From 9e63e1298bc137f7fde5a456ecc3dee6c1f68b86 Mon Sep 17 00:00:00 2001 From: Maor Leger Date: Mon, 18 Nov 2024 18:28:27 +0000 Subject: [PATCH 1/6] wip --- sdk/keyvault/test-resources.json | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json index 9a67b4f0224e..55246dda95d0 100644 --- a/sdk/keyvault/test-resources.json +++ b/sdk/keyvault/test-resources.json @@ -67,9 +67,18 @@ "virtualNetworkRules": [], "ipRules": [], "defaultAction": "Allow" - } + }, + "managedIdentityName": "[format('{0}-mi', parameters('baseName'))]", + "managedIdentityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]" }, "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "condition": "[parameters('enableHsm')]", + "name": "[variables('managedIdentityName')]", + "location": "[parameters('location')]" + }, { "type": "Microsoft.KeyVault/vaults", "apiVersion": "2024-04-01-preview", @@ -108,6 +117,12 @@ "family": "B", "name": "Standard_B1" }, + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[variables('managedIdentityId')]": {} + } + }, "properties": { "publicNetworkAccess": "Enabled", "networkAcls": "[variables('networkAcls')]", @@ -116,7 +131,10 @@ "enablePurgeProtection": false, "enableSoftDelete": true, "softDeleteRetentionInDays": 7 - } + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]" + ] }, { "type": "Microsoft.Storage/storageAccounts", @@ -193,9 +211,7 @@ ] } }, - "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]" - ] + "dependsOn": ["[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]"] } ], "outputs": { 
@@ -226,6 +242,10 @@ "AZURE_KEYVAULT_ATTESTATION_URI": { "type": "string", "value": "[format('https://{0}/', reference(resourceId('Microsoft.Web/sites', variables('attestationSite')), '2023-12-01').defaultHostName)]" + }, + "MANAGED_IDENTITY_ID": { + "type": "string", + "value": "[variables('managedIdentityId')]" } } -} \ No newline at end of file +} From ff02facd93d4d116b18c54756636a259ee534c87 Mon Sep 17 00:00:00 2001 From: Maor Leger Date: Mon, 18 Nov 2024 18:46:17 +0000 Subject: [PATCH 2/6] wip --- sdk/keyvault/test-resources.json | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json index 55246dda95d0..0dba54d4257d 100644 --- a/sdk/keyvault/test-resources.json +++ b/sdk/keyvault/test-resources.json @@ -68,14 +68,15 @@ "ipRules": [], "defaultAction": "Allow" }, - "managedIdentityName": "[format('{0}-mi', parameters('baseName'))]", - "managedIdentityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]" + "managedIdentityName": "[format('{0}-managedIdentity', parameters('baseName'))]", + "managedIdentityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]", + "roleAssignmentName": "[guid(resourceGroup().id, 'roleAssignment', variables('managedIdentityId'))]" }, "resources": [ { + "condition": "[parameters('enableHsm')]", "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", - "condition": "[parameters('enableHsm')]", "name": "[variables('managedIdentityName')]", "location": "[parameters('location')]" }, 
@@ -179,6 +180,21 @@ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('primaryAccountName'), 'default')]" ] }, + { + "type": "Microsoft.Authorization/roleAssignments", + "condition": "[parameters('enableHsm')]", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentName')]", + "properties": { + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'Storage Blob Data Contributor')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))).principalId]", + "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" + ] + }, { "type": "Microsoft.Web/serverfarms", "apiVersion": "2023-12-01", @@ -242,10 +258,6 @@ "AZURE_KEYVAULT_ATTESTATION_URI": { "type": "string", "value": "[format('https://{0}/', reference(resourceId('Microsoft.Web/sites', variables('attestationSite')), '2023-12-01').defaultHostName)]" - }, - "MANAGED_IDENTITY_ID": { - "type": "string", - "value": "[variables('managedIdentityId')]" } } } From 4006b7550bd7c265cd31fe9dbf946661702f0d67 Mon Sep 17 00:00:00 2001 From: Maor Leger Date: Mon, 18 Nov 2024 20:05:54 +0000 Subject: [PATCH 3/6] wip --- .../test/public/backupClient.spec.ts | 48 ++++++------------- .../test/public/utils/common.ts | 4 +- sdk/keyvault/test-resources.json | 15 +++--- 3 files changed, 25 insertions(+), 42 deletions(-) diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts index 2dec59d72932..1898d57098bb 100644 --- a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts +++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts 
@@ -1,24 +1,24 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-import { isPlaybackMode, Recorder } from "@azure-tools/test-recorder";
+import type { Recorder } from "@azure-tools/test-recorder";
+import { isPlaybackMode } from "@azure-tools/test-recorder";
-import { KeyVaultBackupClient } from "../../src/index.js";
+import type { KeyVaultBackupClient } from "../../src/index.js";
 import { authenticate } from "./utils/authentication.js";
 import { testPollerProperties } from "./utils/recorder.js";
 import { getSasToken } from "./utils/common.js";
 import { delay } from "@azure/core-util";
-import { KeyClient } from "@azure/keyvault-keys";
+import type { KeyClient } from "@azure/keyvault-keys";
 import { describe, it, expect, beforeEach, afterEach } from "vitest";
 // TODO: https://github.com/Azure/azure-sdk-for-js/issues/30273
-describe.skip("KeyVaultBackupClient", () => {
+describe("KeyVaultBackupClient", () => {
 let client: KeyVaultBackupClient;
 let keyClient: KeyClient;
 let recorder: Recorder;
 let blobStorageUri: string;
- let blobSasToken: string;
 beforeEach(async function (ctx) {
 const authentication = await authenticate(ctx);
@@ -27,7 +27,6 @@ describe.skip("KeyVaultBackupClient", () => {
 recorder = authentication.recorder;
 const sasTokenData = getSasToken();
 blobStorageUri = sasTokenData.blobStorageUri;
- blobSasToken = sasTokenData.blobSasToken;
 });
 afterEach(async function () {
@@ -36,15 +35,11 @@ describe.skip("KeyVaultBackupClient", () => {
 describe("beginBackup", function () {
 it("returns the correct backup result when successful", async function () {
- const backupPoller = await client.beginBackup(
- blobStorageUri,
- blobSasToken,
- testPollerProperties,
- );
+ const backupPoller = await client.beginBackup(blobStorageUri, testPollerProperties);
 await backupPoller.poll();
 // A poller can be serialized and then resumed
- const resumedPoller = await client.beginBackup(blobStorageUri, blobSasToken, {
+ const resumedPoller = await client.beginBackup(blobStorageUri, {
 resumeFrom: backupPoller.toString(),
 ...testPollerProperties,
 });
@@ -71,23 +66,18 @@ describe.skip("KeyVaultBackupClient", () => {
 describe("beginRestore", function () {
 it("full restore completes successfully", async function () {
- const backupPoller = await client.beginBackup(
- blobStorageUri,
- blobSasToken,
- testPollerProperties,
- );
+ const backupPoller = await client.beginBackup(blobStorageUri, testPollerProperties);
 const backupResult = await backupPoller.pollUntilDone();
 expect(backupResult.folderUri).toBeDefined();
 const restorePoller = await client.beginRestore(
 backupResult.folderUri!,
- blobSasToken,
 testPollerProperties,
 );
 await restorePoller.poll();
 // A poller can be serialized and then resumed
- const resumedPoller = await client.beginRestore(backupResult.folderUri!, blobSasToken, {
+ const resumedPoller = await client.beginRestore(backupResult.folderUri!, {
 ...testPollerProperties,
 resumeFrom: restorePoller.toString(),
 });
@@ -115,11 +105,7 @@ describe.skip("KeyVaultBackupClient", () => {
 it.skipIf(!isPlaybackMode())("selectiveKeyRestore completes successfully", async function () {
 const keyName = "rsa1";
 await keyClient.createRsaKey(keyName);
- const backupPoller = await client.beginBackup(
- blobStorageUri,
- blobSasToken,
- testPollerProperties,
- );
+ const backupPoller = await client.beginBackup(blobStorageUri, testPollerProperties);
 const backupURI = await backupPoller.pollUntilDone();
 expect(backupURI.folderUri).toBeDefined();
@@ -130,21 +116,15 @@ describe.skip("KeyVaultBackupClient", () => {
 const selectiveKeyRestorePoller = await client.beginSelectiveKeyRestore(
 keyName,
 backupURI.folderUri!,
- blobSasToken,
 testPollerProperties,
 );
 await selectiveKeyRestorePoller.poll();
 // A poller can be serialized and then resumed
- const resumedPoller = await client.beginSelectiveKeyRestore(
- keyName,
- blobStorageUri,
- blobSasToken,
- {
- ...testPollerProperties,
- resumeFrom: selectiveKeyRestorePoller.toString(),
- },
- );
+ const resumedPoller = await client.beginSelectiveKeyRestore(keyName, blobStorageUri, {
+ ...testPollerProperties,
+ resumeFrom: selectiveKeyRestorePoller.toString(),
+ });
 expect(resumedPoller.getOperationState().isStarted).toEqual(true); // without polling
 expect(resumedPoller.getOperationState().jobId).toEqual(
 selectiveKeyRestorePoller.getOperationState().jobId,
diff --git a/sdk/keyvault/keyvault-admin/test/public/utils/common.ts b/sdk/keyvault/keyvault-admin/test/public/utils/common.ts
index dba7c09f0edb..c6113311987f 100644
--- a/sdk/keyvault/keyvault-admin/test/public/utils/common.ts
+++ b/sdk/keyvault/keyvault-admin/test/public/utils/common.ts
@@ -32,10 +32,10 @@ export function getEnvironmentVariable(envVarName: string): string {
 /**
 * Get a predefined SAS token and Storage URI to use when backing up a KeyVault
 */
-export function getSasToken(): { blobStorageUri: string; blobSasToken: string } {
+export function getSasToken(): { blobStorageUri: string; blobSasToken?: string } {
 const baseStorageUri = getEnvironmentVariable("BLOB_STORAGE_URI").replace(/\/$/, "");
 const blobStorageUri = `${baseStorageUri}/${getEnvironmentVariable("BLOB_CONTAINER_NAME")}`;
- const blobSasToken = getEnvironmentVariable("BLOB_STORAGE_SAS_TOKEN");
+ const blobSasToken = env["BLOB_STORAGE_SAS_TOKEN"]; // not required
 return { blobStorageUri, blobSasToken };
 }
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
index 0dba54d4257d..c6b67d7f5df5 100644
--- a/sdk/keyvault/test-resources.json
+++ b/sdk/keyvault/test-resources.json
@@ -182,17 +182,16 @@ }, { "type": "Microsoft.Authorization/roleAssignments", - "condition": "[parameters('enableHsm')]", "apiVersion": "2022-04-01", - "name": "[variables('roleAssignmentName')]", + "name": "[guid(resourceGroup().id, 'StorageBlobContributor', variables('managedIdentityId'))]", "properties": { - "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'Storage Blob Data Contributor')]", + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))).principalId]", - "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" + "scope": "[resourceGroup().id]", + "principalType": "ServicePrincipal" }, "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]" ] }, { @@ -258,6 +257,10 @@ "AZURE_KEYVAULT_ATTESTATION_URI": { "type": "string", "value": "[format('https://{0}/', reference(resourceId('Microsoft.Web/sites', variables('attestationSite')), '2023-12-01').defaultHostName)]" + }, + "MANAGED_IDENTITY_ID": { + "type": "string", + "value": "[variables('managedIdentityId')]" } } } From b64966cfd64692867039cd83d4315bcdeeaba787 Mon Sep 17 00:00:00 2001 
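Review bot: The role assignment in the first hunk is now scoped to `resourceGroup().id`, which grants the managed identity Storage Blob Data Contributor rights on every storage account in the resource group, while the backup target is only the `primaryAccountName` account; keeping the narrower `"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]"` together with its dependsOn entry is the least-privilege choice. The same hunk also drops `"condition": "[parameters('enableHsm')]"` while the `userAssignedIdentities` resource it references is still conditional, so with enableHsm false the `reference(...).principalId` expression presumably points at an identity that was never deployed and the deployment would fail rather than skip the assignment. Both points carry over to `managedIdentityRoleAssignment` in the test-resources.bicep hunk of patch 4, which has `scope: resourceGroup().id` and no `if (enableHsm)`.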
From: Maor Leger
Date: Mon, 18 Nov 2024 21:05:34 +0000
Subject: [PATCH 4/6] [keyvault] Fix dupe deploys, re-enable backup/restore tests
---
 sdk/keyvault/keyvault-admin/assets.json | 2 +-
 .../test/public/backupClient.spec.ts | 4 +-
 sdk/keyvault/test-resources-post.ps1 | 7 +
 sdk/keyvault/test-resources.bicep | 27 ++
 sdk/keyvault/test-resources.json | 266 ------------------
 5 files changed, 36 insertions(+), 270 deletions(-)
 delete mode 100644 sdk/keyvault/test-resources.json
diff --git a/sdk/keyvault/keyvault-admin/assets.json b/sdk/keyvault/keyvault-admin/assets.json
index 662129f1027f..cc97db2d357b 100644
--- a/sdk/keyvault/keyvault-admin/assets.json
+++ b/sdk/keyvault/keyvault-admin/assets.json
@@ -2,5 +2,5 @@
 "AssetsRepo": "Azure/azure-sdk-assets",
 "AssetsRepoPrefixPath": "js",
 "TagPrefix": "js/keyvault/keyvault-admin",
- "Tag": "js/keyvault/keyvault-admin_4b469d86ad"
+ "Tag": "js/keyvault/keyvault-admin_1ce65643a5"
 }
diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts
index 1898d57098bb..4b0773eac947 100644
--- a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts
+++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts
@@ -100,9 +100,7 @@ describe("KeyVaultBackupClient", () => {
 }
 });
- // This test can only be run in playback mode because running a backup
- // or restore puts the instance in a bad state (tracked in IcM).
- it.skipIf(!isPlaybackMode())("selectiveKeyRestore completes successfully", async function () {
+ it("selectiveKeyRestore completes successfully", async function () {
 const keyName = "rsa1";
 await keyClient.createRsaKey(keyName);
 const backupPoller = await client.beginBackup(blobStorageUri, testPollerProperties);
diff --git a/sdk/keyvault/test-resources-post.ps1 b/sdk/keyvault/test-resources-post.ps1
index cfeaae11f018..aa98f097b4a6 100644
--- a/sdk/keyvault/test-resources-post.ps1
+++ b/sdk/keyvault/test-resources-post.ps1
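Review bot: Removing the comment above `it("selectiveKeyRestore completes successfully"` in the backupClient.spec.ts hunk also removes the only recorded reason the test was playback-only (a live backup or restore left the instance in a bad state, tracked in an IcM), and nothing in the new code says what changed to make a live run safe; a one-line comment above the `it(...)`, e.g. `// Live runs re-enabled (see PR description); was playback-only while a live backup/restore left the HSM in a bad state`, would keep that history next to the test. If `isPlaybackMode` has no remaining use in this file once the `skipIf` is gone, its import near the top (outside this hunk) is now unused; I cannot see the rest of the file to confirm. The enclosing describe block starts and ends outside the hunk.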
@@ -111,3 +111,10 @@ Log "Creating additional required role assignments for resource access."
 New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto Officer" -ObjectID $testApplicationOid
 New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectID $testApplicationOid
 Log "Role assignments created for '$testApplicationOid'"
+
+Log "Associating managed identity with managed HSM"
+Update-AzKeyVaultManagedHsm `
+ -HsmName $hsmName`
+ -IdentityType "UserAssigned" `
+ -UserAssignedIdentityId $DeploymentOutputs["MANAGED_IDENTITY_ID"]
+Log "Managed identity associated with managed HSM - backup and restore using managed identity is enabled"
diff --git a/sdk/keyvault/test-resources.bicep b/sdk/keyvault/test-resources.bicep
index 856ea69c4bfa..52f8355c3431 100644
--- a/sdk/keyvault/test-resources.bicep
+++ b/sdk/keyvault/test-resources.bicep
@@ -32,6 +32,13 @@ var networkAcls = {
 ipRules: []
 defaultAction: 'Allow'
 }
+var managedIdentityName = '${baseName}-managedIdentity'
+var managedIdentityId = managedIdentity.id
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (enableHsm) {
+ name: managedIdentityName
+ location: location
+}
 resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
 name: kvName
@@ -66,6 +73,12 @@ resource managedHsm 'Microsoft.KeyVault/managedHSMs@2024-04-01-preview' = if (en
 family: 'B'
 name: 'Standard_B1'
 }
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${managedIdentityId}': {}
+ }
+ }
 properties: {
 publicNetworkAccess: 'Enabled'
 networkAcls: networkAcls
@@ -113,6 +126,19 @@ resource blobContainer 'Microsoft.Storage/storageAccounts/blobServices/container
 parent: blobService
 }
+resource managedIdentityRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(resourceGroup().id, 'StorageBlobContributor', managedIdentityId)
+ properties: {
+ roleDefinitionId: subscriptionResourceId(
+ 'Microsoft.Authorization/roleDefinitions',
+ 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+ )
+ principalId: managedIdentity.properties.principalId
+ scope: resourceGroup().id
+ principalType: 'ServicePrincipal'
+ }
+}
+
 resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
 name: attestationFarm
 location: location
@@ -151,3 +177,4 @@ output CLIENT_OBJECT_ID string = testApplicationOid
 output BLOB_STORAGE_URI string = storageAccount.properties.primaryEndpoints.blob
 output BLOB_CONTAINER_NAME string = blobContainerName
 output AZURE_KEYVAULT_ATTESTATION_URI string = 'https://${webApp.properties.defaultHostName}/'
+output MANAGED_IDENTITY_ID string = managedIdentityId
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
deleted file mode 100644
index c6b67d7f5df5..000000000000
--- a/sdk/keyvault/test-resources.json
+++ /dev/null
@@ -1,266 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "5316885779202138251" - } - }, - "parameters": { - "hsmLocation": { - "type": "string", - "defaultValue": "australiaeast" - }, - "baseName": { - "type": "string", - "defaultValue": "[resourceGroup().name]" - }, - "tenantId": { - "type": "string", - "defaultValue": "72f988bf-86f1-41af-91ab-2d7cd011db47" - }, - "testApplicationOid": { - "type": "string" - }, - "provisionerApplicationOid": { - "type": "string" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "enableHsm": { - "type": "bool", - "defaultValue": false - }, - "keyVaultSku": { - "type": "string", - "defaultValue": "premium" - }, - "attestationImage": { - "type": "string", - "defaultValue": "keyvault-mock-attestation:latest" - } - }, - "variables": { - "attestationFarm": "[format('{0}farm', parameters('baseName'))]", - "attestationSite": "[format('{0}site', parameters('baseName'))]", - "attestationImageUri": "[format('DOCKER|azsdkengsys.azurecr.io/{0}', parameters('attestationImage'))]", - "kvName": "[parameters('baseName')]", - "hsmName": "[format('{0}hsm', parameters('baseName'))]", - "blobContainerName": "hsmbackups", - "primaryAccountName": "[format('{0}prim', replace(parameters('baseName'), '-', ''))]", - "kvAdminDefinitionId": "00482a5a-887f-4fb3-b363-3b7fe8e74483", - "kvAdminAssignmentName": "[guid(resourceGroup().id, variables('kvAdminDefinitionId'), parameters('testApplicationOid'))]", - "encryption": { - "services": { - "blob": { - "enabled": true - } - }, - "keySource": "Microsoft.Storage" - }, - "networkAcls": { - "bypass": "AzureServices", - "virtualNetworkRules": [], - "ipRules": [], - "defaultAction": "Allow" - }, - "managedIdentityName": "[format('{0}-managedIdentity', parameters('baseName'))]", - 
"managedIdentityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]", - "roleAssignmentName": "[guid(resourceGroup().id, 'roleAssignment', variables('managedIdentityId'))]" - }, - "resources": [ - { - "condition": "[parameters('enableHsm')]", - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", - "name": "[variables('managedIdentityName')]", - "location": "[parameters('location')]" - }, - { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2024-04-01-preview", - "name": "[variables('kvName')]", - "location": "[parameters('location')]", - "properties": { - "sku": { - "family": "A", - "name": "[parameters('keyVaultSku')]" - }, - "tenantId": "[parameters('tenantId')]", - "enabledForDeployment": false, - "enabledForDiskEncryption": false, - "enabledForTemplateDeployment": false, - "enableSoftDelete": true, - "enableRbacAuthorization": true, - "softDeleteRetentionInDays": 7 - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[variables('kvAdminAssignmentName')]", - "properties": { - "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('kvAdminDefinitionId'))]", - "principalId": "[parameters('testApplicationOid')]" - } - }, - { - "condition": "[parameters('enableHsm')]", - "type": "Microsoft.KeyVault/managedHSMs", - "apiVersion": "2024-04-01-preview", - "name": "[variables('hsmName')]", - "location": "[parameters('hsmLocation')]", - "sku": { - "family": "B", - "name": "Standard_B1" - }, - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[variables('managedIdentityId')]": {} - } - }, - "properties": { - "publicNetworkAccess": "Enabled", - "networkAcls": "[variables('networkAcls')]", - "tenantId": "[parameters('tenantId')]", - "initialAdminObjectIds": "[union(createArray(parameters('testApplicationOid')), createArray(parameters('provisionerApplicationOid')))]", - 
"enablePurgeProtection": false, - "enableSoftDelete": true, - "softDeleteRetentionInDays": 7 - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]" - ] - }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2023-05-01", - "name": "[variables('primaryAccountName')]", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_RAGRS" - }, - "kind": "StorageV2", - "properties": { - "networkAcls": "[variables('networkAcls')]", - "supportsHttpsTrafficOnly": true, - "encryption": "[variables('encryption')]", - "accessTier": "Hot" - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}', variables('primaryAccountName'), 'default')]", - "properties": { - "cors": { - "corsRules": [] - }, - "deleteRetentionPolicy": { - "enabled": false - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]" - ] - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2023-05-01", - "name": "[format('{0}/{1}/{2}', variables('primaryAccountName'), 'default', variables('blobContainerName'))]", - "properties": { - "publicAccess": "None" - }, - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('primaryAccountName'), 'default')]" - ] - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(resourceGroup().id, 'StorageBlobContributor', variables('managedIdentityId'))]", - "properties": { - "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))).principalId]", - "scope": "[resourceGroup().id]", - "principalType": "ServicePrincipal" - }, - 
"dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]" - ] - }, - { - "type": "Microsoft.Web/serverfarms", - "apiVersion": "2023-12-01", - "name": "[variables('attestationFarm')]", - "location": "[parameters('location')]", - "kind": "linux", - "sku": { - "name": "B1" - }, - "properties": { - "reserved": true - } - }, - { - "type": "Microsoft.Web/sites", - "apiVersion": "2023-12-01", - "name": "[variables('attestationSite')]", - "location": "[parameters('location')]", - "properties": { - "httpsOnly": true, - "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]", - "siteConfig": { - "alwaysOn": true, - "linuxFxVersion": "[variables('attestationImageUri')]", - "appSettings": [ - { - "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE", - "value": "false" - } - ] - } - }, - "dependsOn": ["[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]"] - } - ], - "outputs": { - "KEYVAULT_URI": { - "type": "string", - "value": "[reference(resourceId('Microsoft.KeyVault/vaults', variables('kvName')), '2024-04-01-preview').vaultUri]" - }, - "AZURE_MANAGEDHSM_URI": { - "type": "string", - "value": "[if(parameters('enableHsm'), reference(resourceId('Microsoft.KeyVault/managedHSMs', variables('hsmName')), '2024-04-01-preview').hsmUri, '')]" - }, - "KEYVAULT_SKU": { - "type": "string", - "value": "[reference(resourceId('Microsoft.KeyVault/vaults', variables('kvName')), '2024-04-01-preview').sku.name]" - }, - "CLIENT_OBJECT_ID": { - "type": "string", - "value": "[parameters('testApplicationOid')]" - }, - "BLOB_STORAGE_URI": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName')), '2023-05-01').primaryEndpoints.blob]" - }, - "BLOB_CONTAINER_NAME": { - "type": "string", - "value": "[variables('blobContainerName')]" - }, - "AZURE_KEYVAULT_ATTESTATION_URI": { - "type": "string", - "value": 
"[format('https://{0}/', reference(resourceId('Microsoft.Web/sites', variables('attestationSite')), '2023-12-01').defaultHostName)]" - }, - "MANAGED_IDENTITY_ID": { - "type": "string", - "value": "[variables('managedIdentityId')]" - } - } -} From 2bb9a5a52cd4f1f2348ba61d1780ec02e4b1a44f Mon Sep 17 00:00:00 2001 From: Maor Leger Date: Mon, 18 Nov 2024 21:09:01 +0000 Subject: [PATCH 5/6] fixes --- sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts | 1 - sdk/keyvault/test-resources-post.ps1 | 5 +---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts index 4b0773eac947..fd851347d168 100644 --- a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts +++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts @@ -12,7 +12,6 @@ import { delay } from "@azure/core-util"; import type { KeyClient } from "@azure/keyvault-keys"; import { describe, it, expect, beforeEach, afterEach } from "vitest"; -// TODO: https://github.com/Azure/azure-sdk-for-js/issues/30273 describe("KeyVaultBackupClient", () => { let client: KeyVaultBackupClient; let keyClient: KeyClient; diff --git a/sdk/keyvault/test-resources-post.ps1 b/sdk/keyvault/test-resources-post.ps1 index aa98f097b4a6..49988b7c066c 100644 --- a/sdk/keyvault/test-resources-post.ps1 +++ b/sdk/keyvault/test-resources-post.ps1 
@@ -113,8 +113,5 @@ New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM
 Log "Role assignments created for '$testApplicationOid'"
 Log "Associating managed identity with managed HSM"
-Update-AzKeyVaultManagedHsm `
- -HsmName $hsmName`
- -IdentityType "UserAssigned" `
- -UserAssignedIdentityId $DeploymentOutputs["MANAGED_IDENTITY_ID"]
+Update-AzKeyVaultManagedHsm -HsmName $hsmName -IdentityType "UserAssigned" -UserAssignedIdentityId $DeploymentOutputs["MANAGED_IDENTITY_ID"]
 Log "Managed identity associated with managed HSM - backup and restore using managed identity is enabled"
From 9a88f00be8108ef14d6a90491bd3451e156631f9 Mon Sep 17 00:00:00 2001
From: Maor Leger
Date: Wed, 20 Nov 2024 21:39:18 +0000
Subject: [PATCH 6/6] updates
---
 .../test/public/backupClient.abort.spec.ts | 19 +++++++++----------
 .../test/public/backupClient.spec.ts | 8 +++++---
 .../test/public/utils/common.ts | 11 -----------
 sdk/keyvault/test-resources-post.ps1 | 2 +-
 4 files changed, 15 insertions(+), 25 deletions(-)
diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts
index 3b1cb74a71e7..de061772975f 100644
--- a/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts
+++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.abort.spec.ts
@@ -6,16 +6,14 @@ import { Recorder } from "@azure-tools/test-recorder";
 import { KeyVaultBackupClient } from "../../src/index.js";
 import { authenticate } from "./utils/authentication.js";
 import { testPollerProperties } from "./utils/recorder.js";
-import { getSasToken } from "./utils/common.js";
 import { describe, it, beforeEach, afterEach, expect } from "vitest";
 import { AbortError } from "@azure/abort-controller";
+import { getEnvironmentVariable } from "./utils/common.js";
-// TODO: https://github.com/Azure/azure-sdk-for-js/issues/30273
-describe.skip("Aborting KeyVaultBackupClient's requests", () => {
+describe("Aborting KeyVaultBackupClient's requests", () => {
 let client: KeyVaultBackupClient;
 let recorder: Recorder;
 let blobStorageUri: string;
- let blobSasToken: string;
 let generateFakeUUID: () => string;
@@ -25,9 +23,10 @@ describe.skip("Aborting KeyVaultBackupClient's requests", () => {
 recorder = authentication.recorder;
 generateFakeUUID = authentication.generateFakeUUID;
- const sasTokenData = getSasToken();
- blobStorageUri = sasTokenData.blobStorageUri;
- blobSasToken = sasTokenData.blobSasToken;
+ blobStorageUri = new URL(
+ getEnvironmentVariable("BLOB_CONTAINER_NAME"),
+ getEnvironmentVariable("BLOB_STORAGE_URI"),
+ ).href;
 });
 afterEach(async function () {
@@ -39,7 +38,7 @@ describe.skip("Aborting KeyVaultBackupClient's requests", () => {
 controller.abort();
 await expect(
- client.beginBackup(blobStorageUri, blobSasToken, {
+ client.beginBackup(blobStorageUri, {
 ...testPollerProperties,
 abortSignal: controller.signal,
 }),
@@ -52,7 +51,7 @@ describe.skip("Aborting KeyVaultBackupClient's requests", () => {
 controller.abort();
 await expect(
- client.beginRestore(backupURI, blobSasToken, {
+ client.beginRestore(backupURI, {
 ...testPollerProperties,
 abortSignal: controller.signal,
 }),
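Review bot: In the `@@ -25,9 +23,10 @@` hunk, `new URL(container, base).href` resolves BLOB_CONTAINER_NAME as a relative reference against BLOB_STORAGE_URI, so the result depends on whether the base ends with a slash: with a non-empty path and no trailing slash the last path segment is replaced instead of appended, and a container value that parses as an absolute URL would discard the base entirely. The deleted getSasToken helper made the join explicit (`replace(/\/$/, "")` then `${base}/${container}`), and the same construction is repeated in the backupClient.spec.ts hunk `@@ -24,8 +24,10 @@` of this patch, so a shared helper in utils/common.ts, or at least normalising the base with `base.endsWith("/") ? base : base + "/"` before the `new URL` call, would keep both tests consistent. Since the bicep output BLOB_STORAGE_URI is `storageAccount.properties.primaryEndpoints.blob`, I would expect a trailing slash in practice, so this is mainly a robustness and duplication point.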
@@ -66,7 +65,7 @@ describe.skip("Aborting KeyVaultBackupClient's requests", () => {
 controller.abort();
 await expect(
- client.beginSelectiveKeyRestore("key-name", backupURI, blobSasToken, {
+ client.beginSelectiveKeyRestore("key-name", backupURI, {
 ...testPollerProperties,
 abortSignal: controller.signal,
 }),
diff --git a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts
index fd851347d168..c3ae42b2c4e9 100644
--- a/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts
+++ b/sdk/keyvault/keyvault-admin/test/public/backupClient.spec.ts
@@ -7,10 +7,10 @@ import { isPlaybackMode } from "@azure-tools/test-recorder";
 import type { KeyVaultBackupClient } from "../../src/index.js";
 import { authenticate } from "./utils/authentication.js";
 import { testPollerProperties } from "./utils/recorder.js";
-import { getSasToken } from "./utils/common.js";
 import { delay } from "@azure/core-util";
 import type { KeyClient } from "@azure/keyvault-keys";
 import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { getEnvironmentVariable } from "./utils/common.js";
 describe("KeyVaultBackupClient", () => {
 let client: KeyVaultBackupClient;
@@ -24,8 +24,10 @@ describe("KeyVaultBackupClient", () => {
 client = authentication.backupClient;
 keyClient = authentication.keyClient;
 recorder = authentication.recorder;
- const sasTokenData = getSasToken();
- blobStorageUri = sasTokenData.blobStorageUri;
+ blobStorageUri = new URL(
+ getEnvironmentVariable("BLOB_CONTAINER_NAME"),
+ getEnvironmentVariable("BLOB_STORAGE_URI"),
+ ).href;
 });
 afterEach(async function () {
diff --git a/sdk/keyvault/keyvault-admin/test/public/utils/common.ts b/sdk/keyvault/keyvault-admin/test/public/utils/common.ts
index c6113311987f..7a74f9ecb5d3 100644
--- a/sdk/keyvault/keyvault-admin/test/public/utils/common.ts
+++ b/sdk/keyvault/keyvault-admin/test/public/utils/common.ts
@@ -28,14 +28,3 @@ export function getEnvironmentVariable(envVarName: string): string {
 }
 return envVar;
 }
-
-/**
- * Get a predefined SAS token and Storage URI to use when backing up a KeyVault
- */
-export function getSasToken(): { blobStorageUri: string; blobSasToken?: string } {
- const baseStorageUri = getEnvironmentVariable("BLOB_STORAGE_URI").replace(/\/$/, "");
- const blobStorageUri = `${baseStorageUri}/${getEnvironmentVariable("BLOB_CONTAINER_NAME")}`;
- const blobSasToken = env["BLOB_STORAGE_SAS_TOKEN"]; // not required
-
- return { blobStorageUri, blobSasToken };
-}
diff --git a/sdk/keyvault/test-resources-post.ps1 b/sdk/keyvault/test-resources-post.ps1
index 49988b7c066c..6a526e4f3f63 100644
--- a/sdk/keyvault/test-resources-post.ps1
+++ b/sdk/keyvault/test-resources-post.ps1
@@ -113,5 +113,5 @@ New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM
 Log "Role assignments created for '$testApplicationOid'"
 Log "Associating managed identity with managed HSM"
-Update-AzKeyVaultManagedHsm -HsmName $hsmName -IdentityType "UserAssigned" -UserAssignedIdentityId $DeploymentOutputs["MANAGED_IDENTITY_ID"]
+Update-AzKeyVaultManagedHsm -HsmName $hsmName -ResourceGroupName $DeploymentOutputs["KEYVAULT_RESOURCE_GROUP"] -UserAssignedIdentity $DeploymentOutputs["MANAGED_IDENTITY_ID"]
 Log "Managed identity associated with managed HSM - backup and restore using managed identity is enabled"
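Review bot: The rewritten `Update-AzKeyVaultManagedHsm` line in the test-resources-post.ps1 hunk is followed by `Log "Managed identity associated with managed HSM ..."` unconditionally, so a non-terminating failure of the cmdlet (for example the identity or HSM not being found) would be logged as success and the backup/restore tests would only fail much later; adding `-ErrorAction Stop` to the call, or a guard such as `if (-not $?) { throw "Failed to associate managed identity with HSM '$hsmName'" }` before the Log line, would surface it at deployment time. `KEYVAULT_RESOURCE_GROUP` is not among the template outputs visible in this series (only `MANAGED_IDENTITY_ID` was added to test-resources.bicep), so it is presumably injected by the deployment harness; a short comment saying where it comes from would help the next reader, since an absent key would pass `$null` to `-ResourceGroupName`. Whether this block already sits inside an enableHsm-only branch is not visible from the hunk.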