[Key Vault] Update test resource deployment template for policy changes (Azure#39594)

Author: mccoyp

sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py

@@ -18,7 +18,8 @@ def __init__(self, **kwargs) -> None:
         playback_sas_token = "fake-sas"
 
         if self.is_live:
-            self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
+            hsm = os.environ.get("AZURE_MANAGEDHSM_URL")
+            self.managed_hsm_url = hsm if hsm else None
             storage_url = os.environ.get("BLOB_STORAGE_URL")
             container_name = os.environ.get("BLOB_CONTAINER_NAME")
             self.container_uri = f"{storage_url}/{container_name}"

sdk/keyvault/azure-keyvault-administration/tests/_test_case.py

@@ -19,7 +19,8 @@ def __init__(self, **kwargs) -> None:
         playback_sas_token = "fake-sas"
 
         if self.is_live:
-            self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
+            hsm = os.environ.get("AZURE_MANAGEDHSM_URL")
+            self.managed_hsm_url = hsm if hsm else None
             storage_url = os.environ.get("BLOB_STORAGE_URL")
             container_name = os.environ.get("BLOB_CONTAINER_NAME")
             self.container_uri = f"{storage_url}/{container_name}"

sdk/keyvault/azure-keyvault-keys/tests/_async_test_case.py

@@ -63,7 +63,8 @@ def __init__(self, *args, **kwargs):
 
         if self.is_live:
             self.vault_url = os.environ["AZURE_KEYVAULT_URL"]
-            self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
+            hsm = os.environ.get("AZURE_MANAGEDHSM_URL")
+            self.managed_hsm_url = hsm if hsm else None
         else:
             self.vault_url = vault_playback_url
             self.managed_hsm_url = hsm_playback_url

sdk/keyvault/azure-keyvault-keys/tests/_test_case.py

@@ -67,7 +67,8 @@ def __init__(self, *args, **kwargs):
         if self.is_live:
             self.vault_url = os.environ["AZURE_KEYVAULT_URL"]
             self.vault_url = self.vault_url.rstrip("/")
-            self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL", None)
+            hsm = os.environ.get("AZURE_MANAGEDHSM_URL")
+            self.managed_hsm_url = hsm if hsm else None
             if self.managed_hsm_url:
                 self.managed_hsm_url = self.managed_hsm_url.rstrip("/")
         else:

sdk/keyvault/test-resources-cleanup.py

@@ -22,7 +22,7 @@
 if "KEYVAULT_CLIENT_SECRET" not in os.environ:
     raise EnvironmentError("Missing a client secret for Key Vault")
 
-hsm_present = "AZURE_MANAGEDHSM_URL" in os.environ
+hsm_present = bool(os.environ.get("AZURE_MANAGEDHSM_URL"))
 
 credential = ClientSecretCredential(
     tenant_id=os.environ["KEYVAULT_TENANT_ID"],

sdk/keyvault/test-resources-post.ps1

@@ -111,3 +111,7 @@ Log "Creating additional required role assignments for resource access."
 New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto Officer" -ObjectID $testApplicationOid
 New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectID $testApplicationOid
 Log "Role assignments created for '$testApplicationOid'"
+
+Log "Associating managed identity with managed HSM"
+Update-AzKeyVaultManagedHsm -HsmName $hsmName -ResourceGroupName $DeploymentOutputs["KEYVAULT_RESOURCE_GROUP"] -UserAssignedIdentity $DeploymentOutputs["MANAGED_IDENTITY_ID"]
+Log "Managed identity associated with managed HSM - backup and restore using managed identity is enabled"

