More secure user permissions, misc other minor changes.

Author: Andy Churchard

articles/operator-service-manager/quickstart-containerized-network-function-create-site-network-service.md

@@ -70,10 +70,15 @@ ms.service: azure-operator-service-manager
    > [!TIP]
    > Refer to the Retrieve Custom Location section for config group value for the customlocationID. For more information, see [Quickstart: Prerequisites for Operator and Containerized Network Function (CNF)](quickstart-containerized-network-function-operator.md).
 
-10. Select **Review + Create** then **Create**.
+1. Select **Review + Create** then **Create**.
 1. Allow the deployment state to reach a state of **Succeeded**. This status indicates your CNF is up and running.
 1. Access your CNF by navigating to the **Site Network Service Object** in the Azure portal. Select the **Current State -> Resources** to view the managed resource group created by Azure Operator Service Manager (AOSM).
 
     :::image type="content" source="media/site-network-service-preview.png" alt-text="Screenshot shows an overview of the site network service created." lightbox="media/site-network-service-preview.png":::
 
 You have successfully created a Site Network Service for a Nginx Container as a CNF in Azure. You can now manage and monitor your CNF through the Azure portal.
+
+When you have finished, remember to delete the resources. You can do this by:
+
+1. Deleting the Operator Resource Group.
+1. When the above is complete, deleting the Publisher Resource Group.

articles/operator-service-manager/quickstart-containerized-network-function-network-design.md

@@ -28,7 +28,11 @@ az aosm nsd generate-config
 Execution of the preceding command generates an nsd-input.jsonc file.
 
 > [!NOTE]
-> Edit the input.json file. Replace it with the values shown in the sample. Save the file as **input-cnf-nsd.jsonc**.
+> Edit the input.json file. Replace it with the values shown in the sample below. Save the file as **input-cnf-nsd.jsonc**.
+>
+> If you changed the name of the publisher when publishing the NFDV, use your publisher name for both the `publisher_name` and `publisher` fields (the latter is within the `resource_element_templates` array).
+>
+> If you have used a different resource group name, update both the `publisher_resource_group_name` and `publisher_resource_group` fields (the latter is within the `resource_element_templates` array).
 
 Here's a sample **input-cnf-nsd.jsonc**:
 
