func (b *Builder) createServicePrincipalToken() (*azure.ServicePrincipalToken, error) {
spt, err := azure.NewServicePrincipalToken(
b.config.ClientID,
b.config.ClientSecret,
b.config.TenantID,
azure.AzureResourceManagerScope)
return spt, err
}
// AuthenticateForARM uses LoadCredentials to load user credentials and uses them to authenticate
// and create a auth token that can be used by subsequent calls to ARM-based APIs.
//
// Note: Storing crendentials in a local file must be secured and not shared. It is used here
// simply to reduce code in the examples, but it is not suggested as a best (or even good)
// practice.
func AuthenticateForARM() (client arm.Client, err error) {
c, err := LoadCredentials()
if err != nil {
return
}
sid := c["subscriptionID"]
tid := c["tenantID"]
cid := c["clientID"]
secret := c["clientSecret"]
spt, err := azure.NewServicePrincipalToken(cid, secret, tid, azure.AzureResourceManagerScope)
if err != nil {
return
}
client = arm.NewClient(sid, spt)
return
}
func main() {
name := "storage-account-name"
c, err := helpers.LoadCredentials()
if err != nil {
log.Fatalf("Error: %v", err)
}
sid := c["subscriptionID"]
tid := c["tenantID"]
cid := c["clientID"]
secret := c["clientSecret"]
spt, err := azure.NewServicePrincipalToken(cid, secret, tid, azure.AzureResourceManagerScope)
if err != nil {
log.Fatalf("Error: %v", err)
}
arm := arm.NewClient(sid, spt)
arm.RequestInspector = helpers.WithInspection()
arm.ResponseInspector = helpers.ByInspecting()
ac := arm.StorageAccounts()
cna, err := ac.CheckNameAvailability(
storage.AccountCheckNameAvailabilityParameters{
Name: to.StringPtr(name),
Type: to.StringPtr("Microsoft.Storage/storageAccounts")})
if err != nil {
log.Fatalf("Error: %v", err)
} else {
if to.Bool(cna.NameAvailable) {
fmt.Printf("The name '%s' is available\n", name)
} else {
fmt.Printf("The name '%s' is unavailable because %s\n", name, to.String(cna.Message))
}
}
}
// getArmClient is a helper method which returns a fully instantiated
// *ArmClient based on the Config's current settings.
func (c *Config) getArmClient() (*ArmClient, error) {
spt, err := azure.NewServicePrincipalToken(c.ClientID, c.ClientSecret, c.TenantID, azure.AzureResourceManagerScope)
if err != nil {
return nil, err
}
// client declarations:
client := ArmClient{}
// NOTE: these declarations should be left separate for clarity should the
// clients be wished to be configured with custom Responders/PollingModess etc...
asc := compute.NewAvailabilitySetsClient(c.SubscriptionID)
setUserAgent(&asc.Client)
asc.Authorizer = spt
asc.Sender = autorest.CreateSender(withRequestLogging())
client.availSetClient = asc
uoc := compute.NewUsageOperationsClient(c.SubscriptionID)
setUserAgent(&uoc.Client)
uoc.Authorizer = spt
uoc.Sender = autorest.CreateSender(withRequestLogging())
client.usageOpsClient = uoc
vmeic := compute.NewVirtualMachineExtensionImagesClient(c.SubscriptionID)
setUserAgent(&vmeic.Client)
vmeic.Authorizer = spt
vmeic.Sender = autorest.CreateSender(withRequestLogging())
client.vmExtensionImageClient = vmeic
vmec := compute.NewVirtualMachineExtensionsClient(c.SubscriptionID)
setUserAgent(&vmec.Client)
vmec.Authorizer = spt
vmec.Sender = autorest.CreateSender(withRequestLogging())
client.vmExtensionClient = vmec
vmic := compute.NewVirtualMachineImagesClient(c.SubscriptionID)
