Merge pull request #278574 from jordlay/achurchard/permissions-and-other-misc-updates

Minor updates for improved user security practices

Author: JamesJBarnett

articles/operator-service-manager/concepts-expose-parameters-configuration-group-schema.md

@@ -32,6 +32,9 @@ The Azure CLI AOSM extension `az aosm nfd generate-config` command generates an
 
 This parameter controls the parameter exposure behavior in the AOSM CLI extension.
 
+>[!WARNING]
+> By exposing all parameters you are also exposing all your defaults. Make sure your defaults do not contain any sensitive information.
+
 ## Default behavior
 
 `expose_all_parameters` is always set to `false` by default. The AOSM CLI:
@@ -73,7 +76,7 @@ The AOSM CLI builds an NFDV that exposes the `required` parameter in the `deploy
 > [!IMPORTANT]
 > The AOSM CLI validates that the default `values.yaml` file in the helm chart is consistent with the chart by running `helm template`. The CLI raises an error if this `helm template` command fails.
 
-## Exposing all parameters
+## Expose all parameters
 
 The Azure AOSM CLI Extension supports making all parameters configurable. The required configuration in the input file generated by `az aosm nfd generate-config` is:
 

articles/operator-service-manager/quickstart-containerized-network-function-create-site-network-service.md

@@ -39,7 +39,7 @@ ms.service: azure-operator-service-manager
     |User Assigned Identity | Select **identity-for-nginx**
 
 
-    :::image type="content" source="media/create-site-network-service-basic-containerized.png" alt-text="Screenshot showing the basics tab to input project, instance and identity details." lightbox="media/create-site-network-service-basic-containerized.png":::
+    :::image type="content" source="media/create-site-network-service-basic-containerized.png" alt-text="Screenshot showing the basics tab to input project, instance, and identity details." lightbox="media/create-site-network-service-basic-containerized.png":::
 
 1. Select **Next: Choose a Network Site Design >**.
 1. On this screen, select the **Publisher**, **Network Service Design Resource**, and the **Network Service Design Version** you published earlier.
@@ -70,10 +70,15 @@ ms.service: azure-operator-service-manager
    > [!TIP]
    > Refer to the Retrieve Custom Location section for config group value for the customlocationID. For more information, see [Quickstart: Prerequisites for Operator and Containerized Network Function (CNF)](quickstart-containerized-network-function-operator.md).
 
-10. Select **Review + Create** then **Create**.
+1. Select **Review + Create** then **Create**.
 1. Allow the deployment state to reach a state of **Succeeded**. This status indicates your CNF is up and running.
 1. Access your CNF by navigating to the **Site Network Service Object** in the Azure portal. Select the **Current State -> Resources** to view the managed resource group created by Azure Operator Service Manager (AOSM).
 
     :::image type="content" source="media/site-network-service-preview.png" alt-text="Screenshot shows an overview of the site network service created." lightbox="media/site-network-service-preview.png":::
 
 You have successfully created a Site Network Service for a Nginx Container as a CNF in Azure. You can now manage and monitor your CNF through the Azure portal.
+
+When you have finished, remember to delete the resources. To do this:
+
+1. Delete the Operator Resource Group.
+1. When step 1 is complete, delete the Publisher Resource Group.

articles/operator-service-manager/quickstart-containerized-network-function-network-design.md

@@ -28,7 +28,11 @@ az aosm nsd generate-config
 Execution of the preceding command generates an nsd-input.jsonc file.
 
 > [!NOTE]
-> Edit the input.json file. Replace it with the values shown in the sample. Save the file as **input-cnf-nsd.jsonc**.
+> Edit the input.json file. Replace it with the values shown in the sample below. Save the file as **input-cnf-nsd.jsonc**.
+>
+> If you changed the name of the publisher when publishing the NFDV, use your publisher name for both the `publisher_name` and `publisher` fields (the latter is within the `resource_element_templates` array).
+>
+> If you have used a different resource group name, update both the `publisher_resource_group_name` and `publisher_resource_group` fields (the latter is within the `resource_element_templates` array).
 