@@ -123,7 +127,7 @@ To publish the NSDV and its associated artifacts, issue the following command:
 az aosm nsd publish --build-output-folder nsd-cli-output
 ```
 
-When the Publish process is complete, navigate to your Publisher Resource Group to observe and review the resources and artifacts that were produced.
+When the publish process is complete, navigate to your Publisher Resource Group to observe and review the resources and artifacts that were produced.
 
 ## Next steps
 

articles/operator-service-manager/quickstart-containerized-network-function-operator.md

@@ -18,9 +18,11 @@ This quickstart contains the prerequisite tasks for Operator and Containerized N
 
 ## Permissions
 
-In order to complete these prerequisites for Operator and Containerized Network Function, you need an Azure subscription where you have the _Contributor_ role (in order to create a Resource Group) and you need to be able to attain the _Owner_ or _User Access Administrator_ role over this Resource Group. Alternatively, you need an existing Resource Group where you have the ‘Owner’ or ‘User Access Administrator’ Role.
+You need an Azure subscription with an existing Resource Group over which you have the _Contributor_ role and the _User Access Administrator_ role.
 
-You also need the _Owner_ or _User Access Administrator_ role in the Network Function Definition Publisher Resource Group. The Network Function Definition Publisher Resource Group was created in [Quickstart: Publish Nginx container as Containerized Network Function (CNF)](quickstart-publish-containerized-network-function-definition.md) and named nginx-publisher-rg in the input.json file.
+Alternatively you need the _Contributor_ role over this subscription so that the AOSM CLI extension can create the Resource Group, but you will then need to add  to your user the _User Access Administrator_ role with scope of this newly created Resource Group.
+
+You also need the _User Access Administrator_ role over the Network Function Definition Publisher Resource Group. The Network Function Definition Publisher Resource Group was used in [Quickstart: Publish Nginx container as Containerized Network Function (CNF)](quickstart-publish-containerized-network-function-definition.md). Check the input-cnf-nfd.jsonc file for the Resource Group name.
 
 ## Set environment variables
 
@@ -51,11 +53,8 @@ az group create -n ${resourceGroup} -l ${location}
 
 ## Provision Azure Kubernetes Service (AKS) cluster
 
-> [!NOTE]
-> Ensure that `agentCount` is set to 1. Only one node is required at this time.
-
 ```azurecli
-az aks create -g ${resourceGroup} -n ${clusterName} --node-count 1 --generate-ssh-keys
+az aks create -g ${resourceGroup} -n ${clusterName} --node-count 3 --generate-ssh-keys
 ```
 
 ## Enable Azure Arc

articles/operator-service-manager/quickstart-containerized-network-function-prerequisites.md

@@ -39,30 +39,14 @@ az extension add --name aosm
 
 ## Requirements for Containerized Network Function (CNF)
 
+### Install required local tools
+
 For those utilizing Containerized Network Functions, it's essential to ensure that the following packages are installed on the machine from which you're executing the CLI:
 
 - **Install docker**, refer to [Install the Docker Engine](https://docs.docker.com/engine/install/).
 - **Install Helm**, refer to [Install Helm CLI](https://helm.sh/docs/intro/install/). You must use Helm v3.8.0 or later.
 
 
-### Configure Containerized Network Function (CNF) deployment
-
-For deployments of Containerized Network Functions (CNFs), it's crucial to have the following stored on the machine from which you're executing the CLI:
-
-- **Helm Packages with Schema** - These packages should be present on your local storage and referenced within the `cnf-input.jsonc` configuration file. When following this quickstart, you download the required helm package.
-- **Creating a Sample Configuration File** - Generate an example configuration file for defining a CNF deployment. Issue this command to generate an `cnf-input.jsonc` file that you need to populate with your specific configuration.
-
-  ```azurecli
-  az aosm nfd generate-config --definition-type cnf
-  ```
-
-- Your container images must be present in either:
-  - A reference to existing Azure Container Registries that contain the images for your CNF.
-  - A reference to other Container Registries that contain the images for your CNF.
-
-> [!IMPORTANT]
-> Use the `docker login` command to sign in to a non-Azure container registry hosting your container images before you run any `az aosm` commands.
-
 ### Download sample Helm chart
 
 Download the sample Helm chart from here [Sample Helm chart](https://download.microsoft.com/download/c/5/1/c512cc48-ad99-4a69-afdc-db2bda449914/nginxdemo-0.3.0.tgz) for use with this quickstart.

articles/operator-service-manager/quickstart-publish-containerized-network-function-definition.md

@@ -16,10 +16,10 @@ This quickstart describes how to use the `az aosm` Azure CLI extension to create
 
 - An Azure account with an active subscription is required. If you don't have an Azure subscription, follow the instructions here [Start free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) to create an account before you begin.
 
-- The Contributor and AcrPush roles over this subscription in order to create a Resource Group, or an existing Resource Group where you have the Contributor role.
-
 - Complete the [Quickstart: Complete the prerequisites to deploy a Containerized Network Function in Azure Operator Service Manager](quickstart-containerized-network-function-prerequisites.md).
 
+- An existing Resource Group where you have the Contributor role, or the Contributor role over this subscription so that the AOSM CLI extension can create the resource group.
+
 ## Create input file
 
 Create an input file for publishing the Network Function Definition. Execute the following command to generate the input configuration file for the Network Function Definition (NFD).
@@ -32,8 +32,14 @@ Execution of the preceding command generates an cnf-input.jsonc file.
 
 > [!NOTE]
 > Edit the cnf-input.jsonc file. Replace it with the values shown in the following sample. Save the file as **input-cnf-nfd.jsonc**.
-> [!NOTE]
-> You can use multiple Container Registries as sources for your images in the AOSM CLI. The images to be copied from these Registries are populated automatically based on the helm package schema. To configure these source Registries, fill in `image_sources` list in the cnf-input.jsonc file. When using ACRs, you must have Reader/AcrPull permissions. When using other private Registries, you must run `docker login` to authenticate with all non-ACR Registries before running the `az aosm nfd build` command. In this quickstart we use `docker.io` as the image source Registry. This is a public Registry and does not require authentication.
