Use Product and API Subscriptions in all Infrastructures and Samples (#79)

Author: simonkurtz-MSFT

infrastructure/afd-apim-pe/create.ipynb

@@ -118,6 +118,7 @@
     "    apim_service_id     = output.get('apimServiceId', 'APIM Service Id')\n",
     "    apim_gateway_url    = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
     "    afd_endpoint_url    = output.get('fdeSecureUrl', 'Front Door Endpoint URL')\n",
+    "    apim_apis           = output.getJson('apiOutputs', 'APIs')\n",
     "\n",
     "utils.print_ok('Deployment completed')\n"
    ]
@@ -187,9 +188,11 @@
     "from apimrequests import ApimRequests\n",
     "from apimtesting import ApimTesting\n",
     "\n",
-    "reqs = ApimRequests(apim_gateway_url)\n",
     "tests = ApimTesting(\"AFD-APIM-PE Tests (Pre-Lockdown)\", deployment, deployment)\n",
     "\n",
+    "api_subscription_key = apim_apis[0]['subscriptionPrimaryKey']\n",
+    "reqs = ApimRequests(apim_gateway_url, api_subscription_key)\n",
+    "\n",
     "utils.print_message('Calling Hello World (Root) API via API Management Gateway URL. Expect 200 (if run before disabling API Management public network access).')\n",
     "output = reqs.singleGet('/')\n",
     "tests.verify(output, 'Hello World from API Management!')\n",
@@ -228,8 +231,9 @@
     "    raise SystemExit('Deployment failed')\n",
     "    \n",
     "if output.success and output.json_data:\n",
-    "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
     "    afd_endpoint_url = output.get('fdeSecureUrl', 'Front Door Endpoint URL')\n",
+    "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "    apim_apis        = output.getJson('apiOutputs', 'APIs')\n",
     "\n",
     "utils.print_ok('Deployment completed')\n"
    ]
@@ -250,35 +254,47 @@
    "outputs": [],
    "source": [
     "import utils\n",
-    "import json\n",
     "from apimrequests import ApimRequests\n",
     "from apimtesting import ApimTesting\n",
     "\n",
-    "reqsApim = ApimRequests(apim_gateway_url)\n",
-    "reqsAfd  = ApimRequests(afd_endpoint_url)\n",
     "tests = ApimTesting(\"AFD-APIM-PE Tests (Post-Lockdown)\", deployment, deployment)\n",
     "\n",
+    "api_subscription_key = apim_apis[0]['subscriptionPrimaryKey']\n",
+    "reqsApim = ApimRequests(apim_gateway_url, api_subscription_key)\n",
+    "reqsAfd  = ApimRequests(afd_endpoint_url, api_subscription_key)\n",
+    "\n",
     "# 1) Unsuccessful call to APIM Gateway URL (should fail with 403 Forbidden)\n",
     "output = reqsApim.singleGet('/', msg = '1) Calling Hello World (Root) API via API Management Gateway URL. Expect 403 as APIM public access is disabled now.')\n",
-    "tests.verify(json.loads(output)['statusCode'], 403)\n",
+    "outputJson = utils.get_json(output)\n",
+    "tests.verify(outputJson['statusCode'], 403)\n",
     "\n",
     "# 2) Successful call to Front Door (200)\n",
     "output = reqsAfd.singleGet('/', msg = '2) Calling Hello World (Root) API via Azure Front Door. Expect 200.')\n",
     "tests.verify(output, 'Hello World from API Management!')\n",
     "\n",
     "# 3) Successful calls to Front Door -> APIM -> ACA (200)\n",
     "if use_ACA:\n",
+    "    reqsAfd  = ApimRequests(afd_endpoint_url, apim_apis[1]['subscriptionPrimaryKey'])\n",
     "    output = reqsAfd.singleGet('/aca-1', msg = '3) Calling Hello World (ACA 1) API via Azure Front Door. Expect 200.')\n",
     "    tests.verify(output, 'Hello World!')\n",
     "\n",
+    "    reqsAfd  = ApimRequests(afd_endpoint_url, apim_apis[2]['subscriptionPrimaryKey'])\n",
     "    output = reqsAfd.singleGet('/aca-2', msg = '4) Calling Hello World (ACA 2) API via Azure Front Door. Expect 200.')\n",
     "    tests.verify(output, 'Hello World!')\n",
     "\n",
+    "    reqsAfd  = ApimRequests(afd_endpoint_url, apim_apis[3]['subscriptionPrimaryKey'])\n",
     "    output = reqsAfd.singleGet('/aca-pool', msg = '5) Calling Hello World (ACA Pool) API via Azure Front Door. Expect 200.')\n",
     "    tests.verify(output, 'Hello World!')\n",
     "else:\n",
     "    utils.print_message('ACA APIs were not created. Skipping ACA API calls.', blank_above = True)\n",
     "\n",
+    "# 4) Unsuccessful call to Front Door without API subscription key (should fail with 401 Unauthorized)\n",
+    "reqsNoApiSubscription = ApimRequests(afd_endpoint_url)\n",
+    "output = reqsNoApiSubscription.singleGet('/', msg = 'Calling Hello World (Root) API without API subscription key. Expect 401.')\n",
+    "outputJson = utils.get_json(output)\n",
+    "tests.verify(outputJson['statusCode'], 401)\n",
+    "tests.verify(outputJson['message'], 'Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.')\n",
+    "\n",
     "tests.print_summary()\n",
     "\n",
     "utils.print_ok('All done!')"

