Add run as deployment using identity/keyvault sample (#316)

* Add run as deployment using identity/keyvault sample
2019-12-11 20:29:07 -08:00 · 2019-12-11 20:29:07 -08:00 · 8b0dca295b
--- a/docs/tasks/run-as-deployment/README.md
+++ b/docs/tasks/run-as-deployment/README.md
@ -7,6 +7,7 @@ title: Deploy with ARM templates
 The following set of samples show how to use an ARM template to execute various Task workflows.

 1. [Deploy a docker build on an existing registry](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuild-on-existing-registry)
+1. [Deploy a docker build on an existing registry using identity and keyvault](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault)
 1. [Create a Registry and perform a docker build from a GitHub repository](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuild)
 1. [Create a Registry and perform a docker build from a GitHub repository with a Managed Identity](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuild)
 1. [Create a registry and schedule a quick task with task definition as an argument](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickrun)
--- a/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/README.md
+++ b/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/README.md
@ -0,0 +1,83 @@
+# Quick Docker build using identity and keyvault
+
+## Create a resource group
+
+```bash
+az group create \
+  -n mytaskrunrg \
+  -l westus
+```
+
+## Create a Registry
+
+```bash
+az acr create \
+   -n myreg -g mytaskrunrg --sku Standard
+```
+
+## Create a Custom Registry and enable the admin user
+
+```bash
+az acr create \
+   -n mycustomreg -g mytaskrunrg --sku Standard --admin-enabled true
+```
+
+## Create a User Identity
+
+```bash
+az identity create \
+  -g mytaskrunrg \
+  -n myquickdockerbuildrunwithidentity
+```
+
+## Create KeyVault
+
+```bash
+az keyvault create --name mykeyvault --resource-group mytaskrunrg --location eastus2
+```
+
+## Save registry username/password in the keyvault
+
+```bash
+#Get password of admin user
+password=$(az acr credential show --name mycustomreg --query passwords[0].value --output tsv)
+
+az keyvault secret set --name username --value mycustomreg --vault-name mykeyvault
+az keyvault secret set --name password --value $password --vault-name mykeyvault
+```
+
+## Grant identity access to key vault (object-id is the Object ID of managed identity)
+```bash
+#Get principal id of the identity
+principalId=$(az identity show --resource-group mytaskrunrg --name myquickdockerbuildrunwithidentity --query principalId --output tsv)
+
+az keyvault set-policy --name mykeyvault --resource-group mytaskrunrg --object-id $principalId --secret-permissions get 
+```
+
+## Deploy a quick run
+
+```bash
+#Get the custom registry name
+customregistryName=$(az acr show -n mycustomreg --query loginServer --output tsv)
+
+#Get the KeyVault UserName Url
+userNameUrl=$(az keyvault secret show --name username --vault-name mykeyvault --query id --output tsv)
+
+#Get the KeyVault Password Url
+passwordUrl=$(az keyvault secret show --name password --vault-name mykeyvault --query id --output tsv)
+
+#Get the ID of ManagedIdentity
+managedId=$(az identity show --resource-group mytaskrunrg --name myquickdockerbuildrunwithidentity --query id --output tsv)
+
+az group deployment create --resource-group "mytaskrunrg" --template-file azuredeploy.json \
+	--parameters azuredeploy.parameters.json \
+	--parameters registryName="myreg" \
+	--parameters taskRunName="mytaskrun" \
+	--parameters customRegistryName=$customregistryName \
+	--parameters userNameUrl=$userNameUrl \
+	--parameters userPasswordUrl=$passwordUrl \
+	--parameters repository="hello-world" \
+	--parameters managedIdResourceId=$managedIdResourceId \
+	--parameters sourceLocation="https://github.com/Azure-Samples/acr-build-helloworld-node.git"
+```
+
--- a/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/azuredeploy.json
+++ b/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/azuredeploy.json
@ -0,0 +1,135 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    },
+    "registryName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of your Azure Container Registry"
+      }
+    },
+    "taskRunName": {
+      "type": "string",
+      "minLength": 5,
+      "maxLength": 50,
+      "metadata": {
+        "description": "Name of your Task Run"
+      }
+    },
+    "userNameUrl": {
+      "type": "string",
+      "metadata": {
+        "description": "The keyvault Url to the UserName"
+      }
+    },
+    "userPasswordUrl": {
+      "type": "string",
+      "metadata": {
+        "description": "The keyvault Url to the Password"
+      }
+    },
+    "customRegistryName": {
+      "type": "string",
+      "metadata": {
+        "description": "The full name of the Custom Registry"
+      }
+    },
+    "repository": {
+      "type": "string",
+      "metadata": {
+        "description": "Repository name for the the build output"
+      }
+    },
+    "sourceLocation": {
+      "type": "string",
+      "metadata": {
+        "description": "The location of the source to build the image"
+      }
+    },
+    "dockerFilePath": {
+      "type": "string",
+      "metadata": {
+        "description": "The relative path of the dockerfile in the source location"
+      },
+      "defaultValue": "Dockerfile"
+    },
+    "managedIdResourceId": {
+      "type": "string",
+      "metadata": {
+        "description": "The Full Path Of ManagedIdentity"
+      }
+    }
+  },
+  "variables": {
+    "imageName": "[concat(parameters('repository'), ':', parameters('taskRunName'))]",
+    "idApiVersion": "[first(providers('Microsoft.ManagedIdentity', 'userAssignedIdentities').apiVersions)]"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.ContainerRegistry/registries/taskRuns/",
+      "name": "[concat(parameters('registryName'), '/', parameters('taskRunName'))]",
+      "location": "[parameters('location')]",
+      "apiVersion": "2019-06-01-preview",
+      "identity": {
+        "principalId": null,
+        "tenantId": null,
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+          "[parameters('managedIdResourceId')]": {}
+        }
+      },
+      "properties": {
+        "runRequest": {
+          "type": "DockerBuildRequest",
+          "imageNames": [
+            "[variables('imageName')]"
+          ],
+          "sourceLocation": "[parameters('sourceLocation')]",
+          "dockerFilePath": "[parameters('dockerFilePath')]",
+          "values": [],
+          "isPushEnabled": true,
+          "platform": {
+            "os": "linux",
+            "architecture": "amd64"
+          },
+          "credentials": {
+            "apiVersion": "2018-09-01",
+            "customRegistries": {
+              "[parameters('customRegistryName')]": {
+                "userName": {
+                  "type": "Vaultsecret",
+                  "value": "[parameters('userNameUrl')]"
+                },
+                "passsword": {
+                  "type": "Vaultsecret",
+                  "value": "[parameters('userPasswordUrl')]"
+                },
+                "identity": "[reference(parameters('managedIdResourceId'), variables('idApiVersion'), 'Full').properties.clientId]"
+              }
+            },
+            "sourceRegistry": {
+              "loginMode": "Default"
+            }
+          }
+        }
+      }
+    }
+  ],
+  "outputs": {
+    "registry": {
+      "type": "string",
+      "value": "[parameters('registryName')]"
+    },
+    "repository": {
+      "type": "string",
+      "value": "[parameters('taskRunName')]"
+    }
+  }
+}
--- a/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/azuredeploy.parameters.json
+++ b/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/azuredeploy.parameters.json
@ -0,0 +1,12 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+      "registryName": {
+        "value": "mytaskrunregistry"
+      },
+      "taskRunName": {
+        "value": "myquickdockerbuildrun"
+      }
+    }
+  }