diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/README.md b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/README.md index c4c7f579c..69ec88ded 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/README.md +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/README.md 
@@ -1,20 +1,125 @@ +# Spring Cloud Azure Starter Key Vault Secrets Sample -# Spring Cloud Azure Starter Key Vault Secrets Sample +This sample illustrates the usage of `spring-cloud-azure-starter-keyvault-secrets`. To learn all features, please refer to [reference doc](https://microsoft.github.io/spring-cloud-azure/docs/4.0.0-beta.2/reference/html/index.html). -This sample illustrates the simplest usage of `spring-cloud-azure-starter-keyvault-secrets`. To learn all features, please refer to [reference doc](https://microsoft.github.io/spring-cloud-azure/docs/4.0.0-beta.1/reference/html/index.html). +## What You Will Build -## Create Azure resources +You will build an application that use `spring-cloud-azure-starter-keyvault-secrets` to retrieve multiple secrets from multiple [Azure Key Vault](https://azure.microsoft.com/services/key-vault/). -1. Read [document about register an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application. get the `Application (client) ID`: **${AZURE_CLIENT_ID_1}**, and create a secret, get the `Client Secret Value`: **${AZURE_CLIENT_SECRET_1}**. -2. Read [document about create key vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal), get the `Directory ID`: **${AZURE_TENANT_ID_1}** and `Vault URI` **${ENDPOINT_1}**. -3. Read [document about assign Key Vault access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal), assign `Secret Management` template to the client(or principal) we created in step 1. -4. Same to previous steps, get **${AZURE_CLIENT_ID_2}**, **${AZURE_CLIENT_SECRET_2}**, **${AZURE_TENANT_ID_2}** and **${ENDPOINT_1}**. assign `Secret Management` template to the **${AZURE_CLIENT_ID_2}. 
+## What You Need -## Fill the values in application.yml -Fill these values in application.yml: **${AZURE_TENANT_ID_1}**, **${AZURE_CLIENT_ID_1}**, **${AZURE_CLIENT_SECRET_1}**, **${ENDPOINT_1}**, **${AZURE_TENANT_ID_2}**, **${AZURE_CLIENT_ID_2}**, **${AZURE_CLIENT_SECRET_2}**, **${ENDPOINT_2}**. +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) -## Start application -Start the application, you will see a log like this: +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... 
+ +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +If you have more than one subscription, specify the subscription-id you want to use with command below: +```shell +az account set --subscription +``` + +### Provision the Resources +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +```shell +# In the root directory of the sample +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +# Type `yes` at the confirmation prompt to proceed. +terraform -chdir=./terraform apply + +``` + +It may take a few minutes to run the script. After successful running, you will see prompt information like below: + +```shell +... +azurecaf_name.azurecaf_name_kv_02: Creating... +azurecaf_name.azurecaf_name_kv_01: Creating... +azurecaf_name.resource_group: Creating... +azurecaf_name.azurecaf_name_kv_01: Creation complete after 0s ... +azurecaf_name.resource_group: Creation complete after 0s ... +azurecaf_name.azurecaf_name_kv_02: Creation complete after 0s ... +azurerm_resource_group.main: Creating... +azurerm_resource_group.main: Creation complete after 3s ... +azurerm_key_vault.kv_account_02: Creating... +azurerm_key_vault.kv_account_01: Creating... +azurerm_key_vault.kv_account_02: Still creating... +... +azurerm_key_vault_secret.kv_01: Creation complete ... +azurerm_key_vault_secret.kv_both_01: Creation complete ... +azurerm_key_vault.kv_account_02: Creation complete after ... +azurerm_key_vault_secret.kv_02_both: Creating... +azurerm_key_vault_secret.kv_02: Creating... +azurerm_key_vault_secret.kv_02_both: Creation complete ... +azurerm_key_vault_secret.kv_02: Creation complete ... 
+ +Apply complete! Resources: 10 added, 0 changed, 0 destroyed. + +Outputs: + +... + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +```shell + source ./terraform/setup_env.sh +``` + +## Run Locally +In your terminal, run `mvn clean spring-boot:run`. + +```shell +mvn clean spring-boot:run +``` + +## Verify This Sample + +Start the application, you will see logs like this: ```text secretNameInKeyVault1: secret-value-1 secretNameInKeyVault2: secret-name-in-key-vault-2-value-2 @@ -23,3 +128,12 @@ secretNameInKeyVaultBoth: secret-value-1 We can see that property-source-1 have higher priority. +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +```shell +terraform -chdir=./terraform destroy +``` diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/src/main/resources/application.yml b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/src/main/resources/application.yml index 42602d219..bc9477453 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/src/main/resources/application.yml +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/src/main/resources/application.yml 
@@ -8,16 +8,6 @@ spring: - name: key-vault-1 endpoint: ${ENDPOINT_1} - profile: - tenant-id: ${AZURE_TENANT_ID_1} - credential: - client-id: ${AZURE_CLIENT_ID_1} - client-secret: ${AZURE_CLIENT_SECRET_1} - name: key-vault-2 endpoint: ${ENDPOINT_2} - profile: - tenant-id: ${AZURE_TENANT_ID_2} - credential: - client-id: ${AZURE_CLIENT_ID_2} - client-secret: ${AZURE_CLIENT_SECRET_2} diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/main.tf b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/main.tf new file mode 100644 index 000000000..181131dc9 --- /dev/null +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/main.tf 
@@ -0,0 +1,139 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">= 2.75" + } + azurecaf = { + source = "aztfmod/azurecaf" + version = "1.2.10" + } + } +} + +provider "azurerm" { + features {} +} + +// ===========resource_group=========== +resource "azurecaf_name" "resource_group" { + name = var.application_name + resource_type = "azurerm_resource_group" + random_length = 5 + clean_input = true +} + +resource "azurerm_resource_group" "main" { + name = azurecaf_name.resource_group.result + location = var.location + + tags = { + "terraform" = "true" + "application-name" = var.application_name + "spring-cloud-azure-sample" = var.sample_tag_value + } +} + +data "azurerm_client_config" "current" { +} + +// ===========azurerm_key_vault_01=========== +resource "azurecaf_name" "azurecaf_name_kv_01" { + name = var.application_name + resource_type = "azurerm_key_vault" + random_length = 5 + clean_input = true +} + +resource "azurerm_key_vault" "kv_account_01" { + name = azurecaf_name.azurecaf_name_kv_01.result + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + enabled_for_disk_encryption = true + tenant_id = data.azurerm_client_config.current.tenant_id + soft_delete_retention_days = 7 + purge_protection_enabled = false + + sku_name = "standard" + + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + + secret_permissions = [ + "Get", + "List", + "Set", + "Purge", + "Delete" + ] + } + + tags = { + "terraform" = "true" + "spring-cloud-azure-sample" = var.sample_tag_value + } +} + +resource "azurerm_key_vault_secret" "key_vault_secret_01" { + name = "secret-name-in-key-vault-1" + value = "key_vault_secret_01: secret-name-in-key-vault-1: value" + key_vault_id = azurerm_key_vault.kv_account_01.id +} + +resource "azurerm_key_vault_secret" "key_vault_secret_common_01" { + name = 
"secret-name-in-key-vault-both" + value = "key_vault_secret_common_01: secret-name-in-key-vault-both: value" + key_vault_id = azurerm_key_vault.kv_account_01.id +} + + +// ===========azurerm_key_vault_02=========== +resource "azurecaf_name" "azurecaf_name_kv_02" { + name = var.application_name + resource_type = "azurerm_key_vault" + random_length = 5 + clean_input = true +} + +resource "azurerm_key_vault" "kv_account_02" { + name = azurecaf_name.azurecaf_name_kv_02.result + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + enabled_for_disk_encryption = true + tenant_id = data.azurerm_client_config.current.tenant_id + soft_delete_retention_days = 7 + purge_protection_enabled = false + + sku_name = "standard" + + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + + secret_permissions = [ + "Get", + "List", + "Set", + "Purge", + "Delete" + ] + } + + tags = { + "terraform" = "true" + "spring-cloud-azure-sample" = var.sample_tag_value + } +} + +resource "azurerm_key_vault_secret" "key_vault_secret_02" { + name = "secret-name-in-key-vault-2" + value = "key_vault_secret_02: secret-name-in-key-vault-2: value" + key_vault_id = azurerm_key_vault.kv_account_02.id +} + +resource "azurerm_key_vault_secret" "key_vault_secret_common_02" { + name = "secret-name-in-key-vault-both" + value = "key_vault_secret_common_02: secret-name-in-key-vault-both: value" + key_vault_id = azurerm_key_vault.kv_account_02.id +} diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/outputs.tf b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/outputs.tf new file mode 100644 index 000000000..57553a8a3 --- /dev/null +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/outputs.tf 
@@ -0,0 +1,9 @@ +output "KEYVAULT_URI_01" { + value = azurerm_key_vault.kv_account_01.vault_uri + description = "The key vault uri 01." +} + +output "KEYVAULT_URI_02" { + value = azurerm_key_vault.kv_account_02.vault_uri + description = "The key vault uri 02." +} diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/setup_env.sh b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/setup_env.sh new file mode 100644 index 000000000..3c34bb7c2 --- /dev/null +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/setup_env.sh @@ -0,0 +1,2 @@ +export ENDPOINT_1=$(terraform -chdir=./terraform output -raw KEYVAULT_URI_01) +export ENDPOINT_2=$(terraform -chdir=./terraform output -raw KEYVAULT_URI_02) \ No newline at end of file diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/variables.tf b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/variables.tf new file mode 100644 index 000000000..b0c2c829e --- /dev/null +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source/terraform/variables.tf @@ -0,0 +1,17 @@ +variable "application_name" { + type = string + description = "The name of your application." + default = "mul-keyvault" +} + +variable "location" { + type = string + description = "The Azure region where all resources in this example should be created." + default = "eastus" +} + +variable "sample_tag_value" { + type = string + description = "The value of spring-cloud-azure-sample tag." + default = "true" +} diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/README.md b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/README.md index d865e4680..0a917c463 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/README.md 
+++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/README.md @@ -18,10 +18,6 @@ You will build an application that use `spring-cloud-azure-starter-keyvault-secr - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) ## Provision Azure Resources Required to Run This Sample -This sample will create Azure resources using Terraform. If you choose to run it without using Terraform to provision resources, please pay attention to: -> [!IMPORTANT] -> If you choose to use a security principal to authenticate and authorize with Azure Active Directory for accessing an Azure resource -> please refer to [Authorize access with Azure AD](https://microsoft.github.io/spring-cloud-azure/docs/current/reference/html/index.html#authorize-access-with-azure-active-directory) to make sure the security principal has been granted the sufficient permission to access the Azure resource. ### Authenticate Using the Azure CLI Terraform must authenticate to Azure to create infrastructure. @@ -75,11 +71,10 @@ terraform -chdir=./terraform apply ``` - It may take a few minutes to run the script. After successful running, you will see prompt information like below: ```shell - +... azurecaf_name.kv: Creating... azurecaf_name.resource_group: Creating... azurecaf_name.resource_group: Creation complete after ... @@ -98,8 +93,6 @@ Apply complete! Resources: 5 added, 0 changed, 0 destroyed. Outputs: ... - - ``` You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. @@ -115,7 +108,6 @@ Running the command below to export environment values: In your terminal, run `mvn clean spring-boot:run`. - ```shell mvn clean spring-boot:run ``` 
@@ -128,7 +120,6 @@ Start the application, you will see a log like this: property springDataSourceUrl in Azure Key Vault: this is a test value ``` - ## Clean Up Resources After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/main.tf b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/main.tf index dfb8bd48f..0ab46f850 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/main.tf +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/main.tf @@ -40,7 +40,7 @@ data "azurerm_client_config" "current" { // ===========azurerm_key_vault=========== resource "azurecaf_name" "kv" { name = var.application_name - resource_type = "azurerm_resource_group" + resource_type = "azurerm_key_vault" random_length = 5 clean_input = true } @@ -60,11 +60,6 @@ resource "azurerm_key_vault" "kv_account" { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azurerm_client_config.current.object_id - key_permissions = [ - "Get", - "Delete", - ] - secret_permissions = [ "Get", "List", @@ -72,11 +67,6 @@ resource "azurerm_key_vault" "kv_account" { "Purge", "Delete" ] - - storage_permissions = [ - "Get", - "Delete", - ] } tags = { diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/outputs.tf b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/outputs.tf index f59d1ed43..3010f283e 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/outputs.tf +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/outputs.tf 
@@ -1,4 +1,4 @@ -output "keyvault_uri" { +output "KEYVAULT_URI" { value = azurerm_key_vault.kv_account.vault_uri description = "The key vault uri." } diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/setup_env.sh b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/setup_env.sh index d79c6eb78..6100b2736 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/setup_env.sh +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/setup_env.sh @@ -1 +1 @@ -export ENDPOINT=$(terraform -chdir=./terraform output -raw keyvault_uri) \ No newline at end of file +export ENDPOINT=$(terraform -chdir=./terraform output -raw KEYVAULT_URI) \ No newline at end of file diff --git a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/variables.tf b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/variables.tf index ac40a08c8..6fe3d961b 100644 --- a/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/variables.tf +++ b/keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source/terraform/variables.tf @@ -1,17 +1,17 @@ variable "application_name" { type = string - description = "The name of your application" + description = "The name of your application." default = "keyvault" } variable "location" { type = string - description = "The Azure region where all resources in this example should be created" + description = "The Azure region where all resources in this example should be created." default = "eastus" } variable "sample_tag_value" { type = string - description = "The value of spring-cloud-azure-sample tag" + description = "The value of spring-cloud-azure-sample tag." default = "true" }
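Review bot: In the multiple-property-source README hunk `@@ -1,20 +1,125 @@`, the `az account set --subscription` command is missing its argument; since the preceding sentence tells the reader to "specify the subscription-id you want to use", the line should read `az account set --subscription <subscription-id>`. In the same hunk the sample `terraform apply` output lists resources named `azurerm_key_vault_secret.kv_01`, `kv_both_01`, `kv_02_both` and `kv_02`, but the new `terraform/main.tf` names them `key_vault_secret_01`, `key_vault_secret_common_01`, `key_vault_secret_02` and `key_vault_secret_common_02`; regenerate the excerpt from an actual run so it matches. With the `profile`/`credential` blocks removed from `application.yml`, the README also no longer says which identity the application authenticates as; add a sentence stating that the starter falls back to its default credential chain (which picks up the `az login` session when run locally) and that the Terraform `access_policy` is granted to that same identity via `data.azurerm_client_config.current.object_id`. Minor wording: "an application that use ... from multiple Azure Key Vault" should be "uses ... Key Vaults", "setup your account permissions" should be "set up", and "After login Azure CLI with your account" should be "After logging in with the Azure CLI".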
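Review bot: In the `@@ -23,3 +128,12 @@` hunk of the multiple-property-source README, the "Verify This Sample" block is now stale: the unchanged context still promises `secretNameInKeyVault1: secret-value-1`, `secretNameInKeyVault2: secret-name-in-key-vault-2-value-2` and `secretNameInKeyVaultBoth: secret-value-1`, while `terraform/main.tf` provisions the values `key_vault_secret_01: secret-name-in-key-vault-1: value`, `key_vault_secret_02: secret-name-in-key-vault-2: value` and `key_vault_secret_common_01: secret-name-in-key-vault-both: value` (and `key_vault_secret_common_02: ...` in the second vault). Update the expected log to the provisioned values; the precedence point survives unchanged, since `key-vault-1` is listed first in `application.yml` and `secretNameInKeyVaultBoth` should therefore show the `key_vault_secret_common_01` value. Grammar in the same context: "property-source-1 have higher priority" should be "has higher priority". In the added "Clean Up Resources" section, "if you don't want to run the sample" reads oddly after "After running the sample"; "once you no longer need it" is clearer, `terraform destroy` should be in backticks like the other commands, and "To destroy the resources you created." is a sentence fragment that should be folded into the previous line.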
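Review bot: In the `application.yml` hunk `@@ -8,16 +8,6 @@`, dropping the two `profile`/`credential` blocks removes `client-secret` values from configuration, which is the right direction, but it also silently narrows what the sample demonstrates: both property sources now authenticate as the same default identity instead of one service principal per vault, and nothing in the file says so. Add a short comment above the `- name: key-vault-1` entry noting that per-source `profile` and `credential` settings are still supported, and that without them the starter uses its default credential chain, so the `access_policy` blocks in `terraform/main.tf` (granted to `data.azurerm_client_config.current.object_id`) are what make the lookup succeed.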
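Review bot: In the new `multiple-property-source/terraform/main.tf`, the `azurerm` provider is constrained only with `version = ">= 2.75"` while `azurecaf` is pinned to `1.2.10`; an open upper bound means a future major release of `azurerm` can break `terraform init` for this sample, so prefer a pessimistic constraint such as `~> 2.75`. `enabled_for_disk_encryption = true` on both vaults is unrelated to a secrets sample and enables a capability the sample never uses; drop it unless it is needed. The `kv_account_01`/`kv_account_02` vault blocks, their `azurecaf_name` resources and their secrets are copy-pasted; a `for_each` over a small map would halve the file and keep the two `access_policy` blocks from drifting apart. The `purge_protection_enabled = false` / `soft_delete_retention_days = 7` pairing is appropriate here because `terraform destroy` must be able to purge the vaults, but a comment saying this is chosen for sample teardown would stop the setting being copied into production configurations unexamined.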
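Review bot: The new `multiple-property-source/terraform/setup_env.sh` only works when sourced from the sample root, because `terraform -chdir=./terraform output` resolves the path relative to the caller's working directory; add a leading comment such as `# source this file from the sample root directory` (the README's `source ./terraform/setup_env.sh` does that, but the script itself gives no hint), and add a trailing newline so the `\ No newline at end of file` marker goes away. Since the file is meant to be sourced, keep `set -e` and `exit` out of it, as either would affect the user's interactive shell.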
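Review bot: In the single-property-source README hunk `@@ -18,10 +18,6 @@`, deleting the `[!IMPORTANT]` callout drops the only pointer, for readers who provision resources without Terraform, to the "Authorize access with Azure AD" documentation on granting the security principal permission on the vault; it documents the permission grant that the Terraform `access_policy` block otherwise performs for the user. If the intent is to make the README Terraform-only, say so in one sentence; otherwise keep the callout.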
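Review bot: The `resource_type = "azurerm_key_vault"` fix in `single-property-source/terraform/main.tf` (`@@ -40,7 +40,7 @@`) is correct, since the `azurecaf_name` for the vault was being generated with the resource-group naming convention, but it changes the computed vault name: anyone holding state from the previous version will see `terraform apply` plan a replacement of `azurerm_key_vault.kv_account` and its secret rather than an in-place update. Worth one line in the PR description so that is not a surprise.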
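Review bot: Removing `key_permissions` and `storage_permissions` from the `access_policy` in the `@@ -60,11 +60,6 @@` and `@@ -72,11 +67,6 @@` hunks of `single-property-source/terraform/main.tf` is a good least-privilege trim, since the sample only reads secrets. The remaining `secret_permissions` (`Get`, `List`, `Set`, `Purge`, `Delete`) are all still needed by Terraform itself to create the secret and to purge it on destroy, so nothing further should be dropped; a one-line comment on the policy explaining why `Set`, `Purge` and `Delete` are present would preempt the next reviewer asking.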
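Review bot: In `single-property-source/terraform/setup_env.sh` the rewritten line still ends with `\ No newline at end of file`; since the file is touched anyway, add the trailing newline. Renaming the output from `keyvault_uri` to `KEYVAULT_URI` in `outputs.tf` is only safe because this script is the sole consumer and is updated in the same change; if the lowercase name was ever documented elsewhere, that reference needs the same update.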