Merge pull request #256674 from msmbaldwin/managed-ccf-3

Azure Managed CCF initial doc release -- PR 3 of 7 (see first comment)

Author: v-regandowner

articles/managed-ccf/how-to-activate-members.md

@@ -0,0 +1,56 @@
+---
+title: Activate members in an Azure Managed CCF resource
+description: Learn to activate the members in an Azure Managed CCF resource
+author: msftsettiy
+ms.author: settiy
+ms.date: 09/08/2023
+ms.service: confidential-ledger
+ms.topic: how-to
+ms.custom: devx-track-azurecli
+---
+
+# Activate members in an Azure Managed CCF resource
+
+In this guide, you will learn how to activate the member(s) in an Azure Managed CCF (Managed CCF) resource. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.
+
+## Prerequisites
+
+- Python 3+.
+- Install the latest version of the [CCF Python package](https://pypi.org/project/ccf/).
+
+## Download the service identity
+
+[!INCLUDE [Download Service Identity](./includes/service-identity.md)]
+
+## Activate Member(s)
+
+When a member is added to a Managed CCF resource, they are in the accepted state. They cannot participate in governance until they are activated. To do so, the member must acknowledge that they are satisfied with the state of the service (for example, after auditing the current constitution and the nodes currently trusted).
+
+1. The member must update and retrieve the latest state digest. In doing so, the new member confirms that they are satisfied with the current state of the service.
+
+```Bash
+curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/ack/update_state_digest -X POST --cacert service_cert.pem --key member0_privk.pem --cert member0_cert.pem --silent | jq > request.json
+cat request.json
+{
+    "state_digest": <...>
+}
+```
+
+[!INCLUDE [Mac instructions](./includes/macos-instructions.md)]
+
+2. The member must sign the state digest using the ccf_cose_sign1 utility. This utility is installed along with the CCF Python package.
+
+```Bash
+ccf_cose_sign1 --ccf-gov-msg-type ack --ccf-gov-msg-created_at `date -Is` --signing-key member0_privk.pem --signing-cert member0_cert.pem --content request.json | \
+ curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/ack --cacert service_cert.pem --data-binary @- -H "content-type: application/cose"
+```
+
+3. After the command completes, the member is active and can participate in governance. The members can be viewed using the following command.
+
+[!INCLUDE [View members](./includes/view-members.md)]
+
+## Next steps
+
+- [Azure Managed CCF overview](overview.md)
+- [Quickstart: Create an Azure Managed CCF resource](quickstart-portal.md)
+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

