public async Task <Vault> CreateKeyVaultAsync(
            Identity.Identity portalIdentity,
            Identity.Identity ownerIdentity,
            Guid subscriptionId,
            string resourceGroupName,
            string location,
            string keyVaultName,
            string environmentName)
        {
            await RegisterProvider(subscriptionId, "Microsoft.KeyVault");

            var accessToken = await GetAccessToken();

            var token    = new TokenCredentials(accessToken);
            var kvClient = new KeyVaultManagementClient(token)
            {
                SubscriptionId = subscriptionId.ToString()
            };

            var permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions(
                secrets: new[] { "get", "list", "set", "delete" },
                certificates: new[] { "get", "list", "update", "delete", "create", "import" });

            var accessPolicies = new[]
            {
                // Portal MSI
                new AccessPolicyEntry(
                    portalIdentity.TenantId,
                    portalIdentity.ObjectId.ToString(),
                    permissions),

                // Owner
                new AccessPolicyEntry(
                    ownerIdentity.TenantId,
                    ownerIdentity.ObjectId.ToString(),
                    permissions)
            };

            // TODO - Make SKU configurable
            var kvParams = new VaultCreateOrUpdateParameters(
                location,
                new VaultProperties(
                    portalIdentity.TenantId,
                    new Microsoft.Azure.Management.KeyVault.Models.Sku(Microsoft.Azure.Management.KeyVault.Models.SkuName.Standard), accessPolicies),
                GetEnvironmentTags(environmentName));

            return(await kvClient.Vaults.CreateOrUpdateAsync(
                       resourceGroupName,
                       keyVaultName,
                       kvParams));
        }
Exemple #2
0
        /// <summary>
        /// Create key vault.
        /// </summary>
        /// <param name="resourceGroupName"></param>
        /// <param name="vaultName"></param>
        /// <param name="region"></param>
        /// <param name="sku"></param>
        /// <param name="permissions"></param>
        /// <param name="enabledForDeployment"></param>
        /// <param name="enabledForDiskEncryption"></param>
        /// <param name="enabledForTemplateDeployment"></param>
        /// <param name="enableSoftDelete"></param>
        /// <returns></returns>
        public Vault CreateVault(
            string resourceGroupName,
            string vaultName,
            string region,
            SkuName sku                       = SkuName.Premium,
            Permissions permissions           = null,
            bool?enabledForDeployment         = true,
            bool?enabledForDiskEncryption     = true,
            bool?enabledForTemplateDeployment = true,
            bool?enableSoftDelete             = null)
        {
            var accessPolicies = new List <AccessPolicyEntry>()
            {
                new AccessPolicyEntry
                {
                    TenantId    = Guid.Parse(commonData.TenantId),
                    ObjectId    = commonData.ClientObjectId,
                    Permissions = permissions ?? DefaultPermissions
                }
            };

            var properties = new VaultProperties
            {
                TenantId = Guid.Parse(commonData.TenantId),
                Sku      = new Sku
                {
                    Name = sku
                },
                AccessPolicies               = accessPolicies,
                EnabledForDeployment         = enabledForDeployment,
                EnabledForDiskEncryption     = enabledForDiskEncryption,
                EnabledForTemplateDeployment = enabledForTemplateDeployment,
                EnableSoftDelete             = enableSoftDelete
            };

            var parameters = new VaultCreateOrUpdateParameters
            {
                Location   = region,
                Properties = properties
            };

            return(keyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupName, vaultName, parameters));
        }
Exemple #3
0
        /// <summary>
        /// Set vault permissions to some resource by its object id.
        /// </summary>
        /// <param name="vault"></param>
        /// <param name="resourceGroupName"></param>
        /// <param name="objectId"></param>
        /// <param name="permissions"></param>
        /// <returns></returns>
        public Vault SetVaultPermissions(Vault vault, string resourceGroupName, string objectId, Permissions permissions)
        {
            vault.Properties.AccessPolicies.Add(
                new AccessPolicyEntry
            {
                TenantId    = Guid.Parse(commonData.TenantId),
                ObjectId    = objectId,
                Permissions = permissions
            }
                );

            var updateParams = new VaultCreateOrUpdateParameters
            {
                Location   = vault.Location,
                Properties = vault.Properties
            };

            return(keyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupName, vault.Name, updateParams));
        }
Exemple #4
0
        public void TestCreateKafkaClusterWithDiskEncryption()
        {
            TestInitialize();

            string mockedTenantId = TestUtilities.GenerateGuid().ToString();

