Add SAS token function for the service bus/event hub resource

[garimasi514]

Developers wishing to send messages to the service bus using the SAS token need to create the token themselves, as described here: https://docs.microsoft.com/en-us/rest/api/eventhub/generate-sas-token

This is error prone and also convoluted to do in bicep because of the hashing step.

Ideally this should be available as a native property on the service bus resource. In the meantime, we should also be able to add support in bicep to have a list*() function that is able to create the SAS token for the service bus resource: value: serviceBus.generateSAStoken()

[anthony-c-martin]

This is error prone and also convoluted to do in bicep because of the hashing step.

Out of interest, do you have an example to share of how you currently do this in Bicep or ARM Templates?

[garimasi514]

This is error prone and also convoluted to do in bicep because of the hashing step.

Out of interest, do you have an example to share of how you currently do this in Bicep or ARM Templates?

I am currently doing this in an Ev2 shell extension bash script. Check out - https://docs.microsoft.com/en-us/rest/api/eventhub/generate-sas-token#bash

I explored doing this in bicep inside an ARM 'Microsoft.Resources/deploymentScripts' resource but hit a snag at the openssl sha256 hashing step because I didn't find appropriate inbuilt functions for doing it inside the resource.

[anthony-c-martin]

I explored doing this in bicep inside an ARM 'Microsoft.Resources/deploymentScripts' resource but hit a snag at the openssl sha256 hashing step because I didn't find appropriate inbuilt functions for doing it inside the resource.

Thanks for the context! I think the biggest challenge here is probably going to be idempotency - the same call to listXYZ() at a different time will result in a different SAS key (different start + end time), but this is something we'll certainly discuss.

Just to probe a little further - do you know what was missing with the deploymentScripts implementation? Was it the openssl binary that was missing?

[stan-sz]

Microsoft.Storage RP provides the listAccountSas function that hides the cryptographic logic (and idempotency?) and I'd envision this issue is about having a similar solution for ServiceBus (and optionally Event Hub).

[garimasi514]

I explored doing this in bicep inside an ARM 'Microsoft.Resources/deploymentScripts' resource but hit a snag at the openssl sha256 hashing step because I didn't find appropriate inbuilt functions for doing it inside the resource.

Thanks for the context! I think the biggest challenge here is probably going to be idempotency - the same call to listXYZ() at a different time will result in a different SAS key (different start + end time), but this is something we'll certainly discuss.

Just to probe a little further - do you know what was missing with the deploymentScripts implementation? Was it the openssl binary that was missing?

Yes.

[anthony-c-martin]

Just to probe a little further - do you know what was missing with the deploymentScripts implementation? Was it the openssl binary that was missing?

Yes.

@jorgecotillo / @alex-frankel - is openssl something we've considered adding to the base deploymentScripts image (or had other asks for)? Feels like it would be pretty useful generally.

[alex-frankel]

Right now it's a large work item to add customizations to the base image(s) that we are using. We have it on our backlog to make this easier, as we have had asks for a variety of binaries to be added to the images we use.

cc @marcre

[stan-sz]

Can this be fixed by engaging the RP for ServiceBus and EventHub?