Fix Azure#15091- Import-AzWebAppKeyVaultCertificate api version bug (Azure#15281)

Kotasudhakarreddy · web-flow · commit 65a203726e33 · 2021-06-21T09:56:18.000+08:00
* Fix Azure#15091- Import-AzWebAppKeyVaultCertificate api version bug * Updated changelog.md * Updated RequiredAssemblies for Az.Websites * Updated Test project to use Microsoft.Azure.Management.KeyVault Nuget * rolled back the AKV SDK changes * Addressed code review comments.
diff --git a/src/Websites/Websites.Test/SessionRecords/Microsoft.Azure.Commands.Websites.Test.ScenarioTests.CertificatesTests/TestImportAzWebAppKeyVaultCertificate.json b/src/Websites/Websites.Test/SessionRecords/Microsoft.Azure.Commands.Websites.Test.ScenarioTests.CertificatesTests/TestImportAzWebAppKeyVaultCertificate.json
diff --git a/src/Websites/Websites/ChangeLog.md b/src/Websites/Websites/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed `Import-AzWebAppKeyVaultCertificate` to support ServerFarmId [#15091] 
 
 ## Version 2.7.0
 * Fixed issue that prevented removing rules by name and unique identifier in `Remove-AzWebAppAccessRestrictionRule`
diff --git a/src/Websites/Websites/Cmdlets/Certificates/ImportAzWebAppKeyVaultCertificate.cs b/src/Websites/Websites/Cmdlets/Certificates/ImportAzWebAppKeyVaultCertificate.cs
@@ -19,7 +19,7 @@ public class ImportAzWebAppKeyVaultCertificate : WebAppBaseClientCmdLet
     {
         const string ParameterSet1Name = "S1";
 
-        [Parameter(ParameterSetName = ParameterSet1Name, Position = 0, Mandatory = true, HelpMessage = "The name of the keyvault.")]
+        [Parameter(ParameterSetName = ParameterSet1Name, Position = 0, Mandatory = true, HelpMessage = "The name of the keyvault or Id of the KeyVault.")]
         [ValidateNotNullOrEmpty]
         public string KeyVaultName { get; set; }
 
@@ -44,11 +44,10 @@ public override void ExecuteCmdlet()
         {
             if (!string.IsNullOrWhiteSpace(ResourceGroupName) && !string.IsNullOrWhiteSpace(WebAppName))
             {
+                string kvId = string.Empty, kvRgName = string.Empty, kvSubscriptionId = string.Empty;
                 var webApp = new PSSite(WebsitesClient.GetWebApp(ResourceGroupName, WebAppName, Slot));
                 var location = webApp.Location;
                 var serverFarmId = webApp.ServerFarmId;
-                string kvid = string.Empty;
-                string kvresourcegrpname = string.Empty;
                 var keyvaultResources = this.ResourcesClient.ResourceManagementClient.FilterResources(new FilterResourcesOptions
                 {
                     ResourceType = "Microsoft.KeyVault/Vaults"
@@ -58,19 +57,29 @@ public override void ExecuteCmdlet()
                 {
                     if (kv.Name == KeyVaultName)
                     {
-                        kvid = kv.Id;
-                        kvresourcegrpname = kv.ResourceGroupName;
+                        kvId = kv.Id;
+                        kvRgName = kv.ResourceGroupName;
                         break;
                     }
                 }
-                if (string.IsNullOrEmpty(kvid))
+                if (string.IsNullOrEmpty(kvId))
                 {
-                    kvid = KeyVaultName;
+                    kvId = KeyVaultName;
+                    if (CmdletHelpers.IsValidAKVResourceId(kvId))
+                    {
+                        var details = CmdletHelpers.GetResourceDetailsFromResourceId(kvId);
+                        kvRgName = details.ResourceGroupName;
+                        KeyVaultName = details.ResourceName;
+                        kvSubscriptionId = details.Subscription;
+                    }
+                    else //default to AppService RG 
+                    {
+                        kvRgName = ResourceGroupName;
+                    }
                 }
-                string keyvaultperm;
-                keyvaultperm = CmdletHelpers.CheckServicePrincipalPermissions(this.ResourcesClient, this.KeyvaultClient,kvresourcegrpname, KeyVaultName);
+                var kvpermission = CmdletHelpers.CheckServicePrincipalPermissions(this.ResourcesClient, this.KeyvaultClient, kvRgName, KeyVaultName, kvSubscriptionId);
                 var lnk = "https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html";
-                if ((keyvaultperm != "Get") & (keyvaultperm != "get"))
+                if (kvpermission.ToLower() != "get")
                 {
                     WriteWarning("Unable to verify Key Vault permissions.");
                     WriteWarning("You may need to grant Microsoft.Azure.WebSites service principal the Secret:Get permission");
@@ -80,7 +89,7 @@ public override void ExecuteCmdlet()
                 Certificate kvc = null;
                 var certificate = new Certificate(
                     location: location,
-                    keyVaultId: kvid,
+                    keyVaultId: kvId,
                     password: "",
                     keyVaultSecretName: CertName,
                     serverFarmId: serverFarmId
diff --git a/src/Websites/Websites/Utilities/CmdletHelpers.cs b/src/Websites/Websites/Utilities/CmdletHelpers.cs
@@ -54,6 +54,9 @@ public static class CmdletHelpers
         private static readonly Regex AppServicePlanResourceIdRegex =
            new Regex(@"^\/subscriptions\/(?<subscriptionName>[^\/]+)\/resourceGroups\/(?<resourceGroupName>[^\/]+)\/providers\/Microsoft.Web\/serverFarms\/(?<serverFarmName>[^\/]+)$", RegexOptions.IgnoreCase);
 
