Include all Azure config in the INI file.

Adds all the new config items to the INI file and adjusts some naming
conventions so that these values sort together. Also adds defaults for
some values where they're known.

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
     "lines": null
   },
-  "generated_at": "2020-01-27T19:24:43Z",
+  "generated_at": "2020-02-04T21:00:49Z",
   "plugins_used": [
     {
       "base64_limit": 4.5,
@@ -82,7 +82,7 @@
         "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 32,
+        "line_number": 43,
         "type": "Secret Keyword"
       }
     ],

atst/domain/csp/cloud/azure_cloud_provider.py

@@ -97,10 +97,14 @@ class AzureCloudProvider(CloudProviderInterface):
         self.secret_key = config["AZURE_SECRET_KEY"]
         self.tenant_id = config["AZURE_TENANT_ID"]
         self.vault_url = config["AZURE_VAULT_URL"]
-        self.ps_client_id = config["POWERSHELL_CLIENT_ID"]
-        self.owner_role_def_id = config["AZURE_OWNER_ROLE_DEF_ID"]
+        self.ps_client_id = config["AZURE_POWERSHELL_CLIENT_ID"]
         self.graph_resource = config["AZURE_GRAPH_RESOURCE"]
         self.default_aadp_qty = config["AZURE_AADP_QTY"]
+        self.roles = {
+            "owner": config["AZURE_ROLE_DEF_ID_OWNER"],
+            "contributor": config["AZURE_ROLE_DEF_ID_CONTRIBUTOR"],
+            "billing": config["AZURE_ROLE_DEF_ID_BILLING_READER"],
+        }
 
         if azure_sdk_provider is None:
             self.sdk = AzureSDKProvider()
@@ -602,7 +606,7 @@ class AzureCloudProvider(CloudProviderInterface):
     def create_tenant_admin_ownership(self, payload: TenantAdminOwnershipCSPPayload):
         mgmt_token = self._get_elevated_management_token(payload.tenant_id)
 
-        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
+        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
 
         request_body = {
             "properties": {
@@ -630,7 +634,7 @@ class AzureCloudProvider(CloudProviderInterface):
         mgmt_token = self._get_elevated_management_token(payload.tenant_id)
 
         # NOTE: the tenant_id is also the id of the root management group, once it is created
-        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
+        role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
 
         request_body = {
             "properties": {

config/base.ini

@@ -1,9 +1,19 @@
 [default]
 ASSETS_URL
+AZURE_AADP_QTY=5
 AZURE_ACCOUNT_NAME
-AZURE_STORAGE_KEY
-AZURE_TO_BUCKET_NAME
+AZURE_CLIENT_ID
+AZURE_GRAPH_RESOURCE="https://graph.microsoft.com/"
 AZURE_POLICY_LOCATION=policies
+AZURE_POWERSHELL_CLIENT_ID
+AZURE_ROLE_DEF_ID_BILLING_READER="fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64"
+AZURE_ROLE_DEF_ID_CONTRIBUTOR="b24988ac-6180-42a0-ab88-20f7382dd24c"
+AZURE_ROLE_DEF_ID_OWNER="8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+AZURE_SECRET_KEY
+AZURE_STORAGE_KEY
+AZURE_TENANT_ID
+AZURE_TO_BUCKET_NAME
+AZURE_VAULT_URL
 BLOB_STORAGE_URL=http://localhost:8000/
 CAC_URL = http://localhost:8000/login-redirect
 CA_CHAIN = ssl/server-certs/ca-chain.pem
@@ -42,10 +52,10 @@ REDIS_TLS=False
 REDIS_USER
 SECRET_KEY = change_me_into_something_secret
 SERVER_NAME
-SESSION_COOKIE_NAME=atat
 SESSION_COOKIE_DOMAIN
-SESSION_KEY_PREFIX=session:
+SESSION_COOKIE_NAME=atat
 SESSION_COOKIE_SECURE=false
+SESSION_KEY_PREFIX=session:
 SESSION_TYPE = redis
 SESSION_USE_SIGNER = True
 SQLALCHEMY_ECHO = False

tests/mock_azure.py

@@ -9,8 +9,10 @@ AZURE_CONFIG = {
     "AZURE_TENANT_ID": "MOCK",
     "AZURE_POLICY_LOCATION": "policies",
     "AZURE_VAULT_URL": "http://vault",
-    "POWERSHELL_CLIENT_ID": "MOCK",
-    "AZURE_OWNER_ROLE_DEF_ID": "MOCK",
+    "AZURE_POWERSHELL_CLIENT_ID": "MOCK",
+    "AZURE_ROLE_DEF_ID_OWNER": "MOCK",
+    "AZURE_ROLE_DEF_ID_CONTRIBUTOR": "MOCK",
+    "AZURE_ROLE_DEF_ID_BILLING_READER": "MOCK",
     "AZURE_GRAPH_RESOURCE": "MOCK",
     "AZURE_AADP_QTY": 5,
 }