Reconcile main from Release 1.2 (#12)

* Added parameters and updated documentation to support other azure clouds and private endpoints.

* updated integration manifest with new properties.

* Updated to search across all subscriptions and tenants for discovery.

* fixed resource ID in api request

* fixed subscription resource identifier in API call.

* updated CHANGELOG

* Update generated README

Author: fiddlermikey

AzureAppGatewayOrchestrator.sln

@@ -1,11 +1,18 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
-VisualStudioVersion = 17.0.33130.402
+VisualStudioVersion = 17.7.34221.43
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureAppGatewayOrchestrator", "AzureAppGatewayOrchestrator\AzureAppGatewayOrchestrator.csproj", "{F091A1E1-7168-47EC-854D-A05B36E83A68}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AzureAppGatewayTest", "AzureAppGatewayTest\AzureAppGatewayTest.csproj", "{140A37F7-A02E-4FA2-BB52-A82080DA0423}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureAppGatewayTest", "AzureAppGatewayTest\AzureAppGatewayTest.csproj", "{140A37F7-A02E-4FA2-BB52-A82080DA0423}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{3D61BD61-AAD0-41E8-A41D-194FED668C42}"
+	ProjectSection(SolutionItems) = preProject
+		CHANGELOG.md = CHANGELOG.md
+		integration-manifest.json = integration-manifest.json
+		readme_source.md = readme_source.md
+	EndProjectSection
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution

AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net6.0</TargetFramework>
     <RootNamespace>Keyfactor.Extensions.Orchestrator.AzureAppGateway</RootNamespace>
     <AssemblyName>Keyfactor.Extensions.Orchestrators.AzureAppGW</AssemblyName>
     <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
@@ -11,7 +11,7 @@
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
     <DefineConstants></DefineConstants>
-    <BaseOutputPath>C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions\AzureAppGW</BaseOutputPath>
+    <BaseOutputPath></BaseOutputPath>
   </PropertyGroup>
 
   <ItemGroup>

AzureAppGatewayOrchestrator/Client/AzureAppGatewayClient.cs

@@ -13,6 +13,9 @@
 // limitations under the License.
 
 using Azure.Core;
+using Azure.Identity;
+using System;
+using System.Collections.Generic;
 
 namespace Keyfactor.Extensions.Orchestrator.AzureAppGateway.Client
 {
@@ -21,5 +24,26 @@ public class AzureProperties
         public string TenantId { get; set; }
         public string ApplicationId { get; set; }
         public string ClientSecret { get; set; }
+        public string AzureCloud { get; set; }
+        public string StorePath { get; set; }
+        public List<string> TenantIdsForDiscovery { get; set; }
+        public Uri AzureCloudEndpoint
+        {
+            get
+            {
+                switch (AzureCloud)
+                {
+
+                    case "china":
+                        return AzureAuthorityHosts.AzureChina;
+                    case "germany":
+                        return AzureAuthorityHosts.AzureGermany;
+                    case "government":
+                        return AzureAuthorityHosts.AzureGovernment;
+                    default:
+                        return AzureAuthorityHosts.AzurePublicCloud;
+                }
+            }
+        }
     }
 }

AzureAppGatewayOrchestrator/Client/AzureProperties.cs

@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System.Collections.Generic;
 using System.Runtime.CompilerServices;
 using Azure.Core;
 using Keyfactor.Extensions.Orchestrator.AzureAppGateway.Client;
@@ -34,18 +35,19 @@ protected void Initialize(CertificateStore details)
             logger.LogDebug($"Certificate Store Configuration: {JsonConvert.SerializeObject(details)}");
             logger.LogDebug("Initializing AzureAppGatewayClient");
             dynamic properties = JsonConvert.DeserializeObject(details.Properties);
-            
+
             AzureProperties azureProperties = new AzureProperties
             {
                 TenantId = details.ClientMachine,
                 ApplicationId = properties?.ServerUsername,
-                ClientSecret = properties?.ServerPassword
-            };
-            
-            GatewayClient = new AzureAppGatewayClient(azureProperties)
-            {
-                AppGatewayResourceId = new ResourceIdentifier(details.StorePath)
+                ClientSecret = properties?.ServerPassword,
+                AzureCloud = properties?.AzureCloud,
+                StorePath = details?.StorePath                
             };
+
+            azureProperties.AzureCloud = azureProperties.AzureCloud?.ToLower();
+
+            GatewayClient = new AzureAppGatewayClient(azureProperties);
         }
 
         protected void Initialize(DiscoveryJobConfiguration config)
@@ -57,9 +59,28 @@ protected void Initialize(DiscoveryJobConfiguration config)
             {
                 TenantId = config.ClientMachine,
                 ApplicationId = config.ServerUsername,
-                ClientSecret = config.ServerPassword
+                ClientSecret = config.ServerPassword,
+
             };
-            
+            logger.LogTrace("Discovery job - getting tenant ids from directories to search field.");
+            azureProperties.TenantIdsForDiscovery = new List<string>();
+            var dirs = config.JobProperties?["dirs"] as string;
+            logger.LogTrace($"Directories to search: {dirs}");
+
+            if (!string.IsNullOrEmpty(dirs))
+            {
+                // parse the list of tenant ids to perform discovery on                                        
+                azureProperties.TenantIdsForDiscovery.AddRange(dirs.Split(','));
+            }
+            else
+            {
+                // if it is empty, we use the default provided Tenant Id only
+                azureProperties.TenantIdsForDiscovery.Add(azureProperties.TenantId);
+            }
+
+            azureProperties.TenantIdsForDiscovery.ForEach(tId => tId = tId.Trim());
+            azureProperties.TenantId = azureProperties.TenantId ?? azureProperties.TenantIdsForDiscovery[0];
+
             GatewayClient = new AzureAppGatewayClient(azureProperties);
         }
     }