+        private static readonly Regex KeyVaultResourceIdRegex =
+            new Regex(@"^\/subscriptions\/(?<subscriptionName>[^\/]+)\/resourceGroups\/(?<resourceGroupName>[^\/]+)\/providers\/Microsoft.KeyVault\/vaults\/(?<vaultName>[^\/]+)$", RegexOptions.IgnoreCase);
+
         private static readonly Dictionary<string, int> WorkerSizes = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { { "Small", 1 }, { "Medium", 2 }, { "Large", 3 }, { "ExtraLarge", 4 } };
 
         private const string ProductionSlotName = "Production";
@@ -178,7 +181,7 @@ internal static bool ShouldUseDeploymentSlot(string webSiteName, string slotName
 
             return result;
         }
-                
+
         internal static HostingEnvironmentProfile CreateHostingEnvironmentProfile(string subscriptionId, string resourceGroupName, string aseResourceGroupName, string aseName)
         {
             var rg = string.IsNullOrEmpty(aseResourceGroupName) ? resourceGroupName : aseResourceGroupName;
@@ -222,7 +225,7 @@ internal static string BuildMetricFilter(DateTime? startTime, DateTime? endTime,
 
             return filter;
         }
-                
+
         internal static bool TryParseWebAppMetadataFromResourceId(string resourceId, out string resourceGroupName,
             out string webAppName, out string slotName, bool failIfSlot = false)
         {
@@ -271,6 +274,10 @@ internal static bool TryParseAppServicePlanMetadataFromResourceId(string resourc
             return false;
         }
 
+        internal static bool IsValidAKVResourceId(string resourceId)
+        {
+            return KeyVaultResourceIdRegex.Match(resourceId).Success;
+        }
         internal static string GetSkuName(string tier, int workerSize)
         {
             string sku;
@@ -309,7 +316,7 @@ internal static string GetSkuName(string tier, int workerSize)
 
         internal static string GetSkuName(string tier, string workerSize)
         {
-            return GetSkuName(tier, WorkerSizes[workerSize]);            
+            return GetSkuName(tier, WorkerSizes[workerSize]);
         }
 
         internal static bool IsDeploymentSlot(string name)
@@ -373,6 +380,11 @@ internal static string GetSubscriptionIdFromResourceId(string resourceId)
             return new ResourceIdentifier(resourceId).Subscription;
         }
 
