Add python SDK call example

Author: Vivek Lakshmanan

README.md

@@ -177,6 +177,7 @@ Example   | Description |
 [Azure Kubernetes Service](azure-py-aks) | Create an Azure Kubernetes Service (AKS) Cluster.
 [Azure App Service](azure-py-appservice) | Build a web application hosted in App Service and provision Azure SQL Database and Azure Application Insights.
 [Azure App Service with Docker](azure-py-appservice-docker) | Build a web application hosted in App Service from Docker images.
+[Azure SDK integration](azure-py-call-azure-sdk) | Call Azure SDK functions from a Pulumi program in Python.
 [Azure Cosmos DB and LogicApp](azure-py-cosmosdb-logicapp) | Define Cosmos DB, API connections, and link them to a logic app.
 [Minecraft Server](azure-py-minecraft-server) | Deploy an Azure Virtual Machine and provision a Minecraft server.
 [Static Website](azure-py-static-website) | Configure static website hosting in Azure Storage.
@@ -192,6 +193,7 @@ Example   | Description |
 [Azure Kubernetes Service](azure-go-aks) | Create an Azure Kubernetes Service (AKS) Cluster.
 [Azure App Service with Docker](azure-go-appservice-docker) | Build a web application hosted in App Service from Docker images.
 [Static Website](azure-go-static-website) | Configure static website hosting in Azure Storage.
+[Azure SDK integration](azure-go-call-azure-sdk) | Call Azure SDK functions from a Pulumi programin Go.
 
 ### C#
 
@@ -388,4 +390,4 @@ Example   | Description |
 
 ## Automation API
 
-[Automation API Examples](https://github.com/pulumi/automation-api-examples)
+[Automation API Examples](https://github.com/pulumi/automation-api-examples)

azure-py-call-azure-sdk/.gitignore

@@ -0,0 +1,2 @@
+*.pyc
+venv/

azure-py-call-azure-sdk/Pulumi.yaml

@@ -0,0 +1,6 @@
+name: azure-py-call-azure-sdk
+runtime:
+  name: python
+  options:
+    virtualenv: venv
+description: An example of integrating an Azure SDK call to a Pulumi program.

azure-py-call-azure-sdk/README.md

@@ -0,0 +1,43 @@
+[![Deploy](https://get.pulumi.com/new/button.svg)](https://app.pulumi.com/new)
+
+# Demo of Integrating the native Azure Pulumi provider with the Microsoft Azure SDK
+
+The native Azure Pulumi provider exposes the entire resource model of Azure Resource Manager. Each resource can be created, updated, deleted, or refreshed (read).
+
+However, Azure API has many endpoints that don't map to our resource model. For examples, finding resources given some filter criteria is not supported directly.
+
+However, you can easily integrate an Azure SDK call inside your Pulumi program using the same programming language. We provide a helper function `authorization.get_client_token()` that returns a valid authentication token for the same login context that the Pulumi provider is using.
+
+This example demonstrates how to use such integration to lookup a role definition ID based on its name and scope. It then creates a role assignment for the resulting definition to allow pulling container images from a registry.
+
+## Running the App
+
+1.  Create a new stack:
+
+    ```
+    $ pulumi stack init dev
+    ```
+
+1.  Login to Azure CLI (you will be prompted to do this during deployment if you forget this step):
+
+    ```
+    $ az login
+    ```
+
+1. Set the Azure region location to use:
+
+    ```
+    $ pulumi config set azure-native:location WestUS
+    ```
+
+1.  Run `pulumi up` to preview and deploy changes:
+
+    ``` 
+    $ pulumi up
+    Previewing changes:
+    ...
+    Performing changes:
+    ...
+    Resources:
+       + 4 created
+    ```

azure-py-call-azure-sdk/__main__.py

@@ -0,0 +1,52 @@
+"""A program to demonstrate accessing Azure Python SDK"""
+
+from azure.core.credentials import AccessToken
+from azure.mgmt.authorization import AuthorizationManagementClient
+from pulumi_azure_native import authorization, containerregistry, resources
+
+
+class TokenCred:
+    def __init__(self, token):
+        self.token = token
+
+    def get_token(self, *scopes, **kwargs) -> 'AccessToken':
+        return AccessToken(token=self.token, expires_on=-1)
+
+
+def get_role_id_by_name(name, scope=""):
+    config = authorization.get_client_config()
+    client_token = authorization.get_client_token()
+    client = AuthorizationManagementClient(
+        TokenCred(client_token.token), config.subscription_id)
+    def_pages = client.role_definitions.list(
+        scope, filter=f'roleName eq {name}')
+    role = None
+    for x in def_pages:
+        role = x.id
+        break
+    if role is None:
+        raise Exception(f'role \'{name}\' not found at scope \'{scope}\'')
+    return role
+
+
+# Create an Azure Resource Group
+resource_group = resources.ResourceGroup('resource_group')
+
+# Create a container registry
+container_registry = containerregistry.Registry(
+    'registry',
+    resource_group_name=resource_group.name,
+    sku=containerregistry.SkuArgs(name='Basic'),
+    admin_user_enabled=True)
+
+client_config = authorization.get_client_config()
+current_principal = client_config.object_id
+
+roledef = get_role_id_by_name('AcrPull')
+
+authorization.RoleAssignment("access-from-cluster",
+                             principal_id=current_principal,
+                             # adjust this if running as service principal
+                             principal_type=authorization.PrincipalType.USER,
+                             role_definition_id=roledef,
+                             scope=container_registry.id)

azure-py-call-azure-sdk/requirements.txt

@@ -0,0 +1,3 @@
+pulumi>=3.0.0,<4.0.0
+pulumi-azure-native>=1.0.0,<2.0.0
+azure-mgmt-authorization>=1.0.0

misc/test/azure_test.go

@@ -166,6 +166,15 @@ func TestAccAzurePyWebserver(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestAccAzurePyCallAzureSdk(t *testing.T) {
+	test := getAzureBase(t).
+		With(integration.ProgramTestOptions{
+			Dir: path.Join(getCwd(t), "..", "..", "azure-py-call-azure-sdk"),
+		})
+
+	integration.ProgramTest(t, &test)
+}
+
 func TestAccAzureTsAppService(t *testing.T) {
 	test := getAzureBase(t).
 		With(integration.ProgramTestOptions{