/** * Azure App Service basic sample for managing web apps. * - Create a Cosmos DB with credentials stored in a Key Vault * - Create a web app which interacts with the Cosmos DB by first * reading the secrets from the Key Vault. * * The source code of the web app is located at Asset/documentdb-dotnet-todo-app */ public static void RunSample(IAzure azure) { Region region = Region.USWest; string appName = SdkContext.RandomResourceName("webapp-", 20); string rgName = SdkContext.RandomResourceName("rg1NEMV_", 24); string vaultName = SdkContext.RandomResourceName("vault", 20); string cosmosName = SdkContext.RandomResourceName("cosmosdb", 20); string appUrl = appName + ".azurewebsites.net"; try { //============================================================ // Create a CosmosDB Utilities.Log("Creating a CosmosDB..."); ICosmosDBAccount cosmosDBAccount = azure.CosmosDBAccounts.Define(cosmosName) .WithRegion(region) .WithNewResourceGroup(rgName) .WithKind(DatabaseAccountKind.GlobalDocumentDB) .WithEventualConsistency() .WithWriteReplication(Region.USEast) .WithReadReplication(Region.USCentral) .Create(); Utilities.Log("Created CosmosDB"); Utilities.Log(cosmosDBAccount); //============================================================ // Create a key vault var servicePrincipalInfo = ParseAuthFile(Environment.GetEnvironmentVariable("AZURE_AUTH_LOCATION")); IVault vault = azure.Vaults .Define(vaultName) .WithRegion(region) .WithNewResourceGroup(rgName) .DefineAccessPolicy() .ForServicePrincipal(servicePrincipalInfo.ClientId) .AllowSecretAllPermissions() .Attach() .Create(); SdkContext.DelayProvider.Delay(10000); //============================================================ // Store Cosmos DB credentials in Key Vault IKeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(async(authority, resource, scope) => { var context = new AuthenticationContext(authority, TokenCache.DefaultShared); var result = await context.AcquireTokenAsync(resource, new ClientCredential(servicePrincipalInfo.ClientId, servicePrincipalInfo.ClientSecret)); return(result.AccessToken); }), ((KeyVaultManagementClient)azure.Vaults.Manager.Inner).HttpClient); keyVaultClient.SetSecretAsync(vault.VaultUri, "azure-documentdb-uri", cosmosDBAccount.DocumentEndpoint).GetAwaiter().GetResult(); keyVaultClient.SetSecretAsync(vault.VaultUri, "azure-documentdb-key", cosmosDBAccount.ListKeys().PrimaryMasterKey).GetAwaiter().GetResult(); keyVaultClient.SetSecretAsync(vault.VaultUri, "azure-documentdb-database", "tododb").GetAwaiter().GetResult(); //============================================================ // Create a web app with a new app service plan Utilities.Log("Creating web app " + appName + " in resource group " + rgName + "..."); IWebApp app = azure.WebApps .Define(appName) .WithRegion(region) .WithExistingResourceGroup(rgName) .WithNewWindowsPlan(PricingTier.StandardS1) .WithNetFrameworkVersion(NetFrameworkVersion.V4_6) .WithAppSetting("AZURE_KEYVAULT_URI", vault.VaultUri) .WithSystemAssignedManagedServiceIdentity() .Create(); Utilities.Log("Created web app " + app.Name); Utilities.Log(app); //============================================================ // Update vault to allow the web app to access vault.Update() .DefineAccessPolicy() .ForObjectId(app.SystemAssignedManagedServiceIdentityPrincipalId) .AllowSecretAllPermissions() .Attach() .Apply(); //============================================================ // Deploy to web app through local Git Utilities.Log("Deploying a local asp.net application to " + appName + " through Git..."); var profile = app.GetPublishingProfile(); Utilities.DeployByGit(profile, "documentdb-dotnet-todo-app"); Utilities.Log("Deployment to web app " + app.Name + " completed"); Utilities.Print(app); // warm up Utilities.Log("Warming up " + appUrl + "..."); Utilities.CheckAddress("http://" + appUrl); SdkContext.DelayProvider.Delay(5000); Utilities.Log("CURLing " + appUrl + "..."); Utilities.Log(Utilities.CheckAddress("http://" + appUrl)); } finally { try { Utilities.Log("Deleting Resource Group: " + rgName); azure.ResourceGroups.DeleteByName(rgName); Utilities.Log("Deleted Resource Group: " + rgName); } catch (NullReferenceException) { Utilities.Log("Did not create any resources in Azure. No clean up is necessary"); } catch (Exception g) { Utilities.Log(g); } } }