+        internal static ResourceIdentifier GetResourceDetailsFromResourceId(string resourceId)
+        {
+            return new ResourceIdentifier(resourceId);
+        }
+
         internal static void ExtractWebAppPropertiesFromWebApp(Site webapp, out string resourceGroupName, out string webAppName, out string slot)
         {
             resourceGroupName = GetResourceGroupFromResourceId(webapp.Id);
@@ -414,26 +426,23 @@ internal static Certificate[] GetCertificates(ResourceClient resourceClient, Web
             return certificates.ToArray();
         }
 
-        internal static string CheckServicePrincipalPermissions(ResourceClient resourceClient, KeyVaultClient keyVaultClient, string resourceGroupName, string keyVault)
+        internal static string CheckServicePrincipalPermissions(ResourceClient resourceClient, KeyVaultClient keyVaultClient, string resourceGroupName, string keyVault, string kvSubscriptionId)
         {
-            var perm1 = " ";
-            var kv2 = keyVaultClient.GetKeyVault(resourceGroupName, keyVault);
-            foreach (var policy in kv2.Properties.AccessPolicies)
+            var kv = keyVaultClient.GetKeyVault(resourceGroupName, keyVault, kvSubscriptionId);
+            foreach (var policy in kv.Properties.AccessPolicies)
             {
                 if (policy.ObjectId == ("f8daea97-62e7-4026-becf-13c2ea98e8b4"))
                 {
                     foreach (var perm in policy.Permissions.Secrets)
                     {
-                        if ((perm == "Get") || (perm == "get"))
+                        if (perm.ToLower() == "get")
                         {
-                            perm1 = perm;
-                            Console.WriteLine("Success");
-                            break;
+                            return perm;
                         }
                     }
                 }
             }
-            return perm1.ToString();
+            return string.Empty;
         }
 
         internal static SiteConfigResource ConvertToSiteConfigResource(this SiteConfig config)
diff --git a/src/Websites/Websites/Utilities/KeyVaultClient.cs b/src/Websites/Websites/Utilities/KeyVaultClient.cs
@@ -25,11 +25,21 @@ public KeyVaultManagementClient WrappedKeyVaultClient
             private set;
         }
 
-        public Vault GetKeyVault(string resourceGroupName, string vaultName)
+        public Vault GetKeyVault(string resourceGroupName, string vaultName, string kvSubscriptionId = null)
         {
             try
             {
-                return this.WrappedKeyVaultClient.Vaults.Get(resourceGroupName, vaultName);
+                string originalSubscreptionId = this.WrappedKeyVaultClient.SubscriptionId;
+
+                // Replacing the actual Subscription to fetch the Vaults from other Subscriptions.
+                if (!String.IsNullOrEmpty(kvSubscriptionId) && originalSubscreptionId != kvSubscriptionId)
+                    this.WrappedKeyVaultClient.SubscriptionId = kvSubscriptionId;
+
+                var vault = this.WrappedKeyVaultClient.Vaults.Get(resourceGroupName, vaultName);
+                // Replacing back to the original Subscription after fetching Vault.
+                this.WrappedKeyVaultClient.SubscriptionId = originalSubscreptionId;
+
+                return vault;
             }
             catch (Exception ex)
             {
diff --git a/src/Websites/Websites/help/Import-AzWebAppKeyVaultCertificate.md b/src/Websites/Websites/help/Import-AzWebAppKeyVaultCertificate.md
@@ -73,7 +73,7 @@ Accept wildcard characters: False
 ```
 
 ### -KeyVaultName
-The name of the keyvault.
+The name of the keyvault or Id of the KeyVault.
 
