[HOUSEKEEPING] Remove/Comment Out resources related to key vault for … (#458)

* [HOUSEKEEPING] Remove/Comment Out resources related to key vault for introspection

* remove commented out code

* Update onboard.test.ts

Co-authored-by: Andre Briggs <[email protected]>

Author: dennisseah

guides/service-introspection.md

@@ -44,22 +44,11 @@ introspection:
     table_name: "table-name"
     partition_key: "partition-key"
     key: "storage-access-key"
-    service_principal_id: "service-principal-id"
-    service_principal_secret: "service-principal-secret"
-    subscription_id: "subscription-id"
-    tenant_id: "tenant-id"
-    resource-group: "resource-group-name"
 ```
 
-## Prerequisites
-
-1. Service principal with owner access.
-   [Create a service principal with owner access.](#service-principal)
-2. Optionally, Azure Key Vault can be used to securely store and tightly control
-   access to tokens, passwords, API keys, and other secrets
-   [How to create key vault](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli).
-3. Give the service principal get and list access. Follow step 2 from
-   [these instructions](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault).
+To create storage-account and table, use the `spk deployment onboard` command to
+create them where subscription Id, resource group name, service principal Id,
+password and tenant Id are required.
 
 ### Service Principal
 

src/commands/deployment/onboard.decorator.json

@@ -22,10 +22,6 @@
       "description": "Name of the resource group to create new storage account when it does not exist",
       "required": true
     },
-    {
-      "arg": "-k, --key-vault-name <key-vault-name>",
-      "description": "Name of the Azure key vault"
-    },
     {
       "arg": "--service-principal-id <service-principal-id>",
       "description": "Azure service principal id with `contributor` role in Azure Resource Group",

src/commands/deployment/onboard.test.ts

@@ -4,7 +4,6 @@ import yaml from "js-yaml";
 import * as path from "path";
 import { Config, loadConfiguration } from "../../config";
 import * as config from "../../config";
-import * as keyvault from "../../lib/azure/keyvault";
 import * as storage from "../../lib/azure/storage";
 import { createTempDir } from "../../lib/ioUtil";
 import { deepClone } from "../../lib/util";
@@ -15,7 +14,6 @@ import {
 } from "../../logger";
 import { AzureAccessOpts, ConfigYaml } from "../../types";
 import {
-  createKeyVault,
   execute,
   getStorageAccessKey,
   CommandOptions,
@@ -37,7 +35,6 @@ afterAll(() => {
 });
 
 const MOCKED_VALUES: CommandOptions = {
-  keyVaultName: "testKeyVault",
   servicePrincipalId: "servicePrincipalId",
   servicePrincipalPassword: "servicePrincipalPassword",
   storageAccountName: "testaccount",
@@ -49,7 +46,6 @@ const MOCKED_VALUES: CommandOptions = {
 };
 
 const MOCKED_CONFIG: OnBoardConfig = {
-  keyVaultName: "testKeyVault",
   servicePrincipalId: "servicePrincipalId",
   servicePrincipalPassword: "servicePrincipalPassword",
   storageAccountName: "testaccount",
@@ -108,7 +104,6 @@ const testPopulatedVal = (
 describe("test populateValues", () => {
   it("all values are set", () => {
     const values = populateValues(getMockedValues());
-    expect(values.keyVaultName).toBe(MOCKED_VALUES.keyVaultName);
     expect(values.servicePrincipalId).toBe(MOCKED_VALUES.servicePrincipalId);
     expect(values.servicePrincipalPassword).toBe(
       MOCKED_VALUES.servicePrincipalPassword
@@ -152,19 +147,6 @@ describe("test populateValues", () => {
       }
     );
   });
-  it("keyVaultName default to config.introspection.azure.key_vault_name", () => {
-    testPopulatedVal(
-      (configYaml: ConfigYaml) => {
-        configYaml.key_vault_name = "KeyVaultName";
-      },
-      (values: CommandOptions) => {
-        values.keyVaultName = undefined;
-      },
-      (values) => {
-        expect(values.keyVaultName).toBe("KeyVaultName");
-      }
-    );
-  });
   it("servicePrincipalId default to config.introspection.azure.service_principal_id", () => {
     testPopulatedVal(
       (configYaml: ConfigYaml) => {
@@ -316,37 +298,17 @@ describe("test validateAndCreateStorageAccount function", () => {
 
 describe("test getStorageAccessKey function", () => {
   it("already exist", async () => {
-    jest
-      .spyOn(storage, "getStorageAccountKey")
-      .mockReturnValueOnce(Promise.resolve("key"));
+    jest.spyOn(storage, "getStorageAccountKey").mockResolvedValueOnce("key");
     const values = getMockedConfig();
     const accessOpts = getMockedAccessOpts(values);
     const storageKey = await getStorageAccessKey(values, accessOpts);
     expect(storageKey).toBe("key");
   });
 });
 
-describe("test createKeyVault function", () => {
-  it("[+ve] not key vault value", async () => {
-    const values = getMockedConfig();
-    values.keyVaultName = undefined;
-    const accessOpts = getMockedAccessOpts(values);
-    // nothing is done
