From fac849d5ec0d82a2f0ca71cab9219c1bc3afdd6f Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 08:37:33 +0100 Subject: [PATCH 01/15] scaffold #116 --- .../demo-01/appservice-use-mi.azcli | 2 +- .../config-service-api/Config/AppConfig.cs | 36 +++++++++++++ .../Controllers/ConfigController.cs | 44 ++++++++++++++++ .../demo-01/config-service-api/Program.cs | 51 +++++++++++++++++++ .../Properties/launchSettings.json | 41 +++++++++++++++ .../config-service-api/appsettings.json | 21 ++++++++ .../config-service-api.csproj | 14 +++++ .../demo-01/create-app-conf.azcli | 31 +++++++---- 8 files changed, 228 insertions(+), 12 deletions(-) create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Properties/launchSettings.json create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj diff --git a/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli b/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli index c7d7cfa6..e44015cf 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli +++ b/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli @@ -6,7 +6,7 @@ plan=foodplan-$rnd app=foodapi-$rnd cd food-api-mi -az webapp up -n $app -g $grp -p $plan -l $loc --sku Free -r "DOTNET|6.0" +az webapp up -n $app -g $grp -p $plan -l $loc --sku Free -r "DOTNET|7.0" cd .. # activate system assigned identity on web app diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs new file mode 100644 index 00000000..4c55007c --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -0,0 +1,36 @@ +using Microsoft.Extensions.Configuration; + +public class AppSettings +{ + public string Title { get; set; } + public bool AuthEnabled { get; set; } + public bool UseSQLite { get; set; } + public bool UseAppConfig { get; set; } + public string ConnectionStrings { get; set; } +} + +public class FeatureManagement +{ + public bool PremiumFeature { get; set; } +} + +public class Logging +{ + public LogLevel LogLevel { get; set; } +} + +public class LogLevel +{ + public string Default { get; set; } + public string Microsoft { get; set; } + public string MicrosoftHostingLifetime { get; set; } +} + +public class AppConfig +{ + public Logging Logging { get; set; } + public string AllowedHosts { get; set; } + public string TestKey { get; set; } + public AppSettings AppSettings { get; set; } + public FeatureManagement FeatureManagement { get; set; } +} \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs new file mode 100644 index 00000000..83af18e7 --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs @@ -0,0 +1,44 @@ +using Microsoft.AspNetCore.Mvc; + +namespace config_service_api.Controllers; + +[ApiController] +[Route("[controller]")] +public class ConfigController : ControllerBase +{ + IConfiguration cfg; + IWebHostEnvironment env; + + private readonly ILogger _logger; + + public ConfigController(ILogger logger, IConfiguration config, IWebHostEnvironment environment) + { + cfg = config; + env = environment; + _logger = logger; + } + + [HttpGet(Name = "GetConfig")] + public ActionResult Get() + { + //get string typed config + var config = cfg.Get(); + return Ok(config); + } + + [HttpGet("GetPremiumFeatureEnabled")] + public ActionResult GetPremium() + { + //get string typed config + var config = cfg.Get(); + return Ok(config); + } + + [HttpGet("GetSecretFromVault")] + public ActionResult GetSecretFromVault() + { + //get string typed config + var config = cfg.Get(); + return Ok(config); + } +} diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs new file mode 100644 index 00000000..5505dbd6 --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -0,0 +1,51 @@ +using Microsoft.OpenApi.Models; + +var builder = WebApplication.CreateBuilder(args); + +// Add services to the container. +IConfiguration Configuration = builder.Configuration; +builder.Services.AddSingleton(Configuration); +var cfg = Configuration.Get(); + +builder.Services.AddControllers(); + +// Swagger +builder.Services.AddEndpointsApiExplorer(); +builder.Services.AddSwaggerGen(c => +{ + c.SwaggerDoc("v1", new OpenApiInfo { Title = "App-Config-Api", Version = "v1" }); +}); + +// Cors +builder.Services.AddCors(o => o.AddPolicy("nocors", builder => +{ + builder + .SetIsOriginAllowed(host => true) + .AllowAnyMethod() + .AllowAnyHeader() + .AllowCredentials(); +})); + +var app = builder.Build(); + +// Configure the HTTP request pipeline. +if (app.Environment.IsDevelopment()) +{ + app.UseDeveloperExceptionPage(); +} + +// Swagger +app.UseSwagger(); +app.UseSwaggerUI(c => +{ + c.SwaggerEndpoint("/swagger/v1/swagger.json", "Food-Api"); + c.RoutePrefix = string.Empty; +}); + +app.UseHttpsRedirection(); + +app.UseAuthorization(); + +app.MapControllers(); + +app.Run(); diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Properties/launchSettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Properties/launchSettings.json new file mode 100644 index 00000000..75120118 --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Properties/launchSettings.json @@ -0,0 +1,41 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "iisSettings": { + "windowsAuthentication": false, + "anonymousAuthentication": true, + "iisExpress": { + "applicationUrl": "http://localhost:33908", + "sslPort": 44365 + } + }, + "profiles": { + "http": { + "commandName": "Project", + "dotnetRunMessages": true, + "launchBrowser": true, + "launchUrl": "", + "applicationUrl": "http://localhost:5000", + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + }, + "https": { + "commandName": "Project", + "dotnetRunMessages": true, + "launchBrowser": true, + "launchUrl": "", + "applicationUrl": "https://localhost:5001", + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + }, + "IIS Express": { + "commandName": "IISExpress", + "launchBrowser": true, + "launchUrl": "", + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + } + } +} diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json new file mode 100644 index 00000000..e116c243 --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -0,0 +1,21 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft": "Warning", + "Microsoft.Hosting.Lifetime": "Information" + } + }, + "AllowedHosts": "*", + "TestKey": "Loaded from local file", + "AppSettings": { + "Title": "App Config Demo", + "AuthEnabled": false, + "UseSQLite": true, + "UseAppConfig": false, + "ConnectionStrings": "Data Source=./food.db" + }, + "FeatureManagement": { + "PremiumFeature": false + } +} diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj new file mode 100644 index 00000000..6e27e3fd --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj @@ -0,0 +1,14 @@ + + + + net7.0 + enable + config_service_api + + + + + + + + diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 24ca83d5..3b9f0356 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -1,22 +1,23 @@ -rnd=dev -grp=az204-m07-secure-solutions-$rnd +env=dev +grp=az204-m07-secure-solutions-$env loc=westeurope -cfg=foodconfig-$rnd -vault=foodvault-$rnd +cfg=$cfg-$env +vault=foodvault-$env +app=config-serice-api-$env +plan=foodplan-$env # create appconfig and add a value az appconfig create -g $grp -n $cfg -l $loc --sku free -az appconfig kv set -n foodconfig-$rnd --key "Settings:Title" --value "Fancy Food App Dev" -y -az appconfig kv set -n foodconfig-$rnd --key "Settings:Title" --value "Fancy Food App Staging" -y --label staging -az appconfig kv set -n foodconfig-$rnd --key "Settings:Title" --value "Fancy Food App" -y --label prod +az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo Dev" -y +az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo Staging" -y --label staging +az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo" -y --label production - -# key-vault binding +# app config key-vault binding cfgmi=$(az appconfig identity assign -g $grp -n $cfg --query principalId -o tsv) az keyvault set-policy -n $vault --object-id $cfgmi --secret-permissions get list -az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y -az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label prod +az appconfig kv set-keyvault -n $cfg --key "AppSettings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y +az appconfig kv set-keyvault -n $cfg --key "AppSettings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production # alternative: keyvault policy assignment using service principal # principal=http://foodprincipal @@ -26,4 +27,12 @@ az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret- # create a feature flag and turn it on az appconfig feature set -n $cfg --feature PremiumFeature -y +az appconfig feature set -n $cfg --feature PremiumFeature -y --label production az appconfig feature enable -n $cfg --feature PremiumFeature -y + +az appservice plan create -n $plan -g $grp --sku FREE +az webapp create -n $app -g $grp --plan $plan --runtime "DOTNET|6.0" --assign-identity + +cd config-service-api +az webapp up -n $app -g $grp -p $plan -l $loc --sku Free -r "DOTNET|6.0" +cd .. \ No newline at end of file From 22a91e895b354977ec27e8cf6e3a9c461a7e12e9 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 09:10:48 +0100 Subject: [PATCH 02/15] mi api update to Azure.Identity #116 --- .../demo-01/appservice-use-mi.azcli | 12 ++++++------ .../demo-01/food-api-mi/.azure/config | 7 ------- .../demo-01/food-api-mi/.gitignore | 2 ++ .../demo-01/food-api-mi/Startup.cs | 14 ++++++-------- .../demo-01/food-api-mi/food-api.csproj | 12 ++++++------ 5 files changed, 20 insertions(+), 27 deletions(-) delete mode 100644 demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.azure/config diff --git a/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli b/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli index e44015cf..f701587e 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli +++ b/demos/07-secure-solutions/02-managed-identity/demo-01/appservice-use-mi.azcli @@ -1,12 +1,12 @@ -rnd=dev -grp=az204-m07-secure-solutions-$rnd +env=dev +grp=az204-m07-secure-solutions-$env loc=westeurope -vault=foodvault-$rnd -plan=foodplan-$rnd -app=foodapi-$rnd +vault=foodvault-$env +plan=foodplan-$env +app=foodapi-$env cd food-api-mi -az webapp up -n $app -g $grp -p $plan -l $loc --sku Free -r "DOTNET|7.0" +az webapp up -n $app -g $grp -p $plan -l $loc --sku Free -r "DOTNET|6.0" cd .. # activate system assigned identity on web app diff --git a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.azure/config b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.azure/config deleted file mode 100644 index 9dada5fb..00000000 --- a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.azure/config +++ /dev/null @@ -1,7 +0,0 @@ -[defaults] -group = az204-m07-secure-solutions-dev -sku = FREE -appserviceplan = foodplan-dev -location = westeurope -web = foodapi-dev - diff --git a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.gitignore b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.gitignore index bea25d71..3be79d50 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.gitignore +++ b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/.gitignore @@ -6,6 +6,8 @@ ## Ignore Visual Studio temporary files, build results, and ## files generated by popular Visual Studio add-ons. +.azure/ + # Database *.db diff --git a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/Startup.cs b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/Startup.cs index b844b7f8..87802064 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/Startup.cs +++ b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/Startup.cs @@ -2,11 +2,10 @@ using System.Collections.Generic; using System.Linq; using System.Threading.Tasks; +using Azure.Identity; +using Azure.Security.KeyVault.Secrets; using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.Hosting; -using Microsoft.AspNetCore.HttpsPolicy; -using Microsoft.Azure.KeyVault; -using Microsoft.Azure.Services.AppAuthentication; using Microsoft.EntityFrameworkCore; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; @@ -31,13 +30,12 @@ public void ConfigureServices (IServiceCollection services) { //Use MI to get DB Con Str Console.WriteLine($"Using KeyVault: {cfg.Azure.KevVault}"); - var azureServiceTokenProvider = new AzureServiceTokenProvider(); - var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); - string dbconstring = (kvClient.GetSecretAsync($"https://{cfg.Azure.KevVault}", "conSQLite").Result).Value; - Console.WriteLine($"dbconstring from vault: {dbconstring}"); + var client = new SecretClient(new Uri($"https://{cfg.Azure.KevVault}"), new DefaultAzureCredential()); + var secret = client.GetSecret("conSQLite").Value; + Console.WriteLine($"dbconstring from vault: {secret.Value}"); //EF - services.AddDbContext (options => options.UseSqlite (cfg.ConnectionStrings.SqLiteDbConnection)); + services.AddDbContext (options => options.UseSqlite (secret.Value)); //Swagger services.AddSwaggerGen (c => { diff --git a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/food-api.csproj b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/food-api.csproj index 106ad44e..dc622e24 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/food-api.csproj +++ b/demos/07-secure-solutions/02-managed-identity/demo-01/food-api-mi/food-api.csproj @@ -3,11 +3,11 @@ net6.0 - - - - - - + + + + + + \ No newline at end of file From bcaad506aeb092b86bdf63707731439084d6d55c Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 09:27:11 +0100 Subject: [PATCH 03/15] func updated to azure.identity --- .../02-managed-identity/demo-03/mi-func/.gitignore | 2 +- .../demo-03/mi-func/getSecret.cs | 14 ++++++-------- .../demo-03/mi-func/local.settings.json | 7 +++++++ .../demo-03/mi-func/mi-func.csproj | 4 ++-- 4 files changed, 16 insertions(+), 11 deletions(-) create mode 100644 demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/local.settings.json diff --git a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/.gitignore b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/.gitignore index ff5b00c5..ad9b6e1b 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/.gitignore +++ b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/.gitignore @@ -2,7 +2,7 @@ ## files generated by popular Visual Studio add-ons. # Azure Functions localsettings file -local.settings.json +# local.settings.json # User-specific files *.suo diff --git a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/getSecret.cs b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/getSecret.cs index 2f1da1fd..cca3e7a9 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/getSecret.cs +++ b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/getSecret.cs @@ -7,10 +7,9 @@ using Microsoft.AspNetCore.Http; using Microsoft.Extensions.Logging; using Newtonsoft.Json; -using Microsoft.Azure.Services.AppAuthentication; -using Microsoft.Azure.KeyVault; using Microsoft.Extensions.Configuration; - +using Azure.Security.KeyVault.Secrets; +using Azure.Identity; namespace Company.Function { @@ -34,13 +33,12 @@ public static async Task Run( .Build(); var kvName = config["KeyVaultName"]; - var kvUri = $"https://{kvName}.vault.azure.net/"; - log.LogInformation($"Obtaining secret {secret} from {kvUri}"); + log.LogInformation($"Obtaining secret {secret} from {kvName}"); - var serviceTokenProvider = new AzureServiceTokenProvider(); - var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(serviceTokenProvider.KeyVaultTokenCallback)); - dbconstring = (keyVaultClient.GetSecretAsync(kvUri, secret).Result).Value; + var client = new SecretClient(new Uri($"https://{kvName}.vault.azure.net/"), new DefaultAzureCredential()); + var response = await client.GetSecretAsync("conSQLite"); + dbconstring = response.Value.Value; } string responseMessage = string.IsNullOrEmpty(secret) diff --git a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/local.settings.json b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/local.settings.json new file mode 100644 index 00000000..d19ff96d --- /dev/null +++ b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/local.settings.json @@ -0,0 +1,7 @@ +{ + "IsEncrypted": false, + "Values": { + "FUNCTIONS_WORKER_RUNTIME": "dotnet", + "KeyVaultName": "foodvault-dev" + } +} \ No newline at end of file diff --git a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/mi-func.csproj b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/mi-func.csproj index dbd922c6..eefca7bc 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/mi-func.csproj +++ b/demos/07-secure-solutions/02-managed-identity/demo-03/mi-func/mi-func.csproj @@ -6,8 +6,8 @@ - - + + From 5677ea15c19c18a1f88441e5e621611d1b48d28c Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 10:04:28 +0100 Subject: [PATCH 04/15] key vault request added #116 --- .../01-key-vault/create-db.azcli | 10 ++--- .../01-key-vault/create-vault.azcli | 6 +-- .../02-managed-identity/demo-02/vm-mi.azcli | 10 ++--- .../config-service-api/.vscode/launch.json | 33 +++++++++++++++ .../config-service-api/.vscode/tasks.json | 41 +++++++++++++++++++ .../config-service-api/Config/AppConfig.cs | 1 + .../Controllers/ConfigController.cs | 21 ++++++---- .../demo-01/config-service-api/Program.cs | 13 ++++++ .../config-service-api/appsettings.json | 3 +- .../config-service-api.csproj | 9 ++-- 10 files changed, 120 insertions(+), 27 deletions(-) create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/launch.json create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/tasks.json diff --git a/demos/07-secure-solutions/01-key-vault/create-db.azcli b/demos/07-secure-solutions/01-key-vault/create-db.azcli index 7d143779..281a2b4b 100644 --- a/demos/07-secure-solutions/01-key-vault/create-db.azcli +++ b/demos/07-secure-solutions/01-key-vault/create-db.azcli @@ -1,9 +1,9 @@ -rnd=dev -grp=az204-m07-secure-solutions-$rnd +env=dev +grp=az204-m07-secure-solutions-$env loc=westeurope -server=foodserver$rnd -db=foodb$rnd -vault=foodvault-$rnd +server=foodserver$env +db=foodb$env +vault=foodvault-$env user=$(az keyvault secret show --name "DBUser" --vault-name $vault --query value -o tsv) pwd=$(az keyvault secret show --name "DBPassword" --vault-name $vault --query value -o tsv) diff --git a/demos/07-secure-solutions/01-key-vault/create-vault.azcli b/demos/07-secure-solutions/01-key-vault/create-vault.azcli index 7e28672a..e5e37d10 100644 --- a/demos/07-secure-solutions/01-key-vault/create-vault.azcli +++ b/demos/07-secure-solutions/01-key-vault/create-vault.azcli @@ -1,7 +1,7 @@ -rnd=dev -grp=az204-m07-secure-solutions-$rnd +env=dev +grp=az204-m07-secure-solutions-$env loc=westeurope -vault=foodvault-$rnd +vault=foodvault-$env az group create -n $grp -l $loc diff --git a/demos/07-secure-solutions/02-managed-identity/demo-02/vm-mi.azcli b/demos/07-secure-solutions/02-managed-identity/demo-02/vm-mi.azcli index faaa72db..c1703638 100644 --- a/demos/07-secure-solutions/02-managed-identity/demo-02/vm-mi.azcli +++ b/demos/07-secure-solutions/02-managed-identity/demo-02/vm-mi.azcli @@ -1,10 +1,10 @@ -rnd=dev -grp=az204-m07-secure-solutions-$rnd +env=dev +grp=az204-m07-secure-solutions-$env loc=westeurope -identity=ua-identity-$rnd -vm=identityvm-$rnd +identity=ua-identity-$env +vm=identityvm-$env admin=az204admin -vault=foodvault-$rnd +vault=foodvault-$env az group create -n $grp -l $loc diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/launch.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/launch.json new file mode 100644 index 00000000..dc331253 --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/launch.json @@ -0,0 +1,33 @@ +{ + // Use IntelliSense to learn about possible attributes. + // Hover to view descriptions of existing attributes. + // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "name": ".NET Core Launch (web)", + "type": "coreclr", + "request": "launch", + "preLaunchTask": "build", + "program": "${workspaceFolder}/bin/Debug/net6.0/config-service-api.dll", + "args": [], + "cwd": "${workspaceFolder}", + "stopAtEntry": false, + "serverReadyAction": { + "action": "openExternally", + "pattern": "\\bNow listening on:\\s+(https?://\\S+)" + }, + "env": { + "ASPNETCORE_ENVIRONMENT": "Development" + }, + "sourceFileMap": { + "/Views": "${workspaceFolder}/Views" + } + }, + { + "name": ".NET Core Attach", + "type": "coreclr", + "request": "attach" + } + ] +} \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/tasks.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/tasks.json new file mode 100644 index 00000000..73211433 --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.vscode/tasks.json @@ -0,0 +1,41 @@ +{ + "version": "2.0.0", + "tasks": [ + { + "label": "build", + "command": "dotnet", + "type": "process", + "args": [ + "build", + "${workspaceFolder}/config-service-api.csproj", + "/property:GenerateFullPaths=true", + "/consoleloggerparameters:NoSummary" + ], + "problemMatcher": "$msCompile" + }, + { + "label": "publish", + "command": "dotnet", + "type": "process", + "args": [ + "publish", + "${workspaceFolder}/config-service-api.csproj", + "/property:GenerateFullPaths=true", + "/consoleloggerparameters:NoSummary" + ], + "problemMatcher": "$msCompile" + }, + { + "label": "watch", + "command": "dotnet", + "type": "process", + "args": [ + "watch", + "run", + "--project", + "${workspaceFolder}/config-service-api.csproj" + ], + "problemMatcher": "$msCompile" + } + ] +} \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs index 4c55007c..8dce4187 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -7,6 +7,7 @@ public class AppSettings public bool UseSQLite { get; set; } public bool UseAppConfig { get; set; } public string ConnectionStrings { get; set; } + public string KeyVault { get; set; } } public class FeatureManagement diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs index 83af18e7..890f4cbe 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs @@ -1,4 +1,8 @@ +using System.Threading.Tasks; +using Azure.Security.KeyVault.Secrets; using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.Logging; namespace config_service_api.Controllers; @@ -7,15 +11,15 @@ namespace config_service_api.Controllers; public class ConfigController : ControllerBase { IConfiguration cfg; - IWebHostEnvironment env; + SecretClient sc; - private readonly ILogger _logger; + private readonly ILogger logger; - public ConfigController(ILogger logger, IConfiguration config, IWebHostEnvironment environment) + public ConfigController(ILogger ilogger, IConfiguration config, SecretClient secretClient) { cfg = config; - env = environment; - _logger = logger; + logger = ilogger; + sc = secretClient; } [HttpGet(Name = "GetConfig")] @@ -35,10 +39,9 @@ public ActionResult GetPremium() } [HttpGet("GetSecretFromVault")] - public ActionResult GetSecretFromVault() + public async Task GetSecretFromVault() { - //get string typed config - var config = cfg.Get(); - return Ok(config); + var response = await sc.GetSecretAsync("conSQLite"); + return response.Value.Value; } } diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 5505dbd6..4d34a093 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -1,12 +1,25 @@ +using System; +using Azure.Identity; +using Azure.Security.KeyVault.Secrets; +using Microsoft.AspNetCore.Builder; +using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Hosting; using Microsoft.OpenApi.Models; var builder = WebApplication.CreateBuilder(args); // Add services to the container. + +// Configuration IConfiguration Configuration = builder.Configuration; builder.Services.AddSingleton(Configuration); var cfg = Configuration.Get(); +// Key Vault Client +var client = new SecretClient(new Uri($"https://{cfg.AppSettings.KeyVault}"), new DefaultAzureCredential()); +builder.Services.AddSingleton(client); + builder.Services.AddControllers(); // Swagger diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json index e116c243..20ac6751 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -13,7 +13,8 @@ "AuthEnabled": false, "UseSQLite": true, "UseAppConfig": false, - "ConnectionStrings": "Data Source=./food.db" + "ConnectionStrings": "Data Source=./food.db", + "KeyVault": "foodvault-dev.vault.azure.net" }, "FeatureManagement": { "PremiumFeature": false diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj index 6e27e3fd..997cd5b5 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj @@ -1,14 +1,15 @@ - net7.0 - enable + net6.0 config_service_api - - + + + + From f410579486f53e514ee585a57f4b5a6f60727de8 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 10:14:22 +0100 Subject: [PATCH 05/15] file rename --- .../{ConfigController.cs => AppConfigServiceController.cs} | 6 +++--- .../03-app-config/demo-01/config-service-api/Program.cs | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) rename demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/{ConfigController.cs => AppConfigServiceController.cs} (79%) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs similarity index 79% rename from demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs rename to demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs index 890f4cbe..311104da 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs @@ -8,14 +8,14 @@ namespace config_service_api.Controllers; [ApiController] [Route("[controller]")] -public class ConfigController : ControllerBase +public class AppConfigServiceController : ControllerBase { IConfiguration cfg; SecretClient sc; - private readonly ILogger logger; + private readonly ILogger logger; - public ConfigController(ILogger ilogger, IConfiguration config, SecretClient secretClient) + public AppConfigServiceController(ILogger ilogger, IConfiguration config, SecretClient secretClient) { cfg = config; logger = ilogger; diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 4d34a093..bd273913 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -26,7 +26,7 @@ builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(c => { - c.SwaggerDoc("v1", new OpenApiInfo { Title = "App-Config-Api", Version = "v1" }); + c.SwaggerDoc("v1", new OpenApiInfo { Title = "App-Config-Service-Api", Version = "v1" }); }); // Cors @@ -51,7 +51,7 @@ app.UseSwagger(); app.UseSwaggerUI(c => { - c.SwaggerEndpoint("/swagger/v1/swagger.json", "Food-Api"); + c.SwaggerEndpoint("/swagger/v1/swagger.json", "App-Config-Service-Api"); c.RoutePrefix = string.Empty; }); From 504e5240a232fb6a8eb9340b9f2126d4060d621c Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 10:19:24 +0100 Subject: [PATCH 06/15] update docs #116 --- demos/01-appservices/demo-01/readme.md | 2 +- .../Controllers/AppConfigServiceController.cs | 1 - tooling/04-cli/readme.md | 6 ++++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/demos/01-appservices/demo-01/readme.md