Merge branch 'master' into split

2019-01-15 15:04:34 -05:00 · 2019-01-15 15:04:34 -05:00 · 58b6d6e692
--- a/src/vfxt/README.md
+++ b/src/vfxt/README.md
@ -33,8 +33,10 @@ The following table shows the roles required for each of the avere operations:

 Here are the instructions to create custom Avere Roles:
  1. "avere-cluster" - use instructions from [the Avere documention for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role).  Microsoft employees should specify already defined role "Avere Cluster Runtime Operator".
-  1. "Avere Contributor" - apply the ["Avere Contributor" role file](src/roles/AvereContributor.txt), using instructions from [the Avere documentation for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role).  Microsoft employees should specify already defined role "Avere Cluster Create".
-   
+  1. "Avere Contributor" - apply the ["Avere Contributor" role file](src/roles/AvereContributor.txt), using instructions from [the Avere documentation for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role).  Microsoft employees should specify already defined roleName "Avere Cluster Create" with roleId  "a7b1b19a-0e83-4fe5-935c-faaefbfd18c3".
+
+After creating the contributor role, you will need to get the role ID to pass to template (Microsoft employees use roleId "a7b1b19a-0e83-4fe5-935c-faaefbfd18c3").  The AAD role id is a GUID used for creating of the vFXT cluster.  This is the ID obtained using the following az command: az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'Avere Contributor'.  Currently the template defaults to the [Owner role](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) with GUID 8e3af657-a8ff-443c-a75c-2fe8c4bcb635.
+
 There are two deployment modes of the Avere vFXT: standalone and "bring your own VNET".  In the standalone case, the deployment deploys the controller and vFXT cluster into a brand new VNET.  In the "bring your own VNET" deployment, the controller and vFXT cluster uses ip addresses from an existing vnet subnet.  Both of these cases require different role configurations.  The following two sections highlight show the strictest scoping to a service principal, but these can be generalized to any user principal.

 ### Example: Create Service principal for Standalone Administrator
--- a/src/vfxt/azuredeploy-auto.json
+++ b/src/vfxt/azuredeploy-auto.json
@ -112,9 +112,9 @@
    },
    "avereCreateClusterRoleId": {
      "type": "string",
-      "defaultValue": "a7b1b19a-0e83-4fe5-935c-faaefbfd18c3",
+      "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "metadata": {
-        "description": "The AAD role id used for creating of the vFXT cluster.  This is the ID obtained using the following az command: az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'Avere Cluster Create'."
+        "description": "The AAD role id used for creation of the vFXT cluster.  The default GUID is the Owner built-in role.  However, we recommend you create your own role as described in https://github.com/Azure/Avere/tree/master/src/vfxt#managed-identity-and-roles.  After role creation, obtain the ID by using the following az command: az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'Avere Contributor'.  Microsoft employees use 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3'."
      }
    },
    "avereClusterRole": {
--- a/src/vfxt/src/base-template.json
+++ b/src/vfxt/src/base-template.json
@ -112,9 +112,9 @@
    },
    "avereCreateClusterRoleId": {
      "type": "string",
-      "defaultValue": "a7b1b19a-0e83-4fe5-935c-faaefbfd18c3",
+      "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "metadata": {
-        "description": "The AAD role id used for creating of the vFXT cluster.  This is the ID obtained using the following az command: az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'Avere Cluster Create'."
+        "description": "The AAD role id used for creation of the vFXT cluster.  The default GUID is the Owner built-in role.  However, we recommend you create your own role as described in https://github.com/Azure/Avere/tree/master/src/vfxt#managed-identity-and-roles.  After role creation, obtain the ID by using the following az command: az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'Avere Contributor'.  Microsoft employees use 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3'."
