add scripts and code change to use keyvault

.gitignore

@@ -91,4 +91,5 @@ out
 bin
 obj
 appsettings.json
-local.settings.json
+local.settings.json
+.env*

scripts/add-secrets.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# script to add secrets to keyvault
+#!/bin/bash
+
+set -e
+
+PREFIX=$(whoami)
+RESOURCE_GROUP="${PREFIX}-serverless-keyvault-demo-rg"
+KEYVAULT="${PREFIX}-serverless-demo-kv"
+REGION="westus"
+
+SECRET_NAME=${1:-"MySuperSecretName"}
+SECRET_VALUE=${2:-"ItIsASecret"}
+
+echo "-----> Create secret ${SECRET_NAME}"
+az keyvault secret set \
+  --vault-name ${KEYVAULT}  \
+  --name ${SECRET_NAME} \
+  --value ${SECRET_VALUE} \
+  -o table
+
+echo
+echo "------> Retrieve secret url for ${SECRET_NAME}"
+SECRET_ID=$(az keyvault secret show -n ${SECRET_NAME} --vault-name ${KEYVAULT} --query "id" -o tsv)
+echo "Secret id: - ${SECRET_ID}"
+
+echo 
+echo "REMEMBER ME!!! Secret url"
+echo "-------> @Microsoft.KeyVault(SecretUri=${SECRET_ID}) <--------"

scripts/create-keyvault.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# script to create keyvault
+#!/bin/bash
+
+set -e
+
+PREFIX=$(whoami)
+RESOURCE_GROUP="${PREFIX}-serverless-keyvault-demo-rg"
+KEYVAULT="${PREFIX}-serverless-demo-kv"
+REGION="westus"
+
+SUBSCRIPTION=$(az account show | jq .name)
+echo "You're using subscription: ${SUBSCRIPTION}"
+
+echo "-----> Creating resource group"
+az group create \
+  -n ${RESOURCE_GROUP} \
+  -l ${REGION} \
+  -o table
+
+echo 
+echo "-----> Creating Keyvault"
+az keyvault create \
+  -n ${KEYVAULT} \
+  -g ${RESOURCE_GROUP} \
+  -l ${REGION} \
+  -o table

scripts/generate-sp.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+###
+# This script generate a service principal using your currently set subscription
+#   then write out the credentials of your new sp in a file
+#   that you can export as environment variables
+###
+set -e
+
+if ! [[ -x "$(command -v jq)" ]]; then
+  echo "Please install [jq] before continuing -> https://stedolan.github.io/jq/download/.  Aborting."
+  exit 1
+fi
+
+SP_NAME=$1
+
+if [[ -z $SP_NAME ]]; then
+  SP_DEFAULT="FunctionsTestingPrincipal"
+  SP_NAME="$(whoami)-${SP_DEFAULT}"
+  echo "You didn't pass in a name for the service principal. We'll use the default: ${SP_NAME}"
+  echo
+fi
+
+SUBSCRIPTION=$(az account show | jq .name)
+echo "You're using subscription: ${SUBSCRIPTION}"
+echo "--> Creating service principal with name: ${SP_NAME}"
+SP_RESPONSE=$(az ad sp create-for-rbac --name "http://${SP_NAME}")
+
+FILE=".env.servicePrincipal"
+
+echo "--> Writing creds to '${FILE}'"
+cat <<EOF >${FILE}
+export AZURE_SUBSCRIPTION_ID=$(az account show | jq .id)
+export AZURE_TENANT_ID=$(echo "${SP_RESPONSE}" | jq .tenant)
+export AZURE_CLIENT_ID=$(echo "${SP_RESPONSE}" | jq .name)
+export AZURE_CLIENT_SECRET=$(echo "${SP_RESPONSE}" | jq .password)
+EOF
+
+echo "Run \"source ${FILE}\" to set your Azure account credentials "

scripts/grant-app-access.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -e
+
+## OPTIONAL: only if you're not using Serverless Framework to deploy the app
+
+# script to allow function app access to keyvault
+
+
+PREFIX=$(whoami)
+RESOURCE_GROUP="${PREFIX}-serverless-keyvault-demo-rg"
+KEYVAULT="${PREFIX}-serverless-demo-kv"
+REGION="westus"
+
+### NOTE: The function app and all dependent infrastructures have to be created first
+APP_RESOURCE_GROUP=$1
+if [[ -z $APP_RESOURCE_GROUP ]]; then
+  echo "You didn't pass in a resource group.  Abort..."
+  exit 1
+fi
+
+# this need to exist already
+APP_NAME=$2
+if [[ -z $APP_NAME ]]; then
+  echo "You didn't pass in a function app name.  Abort..."
+  exit 1
+fi
+
+echo "-----> Create system-assigned manage identity on function app"
+az functionapp identity assign \
+  -g ${APP_RESOURCE_GROUP} \
+  -n ${APP_NAME} \
+  -o table
+
+echo
+echo "-----> Retrieve principal id of function app"
+PRINCIPAL_ID=$(az functionapp identity show -g ${APP_RESOURCE_GROUP} -n ${APP_NAME} --query principalId -o tsv)
+echo ${PRINCIPAL_ID}
+
+echo
+echo "-----> Grant function app read access to keyvault"
+az keyvault set-policy \
+  -n ${KEYVAULT} \
+  -g ${RESOURCE_GROUP} \
+  --object-id ${PRINCIPAL_ID} \
+  --secret-permissions get \
+  -o table
+
+echo
+echo "-----> Verify that access policy for function app has been added"
+az keyvault show \
+  -n ${KEYVAULT} \
+  -g ${RESOURCE_GROUP} \
+  --query "properties.accessPolicies[?objectId=='${PRINCIPAL_ID}']" \
+  -o table

serverless.yml

@@ -27,7 +27,7 @@ provider:
   # type: premium  # premium azure functions
 
   environment: # these will be created as application settings
-    VARIABLE_FOO: "foo"
+    SUPER_SECRET: "@Microsoft.KeyVault(SecretUri=https://myho-serverless-demo-kv.vault.azure.net/secrets/MySuperSecretName/adfab37601be4db99b60d798c56ac255)"
 
   # you can define apim configuration here
   apim:
@@ -90,6 +90,15 @@ functions:
           methods:
             - GET
           authLevel: anonymous
+  secrets:
+    handler: src/handlers/secrets.printSecrets
+    events:
+      - http: true
+        x-azure-settings:
+          methods:
+            - GET
+          authLevel: anonymous
+
   # The following are a few examples of other events you can configure:
   # storageBlob:
   #   handler: src/handlers/storageBlob.printMessage

src/handlers/secrets.js

@@ -0,0 +1,15 @@
+"use strict";
+
+const superSecret = process.env["SUPER_SECRET"];
+
+module.exports.printSecrets = async function(context, req) {
+  context.log(
+    "JavaScript HTTP trigger function processed a request to display the secret in keyvault."
+  );
+
+  context.res = {
+    // status: 200, /* Defaults to 200 */
+    // FOR DEMO PURPOSE: DO NOT LOG SECRETS IN PRODUCTION
+    body: `Shhhhh.. it's a secret: ${superSecret}`
+  };
+};