public async Task <Vault> CreateKeyVaultAsync( Identity.Identity portalIdentity, Identity.Identity ownerIdentity, Guid subscriptionId, string resourceGroupName, string location, string keyVaultName, string environmentName) { await RegisterProvider(subscriptionId, "Microsoft.KeyVault"); var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var kvClient = new KeyVaultManagementClient(token) { SubscriptionId = subscriptionId.ToString() }; var permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions( secrets: new[] { "get", "list", "set", "delete" }, certificates: new[] { "get", "list", "update", "delete", "create", "import" }); var accessPolicies = new[] { // Portal MSI new AccessPolicyEntry( portalIdentity.TenantId, portalIdentity.ObjectId.ToString(), permissions), // Owner new AccessPolicyEntry( ownerIdentity.TenantId, ownerIdentity.ObjectId.ToString(), permissions) }; // TODO - Make SKU configurable var kvParams = new VaultCreateOrUpdateParameters( location, new VaultProperties( portalIdentity.TenantId, new Microsoft.Azure.Management.KeyVault.Models.Sku(Microsoft.Azure.Management.KeyVault.Models.SkuName.Standard), accessPolicies), GetEnvironmentTags(environmentName)); return(await kvClient.Vaults.CreateOrUpdateAsync( resourceGroupName, keyVaultName, kvParams)); }
/// <summary> /// Create key vault. /// </summary> /// <param name="resourceGroupName"></param> /// <param name="vaultName"></param> /// <param name="region"></param> /// <param name="sku"></param> /// <param name="permissions"></param> /// <param name="enabledForDeployment"></param> /// <param name="enabledForDiskEncryption"></param> /// <param name="enabledForTemplateDeployment"></param> /// <param name="enableSoftDelete"></param> /// <returns></returns> public Vault CreateVault( string resourceGroupName, string vaultName, string region, SkuName sku = SkuName.Premium, Permissions permissions = null, bool?enabledForDeployment = true, bool?enabledForDiskEncryption = true, bool?enabledForTemplateDeployment = true, bool?enableSoftDelete = null) { var accessPolicies = new List <AccessPolicyEntry>() { new AccessPolicyEntry { TenantId = Guid.Parse(commonData.TenantId), ObjectId = commonData.ClientObjectId, Permissions = permissions ?? DefaultPermissions } }; var properties = new VaultProperties { TenantId = Guid.Parse(commonData.TenantId), Sku = new Sku { Name = sku }, AccessPolicies = accessPolicies, EnabledForDeployment = enabledForDeployment, EnabledForDiskEncryption = enabledForDiskEncryption, EnabledForTemplateDeployment = enabledForTemplateDeployment, EnableSoftDelete = enableSoftDelete }; var parameters = new VaultCreateOrUpdateParameters { Location = region, Properties = properties }; return(keyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupName, vaultName, parameters)); }
/// <summary> /// Set vault permissions to some resource by its object id. /// </summary> /// <param name="vault"></param> /// <param name="resourceGroupName"></param> /// <param name="objectId"></param> /// <param name="permissions"></param> /// <returns></returns> public Vault SetVaultPermissions(Vault vault, string resourceGroupName, string objectId, Permissions permissions) { vault.Properties.AccessPolicies.Add( new AccessPolicyEntry { TenantId = Guid.Parse(commonData.TenantId), ObjectId = objectId, Permissions = permissions } ); var updateParams = new VaultCreateOrUpdateParameters { Location = vault.Location, Properties = vault.Properties }; return(keyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupName, vault.Name, updateParams)); }