infrastructure/afd-apim-pe/main.bicep

@@ -311,5 +311,16 @@ output apimResourceGatewayURL string = apimModule.outputs.gatewayUrl
 output fdeHostName string = afdModule.outputs.fdeHostName
 output fdeSecureUrl string = afdModule.outputs.fdeSecureUrl
 
-#disable-next-line outputs-should-not-contain-secrets
-//output apimSubscription1Key string = apimModule.outputs.[0].listSecrets().primaryKey
+// API outputs
+output apiOutputs array = [for i in range(0, length(apis)): {
+  name: apis[i].name
+  resourceId: apisModule[i].?outputs.?apiResourceId ?? ''
+  displayName: apisModule[i].?outputs.?apiDisplayName ?? ''
+  productAssociationCount: apisModule[i].?outputs.?productAssociationCount ?? 0
+  subscriptionResourceId: apisModule[i].?outputs.?subscriptionResourceId ?? ''
+  subscriptionName: apisModule[i].?outputs.?subscriptionName ?? ''
+  subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
+  subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
+}]
+
+// [ADD RELEVANT OUTPUTS HERE]

infrastructure/apim-aca/create.ipynb

@@ -104,9 +104,10 @@
     "    raise SystemExit('Deployment failed')\n",
     "\n",
     "if output.success and output.json_data:\n",
-    "    apim_gateway_url    = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
-    "    aca_url_1           = output.get('acaUrl1', 'ACA Backend 1 URL')\n",
-    "    aca_url_2           = output.get('acaUrl2', 'ACA Backend 2 URL')\n",
+    "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "    aca_url_1        = output.get('acaUrl1', 'ACA Backend 1 URL')\n",
+    "    aca_url_2        = output.get('acaUrl2', 'ACA Backend 2 URL')\n",
+    "    apim_apis        = output.getJson('apiOutputs', 'APIs')\n",
     "\n",
     "utils.print_ok('Deployment completed')"
    ]
@@ -130,24 +131,33 @@
     "from apimrequests import ApimRequests\n",
     "from apimtesting import ApimTesting\n",
     "\n",
-    "reqs = ApimRequests(apim_gateway_url)\n",
     "tests = ApimTesting(\"APIM-ACA Tests\", deployment, deployment)\n",
     "\n",
+    "reqs = ApimRequests(apim_gateway_url, apim_apis[0]['subscriptionPrimaryKey'])\n",
     "output = reqs.singleGet('/', msg = 'Calling Hello World (Root) API')\n",
     "tests.verify(output, 'Hello World from API Management!')\n",
     "\n",
+    "reqs = ApimRequests(apim_gateway_url, apim_apis[1]['subscriptionPrimaryKey'])\n",
     "output = reqs.singleGet('/aca-1/', msg = 'Calling Hello World (ACA Backend 1) API')\n",
     "tests.verify(output, 'Hello World!')\n",
     "\n",
+    "reqs = ApimRequests(apim_gateway_url, apim_apis[2]['subscriptionPrimaryKey'])\n",
     "output = reqs.singleGet('/aca-2/', msg = 'Calling Hello World (ACA Backend 2) API')\n",
     "tests.verify(output, 'Hello World!')\n",
     "\n",
+    "reqs = ApimRequests(apim_gateway_url, apim_apis[3]['subscriptionPrimaryKey'])\n",
     "output = reqs.multiGet('/aca-pool/', 3, msg = 'Calling Hello World (ACA Backend Pool) API')\n",
     "tests.verify(len(output), 3)\n",
     "tests.verify(output[0]['response'], 'Hello World!')\n",
