Obsolete connection strings for Azure services (#90)

* Obsolete connection strings for Azure services, instead using Azure.Identity exclusively.

* Doc edits.

Author: StephenMolloy

README.md

@@ -176,19 +176,20 @@ and currently exposes the format of the file which, as mentioned above, should b
 ```xml
 <add name="AzureAppConfig"
     [mode|@prefix|@stripPrefix|tokenPattern|@escapeExpandedValues|@optional=false]
-    (@endpoint="https://your-appconfig-store.azconfig.io" | @connectionString="Endpoint=https://your-appconfig-store.azconfig.io;Id=XXXXXXXXXX;Secret=XXXXXXXXXX")
+    @endpoint="https://your-appconfig-store.azconfig.io"
     [@keyFilter="string"]
     [@labelFilter="label"]
     [@acceptDateTime="DateTimeOffset"]
 	[@useAzureKeyVault="bool"]
     type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfig" />
 ```
 [AppConfiguration](https://docs.microsoft.com/en-us/azure/azure-app-configuration/overview) is a new offering from Azure, currently in preview. If you
-wish to use this new service for managing your configuration, then use this AzureAppConfigurationBuilder. Either `endpoint` or `connectionString` are
-required, but all other attributes are optional. If both `endpoint` and `connectionString` are used, then preference is given to the connection string.
-It is however, __strongly__ encouraged to use `endpoint` with a managed service identity in Azure.
+wish to use this new service for managing your configuration, then use this AzureAppConfigurationBuilder. `endpoint` is
+required, but all other attributes are optional.
+Previous iterations of this config builder allowed for a `connectionString` to connect to the
+App Configuration service. This method is no longer allowed, and this config builder now exclusively uses [DefaultAzureCredential](https://docs.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential)
+from the Azure.Identity package to handle credentials for connecting to the service.
   * `endpoint` - This specifies the AppConfiguration store to connect to.
-  * `connectionString` - This specifies the AppConfiguration store to connect to, along with the Id and Secret necessary to access the service.
   * `keyFilter` - Use this to select a set of configuration values matching a certain key pattern.
   * `labelFilter` - Only retrieve configuration values that match a certain label.
   * `acceptDateTime` - Instead of versioning ala Azure Key Vault, AppConfiguration uses timestamps. Use this attribute to go back in time
@@ -202,21 +203,20 @@ It is however, __strongly__ encouraged to use `endpoint` with a managed service
 <add name="AzureKeyVault"
     [mode|@prefix|@stripPrefix|tokenPattern|@escapeExpandedValues|@optional=false]
     (@vaultName="MyVaultName" | @uri="https://MyVaultName.vault.azure.net")
-    [@connectionString="connection string"]
     [@version="secrets version"]
     [@preloadSecretNames="true"]
     type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure" />
 ```
-If your secrets are kept in Azure Key Vault, then this config builder is for you. There are three additional attributes for this config builder. The `vaultName` is
-required. The other attributes allow you some manual control about which vault to connect to, but are only necessary if the application is not running in an
-environment that works magically with `Microsoft.Azure.Services.AppAuthentication`. The Azure Services Authentication library is used to automatically pick
-up connection information from the execution environment if possible, but you can override that feature by providing a connection string instead.
-  * `vaultName` - This is a required attribute. It specifies the name of the vault in your Azure subscription from which to read key/value pairs.
-  * `connectionString` - A connection string usable by [AzureServiceTokenProvider](https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#connection-string-support)
-  * `uri` - Connect to other Key Vault providers with this attribute. If not specified, Azure is the assumed Vault provider. If the uri _is_specified, then `vaultName` is no longer a required parameter.
+If your secrets are kept in Azure Key Vault, then this config builder is for you. There are three additional attributes for this config builder. The `vaultName`
+(or `uri`) is required. Previous iterations of this config builder allowed for a `connectionString` as a way to supply credential information for connecting to
+Azure Key Vault. This method is no longer allowed as it is not a supported scenario for the current `Azure.Identity` SDK which is used for connecting
+to Azure services. Instead, this iteration of the config builder exclusively uses [DefaultAzureCredential](https://docs.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential)