sdk/keyvault/test-resources.bicep

@@ -0,0 +1,181 @@
+param hsmLocation string = 'brazilsouth'
+
+param baseName string = resourceGroup().name
+param tenantId string = '72f988bf-86f1-41af-91ab-2d7cd011db47'
+param testApplicationOid string
+param provisionerApplicationOid string
+param location string = resourceGroup().location
+param enableHsm bool = false
+param keyVaultSku string = 'premium'
+param attestationImage string = 'keyvault-mock-attestation:latest'
+
+var attestationFarm = '${baseName}farm'
+var attestationSite = '${baseName}site'
+var attestationImageUri = 'DOCKER|azsdkengsys.azurecr.io/${attestationImage}'
+var kvName = baseName
+var hsmName = '${baseName}hsm'
+var blobContainerName = 'hsmbackups'
+var primaryAccountName = '${replace(baseName, '-', '')}prim'
+var kvAdminDefinitionId = '00482a5a-887f-4fb3-b363-3b7fe8e74483'
+var kvAdminAssignmentName = guid(resourceGroup().id, kvAdminDefinitionId, testApplicationOid)
+var encryption = {
+  services: {
+    blob: {
+      enabled: true
+    }
+  }
+  keySource: 'Microsoft.Storage'
+}
+var networkAcls = {
+  bypass: 'AzureServices'
+  virtualNetworkRules: []
+  ipRules: []
+  defaultAction: 'Allow'
+}
+var managedIdentityName = '${baseName}-managedIdentity'
+var managedIdentityId = managedIdentity.id
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (enableHsm) {
+  name: managedIdentityName
+  location: location
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
+  name: kvName
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: keyVaultSku
+    }
+    tenantId: tenantId
+    enabledForDeployment: false
+    enabledForDiskEncryption: false
+    enabledForTemplateDeployment: false
+    enableSoftDelete: true
+    enableRbacAuthorization: true
+    softDeleteRetentionInDays: 7
+  }
+}
+
+resource kvRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: kvAdminAssignmentName
+  properties: {
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', kvAdminDefinitionId)
+    principalId: testApplicationOid
+  }
+}
+
+resource managedHsm 'Microsoft.KeyVault/managedHSMs@2024-04-01-preview' = if (enableHsm) {
+  name: hsmName
+  location: hsmLocation
+  sku: {
+    family: 'B'
+    name: 'Standard_B1'
+  }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityId}': {}
+    }
+  }
+  properties: {
+    publicNetworkAccess: 'Enabled'
+    networkAcls: networkAcls
+    tenantId: tenantId
+    initialAdminObjectIds: union([testApplicationOid], [provisionerApplicationOid])
+    enablePurgeProtection: false
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 7
+  }
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
+  name: primaryAccountName
+  location: location
+  sku: {
+    name: 'Standard_RAGRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    networkAcls: networkAcls
+    supportsHttpsTrafficOnly: true
+    encryption: encryption
+    accessTier: 'Hot'
+    allowSharedKeyAccess: false
+  }
+}
+
+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-05-01' = {
+  name: 'default'
+  properties: {
+    cors: {
+      corsRules: []
+    }
+    deleteRetentionPolicy: {
+      enabled: false
+    }
+  }
+  parent: storageAccount
+}
+
+resource blobContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-05-01' = {
+  name: blobContainerName
+  properties: {
+    publicAccess: 'None'
+  }
+  parent: blobService
+}
+
+resource managedIdentityRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableHsm) {
+  name: guid(resourceGroup().id, 'StorageBlobContributor', managedIdentityId)
+  properties: {
+    roleDefinitionId: subscriptionResourceId(
+      'Microsoft.Authorization/roleDefinitions',
+      'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    )
+    principalId: managedIdentity.properties.principalId
+    scope: resourceGroup().id
+    principalType: 'ServicePrincipal'
+  }
+}
+
+resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
+  name: attestationFarm
+  location: location
+  kind: 'linux'
+  sku: {
+    name: 'B1'
+  }
+  properties: {
+    reserved: true
+  }
+}
+
+resource webApp 'Microsoft.Web/sites@2023-12-01' = {
+  name: attestationSite
+  location: location
+  properties: {
+    httpsOnly: true
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      alwaysOn: true
+      linuxFxVersion: attestationImageUri
+      appSettings: [
+        {
+          name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
+          value: 'false'
+        }
+      ]
+    }
+  }
+}
+
+output AZURE_KEYVAULT_URL string = keyVault.properties.vaultUri
+output AZURE_MANAGEDHSM_URL string = (enableHsm) ? managedHsm.properties.hsmUri : ''
+output KEYVAULT_SKU string = keyVault.properties.sku.name
+output CLIENT_OBJECTID string = testApplicationOid
+output BLOB_STORAGE_URL string = storageAccount.properties.primaryEndpoints.blob
+output BLOB_CONTAINER_NAME string = blobContainerName
+output AZURE_KEYVAULT_ATTESTATION_URL string = 'https://${webApp.properties.defaultHostName}/'
+output MANAGED_IDENTITY_CLIENT_ID string = managedIdentityId