 Here's a sample **input-cnf-nsd.jsonc**:
 
@@ -123,7 +127,7 @@ To publish the NSDV and its associated artifacts, issue the following command:
 az aosm nsd publish --build-output-folder nsd-cli-output
 ```
 
-When the Publish process is complete, navigate to your Publisher Resource Group to observe and review the resources and artifacts that were produced.
+When the publish process is complete, navigate to your Publisher Resource Group to observe and review the resources and artifacts that were produced.
 
 ## Next steps
 

articles/operator-service-manager/quickstart-containerized-network-function-operator.md

@@ -18,9 +18,11 @@ This quickstart contains the prerequisite tasks for Operator and Containerized N
 
 ## Permissions
 
-In order to complete these prerequisites for Operator and Containerized Network Function, you need an Azure subscription where you have the _Contributor_ role (in order to create a Resource Group) and you need to be able to attain the _Owner_ or _User Access Administrator_ role over this Resource Group. Alternatively, you need an existing Resource Group where you have the ‘Owner’ or ‘User Access Administrator’ Role.
+You need an Azure subscription with an existing Resource Group over which you have the _Contributor_ role and the _User Access Administrator_ role.
 
-You also need the _Owner_ or _User Access Administrator_ role in the Network Function Definition Publisher Resource Group. The Network Function Definition Publisher Resource Group was created in [Quickstart: Publish Nginx container as Containerized Network Function (CNF)](quickstart-publish-containerized-network-function-definition.md) and named nginx-publisher-rg in the input.json file.
+Alternatively the AOSM CLI extension can create the Resource Group for you, in which case you need the _Contributor_ role over this subscription. If you use this feature, you will need to add to your user the _User Access Administrator_ role with scope of this newly created Resource Group.
+
+You also need the _User Access Administrator_ role over the Network Function Definition Publisher Resource Group. The Network Function Definition Publisher Resource Group was used in [Quickstart: Publish Nginx container as Containerized Network Function (CNF)](quickstart-publish-containerized-network-function-definition.md). Check the input-cnf-nfd.jsonc file for the Resource Group name.
 
 ## Set environment variables
 
@@ -51,11 +53,8 @@ az group create -n ${resourceGroup} -l ${location}
 
 ## Provision Azure Kubernetes Service (AKS) cluster
 
-> [!NOTE]
-> Ensure that `agentCount` is set to 1. Only one node is required at this time.
-
 ```azurecli
-az aks create -g ${resourceGroup} -n ${clusterName} --node-count 1 --generate-ssh-keys
+az aks create -g ${resourceGroup} -n ${clusterName} --node-count 3 --generate-ssh-keys
 ```
 
 ## Enable Azure Arc
@@ -220,7 +219,7 @@ In prior steps, you created a Managed Identity labeled identity-for-nginx-sns in
 
 1. Choose **Add Role Assignment**.
 
-   :::image type="content" source="media/how-to-create-user-assigned-managed-identity-operator.png" alt-text="Screenshot showing identity for nginx sns add role assignment." lightbox="media/how-to-create-user-assigned-managed-identity-operator.png":::
+   :::image type="content" source="media/how-to-create-user-assigned-managed-identity-operator.png" alt-text="Screenshot showing identity for nginx SNS add role assignment." lightbox="media/how-to-create-user-assigned-managed-identity-operator.png":::
 
 1. Select the **Managed Identity Operator** role then proceed with **Next**.
 

articles/operator-service-manager/quickstart-containerized-network-function-prerequisites.md

@@ -39,30 +39,14 @@ az extension add --name aosm
 
 ## Requirements for Containerized Network Function (CNF)
 
+### Install required local tools
+
 For those utilizing Containerized Network Functions, it's essential to ensure that the following packages are installed on the machine from which you're executing the CLI:
 
 - **Install docker**, refer to [Install the Docker Engine](https://docs.docker.com/engine/install/).
 - **Install Helm**, refer to [Install Helm CLI](https://helm.sh/docs/intro/install/). You must use Helm v3.8.0 or later.
 
 
-### Configure Containerized Network Function (CNF) deployment
-
-For deployments of Containerized Network Functions (CNFs), it's crucial to have the following stored on the machine from which you're executing the CLI:
-
-- **Helm Packages with Schema** - These packages should be present on your local storage and referenced within the `cnf-input.jsonc` configuration file. When following this quickstart, you download the required helm package.
-- **Creating a Sample Configuration File** - Generate an example configuration file for defining a CNF deployment. Issue this command to generate an `cnf-input.jsonc` file that you need to populate with your specific configuration.
