
Consolidate keyvault writes, and fix error about null #2266

merged 1 commit into from
Jan 6, 2022
164 changes: 97 additions & 67 deletions e2e/test/prerequisites/E2ETestsSetup/e2eTestsSetup.ps1
Expand Up @@ -144,10 +144,9 @@ $certificateHashAlgorithm = "SHA256"

if ($GenerateResourcesForDevOpsPipeline)
{
$iothubUnitsToBeCreated = 3;
$iothubUnitsToBeCreated = 5;
}


#################################################################################################
# Get Function App contents to pass to deployment
#################################################################################################
Expand Down Expand Up @@ -208,6 +207,7 @@ $groupCertChainPath = "$PSScriptRoot/GroupCertChain.p7b";
############################################################################################################################
# Cleanup old certs and files that can cause a conflict
############################################################################################################################

CleanUp-Certs

# Generate self signed Root and Intermediate CA cert, expiring in 2 years
Expand Down Expand Up @@ -434,16 +434,21 @@ $instrumentationKey = az deployment group show -g $ResourceGroup -n $deploymentN
$iotHubName = az deployment group show -g $ResourceGroup -n $deploymentName --query 'properties.outputs.hubName.value' --output tsv

#################################################################################################################################################
# Configure an AAD app and create self signed certs and get the bytes to generate more content info.
# Configure an AAD app to authenticate Log Analytics Workspace, if specified
#################################################################################################################################################
Write-Host "`nCreating app registration $logAnalyticsAppRegnName"
$logAnalyticsAppRegUrl = "http://$logAnalyticsAppRegnName"
$logAnalyticsAppId = az ad sp create-for-rbac -n $logAnalyticsAppRegUrl --role "Reader" --scope $resourceGroupId --query "appId" --output tsv
Write-Host "`nCreated application $logAnalyticsAppRegnName with Id $logAnalyticsAppId."

if ($EnableIotHubSecuritySolution)
{
Write-Host "`nCreating app registration $logAnalyticsAppRegnName"
$logAnalyticsAppRegUrl = "http://$logAnalyticsAppRegnName"
$logAnalyticsAppId = az ad sp create-for-rbac -n $logAnalyticsAppRegUrl --role "Reader" --scope $resourceGroupId --query "appId" --output tsv
Write-Host "`nCreated application $logAnalyticsAppRegnName with Id $logAnalyticsAppId."
}

#################################################################################################################################################
# Configure an AAD app to perform IoT hub data actions.
#################################################################################################################################################

Write-Host "`nCreating app registration $iotHubAadTestAppRegName for IoT hub data actions"
$iotHubAadTestAppRegUrl = "http://$iotHubAadTestAppRegName"
$iotHubDataContributorRoleId = "4fc6c259987e4a07842ec321cc9d413f"
Expand All @@ -456,6 +461,7 @@ Write-Host "`nCreated application $iotHubAadTestAppRegName with Id $iotHubAadTes
#################################################################################################################################################
# Add role assignement for User assinged managed identity to be able to perform import and export jobs on the IoT hub.
#################################################################################################################################################

Write-Host "`nGranting the user assigned managed identity $managedIdentityName Storage Blob Data Contributor permissions on resource group: $ResourceGroup."
$msiPrincipalId = az identity show -n $managedIdentityName -g $ResourceGroup --query principalId --output tsv
$msiResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$managedIdentityName"
Expand All @@ -464,6 +470,7 @@ az role assignment create --assignee $msiPrincipalId --role 'Storage Blob Data C
##################################################################################################################################
# Granting the IoT hub system identity storage blob contributor access on the resoruce group
##################################################################################################################################

Write-Host "`nGranting the system identity on the hub $iotHubName Storage Blob Data Contributor permissions on resource group: $ResourceGroup."
$systemIdentityPrincipal = az resource list -n $iotHubName --query [0].identity.principalId --out tsv
az role assignment create --assignee $systemIdentityPrincipal --role "Storage Blob Data Contributor" --scope $resourceGroupId --output none
Expand Down Expand Up @@ -505,6 +512,7 @@ if ($isVerified -eq 'false')
##################################################################################################################################
# Fetch the iothubowner policy details
##################################################################################################################################

$iothubownerSasPolicy = "iothubowner"
$iothubownerSasPrimaryKey = az iot hub policy show --hub-name $iotHubName --name $iothubownerSasPolicy --query 'primaryKey'

Expand All @@ -523,6 +531,7 @@ if (-not $iotHubCertChainDevice)
##################################################################################################################################
# Create the IoT devices and modules that are used by the .NET samples
##################################################################################################################################

$iotHubSasBasedDeviceId = "DoNotDeleteDevice1"
$iotHubSasBasedDevice = az iot hub device-identity list -g $ResourceGroup --hub-name $iotHubName --query "[?deviceId=='$iotHubSasBasedDeviceId'].deviceId" --output tsv

Expand Down Expand Up @@ -642,9 +651,12 @@ az iot dps enrollment create `
--certificate-path $individualDeviceCertPath `
--output none

Write-Host "`nCreating a self-signed certificate and placing it in $ResourceGroup."
az ad app credential reset --id $logAnalyticsAppId --create-cert --keyvault $keyVaultName --cert $ResourceGroup --output none
Write-Host "`nSuccessfully created a self signed certificate for your application $logAnalyticsAppRegnName in $keyVaultName key vault with cert name $ResourceGroup."
if ($EnableIotHubSecuritySolution)
{
Write-Host "`nCreating a self-signed certificate and placing it in $ResourceGroup."
az ad app credential reset --id $logAnalyticsAppId --create-cert --keyvault $keyVaultName --cert $ResourceGroup --output none
Write-Host "`nSuccessfully created a self signed certificate for your application $logAnalyticsAppRegnName in $keyVaultName key vault with cert name $ResourceGroup."
}

Write-Host "`nFetching the certificate binary."
$selfSignedCerts = "$PSScriptRoot\selfSignedCerts"
Expand All @@ -664,68 +676,84 @@ Remove-Item -r $selfSignedCerts
# Store all secrets in a KeyVault - Values will be pulled down from here to configure environment variables
###################################################################################################################################

Write-Host "`nWriting secrets to KeyVault $keyVaultName."
az keyvault set-policy -g $ResourceGroup --name $keyVaultName --object-id $userObjectId --secret-permissions delete get list set --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-CONNECTION-STRING" --value $iotHubConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-PFX-X509-THUMBPRINT" --value $iotHubThumbprint --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-PROXY-SERVER-ADDRESS" --value $proxyServerAddress --output none
az keyvault secret set --vault-name $keyVaultName --name "FAR-AWAY-IOTHUB-HOSTNAME" --value $farHubHostName --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-IDSCOPE" --value $dpsIdScope --output none
az keyvault secret set --vault-name $keyVaultName --name "PROVISIONING-CONNECTION-STRING" --value $dpsConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "CUSTOM-ALLOCATION-POLICY-WEBHOOK" --value $customAllocationPolicyWebhook --output none

$dpsEndpoint = "global.azure-devices-provisioning.net"
if ($Region.EndsWith('euap', 'CurrentCultureIgnoreCase'))
{
$dpsEndpoint = "global-canary.azure-devices-provisioning.net"
}
az keyvault secret set --vault-name $keyVaultName --name "DPS-GLOBALDEVICEENDPOINT" --value $dpsEndpoint --output none

az keyvault secret set --vault-name $keyVaultName --name "DPS-X509-PFX-CERTIFICATE-PASSWORD" --value $dpsX509PfxCertificatePassword --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-X509-PFX-CERTIFICATE" --value $iothubX509PfxCertificate --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-INDIVIDUALX509-PFX-CERTIFICATE" --value $dpsIndividualX509PfxCertificate --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-GROUPX509-PFX-CERTIFICATE" --value $dpsGroupX509PfxCertificate --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-GROUPX509-CERTIFICATE-CHAIN" --value $dpsGroupX509CertificateChain --output none
az keyvault secret set --vault-name $keyVaultName --name "STORAGE-ACCOUNT-CONNECTION-STRING" --value $storageAccountConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "LA-WORKSPACE-ID" --value $workspaceId --output none
az keyvault secret set --vault-name $keyVaultName --name "MSFT-TENANT-ID" --value "72f988bf-86f1-41af-91ab-2d7cd011db47" --output none
az keyvault secret set --vault-name $keyVaultName --name "LA-AAD-APP-ID" --value $logAnalyticsAppId --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-CLIENT-ID" --value $iotHubAadTestAppId --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-CLIENT-SECRET" --value $iotHubAadTestAppPassword --output none
az keyvault secret set --vault-name $keyVaultName --name "LA-AAD-APP-CERT-BASE64" --value $fileContentB64String --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-GLOBALDEVICEENDPOINT-INVALIDCERT" --value "invalidcertgde1.westus.cloudapp.azure.com" --output none
az keyvault secret set --vault-name $keyVaultName --name "PIPELINE-ENVIRONMENT" --value "prod" --output none
az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-DEVICE-PFX-CERTIFICATE" --value $iothubX509ChainDevicePfxCertificate --output none
az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-ROOT-CA-CERTIFICATE" --value $iothubX509RootCACertificate --output none
az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-INTERMEDIATE1-CERTIFICATE" --value $iothubX509Intermediate1Certificate --output none
az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-INTERMEDIATE2-CERTIFICATE" --value $iothubX509Intermediate2Certificate --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-X509-CHAIN-DEVICE-NAME" --value $iotHubCertChainDeviceCommonName --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-USER-ASSIGNED-MSI-RESOURCE-ID" --value $msiResourceId --output none

# These environment variables are only used in Java
az keyvault secret set --vault-name $keyVaultName --name "IOT-DPS-CONNECTION-STRING" --value $dpsConnectionString --output none # DPS Connection string Environment variable for Java
az keyvault secret set --vault-name $keyVaultName --name "IOT-DPS-ID-SCOPE" --value $dpsIdScope --output none # DPS ID Scope Environment variable for Java
az keyvault secret set --vault-name $keyVaultName --name "FAR-AWAY-IOTHUB-CONNECTION-STRING" --value $farHubConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "IS-BASIC-TIER-HUB" --value "false" --output none

<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="fake shared access token")]#>
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-DEVICE-CONN-STRING-INVALIDCERT" --value "HostName=invalidcertiothub1.westus.cloudapp.azure.com;DeviceId=DoNotDelete1;SharedAccessKey=zWmeTGWmjcgDG1dpuSCVjc5ZY4TqVnKso5+g1wt/K3E=" --output none
<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="fake shared access token")]#>
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-CONN-STRING-INVALIDCERT" --value "HostName=invalidcertiothub1.westus.cloudapp.azure.com;SharedAccessKeyName=iothubowner;SharedAccessKey=Fk1H0asPeeAwlRkUMTybJasksTYTd13cgI7SsteB05U=" --output none
<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="fake shared access token")]#>
az keyvault secret set --vault-name $keyVaultName --name "PROVISIONING-CONNECTION-STRING-INVALIDCERT" --value "HostName=invalidcertdps1.westus.cloudapp.azure.com;SharedAccessKeyName=provisioningserviceowner;SharedAccessKey=lGO7OlXNhXlFyYV1rh9F/lUCQC1Owuh5f/1P0I1AFSY=" --output none

az keyvault secret set --vault-name $keyVaultName --name "E2E-IKEY" --value $instrumentationKey --output none

# These environment variables are used by .NET samples
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-DEVICE-CONN-STRING" --value $iotHubSasBasedDeviceConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-MODULE-CONN-STRING" --value $iotHubSasBasedModuleConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "PNP-TC-DEVICE-CONN-STRING" --value $temperatureControllerSampleDeviceConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "PNP-THERMOSTAT-DEVICE-CONN-STRING" --value $thermostatSampleDeviceConnectionString --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-SAS-KEY" --value $iothubownerSasPrimaryKey --output none
az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-SAS-KEY-NAME" --value $iothubownerSasPolicy --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-SYMMETRIC-KEY-INDIVIDUAL-ENROLLMENT-REGISTRATION-ID" --value $symmetricKeySampleEnrollmentRegistrationId --output none
az keyvault secret set --vault-name $keyVaultName --name "DPS-SYMMETRIC-KEY-INDIVIDUAL-ENROLLEMNT-PRIMARY-KEY" --value $symmetricKeySampleEnrollmentPrimaryKey --output none

$keyvaultKvps = @{
"IOTHUB-CONNECTION-STRING" = $iotHubConnectionString;
"IOTHUB-PFX-X509-THUMBPRINT" = $iotHubThumbprint;
"IOTHUB-PROXY-SERVER-ADDRESS" = $proxyServerAddress;
"FAR-AWAY-IOTHUB-HOSTNAME" = $farHubHostName;
"DPS-IDSCOPE" = $dpsIdScope;
"PROVISIONING-CONNECTION-STRING" = $dpsConnectionString;
"CUSTOM-ALLOCATION-POLICY-WEBHOOK" = $customAllocationPolicyWebhook;
"DPS-GLOBALDEVICEENDPOINT" = $dpsEndpoint;
"DPS-X509-PFX-CERTIFICATE-PASSWORD" = $dpsX509PfxCertificatePassword;
"IOTHUB-X509-PFX-CERTIFICATE" = $iothubX509PfxCertificate;
"DPS-INDIVIDUALX509-PFX-CERTIFICATE" = $dpsIndividualX509PfxCertificate;
"DPS-GROUPX509-PFX-CERTIFICATE" = $dpsGroupX509PfxCertificate;
"DPS-GROUPX509-CERTIFICATE-CHAIN" = $dpsGroupX509CertificateChain;
"STORAGE-ACCOUNT-CONNECTION-STRING" = $storageAccountConnectionString;
"MSFT-TENANT-ID" = "72f988bf-86f1-41af-91ab-2d7cd011db47";
"LA-AAD-APP-ID" = $logAnalyticsAppId;
"IOTHUB-CLIENT-ID" = $iotHubAadTestAppId;
"IOTHUB-CLIENT-SECRET" = $iotHubAadTestAppPassword;
"LA-AAD-APP-CERT-BASE64" = $fileContentB64String;
"DPS-GLOBALDEVICEENDPOINT-INVALIDCERT" = "invalidcertgde1.westus.cloudapp.azure.com";
"PIPELINE-ENVIRONMENT" = "prod";
"HUB-CHAIN-DEVICE-PFX-CERTIFICATE" = $iothubX509ChainDevicePfxCertificate;
"HUB-CHAIN-ROOT-CA-CERTIFICATE" = $iothubX509RootCACertificate;
"HUB-CHAIN-INTERMEDIATE1-CERTIFICATE" = $iothubX509Intermediate1Certificate;
"HUB-CHAIN-INTERMEDIATE2-CERTIFICATE" = $iothubX509Intermediate2Certificate;
"IOTHUB-X509-CHAIN-DEVICE-NAME" = $iotHubCertChainDeviceCommonName;
"IOTHUB-USER-ASSIGNED-MSI-RESOURCE-ID" = $msiResourceId;
"E2E-IKEY" = $instrumentationKey;

<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="fake shared access token")]#>
"IOTHUB-DEVICE-CONN-STRING-INVALIDCERT" = "HostName=invalidcertiothub1.westus.cloudapp.azure.com;DeviceId=DoNotDelete1;SharedAccessKey=zWmeTGWmjcgDG1dpuSCVjc5ZY4TqVnKso5+g1wt/K3E=";
<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="fake shared access token")]#>
"IOTHUB-CONN-STRING-INVALIDCERT" = "HostName=invalidcertiothub1.westus.cloudapp.azure.com;SharedAccessKeyName=iothubowner;SharedAccessKey=Fk1H0asPeeAwlRkUMTybJasksTYTd13cgI7SsteB05U=";
<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="fake shared access token")]#>
"PROVISIONING-CONNECTION-STRING-INVALIDCERT" = "HostName=invalidcertdps1.westus.cloudapp.azure.com;SharedAccessKeyName=provisioningserviceowner;SharedAccessKey=lGO7OlXNhXlFyYV1rh9F/lUCQC1Owuh5f/1P0I1AFSY=";

# These environment variables are only used in Java

"IOT-DPS-CONNECTION-STRING" = $dpsConnectionString; # DPS Connection string Environment variable for Java
"IOT-DPS-ID-SCOPE" = $dpsIdScope; # DPS ID Scope Environment variable for Java
"FAR-AWAY-IOTHUB-CONNECTION-STRING" = $farHubConnectionString;
"IS-BASIC-TIER-HUB" = "false";

# These environment variables are used by .NET samples

"IOTHUB-DEVICE-CONN-STRING" = $iotHubSasBasedDeviceConnectionString;
"IOTHUB-MODULE-CONN-STRING" = $iotHubSasBasedModuleConnectionString;
"PNP-TC-DEVICE-CONN-STRING" = $temperatureControllerSampleDeviceConnectionString;
"PNP-THERMOSTAT-DEVICE-CONN-STRING" = $thermostatSampleDeviceConnectionString;
"IOTHUB-SAS-KEY" = $iothubownerSasPrimaryKey;
"IOTHUB-SAS-KEY-NAME" = $iothubownerSasPolicy;
"DPS-SYMMETRIC-KEY-INDIVIDUAL-ENROLLMENT-REGISTRATION-ID" = $symmetricKeySampleEnrollmentRegistrationId;
"DPS-SYMMETRIC-KEY-INDIVIDUAL-ENROLLEMNT-PRIMARY-KEY" = $symmetricKeySampleEnrollmentPrimaryKey;
}

if ($EnableIotHubSecuritySolution)
{
$keyvaultKvps.Add("LA-WORKSPACE-ID", $workspaceId)
}

Write-Host "`nWriting secrets to KeyVault $keyVaultName."
az keyvault set-policy -g $ResourceGroup --name $keyVaultName --object-id "$userObjectId" --output none --show-only-errors --secret-permissions delete get list set;
foreach ($kvp in $keyvaultKvps.GetEnumerator())
{
Write-Host "`tWriting $($kvp.Name)."
if ($null -eq $kvp.Value)
{
Write-Warning "`t`tValue is unexpectedly null!";
}
az keyvault secret set --vault-name $keyVaultName --name $kvp.Name --value "$($kvp.Value)" --output none --only-show-errors
}

###################################################################################################################################
# Run docker containers for TPM simulators and proxy
Expand All @@ -746,6 +774,7 @@ if (-not (docker images -q aziotbld/testproxy))
############################################################################################################################
# Clean up certs and files created by the script
############################################################################################################################

CleanUp-Certs

# Creating a file to run to load environment variables
Expand All @@ -758,6 +787,7 @@ Add-Content -Path $file.PSPath -Value "$PSScriptRoot\LoadEnvironmentVariablesFro
############################################################################################################################
# Configure environment variables
############################################################################################################################

Invoke-Expression "$loadScriptDir\$loadScriptName"

$endTime = (Get-Date)
Expand Down
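Review bot: The `az keyvault set-policy` call at the top of the rewritten key vault section passes `--show-only-errors`, while the `az keyvault secret set` call in the loop below it uses `--only-show-errors`; the az CLI global flag is `--only-show-errors`, so the policy call is likely to be rejected for an unrecognized argument, and since a native command failure does not stop PowerShell the loop would still run and every secret write would then fail against a vault the caller has no policy on. Checking the exit code right after the policy call, e.g. `if ($LASTEXITCODE -ne 0) { throw "Failed to set access policy on key vault $keyVaultName." }`, would surface that instead of leaving stale secrets in place for the pipeline. The null check in the loop only warns and then still writes `"$($kvp.Value)"`, which for a null value stores an empty string and overwrites whatever good value that secret previously held; if that is not the intent, a `continue` after the `Write-Warning` leaves the existing secret untouched. Related, in the earlier hunk `$logAnalyticsAppId` is now assigned only inside `if ($EnableIotHubSecuritySolution)`, yet `LA-AAD-APP-ID` and `LA-AAD-APP-CERT-BASE64` are added to `$keyvaultKvps` unconditionally, unlike `LA-WORKSPACE-ID`, so with the solution disabled they will take the null path (the origin of `$fileContentB64String` is outside the hunk, so that one is inferred).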