AzureAppGatewayOrchestrator/Jobs/AzureAppGatewayJob.cs

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 using System;
-using Azure.ResourceManager.Network.Models;
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;

AzureAppGatewayOrchestrator/Jobs/Management.cs

@@ -1,8 +1,8 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net6.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>

AzureAppGatewayTest/AzureAppGatewayTest.csproj

@@ -54,10 +54,7 @@ public Program()
                 ClientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET") ?? string.Empty
             };
 
-            Client = new AzureAppGatewayClient(properties)
-            {
-                AppGatewayResourceId = new ResourceIdentifier(Environment.GetEnvironmentVariable("AZURE_GATEWAY_RESOURCE_ID") ?? string.Empty)
-            };
+            Client = new AzureAppGatewayClient(properties);            
         }
 
         private AzureAppGatewayClient Client { get; }
@@ -67,7 +64,7 @@ public void TestGetCertificates()
             Console.Write("Getting App Gateway Certificates...\n");
             foreach (CurrentInventoryItem certInv in Client.GetAppGatewaySslCertificates())
             {
-                Console.Write($"    Found certificate called {certInv.Alias}\n");
+                Console.Write($"Found certificate called {certInv.Alias}\n");
             }
         }
 

AzureAppGatewayTest/Program.cs

@@ -1,2 +1,6 @@
-v1.1.0
-- First production release
+- 1.1.0
+  - First production release
+
+- 1.2.0
+  - Added support for additional Azure global cloud instances (Government, China, Germany)
+  - New store type property ("Azure Cloud")

CHANGELOG.md

@@ -16,7 +16,7 @@ The Universal Orchestrator is the successor to the Windows Orchestrator. This Or
 
 ## Support for Azure Application Gateway Orchestrator
 
-Azure Application Gateway Orchestrator is open source and there is **no SLA** for this tool/library/client. Keyfactor will address issues as resources become available. Keyfactor customers may request escalation by opening up a support ticket through their Keyfactor representative.
+Azure Application Gateway Orchestrator is open source and supported on best effort level for this tool/library/client.  This means customers can report Bugs, Feature Requests, Documentation amendment or questions as well as requests for customer information required for setup that needs Keyfactor access to obtain. Such requests do not follow normal SLA commitments for response or resolution. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com/
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -26,6 +26,10 @@ Azure Application Gateway Orchestrator is open source and there is **no SLA** fo
 
 
 
+## Keyfactor Version Supported
+
+The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1
+
 ## Platform Specific Notes
 
 The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
@@ -110,6 +114,22 @@ by Keyfactor Orchestrators. To create the Azure Application Gateway Certificate
          "DefaultValue": null,
          "Required": true
        },
+       {
+         "Name": "AzureCloud",
+         "DisplayName": "Azure Cloud",
+         "Type": "MultipleChoice",
+         "DependsOn": "",
+         "DefaultValue": "public,china,germany,government",
+         "Required": false
+       },
+       {
+         "Name": "PrivateEndpoint",
+         "DisplayName": "Private KeyVault Endpoint",
+         "Type": "String",
+         "DependsOn": "",
+         "DefaultValue": null,
+         "Required": false
+       },
        {
          "Name": "ServerUseSsl",
          "DisplayName": "Use SSL",
@@ -161,9 +181,14 @@ fill the form with the following values:
 | Store Path      | Application Gateway resource ID | Azure resource ID of the application gateway in the form `/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/applicationGateways/<application-gateway-name>` |
 | Server Username | Application ID                  | Application ID of the service principal that will be used to manage the Application Gateway                                                                                                                 |
 | Server Password | Client Secret                   | Secret of the service principal that will be used to manage the Application Gateway                                                                                                                         |
+| Azure Cloud | Azure Global Cloud Authority Host | The Azure Cloud field, if necessary, should contain one of the following values: "china, germany, government".  This is the Azure Cloud instance your organization uses.  If using the standard "public" cloud, this field can be left blank or omitted entirely from the store type definition. |
+| Private Endpoint | Azure Private Endpoint URL prefix | The Private Endpoint field should be used if you have a custom url assigned to your keyvault resources and they are not accessible via the standard endpoint associated with the Azure Cloud instance (\*.vault.azure.net, \*.vault.azure.cn, etc.).  This field should contain the base url for your vault instance(s), excluding the vault name.  If using the standard endpoints corresponding to your Azure Cloud instance, this field can be left blank or omitted entirely from the store type definition.|
 
 For the discovery job, populate the _Directories to search_ with any value. The extension will discover all Application Gateways accessible by the Azure Service Principal.
 
+> :warning: Discovery jobs are not supported for KeyVaults located outside of the Azure Public cloud or Keyvaults accessed via a private url endpoint.  
+> All other job types implemented by this integration are supported for alternate Azure clouds and private endpoints.
+
 ### Important note about Certificate Renewal
 The Azure Application Gateway Orchestrator extension supports certificate renewal. If a certificate is renewed and is associated with an HTTP Listener,
 the extension will automatically re-associate the renewed certificate with the listener. The renewal workflow is as follows: