feat(e2e): Updating script to support msi resources. (#1952)

Azure · May 11, 2021 · ed28d8c · ed28d8c
1 parent 66bea5b
commit ed28d8c
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 185 deletions.
diff --git a/e2e/test/prerequisites/E2ETestsSetup/e2eTestsSetup.ps1 b/e2e/test/prerequisites/E2ETestsSetup/e2eTestsSetup.ps1
@@ -15,12 +15,12 @@ param(
 
     # Specify this on the first execution to get everything installed in powershell. It does not need to be run every time.
     [Parameter()]
-    [switch] $InstallDependencies,
+    [bool] $InstallDependencies,
 
     # Set this to true if you are generating resources for the DevOps test pipeline.
     # This will create resources capable of handling the test pipeline traffic, which is greater than what you would generally require for local testing.
     [Parameter()]
-    [switch] $GenerateResourcesForDevOpsPipeline
+    [bool] $GenerateResourcesForDevOpsPipeline
 )
 
 $startTime = (Get-Date)
@@ -120,7 +120,7 @@ $iotHubAadTestAppRegName = "$ResourceGroup-IotHubAadApp"
 $uploadCertificateName = "group1-certificate"
 $hubUploadCertificateName = "rootCA"
 $iothubUnitsToBeCreated = 1
-
+$managedIdentityName = "$ResourceGroup-user-msi"
 
 # OpenSSL has dropped support for SHA1 signed certificates in ubuntu 20.04, so our test resources will use SHA256 signed certificates instead.
 $certificateHashAlgorithm = "SHA256"
@@ -389,7 +389,8 @@ az deployment group create `
     KeyVaultName=$keyVaultName `
     DpsCustomAllocatorRunCsxContent=$dpsCustomAllocatorRunCsxContent `
     DpsCustomAllocatorProjContent=$dpsCustomAllocatorProjContent `
-    HubUnitsCount=$iothubUnitsToBeCreated
+    HubUnitsCount=$iothubUnitsToBeCreated `
+    UserAssignedManagedIdentityName=$managedIdentityName
 
 if ($LastExitCode -ne 0)
 {
@@ -438,14 +439,20 @@ $iotHubAadTestAppPassword = az ad sp create-for-rbac -n $iotHubAadTestAppRegUrl
 $iotHubAadTestAppId = az ad app list --display-name $iotHubAadTestAppRegName --query "[?displayName=='$iotHubAadTestAppRegName'].appId" --output tsv
 Write-Host "`nApplication $iotHubAadTestAppRegName with Id $iotHubAadTestAppId was created successfully."
 
+#################################################################################################################################################
+# Add role assignement for User assinged managed identity to be able to perform import and export jobs on the IoT hub.
+#################################################################################################################################################
+Write-Host "`nGranting the user assigned managed identity $managedIdentityName Storage Blob Data Contributor permissions on resource group: $ResourceGroup."
+$msiPrincipalId = az identity show -n $managedIdentityName -g $ResourceGroup --query principalId --output tsv
+$msiResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$managedIdentityName"
+az role assignment create --assignee $msiPrincipalId --role 'Storage Blob Data Contributor' --scope $resourceGroupId --output none
+
 ##################################################################################################################################
 # Granting the iot hub system idenitty Storage blob contributor access on the resoruce group
 ##################################################################################################################################
 Write-Host "`nGranting the system identity on the hub $iotHubName Storage Blob Data Contributor permissions on resource group: $ResourceGroup."
-
 $systemIdentityPrincipal = az resource list -n $iotHubName --query [0].identity.principalId --out tsv
-
-az role assignment create --assignee $systemIdentityPrincipal --role "Storage Blob Data Contributor" --scope $resourceGroupId
+az role assignment create --assignee $systemIdentityPrincipal --role "Storage Blob Data Contributor" --scope $resourceGroupId --output none
 
 ##################################################################################################################################
 # Uploading ROOT CA certificate to IoTHub and verifying
@@ -607,6 +614,7 @@ az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-ROOT-CA-CERT
 az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-INTERMEDIATE1-CERTIFICATE" --value $iothubX509Intermediate1Certificate --output none
 az keyvault secret set --vault-name $keyVaultName --name "HUB-CHAIN-INTERMEDIATE2-CERTIFICATE" --value $iothubX509Intermediate2Certificate --output none
 az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-X509-CHAIN-DEVICE-NAME" --value $iotHubCertChainDeviceCommonName --output none
+az keyvault secret set --vault-name $keyVaultName --name "IOTHUB-USER-ASSIGNED-MSI-RESOURCE-ID" --value $msiResourceId --output none
 
