Use ClientTenantProvider

Author: idg10

Solutions/Marain.Operations.ControlHost.Functions/local.settings.template.json

@@ -3,13 +3,34 @@
   "Values": {
     "AzureWebJobsStorage": "UseDevelopmentStorage=true",
     "FUNCTIONS_WORKER_RUNTIME": "dotnet",
-    "ExternalServices:OperationsStatus": "http://localhost:7077/",
     "AzureServicesAuthConnectionString": "RunAs=Developer; DeveloperTool=AzureCLI",
     "APPINSIGHTS_INSTRUMENTATIONKEY": "",
     "ExternalServices__OperationsStatus": "http://localhost:7077/",
 
+    // If you want to debug against a real storage account in Azure, set AccountName to the full connection string.
+    // If you want to debug the code the fetches the storage strings from key vault, set AccountName to just the
+    // storage account name and then set the key vault and secret names, and you'll also need to set
+    // TenantCloudBlobContainerFactoryOptions__AzureServicesAuthConnectionString
+    // to a suitable string for authenticating against key vault. If your personal account has access to the key vault, you can use:
+    // "RunAs=Developer; DeveloperTool=AzureCLI",
+    // otherwise, set up a suitable service principle, and use:
+    // "TenantCloudBlobContainerFactoryOptions__AzureServicesAuthConnectionString": "RunAs=App;AppId=AppIdForYourServicePrinciple;TenantId=0f621c67-98a0-4ed5-b5bd-31a35be41e29;AppKey=YourAppSecretHere",
     "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__AccountName": "UseDevelopmentStorage=true",
     "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__KeyVaultName": "",
-    "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__AccountKeySecretName": ""
+    "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__AccountKeySecretName": "",
+
+    // If running with a local tenancy service, point TenancyClient__TenancyServiceBaseUri at the localhost address for that
+    "TenancyClient__TenancyServiceBaseUri": "https://maridgtenancy.azurewebsites.net/"
+
+    // If instead you point TenancyClient__TenancyServiceBaseUri at an instance in Azure, this local service will need to
+    // authenticate, which means you'll need to set this this:
+    // "TenancyClient__ResourceIdForMsiAuthentication": "AppIdSecuringAccessToTenancyFunction"
+    //
+    // And for that to work, you won't be able to use tne normal az cli-based AzureServicesAuthConnectionString
+    // (because az cli is only able to obtain tokens for a fixed set of known Microsoft resource; it can't be
+    // used to obtain tokens for arbitrary applications that we've defined). Instead, you'll need to create
+    // a suitable service principle in AAD, grant that service principle access to the tenancy service, and
+    // set up the credentials like this instead of the setting above:
+    //  "AzureServicesAuthConnectionString": "RunAs=App;AppId=AppIdForYourServicePrinciple;TenantId=0f621c67-98a0-4ed5-b5bd-31a35be41e29;AppKey=YourAppSecretHere"
   }
 }

Solutions/Marain.Operations.Deployment/Templates/functions-app-settings-operations-control-host.json

@@ -60,8 +60,8 @@
         "ExternalServices__OperationsStatus": "[parameters('operationsStatusServiceBaseUrl')]",
 
         "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:AccountName": "[parameters('storageAccountName')]",
-        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:KeyVaultName": "[parameters('storageAccountKeyName')]",
-        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:AccountKeySecretName": "[parameters('keyVaultName')]"
+        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:KeyVaultName": "[parameters('keyVaultName')]",
+        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:AccountKeySecretName": "[parameters('storageAccountKeyName')]"
       }
     }
   ],

Solutions/Marain.Operations.Deployment/Templates/functions-app-settings-operations-status-host.json

@@ -55,8 +55,8 @@
         "AzureServicesAuthConnectionString": "",
 
         "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:AccountName": "[parameters('storageAccountName')]",
-        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:KeyVaultName": "[parameters('storageAccountKeyName')]",
-        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:AccountKeySecretName": "[parameters('keyVaultName')]"
+        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:KeyVaultName": "[parameters('keyVaultName')]",
+        "TenantCloudBlobContainerFactoryOptions:RootTenantBlobStorageConfiguration:AccountKeySecretName": "[parameters('storageAccountKeyName')]"
       }
     }
   ],

Solutions/Marain.Operations.Hosting.AspNetCore/Marain.Operations.Hosting.AspNetCore.csproj

