Refactor with terraform and defaultCredential for keyvault sample #126

Merged
@@ -1,21 +1,135 @@
# Using Key Vault Secrets With Spring Cloud Azure Key Vault Secrets Starter

# Spring Cloud Azure Starter Key Vault Secrets Sample
This sample illustrates the simplest usage of `spring-cloud-azure-starter-keyvault-secrets`.
To learn all features, please refer to [reference doc](https://microsoft.github.io/spring-cloud-azure/docs/current/reference/html/index.html#secret-management).
Contributor
Using this symbolic link, current, will make it possible to be broken in the future. But it seems like we don't have a better choice now.


This sample illustrates the simplest usage of `spring-cloud-azure-starter-keyvault-secrets`. To learn all features, please refer to [reference doc](https://microsoft.github.io/spring-cloud-azure/docs/4.0.0-beta.1/reference/html/index.html).
## What You Will build

## Create Azure resources
You will build an application that use `spring-cloud-azure-starter-keyvault-secrets` to retrieve secrets from [Azure Key Vault](https://azure.microsoft.com/services/key-vault/).

1. Read [document about register an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application. get the `Application (client) ID`: **${AZURE_CLIENT_ID}**, and create a secret, get the `Client Secret Value`: **${AZURE_CLIENT_SECRET}**.
2. Read [document about create key vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal), get the `Directory ID`: **${AZURE_TENANT_ID}** and `Vault URI` **${ENDPOINT}**.
3. Read [document about assign Key Vault access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal), assign `Secret Management` template to the client(or principal) we created in step 1.
## What You Need

## Fill the values in application.yml
Fill these values in application.yml: **${AZURE_TENANT_ID}**, **${AZURE_CLIENT_ID}**, **${AZURE_CLIENT_SECRET}**, **${ENDPOINT}**.
- [An Azure subscription](https://azure.microsoft.com/free/)
- [Terraform](https://www.terraform.io/)
- [IntelliJ IDEA](https://www.jetbrains.com/idea/download/#section=mac)
- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli)
- JDK8
- Maven

## Prevision Azure Resources required to run this sample.

### Authenticate using the Azure CLI
Terraform must authenticate to Azure to create infrastructure.

In your terminal, use the Azure CLI tool to setup your account permissions locally.

```shell
az login
```

Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use.

```shell
You have logged in. Now let us find all the subscriptions to which you have access...

[
{
"cloudName": "AzureCloud",
"homeTenantId": "home-Tenant-Id",
"id": "subscription-id",
"isDefault": true,
"managedByTenants": [],
"name": "Subscription-Name",
"state": "Enabled",
"tenantId": "0envbwi39-TenantId",
"user": {
"name": "[email protected]",
"type": "user"
}
}
]
```

If you have more than one subscription, specify the subscription-id you want to use with command below:
```shell
az account set --subscription <your-subscription-id>
```

### Provision the Resources

After login Azure CLI with your account, now you can use the terraform script to create Azure Resources.

```shell
# In the root directory of the sample
# Initialize your Terraform configuration
terraform -chdir=./terraform init

# Apply your Terraform Configuration
# Type `yes` at the confirmation prompt to proceed.
terraform -chdir=./terraform apply

```


It may take a few minutes to run the script. After successful running, you will see prompt information like below:

```shell

azurecaf_name.kv: Creating...
azurecaf_name.resource_group: Creating...
azurecaf_name.resource_group: Creation complete after ...
azurecaf_name.kv: Creation complete after 0s ...
azurerm_resource_group.main: Creating...
azurerm_resource_group.main: Creation complete after 4s ...
azurerm_key_vault.kv_account: Creating...
azurerm_key_vault.kv_account: Still creating...
...
azurerm_key_vault.kv_account: Creation complete after 2m36s ...
azurerm_key_vault_secret.kv: Creating...
azurerm_key_vault_secret.kv: Creation complete after 8s ...

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

Outputs:

...


```

You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created.

### Export output to your local Environment
Running the command below to export environment values:

```shell
source ./terraform/setup_env.sh
```

## Run locally

In your terminal, run `mvn clean spring-boot:run`.


```shell
mvn clean spring-boot:run
```

## Verify this sample

## Start application
Start the application, you will see a log like this:

```text
property springDataSourceUrl in Azure Key Vault: <spring-data-source-url-value>
property springDataSourceUrl in Azure Key Vault: this is a test value
```


## Clean up Resources
After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing.

The terraform destroy command terminates resources managed by your Terraform project.
To destroy the resources you created.

```shell
terraform -chdir=./terraform destroy
```
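Review bot: the hunk still shows the old credential instructions next to the new `az login` flow: `## Fill the values in application.yml` / `Fill these values in application.yml: **${AZURE_TENANT_ID}**, **${AZURE_CLIENT_ID}**, **${AZURE_CLIENT_SECRET}**, **${ENDPOINT}**.` and the step 1 text that asks the reader to create a client secret. Since this PR moves the sample to DefaultAzureCredential, please confirm those lines are on the removed side, and add one sentence under `### Authenticate using the Azure CLI` stating that the sample picks up the Azure CLI login locally, so no client secret has to be written into application.yml. Smaller points in the same hunk: `## Prevision Azure Resources required to run this sample.` should read `## Provision Azure resources required to run this sample` (typo, no trailing period); `Running the command below to export environment values:` should be `Run the command below ...`, and it is worth saying that `source ./terraform/setup_env.sh` only sets `ENDPOINT` in the current shell, so `mvn clean spring-boot:run` has to be started from that same shell; `## Run locally` gives the command both in prose and in the fence, keep one; and the `## Verify this sample` block shows two log lines for the same property, only the one matching the Terraform secret value `this is a test value` should survive.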
@@ -1,11 +1,6 @@
spring:
cloud:
azure:
profile:
tenant-id: ${AZURE_TENANT_ID}
credential:
client-id: ${AZURE_CLIENT_ID}
client-secret: ${AZURE_CLIENT_SECRET}
keyvault:
secret:
property-source-enabled: true
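Review bot: removing `client-id` / `client-secret` (and `profile.tenant-id`) from application.yml is the right call: a client secret in a checked-in YAML is the usual way a credential ends up in a repository, and with DefaultAzureCredential the local Azure CLI login supplies the identity instead. Two things to confirm, because the rendered hunk (11 lines to 6) does not mark which side each line is on: only `keyvault.secret.property-source-enabled: true` plus the endpoint setting should remain, and that endpoint should be read from the `${ENDPOINT}` variable that `setup_env.sh` exports rather than a hard-coded vault URI.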
@@ -0,0 +1,92 @@
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 2.75"
}
azurecaf = {
source = "aztfmod/azurecaf"
version = "1.2.10"
}
}
}

provider "azurerm" {
features {}
}

// ===========resource_group===========
resource "azurecaf_name" "resource_group" {
name = var.application_name
resource_type = "azurerm_resource_group"
random_length = 5
clean_input = true
}

resource "azurerm_resource_group" "main" {
name = azurecaf_name.resource_group.result
location = var.location

tags = {
"terraform" = "true"
"application-name" = var.application_name
"spring-cloud-azure-sample" = var.sample_tag_value
}
}

data "azurerm_client_config" "current" {
}

// ===========azurerm_key_vault===========
resource "azurecaf_name" "kv" {
name = var.application_name
resource_type = "azurerm_resource_group"
random_length = 5
clean_input = true
}

resource "azurerm_key_vault" "kv_account" {
name = azurecaf_name.kv.result
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false

sku_name = "standard"

access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id

key_permissions = [
"Get",
"Delete",
]

secret_permissions = [
"Get",
"List",
"Set",
"Purge",
"Delete"
]

storage_permissions = [
"Get",
"Delete",
]
}

tags = {
"terraform" = "true"
"spring-cloud-azure-sample" = var.sample_tag_value
}
}

resource "azurerm_key_vault_secret" "kv" {
name = "spring-data-source-url"
value = "this is a test value"
key_vault_id = azurerm_key_vault.kv_account.id
}
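Review bot: `resource "azurecaf_name" "kv"` sets `resource_type = "azurerm_resource_group"`, copied from the resource group block above; it should be `resource_type = "azurerm_key_vault"` so azurecaf applies Key Vault's naming rules and prefix rather than the resource group's. On least privilege: the sample only reads a secret, and the principal running Terraform only needs `Get`, `List`, `Set` and `Delete` on secrets (keep `Purge` only if `terraform destroy` is expected to purge the soft-deleted secret as well as delete it); the `key_permissions` and `storage_permissions` lists and `enabled_for_disk_encryption = true` are unused here and can be dropped. `azurerm_key_vault_secret.kv` also writes `value = "this is a test value"` into the Terraform state in plaintext; the sample value is harmless, but a comment saying so (and a `.gitignore` entry for `*.tfstate`) would stop readers from reusing this pattern with a real secret. Minor: `version = ">= 2.75"` for azurerm has no upper bound while azurecaf is pinned to `1.2.10`; `~> 2.75` would keep applies reproducible.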
@@ -0,0 +1,4 @@
output "keyvault_uri" {
value = azurerm_key_vault.kv_account.vault_uri
description = "The keyvault uri."
}
@@ -0,0 +1 @@
export ENDPOINT=$(terraform -chdir=./terraform output -raw keyvault_uri)
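Review bot: `export ENDPOINT=$(terraform -chdir=./terraform output -raw keyvault_uri)` silently exports an empty string when `terraform output` fails (for example when the file is sourced from a directory other than the sample root, since `-chdir=./terraform` is relative to the current directory), and the application then starts with no endpoint. Capture the value first and stop on failure, e.g. `uri=$(terraform -chdir=./terraform output -raw keyvault_uri) || return 1` followed by `export ENDPOINT="$uri"`; because the README tells users to `source` this file, `return` rather than `exit` avoids closing their shell. A leading comment stating that the file is meant to be sourced, not executed, would also help.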
@@ -0,0 +1,17 @@
variable "application_name" {
type = string
description = "The name of your application"
default = "keyvault"
}

variable "location" {
type = string
description = "The Azure region where all resources in this example should be created"
default = "eastus"
}

variable "sample_tag_value" {
type = string
description = "The value of spring-cloud-azure-sample tag"
default = "true"
}