 # Below Environment variables are only used in Java
 az keyvault secret set --vault-name $keyVaultName --name "IOT-DPS-CONNECTION-STRING" --value $dpsConnectionString --output none # DPS Connection string Environment variable for Java

diff --git a/e2e/test/prerequisites/E2ETestsSetup/test-resources.bicep b/e2e/test/prerequisites/E2ETestsSetup/test-resources.bicep
@@ -1,138 +1,69 @@
-param ApplicationInsightsName string {
-  default: '${resourceGroup().name}-ai'
-  metadata: {
-      description: 'The name of application insights.'
-  }
-}
+@description('The name of application insights.')
+param ApplicationInsightsName string = '${resourceGroup().name}-ai'
 
-param StorageAccountName string {
-  minLength: 3
-  maxLength: 24
-  metadata: {
-    description: 'The name of the storage account used by the IoT hub.'
-  }
-}
+@minLength(3)
+@maxLength(24)
+@description('The name of the storage account used by the IoT hub.')
+param StorageAccountName string
 
-param UserObjectId string {
-  metadata: {
-    description: 'Signed in user objectId'
-  }
-}
+@description('Signed in user objectId')
+param UserObjectId string
 
 param DpsCustomAllocatorRunCsxContent string
 
 param DpsCustomAllocatorProjContent string
 
-param FarRegion string {
-  default: 'southeastasia'
-  metadata: {
-    description: 'The region for the second IoT hub in a DPS that is far away from the test devices.'
-  }
-}
+@description('The region for the second IoT hub in a DPS that is far away from the test devices.')
+param FarRegion string ='southeastasia'
 
-param WebRegion string {
-  default: 'CentralUS'
-  metadata: {
-    description: 'The region for the website hosting the Azure function.'
-  }
-}
+@description('The region for the website hosting the Azure function.')
+param WebRegion string = 'CentralUS'
 
-param HubName string {
-  default: '${resourceGroup().name}-hub'
-  metadata: {
-    description: 'The name of the main IoT hub used by tests.'
-  }
-}
+@description('The name of the main IoT hub used by tests.')
+param HubName string = '${resourceGroup().name}-hub'
 
-param HubUnitsCount int {
-  default: 1
-  metadata: {
-    description: 'The number of IoT Hub units to be deployed.'
-  }
-}
+@description('The number of IoT hub units to be deployed.')
+param HubUnitsCount int = 1
 
-param ConsumerGroupName string {
-  default: 'e2e-tests'
-  metadata: {
-    description: 'The IotHub consumer group name.'
-  }
-}
+@description('The IoT hub consumer group name.')
+param ConsumerGroupName string = 'e2e-tests'
 
-param FarHubName string {
-  default: '${resourceGroup().name}-hubfar'
-  metadata: {
-    description: 'The name of the far away IoT hub used by tests.'
-  }
-}
+@description('The name of the far away IoT hub used by tests.')
+param FarHubName string = '${resourceGroup().name}-hubfar'
 
-param DpsName string {
-  default: '${resourceGroup().name}-dps'
-  metadata: {
-    description: 'The name of DPS used by tests.'
-  }
-}
+@description('The name of DPS used by tests.')
+param DpsName string ='${resourceGroup().name}-dps'
 
-param DpsCustomAllocatorFunctionName string {
-  default: 'DpsCustomAllocator'
-}
+param DpsCustomAllocatorFunctionName string = 'DpsCustomAllocator'
 
-param KeyVaultName string {
-  default: '${resourceGroup().name}-kv'
-  minLength: 3
-  maxLength: 24
-  metadata: {
-    description: 'The name of the key vault for storing secrets needed for running tests.'
-  }
-}
+@minLength(3)
+@maxLength(24)
+@description('The name of the key vault for storing secrets needed for running tests.')
+param KeyVaultName string = '${resourceGroup().name}-kv'
 
-param OperationalInsightsName string {
-  default: '${resourceGroup().name}-oi'
-  metadata: {
-    description: 'The name of the operational insights instance.'
-  }
-}
+@description('The name of the operational insights instance.')
+param OperationalInsightsName string = '${resourceGroup().name}-oi'
 
-param OperationInsightsLocation string {
-  default: 'westus2'
-  metadata: {
-    description: 'The location for Microsoft.OperationalInsights/workspaces.'
-  }
-}
+@description('The location for Microsoft.OperationalInsights/workspaces.')
+param OperationInsightsLocation string = 'westus2'
 
-param SecuritySolutionName string {
-  default: '${resourceGroup().name}-ss'
-  metadata: {
-    description: 'The name of the security solution instance.'
-  }
-}
+@description('The name of the security solution instance.')
+param SecuritySolutionName string = '${resourceGroup().name}-ss'
 