     "tests.verify(output[1]['response'], 'Hello World!')\n",
     "tests.verify(output[2]['response'], 'Hello World!')\n",
     "\n",
+    "reqsNoApiSubscription = ApimRequests(apim_gateway_url)\n",
+    "output = reqsNoApiSubscription.singleGet('/', msg = 'Calling Hello World (Root) API without API subscription key. Expect 401.')\n",
+    "outputJson = utils.get_json(output)\n",
+    "tests.verify(outputJson['statusCode'], 401)\n",
+    "tests.verify(outputJson['message'], 'Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.')\n",
+    "\n",
     "tests.print_summary()\n",
     "\n",
     "utils.print_ok('All done!')"

infrastructure/apim-aca/main.bicep

@@ -181,3 +181,17 @@ output apimServiceName string = apimModule.outputs.name
 output apimResourceGatewayURL string = apimModule.outputs.gatewayUrl
 output acaUrl1 string = 'https://${acaModule1.outputs.containerAppFqdn}'
 output acaUrl2 string = 'https://${acaModule2.outputs.containerAppFqdn}'
+
+// API outputs
+output apiOutputs array = [for i in range(0, length(apis)): {
+  name: apis[i].name
+  resourceId: apisModule[i].?outputs.?apiResourceId ?? ''
+  displayName: apisModule[i].?outputs.?apiDisplayName ?? ''
+  productAssociationCount: apisModule[i].?outputs.?productAssociationCount ?? 0
+  subscriptionResourceId: apisModule[i].?outputs.?subscriptionResourceId ?? ''
+  subscriptionName: apisModule[i].?outputs.?subscriptionName ?? ''
+  subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
+  subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
+}]
+
+// [ADD RELEVANT OUTPUTS HERE]

infrastructure/simple-apim/create.ipynb

@@ -89,6 +89,7 @@
     "\n",
     "if output.success and output.json_data:\n",
     "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "    apim_apis = output.getJson('apiOutputs', 'APIs')\n",
     "\n",
     "utils.print_ok('Deployment completed')"
    ]
@@ -112,12 +113,20 @@
     "from apimrequests import ApimRequests\n",
     "from apimtesting import ApimTesting\n",
     "\n",
-    "reqs = ApimRequests(apim_gateway_url)\n",
     "tests = ApimTesting(\"Simple APIM Tests\", deployment, deployment)\n",
     "\n",
-    "output = reqs.singleGet('/', msg = 'Calling Hello World (Root) API')\n",
+    "api_subscription_key = apim_apis[0]['subscriptionPrimaryKey']\n",
+    "reqs = ApimRequests(apim_gateway_url, api_subscription_key)\n",
+    "\n",
+    "output = reqs.singleGet('/', msg = 'Calling Hello World (Root) API. Expect 200.')\n",
     "tests.verify(output, 'Hello World from API Management!')\n",
     "\n",
+    "reqsNoApiSubscription = ApimRequests(apim_gateway_url)\n",
+    "output = reqsNoApiSubscription.singleGet('/', msg = 'Calling Hello World (Root) API without API subscription key. Expect 401.')\n",
+    "outputJson = utils.get_json(output)\n",
+    "tests.verify(outputJson['statusCode'], 401)\n",
+    "tests.verify(outputJson['message'], 'Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.')\n",
+    "\n",
     "tests.print_summary()\n",
     "\n",
     "utils.print_ok('All done!')"