-    await createKeyVault(values, accessOpts, "accessString");
-  });
-  it("[+ve] with key vault value", async () => {
-    jest.spyOn(keyvault, "setSecret").mockReturnValueOnce(Promise.resolve());
-    const values = getMockedConfig();
-    const accessOpts = getMockedAccessOpts(values);
-    await createKeyVault(values, accessOpts, "accessString");
-  });
-});
-
 describe("onboard", () => {
   test("empty location", async () => {
-    jest
-      .spyOn(storage, "isStorageAccountExist")
-      .mockReturnValueOnce(Promise.resolve(false));
+    jest.spyOn(storage, "isStorageAccountExist").mockResolvedValueOnce(false);
 
     try {
       const values = getMockedConfig();
@@ -392,9 +354,6 @@ describe("onboard", () => {
     jest
       .spyOn(storage, "createStorageAccount")
       .mockReturnValueOnce(Promise.resolve({ location: "test" }));
-    jest
-      .spyOn(onboardImpl, "createKeyVault")
-      .mockReturnValueOnce(Promise.resolve());
     jest.spyOn(onboardImpl, "setConfiguration").mockReturnValueOnce(true);
 
     const data = {

src/commands/deployment/onboard.ts

@@ -4,7 +4,6 @@ import commander from "commander";
 import fs from "fs";
 import yaml from "js-yaml";
 import { Config, defaultConfigFile, readYaml } from "../../config";
-import { setSecret } from "../../lib/azure/keyvault";
 import {
   createStorageAccount,
   createTableIfNotExists,
@@ -29,7 +28,6 @@ export interface CommandOptions {
   storageTableName: string | undefined;
   storageLocation: string | undefined;
   storageResourceGroupName: string | undefined;
-  keyVaultName: string | undefined;
   servicePrincipalId: string | undefined;
   servicePrincipalPassword: string | undefined;
   tenantId: string | undefined;
@@ -44,7 +42,6 @@ export interface OnBoardConfig {
   servicePrincipalPassword: string;
   subscriptionId: string;
   tenantId: string;
-  keyVaultName?: string;
   storageLocation?: string;
 }
 
@@ -61,7 +58,6 @@ export const populateValues = (opts: CommandOptions): CommandOptions => {
     opts.storageAccountName || azure?.account_name || undefined;
   opts.storageTableName =
     opts.storageTableName || azure?.table_name || undefined;
-  opts.keyVaultName = opts.keyVaultName || config.key_vault_name || undefined;
   opts.servicePrincipalId =
     opts.servicePrincipalId || azure?.service_principal_id || undefined;
   opts.servicePrincipalPassword =
@@ -111,7 +107,6 @@ export const validateValues = (opts: CommandOptions): OnBoardConfig => {
     servicePrincipalPassword: opts.servicePrincipalPassword || "",
     subscriptionId: opts.subscriptionId || "",
     tenantId: opts.tenantId || "",
-    keyVaultName: opts.keyVaultName,
     storageLocation: opts.storageLocation,
   };
 };
@@ -207,45 +202,9 @@ export const getStorageAccessKey = async (
   return accessKey;
 };
 
-/**
- * Creates Key Vault if value from commander has value for `keyVaultName`
- *
- * @param values values from commander
- * @param accessOpts Azure Access Opts
- * @param accessKey Access Key
- */
-export const createKeyVault = async (
-  values: OnBoardConfig,
-  accessOpts: AzureAccessOpts,
-  accessKey: string
-): Promise<void> => {
-  // if key vault is not specified, exit without reading storage account
-  // key and setting it in the key vault
-  if (values.keyVaultName) {
-    logger.debug(
-      `Calling setSecret with storage account primary key ***
-        and ${values.keyVaultName}`
-    );
-    await setSecret(
-      values.keyVaultName,
-      `${values.storageAccountName}Key`,
-      accessKey,
-      accessOpts
-    );
-  } else {
-    // notify the user to set the environment variable with storage access key
-    logger.info(
-      `Please set the storage account access key in environment variable
-      INTROSPECTION_STORAGE_ACCESS_KEY before issuing any deployment commands.`
-    );
-    logger.info(`Storage account ${values.storageAccountName} access key: ***`);
-  }
-};
-
 /**
  * Creates the Storage account `accountName` in resource group `resourceGroup`,
- * sets storage account access key in keyvalut, and updates pipelines
- * (acr-hld, hld->manifests)
+ * and updates pipelines (acr-hld, hld->manifests)
  *
  * @param values Values from commander.
  */
@@ -254,7 +213,7 @@ export const onboard = async (
 ): Promise<StorageAccount | undefined> => {
   logger.debug(
     `onboard called with ${values.storageAccountName}, ${values.storageTableName},
-    ${values.storageResourceGroupName}, ${values.storageLocation}, and ${values.keyVaultName}`
+    ${values.storageResourceGroupName} and ${values.storageLocation}`
   );
 
   const accessOpts: AzureAccessOpts = {
@@ -288,8 +247,6 @@ export const onboard = async (
       table ${values.storageTableName} exist.`);
   }
 
-  await createKeyVault(values, accessOpts, accessKey);
-
   // save storage account and table names in configuration
   setConfiguration(values.storageAccountName, values.storageTableName);
   return storageAccount;