Fix the App Config + Key Vault sample (#22919)

* Apply previous PR feedback

Made previous changes but forgot to push. Found this in my reflog.

* Resolve Key Vault samples issues

Fixes #22913

* Resolve feedback

Author: heaths

samples/AppSecretsConfig/README.md

@@ -1,6 +1,7 @@
 ---
 page_type: sample
 languages:
+- aspx-csharp
 - csharp
 products:
 - azure
@@ -35,22 +36,31 @@ Examples of secrets that should be stored in Key Vault:
 
 To build and run this sample you will need:
 
+Software:
+
+* [.NET][dotnet_install]
+* [Azure CLI][azure_cli]
+
+Azure services:
+
 * [App Configuration][appconfig_overview]
 * [Key Vault][keyvault_overview]
+* (Optional) [App Service][appservice_overview] - needed to deploy the web application to Azure, which is provisioned in the [Bicep][bicep_overview] [template][sample_template].
 
-To deploy this sample you will also need:
+  > [!NOTE]
+  > App Service has [support for referencing Key Vault secrets][appservice_secrets] directly, but is used only as an example how to configure a web site to use App Configuration.
+  > If you choose to deploy your web application to another service, the same principles to configure the App Configuration connection string still apply.
 
-* [App Service][appservice_overview]
+* (Optional) [Application Insights][appinsights_overview] - to monitor web traffic and application traces, which is *not* provisioned in the Bicep template.
 
-Optionally, you may configure the App Service to use [Application Insights][appinsights_overview] to monitor traffic.
-
-[![Deploy to Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)][sample_deploy]
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)][sample_deploy]
 
 To deploy the template manually, make sure your [Azure CLI][azure_cli] is up to date and run:
 
 ```bash
+az bicep install # if deploying azuredeploy.bicep
 az group create --location {location} --resource-group {group-name}
-az deployment group create --resource-group {group-name} --template-file azuredeploy.bicep
+az deployment group create --resource-group {group-name} --template-file azuredeploy.bicep # or azuredeploy.json
 ```
 
