release 2.4.0 (#121)

CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.0] - 2020-07-09
+
+### Added
+
+- [#120](https://github.com/eitrtechnologies/idem-azurerm/pull/120) - Added Managed Service Identity authentication
+  support.
+- [#115](https://github.com/eitrtechnologies/idem-azurerm/pull/115) - Added exec modules for listing virtual machine
+  sizes.
+- [#114](https://github.com/eitrtechnologies/idem-azurerm/pull/114) - Added acct backend for pulling credentials out of
+  Key Vault secrets to be used for any other authentication purpose in Idem.
+- [#112](https://github.com/eitrtechnologies/idem-azurerm/pull/112) - Added exec and state modules for Key Vault
+  secrets.
+
+### Changed
+
+### Fixed
+
+- [#108](https://github.com/eitrtechnologies/idem-azurerm/pull/108) - Fixed exceptions that are being thrown from failed
+  policy assignments.
+
+### Deprecated
+
+### Removed
+
 ## [2.3.2] - 2020-06-16
 
 ### Added
@@ -165,6 +189,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Initial release of execution and state modules from Salt along with some additional functionality ported from
   salt-cloud for virtual machines.
 
+[2.4.0]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.3.2...v2.4.0
 [2.3.2]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.3.1...v2.3.2
 [2.3.1]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.3.0...v2.3.1
 [2.3.0]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.2.0...v2.3.0

docs/conf.py

@@ -21,8 +21,8 @@
 project = "idem-azurerm"
 copyright = "2020, EITR Technologies, LLC"  # pylint: disable=redefined-builtin
 author = "EITR Technologies, LLC"
-version = "2.3"
-release = "2.3.2"
+version = "2.4"
+release = "2.4.0"
 
 # -- General configuration ---------------------------------------------------
 

docs/releases/2.4.0.rst

@@ -0,0 +1,58 @@
+Version 2.4.0
+=============
+
+Managed Service Identities for Authentication
+*********************************************
+Up to this release, username and password or service principal credentials were required in order to use
+``idem-azurerm``. Now, we can use managed identities in order to authorize ``idem-azurerm`` to perform work in Azure. A
+great example of this use case is a provisioning host in Azure that's assigned a role in order to create more
+infrastructure. It's magic! Look Ma, no creds!
+
+Key Vault Secrets Modules
+*************************
+We already had support for keys in Key Vault. Now we have secrets too! All secret lifecycle actions should be supported
+at this time.
+
+Key Vault Backend for Acct
+**************************
+Backends for Acct are a great way to pull stored credentials from secure locations for use with Idem. In this release,
+we added the ability to get secrets from Azure Key Vault in order to use them for any purpose in Idem. That's right, you
+can use secrets stored in Key Vault to access AWS, Vultr, or any other Idem provider coming in the future!
+
+Here's an example of the backend configuration:
+
+.. code-block:: yaml
+
+    acct-backend:
+        azurerm_keyvault:
+            designator: "acct-provider-"
+            vault_url: "https://myvault.vault.azure.net"
+            client_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+            secret: "X2KRwdcdsQn9mwjdt0EbxsQR3w5TuBOR"
+            subscription_id: "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+            tenant: "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+To use this backend, configure the backend YAML as shown above for the credentials which can be used to access the Key
+Vault URL provided. A username and password can be used in lieu of the service principal credentials shown in the
+example, or just use the new Managed Service Identity support in this release! Any identity used will need secrets/list
+and secrets/get permissions to the vault in order to retrieve the credentials.
+
+Credentials stored in the Key Vault will need to be named in a prescribed way in order to be properly retrieved and used
+for acct:
+
+.. code-block::
+
+    {designator}{provider}-{profile}-{parameter}
+
+So, an example of secret names stored in Key Vault to be used for ``idem-azurerm`` would be:
+
+.. code-block::
+
+    acct-provider-azurerm-default-client-id
+    acct-provider-azurerm-default-secret
+    acct-provider-azurerm-default-subscription-id
+    acct-provider-azurerm-default-tenant
+
+This backend will only retrieve the latest version of a given secret, and the secret's value will only be retrieved from
+the vault if the naming matches the expected format. Note that any dashes after the profile field will be converted to
+underscores. This is due to limitations in secret naming and the fact that Python parameters shouldn't have dashes.

idem_azurerm/acct/azurerm_keyvault.py

@@ -23,10 +23,10 @@
 
     To use this backend, configure the backend YAML as shown above for the
     credentials which can be used to access the Key Vault URL provided. A
-    username and password can be used in lieu of the service principal
-    credentials shown in the example. Any identity used will need secrets/list
-    and secrets/get permissions to the vault in order to retrieve the
-    credentials.
+    username and password or Managed Service Identities can be used in lieu of
+    the service principal credentials shown in the example. Any identity used
+    will need secrets/list and secrets/get permissions to the vault in order to
+    retrieve the credentials.
 
     Credentials stored in the Key Vault will need to be named in a prescribed
     way in order to be properly retrieved and used for acct:

idem_azurerm/exec/azurerm/utils.py

@@ -202,7 +202,7 @@ async def get_client(hub, ctx, client_type, **kwargs):
             base_url=cloud_env.endpoints.resource_manager,
         )
 
-    client.config.add_user_agent("idem-azurerm/2.0.0")
+    client.config.add_user_agent("idem-azurerm")
 
     return client
 

idem_azurerm/version.py

@@ -1 +1 @@
-version = "2.3.2"
+version = "2.4.0"