Refactor with terrafrom and defaultCredential for keyvault sample #126
Merged: backwind1233 merged 9 commits into Azure-Samples:spring-cloud-azure_4.0 from backwind1233:terraform_keyvault_aad on Dec 24, 2021.
Commits (the diff below shows changes from 6 of the 9 commits):
- 22590c6 add terraform for keyvault (backwind1233)
- 934da11 Merge branch 'spring-cloud-azure_4.0' into terraform_keyvault_aad (backwind1233)
- 36454bf add README.md (backwind1233)
- be785b8 update readme for keyvault (backwind1233)
- 0eb6060 update README.md (backwind1233)
- c4c3d53 update aztfmod/azurecaf from 1.2.6 to 1.2.10 (backwind1233)
- 3969a32 fix comments (backwind1233)
- 40be09f fix doc (backwind1233)
- eaf0d66 update '## What You Need' (backwind1233)
134 changes: 124 additions & 10 deletions
...lt/spring-cloud-azure-starter-keyvault-secrets/single-property-source/README.md
@@ -1,21 +1,135 @@ | ||
# Using Key Vault Secrets With Spring Cloud Azure Key Vault Secrets Starter | ||
|
||
# Spring Cloud Azure Starter Key Vault Secrets Sample | ||
This sample illustrates the simplest usage of `spring-cloud-azure-starter-keyvault-secrets`. | ||
To learn all features, please refer to [reference doc](https://microsoft.github.io/spring-cloud-azure/docs/current/reference/html/index.html#secret-management). | ||
|
||
This sample illustrates the simplest usage of `spring-cloud-azure-starter-keyvault-secrets`. To learn all features, please refer to [reference doc](https://microsoft.github.io/spring-cloud-azure/docs/4.0.0-beta.1/reference/html/index.html). | ||
## What You Will build | ||
|
||
## Create Azure resources | ||
You will build an application that use `spring-cloud-azure-starter-keyvault-secrets` to retrieve secrets from [Azure Key Vault](https://azure.microsoft.com/services/key-vault/). | ||
|
||
1. Read [document about register an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application. get the `Application (client) ID`: **${AZURE_CLIENT_ID}**, and create a secret, get the `Client Secret Value`: **${AZURE_CLIENT_SECRET}**. | ||
2. Read [document about create key vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal), get the `Directory ID`: **${AZURE_TENANT_ID}** and `Vault URI` **${ENDPOINT}**. | ||
3. Read [document about assign Key Vault access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal), assign `Secret Management` template to the client(or principal) we created in step 1. | ||
## What You Need | ||
|
||
## Fill the values in application.yml | ||
Fill these values in application.yml: **${AZURE_TENANT_ID}**, **${AZURE_CLIENT_ID}**, **${AZURE_CLIENT_SECRET}**, **${ENDPOINT}**. | ||
- [An Azure subscription](https://azure.microsoft.com/free/) | ||
- [Terraform](https://www.terraform.io/) | ||
- [IntelliJ IDEA](https://www.jetbrains.com/idea/download/#section=mac) | ||
|
||
- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) | ||
- JDK8 | ||
- Maven | ||
|
||
## Prevision Azure Resources required to run this sample. | ||
|
||
|
||
### Authenticate using the Azure CLI | ||
Terraform must authenticate to Azure to create infrastructure. | ||
|
||
In your terminal, use the Azure CLI tool to setup your account permissions locally. | ||
|
||
```shell | ||
az login | ||
``` | ||
|
||
Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. | ||
|
||
```shell | ||
You have logged in. Now let us find all the subscriptions to which you have access... | ||
|
||
[ | ||
{ | ||
"cloudName": "AzureCloud", | ||
"homeTenantId": "home-Tenant-Id", | ||
"id": "subscription-id", | ||
"isDefault": true, | ||
"managedByTenants": [], | ||
"name": "Subscription-Name", | ||
"state": "Enabled", | ||
"tenantId": "0envbwi39-TenantId", | ||
"user": { | ||
"name": "[email protected]", | ||
"type": "user" | ||
} | ||
} | ||
] | ||
``` | ||
|
||
If you have more than one subscription, specify the subscription-id you want to use with command below: | ||
```shell | ||
az account set --subscription <your-subscription-id> | ||
``` | ||
|
||
### Provision the Resources | ||
|
||
After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. | ||
|
||
```shell | ||
# In the root directory of the sample | ||
# Initialize your Terraform configuration | ||
terraform -chdir=./terraform init | ||
|
||
# Apply your Terraform Configuration | ||
# Type `yes` at the confirmation prompt to proceed. | ||
terraform -chdir=./terraform apply | ||
|
||
``` | ||
|
||
|
||
It may take a few minutes to run the script. After successful running, you will see prompt information like below: | ||
|
||
```shell | ||
|
||
azurecaf_name.kv: Creating... | ||
azurecaf_name.resource_group: Creating... | ||
azurecaf_name.resource_group: Creation complete after ... | ||
azurecaf_name.kv: Creation complete after 0s ... | ||
azurerm_resource_group.main: Creating... | ||
azurerm_resource_group.main: Creation complete after 4s ... | ||
azurerm_key_vault.kv_account: Creating... | ||
azurerm_key_vault.kv_account: Still creating... | ||
... | ||
azurerm_key_vault.kv_account: Creation complete after 2m36s ... | ||
azurerm_key_vault_secret.kv: Creating... | ||
azurerm_key_vault_secret.kv: Creation complete after 8s ... | ||
|
||
Apply complete! Resources: 5 added, 0 changed, 0 destroyed. | ||
|
||
Outputs: | ||
|
||
... | ||
|
||
|
||
``` | ||
|
||
You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. | ||
|
||
### Export output to your local Environment | ||
Running the command below to export environment values: | ||
|
||
```shell | ||
source ./terraform/setup_env.sh | ||
``` | ||
|
||
## Run locally | ||
|
||
|
||
In your terminal, run `mvn clean spring-boot:run`. | ||
|
||
|
||
```shell | ||
mvn clean spring-boot:run | ||
``` | ||
|
||
## Verify this sample | ||
|
||
## Start application | ||
Start the application, you will see a log like this: | ||
|
||
```text | ||
property springDataSourceUrl in Azure Key Vault: <spring-data-source-url-value> | ||
property springDataSourceUrl in Azure Key Vault: this is a test value | ||
``` | ||
|
||
|
||
## Clean up Resources | ||
After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. | ||
|
||
The terraform destroy command terminates resources managed by your Terraform project. | ||
To destroy the resources you created. | ||
|
||
```shell | ||
terraform -chdir=./terraform destroy | ||
``` |
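Review bot: the hunk drops the "Fill the values in application.yml" section with its `${AZURE_TENANT_ID}`, `${AZURE_CLIENT_ID}` and `${AZURE_CLIENT_SECRET}` steps, but the new text never says how the application now authenticates to Key Vault when only `ENDPOINT` is exported; since the PR title names defaultCredential and main.tf grants the access policy to the `az login` principal (`data.azurerm_client_config.current.object_id`), add one sentence under "Run locally" stating that the sample reuses the Azure CLI login and that the same identity must hold the access policy, otherwise a reader who logs in with a different account gets a 403 with no hint why. Smaller points: the heading "Prevision Azure Resources required to run this sample." should read "Provision Azure Resources required to run this sample" (typo, and headings carry no trailing period); "Run locally" states `mvn clean spring-boot:run` in prose and then repeats it in a fenced block, keep one; "Start application" is at the same `##` level as "Verify this sample" although it reads as its subsection; the `az login` output is JSON inside a ```shell fence, so ```json or ```text fits better; and in "Clean up Resources" the fragment "To destroy the resources you created." should be joined to the command, e.g. "To destroy the resources you created, run:".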
5 changes: 0 additions & 5 deletions
...-azure-starter-keyvault-secrets/single-property-source/src/main/resources/application.yml
92 changes: 92 additions & 0 deletions
...ault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/main.tf
@@ -0,0 +1,92 @@ | ||
terraform { | ||
required_providers { | ||
azurerm = { | ||
source = "hashicorp/azurerm" | ||
version = ">= 2.75" | ||
} | ||
azurecaf = { | ||
source = "aztfmod/azurecaf" | ||
version = "1.2.10" | ||
} | ||
} | ||
} | ||
|
||
provider "azurerm" { | ||
features {} | ||
} | ||
|
||
// ===========resource_group=========== | ||
resource "azurecaf_name" "resource_group" { | ||
name = var.application_name | ||
resource_type = "azurerm_resource_group" | ||
random_length = 5 | ||
clean_input = true | ||
} | ||
|
||
resource "azurerm_resource_group" "main" { | ||
name = azurecaf_name.resource_group.result | ||
location = var.location | ||
|
||
tags = { | ||
"terraform" = "true" | ||
"application-name" = var.application_name | ||
"spring-cloud-azure-sample" = var.sample_tag_value | ||
} | ||
} | ||
|
||
data "azurerm_client_config" "current" { | ||
} | ||
|
||
// ===========azurerm_key_vault=========== | ||
resource "azurecaf_name" "kv" { | ||
name = var.application_name | ||
resource_type = "azurerm_resource_group" | ||
random_length = 5 | ||
clean_input = true | ||
} | ||
|
||
resource "azurerm_key_vault" "kv_account" { | ||
name = azurecaf_name.kv.result | ||
location = azurerm_resource_group.main.location | ||
resource_group_name = azurerm_resource_group.main.name | ||
enabled_for_disk_encryption = true | ||
tenant_id = data.azurerm_client_config.current.tenant_id | ||
soft_delete_retention_days = 7 | ||
purge_protection_enabled = false | ||
|
||
sku_name = "standard" | ||
|
||
access_policy { | ||
tenant_id = data.azurerm_client_config.current.tenant_id | ||
object_id = data.azurerm_client_config.current.object_id | ||
|
||
key_permissions = [ | ||
"Get", | ||
"Delete", | ||
] | ||
|
||
secret_permissions = [ | ||
"Get", | ||
"List", | ||
"Set", | ||
"Purge", | ||
"Delete" | ||
] | ||
|
||
storage_permissions = [ | ||
"Get", | ||
"Delete", | ||
] | ||
} | ||
|
||
tags = { | ||
"terraform" = "true" | ||
"spring-cloud-azure-sample" = var.sample_tag_value | ||
} | ||
} | ||
|
||
resource "azurerm_key_vault_secret" "kv" { | ||
name = "spring-data-source-url" | ||
value = "this is a test value" | ||
key_vault_id = azurerm_key_vault.kv_account.id | ||
} |
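Review bot: `resource "azurecaf_name" "kv"` sets `resource_type = "azurerm_resource_group"`, so the Key Vault name is generated and validated as a resource-group name (resource-group slug and length rules) instead of a Key Vault name; change it to `resource_type = "azurerm_key_vault"` so azurecaf applies the vault constraints (3 to 24 characters, alphanumerics and hyphens, globally unique), otherwise `azurerm_key_vault.kv_account` can fail at apply time with a name that azurecaf accepted. On the `access_policy` block: `key_permissions` and `storage_permissions` are not used by anything in this file or by a secrets-only sample, so drop them and keep just `secret_permissions` (Get and List for the application, Set, Delete and Purge for Terraform's own create and destroy of `azurerm_key_vault_secret.kv`, Purge being needed because the provider purges soft-deleted secrets on destroy by default); `enabled_for_disk_encryption = true` is likewise unneeded here. One caveat worth a comment next to `value = "this is a test value"`: the secret value is written in plaintext to the Terraform state file, which is fine for this test value but readers copy the pattern, so say that real secrets should not be inlined in `.tf` files and that `terraform.tfstate` must not be committed.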
4 changes: 4 additions & 0 deletions
...t/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/outputs.tf
@@ -0,0 +1,4 @@ | ||
output "keyvault_uri" { | ||
value = azurerm_key_vault.kv_account.vault_uri | ||
description = "The keyvault uri." | ||
|
||
} |
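Review bot: nothing blocking; the output exposes only the vault URI, which is not a secret, so no `sensitive = true` is needed. Style: `description = "The keyvault uri."` would read better as "The Key Vault URI" to match the product name and the `keyvault_uri` output that setup_env.sh consumes.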
1 change: 1 addition & 0 deletions
...spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/setup_env.sh
@@ -0,0 +1 @@ | ||
export ENDPOINT=$(terraform -chdir=./terraform output -raw keyvault_uri) |
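Review bot: `-chdir=./terraform` is resolved against the caller's working directory, not the script's location, so `source ./terraform/setup_env.sh` only works when run from the sample root as the README assumes; either document that or resolve the directory from the script's own path. Also, when `terraform output` fails (no state yet, wrong directory), the command substitution yields an empty string and `ENDPOINT` is exported empty with no error, and because the script is sourced a `set -e` would affect the caller's shell; check the value instead, e.g. `[ -n "$ENDPOINT" ] || echo "ENDPOINT is empty; run terraform apply first" >&2`.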
17 changes: 17 additions & 0 deletions
...spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/variables.tf
@@ -0,0 +1,17 @@ | ||
variable "application_name" { | ||
type = string | ||
description = "The name of your application" | ||
default = "keyvault" | ||
} | ||
|
||
variable "location" { | ||
type = string | ||
description = "The Azure region where all resources in this example should be created" | ||
default = "eastus" | ||
} | ||
|
||
variable "sample_tag_value" { | ||
type = string | ||
description = "The value of spring-cloud-azure-sample tag" | ||
default = "true" | ||
} |
Using this symbolic link, current, will make it possible to be broken in the future. But it seems like we don't have a better choice now.