1. Granular Access Control for AI Messaging on Azure Service Bus


    To create a granular access control for AI messaging on Azure Service Bus, we will follow these steps:

    1. Create a new Azure Service Bus Namespace, which is a container for all messaging components.
    2. Within the namespace, create a Topic which is a publish-subscribe messaging pattern where senders (publishers) send messages to the topic, and receivers (subscribers) receive messages from subscriptions on the topic.
    3. Create a Subscription under the topic to receive messages published to the topic.
    4. Implement access control by creating NamespaceAuthorizationRule and TopicAuthorizationRule that define the rights of users or services to access these messaging entities.

    We will use the azure-native package for this:

    • Azure Service Bus Namespace: A namespace is a scoping container for multiple messaging entities that includes its own set of access policies and messages.
    • Topic: This entity is used to categorize messages into a specific group, with subscribers only receiving messages of interest.
    • Subscription: Subscriptions are sub-queues that receive a copy of each message sent to the topic.
    • NamespaceAuthorizationRule: The authorization rule for the namespace that defines what operations are allowed.
    • TopicAuthorizationRule: The authorization rule for the topic that defines what operations are allowed for the topic.

    Here is the Pulumi program to accomplish the setup:

    import pulumi import pulumi_azure_native.servicebus as servicebus # Create an Azure Service Bus Namespace service_bus_namespace = servicebus.Namespace("myNamespace", resource_group_name="myResourceGroup", location="East US", sku={ "name": "Standard", # Choose between Basic, Standard, and Premium }, tags={ "environment": "production", }) # Create a Service Bus Topic inside the Namespace topic = servicebus.Topic("myTopic", namespace_name=service_bus_namespace.name, resource_group_name="myResourceGroup", enable_batched_operations=True, # Set message batching on or off support_ordering=True) # Ensure ordered delivery of messages # Create a Service Bus Subscription on the Topic subscription = servicebus.Subscription("mySubscription", resource_group_name="myResourceGroup", namespace_name=service_bus_namespace.name, topic_name=topic.name, max_delivery_count=10, # Number of immediate retries before dead-lettering lock_duration="PT1M", # Message lock duration (ISO 8601) requires_session=True) # Sessions enable joint and ordered handling of unbounded message sequences. # Create an access policy for the Service Bus Namespace with manage rights namespace_auth_rule = servicebus.NamespaceAuthorizationRule("myNamespaceAuthRule", namespace_name=service_bus_namespace.name, resource_group_name="myResourceGroup", rights=["Listen", "Send", "Manage"]) # Rights can include Listen, Send, and Manage # Create an access policy for the Service Bus Topic with listen and send rights topic_auth_rule = servicebus.TopicAuthorizationRule("myTopicAuthRule", topic_name=topic.name, namespace_name=service_bus_namespace.name, resource_group_name="myResourceGroup", rights=["Listen", "Send"]) # Rights can include Listen and Send for topics # Output the Service Bus Namespace name and primary connection string connection_string_output = pulumi.Output.all(service_bus_namespace.name, namespace_auth_rule.name, "myResourceGroup").apply( lambda args: servicebus.get_namespace_authorization_rule_primary_connection_string( authorization_rule_name=args[1], namespace_name=args[0], resource_group_name=args[2])) pulumi.export("serviceBusNamespaceName", service_bus_namespace.name) pulumi.export("serviceBusNamespaceConnectionString", connection_string_output)

    In the above code:

    • We created a Service Bus Namespace using servicebus.Namespace which acts as a container for messaging entities.
    • A Topic is created using servicebus.Topic to which messages can be sent.
    • A Subscription is created using servicebus.Subscription which allows messages from the Topic to be received.
    • Authorization rules are set up using servicebus.NamespaceAuthorizationRule and servicebus.TopicAuthorizationRule which define access rights to the namespace and topic respectively.
    • Finally, we export the namespace name and obtain the primary connection string of our created namespace authorization rule using servicebus.get_namespace_authorization_rule_primary_connection_string which is useful to connect your application to the Service Bus namespace.

    Make sure your Azure account is properly configured with Pulumi before running this program. When you run pulumi up, these resources will be created in your Azure account. The output of the program will include the namespace name and primary connection string you need to use Azure Service Bus with your applications.