+from the `Azure.Identity` package to handle credentials for connecting to Azure Key Vault.
+  * `vaultName` - This (or `uri`) is a required attribute. It specifies the name of the vault in your Azure subscription from which to read key/value pairs.
+  * `uri` - Connect to non-Azure Key Vault providers with this attribute. If not specified, Azure is the assumed Vault provider. If the uri _is_ specified, then `vaultName` is no longer a required parameter.
   * `version` - Azure Key Vault provides a versioning feature for secrets. If this is specified, the builder will only retrieve secrets matching this version.
-  * `preloadSecretNames` - By default, this builder will query __all__ the key names in the key vault when it is initialized. If this is a concern, set
-  this attribute to 'false', and secrets will be retrieved one at a time. This could also be useful if the vault allows "Get" access but not
+  * `preloadSecretNames` - By default, this builder will query __all__ the key names in the key vault when it is initialized to improve performance. If this is
+  a concern, set this attribute to 'false', and secrets will be retrieved one at a time. This could also be useful if the vault allows "Get" access but not
   "List" access. (NOTE: Disabling preload is incompatible with Greedy mode.)
 Tip: Azure Key Vault uses random per-secret Guid assignments for versioning, which makes specifying a secret `version` tag on this builder rather
 limiting, as it will only ever update one config value. To make version handling more useful, V2 of this builder takes advantage of the new key-updating

src/Azure/AzureKeyVaultConfigBuilder.cs

@@ -22,14 +22,13 @@ public class AzureKeyVaultConfigBuilder : KeyValueConfigBuilder
     {
         #pragma warning disable CS1591 // No xml comments for tag literals.
         public const string vaultNameTag = "vaultName";
-        public const string connectionStringTag = "connectionString";
+        public const string connectionStringTag = "connectionString";   // obsolete
         public const string uriTag = "uri";
         public const string versionTag = "version";
         public const string preloadTag = "preloadSecretNames";
         #pragma warning restore CS1591 // No xml comments for tag literals.
 
         private string _vaultName;
-        private string _connectionString;
         private string _uri;
         private string _version;
         private bool _preload;
@@ -79,8 +78,14 @@ protected override void LazyInitialize(string name, NameValueCollection config)
             }
             _uri = _uri.TrimEnd(new char[] { '/' });
 
-            _connectionString = UpdateConfigSettingWithAppSettings(connectionStringTag);
-            _connectionString = String.IsNullOrWhiteSpace(_connectionString) ? null : _connectionString;
+            if (config[connectionStringTag] != null)
+            {
+                // A connection string was given. Connection strings are no longer supported. Azure.Identity is the preferred way to
+                // authenticate, and that library has various mechanisms other than a plain text connection string in config to obtain
+                // the necessary client credentials for connecting to Azure.
+                // Be noisy about this even if optional, as it is a fundamental misconfiguration going forward.
+                throw new ArgumentException("AzureKeyVaultConfigBuilder no longer supports connection strings as of version 2.", connectionStringTag);
+            }
 
             // Connect to KeyVault
             try

src/AzureAppConfig/AzureAppConfigurationBuilder.cs

@@ -28,15 +28,14 @@ public class AzureAppConfigurationBuilder : KeyValueConfigBuilder
 
         #pragma warning disable CS1591 // No xml comments for tag literals.
         public const string endpointTag = "endpoint";
-        public const string connectionStringTag = "connectionString";
+        public const string connectionStringTag = "connectionString";   // obsolete
         public const string keyFilterTag = "keyFilter";
         public const string labelFilterTag = "labelFilter";
         public const string dateTimeFilterTag = "acceptDateTime";
         public const string useKeyVaultTag = "useAzureKeyVault";
         #pragma warning restore CS1591 // No xml comments for tag literals.
 
         private Uri _endpoint;
-        private string _connectionString;
         private string _keyFilter;
         private string _labelFilter;
         private DateTimeOffset _dateTimeFilter;
@@ -83,40 +82,33 @@ protected override void LazyInitialize(string name, NameValueCollection config)
             if (_useKeyVault)
                 _kvClientCache = new ConcurrentDictionary<Uri, SecretClient>(EqualityComparer<Uri>.Default);
 