 ```yaml
 Type: System.String

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ public static class CmdletHelpers`
`54`	`54`	`private static readonly Regex AppServicePlanResourceIdRegex =`
`55`	`55`	`new Regex(@"^\/subscriptions\/(?<subscriptionName>[^\/]+)\/resourceGroups\/(?<resourceGroupName>[^\/]+)\/providers\/Microsoft.Web\/serverFarms\/(?<serverFarmName>[^\/]+)$", RegexOptions.IgnoreCase);`
`56`	`56`
	`57`	`+ private static readonly Regex KeyVaultResourceIdRegex =`
	`58`	`+ new Regex(@"^\/subscriptions\/(?<subscriptionName>[^\/]+)\/resourceGroups\/(?<resourceGroupName>[^\/]+)\/providers\/Microsoft.KeyVault\/vaults\/(?<vaultName>[^\/]+)$", RegexOptions.IgnoreCase);`
	`59`	`+`
`57`	`60`	`private static readonly Dictionary<string, int> WorkerSizes = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { { "Small", 1 }, { "Medium", 2 }, { "Large", 3 }, { "ExtraLarge", 4 } };`
`58`	`61`
`59`	`62`	`private const string ProductionSlotName = "Production";`
`@@ -178,7 +181,7 @@ internal static bool ShouldUseDeploymentSlot(string webSiteName, string slotName`
`178`	`181`
`179`	`182`	`return result;`
`180`	`183`	`}`
`181`		`-`
	`184`	`+`
`182`	`185`	`internal static HostingEnvironmentProfile CreateHostingEnvironmentProfile(string subscriptionId, string resourceGroupName, string aseResourceGroupName, string aseName)`
`183`	`186`	`{`
`184`	`187`	`var rg = string.IsNullOrEmpty(aseResourceGroupName) ? resourceGroupName : aseResourceGroupName;`
`@@ -222,7 +225,7 @@ internal static string BuildMetricFilter(DateTime? startTime, DateTime? endTime,`
`222`	`225`
`223`	`226`	`return filter;`
`224`	`227`	`}`
`225`		`-`
	`228`	`+`
`226`	`229`	`internal static bool TryParseWebAppMetadataFromResourceId(string resourceId, out string resourceGroupName,`
`227`	`230`	`out string webAppName, out string slotName, bool failIfSlot = false)`
`228`	`231`	`{`
`@@ -271,6 +274,10 @@ internal static bool TryParseAppServicePlanMetadataFromResourceId(string resourc`
`271`	`274`	`return false;`
`272`	`275`	`}`
`273`	`276`
	`277`	`+ internal static bool IsValidAKVResourceId(string resourceId)`
	`278`	`+ {`
	`279`	`+ return KeyVaultResourceIdRegex.Match(resourceId).Success;`
	`280`	`+ }`
`274`	`281`	`internal static string GetSkuName(string tier, int workerSize)`
`275`	`282`	`{`
`276`	`283`	`string sku;`
`@@ -309,7 +316,7 @@ internal static string GetSkuName(string tier, int workerSize)`
`309`	`316`
`310`	`317`	`internal static string GetSkuName(string tier, string workerSize)`
`311`	`318`	`{`
`312`		`- return GetSkuName(tier, WorkerSizes[workerSize]);`
	`319`	`+ return GetSkuName(tier, WorkerSizes[workerSize]);`
`313`	`320`	`}`
`314`	`321`
`315`	`322`	`internal static bool IsDeploymentSlot(string name)`
`@@ -373,6 +380,11 @@ internal static string GetSubscriptionIdFromResourceId(string resourceId)`
`373`	`380`	`return new ResourceIdentifier(resourceId).Subscription;`
`374`	`381`	`}`
`375`	`382`
	`383`	`+ internal static ResourceIdentifier GetResourceDetailsFromResourceId(string resourceId)`
	`384`	`+ {`
	`385`	`+ return new ResourceIdentifier(resourceId);`