-
-  ```azurecli
-  az aosm nfd generate-config --definition-type cnf
-  ```
-
-- Your container images must be present in either:
-  - A reference to existing Azure Container Registries that contain the images for your CNF.
-  - A reference to other Container Registries that contain the images for your CNF.
-
-> [!IMPORTANT]
-> Use the `docker login` command to sign in to a non-Azure container registry hosting your container images before you run any `az aosm` commands.
-
 ### Download sample Helm chart
 
 Download the sample Helm chart from here [Sample Helm chart](https://download.microsoft.com/download/c/5/1/c512cc48-ad99-4a69-afdc-db2bda449914/nginxdemo-0.3.0.tgz) for use with this quickstart.

articles/operator-service-manager/quickstart-publish-containerized-network-function-definition.md

@@ -16,10 +16,10 @@ This quickstart describes how to use the `az aosm` Azure CLI extension to create
 
 - An Azure account with an active subscription is required. If you don't have an Azure subscription, follow the instructions here [Start free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) to create an account before you begin.
 
-- The Contributor and AcrPush roles over this subscription in order to create a Resource Group, or an existing Resource Group where you have the Contributor role.
-
 - Complete the [Quickstart: Complete the prerequisites to deploy a Containerized Network Function in Azure Operator Service Manager](quickstart-containerized-network-function-prerequisites.md).
 
+- An existing Resource Group where you have the Contributor role, or the Contributor role over this subscription so that the AOSM CLI extension can create the resource group.
+
 ## Create input file
 
 Create an input file for publishing the Network Function Definition. Execute the following command to generate the input configuration file for the Network Function Definition (NFD).
@@ -32,8 +32,14 @@ Execution of the preceding command generates an cnf-input.jsonc file.
 
 > [!NOTE]
 > Edit the cnf-input.jsonc file. Replace it with the values shown in the following sample. Save the file as **input-cnf-nfd.jsonc**.
-> [!NOTE]
-> You can use multiple Container Registries as sources for your images in the AOSM CLI. The images to be copied from these Registries are populated automatically based on the helm package schema. To configure these source Registries, fill in `image_sources` list in the cnf-input.jsonc file. When using ACRs, you must have Reader/AcrPull permissions. When using other private Registries, you must run `docker login` to authenticate with all non-ACR Registries before running the `az aosm nfd build` command. In this quickstart we use `docker.io` as the image source Registry. This is a public Registry and does not require authentication.
+>
+> If you are using an existing resource group, change the `publisher_resource_group_name` field to match it.
+
+> [!TIP]
+> You can use multiple container registries as sources for your images in the AOSM CLI. The images to be copied from these registries are selected automatically based on the helm package schema. The source registries are configured in the `image_sources` list of the cnf-input.jsonc file.
+>
+>When using ACRs, you must have the Reader and AcrPull roles on the ACR. When using non-ACR registries, you must run `docker login` to authenticate with each private registry before running the `az aosm nfd build` command.
+> **In this quickstart we use `docker.io` as the image source registry. This is a *public* registry and does not require authentication.**
 
 Here's sample input-cnf-nfd.jsonc file:
 
@@ -45,7 +51,7 @@ Here's sample input-cnf-nfd.jsonc file:
   // Will be created if it does not exist.
   "publisher_name": "nginx-publisher",
   // Resource group for the Publisher resource.
-  // You should create this before running the publish command
+  // Will be created if it does not exist.
   "publisher_resource_group_name": "nginx-publisher-rg",
   // Name of the ACR Artifact Store resource.
   // Will be created if it does not exist.
@@ -63,9 +69,8 @@ Here's sample input-cnf-nfd.jsonc file:
   "helm_packages": [
     {
       "name": "nginxdemo",
-      "path_to_chart": "nginxdemo-0.1.0.tgz",
-      "default_values": "",
-      "depends_on": []
+      "path_to_chart": "nginxdemo-0.3.0.tgz",
+      "default_values": ""
     }
   ]
 }
@@ -110,6 +115,13 @@ Execute the following command to publish the Network Function Definition (NFD) a
 > [!NOTE]
 > If you are using Windows, you must have Docker Desktop running during the publish step.
 
+> [!NOTE]
+> Publisher names must be unique within a region. It is quite likely that the 'nginx-publisher' defined in the example config file already exists.