b/demos/01-appservices/demo-01/readme.md index d92347a6..cb720c70 100644 --- a/demos/01-appservices/demo-01/readme.md +++ b/demos/01-appservices/demo-01/readme.md @@ -11,7 +11,7 @@ Use [.NET Core CLI](https://docs.microsoft.com/en-us/dotnet/core/tools/). Scaffold and run App: ```bash -dotnet new api -n cli-api +dotnet new webapi -n cli-api --framework net6.0 dotnet run ``` diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs index 311104da..a532fa75 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs @@ -25,7 +25,6 @@ public AppConfigServiceController(ILogger ilogger, I [HttpGet(Name = "GetConfig")] public ActionResult Get() { - //get string typed config var config = cfg.Get(); return Ok(config); } diff --git a/tooling/04-cli/readme.md b/tooling/04-cli/readme.md index 5c460d12..1c24e83c 100644 --- a/tooling/04-cli/readme.md +++ b/tooling/04-cli/readme.md @@ -65,6 +65,12 @@ az extension list-available --output table az extension add --name ``` +Set Azrue CLI to auto-update: + +```bash +az config set extension.use_dynamic_install=yes_without_prompt +``` + ### List and set Subscriptions List Subscriptions: From a7dce202cb520d30ab9cbe67a916251fb235aee0 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 13:37:51 +0100 Subject: [PATCH 07/15] dynamic value --- .../demo-01/config-service-api/Config/AppConfig.cs | 3 ++- .../demo-01/config-service-api/Program.cs | 11 +++++++++++ .../demo-01/config-service-api/appsettings.json | 7 ++++--- .../config-service-api/config-service-api.csproj | 2 ++ .../03-app-config/demo-01/create-app-conf.azcli | 4 +++- 5 files changed, 22 insertions(+), 5 deletions(-) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs index 8dce4187..9db9109e 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -8,6 +8,8 @@ public class AppSettings public bool UseAppConfig { get; set; } public string ConnectionStrings { get; set; } public string KeyVault { get; set; } + public string AppConfig { get; set; } + public string DynamicValue { get; set; } } public class FeatureManagement @@ -31,7 +33,6 @@ public class AppConfig { public Logging Logging { get; set; } public string AllowedHosts { get; set; } - public string TestKey { get; set; } public AppSettings AppSettings { get; set; } public FeatureManagement FeatureManagement { get; set; } } \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index bd273913..e028e9d5 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -3,12 +3,23 @@ using Azure.Security.KeyVault.Secrets; using Microsoft.AspNetCore.Builder; using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.Configuration.AzureAppConfiguration; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Hosting; using Microsoft.OpenApi.Models; var builder = WebApplication.CreateBuilder(args); +string connectionString = "Endpoint=https://foodconfig-dev.azconfig.io;Id=ssJq-l9-s0:kcBy2fb28Z9g1Jo6xA7J;Secret=4pVAt4fMYU8pVZFDXy569EW4sq2/gw+j1uTgUh6EvP4="; + +builder.Configuration.AddAzureAppConfiguration(options => +{ + options.Connect(connectionString) + .Select("AppSettings:*", "production") + .ConfigureRefresh(refreshOptions => + refreshOptions.Register("AppSettings:DynamicValue", refreshAll: true)); +}); + // Add services to the container. // Configuration diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json index 20ac6751..226e6ff6 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -7,14 +7,15 @@ } }, "AllowedHosts": "*", - "TestKey": "Loaded from local file", "AppSettings": { - "Title": "App Config Demo", + "Title": "App Config From File", "AuthEnabled": false, "UseSQLite": true, "UseAppConfig": false, "ConnectionStrings": "Data Source=./food.db", - "KeyVault": "foodvault-dev.vault.azure.net" + "KeyVault": "foodvault-dev.vault.azure.net", + "AppConfig": "https://foodconfig-dev.azconfig.io", + "DynamicValue": "From File" }, "FeatureManagement": { "PremiumFeature": false diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj index 997cd5b5..17018f58 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/config-service-api.csproj @@ -8,6 +8,8 @@ + + diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 3b9f0356..43ce39e6 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -1,7 +1,7 @@ env=dev grp=az204-m07-secure-solutions-$env loc=westeurope -cfg=$cfg-$env +cfg=foodconfig-$env vault=foodvault-$env app=config-serice-api-$env plan=foodplan-$env @@ -12,6 +12,8 @@ az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo D az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo Staging" -y --label staging az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo" -y --label production +az appconfig kv set -n $cfg --key "AppSettings:ChangingVal" --value "Original" -y + # app config key-vault binding cfgmi=$(az appconfig identity assign -g $grp -n $cfg --query principalId -o tsv) az keyvault set-policy -n $vault --object-id $cfgmi --secret-permissions get list From 43bf5c2693c05e1c976c7069f7bb3c0607ecd257 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 13:56:20 +0100 Subject: [PATCH 08/15] app confic base --- .../demo-01/config-service-api/Config/AppConfig.cs | 4 +--- .../demo-01/config-service-api/Program.cs | 10 +++++++--- .../demo-01/config-service-api/appsettings.json | 2 +- .../03-app-config/demo-01/create-app-conf.azcli | 2 +- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs index 9db9109e..dcdaaa64 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -1,12 +1,10 @@ -using Microsoft.Extensions.Configuration; - public class AppSettings { public string Title { get; set; } public bool AuthEnabled { get; set; } public bool UseSQLite { get; set; } public bool UseAppConfig { get; set; } - public string ConnectionStrings { get; set; } + public string ConnectionString { get; set; } public string KeyVault { get; set; } public string AppConfig { get; set; } public string DynamicValue { get; set; } diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index e028e9d5..4ff0feb6 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -15,9 +15,13 @@ builder.Configuration.AddAzureAppConfiguration(options => { options.Connect(connectionString) - .Select("AppSettings:*", "production") - .ConfigureRefresh(refreshOptions => - refreshOptions.Register("AppSettings:DynamicValue", refreshAll: true)); + .ConfigureKeyVault(kv => + { + kv.SetCredential(new DefaultAzureCredential()); + }) + .Select("*", "production") + .ConfigureRefresh(refreshOptions => + refreshOptions.Register("AppSettings:DynamicValue", refreshAll: true)); }); // Add services to the container. diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json index 226e6ff6..6b3c250f 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -12,7 +12,7 @@ "AuthEnabled": false, "UseSQLite": true, "UseAppConfig": false, - "ConnectionStrings": "Data Source=./food.db", + "ConnectionString": "Data Source=./food-local.db", "KeyVault": "foodvault-dev.vault.azure.net", "AppConfig": "https://foodconfig-dev.azconfig.io", "DynamicValue": "From File" diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 43ce39e6..707efdec 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -12,7 +12,7 @@ az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo D az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo Staging" -y --label staging az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo" -y --label production -az appconfig kv set -n $cfg --key "AppSettings:ChangingVal" --value "Original" -y +az appconfig kv set -n $cfg --key "AppSettings:DynamicValue" --value "Original" -y --label production # app config key-vault binding cfgmi=$(az appconfig identity assign -g $grp -n $cfg --query principalId -o tsv) From e50153ecc182716e49f92d789b0c87e71885ae18 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Wed, 8 Feb 2023 22:25:49 +0100 Subject: [PATCH 09/15] rename to env --- .vscode/settings.json | 3 +++ .../demo-01/create-webapps.azcli | 16 ++++++++-------- .../demo-01/mvc-app/.azure/config | 7 +++++++ .../demo-02/deploy-using-git.azcli | 8 ++++---- .../01-appservices/demo-03/create-webapp.azcli | 8 ++++---- .../demo-04/deploy-easy-auth.azcli | 8 ++++---- .../demo-05/create-webapp-slots.azcli | 8 ++++---- .../demo-06/traffic-manager.azcli | 18 +++++++++--------- .../demo-01/create-blob-app.azcli | 6 +++--- .../demo-02/creata-sas-app.azcli | 6 +++--- .../demo-03/create-fileshare.azcli | 4 ++-- .../demo-01/config-service-api/.azure/config | 7 +++++++ .../demo-01/config-service-api/Program.cs | 1 - .../demo-01/create-app-conf.azcli | 6 ++++-- 14 files changed, 62 insertions(+), 44 deletions(-) create mode 100644 .vscode/settings.json create mode 100644 demos/01-appservices/demo-01/mvc-app/.azure/config create mode 100644 demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 00000000..089c9674 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "appService.defaultWebAppToDeploy": "None" +} \ No newline at end of file