+>
+> If you are using an existing resource group, change the `publisher_resource_group_name` field to match it.
+
+> [!TIP]
+> You can use multiple container registries as sources for your images in the AOSM CLI. The images to be copied from these registries are selected automatically based on the helm package schema. The source registries are configured in the `image_sources` list of the cnf-input.jsonc file.
+>
+>When using ACRs, you must have the Reader and AcrPull roles on the ACR. When using non-ACR registries, you must run `docker login` to authenticate with each private registry before running the `az aosm nfd build` command.
+> **In this quickstart we use `docker.io` as the image source registry. This is a *public* registry and does not require authentication.**
 
 Here's sample input-cnf-nfd.jsonc file:
 
@@ -45,7 +51,7 @@ Here's sample input-cnf-nfd.jsonc file:
   // Will be created if it does not exist.
   "publisher_name": "nginx-publisher",
   // Resource group for the Publisher resource.
-  // You should create this before running the publish command
+  // Will be created if it does not exist.
   "publisher_resource_group_name": "nginx-publisher-rg",
   // Name of the ACR Artifact Store resource.
   // Will be created if it does not exist.
@@ -63,9 +69,8 @@ Here's sample input-cnf-nfd.jsonc file:
   "helm_packages": [
     {
       "name": "nginxdemo",
-      "path_to_chart": "nginxdemo-0.1.0.tgz",
-      "default_values": "",
-      "depends_on": []
+      "path_to_chart": "nginxdemo-0.3.0.tgz",
+      "default_values": ""
     }
   ]
 }
@@ -110,6 +115,13 @@ Execute the following command to publish the Network Function Definition (NFD) a
 > [!NOTE]
 > If you are using Windows, you must have Docker Desktop running during the publish step.
 
+> [!NOTE]
+> Publisher names must be unique within a region. It is quite likely that the 'nginx-publisher' defined in the example config file already exists.
+>
+>If you get an error saying "**A private publisher resource with the name 'nginx-publisher' already exists in the provided region**", edit the `publisher_name` field in the config file so that it is unique (e.g. add a random string suffix), re-run the `build` command (above), and then re-run this `publish` command.
+>
+>If you go on to create a network service design, you will need to use this new pubilsher name in the `resource_element_templates` array.
+
 ```azurecli
 az aosm nfd publish -b cnf-cli-output --definition-type cnf
 ```

articles/operator-service-manager/quickstart-publish-virtualized-network-function-definition.md

@@ -16,9 +16,9 @@ This quickstart describes how to use the `az aosm` Azure CLI extension to create
 
 - An Azure account with an active subscription is required. If you don't have an Azure subscription, follow the instructions here [Start free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) to create an account before you begin.
 
-- The Contributor role over this subscription in order to create a Resource Group, or an existing Resource Group where you have the Contributor role.
+- Complete the [Quickstart: Complete the prerequisites to deploy a Virtualized Network Function in Azure Operator Service Manager](quickstart-virtualized-network-function-prerequisites.md)
 
-- It's also assumed that you followed the prerequisites in [Quickstart: Complete the prerequisites to deploy a Virtualized Network Function in Azure Operator Service Manager](quickstart-virtualized-network-function-prerequisites.md)
+- An existing Resource Group where you have the Contributor role, or the Contributor role over this subscription so that the AOSM CLI extension can create the resource group.
 
 ## Create input file
 
@@ -32,6 +32,8 @@ Once you execute this command, a vnf-input.jsonc file is generated.
 
 > [!NOTE]
 > Edit the vnf-input.jsonc file, replacing it with the values shown in the sample. Save the file as **input-vnf-nfd.jsonc**.
+>
+> If you are using an existing resource group, change the `publisher_resource_group_name` field to match it.
 
 Here is a sample input-vnf-nfd.jsonc file:
 
@@ -155,6 +157,13 @@ These files are created in a subdirectory called **vnf-cli-output**:
 
 Execute the following command to publish the Network Function Definition (NFD) and upload the associated artifacts:
 
+> [!NOTE]
+> Publisher names must be unique within a region. It is quite likely that the 'ubuntu-publisher' defined in the example config file already exists.
+>
+>If you get an error saying "**A private publisher resource with the name 'ubuntu-publisher' already exists in the provided region**", edit the `publisher_name` field in the config file so that it is unique (e.g. add a random string suffix), re-run the `build` command (above), and then re-run this `publish` command.
+>
+>If you go on to create a network service design, you will need to use this new pubilsher name in the `resource_element_templates` array.
+
 ```azurecli
 az aosm nfd publish --build-output-folder vnf-cli-output --definition-type vnf
 ```

articles/operator-service-manager/quickstart-virtualized-network-function-create-site-network-service.md

@@ -103,3 +103,8 @@ Wait for the deployment to reach the 'Succeeded' state. After completion, your V
 1. Select the link under **Current State -> Resources**. The link takes you to the managed resource group created by Azure Operator Service Manager.
 
 Congratulations! You have successfully created a Site Network Service for Ubuntu Virtual Machine (VM) as a Virtual Network Function (VNF) in Azure. You can now manage and monitor your Virtual Network Function (VNF) through the Azure portal.
+
+When you have finished, remember to delete the resources. You can do this by:
+
+1. Deleting the Operator Resource Group.
+1. When the above is complete, deleting the Publisher Resource Group.

articles/operator-service-manager/quickstart-virtualized-network-function-network-design.md

@@ -30,6 +30,10 @@ An `nsd-input.jsonc` file is generated when you run this command.
 
 > [!NOTE]
 > Edit the nsd-input.jsonc file, replacing it with the values shown in the sample. Remove the section where resource_element_type is set to ArmTemplate. This is for adding infrastructure (such as VNets) to more complicated NSDs, which is not needed in this quickstart. Save the file as **input-vnf-nsd.jsonc**.
+>
+> If you changed the name of the publisher when publishing the NFDV, use your publisher name for both the `publisher_name` and `publisher` fields (the latter is within the `resource_element_templates` array).
+>
+> If you have used a different resource group name, update both the `publisher_resource_group_name` and `publisher_resource_group` fields (the latter is within the `resource_element_templates` array).
 