      }
    },
    "avereClusterRole": {
--- a/src/vfxt/src/createUiDefinition.json
+++ b/src/vfxt/src/createUiDefinition.json
@ -59,6 +59,29 @@
            "hidePassword": false
          },
          "osPlatform": "Linux"
+        },
+        {
+          "name": "textAADClusterCreateRole",
+          "type": "Microsoft.Common.TextBlock",
+          "visible": true,
+          "options": {
+            "text": "Please provide the AAD role GUID used to create the Avere vFXT.",
+            "link": {
+              "label": "Learn more",
+              "uri": "https://github.com/Azure/Avere/tree/master/src/vfxt#managed-identity-and-roles"
+            }
+          }
+        },
+        {
+          "name": "avereClusterCreateRoleId",
+          "type": "Microsoft.Common.TextBox",
+          "label": "Avere cluster create role ID",
+          "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+          "toolTip": "The AAD role id used for creation of the vFXT cluster.  The default is the 'Owner' role.  However, we recommend you create your own role as described in the managed identity documentation, and you obtain the GUID by using the following az command: az role definition list --query '[*].{roleName:roleName, name:name}' -o table --name 'Avere Contributor'.",
+          "constraints": {
+            "required": true
+          },
+          "visible": true
        }
      ],
      "steps": [
@ -223,55 +246,16 @@
              },
              "visible": true
            },
-            {
-              "name": "useAvereBackedStorageAccount",
-              "type": "Microsoft.Common.DropDown",
-              "label": "Use blob storage",
-              "defaultValue": "true",
-              "toolTip": "If true, create the storage account and use that for the backing storage account.  If false, the minimal Avere vFXT cluster will be created.",
-              "constraints": {
-                "allowedValues": [
-                  {
-                    "label": "true",
-                    "value": "true"
-                  },
-                  {
-                    "label": "false",
-                    "value": "false"
-                  }
-                ],
-                "required": true
-              },
-              "visible": true
-            },
-            {
-              "name": "avereBackedStorageAccountName",
-              "type": "Microsoft.Storage.StorageAccountSelector",
-              "label": "Storage account",
-              "toolTip": "A unique storage account to be created for backing the Avere vFXT.  If 'useAvereBackedStorageAccount' is set to false, this field is unused.",
-              "defaultValue": {
-                "type": "Standard_LRS"
-              },
-              "constraints": {
-                "allowedTypes": [
-                    "Standard_LRS"
-                ]
-              },
-              "options": {
-                "hideExisting": true
-              },
-              "visible": "[contains(steps('AvereVFXTConfiguration').useAvereBackedStorageAccount, 'true')]"
-            },
            {
              "name": "virtualNetwork",
              "type": "Microsoft.Network.VirtualNetworkCombo",
              "label": {
                "virtualNetwork": "Virtual network",
-                "subnets": "Subnets"
+                "subnets": "Subnet"
              },
              "toolTip": {
                "virtualNetwork": "Name of the virtual network",
-                "subnets": "Subnets for the virtual network"
+                "subnets": "Subnet for the virtual network"
              },
              "defaultValue": {
                "name": "VirtualNetwork",
@ -294,6 +278,39 @@
                  }
                }
              }
+            },
+            {
+              "name": "useAvereBackedStorageAccount",
+              "type": "Microsoft.Common.DropDown",
+              "label": "Use blob storage",
+              "defaultValue": "true",
+              "toolTip": "If true, create the storage account and use that for the backing storage account.  If false, the minimal Avere vFXT cluster will be created.",
+              "constraints": {
+                "allowedValues": [
+                  {
+                    "label": "true",
+                    "value": "true"
+                  },
+                  {
+                    "label": "false",
+                    "value": "false"
+                  }
+                ],
+                "required": true
+              },
+              "visible": true
+            },
+            {
+              "name": "avereBackedStorageAccountName",
+              "type": "Microsoft.Common.TextBox",
+              "label": "Storage account",
+              "toolTip": "A unique storage account to be created for backing the Avere vFXT.  If 'Use blob storage' is set to false, this field is unused.",
+              "constraints": {
+                "required": true,
+                "regex": "^[a-z0-9]{3,24}$",
+                "validationMessage": "The field can contain only lowercase letters and numbers.  Name must be between 3 and 24 characters."
+              },
+              "visible": "[contains(steps('AvereVFXTConfiguration').useAvereBackedStorageAccount, 'true')]"
            }
          ]
        }
@ -304,6 +321,7 @@
        "controllerAuthenticationType": "[basics('controllerSSHKeyData').authenticationType]",
        "controllerPassword": "[basics('controllerSSHKeyData').password]",
        "controllerSSHKeyData": "[basics('controllerSSHKeyData').sshPublicKey]",
+        "avereCreateClusterRoleId": "[basics('avereClusterCreateRoleId')]",
        
        "avereNodeCount": "[steps('AvereVFXTConfiguration').avereNodeCount]",
        "adminPassword": "[steps('AvereVFXTConfiguration').adminPassword]",
@ -311,14 +329,14 @@
        "avereClusterName": "[steps('AvereVFXTConfiguration').avereClusterName]",