diff --git a/demos/01-appservices/demo-01/create-webapps.azcli b/demos/01-appservices/demo-01/create-webapps.azcli index 33058fe6..d75562d2 100644 --- a/demos/01-appservices/demo-01/create-webapps.azcli +++ b/demos/01-appservices/demo-01/create-webapps.azcli @@ -1,22 +1,22 @@ -rnd=$RANDOM -grp=az204-m01-appservices-$rnd +env=$RANDOM +grp=az204-m01-appservices-$env loc=westeurope -appPlan=appservices-$rnd -mvcapp=mvcapp-$rnd +plan=appservices-$env +mvcapp=mvcapp-$env # create a resource group az group create -n $grp -l $loc # create an App Service plan -az appservice plan create -n $appPlan -g $grp --sku S1 +az appservice plan create -n $plan -g $grp --sku S1 # create cliapp -az webapp create -n cli-api-$rnd -g $grp --plan $appPlan --runtime "DOTNET|6.0" +az webapp create -n cli-api-$env -g $grp --plan $plan --runtime "DOTNET|6.0" # create mvcapp -az webapp create -n $mvcapp -g $grp --plan $appPlan --runtime "DOTNET|6.0" +az webapp create -n $mvcapp -g $grp --plan $plan --runtime "DOTNET|6.0" # create and upload mvcapp app using az webapp up cd mvc-app -az webapp up -n $mvcapp -g $grp -p $appPlan --sku F1 -l $loc -r "DOTNET|6.0" +az webapp up -n $mvcapp -g $grp -p $plan --sku F1 -l $loc -r "DOTNET|6.0" cd .. \ No newline at end of file diff --git a/demos/01-appservices/demo-01/mvc-app/.azure/config b/demos/01-appservices/demo-01/mvc-app/.azure/config new file mode 100644 index 00000000..537b50fe --- /dev/null +++ b/demos/01-appservices/demo-01/mvc-app/.azure/config @@ -0,0 +1,7 @@ +[defaults] +group = az204-m01-appservices-15443 +sku = F1 +appserviceplan = appservices-15443 +location = westeurope +web = mvcapp-15443 + diff --git a/demos/01-appservices/demo-02/deploy-using-git.azcli b/demos/01-appservices/demo-02/deploy-using-git.azcli index c2d5c7e9..c40fe1aa 100644 --- a/demos/01-appservices/demo-02/deploy-using-git.azcli +++ b/demos/01-appservices/demo-02/deploy-using-git.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM -grp=az204-m01-gitdeploy-$rnd -appPlan=gitdeploy-$rnd -app=gitdeploy-website-$rnd +env=$RANDOM +grp=az204-m01-gitdeploy-$env +appPlan=gitdeploy-$env +app=gitdeploy-website-$env gitrepo="https://github.com/arambazamba/git-deploy-app" az group create -n $grp -l westeurope diff --git a/demos/01-appservices/demo-03/create-webapp.azcli b/demos/01-appservices/demo-03/create-webapp.azcli index 6ebd8fc4..3dc607a3 100644 --- a/demos/01-appservices/demo-03/create-webapp.azcli +++ b/demos/01-appservices/demo-03/create-webapp.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM -grp=az204-m01-appsettings-$rnd -plan=appsettings-$rnd -app=settings-api-$rnd +env=$RANDOM +grp=az204-m01-appsettings-$env +plan=appsettings-$env +app=settings-api-$env loc=westeurope az group create -n $grp -l $loc diff --git a/demos/01-appservices/demo-04/deploy-easy-auth.azcli b/demos/01-appservices/demo-04/deploy-easy-auth.azcli index e4e0f2a1..bfa63b3b 100644 --- a/demos/01-appservices/demo-04/deploy-easy-auth.azcli +++ b/demos/01-appservices/demo-04/deploy-easy-auth.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM -grp=az204-m01-easy-auth-$rnd -appPlan=easyauth-$rnd -app=easyauth-website-$rnd +env=$RANDOM +grp=az204-m01-easy-auth-$env +appPlan=easyauth-$env +app=easyauth-website-$env appregName=easyauth-app gitrepo="https://github.com/arambazamba/git-deploy-app" tenantID=d92b247e-90e0-4469-a129-6a32866c0d0a diff --git a/demos/01-appservices/demo-05/create-webapp-slots.azcli b/demos/01-appservices/demo-05/create-webapp-slots.azcli index d532ce29..2b964c46 100644 --- a/demos/01-appservices/demo-05/create-webapp-slots.azcli +++ b/demos/01-appservices/demo-05/create-webapp-slots.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM -grp=az204-m01-deployment-slots-$rnd -appPlan=deployment-slots-$rnd -app=deployment-slots-app-$rnd +env=$RANDOM +grp=az204-m01-deployment-slots-$env +appPlan=deployment-slots-$env +app=deployment-slots-app-$env loc=westeurope slot=staging diff --git a/demos/01-appservices/demo-06/traffic-manager.azcli b/demos/01-appservices/demo-06/traffic-manager.azcli index 52441028..ccf3bd47 100644 --- a/demos/01-appservices/demo-06/traffic-manager.azcli +++ b/demos/01-appservices/demo-06/traffic-manager.azcli @@ -1,8 +1,8 @@ -rnd=$RANDOM -eugrp=az204-tm-eu-$rnd -usgrp=az204-tm-us-$rnd -euplan=tm-westeur-$rnd -usplan=tm-eastus-$rnd +env=$RANDOM +eugrp=az204-tm-eu-$env +usgrp=az204-tm-us-$env +euplan=tm-westeur-$env +usplan=tm-eastus-$env gitrepo="https://github.com/arambazamba/git-deploy-app" user=labadmin pwd=Pa$$w0rd1234! @@ -22,13 +22,13 @@ az webapp deployment source config -n tmapp-$usplan -g $usgrp -u $gitrepo --bran usid=$(az webapp show -n tmapp-$usplan -g $usgrp --query id -o tsv) # Create TM Profile & Add Endpoints -az network traffic-manager profile create -g $eugrp -n tmprofile$rnd --routing-method Geographic \ - --unique-dns-name tmapp-$rnd --ttl 30 --protocol HTTP --port 80 --path "/" +az network traffic-manager profile create -g $eugrp -n tmprofile$env --routing-method Geographic \ + --unique-dns-name tmapp-$env --ttl 30 --protocol HTTP --port 80 --path "/" -az network traffic-manager endpoint create --name ep-$euplan -g $eugrp --profile-name tmprofile$rnd --geo-mapping GEO-EU \ +az network traffic-manager endpoint create --name ep-$euplan -g $eugrp --profile-name tmprofile$env --geo-mapping GEO-EU \ --type azureEndpoints --target-resource-id $euid --endpoint-status Enabled -az network traffic-manager endpoint create --name ep-$usplan -g $eugrp --profile-name tmprofile$rnd --geo-mapping GEO-NA \ +az network traffic-manager endpoint create --name ep-$usplan -g $eugrp --profile-name tmprofile$env --geo-mapping GEO-NA \ --type azureEndpoints --target-resource-id $usid --endpoint-status Enabled # Create a vm in the US to access the webapp with an us ip address diff --git a/demos/02-blob-storage/demo-01/create-blob-app.azcli b/demos/02-blob-storage/demo-01/create-blob-app.azcli index 5aa8c2d0..176a0dba 100644 --- a/demos/02-blob-storage/demo-01/create-blob-app.azcli +++ b/demos/02-blob-storage/demo-01/create-blob-app.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM -grp=az204-m02-foodpics-$rnd +env=$RANDOM +grp=az204-m02-foodpics-$env loc=westeurope -acct=foodpics$rnd +acct=foodpics$env container="food" blob_name=shrimp-vindaloo.jpg file_to_upload="./food-pics/shrimp-vindaloo.jpg" diff --git a/demos/02-blob-storage/demo-02/creata-sas-app.azcli b/demos/02-blob-storage/demo-02/creata-sas-app.azcli index 24197248..4972a8ea 100644 --- a/demos/02-blob-storage/demo-02/creata-sas-app.azcli +++ b/demos/02-blob-storage/demo-02/creata-sas-app.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM +env=$RANDOM loc=westeurope -grp=az204-m02-sas-$rnd -acct=medicalrecords$rnd +grp=az204-m02-sas-$env +acct=medicalrecords$env container="patient-images" path="./patient-images/" blob="patient-32589.jpg" diff --git a/demos/02-blob-storage/demo-03/create-fileshare.azcli b/demos/02-blob-storage/demo-03/create-fileshare.azcli index 913b3e45..b84ea377 100644 --- a/demos/02-blob-storage/demo-03/create-fileshare.azcli +++ b/demos/02-blob-storage/demo-03/create-fileshare.azcli @@ -1,7 +1,7 @@ -rnd=$RANDOM +env=$RANDOM grp=az-lab loc=westeurope -acct=labvm$rnd +acct=labvm$env az group create -n $grp -l $loc diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config new file mode 100644 index 00000000..4cad674f --- /dev/null +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config @@ -0,0 +1,7 @@ +[defaults] +group = az204-m07-secure-solutions-dev +sku = F1 +appserviceplan = foodplan-dev +location = westeurope +web = config-serice-api-dev + diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 4ff0feb6..513e7a93 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -25,7 +25,6 @@ }); // Add services to the container. - // Configuration IConfiguration Configuration = builder.Configuration; builder.Services.AddSingleton(Configuration); diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 707efdec..d0aea9c9 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -33,8 +33,10 @@ az appconfig feature set -n $cfg --feature PremiumFeature -y --label production az appconfig feature enable -n $cfg --feature PremiumFeature -y az appservice plan create -n $plan -g $grp --sku FREE -az webapp create -n $app -g $grp --plan $plan --runtime "DOTNET|6.0" --assign-identity +webmi=$(az webapp create -n $app -g $grp --plan $plan --runtime "DOTNET|6.0" --assign-identity --query identity.principalId -o tsv) +az keyvault set-policy -n $vault --object-id $webmi --secret-permissions get list + cd config-service-api -az webapp up -n $app -g $grp -p $plan -l $loc --sku Free -r "DOTNET|6.0" +az webapp up -n $app -g $grp -p $plan -l $loc --sku Free --runtime "DOTNET|6.0" cd .. \ No newline at end of file From 468b89c338133e565fbeaa79acbcb7a11f6ab934 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Thu, 9 Feb 2023 10:39:35 +0100 Subject: [PATCH 10/15] con string updated --- .../03-app-config/demo-01/config-service-api/Program.