public void CanCRUDKeyVault() { using (var context = FluentMockContext.Start(GetType().FullName)) { string vaultName1 = TestUtilities.GenerateName("vault1"); string vaultName2 = TestUtilities.GenerateName("vault2"); string rgName = TestUtilities.GenerateName("rgNEMV"); IKeyVaultManager manager = TestHelper.CreateKeyVaultManager(); var spnCredentialsClientId = HttpMockServer.Variables[ConnectionStringKeys.ServicePrincipalKey]; try { IVault vault1 = manager.Vaults .Define(vaultName1) .WithRegion(Region.USWest) .WithNewResourceGroup(rgName) .WithEmptyAccessPolicy() .Create(); Assert.NotNull(vault1); Assert.Equal(vaultName1, vault1.Name); Assert.Equal(0, vault1.AccessPolicies.Count); vault1 = vault1.Update() .DefineAccessPolicy() .ForServicePrincipal(spnCredentialsClientId) .AllowKeyAllPermissions() .AllowSecretPermissions(SecretPermissions.Get) .AllowSecretPermissions(SecretPermissions.List) .Attach() .Apply(); Assert.NotNull(vault1); Assert.Equal(1, vault1.AccessPolicies.Count); Assert.Equal(KeyPermissions.All.ToString(), vault1.AccessPolicies[0].Permissions.Keys[0]); Assert.Equal(2, vault1.AccessPolicies[0].Permissions.Secrets.Count); vault1 = vault1.Update() .WithDeploymentEnabled() .WithTemplateDeploymentEnabled() .UpdateAccessPolicy(vault1.AccessPolicies.First().ObjectId) .AllowSecretAllPermissions() .Parent() .Apply(); Assert.Equal(1, vault1.AccessPolicies.Count); Assert.Equal(3, vault1.AccessPolicies[0].Permissions.Secrets.Count); IVault vault2 = manager.Vaults .Define(vaultName2) .WithRegion(Region.USEast) .WithExistingResourceGroup(rgName) .DefineAccessPolicy() .ForServicePrincipal(spnCredentialsClientId) .AllowKeyPermissions(KeyPermissions.Get) .AllowKeyPermissions(KeyPermissions.List) .AllowKeyPermissions(KeyPermissions.Decrypt) .AllowSecretPermissions(SecretPermissions.Get) .Attach() .Create(); Assert.Equal(1, vault2.AccessPolicies.Count); Assert.Equal(3, vault2.AccessPolicies[0].Permissions.Keys.Count); var vaults = manager.Vaults.ListByResourceGroup(rgName); Assert.Equal(2, vaults.Count()); manager.Vaults.DeleteById(vault1.Id); manager.Vaults.DeleteById(vault2.Id); vaults = manager.Vaults.ListByResourceGroup(rgName); Assert.Empty(vaults); } finally { try { TestHelper.CreateResourceManager().ResourceGroups.DeleteByName(rgName); } catch { } } } }
public void CanCRUDKeyVault() { using (var context = FluentMockContext.Start(GetType().FullName)) { // Create user service principal String sp = SdkContext.RandomResourceName("sp", 20); String us = SdkContext.RandomResourceName("us", 20); IGraphRbacManager graphManager = TestHelper.CreateGraphRbacManager(); string vaultName1 = TestUtilities.GenerateName("vault1"); string rgName = TestUtilities.GenerateName("rgNEMV"); IKeyVaultManager manager = TestHelper.CreateKeyVaultManager(); IServicePrincipal servicePrincipal = graphManager.ServicePrincipals .Define(sp) .WithNewApplication("http://" + sp) .Create(); IActiveDirectoryUser user = graphManager.Users .Define(us) .WithEmailAlias(us) .WithPassword("P@$$w0rd") .Create(); //var spnCredentialsClientId = HttpMockServer.Variables[ConnectionStringKeys.ServicePrincipalKey]; try { IVault vault = manager.Vaults .Define(vaultName1) .WithRegion(Region.USWest) .WithNewResourceGroup(rgName) .DefineAccessPolicy() .ForServicePrincipal("http://" + sp) .AllowKeyPermissions(KeyPermissions.List) .AllowSecretAllPermissions() .AllowCertificatePermissions(CertificatePermissions.Get) .Attach() .DefineAccessPolicy() .ForUser(us) .AllowKeyAllPermissions() .AllowSecretAllPermissions() .AllowCertificatePermissions(CertificatePermissions.Get, CertificatePermissions.List, CertificatePermissions.Create) .Attach() .Create(); Assert.NotNull(vault); Assert.Equal(vaultName1, vault.Name); foreach (IAccessPolicy policy in vault.AccessPolicies) { if (policy.ObjectId.Equals(servicePrincipal.Id)) { Assert.Equal(1, policy.Permissions.Keys.Count); Assert.Equal(KeyPermissions.List.Value, policy.Permissions.Keys[0]); Assert.Equal(8, policy.Permissions.Secrets.Count); Assert.Equal(1, policy.Permissions.Certificates.Count); Assert.Equal(CertificatePermissions.Get.Value, policy.Permissions.Certificates[0]); } if (policy.ObjectId.Equals(user.Id)) { Assert.Equal(16, policy.Permissions.Keys.Count); Assert.Equal(8, policy.Permissions.Secrets.Count); Assert.Equal(3, policy.Permissions.Certificates.Count); } } vault = vault.Update() .UpdateAccessPolicy(servicePrincipal.Id) .AllowKeyAllPermissions() .DisallowSecretAllPermissions() .AllowCertificateAllPermissions() .Parent() .Apply(); foreach (IAccessPolicy policy in vault.AccessPolicies) { if (policy.ObjectId.Equals(servicePrincipal.Id)) { Assert.Equal(16, policy.Permissions.Keys.Count); Assert.Equal(0, policy.Permissions.Secrets.Count); Assert.Equal(14, policy.Permissions.Certificates.Count); } } } finally { try { TestHelper.CreateResourceManager().ResourceGroups.DeleteByName(rgName); } catch { } } } }
