scenario-notebooks/Hunting-Notebooks/Hunting-AzureResourceProvisioning.ipynb

{ "cells": [ { "cell_type": "markdown", "source": [ "# Hunting - Azure Resources Provisioning\n", "\n", "__Notebook Version:__ 1.0 \n", "__Python Version:__ Python 3.8 \n", "__Apache Spark Version:__ 3.1 \n", "__Required Packages:__ No \n", "__Platforms Supported:__ Azure Synapse Analytics\n", " \n", "__Data Source Required:__ No \n", " \n", "### Description\n", "This notebook provides step-by-step instructions and sample code to provision Azure Key Vault. \n", "*** Please run the cells sequentially to avoid errors. Please do not use \"run all cells\". *** \n", "\n", "## Table of Contents\n", "1. Warm-up\n", "2. Azure Authentication\n", "3. Create Azure Key Vault" ], "metadata": {} }, { "cell_type": "markdown", "source": [ "## 1. Warm-up" ], "metadata": {} }, { "cell_type": "code", "source": [ "# Load Python libraries that will be used in this notebook\n", "from azure.identity import AzureCliCredential, DefaultAzureCredential, ClientSecretCredential, DeviceCodeCredential\n", "from azure.core.exceptions import HttpResponseError \n", "\n", "from datetime import datetime, timezone, timedelta\n", "import pandas as pd\n", "import json\n", "import ipywidgets\n", "from IPython.display import display, HTML, Markdown" ], "outputs": [], "execution_count": null, "metadata": { "gather": { "logged": 1690302564605 } } }, { "cell_type": "markdown", "source": [ "## 2. Azure Authentication" ], "metadata": {} }, { "cell_type": "code", "source": [ "credential = DeviceCodeCredential()" ], "outputs": [], "execution_count": null, "metadata": { "jupyter": { "source_hidden": false, "outputs_hidden": false }, "nteract": { "transient": { "deleting": false } } } }, { "cell_type": "markdown", "source": [ "## 3. Create Azure Key Vault" ], "metadata": { "nteract": { "transient": { "deleting": false } } } }, { "cell_type": "code", "source": [ "akv_json_string = \"\"\"\r\n", "{\r\n", " \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n", " \"contentVersion\": \"1.0.0.0\",\r\n", " \"metadata\": {\r\n", " \"_generator\": {\r\n", " \"name\": \"bicep\",\r\n", " \"version\": \"0.4.1008.15138\",\r\n", " \"templateHash\": \"9483075037702199064\"\r\n", " }\r\n", " },\r\n", " \"parameters\": {\r\n", " \"keyVaultName\": {\r\n", " \"type\": \"string\",\r\n", " \"defaultValue\": \"kvforsentinelhunting\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the name of the key vault.\"\r\n", " }\r\n", " },\r\n", " \"location\": {\r\n", " \"type\": \"string\",\r\n", " \"defaultValue\": \"[resourceGroup().location]\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the Azure location where the key vault should be created.\"\r\n", " }\r\n", " },\r\n", " \"enabledForDeployment\": {\r\n", " \"type\": \"bool\",\r\n", " \"defaultValue\": false,\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.\"\r\n", " }\r\n", " },\r\n", " \"enableSoftDelete\": {\r\n", " \"type\": \"bool\",\r\n", " \"defaultValue\": false,\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies whether the soft delete functionality is enabled for this key vault.\"\r\n", " }\r\n", " },\r\n", " \"enabledForDiskEncryption\": {\r\n", " \"type\": \"bool\",\r\n", " \"defaultValue\": false,\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.\"\r\n", " }\r\n", " },\r\n", " \"enabledForTemplateDeployment\": {\r\n", " \"type\": \"bool\",\r\n", " \"defaultValue\": false,\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.\"\r\n", " }\r\n", " },\r\n", " \"tenantId\": {\r\n", " \"type\": \"string\",\r\n", " \"defaultValue\": \"[subscription().tenantId]\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.\"\r\n", " }\r\n", " },\r\n", " \"spObjectId\": {\r\n", " \"type\": \"string\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the object ID of Synapse workspace.\"\r\n", " }\r\n", " },\r\n", " \"userObjectId\": {\r\n", " \"type\": \"string\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the object ID of a user in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets.\"\r\n", " }\r\n", " },\r\n", " \"keysPermissions\": {\r\n", " \"type\": \"array\",\r\n", " \"defaultValue\": [\"list\"],\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge.\"\r\n", " }\r\n", " },\r\n", " \"secretsPermissions\": {\r\n", " \"type\": \"array\",\r\n", " \"defaultValue\": [\"list\", \"get\", \"set\"],\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge.\"\r\n", " }\r\n", " },\r\n", " \"skuName\": {\r\n", " \"type\": \"string\",\r\n", " \"defaultValue\": \"standard\",\r\n", " \"allowedValues\": [\"standard\", \"premium\"],\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies whether the key vault is a standard vault or a premium vault.\"\r\n", " }\r\n", " },\r\n", " \"clientIdName\": {\r\n", " \"type\": \"string\",\r\n", " \"defaultValue\": \"clientid\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the name of the secret that you want to create.\"\r\n", " }\r\n", " },\r\n", " \"clientIdValue\": {\r\n", " \"type\": \"secureString\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the value of the secret that you want to create.\"\r\n", " }\r\n", " },\r\n", " \"clientSecretName\": {\r\n", " \"type\": \"string\",\r\n", " \"defaultValue\": \"clientsecret\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the name of the secret that you want to create.\"\r\n", " }\r\n", " },\r\n", " \"clientSecretValue\": {\r\n", " \"type\": \"secureString\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the value of the secret that you want to create.\"\r\n", " }\r\n", " },\r\n", " \"entAppObjectId\": {\r\n", " \"type\": \"string\",\r\n", " \"metadata\": {\r\n", " \"description\": \"Specifies the value of Enterprise Application object id.\"\r\n", " }\r\n", " }\r\n", " },\r\n", " \"functions\": [],\r\n", " \"variables\": {\r\n", " \"SentinelObjectId\": \"35700b08-27a2-4e14-b588-8dc8d05f9621\"\r\n", " },\r\n", " \"resources\": [\r\n", " {\r\n", " \"type\": \"Microsoft.KeyVault/vaults\",\r\n", " \"apiVersion\": \"2021-10-01\",\r\n", " \"name\": \"[parameters('keyVaultName')]\",\r\n", " \"location\": \"[parameters('location')]\",\r\n", " \"properties\": {\r\n", " \"enabledForDeployment\": \"[parameters('enabledForDeployment')]\",\r\n", " \"enabledForDiskEncryption\": \"[parameters('enabledForDiskEncryption')]\",\r\n", " \"enabledForTemplateDeployment\": \"[parameters('enabledForTemplateDeployment')]\",\r\n", " \"enableSoftDelete\": \"[parameters('enableSoftDelete')]\",\r\n", " \"tenantId\": \"[parameters('tenantId')]\",\r\n", " \"accessPolicies\": [\r\n", " {\r\n", " \"objectId\": \"[parameters('entAppObjectId')]\",\r\n", " \"tenantId\": \"[parameters('tenantId')]\",\r\n", " \"permissions\": {\r\n", " \"secrets\": \"[parameters('secretsPermissions')]\"\r\n", " }\r\n", " },\r\n", " {\r\n", " \"objectId\": \"[parameters('spObjectId')]\",\r\n", " \"tenantId\": \"[parameters('tenantId')]\",\r\n", " \"permissions\": {\r\n", " \"keys\": \"[parameters('keysPermissions')]\",\r\n", " \"secrets\": \"[parameters('secretsPermissions')]\"\r\n", " }\r\n", " },\r\n", " {\r\n", " \"objectId\": \"[variables('SentinelObjectId')]\",\r\n", " \"tenantId\": \"[parameters('tenantId')]\",\r\n", " \"permissions\": {\r\n", " \"keys\": \"[parameters('keysPermissions')]\",\r\n", " \"secrets\": \"[parameters('secretsPermissions')]\"\r\n", " }\r\n", " },\r\n", " {\r\n", " \"objectId\": \"[parameters('userObjectId')]\",\r\n", " \"tenantId\": \"[parameters('tenantId')]\",\r\n", " \"permissions\": {\r\n", " \"keys\": \"[parameters('keysPermissions')]\",\r\n", " \"secrets\": \"[parameters('secretsPermissions')]\"\r\n", " }\r\n", " }\r\n", " ],\r\n", " \"sku\": {\r\n", " \"name\": \"[parameters('skuName')]\",\r\n", " \"family\": \"A\"\r\n", " },\r\n", " \"networkAcls\": {\r\n", " \"defaultAction\": \"Allow\",\r\n", " \"bypass\": \"AzureServices\"\r\n", " }\r\n", " }\r\n", " },\r\n", " {\r\n", " \"type\": \"Microsoft.KeyVault