setUserAgent(&vmic.Client)
vmic.Authorizer = spt
vmic.Sender = autorest.CreateSender(withRequestLogging())
client.vmImageClient = vmic
vmc := compute.NewVirtualMachinesClient(c.SubscriptionID)
setUserAgent(&vmc.Client)
vmc.Authorizer = spt
vmc.Sender = autorest.CreateSender(withRequestLogging())
client.vmClient = vmc
agc := network.NewApplicationGatewaysClient(c.SubscriptionID)
setUserAgent(&agc.Client)
agc.Authorizer = spt
agc.Sender = autorest.CreateSender(withRequestLogging())
client.appGatewayClient = agc
ifc := network.NewInterfacesClient(c.SubscriptionID)
setUserAgent(&ifc.Client)
ifc.Authorizer = spt
ifc.Sender = autorest.CreateSender(withRequestLogging())
client.ifaceClient = ifc
lbc := network.NewLoadBalancersClient(c.SubscriptionID)
setUserAgent(&lbc.Client)
lbc.Authorizer = spt
lbc.Sender = autorest.CreateSender(withRequestLogging())
client.loadBalancerClient = lbc
lgc := network.NewLocalNetworkGatewaysClient(c.SubscriptionID)
setUserAgent(&lgc.Client)
lgc.Authorizer = spt
lgc.Sender = autorest.CreateSender(withRequestLogging())
client.localNetConnClient = lgc
pipc := network.NewPublicIPAddressesClient(c.SubscriptionID)
setUserAgent(&pipc.Client)
pipc.Authorizer = spt
pipc.Sender = autorest.CreateSender(withRequestLogging())
client.publicIPClient = pipc
sgc := network.NewSecurityGroupsClient(c.SubscriptionID)
setUserAgent(&sgc.Client)
sgc.Authorizer = spt
sgc.Sender = autorest.CreateSender(withRequestLogging())
client.secGroupClient = sgc
src := network.NewSecurityRulesClient(c.SubscriptionID)
setUserAgent(&src.Client)
src.Authorizer = spt
src.Sender = autorest.CreateSender(withRequestLogging())
client.secRuleClient = src
snc := network.NewSubnetsClient(c.SubscriptionID)
setUserAgent(&snc.Client)
snc.Authorizer = spt
snc.Sender = autorest.CreateSender(withRequestLogging())
client.subnetClient = snc
vgcc := network.NewVirtualNetworkGatewayConnectionsClient(c.SubscriptionID)
setUserAgent(&vgcc.Client)
vgcc.Authorizer = spt
vgcc.Sender = autorest.CreateSender(withRequestLogging())
client.vnetGatewayConnectionsClient = vgcc
vgc := network.NewVirtualNetworkGatewaysClient(c.SubscriptionID)
setUserAgent(&vgc.Client)
vgc.Authorizer = spt
vgc.Sender = autorest.CreateSender(withRequestLogging())
client.vnetGatewayClient = vgc
vnc := network.NewVirtualNetworksClient(c.SubscriptionID)
setUserAgent(&vnc.Client)
vnc.Authorizer = spt
vnc.Sender = autorest.CreateSender(withRequestLogging())
client.vnetClient = vnc
rtc := network.NewRouteTablesClient(c.SubscriptionID)
setUserAgent(&rtc.Client)
rtc.Authorizer = spt
rtc.Sender = autorest.CreateSender(withRequestLogging())
client.routeTablesClient = rtc
rc := network.NewRoutesClient(c.SubscriptionID)
setUserAgent(&rc.Client)
rc.Authorizer = spt
rc.Sender = autorest.CreateSender(withRequestLogging())
client.routesClient = rc
rgc := resources.NewGroupsClient(c.SubscriptionID)
setUserAgent(&rgc.Client)
rgc.Authorizer = spt
rgc.Sender = autorest.CreateSender(withRequestLogging())
client.resourceGroupClient = rgc
pc := resources.NewProvidersClient(c.SubscriptionID)
setUserAgent(&pc.Client)
pc.Authorizer = spt
pc.Sender = autorest.CreateSender(withRequestLogging())
client.providers = pc
tc := resources.NewTagsClient(c.SubscriptionID)
setUserAgent(&tc.Client)
tc.Authorizer = spt