articles/managed-ccf/how-to-backup-restore-resource.md

@@ -0,0 +1,134 @@
+---
+title: Backup and restore an Azure Managed CCF resource
+description: Learn to back up and restore an Azure Managed CCF resource
+services: managed-ccf
+author: pallabpaul
+ms.service: confidential-ledger
+ms.topic: how-to
+ms.date: 09/07/2023
+ms.author: pallabpaul
+#Customer intent: As a developer, I want to know how to perform a backup and restore of my Managed CCF app so that I can can access backups of my app files and restore my app in another region in the case of a disaster recovery.
+---
+
+# Perform a backup and restore
+
+In this article, you'll learn to perform backup of an Azure Managed CCF (Managed CCF) resource and restore it to create a copy of the original Managed CCF resource. Here are some of the use cases that warrant this capability:  
+
+- A Managed CCF resource is an append only ledger at the core. It is impossible to delete few erroneous transactions without impacting the integrity of the ledger. To keep the data clean, a business could decide to recreate the resource sans the erroneous transactions.  
+- A developer could add reference data into a Managed CCF resource and create a back of it. The developer can use the copy later to create a fresh Managed CCF resource and save time.
+
+This article uses the commands found at the [Managed CCF's REST API Docs](/rest/api/confidentialledger/managed-ccf).
+
+## Prerequisites
+
+- Install the [Azure CLI](/cli/azure/install-azure-cli).
+- An Azure Storage Account.
+
+## Setup
+
+### Generate an access token
+
+An access token is required to use the Managed CCF REST API. Execute the following command to generate an access token.
+
+> [!NOTE]
+> An access token has a finite lifetime after which it is unusable. Generate a new token if the API request fails due to a HTTP 401 Unauthorized error.
+
+```bash
+az account get-access-token –subscription <subscription_id>
+```
+
+### Generate a Shared Access Signature token
+
+The backup is stored in an Azure Storage Fileshare that is owned and controlled by you. The backup and restore API requests require a [Shared Access Signature](../storage/common/storage-sas-overview.md) token to grant temporary read and write access to the Fileshare. Follow these steps:
+
+> [!NOTE]
+> A Shared Access Signature(SAS) token has a finite lifetime after which it is unusable. We recommend using short lived tokens to avoid tokens being leaked into the public and misused.
+
+1. Navigate to the Azure Storage Account where the backups will be stored.
+2. Navigate to the `Security + networking` -> `Shared access signature` blade.
+3. Generate a SAS token with the following configuration:
+
+    :::image type="content" source="./media/how-to/cedr-sas-uri.png" lightbox="./media/how-to/cedr-sas-uri.png" alt-text="Screenshot of the Azure portal in a web browser, showing the required SAS Generation configuration.":::
+4. Save the `File service SAS URL`.
+
+## Backup
+
+### Create a backup
+
+Creating a backup of the Managed CCF resource creates a Fileshare in the storage account. This backup can be used to restore the Managed CCF resource at a later time.
+
+Follow these steps to perform a backup.
+
+1. [Generate and save a bearer token](#generate-an-access-token) generated for the subscription that your Managed CCF resource is located in.
+1. [Generate a SAS token](#generate-a-shared-access-signature-token) for the Storage Account to store the backup.
+1. Execute the following command to trigger a backup. You must supply a few parameters:
+   - **subscription_id**: The subscription where the Managed CCF resource is deployed.
+   - **resource_group**: The resource group name of the Managed CCF resource.
+   - **app_name**: The name of the Managed CCF resource.
+   - **sas_token**: The Shared Access Signature token.
+   - **restore_region**: An optional parameter to indicate a region where the backup would be restored. It can be ignored if you expect to restore the backup in the same region as the Managed CCF resource.
+    ```bash
+    curl --request POST 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ConfidentialLedger/ManagedCCFs/<app_name>/backup?api-version=2023-06-28-preview' \
+    --header 'Authorization: Bearer <bearer_token>' \
+    --header 'Content-Type: application/json' \
+    --data-raw '{
+      "uri": "<sas_token>",
+      "restoreRegion": "<restore_region>"
+    }'
+    ```
+1. A Fileshare is created in the Azure Storage Account with the name `<mccf_app_name>-<timestamp>`.
+
+### Explore the backup files
+
+After the backup completes, you can view the files stored in your Azure Storage Fileshare.
+
+:::image type="content" source="./media/how-to/cedr-backup-file-share.png" lightbox="./media/how-to/cedr-backup-file-share.png" alt-text="Screenshot of the Azure portal in a web browser, showing a sample Fileshare folder structure.":::
+
+Refer to the following articles to explore the backup files.
+
+- [Understanding your Ledger and Snapshot Files](https://microsoft.github.io/CCF/main/operations/ledger_snapshot.html)
+- [Viewing your Ledger and Snapshot Files](https://microsoft.github.io/CCF/main/audit/python_library.html)
+
+## Restore
+
+### Create a Managed CCF resource using the backup files
+
+This restores the Managed CCF resource using a copy of the files in the backup Fileshare. The resource will be restored to the same state and transaction ID at the time of the backup.
+
+> [!IMPORTANT]
+> The restore will fail if the backup files are older than 90 days.
+
+> [!NOTE]
+> The original Managed CCF resource must be deleted before a restore is initiated. The restore command will fail if the original instance exists. [Delete your original Managed CCF resource](/cli/azure/confidentialledger/managedccfs?#az-confidentialledger-managedccfs-delete).
+>
+> The **app_name** should be the same as the original Managed CCF resource.
+
+Follow these steps to perform a restore.
+
+1. [Generate a Bearer token](#generate-an-access-token) for the subscription that the Managed CCF resource is located in.
+2. [Generate a SAS token](#generate-a-shared-access-signature-token) for the storage account that has the backup files.
+3. Execute the following command to trigger a restore. You must supply a few parameters.
+    - **subscription_id**: The subscription where the Managed CCF resource is deployed.
+    - **resource_group**: The resource group name of the Managed CCF resource.
+    - **app_name**: The name of the Managed CCF resource.
+    - **sas_token**: The Shared Access Signature token.
+    - **restore_region**: An optional parameter to indicate a region where the backup would be restored. It can be ignored if you expect to restore the backup in the same region as the Managed CCF resource.
+    - **fileshare_name**: The name of the Fileshare where the backup files are located.
+
+    ```bash
+    curl --request POST 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ConfidentialLedger/ManagedCCFs/<app_name>/restore?api-version=2023-06-28-preview' \
+    --header 'Authorization: Bearer <bearer_token>' \
+    --header 'Content-Type: application/json' \
+    --data-raw '{
+      "uri": "<sas_token>",
+      "restoreRegion": "<restore_region>",
+      "fileShareName": "<fileshare_name>"
+    }'
+    ```
+1. At the end of the command, the Managed CCF resource is restored.
+
+## Next steps
+
+- [Azure Managed CCF overview](overview.md)
+- [Quickstart: Azure portal](quickstart-portal.md)
+- [Quickstart: Azure CLI](quickstart-python.md)

