Add Comment from review PR #1

.gitignore

@@ -2,7 +2,7 @@
 /dist/
 /lib/
 .pulumi
-/node_modules/
+node_modules/
 .DS_Store
 *.zip
 *.log

README.md

@@ -1,11 +1,11 @@
-# Azure ASC Pulumi Dynamic Provider (TS)
+# Pulumi Dynamic Provider for Azure App Service Certificate
 
-The goal of this library is to provide a simple way to provision and maintain ✨App Service Certificat✨, using Typescript/Javascript, with Pulumi.
+The goal of this library is to provide a simple way to provision and maintain ✨App Service Certificate✨, using Typescript/Javascript, with Pulumi.
 
-The reason why i create this provider is :
+The reason why I create this provider is :
 
--   with Azure Classic provider, is not possible to create an ASC (App Service Provider)
--   with Azure Native, Azure Rest API have a bug (https://github.com/pulumi/pulumi-azure-native/issues/1292)
+- with Azure Classic provider, it's not possible to create easily an ASC since the module is extremely limited in functionality
+- with Azure Native, Azure Rest API have a bug (https://github.com/pulumi/pulumi-azure-native/issues/1292)
 
 ## Requirement
 
@@ -35,20 +35,20 @@ Azure Native :
 
 ```yaml
 config:
-    azure-native:environment: public
-    azure-native:location: <location>
-    azure-native:subscriptionId: <xxxx-xxxx>
-    azure-native:tenantId: <xxxx-xxxx>
+  azure-native:environment: public
+  azure-native:location: <location>
+  azure-native:subscriptionId: <xxxx-xxxx>
+  azure-native:tenantId: <xxxx-xxxx>
 ```
 
 Azure Classic :
 
 ```yaml
 config:
-    azure:environment: public
-    azure:location: <location>
-    azure:subscriptionId: <xxxx-xxxx>
-    azure:tenantId: <xxxx-xxxx>
+  azure:environment: public
+  azure:location: <location>
+  azure:subscriptionId: <xxxx-xxxx>
+  azure:tenantId: <xxxx-xxxx>
 ```
 
 ### Execution Context
@@ -67,11 +67,11 @@ If you want to run your Pulumi in Github Action, it's work too.
 import * as azc from '@stawen/azure-certificate'
 
 export const cert = new azc.CertificateOrder({
-    fqdn: '*.foo.bar.domain.tld',
-    autoRenew: true,
-    suffix: '20230106',
-    resourceGroupName: rg.name,
-    keyVaultId: kv.id,
+  fqdn: '*.foo.bar.domain.tld',
+  autoRenew: true,
+  suffix: '20230106',
+  resourceGroupName: rg.name,
+  keyVaultId: kv.id,
 })
 ```
 
@@ -111,11 +111,11 @@ This names is based on the fqdn and the suffix properties
 import * as azc from '@stawen/azure-certificate'
 
 export const cert = new azc.AscCertificateOrder(`pulumi-certificate`, {
-    fqdn: '*.foo.bar.domain.tld',
-    autoRenew: true,
-    suffix: '20230106',
-    resourceGroupName: rg.name,
-    keyVaultId: kv.id,
+  fqdn: '*.foo.bar.domain.tld',
+  autoRenew: true,
+  suffix: '20230106',
+  resourceGroupName: rg.name,
+  keyVaultId: kv.id,
 })
 ```
 

examples/Pulumi.yaml

@@ -1,3 +1,3 @@
-name: app-services-cert
+name: app-services-cert-foo
 runtime: nodejs
 description: App-services-certificates Provider Examples

examples/README.md

@@ -4,7 +4,7 @@
 
 In this file, you must specify
 
-Azure Native :
+If you're using Azure Native :
 
 ```yaml
 config:
@@ -14,7 +14,7 @@ config:
   azure-native:tenantId: <xxxx-xxxx>
 ```
 
-Azure Classic :
+If you're using Azure Classic :
 
 ```yaml
 config:
@@ -24,12 +24,14 @@ config:
   azure:tenantId: <xxxx-xxxx>
 ```
 
-set your azure login name
+Set your Azure login name :
 
 ```yaml
 user:name: name@domain.tld
 ```
 