tc.Sender = autorest.CreateSender(withRequestLogging())
client.tagsClient = tc
jc := scheduler.NewJobsClient(c.SubscriptionID)
setUserAgent(&jc.Client)
jc.Authorizer = spt
jc.Sender = autorest.CreateSender(withRequestLogging())
client.jobsClient = jc
jcc := scheduler.NewJobCollectionsClient(c.SubscriptionID)
setUserAgent(&jcc.Client)
jcc.Authorizer = spt
jcc.Sender = autorest.CreateSender(withRequestLogging())
client.jobsCollectionsClient = jcc
ssc := storage.NewAccountsClient(c.SubscriptionID)
setUserAgent(&ssc.Client)
ssc.Authorizer = spt
ssc.Sender = autorest.CreateSender(withRequestLogging())
client.storageServiceClient = ssc
suc := storage.NewUsageOperationsClient(c.SubscriptionID)
setUserAgent(&suc.Client)
suc.Authorizer = spt
suc.Sender = autorest.CreateSender(withRequestLogging())
client.storageUsageClient = suc
cpc := cdn.NewProfilesClient(c.SubscriptionID)
setUserAgent(&cpc.Client)
cpc.Authorizer = spt
cpc.Sender = autorest.CreateSender(withRequestLogging())
client.cdnProfilesClient = cpc
cec := cdn.NewEndpointsClient(c.SubscriptionID)
setUserAgent(&cec.Client)
cec.Authorizer = spt
cec.Sender = autorest.CreateSender(withRequestLogging())
client.cdnEndpointsClient = cec
return &client, nil
}
// getArmClient is a helper method which returns a fully instantiated
// *ArmClient based on the Config's current settings.
func (c *Config) getArmClient() (*ArmClient, error) {
// client declarations:
client := ArmClient{}
rivieraClient, err := riviera.NewClient(&riviera.AzureResourceManagerCredentials{
ClientID: c.ClientID,
ClientSecret: c.ClientSecret,
TenantID: c.TenantID,
SubscriptionID: c.SubscriptionID,
})
if err != nil {
return nil, fmt.Errorf("Error creating Riviera client: %s", err)
}
// validate that the credentials are correct using Riviera. Note that this must be
// done _before_ using the Microsoft SDK, because Riviera handles errors. Using a
// namespace registration instead of a simple OAuth token refresh guarantees that
// service delegation is correct. This has the effect of registering Microsoft.Compute
// which is neccessary anyway.
if err := registerProviderWithSubscription("Microsoft.Compute", rivieraClient); err != nil {
return nil, err
}
client.rivieraClient = rivieraClient
spt, err := azure.NewServicePrincipalToken(c.ClientID, c.ClientSecret, c.TenantID, azure.AzureResourceManagerScope)
if err != nil {
return nil, err
}
// NOTE: these declarations should be left separate for clarity should the
// clients be wished to be configured with custom Responders/PollingModess etc...
asc := compute.NewAvailabilitySetsClient(c.SubscriptionID)
setUserAgent(&asc.Client)
asc.Authorizer = spt
asc.Sender = autorest.CreateSender(withRequestLogging())
client.availSetClient = asc
uoc := compute.NewUsageOperationsClient(c.SubscriptionID)
setUserAgent(&uoc.Client)
uoc.Authorizer = spt
uoc.Sender = autorest.CreateSender(withRequestLogging())
client.usageOpsClient = uoc
vmeic := compute.NewVirtualMachineExtensionImagesClient(c.SubscriptionID)
setUserAgent(&vmeic.Client)
vmeic.Authorizer = spt
vmeic.Sender = autorest.CreateSender(withRequestLogging())
client.vmExtensionImageClient = vmeic
vmec := compute.NewVirtualMachineExtensionsClient(c.SubscriptionID)
setUserAgent(&vmec.Client)
vmec.Authorizer = spt
vmec.Sender = autorest.CreateSender(withRequestLogging())