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 513e7a93..4e6b19fe 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -10,7 +10,7 @@ var builder = WebApplication.CreateBuilder(args); -string connectionString = "Endpoint=https://foodconfig-dev.azconfig.io;Id=ssJq-l9-s0:kcBy2fb28Z9g1Jo6xA7J;Secret=4pVAt4fMYU8pVZFDXy569EW4sq2/gw+j1uTgUh6EvP4="; +string connectionString = "Endpoint=https://foodconfig-dev.azconfig.io;Id=B1kS-l9-s0:O8WiC3kXo8OKaABKcK4y;Secret=dlCIR0ybMLVX1czEyI9AlaKOcVaINQbZZkkek8uKS88="; builder.Configuration.AddAzureAppConfiguration(options => { From c48a693e3e825d613038442243e9f6dc62d3b405 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Thu, 9 Feb 2023 10:44:21 +0100 Subject: [PATCH 11/15] controller renamed --- .../demo-01/config-service-api/Config/AppConfig.cs | 6 +++--- ...nfigServiceController.cs => ConfigController.cs} | 6 +++--- .../demo-01/config-service-api/appsettings.json | 2 +- .../03-app-config/demo-01/create-app-conf.azcli | 13 +++++++------ 4 files changed, 14 insertions(+), 13 deletions(-) rename demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/{AppConfigServiceController.cs => ConfigController.cs} (78%) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs index dcdaaa64..07eb672b 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -1,4 +1,4 @@ -public class AppSettings +public class Settings { public string Title { get; set; } public bool AuthEnabled { get; set; } @@ -7,7 +7,7 @@ public class AppSettings public string ConnectionString { get; set; } public string KeyVault { get; set; } public string AppConfig { get; set; } - public string DynamicValue { get; set; } + public string Sentinel { get; set; } } public class FeatureManagement @@ -31,6 +31,6 @@ public class AppConfig { public Logging Logging { get; set; } public string AllowedHosts { get; set; } - public AppSettings AppSettings { get; set; } + public Settings AppSettings { get; set; } public FeatureManagement FeatureManagement { get; set; } } \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs similarity index 78% rename from demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs rename to demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs index a532fa75..0d15fbc3 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/AppConfigServiceController.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Controllers/ConfigController.cs @@ -8,14 +8,14 @@ namespace config_service_api.Controllers; [ApiController] [Route("[controller]")] -public class AppConfigServiceController : ControllerBase +public class ConfigController : ControllerBase { IConfiguration cfg; SecretClient sc; - private readonly ILogger logger; + private readonly ILogger logger; - public AppConfigServiceController(ILogger ilogger, IConfiguration config, SecretClient secretClient) + public ConfigController(ILogger ilogger, IConfiguration config, SecretClient secretClient) { cfg = config; logger = ilogger; diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json index 6b3c250f..bc7b3e32 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -15,7 +15,7 @@ "ConnectionString": "Data Source=./food-local.db", "KeyVault": "foodvault-dev.vault.azure.net", "AppConfig": "https://foodconfig-dev.azconfig.io", - "DynamicValue": "From File" + "Sentinel": 1 }, "FeatureManagement": { "PremiumFeature": false diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index d0aea9c9..02680bcd 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -8,18 +8,19 @@ plan=foodplan-$env # create appconfig and add a value az appconfig create -g $grp -n $cfg -l $loc --sku free -az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo Dev" -y -az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo Staging" -y --label staging -az appconfig kv set -n $cfg --key "AppSettings:Title" --value "App Config Demo" -y --label production +az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo Dev" -y +az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo Staging" -y --label staging +az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo" -y --label production -az appconfig kv set -n $cfg --key "AppSettings:DynamicValue" --value "Original" -y --label production +az appconfig kv set -n $cfg --key "Settings:Sentinel" --value 1 -y +az appconfig kv set -n $cfg --key "Settings:Sentinel" --value 1 -y --label production # app config key-vault binding cfgmi=$(az appconfig identity assign -g $grp -n $cfg --query principalId -o tsv) az keyvault set-policy -n $vault --object-id $cfgmi --secret-permissions get list -az appconfig kv set-keyvault -n $cfg --key "AppSettings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y -az appconfig kv set-keyvault -n $cfg --key "AppSettings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production +az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y +az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production # alternative: keyvault policy assignment using service principal # principal=http://foodprincipal From 9d9732786d38081a7cdf426b516d1ded2a06f3df Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Thu, 9 Feb 2023 11:08:39 +0100 Subject: [PATCH 12/15] base config working --- .../demo-01/config-service-api/.azure/config | 6 +++--- .../demo-01/config-service-api/Program.cs | 4 ++-- .../demo-01/create-app-conf.azcli | 18 ++++++++---------- 3 files changed, 13 insertions(+), 15 deletions(-) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config index 4cad674f..93ab059c 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/.azure/config @@ -1,7 +1,7 @@ [defaults] group = az204-m07-secure-solutions-dev -sku = F1 -appserviceplan = foodplan-dev +sku = FREE +appserviceplan = config-plan-dev location = westeurope -web = config-serice-api-dev +web = config-api-dev diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 4e6b19fe..4e2c2897 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -21,7 +21,7 @@ }) .Select("*", "production") .ConfigureRefresh(refreshOptions => - refreshOptions.Register("AppSettings:DynamicValue", refreshAll: true)); + refreshOptions.Register("Settings:Sentinel", refreshAll: true)); }); // Add services to the container. @@ -40,7 +40,7 @@ builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(c => { - c.SwaggerDoc("v1", new OpenApiInfo { Title = "App-Config-Service-Api", Version = "v1" }); + c.SwaggerDoc("v1", new OpenApiInfo { Title = "App-Config-Api", Version = "v1" }); }); // Cors diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 02680bcd..94963862 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -3,13 +3,12 @@ grp=az204-m07-secure-solutions-$env loc=westeurope cfg=foodconfig-$env vault=foodvault-$env -app=config-serice-api-$env -plan=foodplan-$env +app=config-api-$env +plan=config-plan-$env # create appconfig and add a value az appconfig create -g $grp -n $cfg -l $loc --sku free az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo Dev" -y -az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo Staging" -y --label staging az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo" -y --label production az appconfig kv set -n $cfg --key "Settings:Sentinel" --value 1 -y @@ -28,16 +27,15 @@ az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret- # az keyvault set-policy -n $vault --spn $principal --secret-permissions get list # create a feature flag and turn it on - az appconfig feature set -n $cfg --feature PremiumFeature -y az appconfig feature set -n $cfg --feature PremiumFeature -y --label production az appconfig feature enable -n $cfg --feature PremiumFeature -y -az appservice plan create -n $plan -g $grp --sku FREE -webmi=$(az webapp create -n $app -g $grp --plan $plan --runtime "DOTNET|6.0" --assign-identity --query identity.principalId -o tsv) -az keyvault set-policy -n $vault --object-id $webmi --secret-permissions get list - - +# create hosting webapp and add keyvault permissions to managed identity cd config-service-api az webapp up -n $app -g $grp -p $plan -l $loc --sku Free --runtime "DOTNET|6.0" -cd .. \ No newline at end of file +cd .. +webmi=$(az webapp identity assign -g $grp -n $app --query principalId -o tsv) + +az keyvault set-policy -n $vault --object-id $webmi --secret-permissions get list +az webapp restart -g $grp -n $app \ No newline at end of file From 27955110a0690408b5de8601a00826fa9e48c20f Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Thu, 9 Feb 2023 11:40:11 +0100 Subject: [PATCH 13/15] cleanup --- .../demo-01/config-service-api/Config/AppConfig.cs | 4 +--- .../03-app-config/demo-01/config-service-api/Program.cs | 2 +- .../demo-01/config-service-api/appsettings.json | 4 +--- .../03-app-config/demo-01/create-app-conf.azcli | 7 +++++-- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs index 07eb672b..ba3b1a6b 