@@ -14,7 +14,9 @@
   <Import Project="..\Common.NetStandard_2_0.proj" />
 
   <ItemGroup>
+    <PackageReference Include="Corvus.Identity.ManagedServiceIdentity.ClientAuthentication" Version="0.2.0-preview.5" />
     <PackageReference Include="Corvus.Tenancy.Abstractions" Version="0.21.0" />
+    <PackageReference Include="Marain.Tenancy.ClientTenantProvider" Version="0.3.0-preview.8" />
     <PackageReference Include="Menes.Abstractions" Version="0.9.0" />
     <PackageReference Include="Menes.Hosting.AspNetCore" Version="0.9.0" />
     <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />

Solutions/Marain.Operations.Hosting.AspNetCore/Microsoft/Extensions/DependencyInjection/OperationsRepositoryServiceCollectionExtensions.cs

@@ -9,6 +9,7 @@ namespace Microsoft.Extensions.DependencyInjection
     using Marain.Operations.OpenApi;
     using Marain.Operations.Storage;
     using Marain.Operations.Storage.Blob;
+    using Marain.Tenancy.Client;
     using Menes;
     using Microsoft.Extensions.Configuration;
 
@@ -26,7 +27,9 @@ public static class OperationsRepositoryServiceCollectionExtensions
         public static IServiceCollection AddTenancyBlobContainerOperationsRepository(
             this IServiceCollection services)
         {
-            services.AddTenantProviderBlobStore();
+            services.AddSingleton(sp => sp.GetRequiredService<IConfiguration>().GetSection("TenancyClient").Get<TenancyClientOptions>());
+            services.AddAzureManagedIdentityBasedTokenSource();
+            services.AddTenantProviderServiceClient();
             services.AddTenantCloudBlobContainerFactory(sp => sp.GetRequiredService<TenantCloudBlobContainerFactoryOptions>());
             services.AddSingleton<IOperationsRepository, OperationsRepository>();
 

Solutions/Marain.Operations.StatusHost.Functions/local.settings.template.json

@@ -6,8 +6,30 @@
     "AzureServicesAuthConnectionString": "RunAs=Developer; DeveloperTool=AzureCLI",
     "APPINSIGHTS_INSTRUMENTATIONKEY": "",
 
+    // If you want to debug against a real storage account in Azure, set AccountName to the full connection string.
+    // If you want to debug the code the fetches the storage strings from key vault, set AccountName to just the
+    // storage account name and then set the key vault and secret names, and you'll also need to set
+    // TenantCloudBlobContainerFactoryOptions__AzureServicesAuthConnectionString
+    // to a suitable string for authenticating against key vault. If your personal account has access to the key vault, you can use:
+    // "RunAs=Developer; DeveloperTool=AzureCLI",
+    // otherwise, set up a suitable service principle, and use:
+    // "TenantCloudBlobContainerFactoryOptions__AzureServicesAuthConnectionString": "RunAs=App;AppId=AppIdForYourServicePrinciple;TenantId=0f621c67-98a0-4ed5-b5bd-31a35be41e29;AppKey=YourAppSecretHere",
     "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__AccountName": "UseDevelopmentStorage=true",
     "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__KeyVaultName": "",
-    "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__AccountKeySecretName": ""
+    "TenantCloudBlobContainerFactoryOptions__RootTenantBlobStorageConfiguration__AccountKeySecretName": "",
+
+    // If running with a local tenancy service, point TenancyClient__TenancyServiceBaseUri at the localhost address for that
+    "TenancyClient__TenancyServiceBaseUri": "https://marYOURENVIRONMENTtenancy.azurewebsites.net/"
+
+    // If instead you point TenancyClient__TenancyServiceBaseUri at an instance in Azure, this local service will need to
+    // authenticate, which means you'll need to set this this:
+    // "TenancyClient__ResourceIdForMsiAuthentication": "AppIdSecuringAccessToTenancyFunction"
+    //
+    // And for that to work, you won't be able to use tne normal az cli-based AzureServicesAuthConnectionString
+    // (because az cli is only able to obtain tokens for a fixed set of known Microsoft resource; it can't be
+    // used to obtain tokens for arbitrary applications that we've defined). Instead, you'll need to create
+    // a suitable service principle in AAD, grant that service principle access to the tenancy service, and
+    // set up the credentials like this instead of the setting above:
+    //  "AzureServicesAuthConnectionString": "RunAs=App;AppId=AppIdForYourServicePrinciple;TenantId=0f621c67-98a0-4ed5-b5bd-31a35be41e29;AppKey=YourAppSecretHere"
   }
 }