articles/managed-ccf/how-to-enable-azure-monitor.md

@@ -0,0 +1,41 @@
+---
+title: View application logs in Azure Monitor
+description: Learn to view the application logs in Azure Monitor
+author: msftsettiy
+ms.author: settiy
+ms.date: 09/09/2023
+ms.service: confidential-ledger
+ms.topic: how-to
+ms.custom: devx-track-azurecli
+---
+
+# View the application logs in Azure Monitor
+
+In this tutorial, you will learn how to view the application logs in Azure Monitor by creating a Log Analytics workspace. This tutorial builds on the Azure Managed CCF (Managed CCF) resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial. Logs are essential pieces of information to understand, analyze and optimize the logic and performance of an application.
+
+The logs from your TypeScript and JavaScript application can be viewed in Azure Monitor by creating a Log Analytics workspace.
+
+## Create the Log Analytics workspace
+
+1. Follow the instructions at [Create a workspace](../azure-monitor/logs/quick-create-workspace.md) to create a workspace.
+2. After the workspace is created, make a note of the Resource ID from the properties page.
+    :::image type="content" source="media/how-to/log-analytics-workspace-properties.png" alt-text="Screenshot that shows the properties of a Log Analytics workspace screen.":::
+1. Navigate to the Managed CCF resource and make a note of the Resource ID from the properties page.
+
+## Link the Log Analytics workspace to the Managed CCF resource
+
+1. After the workspace is created, it must be linked with the Managed CCF resource. It takes a few minutes after linking for the logs to appear in the workspace.
+
+    ```azurecli
+    > az login
+    
+    > az monitor diagnostic-settings create --name confidentialbillingapplogs --resource <Resource Id of the Managed CCF resource> --workspace <Resource Id of the workspace> --logs [{\"category\":\"applicationlogs\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}}]
+    ```
+1. Open the Logs page. Navigate to the Queries tab and group the queries by Resource type from the drop-down. Navigate to the 'Azure Managed CCF' resource and run the 'CCF application errors' query. Remove the 'Level' filter to view all the logs.
+
+    :::image type="content" source="media/how-to/log-analytics-logs.png" alt-text="Screenshot that shows the Managed CCF resource query in the Log Analytics screen.":::
+
+## Next steps
+
+- [Azure Managed CCF overview](overview.md)
+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