        "avereInstanceType": "[steps('AvereVFXTConfiguration').avereInstanceType]",
        "avereCacheSizeGB": "[steps('AvereVFXTConfiguration').avereCacheSizeGB]",
-        "useAvereBackedStorageAccount": "[contains(steps('AvereVFXTConfiguration').useAvereBackedStorageAccount, 'true')]",
-        "avereBackedStorageAccountName": "[coalesce(steps('AvereVFXTConfiguration').avereBackedStorageAccountName.name,'nostorage')]",
        "createVirtualNetwork": "[contains(steps('AvereVFXTConfiguration').virtualNetwork.newOrExisting, 'new')]",
        "virtualNetworkResourceGroup": "[steps('AvereVFXTConfiguration').virtualNetwork.resourceGroup]",
        "virtualNetworkName": "[steps('AvereVFXTConfiguration').virtualNetwork.name]",
        "virtualNetworkSubnetName": "[steps('AvereVFXTConfiguration').virtualNetwork.subnets.subnet1.name]",
        "vnetAddressSpacePrefix": "[first(steps('AvereVFXTConfiguration').virtualNetwork.addressPrefixes)]",
-        "subnetAddressRangePrefix": "[steps('AvereVFXTConfiguration').virtualNetwork.subnets.subnet1.addressPrefix]"
+        "subnetAddressRangePrefix": "[steps('AvereVFXTConfiguration').virtualNetwork.subnets.subnet1.addressPrefix]",
+        "useAvereBackedStorageAccount": "[contains(steps('AvereVFXTConfiguration').useAvereBackedStorageAccount, 'true')]",
+        "avereBackedStorageAccountName": "[steps('AvereVFXTConfiguration').avereBackedStorageAccountName]"
      }
    }
  }
--- a/src/vfxt/src/marketplace.zip
+++ b/src/vfxt/src/marketplace.zip
--- a/src/vfxt/src/roles/AvereContributor.txt
+++ b/src/vfxt/src/roles/AvereContributor.txt
@ -1,36 +1,26 @@
-[
-  {
-    "Description": "Can create and manage an Avere vFXT cluster.",
-    "IsServiceRole": false,
-    "DataLayerProperty": {},
-    "IsBuiltIn": false,
-    "Name": "Avere Contributor",
-    "Permissions": [
-      {
-        Actions": [
-          "Microsoft.Authorization/*/read",
-          "Microsoft.Authorization/roleAssignments/*",
-          "Microsoft.Compute/*/read",
-          "Microsoft.Compute/availabilitySets/*",
-          "Microsoft.Compute/virtualMachines/*",
-          "Microsoft.Compute/disks/*",
-          "Microsoft.Network/*/read",
-          "Microsoft.Network/networkInterfaces/*",
-          "Microsoft.Network/virtualNetworks/subnets/join/action",
-          "Microsoft.Network/virtualNetworks/subnets/read",
-          "Microsoft.Resources/subscriptions/resourceGroups/read",
-          "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
-          "Microsoft.Storage/*/read",
-          "Microsoft.Storage/storageAccounts/listKeys/action"
-      ],
-        "NotActions": [],
-        "DataActions": [],
-        "NotDataActions": [],
-        "Condition": null
-      }
-    ],
-    "Scopes": [
-      "/"
-    ]
-  }
-]
+{
+  "AssignableScopes": [
+    "/subscriptions/<subscription here>"
+  ],
+  "Name": "Avere Contributor",
+  "IsCustom": true,
+  "Description": "Can create and manage an Avere vFXT cluster.",
+  "NotActions": [],
+  "Actions": [
+    "Microsoft.Authorization/*/read",
+    "Microsoft.Authorization/roleAssignments/*",
+    "Microsoft.Compute/*/read",
+    "Microsoft.Compute/availabilitySets/*",
+    "Microsoft.Compute/virtualMachines/*",
+    "Microsoft.Compute/disks/*",
+    "Microsoft.Network/*/read",
+    "Microsoft.Network/networkInterfaces/*",
+    "Microsoft.Network/virtualNetworks/subnets/join/action",
+    "Microsoft.Network/virtualNetworks/subnets/read",
+    "Microsoft.Resources/subscriptions/resourceGroups/read",
+    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
+    "Microsoft.Storage/*/read",
+    "Microsoft.Storage/storageAccounts/listKeys/action"
+  ],
+  "DataActions": []
+}
--- a/src/vfxt/src/roles/AvereOperator.txt
+++ b/src/vfxt/src/roles/AvereOperator.txt
@ -1,36 +1,27 @@
-[
-  {
-    "Description": "Used by the Avere vFXT cluster to manage the cluster",
-    "IsServiceRole": false,
-    "DataLayerProperty": {},
-    "IsBuiltIn": false,
-    "Name": "Avere Operator",
-    "Permissions": [
-      {
-        Actions": [
-          "Microsoft.Compute/virtualMachines/read",
-          "Microsoft.Network/networkInterfaces/read",
-          "Microsoft.Network/networkInterfaces/write",
-          "Microsoft.Network/virtualNetworks/subnets/read",
-          "Microsoft.Network/virtualNetworks/subnets/join/action",
-          "Microsoft.Network/networkSecurityGroups/join/action",
-          "Microsoft.Resources/subscriptions/resourceGroups/read",
-          "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
-          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-          "Microsoft.Storage/storageAccounts/blobServices/containers/write"
-        ],
-        "NotActions": [],
-        "DataActions": [
-          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
-          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
-          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
-        ],
-        "NotDataActions": [],
-        "Condition": null
-      }
+{
+    "AssignableScopes": [
+        "/subscriptions/<subscription here>"
    ],
-    "Scopes": [
-      "/"
+    "Name": "Avere Operator",
+    "IsCustom": "true",
+    "Description": "Used by the Avere vFXT cluster to manage the cluster",
+    "NotActions": [],
+    "Actions": [
+        "Microsoft.Compute/virtualMachines/read",
+        "Microsoft.Network/networkInterfaces/read",
+        "Microsoft.Network/networkInterfaces/write",
+        "Microsoft.Network/virtualNetworks/subnets/read",
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        "Microsoft.Network/networkSecurityGroups/join/action",
+        "Microsoft.Resources/subscriptions/resourceGroups/read",
+        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
+    ],
+    "DataActions": [
+        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ]
-  }
-]
+}
+