client.vmExtensionClient = vmec
vmic := compute.NewVirtualMachineImagesClient(c.SubscriptionID)
setUserAgent(&vmic.Client)
vmic.Authorizer = spt
vmic.Sender = autorest.CreateSender(withRequestLogging())
client.vmImageClient = vmic
vmc := compute.NewVirtualMachinesClient(c.SubscriptionID)
setUserAgent(&vmc.Client)
vmc.Authorizer = spt
vmc.Sender = autorest.CreateSender(withRequestLogging())
client.vmClient = vmc
agc := network.NewApplicationGatewaysClient(c.SubscriptionID)
setUserAgent(&agc.Client)
agc.Authorizer = spt
agc.Sender = autorest.CreateSender(withRequestLogging())
client.appGatewayClient = agc
ifc := network.NewInterfacesClient(c.SubscriptionID)
setUserAgent(&ifc.Client)
ifc.Authorizer = spt
ifc.Sender = autorest.CreateSender(withRequestLogging())
client.ifaceClient = ifc
lbc := network.NewLoadBalancersClient(c.SubscriptionID)
setUserAgent(&lbc.Client)
lbc.Authorizer = spt
lbc.Sender = autorest.CreateSender(withRequestLogging())
client.loadBalancerClient = lbc
lgc := network.NewLocalNetworkGatewaysClient(c.SubscriptionID)
setUserAgent(&lgc.Client)
lgc.Authorizer = spt
lgc.Sender = autorest.CreateSender(withRequestLogging())
client.localNetConnClient = lgc
pipc := network.NewPublicIPAddressesClient(c.SubscriptionID)
setUserAgent(&pipc.Client)
pipc.Authorizer = spt
pipc.Sender = autorest.CreateSender(withRequestLogging())
client.publicIPClient = pipc
sgc := network.NewSecurityGroupsClient(c.SubscriptionID)
setUserAgent(&sgc.Client)
sgc.Authorizer = spt
sgc.Sender = autorest.CreateSender(withRequestLogging())
client.secGroupClient = sgc
src := network.NewSecurityRulesClient(c.SubscriptionID)
setUserAgent(&src.Client)
src.Authorizer = spt
src.Sender = autorest.CreateSender(withRequestLogging())
client.secRuleClient = src
snc := network.NewSubnetsClient(c.SubscriptionID)
setUserAgent(&snc.Client)
snc.Authorizer = spt
snc.Sender = autorest.CreateSender(withRequestLogging())
client.subnetClient = snc
vgcc := network.NewVirtualNetworkGatewayConnectionsClient(c.SubscriptionID)
setUserAgent(&vgcc.Client)
vgcc.Authorizer = spt
vgcc.Sender = autorest.CreateSender(withRequestLogging())
client.vnetGatewayConnectionsClient = vgcc
vgc := network.NewVirtualNetworkGatewaysClient(c.SubscriptionID)
setUserAgent(&vgc.Client)
vgc.Authorizer = spt
vgc.Sender = autorest.CreateSender(withRequestLogging())
client.vnetGatewayClient = vgc
vnc := network.NewVirtualNetworksClient(c.SubscriptionID)
setUserAgent(&vnc.Client)
vnc.Authorizer = spt
vnc.Sender = autorest.CreateSender(withRequestLogging())
client.vnetClient = vnc
rtc := network.NewRouteTablesClient(c.SubscriptionID)
setUserAgent(&rtc.Client)
rtc.Authorizer = spt
rtc.Sender = autorest.CreateSender(withRequestLogging())
client.routeTablesClient = rtc
rc := network.NewRoutesClient(c.SubscriptionID)
setUserAgent(&rc.Client)
rc.Authorizer = spt
rc.Sender = autorest.CreateSender(withRequestLogging())
client.routesClient = rc
rgc := resources.NewGroupsClient(c.SubscriptionID)
setUserAgent(&rgc.Client)
rgc.Authorizer = spt
rgc.Sender = autorest.CreateSender(withRequestLogging())
client.resourceGroupClient = rgc
pc := resources.NewProvidersClient(c.SubscriptionID)
setUserAgent(&pc.Client)
pc.Authorizer = spt
pc.Sender = autorest.CreateSender(withRequestLogging())
client.providers = pc