-param ServerFarmName string {
-  default: '${resourceGroup().name}-srv'
-  metadata: {
-    description: 'The name of the server farm to host a function app for DPS custom allocation.'
-  }
-}
+@description('The name of the server farm to host a function app for DPS custom allocation.')
+param ServerFarmName string = '${resourceGroup().name}-srv'
 
-param WebsiteName string {
-  default: '${resourceGroup().name}-web'
-  metadata: {
-    description: 'The name of the server farm to host a function app for DPS custom allocation'
-  }
-}
+@description('The name of the server farm to host a function app for DPS custom allocation')
+param WebsiteName string = '${resourceGroup().name}-web'
 
-param BlobServiceName string {
-  default: 'default'
-  metadata: {
-    description: 'The name of BlobService inside the StorageAccount.'
-  }
-}
+@description('The name of BlobService inside the StorageAccount.')
+param BlobServiceName string = 'default'
 
-param ContainerName string {
-  default: 'fileupload'
-  metadata: {
-    description: 'The name of the Container inside the BlobService.'
-  }
-}
+@description('The name of the Container inside the BlobService.')
+param ContainerName string = 'fileupload'
+
+@description('The name of the user assigned managed identity.')
+param UserAssignedManagedIdentityName string
 
 var hubKeysId = resourceId('Microsoft.Devices/IotHubs/Iothubkeys', HubName, 'iothubowner')
 var farHubKeysId =  resourceId('Microsoft.Devices/IotHubs/Iothubkeys', FarHubName, 'iothubowner')
@@ -189,7 +120,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2018-02-14' = {
   }
 }
 
-resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
   name: StorageAccountName
   location: resourceGroup().location
   sku: {
@@ -215,7 +146,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
   }
 }
 
-resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = {
+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-02-01' = {
   name: '${storageAccount.name}/${BlobServiceName}'
   properties: {
     deleteRetentionPolicy: {
@@ -224,20 +155,26 @@ resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01'
   }
 }
 
-resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
+resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-02-01' = {
   name: '${blobService.name}/${ContainerName}'
   properties: {
     publicAccess: 'None'
   }
 }
 
-resource iotHub 'Microsoft.Devices/IotHubs@2020-01-01' = {
+resource userAssignedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: UserAssignedManagedIdentityName
+  location: resourceGroup().location
+}
+
+resource iotHub 'Microsoft.Devices/IotHubs@2021-03-03-preview' = {
   name: HubName
   location: resourceGroup().location
   identity: {
-    principalId: ''
-    tenantId: ''
-    type: 'SystemAssigned'
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${userAssignedManagedIdentity.id}' : {}
+    }
   }
   properties: {
     eventHubEndpoints: {
@@ -283,8 +220,6 @@ resource iotHub 'Microsoft.Devices/IotHubs@2020-01-01' = {
 
 resource consumerGroups 'Microsoft.Devices/IotHubs/eventHubEndpoints/ConsumerGroups@2018-04-01' = {
   name: '${iotHub.name}/events/${ConsumerGroupName}'
-  properties: {
-  }
 }
 
 resource farIotHub 'Microsoft.Devices/IotHubs@2020-01-01' = {
@@ -430,7 +365,7 @@ output farHubHostName string = reference(farIotHub.id).hostName
 output farHubConnectionString string = 'HostName=${FarHubName}.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=${listkeys(farHubKeysId, '2019-11-04').primaryKey}'
 output dpsName string = DpsName
 output dpsConnectionString string = 'HostName=${DpsName}.azure-devices-provisioning.net;SharedAccessKeyName=provisioningserviceowner;SharedAccessKey=${listkeys(dpsKeysId, '2017-11-15').primaryKey}'
-output storageAccountConnectionString string = 'DefaultEndpointsProtocol=https;AccountName=${StorageAccountName}AccountKey=${listkeys(storageAccount.id, '2019-06-01').keys[0].value};EndpointSuffix=core.windows.net'
+output storageAccountConnectionString string = 'DefaultEndpointsProtocol=https;AccountName=${StorageAccountName};AccountKey=${listkeys(storageAccount.id, '2019-06-01').keys[0].value};EndpointSuffix=core.windows.net'
 output workspaceId string = '${reference(operationalInsightsWorkspaces.id, '2017-03-15-preview').customerId}'
 output customAllocationPolicyWebhook string = 'https://${WebsiteName}.azurewebsites.net/api/${DpsCustomAllocatorFunctionName}?code=${listkeys(functionKeysId, '2019-08-01').default}'
 output keyVaultName string = KeyVaultName