infrastructure/simple-apim/main.bicep

@@ -91,5 +91,16 @@ output apimServiceId string = apimModule.outputs.id
 output apimServiceName string = apimModule.outputs.name
 output apimResourceGatewayURL string = apimModule.outputs.gatewayUrl
 
-#disable-next-line outputs-should-not-contain-secrets
-//output apimSubscription1Key string = apimModule.outputs.[0].listSecrets().primaryKey
+// API outputs
+output apiOutputs array = [for i in range(0, length(apis)): {
+  name: apis[i].name
+  resourceId: apisModule[i].?outputs.?apiResourceId ?? ''
+  displayName: apisModule[i].?outputs.?apiDisplayName ?? ''
+  productAssociationCount: apisModule[i].?outputs.?productAssociationCount ?? 0
+  subscriptionResourceId: apisModule[i].?outputs.?subscriptionResourceId ?? ''
+  subscriptionName: apisModule[i].?outputs.?subscriptionName ?? ''
+  subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
+  subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
+}]
+
+// [ADD RELEVANT OUTPUTS HERE]

samples/_TEMPLATE/create.ipynb

@@ -77,8 +77,10 @@
     "output = nb_helper.deploy_bicep(bicep_parameters)\n",
     "\n",
     "if output.json_data:\n",
-    "    apim_name = output.get('apimServiceName', 'APIM Service Name')\n",
+    "    afd_endpoint_url = output.get('fdeSecureUrl', 'Front Door Endpoint URL')    # may be deleted if Front Door is not part of a supported infrastructure\n",
+    "    apim_name        = output.get('apimServiceName', 'APIM Service Name')\n",
     "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "    apim_apis        = output.getJson('apiOutputs', 'APIs')\n",
     "\n",
     "utils.print_ok('Deployment completed')"
    ]
@@ -102,12 +104,17 @@
    "source": [
     "import utils\n",
     "from apimrequests import ApimRequests\n",
+    "from apimtesting import ApimTesting\n",
     "\n",
-    "# [ADD RELEVANT TESTS HERE]\n",
+    "tests = ApimTesting(\"Simple APIM Tests\", deployment, deployment)\n",
     "\n",
     "# 1) Issue a direct request to API Management\n",
-    "# reqsApim = ApimRequests(apim_gateway_url)\n",
-    "# reqsApim.singleGet('/request-headers', msg = 'Calling Request Headers API via API Management Gateway URL. Response codes 200 and 403 are both valid depending on the infrastructure used.')\n",
+    "\n",
+    "api_subscription_key = apim_apis[0]['subscriptionPrimaryKey']\n",
+    "reqsApim = ApimRequests(apim_gateway_url, api_subscription_key)\n",
+    "reqsAfd  = ApimRequests(afd_endpoint_url, api_subscription_key)     # may be deleted if Front Door is not part of a supported infrastructure\n",
+    "\n",
+    "# reqsApim.singleGet('/', msg = 'Calling Hello World (Root) API via API Management Gateway URL. Response codes 200 and 403 are both valid depending on the infrastructure used.')\n",
     "\n",
     "# # 2) Issue requests against Front Door.\n",
     "# # Check if the infrastructure architecture deployment uses Azure Front Door.\n",
@@ -116,7 +123,14 @@
     "\n",
     "# if afd_endpoint_url:\n",
     "#     reqsAfd = ApimRequests(afd_endpoint_url)\n",
-    "#     reqsAfd.singleGet('/request-headers', msg = 'Calling Request Headers API via via Azure Front Door. Expect 200.')\n",
+    "#     reqsAfd.singleGet('/', msg = 'Calling Hello World (Root) API via via Azure Front Door. Expect 200.')\n",
+    "\n",
+    "# # 3) Unsuccessful call to Front Door without API subscription key (should fail with 401 Unauthorized)\n",
+    "# reqsNoApiSubscription = ApimRequests(afd_endpoint_url)\n",
+    "# output = reqsNoApiSubscription.singleGet('/', msg = 'Calling Hello World (Root) API without API subscription key. Expect 401.')\n",
+    "# outputJson = utils.get_json(output)\n",
+    "# tests.verify(outputJson['statusCode'], 401)\n",
+    "# tests.verify(outputJson['message'], 'Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.')\n",
     "\n",
     "utils.print_ok('All done!')"
    ]

samples/_TEMPLATE/main.bicep

@@ -53,4 +53,17 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
 output apimServiceId string = apimService.id
 output apimServiceName string = apimService.name
 output apimResourceGatewayURL string = apimService.properties.gatewayUrl
+
+// API outputs
+output apiOutputs array = [for i in range(0, length(apis)): {
+  name: apis[i].name
+  resourceId: apisModule[i].?outputs.?apiResourceId ?? ''
+  displayName: apisModule[i].?outputs.?apiDisplayName ?? ''
+  productAssociationCount: apisModule[i].?outputs.?productAssociationCount ?? 0
+  subscriptionResourceId: apisModule[i].?outputs.?subscriptionResourceId ?? ''
+  subscriptionName: apisModule[i].?outputs.?subscriptionName ?? ''
+  subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
+  subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
+}]
+
 // [ADD RELEVANT OUTPUTS HERE]

samples/authX-pro/create.ipynb

@@ -121,9 +121,9 @@
     "output = nb_helper.deploy_bicep(bicep_parameters)\n",
     "\n",
     "if output.json_data:\n",
-    "    apim_name = output.get('apimServiceName', 'APIM Service Name')\n",
+    "    apim_name        = output.get('apimServiceName', 'APIM Service Name')\n",
     "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
-    "    apim_products = output.getJson('productOutputs', 'Products')\n",
+    "    apim_products    = output.getJson('productOutputs', 'Products')\n",
     "\n",
     "utils.print_ok('Deployment completed')"
    ]
@@ -152,11 +152,10 @@
     "from users import UserHelper\n",
     "from authfactory import AuthFactory\n",
     "\n",
-    "# Test the function\n",
-    "hr_product_apim_subscription_key = apim_products[0]['subscriptionPrimaryKey']\n",
-    "\n",
     "tests = ApimTesting(\"AuthX-Pro Sample Tests\", sample_folder, deployment)\n",
     "\n",
+    "hr_product_apim_subscription_key = apim_products[0]['subscriptionPrimaryKey']\n",
+    "\n",
     "# Preflight: Check if the infrastructure architecture deployment uses Azure Front Door. If so, assume that APIM is not directly accessible and use the Front Door URL instead.\n",
     "endpoint_url = utils.test_url_preflight_check(deployment, rg_name, apim_gateway_url)\n",
     "\n",

samples/authX-pro/main.bicep

@@ -108,15 +108,16 @@ output apimResourceGatewayURL string = apimService.properties.gatewayUrl
 
 // Product outputs
 output productOutputs array = [for i in range(0, length(products)): {
-  productResourceId: productModule[i].outputs.productResourceId
-  productName: productModule[i].outputs.productName
-  productDisplayName: productModule[i].outputs.productDisplayName
-  productState: productModule[i].outputs.productState
+  resourceId: productModule[i].outputs.productResourceId
+  name: productModule[i].outputs.productName
+  displayName: productModule[i].outputs.productDisplayName
+  state: productModule[i].outputs.productState
   subscriptionRequired: productModule[i].outputs.subscriptionRequired
   approvalRequired: productModule[i].outputs.approvalRequired
   policyResourceId: productModule[i].outputs.policyResourceId
   hasPolicyAttached: productModule[i].outputs.hasPolicyAttached
   subscriptionResourceId: productModule[i].outputs.subscriptionResourceId
+  subscriptionName: productModule[i].outputs.subscriptionName
   subscriptionPrimaryKey: productModule[i].outputs.subscriptionPrimaryKey
   subscriptionSecondaryKey: productModule[i].outputs.subscriptionSecondaryKey
 }]