+>
+>If you get an error saying "**A private publisher resource with the name 'nginx-publisher' already exists in the provided region**", edit the `publisher_name` field in the config file so that it is unique (e.g. add a random string suffix), re-run the `build` command (above), and then re-run this `publish` command.
+>
+>If you go on to create a network service design, you will need to use this new pubilsher name in the `resource_element_templates` array.
+
 ```azurecli
 az aosm nfd publish -b cnf-cli-output --definition-type cnf
 ```

articles/operator-service-manager/quickstart-publish-virtualized-network-function-definition.md

@@ -16,9 +16,9 @@ This quickstart describes how to use the `az aosm` Azure CLI extension to create
 
 - An Azure account with an active subscription is required. If you don't have an Azure subscription, follow the instructions here [Start free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) to create an account before you begin.
 
-- The Contributor role over this subscription in order to create a Resource Group, or an existing Resource Group where you have the Contributor role.
+- Complete the [Quickstart: Complete the prerequisites to deploy a Virtualized Network Function in Azure Operator Service Manager](quickstart-virtualized-network-function-prerequisites.md)
 
-- It's also assumed that you followed the prerequisites in [Quickstart: Complete the prerequisites to deploy a Virtualized Network Function in Azure Operator Service Manager](quickstart-virtualized-network-function-prerequisites.md)
+- An existing Resource Group where you have the Contributor role, or the Contributor role over this subscription so that the AOSM CLI extension can create the resource group.
 
 ## Create input file
 
@@ -32,6 +32,8 @@ Once you execute this command, a vnf-input.jsonc file is generated.
 
 > [!NOTE]
 > Edit the vnf-input.jsonc file, replacing it with the values shown in the sample. Save the file as **input-vnf-nfd.jsonc**.
+>
+> If you are using an existing resource group, change the `publisher_resource_group_name` field to match it.
 
 Here is a sample input-vnf-nfd.jsonc file:
 
@@ -155,6 +157,13 @@ These files are created in a subdirectory called **vnf-cli-output**:
 
 Execute the following command to publish the Network Function Definition (NFD) and upload the associated artifacts:
 
+> [!NOTE]
+> Publisher names must be unique within a region. It is quite likely that the 'ubuntu-publisher' defined in the example config file already exists.
+>
+>If you get an error saying "**A private publisher resource with the name 'ubuntu-publisher' already exists in the provided region**", edit the `publisher_name` field in the config file so that it is unique (e.g. add a random string suffix), re-run the `build` command (above), and then re-run this `publish` command.
+>
+>If you go on to create a network service design, you will need to use this new pubilsher name in the `resource_element_templates` array.
+
 ```azurecli
 az aosm nfd publish --build-output-folder vnf-cli-output --definition-type vnf
 ```

articles/operator-service-manager/quickstart-virtualized-network-function-create-site-network-service.md

@@ -103,3 +103,8 @@ Wait for the deployment to reach the 'Succeeded' state. After completion, your V
 1. Select the link under **Current State -> Resources**. The link takes you to the managed resource group created by Azure Operator Service Manager.
 
 Congratulations! You have successfully created a Site Network Service for Ubuntu Virtual Machine (VM) as a Virtual Network Function (VNF) in Azure. You can now manage and monitor your Virtual Network Function (VNF) through the Azure portal.
+
+When you have finished, remember to delete the resources. To do this:
+
+1. Delete the Operator Resource Group.
+1. When step 1 is complete, delete the Publisher Resource Group.

articles/operator-service-manager/quickstart-virtualized-network-function-network-design.md

@@ -30,6 +30,10 @@ An `nsd-input.jsonc` file is generated when you run this command.
 
 > [!NOTE]
 > Edit the nsd-input.jsonc file, replacing it with the values shown in the sample. Remove the section where resource_element_type is set to ArmTemplate. This is for adding infrastructure (such as VNets) to more complicated NSDs, which is not needed in this quickstart. Save the file as **input-vnf-nsd.jsonc**.
+>
+> If you changed the name of the publisher when publishing the NFDV, use your publisher name for both the `publisher_name` and `publisher` fields (the latter is within the `resource_element_templates` array).
+>
+> If you have used a different resource group name, update both the `publisher_resource_group_name` and `publisher_resource_group` fields (the latter is within the `resource_element_templates` array).
 
 ```json
 {