public async Task <Vault> CreateKeyVaultAsync(
Identity.Identity portalIdentity,
Identity.Identity ownerIdentity,
Guid subscriptionId,
string resourceGroupName,
string location,
string keyVaultName,
string environmentName)
{
await RegisterProvider(subscriptionId, "Microsoft.KeyVault");
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var kvClient = new KeyVaultManagementClient(token)
{
SubscriptionId = subscriptionId.ToString()
};
var permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions(
secrets: new[] { "get", "list", "set", "delete" },
certificates: new[] { "get", "list", "update", "delete", "create", "import" });
var accessPolicies = new[]
{
// Portal MSI
new AccessPolicyEntry(
portalIdentity.TenantId,
portalIdentity.ObjectId.ToString(),
permissions),
// Owner
new AccessPolicyEntry(
ownerIdentity.TenantId,
ownerIdentity.ObjectId.ToString(),
permissions)
};
// TODO - Make SKU configurable
var kvParams = new VaultCreateOrUpdateParameters(
location,
new VaultProperties(
portalIdentity.TenantId,
new Microsoft.Azure.Management.KeyVault.Models.Sku(Microsoft.Azure.Management.KeyVault.Models.SkuName.Standard), accessPolicies),
GetEnvironmentTags(environmentName));
return(await kvClient.Vaults.CreateOrUpdateAsync(
resourceGroupName,
keyVaultName,
kvParams));
}
/// <summary>
/// Create key vault.
/// </summary>
/// <param name="resourceGroupName"></param>
/// <param name="vaultName"></param>
/// <param name="region"></param>
/// <param name="sku"></param>
/// <param name="permissions"></param>
/// <param name="enabledForDeployment"></param>
/// <param name="enabledForDiskEncryption"></param>
/// <param name="enabledForTemplateDeployment"></param>
/// <param name="enableSoftDelete"></param>
/// <returns></returns>
public Vault CreateVault(
string resourceGroupName,
string vaultName,
string region,
SkuName sku = SkuName.Premium,
Permissions permissions = null,
bool?enabledForDeployment = true,
bool?enabledForDiskEncryption = true,
bool?enabledForTemplateDeployment = true,
bool?enableSoftDelete = null)
{
var accessPolicies = new List <AccessPolicyEntry>()
{
new AccessPolicyEntry
{
TenantId = Guid.Parse(commonData.TenantId),
ObjectId = commonData.ClientObjectId,
Permissions = permissions ?? DefaultPermissions
}
};
var properties = new VaultProperties
{
TenantId = Guid.Parse(commonData.TenantId),
Sku = new Sku
{
Name = sku
},
AccessPolicies = accessPolicies,
EnabledForDeployment = enabledForDeployment,
EnabledForDiskEncryption = enabledForDiskEncryption,
EnabledForTemplateDeployment = enabledForTemplateDeployment,
EnableSoftDelete = enableSoftDelete
};
var parameters = new VaultCreateOrUpdateParameters
{
Location = region,
Properties = properties
};
return(keyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupName, vaultName, parameters));
}
/// <summary>
/// Set vault permissions to some resource by its object id.
/// </summary>
/// <param name="vault"></param>
/// <param name="resourceGroupName"></param>
/// <param name="objectId"></param>
/// <param name="permissions"></param>
/// <returns></returns>
public Vault SetVaultPermissions(Vault vault, string resourceGroupName, string objectId, Permissions permissions)
{
vault.Properties.AccessPolicies.Add(
new AccessPolicyEntry
{
TenantId = Guid.Parse(commonData.TenantId),
ObjectId = objectId,
Permissions = permissions
}
);
var updateParams = new VaultCreateOrUpdateParameters
{
Location = vault.Location,
Properties = vault.Properties
};
return(keyVaultManagementClient.Vaults.CreateOrUpdate(resourceGroupName, vault.Name, updateParams));
}
public void TestCreateKafkaClusterWithDiskEncryption()
{
TestInitialize();
string mockedTenantId = TestUtilities.GenerateGuid().ToString();
CommonData.TenantId = GetTenantId();
this.Context.AddTextReplacementRule(CommonData.TenantId, mockedTenantId);
string mockedClientObjectId = TestUtilities.GenerateGuid().ToString();
CommonData.ClientObjectId = GetServicePrincipalObjectId();
this.Context.AddTextReplacementRule(CommonData.ClientObjectId, mockedClientObjectId);
Vault vault = null;
try
{
// create key vault with soft delete enabled
vault = CreateVault(CommonData.VaultName, true);
// create managed identities for Azure resources.