// This method will be called for each input received from the pipeline to this cmdlet; if no input is received, this method is not called protected override void ProcessRecord() { ProgressRecord progress = new ProgressRecord(1, "SimpleSwarm Setup", "Connecting to Azure..."); WriteProgress(progress); var credentials = SdkContext.AzureCredentialsFactory.FromFile(Environment.GetEnvironmentVariable("AZURE_AUTH_LOCATION")); var azure = Microsoft.Azure.Management.Fluent.Azure .Configure() .Authenticate(credentials) .WithDefaultSubscription(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Resource Group..."); WriteProgress(progress); IResourceGroup resourceGroup = azure.ResourceGroups .Define(resourceGroupName) .WithRegion(location) .Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Swarm Manager Identity..."); WriteProgress(progress); IIdentity identityManager = azure.Identities .Define("AzSwarmManager") .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Swarm Worker Identity..."); WriteProgress(progress); IIdentity identityWorker = azure.Identities .Define("AzSwarmWorker") .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Key Vault..."); WriteProgress(progress); IVault keyVault = azure.Vaults .Define(SdkContext.RandomResourceName("azswarmkv-", 20)) .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .WithEmptyAccessPolicy().Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Updating Key Vault Swarm Manager Access Policy..."); WriteProgress(progress); keyVault.Update() .DefineAccessPolicy() .ForObjectId(identityManager.PrincipalId) .AllowSecretAllPermissions() .Attach() .Apply(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Updating Key Vault Swarm Worker Access Policy..."); WriteProgress(progress); keyVault.Update() .DefineAccessPolicy() .ForObjectId(identityWorker.PrincipalId) .AllowSecretPermissions(SecretPermissions.Get) .AllowSecretPermissions(SecretPermissions.List) .Attach() .Apply(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Virtual Network..."); WriteProgress(progress); INetwork network = azure.Networks .Define(SdkContext.RandomResourceName("AzSwarmNetwork", 20)) .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .WithAddressSpace("10.0.0.0/16") .WithSubnet("AzSwarmSubnet", "10.0.0.0/24") .Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Storage Account..."); WriteProgress(progress); IStorageAccount storage = azure.StorageAccounts .Define(SdkContext.RandomResourceName("azswarmst", 20)) .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .WithAccessFromAllNetworks() .WithAccessFromAzureServices() .WithGeneralPurposeAccountKindV2() .WithOnlyHttpsTraffic() .WithSku(StorageAccountSkuType.Standard_LRS) .Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Storage Account Table..."); WriteProgress(progress); var storageAccountAccessKeys = storage.GetKeys(); string storageConnectionString = "DefaultEndpointsProtocol=https" + ";AccountName=" + storage.Name + ";AccountKey=" + storageAccountAccessKeys[0].Value + ";EndpointSuffix=core.windows.net"; var cloudStorageAccount = CloudStorageAccount.Parse(storageConnectionString); CloudTableClient tableClient = cloudStorageAccount.CreateCloudTableClient(new TableClientConfiguration()); CloudTable table = tableClient.GetTableReference("SimpleSwarmSetup"); table.CreateIfNotExists(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Manager Availability Set..."); WriteProgress(progress); IAvailabilitySet availabilitySetManager = azure.AvailabilitySets.Define("azswarm-manager-avset") .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .WithFaultDomainCount(3) .WithUpdateDomainCount(5) .Create(); progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Manager Availability Set..."); WriteProgress(progress); IAvailabilitySet availabilitySetWorker = azure.AvailabilitySets.Define("azswarm-worker-avset") .WithRegion(location) .WithExistingResourceGroup(resourceGroup) .WithFaultDomainCount(3) .WithUpdateDomainCount(5) .Create(); WriteVerbose("SimpleSwarm Setup Completed"); }