public void TestCreateKafkaClusterWithDiskEncryption() { TestInitialize(); string mockedTenantId = TestUtilities.GenerateGuid().ToString(); CommonData.TenantId = GetTenantId(); this.Context.AddTextReplacementRule(CommonData.TenantId, mockedTenantId); string mockedClientObjectId = TestUtilities.GenerateGuid().ToString(); CommonData.ClientObjectId = GetServicePrincipalObjectId(); this.Context.AddTextReplacementRule(CommonData.ClientObjectId, mockedClientObjectId); Vault vault = null; try { // create key vault with soft delete enabled vault = CreateVault(CommonData.VaultName, true); // create managed identities for Azure resources. var msi = CreateMsi(CommonData.ManagedIdentityName); // add managed identity to vault var requiredPermissions = new Permissions { Keys = new List <string>() { KeyPermissions.Get, KeyPermissions.WrapKey, KeyPermissions.UnwrapKey }, Secrets = new List <string>() { SecretPermissions.Get, SecretPermissions.Set, SecretPermissions.Delete } }; vault = SetVaultPermissions(vault, msi.PrincipalId.ToString(), requiredPermissions); Assert.NotNull(vault); // create key string keyName = TestUtilities.GenerateName("hdicsharpkey1"); var keyIdentifier = GenerateVaultKey(vault, keyName); // create HDInsight cluster with Kafka disk encryption string clusterName = TestUtilities.GenerateName("hdisdk-kafka-byok"); var createParams = CommonData.PrepareClusterCreateParamsForWasb(); createParams.Properties.ClusterDefinition.Kind = "Kafka"; var workerNode = createParams.Properties.ComputeProfile.Roles.First(role => role.Name == "workernode"); workerNode.DataDisksGroups = new List <DataDisksGroups> { new DataDisksGroups { DisksPerNode = 8 } }; createParams.Identity = new ClusterIdentity { Type = ResourceIdentityType.UserAssigned, UserAssignedIdentities = new Dictionary <string, UserAssignedIdentity> { { msi.Id, new UserAssignedIdentity() } } }; createParams.Properties.DiskEncryptionProperties = new DiskEncryptionProperties { VaultUri = keyIdentifier.Vault, KeyName = keyIdentifier.Name, KeyVersion = keyIdentifier.Version, MsiResourceId = msi.Id }; var cluster = HDInsightClient.Clusters.Create(CommonData.ResourceGroupName, clusterName, createParams); ValidateCluster(clusterName, createParams, cluster); // check disk encryption properties var diskEncryptionProperties = cluster.Properties.DiskEncryptionProperties; var diskEncryptionPropertiesParams = createParams.Properties.DiskEncryptionProperties; Assert.NotNull(diskEncryptionProperties); Assert.Equal(diskEncryptionPropertiesParams.VaultUri, diskEncryptionProperties.VaultUri); Assert.Equal(diskEncryptionPropertiesParams.KeyName, diskEncryptionProperties.KeyName); Assert.Equal(diskEncryptionPropertiesParams.KeyVersion, diskEncryptionProperties.KeyVersion); Assert.Equal(msi.Id, diskEncryptionProperties.MsiResourceId, true); keyName = TestUtilities.GenerateName("hdicsharpkey2"); var secondKeyIdentifier = GenerateVaultKey(vault, keyName); // rotate cluster key var rotateParams = new ClusterDiskEncryptionParameters { VaultUri = secondKeyIdentifier.Vault, KeyName = secondKeyIdentifier.Name, KeyVersion = secondKeyIdentifier.Version }; HDInsightClient.Clusters.RotateDiskEncryptionKey(CommonData.ResourceGroupName, clusterName, rotateParams); cluster = HDInsightClient.Clusters.Get(CommonData.ResourceGroupName, clusterName); // check disk encryption properties diskEncryptionProperties = cluster.Properties.DiskEncryptionProperties; Assert.NotNull(diskEncryptionProperties); Assert.Equal(rotateParams.VaultUri, diskEncryptionProperties.VaultUri); Assert.Equal(rotateParams.KeyName, diskEncryptionProperties.KeyName); Assert.Equal(rotateParams.KeyVersion, diskEncryptionProperties.KeyVersion); Assert.Equal(msi.Id, diskEncryptionProperties.MsiResourceId, true); } finally { if (vault != null) { DeleteVault(vault); } } }