var msi = CreateMsi(CommonData.ManagedIdentityName);
// add managed identity to vault
var requiredPermissions = new Permissions
{
Keys = new List <string>()
{
KeyPermissions.Get, KeyPermissions.WrapKey, KeyPermissions.UnwrapKey
},
Secrets = new List <string>()
{
SecretPermissions.Get, SecretPermissions.Set, SecretPermissions.Delete
}
};
vault = SetVaultPermissions(vault, msi.PrincipalId.ToString(), requiredPermissions);
Assert.NotNull(vault);
// create key
string keyName = TestUtilities.GenerateName("hdicsharpkey1");
var keyIdentifier = GenerateVaultKey(vault, keyName);
// create HDInsight cluster with Kafka disk encryption
string clusterName = TestUtilities.GenerateName("hdisdk-kafka-byok");
var createParams = CommonData.PrepareClusterCreateParamsForWasb();
createParams.Properties.ClusterDefinition.Kind = "Kafka";
var workerNode = createParams.Properties.ComputeProfile.Roles.First(role => role.Name == "workernode");
workerNode.DataDisksGroups = new List <DataDisksGroups>
{
new DataDisksGroups
{
DisksPerNode = 8
}
};
createParams.Identity = new ClusterIdentity
{
Type = ResourceIdentityType.UserAssigned,
UserAssignedIdentities = new Dictionary <string, UserAssignedIdentity>
{
{ msi.Id, new UserAssignedIdentity() }
}
};
createParams.Properties.DiskEncryptionProperties = new DiskEncryptionProperties
{
VaultUri = keyIdentifier.Vault,
KeyName = keyIdentifier.Name,
KeyVersion = keyIdentifier.Version,
MsiResourceId = msi.Id
};
var cluster = HDInsightClient.Clusters.Create(CommonData.ResourceGroupName, clusterName, createParams);
ValidateCluster(clusterName, createParams, cluster);
// check disk encryption properties
var diskEncryptionProperties = cluster.Properties.DiskEncryptionProperties;
var diskEncryptionPropertiesParams = createParams.Properties.DiskEncryptionProperties;
Assert.NotNull(diskEncryptionProperties);
Assert.Equal(diskEncryptionPropertiesParams.VaultUri, diskEncryptionProperties.VaultUri);
Assert.Equal(diskEncryptionPropertiesParams.KeyName, diskEncryptionProperties.KeyName);
Assert.Equal(diskEncryptionPropertiesParams.KeyVersion, diskEncryptionProperties.KeyVersion);
Assert.Equal(msi.Id, diskEncryptionProperties.MsiResourceId, true);
keyName = TestUtilities.GenerateName("hdicsharpkey2");
var secondKeyIdentifier = GenerateVaultKey(vault, keyName);
// rotate cluster key
var rotateParams = new ClusterDiskEncryptionParameters
{
VaultUri = secondKeyIdentifier.Vault,
KeyName = secondKeyIdentifier.Name,
KeyVersion = secondKeyIdentifier.Version
};
HDInsightClient.Clusters.RotateDiskEncryptionKey(CommonData.ResourceGroupName, clusterName, rotateParams);
cluster = HDInsightClient.Clusters.Get(CommonData.ResourceGroupName, clusterName);
// check disk encryption properties
diskEncryptionProperties = cluster.Properties.DiskEncryptionProperties;
Assert.NotNull(diskEncryptionProperties);
Assert.Equal(rotateParams.VaultUri, diskEncryptionProperties.VaultUri);
Assert.Equal(rotateParams.KeyName, diskEncryptionProperties.KeyName);
Assert.Equal(rotateParams.KeyVersion, diskEncryptionProperties.KeyVersion);
Assert.Equal(msi.Id, diskEncryptionProperties.MsiResourceId, true);
}
finally
{
if (vault != null)
{
DeleteVault(vault);
}
}
}
