Sample for managing resources via MSI Identity

.env_sample

@@ -0,0 +1,8 @@
+# This is a sample of what your .env file should look like if you wanted to run integration tests.
+# If you move this file to the .env and replace the environment variables with your own values, then the environment
+# will be included when the rake test tasks are executed. Otherwise, you could just export the environment vars
+# yourself.
+
+AZURE_TENANT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+AZURE_SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+RESOURCE_GROUP_NAME="xxxxxxxxxxxx"

.gitignore

@@ -10,24 +10,10 @@
 /test/version_tmp/
 /tmp/
 
-# Used by dotenv library to load environment variables.
-# .env
-
 ## Specific to RubyMotion:
 .dat*
 .repl_history
 build/
-*.bridgesupport
-build-iPhoneOS/
-build-iPhoneSimulator/
-
-## Specific to RubyMotion (use of CocoaPods):
-#
-# We recommend against adding the Pods directory to your .gitignore. However
-# you should judge for yourself, the pros and cons are mentioned at:
-# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
-#
-# vendor/Pods/
 
 ## Documentation cache and generated files:
 /.yardoc/
@@ -48,3 +34,7 @@ build-iPhoneSimulator/
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+
+/.idea/
+Gemfile.lock
+.env

CHANGELOG.md

@@ -0,0 +1,5 @@
+ ## 2017.09.12
+
+ *Features*
+ * Adding initial sample to show how to manage Azure resources using Managed Service Identity from MSI enabled Azure virtual machine.
+

Gemfile

@@ -0,0 +1,12 @@
+# encoding: utf-8
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+
+source 'https://rubygems.org'
+
+group :development, :test do
+  gem 'rake',               '~>11.1'
+  gem 'dotenv',             '~>2.1'
+end
+
+gem 'azure_mgmt_resources', '~>0.12.0'

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,127 @@
+---
+services: resources
+platforms: ruby
+author: vishrutshah
+---
+
+# Manage resources using Managed Service Identity using Ruby
+
+This sample demonstrates how to manage Azure resources via Managed Service Identity using the Ruby SDK.
+
+**On this page**
+
+- [Create an Azure VM with MSI extension](#pre-requisite)
+- [Run this sample](#run)
+- [What is example.rb doing?](#example)
+    - [Create an MSI Token Provider](#msi)
+    - [Create a resource client](#resource-client)
+    - [Create an Azure Vault](#create-vault)
+    - [Delete an Azure vault](#delete-vault)
+
+<a id="pre-requisite"></a>
+## Create an Azure VM with MSI extension
+
+[Azure Compute VM with MSI](https://github.com/Azure-Samples/compute-ruby-msi-vm)
+
+<a id="run"></a>
+## Run this sample
+
+1. log in to the above Azure virtual machine which has MSI service running and then follow the steps on that VM.
+
+2. If you don't already have it, [install Ruby and the Ruby DevKit](https://www.ruby-lang.org/en/documentation/installation/).
+
+3. If you don't have bundler, install it.
+
+    ```
+    gem install bundler
+    ```
+
+4. Clone the repository.
+
+    ```
+    git clone https://github.com/Azure-Samples/resources-ruby-manage-resources-with-msi.git
+    ```
+
+5. Install the dependencies using bundler.
+
+    ```
+    cd resources-ruby-manage-resources-with-msi
+    bundle install
+    ```
+
+6. Set the following environment variables using the information from the service principle that you created.
+
+    ```
+    export AZURE_TENANT_ID={your tenant id}
+    export AZURE_SUBSCRIPTION_ID={your subscription id}
+    export RESOURCE_GROUP_NAME={name of the resource group}    
+    ```
+
+    > [AZURE.NOTE] On Windows, use `set` instead of `export`.
+
+7. Run the sample.
+
+    ```
+    bundle exec ruby example.rb
+    ```
+
+<a id="example"></a>
+## What does example.rb doing?
+<a id="msi"></a>
+### Create an MSI Token Provider
+Initialize `subscription_id`, `tenant_id`, `resource_group_name` and `port` from environment variables.
+```ruby
+subscription_id = ENV['AZURE_SUBSCRIPTION_ID'] || '11111111-1111-1111-1111-111111111111'
+tenant_id = ENV['AZURE_TENANT_ID']
+resource_group_name = ENV['RESOURCE_GROUP_NAME']
+port = ENV['MSI_PORT'] || 50342 # If not provided then we assume the default port
+```
+
+Now, we will create token credential using `MSITokenProvider`. 
+```ruby
+# Create Managed Service Identity as the token provider
+provider = MsRestAzure::MSITokenProvider.new(port)
+credentials = MsRest::TokenCredentials.new(provider)
+```
+
+<a id="resource-client"></a>
+### Create a resource client
+Now, we will create a resource management client using Managed Service Identity token provider.
+
+```ruby
+client = Azure::ARM::Resources::ResourceManagementClient.new(credentials)
+client.subscription_id = subscription_id
+```
+<a id="create-vault"></a>
+### Create an Azure Vault
+Now, we will create an Azure key vault account using MSI authenticated resource client. This Azure Key Vault
+account resource is identical to normal account but it is just created under the resource group where MSI enabled 
+Azure VM has the permission to create resources. 
+
+```ruby
+puts 'Creating key vault account with MSI Identity...'
+key_vault_params = Azure::ARM::Resources::Models::GenericResource.new.tap do |rg|
+  rg.location = WEST_US
+  rg.properties = {
+      sku: { family: 'A', name: 'standard' },
+      tenantId: tenant_id,
+      accessPolicies: [],
+      enabledForDeployment: true,
+      enabledForTemplateDeployment: true,
+      enabledForDiskEncryption: true
+  }
+end
+```
+
+<a id="delete-vault"></a>
+### Delete an Azure vault
+Now, we will delete key vault account created using this example. Please comment this out to keep the resources alive in you Azure subscription.
+
+```ruby
+client.resources.delete(resource_group_name,
+                          'Microsoft.KeyVault',
+                          '',
+                          'vaults',
+                          KEY_VAULT_NAME,
+                          '2015-06-01')
+```

