NotNull(identity);
// Give a couple minutes for the MSI to propagate. Observed failures of principalId not being found in the tenant
// when there is no wait time between MSI creation and role assignment.
DeploymentManagerTestUtilities.Sleep(TimeSpan.FromMinutes(2));
var scope = "/subscriptions/" + subscriptionId;
var roleDefinitionList = this.authorizationClient.RoleDefinitions.List(
scope,
new Microsoft.Rest.Azure.OData.ODataQuery <Microsoft.Azure.Management.Authorization.Models.RoleDefinitionFilter>("roleName eq 'Contributor'"));
var roleAssignmentName = Guid.NewGuid().ToString();
var roleAssignmentParameters = new Microsoft.Azure.Management.Authorization.Models.RoleAssignmentCreateParameters()
{
PrincipalId = identity.PrincipalId.ToString(),
RoleDefinitionId = roleDefinitionList.First().Id,
CanDelegate = false
};
var roleAssignment = this.authorizationClient.RoleAssignments.Create(
scope,
roleAssignmentName,
roleAssignmentParameters);
Assert.NotNull(roleAssignment);
// Add additional wait time after role assignment to propagate permissions. Observed
// no permissions to modify resource group errors without wait time.
DeploymentManagerTestUtilities.Sleep(TimeSpan.FromMinutes(1));
roleAssignment = this.authorizationClient.RoleAssignments.Get(
scope,
roleAssignmentName);
Assert.NotNull(roleAssignment);
return(identity.Id);
}
return("dummyIdentity");
}
/// <summary>
/// Create user-assigned managed identity.
/// </summary>
/// <param name="resourceGroupName"></param>
/// <param name="msiName"></param>
/// <param name="location"></param>
/// <returns></returns>
public Identity CreateManagedIdentity(
string resourceGroupName,
string msiName,
string location)
{
var createParams = new Identity
{
Location = location
};
return(identityManagementClient.UserAssignedIdentities.CreateOrUpdate(resourceGroupName, msiName, createParams));
}
public override void ExecuteCmdlet()
{
base.ExecuteCmdlet();
if (this.ShouldProcess(Name,
string.Format(CultureInfo.CurrentCulture,
Properties.Resources.NewUserAssignedIdentity_ProcessMessage,
this.ResourceGroupName,
this.Name)))
{
var tagsDictionary = this.Tag?.Cast <DictionaryEntry>()
.ToDictionary(ht => (string)ht.Key, ht => (string)ht.Value);
var location = GetLocation();
Identity identityProperties = new Identity(location: location, tags: tagsDictionary);
var result =
this.MsiClient.UserAssignedIdentities
.CreateOrUpdateWithHttpMessagesAsync(
this.ResourceGroupName,
this.Name,
identityProperties).GetAwaiter().GetResult();
WriteIdentity(result.Body);
}
}
public void SetupUserAssignedMsiTests()
{
Environment.SetEnvironmentVariable("AZURE_TEST_MODE", "Playback");
using (MockContext context = MockContext.Start(this.GetType()))
{
var testBase = new ApiManagementTestBase(context);
string consumptionSkuRegion = "West US";
// create user assigned identity
var parameters = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity()
{
Location = consumptionSkuRegion
};
var userAssignedResponse = testBase.managedIdentityClient.UserAssignedIdentities.CreateOrUpdateWithHttpMessagesAsync(
testBase.rgName,
testBase.serviceName,
parameters).GetAwaiter().GetResult();
Assert.NotNull(userAssignedResponse);
var userAssigned = userAssignedResponse.Body;
Assert.NotNull(userAssigned.PrincipalId);
Assert.NotNull(userAssigned.TenantId);
// setup MSI on Consumption SKU
testBase.serviceProperties.Location = consumptionSkuRegion;
testBase.serviceProperties.Sku = new ApiManagementServiceSkuProperties(SkuType.Consumption, capacity: 0);
testBase.serviceProperties.Identity = new ApiManagementServiceIdentity("UserAssigned")
{
UserAssignedIdentities = new Dictionary <string, Components16nk615schemasapimanagementserviceidentitypropertiesuserassignedidentitiesadditionalproperties>()
{
{ userAssignedResponse.Body.Id, new Components16nk615schemasapimanagementserviceidentitypropertiesuserassignedidentitiesadditionalproperties(userAssigned.PrincipalId.ToString(), userAssigned.ClientId.ToString()) }
}
};
var createdService = testBase.client.ApiManagementService.CreateOrUpdate(
resourceGroupName: testBase.rgName,
serviceName: testBase.serviceName,
parameters: testBase.serviceProperties);
ValidateService(createdService,
testBase.serviceName,