-            // Always allow 'connectionString' to override black magic. But we expect this to be null most of the time.
-            _connectionString = UpdateConfigSettingWithAppSettings(connectionStringTag);
-            if (String.IsNullOrWhiteSpace(_connectionString))
+            // Config Store Endpoint
+            string uri = UpdateConfigSettingWithAppSettings(endpointTag);
+            if (!String.IsNullOrWhiteSpace(uri))
             {
-                _connectionString = null;
-
-                // Use MSI Connector instead.
-                string uri = UpdateConfigSettingWithAppSettings(endpointTag);
-                if (!String.IsNullOrWhiteSpace(uri))
+                try
                 {
-                    try
-                    {
-                        _endpoint = new Uri(uri);
-                        _client = new ConfigurationClient(_endpoint, new DefaultAzureCredential());
-                    }
-                    catch (Exception ex)
-                    {
-                        if (!Optional)
-                            throw new ArgumentException($"Exception encountered while creating connection to Azure App Configuration store.", ex);
-                    }
+                    _endpoint = new Uri(uri);
+                    _client = new ConfigurationClient(_endpoint, new DefaultAzureCredential());
                 }
-                else
+                catch (Exception ex)
                 {
-                    throw new ArgumentException($"An endpoint URI or connection string must be provided for connecting to Azure App Configuration service via the '{endpointTag}' or '{connectionStringTag}' attributes.");
+                    if (!Optional)
+                        throw new ArgumentException($"Exception encountered while creating connection to Azure App Configuration store.", ex);
                 }
             }
             else
             {
-                // If we get here, then we should try to connect with a connection string.
-                try
-                {
-                    _client = new ConfigurationClient(_connectionString);
-                }
-                catch (Exception e) when (Optional && ((e.InnerException is System.Net.Http.HttpRequestException) || (e.InnerException is UnauthorizedAccessException))) { }
+                throw new ArgumentException($"An endpoint URI must be provided for connecting to Azure App Configuration service via the '{endpointTag}' attribute.");
+            }
+
+            if (config[connectionStringTag] != null)
+            {
+                // A connection string was given. Connection strings are no longer supported. Azure.Identity is the preferred way to
+                // authenticate, and that library has various mechanisms other than a plain text connection string in config to obtain
+                // the necessary client credentials for connecting to Azure.
+                // Be noisy about this even if optional, as it is a fundamental misconfiguration going forward.
+                throw new ArgumentException("AzureAppConfigurationBuilder no longer supports connection strings.", connectionStringTag);
             }
 
             // At this point we've got all our ducks in a row and are ready to go. And we know that

src/packages/ConfigurationBuilders.Azure.nupkg/tools/Net471/Install.ps1

@@ -14,7 +14,7 @@ $keyVaultConfigBuilder = [BuilderDescription]@{
 	AllowedParameters=@( $keyValueCommonParameters +
 		[ParameterDescription]@{ Name="vaultName"; IsRequired=$false; DefaultValue="[VaultName]" },
 		[ParameterDescription]@{ Name="uri"; IsRequired=$false },
-		[ParameterDescription]@{ Name="connectionString"; IsRequired=$false },
+		[ParameterDescription]@{ Name="connectionString"; IsRequired=$false }, # Obsolete, but don't complain about it here. Still preserve it so people can revert back to the version that allows this.
 		[ParameterDescription]@{ Name="version"; IsRequired=$false },
 		[ParameterDescription]@{ Name="preloadSecretNames"; IsRequired=$false });
 }

src/packages/ConfigurationBuilders.AzureAppConfiguration.nupkg/tools/Net471/Install.ps1

@@ -12,8 +12,7 @@ $keyVaultConfigBuilder = [BuilderDescription]@{
 	Version="$assemblyVersion$";
 	DefaultName="AzureAppConfig";
 	AllowedParameters=@( $keyValueCommonParameters +
-		[ParameterDescription]@{ Name="endpoint"; IsRequired=$false; DefaultValue="[Config_Store_Endpoint_Url]" },
-		[ParameterDescription]@{ Name="connectionString"; IsRequired=$false },
+		[ParameterDescription]@{ Name="endpoint"; IsRequired=$true; DefaultValue="[Config_Store_Endpoint_Url]" },
 		[ParameterDescription]@{ Name="keyFilter"; IsRequired=$false },
 		[ParameterDescription]@{ Name="labelFilter"; IsRequired=$false },
 		[ParameterDescription]@{ Name="acceptDateTime"; IsRequired=$false };