+You will need to set your name, otherwise you will not be able to access the keyvault because it is configured in AccessPolicy and not RBAC
+
 ## Init Pulumi project
 
 ```bash

examples/package.json

@@ -10,18 +10,13 @@
         "test": "npm run unit"
     },
     "devDependencies": {
-        "@types/node": "^14.14.37",
-        "@typescript-eslint/eslint-plugin": "^4.21.0",
-        "@typescript-eslint/parser": "^4.21.0",
-        "eslint": "^7.23.0",
-        "eslint-config-prettier": "^8.1.0",
-        "eslint-plugin-prettier": "^3.3.1",
-        "prettier": "^2.2.1"
+        "@types/node": "^14.14.37"
     },
     "dependencies": {
         "@pulumi/azure-native": "^1.89.1",
         "@pulumi/azuread": "^5.32.0",
         "@pulumi/pulumi": "^3.50.0",
-        "@stawen/azure-certificate": "^0.1.8"
+        "@stawen/azure-certificate": "^0.1.8",
+        "@pulumi/random": "^4.2.0"
     }
 }

examples/src/certificate.ts

@@ -1,5 +1,4 @@
 import * as pulumi from '@pulumi/pulumi'
-// import { CertificateOrder } from '../../src/ascCertificate'
 import * as asc from '@stawen/azure-certificate'
 
 import { kv, rg } from './kv'

examples/src/kv.ts

@@ -3,12 +3,12 @@ import * as resources from '@pulumi/azure-native/resources'
 import { keyvault as keyvaultEnums } from '@pulumi/azure-native/types/enums'
 import * as azuread from '@pulumi/azuread'
 import * as pulumi from '@pulumi/pulumi'
+import * as random from '@pulumi/random'
 
 export const tenantId = new pulumi.Config('azure-native').require('tenantId')
 const userName = new pulumi.Config('user').require('name')
 
-// Common ressource group
-const rgName = `rg-test-app-serv-cert`
+const rgName = `rg-app-serv-cert-foo`
 export const rg = new resources.ResourceGroup(rgName, {
     resourceGroupName: rgName,
 })
@@ -18,7 +18,7 @@ export const rg = new resources.ResourceGroup(rgName, {
 const certificateRegistration = azuread.getServicePrincipal({
     displayName: 'Microsoft.Azure.CertificateRegistration',
 })
-// Not sure mandatory, App Service can get a cert into this kv
+// ADD App Service Identity
 const azureAppServiceRegistration = azuread.getServicePrincipal({
     displayName: 'Microsoft Azure App Service',
 })
@@ -27,59 +27,66 @@ const userObjectId = azuread.getUser({
     userPrincipalName: userName,
 })
 
-const kvname = `kv-test-asc-foobar`
+const randomSuffix = new random.RandomString(`kv-rnd-name`, {
+    length: 5,
+    upper: false,
+    special: false,
+})
+
+export const kvName = pulumi.interpolate`kv-test-asc-${randomSuffix.result}`
 
-export const kv = new keyvault.Vault(
-    kvname,
-    {
-        vaultName: kvname,
-        resourceGroupName: rg.name,
-        properties: {
-            accessPolicies: [
-                {
-                    objectId: certificateRegistration.then((sp) => sp.id),
-                    permissions: {
-                        secrets: [keyvaultEnums.SecretPermissions.All],
-                        certificates: [keyvaultEnums.CertificatePermissions.All],
+export const kv = kvName.apply((name) => {
+    return new keyvault.Vault(
+        name,
+        {
+            vaultName: name,
+            resourceGroupName: rg.name,
+            properties: {
+                accessPolicies: [
+                    {
+                        objectId: certificateRegistration.then((sp) => sp.id),
+                        permissions: {
+                            secrets: [keyvaultEnums.SecretPermissions.All],
+                            certificates: [keyvaultEnums.CertificatePermissions.All],
+                        },
+                        tenantId: tenantId,
                     },
-                    tenantId: tenantId,
-                },
-                {
-                    objectId: azureAppServiceRegistration.then((sp) => sp.id),
-                    permissions: {
-                        secrets: [keyvaultEnums.SecretPermissions.Get],
-                        certificates: [keyvaultEnums.CertificatePermissions.Get],
+                    {
+                        objectId: azureAppServiceRegistration.then((sp) => sp.id),
+                        permissions: {
+                            secrets: [keyvaultEnums.SecretPermissions.Get],
+                            certificates: [keyvaultEnums.CertificatePermissions.Get],
+                        },
+                        tenantId: tenantId,
                     },
-                    tenantId: tenantId,
-                },
-                {
-                    objectId: userObjectId.then((o) => o.id), // Your User Object ID
-                    // objectId: '10a78cce-ec22-4726-8478-4eb1906192a5', // My User Object ID
-                    permissions: {
-                        certificates: [keyvaultEnums.CertificatePermissions.All],
-                        keys: [keyvaultEnums.KeyPermissions.All],
-                        secrets: [keyvaultEnums.SecretPermissions.All],
+                    {
+                        objectId: userObjectId.then((o) => o.id), // It's Your User Object ID
+                        permissions: {
+                            certificates: [keyvaultEnums.CertificatePermissions.All],
+                            keys: [keyvaultEnums.KeyPermissions.All],
+                            secrets: [keyvaultEnums.SecretPermissions.All],
+                        },
+                        tenantId: tenantId,
                     },
-                    tenantId: tenantId,
+                ],
+                enabledForDeployment: true,
+                enabledForDiskEncryption: true,
+                enabledForTemplateDeployment: true,
+                enableSoftDelete: true,
+
+                enableRbacAuthorization: false,
+                networkAcls: {
+                    defaultAction: keyvaultEnums.NetworkRuleAction.Deny,
+                    bypass: keyvaultEnums.NetworkRuleBypassOptions.AzureServices,
                 },
-            ],
-            enabledForDeployment: true,
-            enabledForDiskEncryption: true,
-            enabledForTemplateDeployment: true,
-            enableSoftDelete: true,
-            // enablePurgeProtection: false,
-            enableRbacAuthorization: false,
-            networkAcls: {
-                defaultAction: keyvaultEnums.NetworkRuleAction.Deny,
-                bypass: keyvaultEnums.NetworkRuleBypassOptions.AzureServices,
-            },
 
-            sku: {
-                family: keyvaultEnums.SkuFamily.A,
-                name: keyvaultEnums.SkuName.Standard,
+                sku: {
+                    family: keyvaultEnums.SkuFamily.A,
+                    name: keyvaultEnums.SkuName.Standard,
+                },
+                tenantId,
             },
-            tenantId,
         },
-    },
-    { ignoreChanges: ['properties'] },
-)
+        { ignoreChanges: ['properties'] },
+    )
+})