 There are a number of parameters you can optional set. [View the template][sample_template] for details.
@@ -104,7 +114,9 @@ If you're logged in as a service principal, the `user.type` will be `servicePrin
 az keyvault set-policy -n {vault-host-name} --spn {spn} --secret-permissions get
 ```
 
-#### Visual Studio
+Next you'll need to add the App Configuration connection string from the template deployment outputs to your local user secrets:
+
+#### [Visual Studio](#tab/visualstudio)
 
 1. Right-click on the project
 2. Click **Managed User Secrets**
@@ -118,7 +130,7 @@ az keyvault set-policy -n {vault-host-name} --spn {spn} --secret-permissions get
 
 4. Click **Debug -> Start debugging (F5)** to run.
 
-#### Visual Studio Code
+#### [Visual Studio Code](#tab/visualstudiocode)
 
 1. In the project folder, run the following to add a variable named `ConnectionStrings:AppConfig` with the `value` of the `appConfigurationConnectionString` output variable:
 
@@ -129,7 +141,7 @@ az keyvault set-policy -n {vault-host-name} --spn {spn} --secret-permissions get
 2. With a *.cs* file open the command palette and run `Debug: Start debugging` or press `F5` (default binding).
 3. If prompted, select ".NET Core" to create a launch configuration and start debugging.
 
-#### dotnet CLI
+#### [.NET CLI](#tab/dotnet_cli)
 
 1. In the project folder, run the following to add a variable named `ConnectionStrings:AppConfig` with the `value` of the `appConfigurationConnectionString` output variable:
 
@@ -145,7 +157,7 @@ az keyvault set-policy -n {vault-host-name} --spn {spn} --secret-permissions get
 
 #### Deploying the sample
 
-See the [ASP.NET quickstart][aspnet_quickstart] for instructions to deploy for Visual Studio, Visual Studio Code, and the `dotnet` CLI. For Visual Studio and Visual Studio Code, make sure you select your existing resource if you deployed the Bicep template above; otherwise, for the `dotnet` CLI you can deploy to an existing resource by [configuring Local Git support][aspnet_deploy_localgit].
+See the [ASP.NET quickstart][aspnet_quickstart] for instructions to deploy for Visual Studio, Visual Studio Code, and the `dotnet` CLI. For Visual Studio and Visual Studio Code, make sure you select your existing resource if you deployed the Bicep template above; otherwise, for the `dotnet` CLI you can deploy to an existing resource by [configuring Git support][aspnet_deploy_localgit] and pushing source, which will be built automatically on the host.
 
 ## Configuring App Configuration with Key Vault references
 
@@ -230,12 +242,15 @@ In [ASP.NET Razor pages][aspnet_razor] as an example, you can then inject them i
 [appconfig_overview]: https://docs.microsoft.com/azure/azure-app-configuration/overview
 [appinsights_overview]: https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview
 [appservice_overview]: https://docs.microsoft.com/azure/app-service/overview
+[appservice_secrets]: https://docs.microsoft.com/azure/app-service/app-service-key-vault-references#rotation
 [aspnet_config]: https://docs.microsoft.com/aspnet/core/fundamentals/configuration
 [aspnet_deploy_localgit]: https://docs.microsoft.com/azure/app-service/deploy-local-git
 [aspnet_quickstart]: https://docs.microsoft.com/azure/app-service/quickstart-dotnetcore
 [aspnet_razor]: https://docs.microsoft.com/aspnet/core/razor-pages/
 [azure_cli]: https://docs.microsoft.com/cli/azure/
+[bicep_overview]: https://docs.microsoft.com/azure/azure-resource-manager/bicep/overview
 [dotnet_cli]: https://docs.microsoft.com/dotnet/core/tools/
+[dotnet_install]: https://dotnet.microsoft.com/download
 [identity_defaultazurecredential]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#defaultazurecredential
 [identity_troubleshooting]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#troubleshooting
 [keyvault_injection]: https://docs.microsoft.com/dotnet/api/overview/azure/microsoft.extensions.azure-readme-pre
@@ -245,7 +260,7 @@ In [ASP.NET Razor pages][aspnet_razor] as an example, you can then inject them i
 [keyvault_secretclient]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/Azure.Security.KeyVault.Secrets/README.md#secretclient
 [nuget_azureappconfig]: https://nuget.org/packages/Microsoft.Extensions.Configuration.AzureAppConfiguration
 [nuget_azureextensions]: https://nuget.org/packages/Microsoft.Extensions.Azure
-[sample_deploy]: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-sdk-for-net%2Fmain%2Fsamples%2FAppSecretsConfig%2Fazuredeploy.bicep
+[sample_deploy]: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-sdk-for-net%2Fmain%2Fsamples%2FAppSecretsConfig%2Fazuredeploy.json
 [sample_template]: https://github.com/Azure/azure-sdk-for-net/blob/main/samples/AppSecretsConfig/azuredeploy.bicep
 [visualstudio]: https://visualstudio.microsoft.com/
 [visualstudiocode]: https://code.visualstudio.com/

samples/AppSecretsConfig/Startup.cs

@@ -42,9 +42,6 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             app.UseStaticFiles();
 
             app.UseRouting();
-
-            app.UseAuthorization();
-
             app.UseEndpoints(endpoints =>
             {
                 endpoints.MapRazorPages();

samples/AppSecretsConfig/azuredeploy.json

@@ -0,0 +1,181 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.4.451.19169",
+      "templateHash": "9923986087503436347"
+    }
+  },
+  "parameters": {
+    "name": {
+      "type": "string",
+      "defaultValue": "[uniqueString(resourceGroup().id)]",
+      "metadata": {
+        "description": "The base name for resources"
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location for resources"
+      }
+    },
+    "secret": {
+      "type": "secureString",
+      "defaultValue": "[newGuid()]",
+      "metadata": {
+        "description": "A secret to use in the web application"
+      }
+    },
+    "sku": {
+      "type": "string",
+      "defaultValue": "F1",
+      "metadata": {
+        "description": "The web site hosting plan"
+      }
+    },
+    "configSku": {
+      "type": "string",
+      "defaultValue": "standard",
+      "allowedValues": [
+        "free",
+        "standard"
+      ],