testBase.rgName,
testBase.subscriptionId,
consumptionSkuRegion,
testBase.serviceProperties.PublisherEmail,
testBase.serviceProperties.PublisherName,
testBase.serviceProperties.Sku.Name,
testBase.tags);
Assert.NotNull(createdService.Identity);
Assert.NotNull(createdService.Identity.Type);
Assert.Equal("UserAssigned", createdService.Identity.Type);
Assert.NotNull(createdService.Identity.UserAssignedIdentities);
Assert.Equal(1, createdService.Identity.UserAssignedIdentities.Count);
Assert.Equal(userAssigned.PrincipalId.ToString(), createdService.Identity.UserAssignedIdentities.First().Value.PrincipalId);
Assert.Equal(userAssigned.Id.ToString(), createdService.Identity.UserAssignedIdentities.First().Key);
// Delete
testBase.client.ApiManagementService.Delete(
resourceGroupName: testBase.rgName,
serviceName: testBase.serviceName);
Assert.Throws <ErrorResponseException>(() =>
{
testBase.client.ApiManagementService.Get(
resourceGroupName: testBase.rgName,
serviceName: testBase.serviceName);
});
}
}
public void NamespaceBYOKCreateGetUpdateDelete()
{
using (MockContext context = MockContext.Start(this.GetType()))
{
InitializeClients(context);
var location = "West US 2";
var resourceGroup = string.Empty;
var keyVaultName = "SDKTestingKey1";
var KeyName = "sdktestingkey11";
var KeyName2 = "sdktestingkey12";
var KeyName3 = "sdktestingkey13";
var resourceGroupCluster = EventHubManagementHelper.ResourceGroupCluster;
var identityName1 = TestUtilities.GenerateName(EventHubManagementHelper.IdentityPrefix);
var identityName2 = TestUtilities.GenerateName(EventHubManagementHelper.IdentityPrefix);
if (string.IsNullOrWhiteSpace(resourceGroup))
{
resourceGroup = TestUtilities.GenerateName(EventHubManagementHelper.ResourceGroupPrefix);
this.ResourceManagementClient.TryRegisterResourceGroup(location, resourceGroup);
}
var namespaceName = TestUtilities.GenerateName(EventHubManagementHelper.NamespacePrefix);
var namespaceName2 = TestUtilities.GenerateName(EventHubManagementHelper.NamespacePrefix);
try
{
var checkNameAvailable = EventHubManagementClient.Namespaces.CheckNameAvailability(namespaceName);
//Create Namespace with System Assigned Identity
//----------------------------------------------------
var createNamespaceResponse = this.EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName,
new EHNamespace()
{
Location = location,
Sku = new Microsoft.Azure.Management.EventHub.Models.Sku
{
Name = Microsoft.Azure.Management.EventHub.Models.SkuName.Premium,
Tier = SkuTier.Premium
},
Tags = new Dictionary <string, string>()
{
{ "tag1", "value1" },
{ "tag2", "value2" }
},
IsAutoInflateEnabled = false,
MaximumThroughputUnits = 0,
Identity = new Identity()
{
Type = ManagedServiceIdentityType.SystemAssigned
}
});
Assert.NotNull(createNamespaceResponse);
Assert.Equal(namespaceName, createNamespaceResponse.Name);
Assert.False(createNamespaceResponse.IsAutoInflateEnabled);
Assert.Equal(0, createNamespaceResponse.MaximumThroughputUnits);
Assert.Equal(ManagedServiceIdentityType.SystemAssigned, createNamespaceResponse.Identity.Type);
//----------------------------------------------------------------------
TestUtilities.Wait(TimeSpan.FromSeconds(5));
//Remove System Assigned Identity from namespace
//-----------------------------------------------
createNamespaceResponse.Identity = new Identity()
{
Type = ManagedServiceIdentityType.None
};
createNamespaceResponse = EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, createNamespaceResponse);
Assert.NotNull(createNamespaceResponse);
Assert.Equal(namespaceName, createNamespaceResponse.Name);
Assert.False(createNamespaceResponse.IsAutoInflateEnabled);
Assert.Equal(0, createNamespaceResponse.MaximumThroughputUnits);
Assert.Null(createNamespaceResponse.Identity);
//------------------------------------------------
//ReEnable System assigned identity and later enable encryption
//--------------------------------------------------
createNamespaceResponse.Identity = new Identity()
{
Type = ManagedServiceIdentityType.SystemAssigned
};
createNamespaceResponse = EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, createNamespaceResponse);
Assert.NotNull(createNamespaceResponse);
Assert.Equal(namespaceName, createNamespaceResponse.Name);