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -2,11 +2,9 @@ public class Settings { public string Title { get; set; } public bool AuthEnabled { get; set; } - public bool UseSQLite { get; set; } - public bool UseAppConfig { get; set; } public string ConnectionString { get; set; } public string KeyVault { get; set; } - public string AppConfig { get; set; } + public string AppConfigEndpoint { get; set; } public string Sentinel { get; set; } } diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 4e2c2897..5e1c48fa 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -13,7 +13,7 @@ string connectionString = "Endpoint=https://foodconfig-dev.azconfig.io;Id=B1kS-l9-s0:O8WiC3kXo8OKaABKcK4y;Secret=dlCIR0ybMLVX1czEyI9AlaKOcVaINQbZZkkek8uKS88="; builder.Configuration.AddAzureAppConfiguration(options => -{ +{ options.Connect(connectionString) .ConfigureKeyVault(kv => { diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json index bc7b3e32..d0ec6876 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -10,11 +10,9 @@ "AppSettings": { "Title": "App Config From File", "AuthEnabled": false, - "UseSQLite": true, - "UseAppConfig": false, "ConnectionString": "Data Source=./food-local.db", "KeyVault": "foodvault-dev.vault.azure.net", - "AppConfig": "https://foodconfig-dev.azconfig.io", + "AppConfigEndpoint": "https://foodconfig-dev.azconfig.io", "Sentinel": 1 }, "FeatureManagement": { diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 94963862..2cafa371 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -7,7 +7,7 @@ app=config-api-$env plan=config-plan-$env # create appconfig and add a value -az appconfig create -g $grp -n $cfg -l $loc --sku free +appconfigid=$(az appconfig create -g $grp -n $cfg -l $loc --sku free --query id -o tsv) az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo Dev" -y az appconfig kv set -n $cfg --key "Settings:Title" --value "App Config Demo" -y --label production @@ -36,6 +36,9 @@ cd config-service-api az webapp up -n $app -g $grp -p $plan -l $loc --sku Free --runtime "DOTNET|6.0" cd .. webmi=$(az webapp identity assign -g $grp -n $app --query principalId -o tsv) - az keyvault set-policy -n $vault --object-id $webmi --secret-permissions get list + +# add app config reader permissions to managed identity +az role assignment create --role "App Configuration Data Reader" --assignee $webmi --scope $appconfigid + az webapp restart -g $grp -n $app \ No newline at end of file From 45b46cd2a3ad87b77414926c2bda18609c3792ef Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Fri, 10 Feb 2023 07:33:08 +0100 Subject: [PATCH 14/15] app config working with con string --- .../01-key-vault/create-vault.azcli | 3 +++ .../_images/app-config-con-string.png | Bin .../config-service-api/Config/AppConfig.cs | 8 +++--- .../demo-01/config-service-api/Program.cs | 17 +++++-------- .../config-service-api/appsettings.json | 8 +++--- .../demo-01/create-app-conf.azcli | 24 +++++++++++------- .../03-app-config/demo-01/readme.md | 14 ++++------ 7 files changed, 40 insertions(+), 34 deletions(-) rename demos/07-secure-solutions/03-app-config/{ => demo-01}/_images/app-config-con-string.png (100%) diff --git a/demos/07-secure-solutions/01-key-vault/create-vault.azcli b/demos/07-secure-solutions/01-key-vault/create-vault.azcli index e5e37d10..920ae80a 100644 --- a/demos/07-secure-solutions/01-key-vault/create-vault.azcli +++ b/demos/07-secure-solutions/01-key-vault/create-vault.azcli @@ -16,6 +16,9 @@ az keyvault secret set --vault-name $vault --name "DBPassword" --value "Lab@dmin az keyvault secret show --vault-name $vault --name "DBUser" user=$(az keyvault secret show --vault-name $vault --name "DBUser" --query value) +pwd=$(az keyvault secret show --vault-name $vault --name "DBPassword" --query value -o tsv) + +az keyvault secret set --vault-name $vault --name "conSQLServer" --value "Server=tcp:$server.database.windows.net,1433;Database=$db;User ID=$user;Password='$pwd';Encrypt=true;Connection Timeout=30;" az keyvault secret list --vault-name $vault -o table diff --git a/demos/07-secure-solutions/03-app-config/_images/app-config-con-string.png b/demos/07-secure-solutions/03-app-config/demo-01/_images/app-config-con-string.png similarity index 100% rename from demos/07-secure-solutions/03-app-config/_images/app-config-con-string.png rename to demos/07-secure-solutions/03-app-config/demo-01/_images/app-config-con-string.png diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs index ba3b1a6b..1da0d2a1 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Config/AppConfig.cs @@ -1,11 +1,13 @@ -public class Settings +public class AppSettings { public string Title { get; set; } public bool AuthEnabled { get; set; } - public string ConnectionString { get; set; } + public string DBConnectionString { get; set; } public string KeyVault { get; set; } public string AppConfigEndpoint { get; set; } + public string AppConfigConnection { get; set; } public string Sentinel { get; set; } + public string Environment { get; set; } } public class FeatureManagement @@ -29,6 +31,6 @@ public class AppConfig { public Logging Logging { get; set; } public string AllowedHosts { get; set; } - public Settings AppSettings { get; set; } + public AppSettings Settings { get; set; } public FeatureManagement FeatureManagement { get; set; } } \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs index 5e1c48fa..28aa92b4 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/Program.cs @@ -3,35 +3,32 @@ using Azure.Security.KeyVault.Secrets; using Microsoft.AspNetCore.Builder; using Microsoft.Extensions.Configuration; -using Microsoft.Extensions.Configuration.AzureAppConfiguration; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Hosting; using Microsoft.OpenApi.Models; var builder = WebApplication.CreateBuilder(args); -string connectionString = "Endpoint=https://foodconfig-dev.azconfig.io;Id=B1kS-l9-s0:O8WiC3kXo8OKaABKcK4y;Secret=dlCIR0ybMLVX1czEyI9AlaKOcVaINQbZZkkek8uKS88="; +// Access Base Configuration +IConfiguration Configuration = builder.Configuration; +builder.Services.AddSingleton(Configuration); +var cfg = Configuration.Get(); builder.Configuration.AddAzureAppConfiguration(options => { - options.Connect(connectionString) + options.Connect(cfg.Settings.AppConfigConnection) .ConfigureKeyVault(kv => { kv.SetCredential(new DefaultAzureCredential()); }) - .Select("*", "production") + .Select("*", cfg.Settings.Environment) .ConfigureRefresh(refreshOptions => refreshOptions.Register("Settings:Sentinel", refreshAll: true)); }); // Add services to the container. -// Configuration -IConfiguration Configuration = builder.Configuration; -builder.Services.AddSingleton(Configuration); -var cfg = Configuration.Get(); - // Key Vault Client -var client = new SecretClient(new Uri($"https://{cfg.AppSettings.KeyVault}"), new DefaultAzureCredential()); +var client = new SecretClient(new Uri($"https://{cfg.Settings.KeyVault}"), new DefaultAzureCredential()); builder.Services.AddSingleton(client); builder.Services.AddControllers(); diff --git a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json index d0ec6876..b1d414af 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json +++ b/demos/07-secure-solutions/03-app-config/demo-01/config-service-api/appsettings.json @@ -7,13 +7,15 @@ } }, "AllowedHosts": "*", - "AppSettings": { + "Settings": { "Title": "App Config From File", "AuthEnabled": false, - "ConnectionString": "Data Source=./food-local.db", + "DBConnectionString": "Data Source=./food-local.db", "KeyVault": "foodvault-dev.vault.azure.net", "AppConfigEndpoint": "https://foodconfig-dev.azconfig.io", - "Sentinel": 1 + "AppConfigConnection": "Endpoint=https://foodconfig-dev.azconfig.io;Id=fVrb-l9-s0:Kn9pxn7Ueh+XZ9viVGsR;Secret=hbr+jKb0SgK+RIrud2EXWXKZkschTJt23bCzN29xWRI=", + "Sentinel": 1, + "Environment": "production" }, "FeatureManagement": { "PremiumFeature": false diff --git a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli index 2cafa371..67da7136 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli +++ b/demos/07-secure-solutions/03-app-config/demo-01/create-app-conf.azcli @@ -18,19 +18,14 @@ az appconfig kv set -n $cfg --key "Settings:Sentinel" --value 1 -y --label produ cfgmi=$(az appconfig identity assign -g $grp -n $cfg --query principalId -o tsv) az keyvault set-policy -n $vault --object-id $cfgmi --secret-permissions get list -az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y -az appconfig kv set-keyvault -n $cfg --key "Settings:ConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production +az appconfig kv set-keyvault -n $cfg --key "Settings:DBConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLite" -y +az appconfig kv set-keyvault -n $cfg --key "Settings:DBConnectionString" --secret-identifier "https://$vault.vault.azure.net/Secrets/conSQLServer" -y --label production # alternative: keyvault policy assignment using service principal # principal=http://foodprincipal # az ad sp create-for-rbac -n $principal --sdk-auth # az keyvault set-policy -n $vault --spn $principal --secret-permissions get list -# create a feature flag and turn it on -az appconfig feature set -n $cfg --feature PremiumFeature -y -az appconfig feature set -n $cfg --feature PremiumFeature -y --label production -az appconfig feature enable -n $cfg --feature PremiumFeature -y - # create hosting webapp and add keyvault permissions to managed identity cd config-service-api az webapp up -n $app -g $grp -p $plan -l $loc --sku Free --runtime "DOTNET|6.0" @@ -38,7 +33,18 @@ cd .. webmi=$(az webapp identity assign -g $grp -n $app --query principalId -o tsv) az keyvault set-policy -n $vault --object-id $webmi --secret-permissions get list -# add app config reader permissions to managed identity +sleep 15 # wait for managed identity to propagate + +# add app config reader permissions to managed identity and add the endpoint to webapp config az role assignment create --role "App Configuration Data Reader" --assignee $webmi --scope $appconfigid +configEP=$(az appconfig list -g $grp --query "[?name=='$cfg'].endpoint" -o tsv) +configCon=$(az appconfig credential list --name $cfg --query [0].connectionString -o tsv) +az webapp config appsettings set -g $grp -n $app --settings "Settings:AppConfigEndpoint=$configEP" +az webapp config appsettings set -g $grp -n $app --settings "Settings:AppConfigConnection=$configCon" -az webapp restart -g $grp -n $app \ No newline at end of file +az webapp restart -g $grp -n $app + +# create a feature flag and turn it on +az appconfig feature set -n $cfg --feature PremiumFeature -y +az appconfig feature set -n $cfg --feature PremiumFeature -y --label production +az appconfig feature enable -n $cfg --feature PremiumFeature -y \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/readme.md b/demos/07-secure-solutions/03-app-config/demo-01/readme.md index dfc71243..afc777ca 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/readme.md +++ b/demos/07-secure-solutions/03-app-config/demo-01/readme.md @@ -1,13 +1,9 @@ -# Demo +# App Configuration Services -Execute `create-app-conf.azcli` to create required base services. +- Execute `create-app-conf.azcli` to create required base services. -Get the Connection String of the AppConfig Service and add it as env var: + >Note: This demo assumes that you have already created the base services from 01-key-vault by executing `create-vault.azcli` -```powershell -setx AppConfigCS "Endpoint=https://foodconfig-20433.azconfig.io;Id=YhpI-l9-s0:bXPh6ApX2WzFki7odj33;Secret=o8LoLhCIy5Rn3okemD0CkDan4y83rozMR7C8cRz/SECRET=" -``` +- Get the Connection String of the AppConfig Service and add to `appsettings.json`: -![secret](_images/app-config-con-string.png) - -Examine Demo-01 and execute it using `dotnet run` \ No newline at end of file + ![secret](_images/app-config-con-string.png) \ No newline at end of file From 20728461dbd19f9eec170df116b4827d9518c990 Mon Sep 17 00:00:00 2001 From: Alexander Pajer Date: Fri, 10 Feb 2023 07:35:42 +0100 Subject: [PATCH 15/15] docs --- .../AppConfigConsole/.vscode/launch.json | 27 ------------ .../AppConfigConsole/.vscode/tasks.json | 42 ------------------- .../AppConfigConsole/AppConfigConsole.csproj | 10 ----- .../demo-01/AppConfigConsole/Program.cs | 32 -------------- .../demo-01/AppConfigConsole/appsettings.json | 0 .../03-app-config/demo-01/readme.md | 6 +-- 6 files changed, 1 insertion(+), 116 deletions(-) delete mode 100644 demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/launch.json delete mode 100644 demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/tasks.json delete mode 100644 demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/AppConfigConsole.csproj delete mode 100644 demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/Program.cs delete mode 100644 demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/appsettings.json diff --git a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/launch.json b/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/launch.json deleted file mode 100644 index 7dd37eac..00000000 --- a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/launch.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - // Use IntelliSense to find out which attributes exist for C# debugging - // Use hover for the description of the existing attributes - // For further information visit https://github.com/OmniSharp/omnisharp-vscode/blob/master/debugger-launchjson.md - "version": "0.2.0", - "configurations": [ - { - "name": ".NET Core Launch (console)", - "type": "coreclr", - "request": "launch", - "preLaunchTask": "build", - // If you have changed target frameworks, make sure to update the program path. - "program": "${workspaceFolder}/bin/Debug/net6.0/AppConfigConsole.dll", - "args": [], - "cwd": "${workspaceFolder}", - // For more information about the 'console' field, see https://aka.ms/VSCode-CS-LaunchJson-Console - "console": "internalConsole", - "stopAtEntry": false - }, - { - "name": ".NET Core Attach", - "type": "coreclr", - "request": "attach", - "processId": "${command:pickProcess}" - } - ] -} diff --git a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/tasks.json b/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/tasks.json deleted file mode 100644 index 8aaeefda..00000000 --- a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/.vscode/tasks.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "version": "2.0.0", - "tasks": [ - { - "label": "build", - "command": "dotnet", - "type": "process", - "args": [ - "build", - "${workspaceFolder}/AppConfigConsole.csproj", - "/property:GenerateFullPaths=true", - "/consoleloggerparameters:NoSummary" - ], - "problemMatcher": "$msCompile" - }, - { - "label": "publish", - "command": "dotnet", - "type": "process", - "args": [ - "publish", - "${workspaceFolder}/AppConfigConsole.csproj", - "/property:GenerateFullPaths=true", - "/consoleloggerparameters:NoSummary" - ], - "problemMatcher": "$msCompile" - }, - { - "label": "watch", - "command": "dotnet", - "type": "process", - "args": [ - "watch", - "run", - "${workspaceFolder}/AppConfigConsole.csproj", - "/property:GenerateFullPaths=true", - "/consoleloggerparameters:NoSummary" - ], - "problemMatcher": "$msCompile" - } - ] -} \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/AppConfigConsole.csproj b/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/AppConfigConsole.csproj deleted file mode 100644 index 451016d4..00000000 --- a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/AppConfigConsole.csproj +++ /dev/null @@ -1,10 +0,0 @@ - - - Exe - net6.0 - - - - - - \ No newline at end of file diff --git a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/Program.cs b/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/Program.cs deleted file mode 100644 index 7b4b34c7..00000000 --- a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/Program.cs +++ /dev/null @@ -1,32 +0,0 @@ -using System; -using Azure.Identity; -using Microsoft.Extensions.Configuration; -using Microsoft.Extensions.Configuration.AzureAppConfiguration; - -namespace AppConfigConsole -{ - class Program - { - static void Main(string[] args) - { - var builder = new ConfigurationBuilder(); - - // Update Connection String - var cs = ""; - builder.AddAzureAppConfiguration(options => - { - options.Connect(cs) - // Uncomment if you want to use a specific label - .Select(KeyFilter.Any, "prod") - .ConfigureKeyVault(kv => - { - kv.SetCredential(new DefaultAzureCredential()); - }); - }); - - var config = builder.Build(); - Console.WriteLine(config["Settings:Title"] ?? "No Title received"); - Console.WriteLine(config["Settings:ConnectionString"] ?? "No ConString received"); - } - } -} diff --git a/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/appsettings.json b/demos/07-secure-solutions/03-app-config/demo-01/AppConfigConsole/appsettings.json deleted file mode 100644 index e69de29b..00000000 diff --git a/demos/07-secure-solutions/03-app-config/demo-01/readme.md b/demos/07-secure-solutions/03-app-config/demo-01/readme.md index afc777ca..cac0a2d8 100644 --- a/demos/07-secure-solutions/03-app-config/demo-01/readme.md +++ b/demos/07-secure-solutions/03-app-config/demo-01/readme.md @@ -2,8 +2,4 @@ - Execute `create-app-conf.azcli` to create required base services. - >Note: This demo assumes that you have already created the base services from 01-key-vault by executing `create-vault.azcli` - -- Get the Connection String of the AppConfig Service and add to `appsettings.json`: - - ![secret](_images/app-config-con-string.png) \ No newline at end of file + >Note: This demo assumes that you have already created the base services from 01-key-vault by executing `create-vault.azcli` \ No newline at end of file