Provide terraform scripts for AAD samples

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md

@@ -5,7 +5,7 @@
 This demo project  explains the usage of the stateless authentication filter `AadAppRoleStatelessAuthenticationFilter`.
 This project is composed of a vue.js frontend and a simple backend with three endpoints
 * `/public` (accessible by anyone)
-* `/authorized` (role "user" required)
+* `/authorized` (role "UserRule" required)
 * `/admin/demo` (role "admin" required).
 
 ## Getting started
@@ -42,11 +42,11 @@ For the test SPA provided with this example you should create the following role
       "allowedMemberTypes": [
         "User"
       ],
-      "displayName": "User",
+      "displayName": "UserRule",
       "id": "f8ed78b5-fabc-488e-968b-baa48a570001",
       "isEnabled": true,
       "description": "Normal user access",
-      "value": "User"
+      "value": "UserRule"
     }
   ],
 ```
@@ -61,7 +61,11 @@ Furthermore enable the implicit flow in the manifest for the demo application
 "oauth2AllowImplicitFlow": "true",
 ```
 
-## Examples
+## Running Sample With Terraform
+Please refer to [README.md](terraform/README.md) if you want to start the sample with Terraform in just a few steps.
+
+## Running Sample Step by Step
+
 ### Configure the sample
 
 #### Configure application.properties

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/src/main/java/com/azure/spring/sample/aad/controller/MainController.java

@@ -19,7 +19,7 @@ public String publicMethod() {
 
     @GetMapping("/authorized")
     @ResponseBody
-    @PreAuthorize("hasRole('ROLE_User')")
+    @PreAuthorize("hasRole('ROLE_UserRule')")
     public String onlyAuthorizedUsers() {
         return "authorized endpoint response";
     }

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md

@@ -0,0 +1,113 @@
+# Spring Boot application with Azure Active Directory
+
+## What You Need
+
+- [An Azure subscription](https://azure.microsoft.com/free/)
+- [Terraform](https://www.terraform.io/)
+- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli)
+- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later
+- Maven
+- You can also import the code straight into your IDE:
+    - [IntelliJ IDEA](https://www.jetbrains.com/idea/download)
+
+## Provision Azure Resources Required to Run This Sample
+
+### Authenticate Using the Azure CLI
+Terraform must authenticate to Azure to create infrastructure.
+
+In your terminal, use the Azure CLI tool to setup your account permissions locally.
+
+```shell
+az login --tenant  [your-tenant] --allow-no-subscriptions
+```
+
+Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use.
+
+```shell
+You have logged in. Now let us find all the subscriptions to which you have access...
+
+[
+  {
+    "cloudName": "AzureCloud",
+    "homeTenantId": "home-Tenant-Id",
+    "id": "subscription-id",
+    "isDefault": true,
+    "managedByTenants": [],
+    "name": "Subscription-Name",
+    "state": "Enabled",
+    "tenantId": "0envbwi39-TenantId",
+    "user": {
+      "name": "[email protected]",
+      "type": "user"
+    }
+  }
+]
+```
+
+### Provision the Resources
+
+After login Azure CLI with your account, now you can use the terraform script to create Azure Resources.
+
+#### Run with Bash
+
+```shell
+# In the root directory of aad-resource-server-by-filter-stateless
+# Initialize your Terraform configuration
+terraform -chdir=./terraform init
+
+# Apply your Terraform Configuration
+terraform -chdir=./terraform apply -auto-approve
+
+```
+
+It may take a few minutes to run the script. After successful running, you will see prompt information like below:
+
+```shell
+...
+Apply complete! Resources: * added, * changed, * destroyed.
+
+```
+
+You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created.
+
+### Export Output to Your Local Environment
+Running the command below to export environment values:
+
+#### Run with Bash
+
+```shell
+source ./terraform/setup_env.sh
+```
+You will see output like below, save this output to use later.
+```shell
+
+AZURE_CLIENT_ID=...
+AZURE_TENANT_ID=...
+--------created user--------
+USER_NAME=...
+USER_PASSWORD=...
+
+```
+
+## Run Locally
+
+In your current terminal, run `mvn clean spring-boot:run`.
+
+```shell
+mvn clean spring-boot:run
+```
+
+## Verify This Sample
+
+
+## Clean Up Resources
+After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing.
+
+The terraform destroy command terminates resources managed by your Terraform project.   
+To destroy the resources you created.
+
+#### Run with Bash
+
+```shell
+terraform -chdir=./terraform destroy -auto-approve
+```