Assert.False(createNamespaceResponse.IsAutoInflateEnabled);
Assert.Equal(0, createNamespaceResponse.MaximumThroughputUnits);
Assert.Equal(ManagedServiceIdentityType.SystemAssigned, createNamespaceResponse.Identity.Type);
//--------------------------------------------------
//Give Key Vault Permissions to namespace to set system assigned encryption
//---------------------------------------------------
Microsoft.Azure.Management.KeyVault.Models.VaultCreateOrUpdateParameters vaultparams = new Microsoft.Azure.Management.KeyVault.Models.VaultCreateOrUpdateParameters();
var accesPolicies = new Microsoft.Azure.Management.KeyVault.Models.AccessPolicyEntry()
{
ObjectId = createNamespaceResponse.Identity.PrincipalId,
TenantId = Guid.Parse(createNamespaceResponse.Identity.TenantId),
Permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions()
{
Keys = new List <string> {
"get", "wrapKey", "unwrapKey"
}
}
};
Vault getVaultRsponse = KeyVaultManagementClient.Vaults.Get(resourceGroupCluster, keyVaultName);
vaultparams = new VaultCreateOrUpdateParameters(getVaultRsponse.Location, getVaultRsponse.Properties);
vaultparams.Properties.AccessPolicies.Add(accesPolicies);
var updateVault = KeyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupCluster, keyVaultName, vaultparams);
TestUtilities.Wait(TimeSpan.FromSeconds(5));
// Encrypt data in Event Hub namespace Customer managed key from keyvault
var getNamespaceResponse = EventHubManagementClient.Namespaces.Get(resourceGroup, namespaceName);
getNamespaceResponse.Encryption = new Encryption()
{
KeySource = KeySource.MicrosoftKeyVault,
KeyVaultProperties = new[] {
new KeyVaultProperties()
{
KeyName = KeyName,
KeyVaultUri = updateVault.Properties.VaultUri,
KeyVersion = ""
}
}
};
var updateNamespaceResponse = this.EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName, getNamespaceResponse);
Assert.Equal(1, updateNamespaceResponse.Encryption.KeyVaultProperties.Count);
Assert.Equal(KeyName, updateNamespaceResponse.Encryption.KeyVaultProperties[0].KeyName);
Assert.Equal(updateVault.Properties.VaultUri, updateNamespaceResponse.Encryption.KeyVaultProperties[0].KeyVaultUri + "/");
//-------------------------------------------------------------
Vault getVaultRsponse1 = KeyVaultManagementClient.Vaults.Get(resourceGroupCluster, keyVaultName);
vaultparams = new VaultCreateOrUpdateParameters(getVaultRsponse.Location, getVaultRsponse.Properties);
vaultparams.Properties.AccessPolicies.Remove(accesPolicies);
var updateVault1 = KeyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupCluster, keyVaultName, vaultparams);
TestUtilities.Wait(TimeSpan.FromSeconds(5));
//Create User Assigned Identities and give permissions to access keyvault
//----------------------------------------------------------------
Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity identity1 = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity()
{
Location = "westus"
};
Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity identity2 = new Microsoft.Azure.Management.ManagedServiceIdentity.Models.Identity()
{
Location = "westus"
};
var userAssignedIdentity1 = IdentityManagementClient.UserAssignedIdentities.CreateOrUpdate(resourceGroup, identityName1, identity1);
var userAssignedIdentity2 = IdentityManagementClient.UserAssignedIdentities.CreateOrUpdate(resourceGroup, identityName2, identity2);
var accessPolicies = new Microsoft.Azure.Management.KeyVault.Models.AccessPolicyEntry()
{
ObjectId = userAssignedIdentity1.PrincipalId.ToString(),
TenantId = (Guid)userAssignedIdentity1.TenantId,
Permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions()
{
Keys = new List <string> {
"get", "wrapKey", "unwrapKey"
}
}
};
var accessPolicies2 = new Microsoft.Azure.Management.KeyVault.Models.AccessPolicyEntry()
{
ObjectId = userAssignedIdentity2.PrincipalId.ToString(),
TenantId = (Guid)userAssignedIdentity2.TenantId,
Permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions()
{
Keys = new List <string> {
"get", "wrapKey", "unwrapKey"
}
}
};
getVaultRsponse = KeyVaultManagementClient.Vaults.Get(resourceGroupCluster, keyVaultName);
vaultparams = new VaultCreateOrUpdateParameters(getVaultRsponse.Location, getVaultRsponse.Properties);