	`386`	`+ }`
	`387`	`+`
`376`	`388`	`internal static void ExtractWebAppPropertiesFromWebApp(Site webapp, out string resourceGroupName, out string webAppName, out string slot)`
`377`	`389`	`{`
`378`	`390`	`resourceGroupName = GetResourceGroupFromResourceId(webapp.Id);`
`@@ -414,26 +426,23 @@ internal static Certificate[] GetCertificates(ResourceClient resourceClient, Web`
`414`	`426`	`return certificates.ToArray();`
`415`	`427`	`}`
`416`	`428`
`417`		`- internal static string CheckServicePrincipalPermissions(ResourceClient resourceClient, KeyVaultClient keyVaultClient, string resourceGroupName, string keyVault)`
	`429`	`+ internal static string CheckServicePrincipalPermissions(ResourceClient resourceClient, KeyVaultClient keyVaultClient, string resourceGroupName, string keyVault, string kvSubscriptionId)`
`418`	`430`	`{`
`419`		`- var perm1 = " ";`
`420`		`- var kv2 = keyVaultClient.GetKeyVault(resourceGroupName, keyVault);`
`421`		`- foreach (var policy in kv2.Properties.AccessPolicies)`
	`431`	`+ var kv = keyVaultClient.GetKeyVault(resourceGroupName, keyVault, kvSubscriptionId);`
	`432`	`+ foreach (var policy in kv.Properties.AccessPolicies)`
`422`	`433`	`{`
`423`	`434`	`if (policy.ObjectId == ("f8daea97-62e7-4026-becf-13c2ea98e8b4"))`
`424`	`435`	`{`
`425`	`436`	`foreach (var perm in policy.Permissions.Secrets)`
`426`	`437`	`{`
`427`		`- if ((perm == "Get") \|\| (perm == "get"))`
	`438`	`+ if (perm.ToLower() == "get")`
`428`	`439`	`{`
`429`		`- perm1 = perm;`
`430`		`- Console.WriteLine("Success");`
`431`		`- break;`
	`440`	`+ return perm;`
`432`	`441`	`}`
`433`	`442`	`}`
`434`	`443`	`}`
`435`	`444`	`}`
`436`		`- return perm1.ToString();`
	`445`	`+ return string.Empty;`
`437`	`446`	`}`
`438`	`447`
`439`	`448`	`internal static SiteConfigResource ConvertToSiteConfigResource(this SiteConfig config)`
Original file line number	Diff line number	Diff line change
`@@ -25,11 +25,21 @@ public KeyVaultManagementClient WrappedKeyVaultClient`
`25`	`25`	`private set;`
`26`	`26`	`}`
`27`	`27`
`28`		`- public Vault GetKeyVault(string resourceGroupName, string vaultName)`
	`28`	`+ public Vault GetKeyVault(string resourceGroupName, string vaultName, string kvSubscriptionId = null)`
`29`	`29`	`{`
`30`	`30`	`try`
`31`	`31`	`{`
`32`		`- return this.WrappedKeyVaultClient.Vaults.Get(resourceGroupName, vaultName);`
	`32`	`+ string originalSubscreptionId = this.WrappedKeyVaultClient.SubscriptionId;`
	`33`	`+`
	`34`	`+ // Replacing the actual Subscription to fetch the Vaults from other Subscriptions.`
	`35`	`+ if (!String.IsNullOrEmpty(kvSubscriptionId) && originalSubscreptionId != kvSubscriptionId)`
	`36`	`+ this.WrappedKeyVaultClient.SubscriptionId = kvSubscriptionId;`
	`37`	`+`
	`38`	`+ var vault = this.WrappedKeyVaultClient.Vaults.Get(resourceGroupName, vaultName);`
	`39`	`+ // Replacing back to the original Subscription after fetching Vault.`
	`40`	`+ this.WrappedKeyVaultClient.SubscriptionId = originalSubscreptionId;`
	`41`	`+`
	`42`	`+ return vault;`
`33`	`43`	`}`
`34`	`44`	`catch (Exception ex)`
`35`	`45`	`{`