app config working with con string

demos/07-secure-solutions/01-key-vault/create-vault.azcli

@@ -16,6 +16,9 @@ az keyvault secret set --vault-name $vault --name "DBPassword" --value "Lab@dmin
 az keyvault secret show --vault-name $vault --name "DBUser" 
 
 user=$(az keyvault secret show --vault-name $vault --name "DBUser" --query value)
+pwd=$(az keyvault secret show --vault-name $vault --name "DBPassword" --query value -o tsv)
+
+az keyvault secret set --vault-name $vault --name "conSQLServer" --value "Server=tcp:$server.database.windows.net,1433;Database=$db;User ID=$user;Password='$pwd';Encrypt=true;Connection Timeout=30;"
 
 az keyvault secret list --vault-name $vault -o table
 

demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs

@@ -1,11 +1,13 @@
-public class Settings
+public class AppSettings
 {
     public string Title { get; set; }
     public bool AuthEnabled { get; set; }
-    public string ConnectionString { get; set; }
+    public string DBConnectionString { get; set; }
     public string KeyVault { get; set; }
     public string AppConfigEndpoint { get; set; }
+    public string AppConfigConnection { get; set; }    
     public string Sentinel { get; set; }
+    public string Environment { get; set; }
 }
 
 public class FeatureManagement
@@ -29,6 +31,6 @@ public class AppConfig
 {
     public Logging Logging { get; set; }
     public string AllowedHosts { get; set; }
-    public Settings AppSettings { get; set; }
+    public AppSettings Settings { get; set; }
     public FeatureManagement FeatureManagement { get; set; }
 }

demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs

@@ -3,35 +3,32 @@
 using Azure.Security.KeyVault.Secrets;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.Configuration.AzureAppConfiguration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.OpenApi.Models;
 
 var builder = WebApplication.CreateBuilder(args);
 
-string connectionString = "Endpoint=https://foodconfig-dev.azconfig.io;Id=B1kS-l9-s0:O8WiC3kXo8OKaABKcK4y;Secret=dlCIR0ybMLVX1czEyI9AlaKOcVaINQbZZkkek8uKS88=";
+// Access Base Configuration
+IConfiguration Configuration = builder.Configuration;
+builder.Services.AddSingleton<IConfiguration>(Configuration);
+var cfg = Configuration.Get<AppConfig>();
 
 builder.Configuration.AddAzureAppConfiguration(options =>
 {    
-    options.Connect(connectionString)
+    options.Connect(cfg.Settings.AppConfigConnection)
         .ConfigureKeyVault(kv =>
         {
             kv.SetCredential(new DefaultAzureCredential());
         })
-        .Select("*", "production")        
+        .Select("*", cfg.Settings.Environment)        
         .ConfigureRefresh(refreshOptions =>
             refreshOptions.Register("Settings:Sentinel", refreshAll: true));
 });
 
 // Add services to the container.
-// Configuration
-IConfiguration Configuration = builder.Configuration;
-builder.Services.AddSingleton<IConfiguration>(Configuration);
-var cfg = Configuration.Get<AppConfig>();
-
 // Key Vault Client
-var client = new SecretClient(new Uri($"https://{cfg.AppSettings.KeyVault}"), new DefaultAzureCredential());
+var client = new SecretClient(new Uri($"https://{cfg.Settings.KeyVault}"), new DefaultAzureCredential());
 builder.Services.AddSingleton<SecretClient>(client);
 
 builder.Services.AddControllers();

demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json

@@ -7,13 +7,15 @@
     }
   },
   "AllowedHosts": "*",
-  "AppSettings": {
+  "Settings": {
     "Title": "App Config From File",
     "AuthEnabled": false,
-    "ConnectionString": "Data Source=./food-local.db",
+    "DBConnectionString": "Data Source=./food-local.db",
     "KeyVault": "foodvault-dev.vault.azure.net",
     "AppConfigEndpoint": "https://foodconfig-dev.azconfig.io",
-    "Sentinel": 1
+    "AppConfigConnection": "Endpoint=https://foodconfig-dev.azconfig.io;Id=fVrb-l9-s0:Kn9pxn7Ueh+XZ9viVGsR;Secret=hbr+jKb0SgK+RIrud2EXWXKZkschTJt23bCzN29xWRI=",
+    "Sentinel": 1,
+    "Environment": "production"
   },
   "FeatureManagement": {
     "PremiumFeature": false

demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli

@@ -18,27 +18,33 @@ az appconfig kv set -n $cfg --key "Settings:Sentinel" --value 1 -y --label produ
 cfgmi=$(az appconfig identity assign -g $grp -n $cfg --query principalId -o tsv)
 az keyvault set-policy -n $vault --object-id $cfgmi --secret-permissions get list
 
-az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y
-az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production
+az appconfig kv set-keyvault -n $cfg --key "Settings:DBConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y
+az appconfig kv set-keyvault -n $cfg --key "Settings:DBConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production
 
 # alternative: keyvault policy assignment using service principal
 # principal=http://foodprincipal
 # az ad sp create-for-rbac -n $principal --sdk-auth
 # az keyvault set-policy -n $vault --spn $principal --secret-permissions get list
 
-# create a feature flag and turn it on
-az appconfig feature set -n $cfg --feature PremiumFeature -y
-az appconfig feature set -n $cfg --feature PremiumFeature -y --label production
-az appconfig feature enable -n $cfg --feature PremiumFeature -y
-
 # create hosting webapp and add keyvault permissions to managed identity
 cd config-service-api
 az webapp up -n $app -g $grp -p $plan -l $loc --sku Free --runtime "DOTNET|6.0" 
 cd ..
 webmi=$(az webapp identity assign -g $grp -n $app --query principalId -o tsv)
 az keyvault set-policy -n $vault --object-id $webmi --secret-permissions get list
 
-# add app config reader permissions to managed identity
+sleep 15 # wait for managed identity to propagate
+
+# add app config reader permissions to managed identity and add the endpoint to webapp config
 az role assignment create --role "App Configuration Data Reader" --assignee $webmi --scope $appconfigid
+configEP=$(az appconfig list -g $grp --query "[?name=='$cfg'].endpoint" -o tsv)
+configCon=$(az appconfig credential list --name $cfg --query [0].connectionString -o tsv)
+az webapp config appsettings set -g $grp -n $app --settings "Settings:AppConfigEndpoint=$configEP"
+az webapp config appsettings set -g $grp -n $app --settings "Settings:AppConfigConnection=$configCon"
 
-az webapp restart -g $grp -n $app
+az webapp restart -g $grp -n $app
+
+# create a feature flag and turn it on
+az appconfig feature set -n $cfg --feature PremiumFeature -y
+az appconfig feature set -n $cfg --feature PremiumFeature -y --label production
+az appconfig feature enable -n $cfg --feature PremiumFeature -y

demos/07-secure-solutions/03-app-config/demo-01/readme.md

@@ -1,13 +1,9 @@
-# Demo
+# App Configuration Services
 
-Execute `create-app-conf.azcli` to create required base services.
+- Execute `create-app-conf.azcli` to create required base services.
 
-Get the Connection String of the AppConfig Service and add it as env var:
+    >Note: This demo assumes that you have already created the base services from 01-key-vault by executing `create-vault.azcli`
 
-```powershell
-setx AppConfigCS "Endpoint=https://foodconfig-20433.azconfig.io;Id=YhpI-l9-s0:bXPh6ApX2WzFki7odj33;Secret=o8LoLhCIy5Rn3okemD0CkDan4y83rozMR7C8cRz/SECRET="
-```
+- Get the Connection String of the AppConfig Service and add to `appsettings.json`:
 
-![secret](_images/app-config-con-string.png)
-
-Examine Demo-01 and execute it using `dotnet run`
+    ![secret](_images/app-config-con-string.png)