+      "metadata": {
+        "description": "The App Configuration SKU. Only \"standard\" supports customer-managed keys from Key Vault"
+      }
+    }
+  },
+  "functions": [],
+  "resources": [
+    {
+      "type": "Microsoft.AppConfiguration/configurationStores/keyValues",
+      "apiVersion": "2020-07-01-preview",
+      "name": "[format('{0}/{1}', format('{0}config', parameters('name')), 'APPCONFIG_VALUE')]",
+      "properties": {
+        "contentType": "text/plain",
+        "value": "not a secret"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.AppConfiguration/configurationStores', format('{0}config', parameters('name')))]"
+      ]
+    },
+    {
+      "type": "Microsoft.AppConfiguration/configurationStores/keyValues",
+      "apiVersion": "2020-07-01-preview",
+      "name": "[format('{0}/{1}', format('{0}config', parameters('name')), 'KEYVAULT_SECRET')]",
+      "properties": {
+        "contentType": "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8",
+        "value": "[format('{{\"uri\":\"{0}\"}}', reference(resourceId('Microsoft.KeyVault/vaults/secrets', split(format('{0}/{1}secret', format('kv{0}', parameters('name')), parameters('name')), '/')[0], split(format('{0}/{1}secret', format('kv{0}', parameters('name')), parameters('name')), '/')[1])).secretUri)]"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.AppConfiguration/configurationStores', format('{0}config', parameters('name')))]",
+        "[resourceId('Microsoft.KeyVault/vaults/secrets', split(format('{0}/{1}secret', format('kv{0}', parameters('name')), parameters('name')), '/')[0], split(format('{0}/{1}secret', format('kv{0}', parameters('name')), parameters('name')), '/')[1])]"
+      ]
+    },
+    {
+      "type": "Microsoft.AppConfiguration/configurationStores",
+      "apiVersion": "2020-06-01",
+      "name": "[format('{0}config', parameters('name'))]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('configSku')]"
+      }
+    },
+    {
+      "type": "Microsoft.KeyVault/vaults",
+      "apiVersion": "2019-09-01",
+      "name": "[format('kv{0}', parameters('name'))]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "sku": {
+          "family": "A",
+          "name": "standard"
+        },
+        "tenantId": "[subscription().tenantId]",
+        "accessPolicies": [
+          {
+            "tenantId": "[subscription().tenantId]",
+            "objectId": "[reference(resourceId('Microsoft.Web/sites', format('{0}web', parameters('name'))), '2020-12-01', 'full').identity.principalId]",
+            "permissions": {
+              "secrets": [
+                "get"
+              ]
+            }
+          }
+        ]
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.Web/sites', format('{0}web', parameters('name')))]"
+      ]
+    },
+    {
+      "type": "Microsoft.KeyVault/vaults/secrets",
+      "apiVersion": "2019-09-01",
+      "name": "[format('{0}/{1}secret', format('kv{0}', parameters('name')), parameters('name'))]",
+      "properties": {
+        "contentType": "text/plain",
+        "value": "[parameters('secret')]"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.KeyVault/vaults', format('kv{0}', parameters('name')))]"
+      ]
+    },
+    {
+      "type": "Microsoft.Web/serverfarms",
+      "apiVersion": "2020-12-01",
+      "name": "[format('{0}plan', parameters('name'))]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]"
+      },
+      "kind": "linux",
+      "properties": {
+        "reserved": true
+      }
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2020-12-01",
+      "name": "[format('{0}web', parameters('name'))]",
+      "location": "[parameters('location')]",
+      "identity": {
+        "type": "SystemAssigned"
+      },
+      "properties": {
+        "httpsOnly": true,
+        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', format('{0}plan', parameters('name')))]",
+        "siteConfig": {
+          "linuxFxVersion": "DOTNETCORE|3.1",
+          "connectionStrings": [
+            {
+              "name": "AppConfig",
+              "connectionString": "[listKeys(resourceId('Microsoft.AppConfiguration/configurationStores', format('{0}config', parameters('name'))), '2020-06-01').value[0].connectionString]"
+            }
+          ]
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.AppConfiguration/configurationStores', format('{0}config', parameters('name')))]",
+        "[resourceId('Microsoft.Web/serverfarms', format('{0}plan', parameters('name')))]"
+      ]
+    }
+  ],
+  "outputs": {
+    "appConfigConnectionString": {
+      "type": "string",
+      "value": "[listKeys(resourceId('Microsoft.AppConfiguration/configurationStores', format('{0}config', parameters('name'))), '2020-06-01').value[0].connectionString]"
+    },
+    "siteUrl": {
+      "type": "string",
+      "value": "[format('https://{0}/', reference(resourceId('Microsoft.Web/sites', format('{0}web', parameters('name')))).defaultHostName)]"
+    },
+    "vaultUrl": {
+      "type": "string",
+      "value": "[reference(resourceId('Microsoft.KeyVault/vaults', format('kv{0}', parameters('name')))).vaultUri]"
+    }
+  }
+}

samples/Directory.Build.targets

@@ -0,0 +1,21 @@
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <Target Name="_GetBicepTemplates">
+    <ItemGroup>
+      <_BicepTemplate Include="@(None)" Condition="'%(Extension)' == '.bicep'" />
+    </ItemGroup>
+  </Target>
+
+  <Target Name="_BuildBicepTemplates"
+          Condition="'$(BuildBicepTemplates)' != 'false'"
+          DependsOnTargets="_GetBicepTemplates"
+          BeforeTargets="CoreCompile"
+          Inputs="@(_BicepTemplate)"
+          Outputs="@(_BicepTemplate->'%(RelativeDir)%(Filename).json')">
+    <Exec Command="az bicep build --file &quot;@(_BicepTemplate)&quot; --outfile &quot;@(_BicepTemplate->'%(RelativeDir)%(Filename).json')&quot;">
+      <Output TaskParameter="Outputs" ItemName="@(_BicepTemplate->'%(RelativeDir)%(Filename).json')" />
+    </Exec>
+    <Message Text="@(_BicepTemplate) -> @(_BicepTemplate->'%(RelativeDir)%(Filename).json')" Importance="high" />
+  </Target>
+
+</Project>