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf

@@ -0,0 +1,128 @@
+terraform {
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.19.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.1.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "3.1.0"
+    }
+  }
+}
+
+resource "random_string" "random" {
+  length    = 5
+  min_lower = 5
+  special   = false
+}
+
+data "azuread_client_config" "current" {}
+
+resource "random_uuid" "role-admin" {
+}
+
+resource "random_uuid" "role-user" {
+}
+
+# Configure the Azure Active Directory Provider
+provider "azuread" {
+}
+
+# Configure an app
+resource "azuread_application" "resourceserver" {
+  display_name = "aad-resource-server-by-filter-stateless-${random_string.random.result}"
+
+  owners           = [data.azuread_client_config.current.object_id]
+  sign_in_audience = "AzureADMultipleOrgs"
+
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+    resource_access {
+      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
+      type = "Role"
+    }
+
+    resource_access {
+      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
+      type = "Scope"
+    }
+
+    resource_access {
+      id   = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All
+      type = "Scope"
+    }
+  }
+
+  single_page_application {
+    redirect_uris = ["http://localhost:8080/"]
+  }
+
+  app_role {
+    allowed_member_types = ["User"]
+    description          = "Full admin access"
+    display_name         = "Admin"
+    enabled              = true
+    id                   = random_uuid.role-admin.result
+    value                = "Admin"
+  }
+
+  app_role {
+    allowed_member_types = ["User"]
+    description          = "User rule"
+    display_name         = "UserRule"
+    enabled              = true
+    id                   = random_uuid.role-user.result
+    value                = "UserRule"
+  }
+
+  web {
+    implicit_grant {
+      access_token_issuance_enabled = true
+      id_token_issuance_enabled     = true
+    }
+  }
+}
+
+resource "azuread_service_principal" "resourceserver" {
+  application_id               = azuread_application.resourceserver.application_id
+  app_role_assignment_required = false
+  owners                       = [data.azuread_client_config.current.object_id]
+}
+
+# Retrieve domain information
+data "azuread_domains" "current" {
+  only_initial = true
+}
+
+# Create a user
+resource "azuread_user" "user" {
+  user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}"
+  display_name        = "security-${random_string.random.result}"
+  password            = "Azure123456@"
+}
+
+resource "azuread_app_role_assignment" "admin" {
+  app_role_id         = random_uuid.role-admin.result
+  principal_object_id = azuread_user.user.object_id
+  resource_object_id  = azuread_service_principal.resourceserver.object_id
+}
+
+resource "azuread_app_role_assignment" "user_role" {
+  app_role_id         = random_uuid.role-user.result
+  principal_object_id = azuread_user.user.object_id
+  resource_object_id  = azuread_service_principal.resourceserver.object_id
+}
+
+resource "null_resource" "set_env" {
+  depends_on = [azuread_service_principal.resourceserver]
+
+  provisioner "local-exec" {
+    command = "/bin/bash set_identifier_uris.sh"
+  }
+}

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf

@@ -0,0 +1,20 @@
+output "AZURE_TENANT_ID" {
+  value       = data.azuread_client_config.current.tenant_id
+  description = "The Azure tenant id."
+}
+
+output "AZURE_CLIENT_ID" {
+  value       = azuread_application.resourceserver.application_id
+  description = "The application id."
+}
+
+output "USER_NAME" {
+  value       = azuread_user.user.user_principal_name
+  description = "The user name of the user created by terraform."
+}
+
+output "USER_PASSWORD" {
+  value       = azuread_user.user.password
+  sensitive   = true
+  description = "The password of the user created by terraform."
+}

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh

@@ -0,0 +1,6 @@
+AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID)
+
+# set identifier_uris
+echo "----------update identifier-uris start----------"
+az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID
+echo "----------update identifier-uris completed----------"

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh

@@ -0,0 +1,11 @@
+export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID)
+export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
+echo AZURE_TENANT_ID=${AZURE_TENANT_ID}
+
+echo "--------created user--------"
+echo USER_NAME=${USER_NAME}
+echo USER_PASSWORD=${USER_PASSWORD}

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/README.md

@@ -26,7 +26,10 @@ To run this sample, you'll need:
 #### Note
 - If you are not the admin, you need consent from your admin for the the `Directory.Read.All` permission. For details see [Directory Permissions](https://docs.microsoft.com/graph/permissions-reference#directory-permissions)
 
-## Examples
+## Running Sample With Terraform
+Please refer to [README.md](terraform/README.md) if you want to start the sample with Terraform in just a few steps.
+
+## Running Sample Step by Step
 
 ### Step 1:  Clone or download this repository
 

aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml

@@ -20,4 +20,4 @@ spring:
         user-group:
           allowed-group-names: group1,group2
         redirect-uri-template: http://localhost:8080/
-
+        jwt-connect-timeout: 5000