vaultparams.Properties.AccessPolicies.Add(accessPolicies);
vaultparams.Properties.AccessPolicies.Add(accessPolicies2);
updateVault = KeyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupCluster, keyVaultName, vaultparams);
//--------------------------------------------------------
TestUtilities.Wait(TimeSpan.FromSeconds(5));
//Enable User Assigned Identity Encryption
//---------------------------------------------
createNamespaceResponse = this.EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName2,
new EHNamespace()
{
Location = location,
Sku = new Microsoft.Azure.Management.EventHub.Models.Sku
{
Name = Microsoft.Azure.Management.EventHub.Models.SkuName.Premium,
Tier = SkuTier.Premium
},
Identity = new Identity()
{
Type = ManagedServiceIdentityType.UserAssigned,
UserAssignedIdentities = new Dictionary <string, UserAssignedIdentity>()
{
{ userAssignedIdentity1.Id, new UserAssignedIdentity() },
{ userAssignedIdentity2.Id, new UserAssignedIdentity() }
},
},
Encryption = new Encryption()
{
KeySource = KeySource.MicrosoftKeyVault,
KeyVaultProperties = new List <KeyVaultProperties> {
new KeyVaultProperties()
{
KeyName = KeyName2,
KeyVaultUri = updateVault.Properties.VaultUri,
KeyVersion = "",
Identity = new UserAssignedIdentityProperties()
{
UserAssignedIdentity = userAssignedIdentity1.Id
}
},
new KeyVaultProperties()
{
KeyName = KeyName3,
KeyVaultUri = updateVault.Properties.VaultUri,
KeyVersion = "",
Identity = new UserAssignedIdentityProperties()
{
UserAssignedIdentity = userAssignedIdentity1.Id
}
}
}
}
}
);
Assert.Equal(ManagedServiceIdentityType.UserAssigned, createNamespaceResponse.Identity.Type);
Assert.Equal(2, createNamespaceResponse.Encryption.KeyVaultProperties.Count);
Assert.Equal(KeyName2, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyName);
Assert.Equal(KeyName3, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyName);
Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyVaultUri + "/");
Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyVaultUri + "/");
Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[0].Identity.UserAssignedIdentity);
Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[1].Identity.UserAssignedIdentity);
Assert.Equal(2, createNamespaceResponse.Identity.UserAssignedIdentities.Count);
//-------------------------------------------------------------------------------------
//Test if identity can be set to System and User assigned.
//---------------------------------------------------------------------------------
createNamespaceResponse.Identity.Type = ManagedServiceIdentityType.SystemAssignedUserAssigned;
createNamespaceResponse = EventHubManagementClient.Namespaces.CreateOrUpdate(resourceGroup, namespaceName2, createNamespaceResponse);
Assert.Equal(ManagedServiceIdentityType.SystemAssignedUserAssigned, createNamespaceResponse.Identity.Type);
Assert.Equal(2, createNamespaceResponse.Encryption.KeyVaultProperties.Count);
Assert.Equal(KeyName2, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyName);
Assert.Equal(KeyName3, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyName);
Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[0].KeyVaultUri + "/");
Assert.Equal(updateVault.Properties.VaultUri, createNamespaceResponse.Encryption.KeyVaultProperties[1].KeyVaultUri + "/");
Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[0].Identity.UserAssignedIdentity);
Assert.Equal(userAssignedIdentity1.Id, createNamespaceResponse.Encryption.KeyVaultProperties[1].Identity.UserAssignedIdentity);
Assert.Equal(2, createNamespaceResponse.Identity.UserAssignedIdentities.Count);
//----------------------------------------------------------------------------------
}
finally
{
this.EventHubManagementClient.Namespaces.DeleteAsync(resourceGroup, namespaceName, default(CancellationToken)).ConfigureAwait(false);
this.EventHubManagementClient.Namespaces.DeleteAsync(resourceGroup, namespaceName2, default(CancellationToken)).ConfigureAwait(false);
//Delete Resource Group
this.ResourceManagementClient.ResourceGroups.DeleteWithHttpMessagesAsync(resourceGroup, null, default(CancellationToken)).ConfigureAwait(false);
Console.WriteLine("End of EH2018 Namespace CRUD IPFilter Rules test");
}
}
}
