/**
* Azure App Service basic sample for managing web apps.
* - Create a Cosmos DB with credentials stored in a Key Vault
* - Create a web app which interacts with the Cosmos DB by first
* reading the secrets from the Key Vault.
*
* The source code of the web app is located at Asset/documentdb-dotnet-todo-app
*/
public static void RunSample(IAzure azure)
{
Region region = Region.USWest;
string appName = SdkContext.RandomResourceName("webapp-", 20);
string rgName = SdkContext.RandomResourceName("rg1NEMV_", 24);
string vaultName = SdkContext.RandomResourceName("vault", 20);
string cosmosName = SdkContext.RandomResourceName("cosmosdb", 20);
string appUrl = appName + ".azurewebsites.net";
try
{
//============================================================
// Create a CosmosDB
Utilities.Log("Creating a CosmosDB...");
ICosmosDBAccount cosmosDBAccount = azure.CosmosDBAccounts.Define(cosmosName)
.WithRegion(region)
.WithNewResourceGroup(rgName)
.WithKind(DatabaseAccountKind.GlobalDocumentDB)
.WithEventualConsistency()
.WithWriteReplication(Region.USEast)
.WithReadReplication(Region.USCentral)
.Create();
Utilities.Log("Created CosmosDB");
Utilities.Log(cosmosDBAccount);
//============================================================
// Create a key vault
var servicePrincipalInfo = ParseAuthFile(Environment.GetEnvironmentVariable("AZURE_AUTH_LOCATION"));
IVault vault = azure.Vaults
.Define(vaultName)
.WithRegion(region)
.WithNewResourceGroup(rgName)
.DefineAccessPolicy()
.ForServicePrincipal(servicePrincipalInfo.ClientId)
.AllowSecretAllPermissions()
.Attach()
.Create();
SdkContext.DelayProvider.Delay(10000);
//============================================================
// Store Cosmos DB credentials in Key Vault
IKeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(async(authority, resource, scope) =>
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var result = await context.AcquireTokenAsync(resource, new ClientCredential(servicePrincipalInfo.ClientId, servicePrincipalInfo.ClientSecret));
return(result.AccessToken);
}), ((KeyVaultManagementClient)azure.Vaults.Manager.Inner).HttpClient);
keyVaultClient.SetSecretAsync(vault.VaultUri, "azure-documentdb-uri", cosmosDBAccount.DocumentEndpoint).GetAwaiter().GetResult();
keyVaultClient.SetSecretAsync(vault.VaultUri, "azure-documentdb-key", cosmosDBAccount.ListKeys().PrimaryMasterKey).GetAwaiter().GetResult();
keyVaultClient.SetSecretAsync(vault.VaultUri, "azure-documentdb-database", "tododb").GetAwaiter().GetResult();
//============================================================
// Create a web app with a new app service plan
Utilities.Log("Creating web app " + appName + " in resource group " + rgName + "...");
IWebApp app = azure.WebApps
.Define(appName)
.WithRegion(region)
.WithExistingResourceGroup(rgName)
.WithNewWindowsPlan(PricingTier.StandardS1)
.WithNetFrameworkVersion(NetFrameworkVersion.V4_6)
.WithAppSetting("AZURE_KEYVAULT_URI", vault.VaultUri)
.WithSystemAssignedManagedServiceIdentity()
.Create();
Utilities.Log("Created web app " + app.Name);
Utilities.Log(app);
//============================================================
// Update vault to allow the web app to access
vault.Update()
.DefineAccessPolicy()
.ForObjectId(app.SystemAssignedManagedServiceIdentityPrincipalId)
.AllowSecretAllPermissions()
.Attach()
.Apply();
//============================================================
// Deploy to web app through local Git
Utilities.Log("Deploying a local asp.net application to " + appName + " through Git...");
var profile = app.GetPublishingProfile();
Utilities.DeployByGit(profile, "documentdb-dotnet-todo-app");
Utilities.Log("Deployment to web app " + app.Name + " completed");
Utilities.Print(app);
// warm up
Utilities.Log("Warming up " + appUrl + "...");
Utilities.CheckAddress("http://" + appUrl);
SdkContext.DelayProvider.Delay(5000);
Utilities.Log("CURLing " + appUrl + "...");
Utilities.Log(Utilities.CheckAddress("http://" + appUrl));
}
finally
{
try
{
Utilities.Log("Deleting Resource Group: " + rgName);
azure.ResourceGroups.DeleteByName(rgName);
Utilities.Log("Deleted Resource Group: " + rgName);
}
catch (NullReferenceException)
{
Utilities.Log("Did not create any resources in Azure. No clean up is necessary");
}
catch (Exception g)
{
Utilities.Log(g);
}
}
}
public void CanCRUDKeyVault()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