 ```json
 {

articles/operator-service-manager/quickstart-virtualized-network-function-operator.md

@@ -107,8 +107,6 @@ This quickstart contains the prerequisite tasks for Operator and Virtualized Net
     ```
 1. The script creates a Virtual Network, a Network Security Group and the Managed Identity.
 
-
-
 ## Locate Resource ID for managed identity
 
 1. **Login to Azure portal**: Open a web browser and sign in to the Azure portal (https://portal.azure.com/) using your Azure account credentials.
@@ -134,7 +132,7 @@ This quickstart contains the prerequisite tasks for Operator and Virtualized Net
 
 ## Update Site Network Service (SNS) permissions
 
-To perform this task, you need either the 'Owner' or 'User Access Administrator' role in the respective Resource Group.
+To perform this task, you need the 'User Access Administrator' role over the respective Resource Group.
 In prior steps, you created a Managed Identity labeled *identity-for-ubuntu-vm-sns* inside your reference resource group. This identity plays a crucial role in deploying the Site Network Service. (SNS). Grant the identity 'Contributor' permissions for relevant resources. These actions facilitate the connection of the Virtual Machine (VM) to the Virtual Network (VNET). Through this identity, the Site Network Service (SNS) attains the required permissions.
 
 In prior steps, you created a Managed Identity labeled identity-for-ubuntu-vm-sns inside your reference resource group. This identity plays a crucial role in deploying the Site Network Service (SNS). Grant the identity 'Contributor' permissions for relevant resources. These actions facilitate the deployment of the Virtual Network Function and the connection of the Virtual Machine (VM) to the Virtual Network (VNET). Through this identity, the Site Network Service (SNS) attains the required permissions.
@@ -199,7 +197,7 @@ In prior steps, you created a Managed Identity labeled identity-for-ubuntu-vm-sn
 
 1. Select **Review and assign**.
 
-Completion of all the tasks outlined in this article ensures that the Service Network Slice (SNS) has the necessary permissions to function effectively within the specified Azure environment.
+Completion of all the tasks outlined in this article ensures that the Site Network Service (SNS) has the necessary permissions to function effectively within the specified Azure environment.
 
 ## Next steps
 

articles/operator-service-manager/quickstart-virtualized-network-function-prerequisites.md

@@ -61,7 +61,6 @@ Prior to using the Azure Operator Service Manager you must first register the re
 
 ```azurecli
 # Register Resource Provider
-az provider register --namespace Microsoft.ContainerRegistry
 az provider register --namespace Microsoft.ContainerInstance
 ```
 ## Verify registration status
@@ -70,17 +69,12 @@ To verify the registration status of the resource providers, you can run the fol
 
 ```azurecli
 # Query the Resource Provider
-az provider show -n Microsoft.ContainerRegistry --query "{RegistrationState: registrationState, ProviderName: namespace}"
 az provider show -n Microsoft.ContainerInstance --query "{RegistrationState: registrationState, ProviderName: namespace}"
 ```
 
 Upon success, the following output displays:
 
 ```azurecli
-{
-  "ProviderName": "Microsoft.ContainerRegistry",
-  "RegistrationState": "Registered"
-}
 {
   "ProviderName": "Microsoft.ContainerInstance",
   "RegistrationState": "Registered"