/vaults/secrets\",\r\n", " \"apiVersion\": \"2021-10-01\",\r\n", " \"name\": \"[format('{0}/{1}', parameters('keyVaultName'), parameters('clientIdName'))]\",\r\n", " \"properties\": {\r\n", " \"value\": \"[parameters('clientIdValue')]\"\r\n", " },\r\n", " \"dependsOn\": [\"[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]\"]\r\n", " },\r\n", " {\r\n", " \"type\": \"Microsoft.KeyVault/vaults/secrets\",\r\n", " \"apiVersion\": \"2021-10-01\",\r\n", " \"name\": \"[format('{0}/{1}', parameters('keyVaultName'), parameters('clientSecretName'))]\",\r\n", " \"properties\": {\r\n", " \"value\": \"[parameters('clientSecretValue')]\"\r\n", " },\r\n", " \"dependsOn\": [\"[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]\"]\r\n", " }\r\n", " ]\r\n", "}\r\n", "\r\n", "\"\"\"" ], "outputs": [], "execution_count": null, "metadata": { "jupyter": { "source_hidden": false, "outputs_hidden": false }, "nteract": { "transient": { "deleting": false } }, "gather": { "logged": 1690304357739 } } }, { "cell_type": "code", "source": [ "# User inputs \r\n", "tenant_id = \"\"\r\n", "subscription_id = \"\"\r\n", "resource_group_name = \"\"\r\n", "location = \"\"\r\n", "\r\n", "kayvault_name = \"\"\r\n", "synapse_workspace_object_id = \"\"\r\n", "user_object_id = \"\"\r\n", "ent_app_object_id = \"\"" ], "outputs": [], "execution_count": null, "metadata": { "jupyter": { "source_hidden": false, "outputs_hidden": false }, "nteract": { "transient": { "deleting": false } } } }, { "cell_type": "code", "source": [ "client_id_value = \"\r\n", "client_secret_value = \"\"" ], "outputs": [], "execution_count": null, "metadata": { "jupyter": { "source_hidden": false, "outputs_hidden": false }, "nteract": { "transient": { "deleting": false } } } }, { "cell_type": "code", "source": [ "from azure.mgmt.resource import ResourceManagementClient\r\n", "from azure.mgmt.resource.resources.models import DeploymentMode\r\n", "\r\n", "resource_client = ResourceManagementClient(credential, subscription_id)\r\n", "template_body = json.loads(akv_json_string)\r\n", "\r\n", "rg_deployment_result = resource_client.deployments.begin_create_or_update(\r\n", " resource_group_name,\r\n", " \"exampleDeployment\",\r\n", " {\r\n", " \"properties\": {\r\n", " \"template\": template_body,\r\n", " \"parameters\": {\r\n", " \"location\": {\r\n", " \"value\": location\r\n", " },\r\n", " \"KeyvaultName\": {\r\n", " \"value\": kayvault_name\r\n", " },\r\n", " \"spObjectId\": {\r\n", " \"value\": synapse_workspace_object_id\r\n", " },\r\n", " \"userObjectId\": {\r\n", " \"value\": user_object_id\r\n", " },\r\n", " \"entAppObjectId\": {\r\n", " \"value\": ent_app_object_id\r\n", " },\r\n", " \"clientIdValue\": {\r\n", " \"value\": client_id_value\r\n", " },\r\n", " \"clientSecretValue\": {\r\n", " \"value\": client_secret_value\r\n", " }\r\n", " },\r\n", " \"mode\": DeploymentMode.incremental\r\n", " }\r\n", " }\r\n", ")" ], "outputs": [], "execution_count": null, "metadata": { "jupyter": { "source_hidden": false, "outputs_hidden": false }, "nteract": { "transient": { "deleting": false } }, "gather": { "logged": 1690304363715 } } }, { "cell_type": "code", "source": [ "if rg_deployment_result.status() != \"Succeeded\":\r\n", " print(rg_deployment_result.status())\r\n", " print('Run the cell until stauts=Succeeded or when you see Failed.')\r\n", "else:\r\n", " print('Done')" ], "outputs": [], "execution_count": null, "metadata": { "jupyter": { "source_hidden": false, "outputs_hidden": false }, "nteract": { "transient": { "deleting": false } }, "gather": { "logged": 1690305286390 } } } ], "metadata": { "kernelspec": { "name": "synapse_pyspark", "display_name": "Synapse PySpark" }, "language_info": { "name": "python" }, "description": null, "save_output": true, "synapse_widget": { "version": "0.1", "state": {} } }, "nbformat": 4, "nbformat_minor": 2 }

scenario-notebooks/Hunting-Notebooks/Hunting-AzureResourceProvisioning.ipynb (476 lines of code) (raw):