This sample shows how to convert a Spring Cloud application that uses Cosmos DB so that it reads its settings from App Configuration and Key Vault.
-
Use the Azure CLI az cosmosdb create.
az cosmosdb create --name my-cosmos-db --resource-group MyResourceGroup
This operation returns JSON that includes a documentEndpoint value; record it.
{ ... "documentEndpoint": "https://my-cosmos.documents.azure.com:443/", ... }
-
Then use az cosmosdb keys list.
az cosmosdb keys list --name my-cosmos-db -g MyResourceGroup
Record the primaryMasterKey.
{ "primaryMasterKey": "...", "primaryReadonlyMasterKey": "...", "secondaryMasterKey": "...", "secondaryReadonlyMasterKey": "..." }
In this section, you clone a containerized Spring Boot application and test it locally.
-
Open a command prompt or terminal window and create a local directory to hold your Spring Boot application, and change to that directory; for example:
```
md C:\SpringBoot
cd C:\SpringBoot
```
-- or --
```
md /users/robert/SpringBoot
cd /users/robert/SpringBoot
```
-
Clone the [Spring Boot on Docker Getting Started] sample project into the directory you created; for example:
git clone https://github.com/Azure-Samples/azure-spring-boot-samples.git
-
Change directory to the initial project; for example:
cd azure-spring-boot-samples/azure-appconfiguration-convert-sample-initial
-
Navigate to src/main/resources and open application.properties.
-
Replace the properties below in application.properties with information from your database.
```
spring.cloud.azure.cosmos.endpoint=${COSMOS-URL}
spring.cloud.azure.cosmos.key=${COSMOS-KEY}
spring.cloud.azure.cosmos.database=${COSMOS-DATABASENAME}
```
-
Build the JAR file using Maven; for example:
mvn clean package
-
When the web app has been created, start the web app using Maven; for example:
mvn spring-boot:run
-
View the results in the console.
-
You should see the following message displayed: findOne in User collection get result: testFirstName
-
Use the Azure CLI az keyvault create
az keyvault create --name myVaultName -g MyResourceGroup
-
Use the Azure CLI az ad sp
az ad sp create-for-rbac -n "http://mySP" --sdk-auth
This operation returns a series of key/value pairs:
```
{
  "clientId": "7da18cae-779c-41fc-992e-0527854c6583",
  "clientSecret": "[generated client secret]",
  "subscriptionId": "443e30da-feca-47c4-b68f-1636b75e16b3",
  "tenantId": "35ad10f1-7799-4766-9acf-f2d946161b77",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}
```
-
Run the following command to let the service principal access your key vault:
az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get
-
Use the Azure CLI az appconfig create
az appconfig create -n myAppconfigName -g MyResourceGroup -l westus --sku Standard
-
Run the following command to get your object-id, then add it to App Configuration.
```
az ad sp show --id <clientId-of-your-service-principal>
az role assignment create --role "App Configuration Data Reader" --assignee-object-id <objectId-of-your-service-principal> --resource-group <your-resource-group>
```
-
Create the following environment variables, using the values for the service principal that were displayed in the previous step:
- AZURE_CLIENT_ID: clientId
- AZURE_CLIENT_SECRET: clientSecret
- AZURE_TENANT_ID: tenantId
-
Upload your Cosmos DB key to Key Vault.
az keyvault secret set --vault-name myVaultName --name "COSMOSDB-KEY" --value your-cosmosdb-key
-
Upload your Cosmos DB database name and URI to App Configuration.
```
az appconfig kv set --name myConfigStoreName --key "/application/azure.cosmos.database" --value your-cosmos-db-databasename --yes
az appconfig kv set --name myConfigStoreName --key "/application/azure.cosmos.uri" --value your-cosmosdb-uri --yes
```
-
Add a Key Vault reference to App Configuration. Make sure to update the URI with your config store name.
az appconfig kv set-keyvault --name myConfigStoreName --key "/application/azure.cosmos.key" --secret-identifier https://myVaultName.vault.azure.net/secrets/COSMOSDB-KEY --yes
-
Delete application.properties from src/main/resources.
-
Create a new file called bootstrap.properties in src/main/resources, and add the following.
```
spring.cloud.azure.appconfiguration.stores[0].endpoint=https://{my-configstore-name}.azconfig.io
```
-
Update the pom.xml file to include the following dependency.
```
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-appconfiguration-config</artifactId>
    <version>4.10.0</version>
</dependency>
```
-
Create a new file called AzureCredentials.java and add the code below.
```
/*
 * Copyright (c) Microsoft Corporation. All rights reserved.
 * Licensed under the MIT License. See LICENSE in the project root for
 * license information.
 */
package sample.convert;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.EnvironmentCredentialBuilder;
import com.microsoft.azure.spring.cloud.config.AppConfigurationCredentialProvider;
import com.microsoft.azure.spring.cloud.config.KeyVaultCredentialProvider;

public class AzureCredentials implements AppConfigurationCredentialProvider, KeyVaultCredentialProvider {

    // Credential used when resolving Key Vault references.
    @Override
    public TokenCredential getKeyVaultCredential(String uri) {
        return getCredential();
    }

    // Credential used when connecting to the App Configuration store.
    @Override
    public TokenCredential getAppConfigCredential(String uri) {
        return getCredential();
    }

    // EnvironmentCredential reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and
    // AZURE_TENANT_ID from the environment variables created earlier.
    private TokenCredential getCredential() {
        return new EnvironmentCredentialBuilder().build();
    }
}
```
-
Create a new file called AppConfiguration.java and add the code below.
```
/*
 * Copyright (c) Microsoft Corporation. All rights reserved.
 * Licensed under the MIT License. See LICENSE in the project root for
 * license information.
 */
package sample.convert;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AppConfiguration {

    @Bean
    public AzureCredentials azureCredentials() {
        return new AzureCredentials();
    }
}
```
-
Create a new folder in your resources directory called META-INF. Then, in that folder, create a file called spring.factories and add the following.
```
org.springframework.cloud.bootstrap.BootstrapConfiguration=\
sample.convert.AppConfiguration
```
-
Build the JAR file using Maven; for example:
mvn clean package
-
When the web app has been created, start the web app using Maven; for example:
mvn spring-boot:run
-
View the results in the console.
-
You should see the following message displayed: findOne in User collection get result: testFirstName
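To confirm that the Cosmos DB key reached App Configuration only as a Key Vault reference, the following added example (not part of the sample project) audits key-values shaped like the JSON that `az appconfig kv list` prints. The item field names (`key`, `value`, `contentType`), the sensitive-name heuristic and the sample entries are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Content type App Configuration uses for Key Vault references.
KEYVAULT_REF_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json"
# Assumed heuristic: key names containing these words must not hold plaintext.
SENSITIVE_MARKERS = ("key", "secret", "password", "connectionstring")


def audit_store(items, allowed_vault_hosts):
    """Return (key, problem) findings for key-values exported from the store."""
    allowed = {host.lower() for host in allowed_vault_hosts}
    findings = []
    for item in items:
        key = item.get("key") or ""
        content_type = (item.get("contentType") or "").split(";")[0].strip().lower()
        if content_type != KEYVAULT_REF_TYPE:
            # Plain value: flag it if the last path segment looks like a secret.
            name = key.rsplit("/", 1)[-1].lower()
            if any(marker in name for marker in SENSITIVE_MARKERS):
                findings.append((key, "sensitive-looking key stored as plaintext"))
            continue
        try:
            # A reference value is a small JSON document: {"uri": "<secret id>"}.
            uri = json.loads(item.get("value") or "")["uri"]
            if not isinstance(uri, str):
                raise TypeError("uri must be a string")
            parsed = urlparse(uri)
        except (ValueError, KeyError, TypeError):
            findings.append((key, "malformed Key Vault reference"))
            continue
        if parsed.scheme != "https" or parsed.hostname not in allowed:
            findings.append((key, "reference points outside the allowed vaults"))
        elif not parsed.path.startswith("/secrets/"):
            findings.append((key, "reference is not a secret identifier"))
    return findings


# Constructed sample shaped like the three entries this walkthrough creates.
SAMPLE = [
    {"key": "/application/azure.cosmos.database", "contentType": None,
     "value": "your-cosmos-db-databasename"},
    {"key": "/application/azure.cosmos.uri", "contentType": None,
     "value": "https://my-cosmos.documents.azure.com:443/"},
    {"key": "/application/azure.cosmos.key",
     "contentType": KEYVAULT_REF_TYPE + ";charset=utf-8",
     "value": json.dumps({"uri": "https://myVaultName.vault.azure.net/secrets/COSMOSDB-KEY"})},
]
```

An empty result from `audit_store(SAMPLE, {"myVaultName.vault.azure.net"})` means the key is held only as a reference to the expected vault; any finding names the offending key.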
Now that you have the Spring Boot application running locally, it's time to move it to production. Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. To deploy your application to Azure Spring Apps, see Deploy your first application to Azure Spring Apps.