            CommonData.TenantId = GetTenantId();
            this.Context.AddTextReplacementRule(CommonData.TenantId, mockedTenantId);

            string mockedClientObjectId = TestUtilities.GenerateGuid().ToString();

            CommonData.ClientObjectId = GetServicePrincipalObjectId();
            this.Context.AddTextReplacementRule(CommonData.ClientObjectId, mockedClientObjectId);

            Vault vault = null;

            try
            {
                // create key vault with soft delete enabled
                vault = CreateVault(CommonData.VaultName, true);

                // create managed identities for Azure resources.
                var msi = CreateMsi(CommonData.ManagedIdentityName);

                // add managed identity to vault
                var requiredPermissions = new Permissions
                {
                    Keys = new List <string>()
                    {
                        KeyPermissions.Get, KeyPermissions.WrapKey, KeyPermissions.UnwrapKey
                    },
                    Secrets = new List <string>()
                    {
                        SecretPermissions.Get, SecretPermissions.Set, SecretPermissions.Delete
                    }
                };

                vault = SetVaultPermissions(vault, msi.PrincipalId.ToString(), requiredPermissions);
                Assert.NotNull(vault);

                // create key
                string keyName       = TestUtilities.GenerateName("hdicsharpkey1");
                var    keyIdentifier = GenerateVaultKey(vault, keyName);

                // create HDInsight cluster with Kafka disk encryption
                string clusterName  = TestUtilities.GenerateName("hdisdk-kafka-byok");
                var    createParams = CommonData.PrepareClusterCreateParamsForWasb();
                createParams.Properties.ClusterDefinition.Kind = "Kafka";
                var workerNode = createParams.Properties.ComputeProfile.Roles.First(role => role.Name == "workernode");
                workerNode.DataDisksGroups = new List <DataDisksGroups>
                {
                    new DataDisksGroups
                    {
                        DisksPerNode = 8
                    }
                };

                createParams.Identity = new ClusterIdentity
                {
                    Type = ResourceIdentityType.UserAssigned,
                    UserAssignedIdentities = new Dictionary <string, UserAssignedIdentity>
                    {
                        { msi.Id, new UserAssignedIdentity() }
                    }
                };

                createParams.Properties.DiskEncryptionProperties = new DiskEncryptionProperties
                {
                    VaultUri      = keyIdentifier.Vault,
                    KeyName       = keyIdentifier.Name,
                    KeyVersion    = keyIdentifier.Version,
                    MsiResourceId = msi.Id
                };

                var cluster = HDInsightClient.Clusters.Create(CommonData.ResourceGroupName, clusterName, createParams);
                ValidateCluster(clusterName, createParams, cluster);

                // check disk encryption properties
                var diskEncryptionProperties       = cluster.Properties.DiskEncryptionProperties;
                var diskEncryptionPropertiesParams = createParams.Properties.DiskEncryptionProperties;
                Assert.NotNull(diskEncryptionProperties);
                Assert.Equal(diskEncryptionPropertiesParams.VaultUri, diskEncryptionProperties.VaultUri);
                Assert.Equal(diskEncryptionPropertiesParams.KeyName, diskEncryptionProperties.KeyName);
                Assert.Equal(diskEncryptionPropertiesParams.KeyVersion, diskEncryptionProperties.KeyVersion);
                Assert.Equal(msi.Id, diskEncryptionProperties.MsiResourceId, true);

                keyName = TestUtilities.GenerateName("hdicsharpkey2");
                var secondKeyIdentifier = GenerateVaultKey(vault, keyName);

                // rotate cluster key
                var rotateParams = new ClusterDiskEncryptionParameters
                {
                    VaultUri   = secondKeyIdentifier.Vault,
                    KeyName    = secondKeyIdentifier.Name,
                    KeyVersion = secondKeyIdentifier.Version
                };

                HDInsightClient.Clusters.RotateDiskEncryptionKey(CommonData.ResourceGroupName, clusterName, rotateParams);
                cluster = HDInsightClient.Clusters.Get(CommonData.ResourceGroupName, clusterName);

                // check disk encryption properties
                diskEncryptionProperties = cluster.Properties.DiskEncryptionProperties;
                Assert.NotNull(diskEncryptionProperties);
                Assert.Equal(rotateParams.VaultUri, diskEncryptionProperties.VaultUri);
                Assert.Equal(rotateParams.KeyName, diskEncryptionProperties.KeyName);
                Assert.Equal(rotateParams.KeyVersion, diskEncryptionProperties.KeyVersion);
                Assert.Equal(msi.Id, diskEncryptionProperties.MsiResourceId, true);
            }
            finally
            {
                if (vault != null)
                {
                    DeleteVault(vault);
                }
            }
        }