Granular Access Control for AI Messaging on Azure Service Bus

Question

Pulumi · Accepted Answer

To create a granular access control for AI messaging on Azure Service Bus, we will follow these steps:

1. Create a new Azure Service Bus Namespace, which is a container for all messaging components.
2. Within the namespace, create a Topic which is a publish-subscribe messaging pattern where senders (publishers) send messages to the topic, and receivers (subscribers) receive messages from subscriptions on the topic.
3. Create a Subscription under the topic to receive messages published to the topic.
4. Implement access control by creating NamespaceAuthorizationRule and TopicAuthorizationRule that define the rights of users or services to access these messaging entities.

We will use the `azure-native` package for this:

- **Azure Service Bus Namespace**: A namespace is a scoping container for multiple messaging entities that includes its own set of access policies and messages.
- **Topic**: This entity is used to categorize messages into a specific group, with subscribers only receiving messages of interest.
- **Subscription**: Subscriptions are sub-queues that receive a copy of each message sent to the topic.
- **NamespaceAuthorizationRule**: The authorization rule for the namespace that defines what operations are allowed.
- **TopicAuthorizationRule**: The authorization rule for the topic that defines what operations are allowed for the topic.

Here is the Pulumi program to accomplish the setup:

```python
import pulumi
import pulumi_azure_native.servicebus as servicebus

# Create an Azure Service Bus Namespace
service_bus_namespace = servicebus.Namespace("myNamespace",
    resource_group_name="myResourceGroup",
    location="East US",
    sku={
        "name": "Standard",  # Choose between Basic, Standard, and Premium
    },
    tags={
        "environment": "production",
    })

# Create a Service Bus Topic inside the Namespace
topic = servicebus.Topic("myTopic",
    namespace_name=service_bus_namespace.name,
    resource_group_name="myResourceGroup",
    enable_batched_operations=True,  # Set message batching on or off
    support_ordering=True)  # Ensure ordered delivery of messages

# Create a Service Bus Subscription on the Topic
subscription = servicebus.Subscription("mySubscription",
    resource_group_name="myResourceGroup",
    namespace_name=service_bus_namespace.name,
    topic_name=topic.name,
    max_delivery_count=10,  # Number of immediate retries before dead-lettering
    lock_duration="PT1M",  # Message lock duration (ISO 8601)
    requires_session=True)  # Sessions enable joint and ordered handling of unbounded message sequences.

# Create an access policy for the Service Bus Namespace with manage rights
namespace_auth_rule = servicebus.NamespaceAuthorizationRule("myNamespaceAuthRule",
    namespace_name=service_bus_namespace.name,
    resource_group_name="myResourceGroup",
    rights=["Listen", "Send", "Manage"])  # Rights can include Listen, Send, and Manage

# Create an access policy for the Service Bus Topic with listen and send rights
topic_auth_rule = servicebus.TopicAuthorizationRule("myTopicAuthRule",
    topic_name=topic.name,
    namespace_name=service_bus_namespace.name,
    resource_group_name="myResourceGroup",
    rights=["Listen", "Send"])  # Rights can include Listen and Send for topics

# Output the Service Bus Namespace name and primary connection string
connection_string_output = pulumi.Output.all(service_bus_namespace.name, namespace_auth_rule.name, "myResourceGroup").apply(
    lambda args: servicebus.get_namespace_authorization_rule_primary_connection_string(
        authorization_rule_name=args[1],
        namespace_name=args[0],
        resource_group_name=args[2]))

pulumi.export("serviceBusNamespaceName", service_bus_namespace.name)
pulumi.export("serviceBusNamespaceConnectionString", connection_string_output)
```

In the above code:

- We created a Service Bus Namespace using `servicebus.Namespace` which acts as a container for messaging entities.
- A Topic is created using `servicebus.Topic` to which messages can be sent.
- A Subscription is created using `servicebus.Subscription` which allows messages from the Topic to be received.
- Authorization rules are set up using `servicebus.NamespaceAuthorizationRule` and `servicebus.TopicAuthorizationRule` which define access rights to the namespace and topic respectively.
- Finally, we export the namespace name and obtain the primary connection string of our created namespace authorization rule using `servicebus.get_namespace_authorization_rule_primary_connection_string` which is useful to connect your application to the Service Bus namespace.

Make sure your Azure account is properly configured with Pulumi before running this program. When you run `pulumi up`, these resources will be created in your Azure account. The output of the program will include the namespace name and primary connection string you need to use Azure Service Bus with your applications.