tc := resources.NewTagsClient(c.SubscriptionID)
setUserAgent(&tc.Client)
tc.Authorizer = spt
tc.Sender = autorest.CreateSender(withRequestLogging())
client.tagsClient = tc
jc := scheduler.NewJobsClient(c.SubscriptionID)
setUserAgent(&jc.Client)
jc.Authorizer = spt
jc.Sender = autorest.CreateSender(withRequestLogging())
client.jobsClient = jc
jcc := scheduler.NewJobCollectionsClient(c.SubscriptionID)
setUserAgent(&jcc.Client)
jcc.Authorizer = spt
jcc.Sender = autorest.CreateSender(withRequestLogging())
client.jobsCollectionsClient = jcc
ssc := storage.NewAccountsClient(c.SubscriptionID)
setUserAgent(&ssc.Client)
ssc.Authorizer = spt
ssc.Sender = autorest.CreateSender(withRequestLogging(), withPollWatcher())
client.storageServiceClient = ssc
suc := storage.NewUsageOperationsClient(c.SubscriptionID)
setUserAgent(&suc.Client)
suc.Authorizer = spt
suc.Sender = autorest.CreateSender(withRequestLogging())
client.storageUsageClient = suc
cpc := cdn.NewProfilesClient(c.SubscriptionID)
setUserAgent(&cpc.Client)
cpc.Authorizer = spt
cpc.Sender = autorest.CreateSender(withRequestLogging())
client.cdnProfilesClient = cpc
cec := cdn.NewEndpointsClient(c.SubscriptionID)
setUserAgent(&cec.Client)
cec.Authorizer = spt
cec.Sender = autorest.CreateSender(withRequestLogging())
client.cdnEndpointsClient = cec
dc := resources.NewDeploymentsClient(c.SubscriptionID)
setUserAgent(&dc.Client)
dc.Authorizer = spt
dc.Sender = autorest.CreateSender(withRequestLogging())
client.deploymentsClient = dc
return &client, nil
}
func validateConfig(newCfg, oldCfg *config.Config) (*azureModelConfig, error) {
err := config.Validate(newCfg, oldCfg)
if err != nil {
return nil, err
}
validated, err := newCfg.ValidateUnknownAttrs(configFields, configDefaults)
if err != nil {
return nil, err
}
// Ensure required configuration is provided.
for _, key := range requiredConfigAttributes {
if value, ok := validated[key].(string); !ok || value == "" {
return nil, errors.Errorf("%q config not specified", key)
}
}
if oldCfg != nil {
// Ensure immutable configuration isn't changed.
oldUnknownAttrs := oldCfg.UnknownAttrs()
for _, key := range immutableConfigAttributes {
oldValue, hadValue := oldUnknownAttrs[key].(string)
if hadValue {
newValue, haveValue := validated[key].(string)
if !haveValue {
return nil, errors.Errorf(
"cannot remove immutable %q config", key,
)
}
if newValue != oldValue {
return nil, errors.Errorf(
"cannot change immutable %q config (%v -> %v)",
key, oldValue, newValue,
)
}
}
// It's valid to go from not having to having.
}
// TODO(axw) figure out how we intend to handle changing
// secrets, such as application key
}
location := canonicalLocation(validated[configAttrLocation].(string))
appId := validated[configAttrAppId].(string)
subscriptionId := validated[configAttrSubscriptionId].(string)
tenantId := validated[configAttrTenantId].(string)
appPassword := validated[configAttrAppPassword].(string)
storageAccount, _ := validated[configAttrStorageAccount].(string)
storageAccountKey, _ := validated[configAttrStorageAccountKey].(string)
storageAccountType := validated[configAttrStorageAccountType].(string)
controllerResourceGroup := validated[configAttrControllerResourceGroup].(string)
if newCfg.FirewallMode() == config.FwGlobal {
// We do not currently support the "global" firewall mode.
return nil, errNoFwGlobal
}
if !isKnownStorageAccountType(storageAccountType) {
return nil, errors.Errorf(
"invalid storage account type %q, expected one of: %q",
storageAccountType, knownStorageAccountTypes,
)
}
token, err := azure.NewServicePrincipalToken(
appId, appPassword, tenantId,
azure.AzureResourceManagerScope,
)
if err != nil {
return nil, errors.Annotate(err, "constructing service principal token")
}
azureConfig := &azureModelConfig{
newCfg,
token,
subscriptionId,
location,
storageAccount,
storageAccountKey,
storage.AccountType(storageAccountType),
controllerResourceGroup,
}
return azureConfig, nil
}
func validateConfig(newCfg, oldCfg *config.Config) (*azureModelConfig, error) {
err := config.Validate(newCfg, oldCfg)
if err != nil {
return nil, err
}
validated, err := newCfg.ValidateUnknownAttrs(configFields, configDefaults)
if err != nil {
return nil, err
}
// Ensure required configuration is provided.
for _, key := range requiredConfigAttributes {
if value, ok := validated[key].(string); !ok || value == "" {
return nil, errors.Errorf("%q config not specified", key)
}
}
if oldCfg != nil {
// Ensure immutable configuration isn't changed.
oldUnknownAttrs := oldCfg.UnknownAttrs()
for _, key := range immutableConfigAttributes {
oldValue, hadValue := oldUnknownAttrs[key].(string)
if hadValue {
newValue, haveValue := validated[key].(string)
if !haveValue {
return nil, errors.Errorf(
"cannot remove immutable %q config", key,
)
}
if newValue != oldValue {
return nil, errors.Errorf(
"cannot change immutable %q config (%v -> %v)",
key, oldValue, newValue,
)
}
}
// It's valid to go from not having to having.
}
// TODO(axw) figure out how we intend to handle changing
// secrets, such as application key
}
// Resource group names must not exceed 80 characters. Resource group
// names are based on the model UUID and model name, the latter of
// which the model creator controls.
modelTag := names.NewModelTag(newCfg.UUID())
resourceGroup := resourceGroupName(modelTag, newCfg.Name())
if n := len(resourceGroup); n > resourceNameLengthMax {
smallestResourceGroup := resourceGroupName(modelTag, "")
return nil, errors.Errorf(`resource group name %q is too long
Please choose a model name of no more than %d characters.`,
resourceGroup,
resourceNameLengthMax-len(smallestResourceGroup),
)
}
location := canonicalLocation(validated[configAttrLocation].(string))
endpoint := validated[configAttrEndpoint].(string)
storageEndpoint := validated[configAttrStorageEndpoint].(string)
appId := validated[configAttrAppId].(string)
subscriptionId := validated[configAttrSubscriptionId].(string)
tenantId := validated[configAttrTenantId].(string)
appPassword := validated[configAttrAppPassword].(string)
storageAccount, _ := validated[configAttrStorageAccount].(string)
storageAccountKey, _ := validated[configAttrStorageAccountKey].(string)
storageAccountType := validated[configAttrStorageAccountType].(string)
controllerResourceGroup := validated[configAttrControllerResourceGroup].(string)
if newCfg.FirewallMode() == config.FwGlobal {
// We do not currently support the "global" firewall mode.
return nil, errNoFwGlobal
}
if !isKnownStorageAccountType(storageAccountType) {
return nil, errors.Errorf(
"invalid storage account type %q, expected one of: %q",
storageAccountType, knownStorageAccountTypes,
)
}
// The Azure storage code wants the endpoint host only, not the URL.
storageEndpointURL, err := url.Parse(storageEndpoint)
if err != nil {
return nil, errors.Annotate(err, "parsing storage endpoint URL")
}
token, err := azure.NewServicePrincipalToken(
appId, appPassword, tenantId,
azure.AzureResourceManagerScope,
)
if err != nil {
return nil, errors.Annotate(err, "constructing service principal token")
}
azureConfig := &azureModelConfig{
newCfg,
token,
subscriptionId,
location,
endpoint,
storageEndpointURL.Host,
storageAccount,
storageAccountKey,
storage.AccountType(storageAccountType),
controllerResourceGroup,
}
return azureConfig, nil
}
// NewServicePrincipalTokenFromCredentials creates a new ServicePrincipalToken using values of the
// passed credentials map.
func NewServicePrincipalTokenFromCredentials(c map[string]string, scope string) (*azure.ServicePrincipalToken, error) {
return azure.NewServicePrincipalToken(c["clientID"], c["clientSecret"], c["tenantID"], scope)
}