articles/managed-ccf/how-to-manage-members.md

@@ -0,0 +1,82 @@
+---
+title: Quickstart – Add and remove members from a Microsoft Azure Managed CCF resource
+description: Learn to manage the members from a Microsoft Azure Managed CCF resource
+author: msftsettiy
+ms.author: settiy
+ms.date: 09/10/2023
+ms.service: confidential-ledger
+ms.topic: how-to
+---
+
+# Add and remove members from an Azure Managed CCF resource
+
+Members can be added and removed from an Azure Managed CCF (Managed CCF) resource using governance operations. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.
+
+## Prerequisites
+
+[!INCLUDE [Prerequisites](./includes/proposal-prerequisites.md)]
+
+## Download the service identity
+
+[!INCLUDE [Download Service Identity](./includes/service-identity.md)]
+
+[!INCLUDE [Mac instructions](./includes/macos-instructions.md)]
+
+## Add a member
+
+[!INCLUDE [Create a member identity](./includes/create-member.md)]
+
+1. Submit a proposal to add the member.
+    ```bash
+    $cat set_member.json
+    {
+      "actions": [
+        {
+          "name": "set_member",
+          "args": {
+            "cert": "-----BEGIN CERTIFICATE-----\nMIIBtDCCATqgAwIBAgIUV...sy93h74oqHk=\n-----END CERTIFICATE-----",
+            "encryption_pub_key": ""
+          }
+        }
+      ]
+    }
+    
+    $ proposal_id=$( (ccf_cose_sign1 --content set_member.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem) )
+    ```
+1. Accept the proposal by submitting a vote. Repeat the step for all the members in the resource.
+    [!INCLUDE [Submit a vote](./includes/submit-vote.md)]
+1. When the command completes, the member is added in the Managed CCF resource. But, they cannot participate in the governance operations unless they are activated. Refer to the quickstart tutorial [Activate a member](how-to-activate-members.md) to activate the member.
+1. View the members in the network using the following command.
+
+[!INCLUDE [View members](./includes/view-members.md)]
+
+## Remove a member
+
+1. Submit a proposal to remove the member. The member is identified by their public certificate.
+    ```bash
+    $cat remove_member.json
+    {
+      "actions": [
+        {
+          "name": "remove_member",
+          "args": {
+            "cert": "-----BEGIN CERTIFICATE-----\nMIIBtDCCATqgAwIBAgIUV...sy93h74oqHk=\n-----END CERTIFICATE-----",
+          }
+        }
+      ]
+    }
+    
+    $ proposal_id=$( (ccf_cose_sign1 --content remove_member.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem) )
+    ```
+2. Accept the proposal by submitting a vote. Repeat the step for all the members in the resource.
+    [!INCLUDE [Submit a vote](./includes/submit-vote.md)]
+3. When the command completes, the member is removed from the Managed CCF resource and they can no longer participate in the governance operations.
+4. View the members in the network using the following command.
+
+[!INCLUDE [View members](./includes/view-members.md)]
+
+## Next steps
+
+- [Microsoft Azure Managed CCF overview](overview.md)
+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)
+- [How to: Activate members](how-to-activate-members.md)

articles/managed-ccf/how-to-update-application.md

@@ -0,0 +1,40 @@
+---
+title: Quickstart – Update the JavaScript application on a Microsoft Azure Managed CCF resource
+description: Learn to update the JavaScript application on a Microsoft Azure Managed CCF resource
+author: msftsettiy
+ms.author: settiy
+ms.date: 09/10/2023
+ms.service: confidential-ledger
+ms.topic: how-to
+---
+
+# Quickstart: Update the JavaScript application
+
+With Azure Managed CCF (Managed CCF), it is simple and quick to update an application when new functionality is introduced or when bugs fixes are available. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.
+
+## Prerequisites
+
+[!INCLUDE [Prerequisites](./includes/proposal-prerequisites.md)]
+
+## Download the service identity
+
+[!INCLUDE [Download Service Identity](./includes/service-identity.md)]
+
+## Update the application
+
+[!INCLUDE [Mac instructions](./includes/macos-instructions.md)]
+
+> [!NOTE]
+> This tutorial assumes that the updated application bundle is created using the instructions available [here](https://microsoft.github.io/CCF/main/build_apps/js_app_bundle.html) and saved to set_js_app.json.
+> 
+> Updating an application does not reset the JavaScript runtime options.
+
+[!INCLUDE [Deploy an application](./includes/deploy-update-application.md)]
+
+When the command completes, the application will be updated and ready to accept user transactions.
+
+## Next steps
+
+- [Microsoft Azure Managed CCF overview](overview.md)
+- [How to: View application logs in Azure Monitor](how-to-enable-azure-monitor.md)
+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)