Rakefile

@@ -0,0 +1,4 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

example.rb

@@ -0,0 +1,72 @@
+#!/usr/bin/env ruby
+
+require 'azure_mgmt_resources'
+require 'dotenv'
+
+Dotenv.load!(File.join(__dir__, './.env'))
+
+WEST_US = 'westus'
+KEY_VAULT_NAME = 'sampleVault8976'
+
+# This script expects that the following environment vars are set:
+#
+# AZURE_TENANT_ID: with your Azure Active Directory tenant id or domain
+# AZURE_SUBSCRIPTION_ID: with your Azure Subscription Id
+# RESOURCE_GROUP_NAME: Name of the Azure resource group to create resource in where Managed Service Identity has enough permissions
+#
+def run_example
+  #
+  # Create the Resource Manager Client with an Managed Service Identity token provider
+  #
+  MsRest.use_ssl_cert
+  subscription_id = ENV['AZURE_SUBSCRIPTION_ID'] || '11111111-1111-1111-1111-111111111111' # your Azure Subscription Id
+  tenant_id = ENV['AZURE_TENANT_ID']
+  resource_group_name = ENV['RESOURCE_GROUP_NAME']
+  port = ENV['MSI_PORT'] || 50342 # If not provided then we assume the default port
+
+  # Create Managed Service Identity as the token provider
+  provider = MsRestAzure::MSITokenProvider.new(port)
+  credentials = MsRest::TokenCredentials.new(provider)
+
+  # Create a resource client
+  client = Azure::ARM::Resources::ResourceManagementClient.new(credentials)
+  client.subscription_id = subscription_id
+
+  # Create a Key Vault in the Resource Group
+  puts 'Creating key vault account with MSI Identity...'
+  key_vault_params = Azure::ARM::Resources::Models::GenericResource.new.tap do |rg|
+    rg.location = WEST_US
+    rg.properties = {
+        sku: { family: 'A', name: 'standard' },
+        tenantId: tenant_id,
+        accessPolicies: [],
+        enabledForDeployment: true,
+        enabledForTemplateDeployment: true,
+        enabledForDiskEncryption: true
+    }
+  end
+
+  puts JSON.pretty_generate(client.resources.create_or_update(resource_group_name,
+                                                              'Microsoft.KeyVault',
+                                                              '',
+                                                              'vaults', KEY_VAULT_NAME,
+                                                              '2015-06-01',
+                                                              key_vault_params).properties)  + "\n\n"
+
+  puts 'Now that we have created a Key Vault, lets delete it.'
+  puts 'Press any key to continue'
+  gets
+  puts 'Deleting key vault account with MSI Identity...'
+  client.resources.delete(resource_group_name,
+                          'Microsoft.KeyVault',
+                          '',
+                          'vaults',
+                          KEY_VAULT_NAME,
+                          '2015-06-01')
+
+  puts 'Thanks for learning about managing resources via Managed Service Identity.'
+end
+
+if $0 == __FILE__
+  run_example
+end