Add Azure PostgreSQL managed identity #5930
Conversation
Similar to dotnet#5930, we add a new API pattern for working with Azure resources that may also be local containers. - Add a new API to replace AsAzure and PublishAsAzure. This creates an Azure resource to start, so it can be configured like other azure resources. Since this is a new API, we can use managed identity by default. - Add an API to convert managed identity to password based auth, so users can still go that route if they need to. - Add RunAsContainer following the RunAsEmulator model. This allows local development against a Redis container and publish to go to a managed Azure Cache for Redis. Fix dotnet#5794
1c73ff2 to 38f0274
* Support Managed Identity in Azure Cache for Redis Similar to #5930, we add a new API pattern for working with Azure resources that may also be local containers. - Add a new API to replace AsAzure and PublishAsAzure. This creates an Azure resource to start, so it can be configured like other azure resources. Since this is a new API, we can use managed identity by default. - Add an API to convert managed identity to password based auth, so users can still go that route if they need to. - Add RunAsContainer following the RunAsEmulator model. This allows local development against a Redis container and publish to go to a managed Azure Cache for Redis. Fix #5794
@eerhardt is this something you want to get in for 9.0 or 9.x?
The downside of this approach is composability of resources. Let's say I wanted to have a resource that depended on a Postgres database instance. With this change the implementor of that would need to have extensions for each cloud provider (unless they just allow any IResourceWithConnectionString).
That can be solved with an IPostgresResource interface right?
9.0. Azure PostgreSQL should support managed identity (dotnet/aspire#5793) is in the 9.0 milestone. |
We already have a "composability of resources" problem with the current API. You can't call
Yes, we can add that, if necessary.
a5d6f5d to c272c30
- Add a new API to replace AsAzure and PublishAsAzure. This creates an Azure resource to start, so it can be configured like other azure resources. Since this is a new API, we can use managed identity by default. - Add an API to convert managed identity to password based auth, so users can still go that route if they need to. - Add RunAsContainer following the RunAsEmulator model. This allows local development against a PostgreSQL container and publish to go to a managed Azure PostgreSQL flexible server. Fix dotnet#5793
Add Obsolete to old APIs
Fix up playground apps.
c272c30 to e3e903a
This PR is ready for review. I believe I have everything ready for this to be merged.
@@ -98,7 +99,7 @@ param outputs_azure_container_apps_environment_id string | |||
} | |||
} | |||
"""; | |||
|
|||
output.WriteLine(bicep); |
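Review bot: the added `output.WriteLine(bicep);` carries no comment saying why the generated bicep is dumped to the test output, so a later reader cannot tell whether it is leftover debugging or intentional. Suggest a one-line comment above it, e.g. `// Write the generated bicep to the test log so the expected string can be refreshed when the template changes`, so the intent survives without needing this review thread.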
?
You want this for when the bicep changes and you need to update it. You can copy and paste the new output from the test log
I believe it would be good to add an
var pg = builder.AddPostgres("postgres2", administratorLogin, administratorLoginPassword) | ||
.AsAzurePostgresFlexibleServer() | ||
var pg = builder.AddAzurePostgresFlexibleServer("postgres2") | ||
.WithPasswordAuth(administratorLogin, administratorLoginPassword) |
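Review bot: `WithPasswordAuth` on the new line abbreviates where the Redis counterpart on this branch spells out `DisableAccessKeyAuthentication`; `WithPasswordAuthentication` keeps the two consistent and follows the full-word convention. Since `administratorLogin` and `administratorLoginPassword` are no longer consumed by `AddPostgres` and the hunk does not show where they come from, it is also worth confirming they are still parameter resources rather than inline strings, so the password does not end up in the app model or in source.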
Should this be WithPasswordAuthentication?
The reason I chose these names (WithPasswordAuth here and WithAccessKeyAuth in Redis) is because they match the APIs from Azure.Provisioning (which I assume just match the names in the rest API).
aspire/src/Aspire.Hosting.Azure.PostgreSQL/AzurePostgresExtensions.cs, lines 192 to 196 in e3e903a:
postgres.AuthConfig = new PostgreSqlFlexibleServerAuthConfig()
{
    ActiveDirectoryAuth = PostgreSqlFlexibleServerActiveDirectoryAuthEnum.Enabled,
    PasswordAuth = PostgreSqlFlexibleServerPasswordAuthEnum.Disabled
};
But looking again at Redis, the name is DisableAccessKeyAuthentication, which is inconsistent with the above Postgres APIs. So it is probably better we just completely follow .NET Design Guidelines with our APIs here and use full words.
FYI - @tg-msft. I'm assuming this isn't something we can change/fix in Azure.Provisioning since it is just generated from the service APIs / typespec.
We should do an API review, WithAccessKey is not intuitive. We should take the liberty here to add some opinions to this layer of the stack. We can do this in a follow up PR.
WithAccessKey is not intuitive
Where is that? For Redis it is:
var redis = builder.AddAzureRedis("cache")
    .WithAccessKeyAuthentication();
now that I renamed Auth to be Authentication.
@philon-msft - is there a reason that the portal / ARM use the term "access key"?
Azure Redis doesn't let you choose your own (like a "password") - instead it generates one for you (more like an "access key").
So in general Redis terminology it's a password, but for Azure Redis it's an access key.
Correct, it's passwordAuth on the wire and we're not looking to deviate from our automated translation of the existing ARM experience. There's no way Azure.Provisioning would scale to all of Azure otherwise.
Azure Redis doesn't let you choose your own (like a "password") - instead it generates one for you (more like an "access key"). So in general Redis terminology it's a password, but for Azure Redis it's an access key.
Does Azure Redis let me add users with their own passwords and ACLs?
Not standard Redis users+passwords, but you can add Entra users/apps/ManagedIdentities and assign them to roles for ACL functionality. See doc for the Entra experience
Overall I think this looks good. I do think that there is another approach we could take here (just putting it out there for sake of completeness). We could do this:
var builder = DistributedApplication.Create(args);
var db = builder.AddPostgres("pgsql").AsAzure(out var azpgsql).AddDatabase("db");
azpgsql.DoAzureyApiStuff();
Folks have historically avoided out vars but we see them a lot more these days. All that said I think your approach here is fine.
lgtm
Opened Add interfaces to PostgreSQL, Redis, and SqlServer Hosting Resources (dotnet/aspire#6055)
Description
Add a new API to replace AsAzure and PublishAsAzure. This creates an Azure resource to start, so it can be configured like other azure resources. Since this is a new API, we can use managed identity by default.
Add an API to convert managed identity to password based auth, so users can still go that route if they need to.
Add RunAsContainer following the RunAsEmulator model. This allows local development against a PostgreSQL container and publish to go to a managed Azure PostgreSQL flexible server.
Fix #5793
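An added example of an AppHost that uses the API pattern described above; it is not code from this PR or from the aspire repository. It assumes the post-rename method name WithPasswordAuthentication discussed in the review thread, that the two credentials are supplied as parameter resources (the playground's administratorLogin / administratorLoginPassword), and a placeholder project type Projects.Api. The point it makes: the default resource carries no password at all, a local container stands in during development, and password authentication is an explicit opt-in fed from secret parameters rather than literals.

```csharp
// Added example (hypothetical AppHost Program.cs), not the PR's own code.
var builder = DistributedApplication.CreateBuilder(args);

// New API shape from this PR: the resource is an Azure PostgreSQL flexible
// server from the start, so managed identity (Entra) auth is the default and
// no administrator password exists in the app model. RunAsContainer swaps in
// a local PostgreSQL container when the app is run locally, while publish
// still targets the managed flexible server.
var pg = builder.AddAzurePostgresFlexibleServer("postgres")
    .RunAsContainer();

var db = pg.AddDatabase("db");

// Opt-in path for consumers that cannot use managed identity. The credentials
// are parameter resources (secret: true keeps the password out of the manifest
// and out of source); never pass string literals here.
var administratorLogin = builder.AddParameter("pg-admin-login");
var administratorLoginPassword = builder.AddParameter("pg-admin-password", secret: true);

var legacyPg = builder.AddAzurePostgresFlexibleServer("postgres-legacy")
    .WithPasswordAuthentication(administratorLogin, administratorLoginPassword)
    .RunAsContainer();

var legacyDb = legacyPg.AddDatabase("legacydb");

// Projects.Api is a placeholder for a real service project reference.
builder.AddProject<Projects.Api>("api")
    .WithReference(db)
    .WithReference(legacyDb);

builder.Build().Run();
```

Reviewing an AppHost like this, the thing to check is that every AddAzurePostgresFlexibleServer call without WithPasswordAuthentication is the intended default, and that any call with it takes parameters, not constants.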