string vaultName1 = TestUtilities.GenerateName("vault1");
string vaultName2 = TestUtilities.GenerateName("vault2");
string rgName = TestUtilities.GenerateName("rgNEMV");
IKeyVaultManager manager = TestHelper.CreateKeyVaultManager();
var spnCredentialsClientId = HttpMockServer.Variables[ConnectionStringKeys.ServicePrincipalKey];
try
{
IVault vault1 = manager.Vaults
.Define(vaultName1)
.WithRegion(Region.USWest)
.WithNewResourceGroup(rgName)
.WithEmptyAccessPolicy()
.Create();
Assert.NotNull(vault1);
Assert.Equal(vaultName1, vault1.Name);
Assert.Equal(0, vault1.AccessPolicies.Count);
vault1 = vault1.Update()
.DefineAccessPolicy()
.ForServicePrincipal(spnCredentialsClientId)
.AllowKeyAllPermissions()
.AllowSecretPermissions(SecretPermissions.Get)
.AllowSecretPermissions(SecretPermissions.List)
.Attach()
.Apply();
Assert.NotNull(vault1);
Assert.Equal(1, vault1.AccessPolicies.Count);
Assert.Equal(KeyPermissions.All.ToString(), vault1.AccessPolicies[0].Permissions.Keys[0]);
Assert.Equal(2, vault1.AccessPolicies[0].Permissions.Secrets.Count);
vault1 = vault1.Update()
.WithDeploymentEnabled()
.WithTemplateDeploymentEnabled()
.UpdateAccessPolicy(vault1.AccessPolicies.First().ObjectId)
.AllowSecretAllPermissions()
.Parent()
.Apply();
Assert.Equal(1, vault1.AccessPolicies.Count);
Assert.Equal(3, vault1.AccessPolicies[0].Permissions.Secrets.Count);
IVault vault2 = manager.Vaults
.Define(vaultName2)
.WithRegion(Region.USEast)
.WithExistingResourceGroup(rgName)
.DefineAccessPolicy()
.ForServicePrincipal(spnCredentialsClientId)
.AllowKeyPermissions(KeyPermissions.Get)
.AllowKeyPermissions(KeyPermissions.List)
.AllowKeyPermissions(KeyPermissions.Decrypt)
.AllowSecretPermissions(SecretPermissions.Get)
.Attach()
.Create();
Assert.Equal(1, vault2.AccessPolicies.Count);
Assert.Equal(3, vault2.AccessPolicies[0].Permissions.Keys.Count);
var vaults = manager.Vaults.ListByResourceGroup(rgName);
Assert.Equal(2, vaults.Count());
manager.Vaults.DeleteById(vault1.Id);
manager.Vaults.DeleteById(vault2.Id);
vaults = manager.Vaults.ListByResourceGroup(rgName);
Assert.Empty(vaults);
}
finally
{
try
{
TestHelper.CreateResourceManager().ResourceGroups.DeleteByName(rgName);
}
catch { }
}
}
}
public void CanCRUDKeyVault()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
// Create user service principal
String sp = SdkContext.RandomResourceName("sp", 20);
String us = SdkContext.RandomResourceName("us", 20);
IGraphRbacManager graphManager = TestHelper.CreateGraphRbacManager();
string vaultName1 = TestUtilities.GenerateName("vault1");
string rgName = TestUtilities.GenerateName("rgNEMV");
IKeyVaultManager manager = TestHelper.CreateKeyVaultManager();
IServicePrincipal servicePrincipal = graphManager.ServicePrincipals
.Define(sp)
.WithNewApplication("http://" + sp)
.Create();
IActiveDirectoryUser user = graphManager.Users
.Define(us)
.WithEmailAlias(us)
.WithPassword("P@$$w0rd")
.Create();
//var spnCredentialsClientId = HttpMockServer.Variables[ConnectionStringKeys.ServicePrincipalKey];
try
{
IVault vault = manager.Vaults
.Define(vaultName1)
.WithRegion(Region.USWest)
.WithNewResourceGroup(rgName)
.DefineAccessPolicy()
.ForServicePrincipal("http://" + sp)
.AllowKeyPermissions(KeyPermissions.List)
.AllowSecretAllPermissions()
.AllowCertificatePermissions(CertificatePermissions.Get)
.Attach()
.DefineAccessPolicy()
.ForUser(us)
.AllowKeyAllPermissions()
.AllowSecretAllPermissions()
.AllowCertificatePermissions(CertificatePermissions.Get, CertificatePermissions.List, CertificatePermissions.Create)
.Attach()
.Create();
Assert.NotNull(vault);
Assert.Equal(vaultName1, vault.Name);
foreach (IAccessPolicy policy in vault.AccessPolicies)
{
if (policy.ObjectId.Equals(servicePrincipal.Id))
{
Assert.Equal(1, policy.Permissions.Keys.Count);
Assert.Equal(KeyPermissions.List.Value, policy.Permissions.Keys[0]);
Assert.Equal(8, policy.Permissions.Secrets.Count);
Assert.Equal(1, policy.Permissions.Certificates.Count);
Assert.Equal(CertificatePermissions.Get.Value, policy.Permissions.Certificates[0]);
}
if (policy.ObjectId.Equals(user.Id))
{
Assert.Equal(16, policy.Permissions.Keys.Count);
Assert.Equal(8, policy.Permissions.Secrets.Count);
Assert.Equal(3, policy.Permissions.Certificates.Count);
}
}
vault = vault.Update()
.UpdateAccessPolicy(servicePrincipal.Id)
.AllowKeyAllPermissions()
.DisallowSecretAllPermissions()
.AllowCertificateAllPermissions()
.Parent()
.Apply();
foreach (IAccessPolicy policy in vault.AccessPolicies)
{
if (policy.ObjectId.Equals(servicePrincipal.Id))
{
Assert.Equal(16, policy.Permissions.Keys.Count);
Assert.Equal(0, policy.Permissions.Secrets.Count);
Assert.Equal(14, policy.Permissions.Certificates.Count);
}
}
}
finally
{
try
{
TestHelper.CreateResourceManager().ResourceGroups.DeleteByName(rgName);
}
catch { }
}
}
}
// This method will be called for each input received from the pipeline to this cmdlet; if no input is received, this method is not called
protected override void ProcessRecord()
{
ProgressRecord progress = new ProgressRecord(1, "SimpleSwarm Setup", "Connecting to Azure...");
WriteProgress(progress);
var credentials = SdkContext.AzureCredentialsFactory.FromFile(Environment.GetEnvironmentVariable("AZURE_AUTH_LOCATION"));
var azure = Microsoft.Azure.Management.Fluent.Azure
.Configure()
.Authenticate(credentials)
.WithDefaultSubscription();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Resource Group...");
WriteProgress(progress);
IResourceGroup resourceGroup = azure.ResourceGroups
.Define(resourceGroupName)
.WithRegion(location)
.Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Swarm Manager Identity...");
WriteProgress(progress);
IIdentity identityManager = azure.Identities
.Define("AzSwarmManager")
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Swarm Worker Identity...");
WriteProgress(progress);
IIdentity identityWorker = azure.Identities
.Define("AzSwarmWorker")
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Key Vault...");
WriteProgress(progress);
IVault keyVault = azure.Vaults
.Define(SdkContext.RandomResourceName("azswarmkv-", 20))
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.WithEmptyAccessPolicy().Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Updating Key Vault Swarm Manager Access Policy...");
WriteProgress(progress);
keyVault.Update()
.DefineAccessPolicy()
.ForObjectId(identityManager.PrincipalId)
.AllowSecretAllPermissions()
.Attach()
.Apply();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Updating Key Vault Swarm Worker Access Policy...");
WriteProgress(progress);
keyVault.Update()
.DefineAccessPolicy()
.ForObjectId(identityWorker.PrincipalId)
.AllowSecretPermissions(SecretPermissions.Get)
.AllowSecretPermissions(SecretPermissions.List)
.Attach()
.Apply();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Virtual Network...");
WriteProgress(progress);
INetwork network = azure.Networks
.Define(SdkContext.RandomResourceName("AzSwarmNetwork", 20))
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.WithAddressSpace("10.0.0.0/16")
.WithSubnet("AzSwarmSubnet", "10.0.0.0/24")
.Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Storage Account...");
WriteProgress(progress);
IStorageAccount storage = azure.StorageAccounts
.Define(SdkContext.RandomResourceName("azswarmst", 20))
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.WithAccessFromAllNetworks()
.WithAccessFromAzureServices()
.WithGeneralPurposeAccountKindV2()
.WithOnlyHttpsTraffic()
.WithSku(StorageAccountSkuType.Standard_LRS)
.Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Storage Account Table...");
WriteProgress(progress);
var storageAccountAccessKeys = storage.GetKeys();
string storageConnectionString = "DefaultEndpointsProtocol=https"
+ ";AccountName=" + storage.Name
+ ";AccountKey=" + storageAccountAccessKeys[0].Value
+ ";EndpointSuffix=core.windows.net";
var cloudStorageAccount = CloudStorageAccount.Parse(storageConnectionString);
CloudTableClient tableClient = cloudStorageAccount.CreateCloudTableClient(new TableClientConfiguration());
CloudTable table = tableClient.GetTableReference("SimpleSwarmSetup");
table.CreateIfNotExists();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Manager Availability Set...");
WriteProgress(progress);
IAvailabilitySet availabilitySetManager = azure.AvailabilitySets.Define("azswarm-manager-avset")
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.WithFaultDomainCount(3)
.WithUpdateDomainCount(5)
.Create();
progress = new ProgressRecord(1, "SimpleSwarm Setup", "Creating Manager Availability Set...");
WriteProgress(progress);
IAvailabilitySet availabilitySetWorker = azure.AvailabilitySets.Define("azswarm-worker-avset")
.WithRegion(location)
.WithExistingResourceGroup(resourceGroup)
.WithFaultDomainCount(3)
.WithUpdateDomainCount(5)
.Create();
WriteVerbose("SimpleSwarm Setup Completed");
}
