fix msi validate function (Azure#15477)

* fix msi validate function

* update azure context auto configuration

sdk/spring/azure-spring-boot-samples/azure-spring-cloud-eventhubs-binder-sample/README.adoc

@@ -96,15 +96,15 @@ spring.cloud.stream.bindings.output.destination=[eventhub-name]
 
 ==== Overview
 
-https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/[MSI] (Managed Service Identity, aka Managed Identity) for Azure resources provides Azure services with an automatically managed identity in https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis[Azure AD].
+https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/[MSI] (Managed Service Identity, aka Managed Identity) for Azure resources provides Azure services with an automatically managed identity in https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis[Azure AD].
 You can use this identity to authenticate to any service that supports Azure AD authentication without having any credentials in your code.
 
 ==== Prerequisites
 
-1. Create https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create[Azure Event Hubs].
+1. Create https://docs.microsoft.com/azure/event-hubs/event-hubs-create[Azure Event Hubs].
 Please note `Basic` tier is unsupported.
 
-2. Create https://docs.microsoft.com/en-us/azure/storage/[Azure Storage] for checkpoint use.
+2. Create https://docs.microsoft.com/azure/storage/[Azure Storage] for checkpoint use.
 
 ==== Setup Application
 
@@ -113,45 +113,41 @@ Please note your application should run in VM (Virtual Machine) or App Services
 ===== Method 1:  Setup VM and assign identity
 
 1. Create VM in Azure portal.
-Please refer to https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal[Create a Windows virtual machine in the Azure portal] or https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-portal[Create a Linux virtual machine in the Azure portal].
+Please refer to https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal[Create a Windows virtual machine in the Azure portal] or https://docs.microsoft.com/azure/virtual-machines/linux/quick-create-portal[Create a Linux virtual machine in the Azure portal].
 Choose any one according to your needs.
 
 2. Create an user-assigned identity in Azure Portal.
-Please refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal#create-a-user-assigned-managed-identity[Create an user-assigned managed identity].
+Please refer to https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal#create-a-user-assigned-managed-identity[Create an user-assigned managed identity].
 
 3. Assign the user-assigned identity to the VM.
-Please refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#assign-a-user-assigned-managed-identity-to-an-existing-vm[Assign an user-assigned managed identity to an existing VM].
+Please refer to https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#assign-a-user-assigned-managed-identity-to-an-existing-vm[Assign an user-assigned managed identity to an existing VM].
 
 ===== Method 2: Setup App Service and assign identity
 
 - 1. Deploy this sample's Spring Boot JAR file to App Service.
 
-You can follow  https://docs.microsoft.com/en-us/java/azure/spring-framework/deploy-spring-boot-java-app-with-maven-plugin?toc=%2Fazure%2Fapp-service%2Fcontainers%2Ftoc.json&view=azure-java-stable[
+You can follow  https://docs.microsoft.com/java/azure/spring-framework/deploy-spring-boot-java-app-with-maven-plugin?toc=%2Fazure%2Fapp-service%2Fcontainers%2Ftoc.json&view=azure-java-stable[
  Deploy a Spring Boot JAR file to Azure App Service] to deploy the JAR file.
 
-Another way to deploy an executable JAR is via FTP/S. Follow https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp[
+Another way to deploy an executable JAR is via FTP/S. Follow https://docs.microsoft.com/azure/app-service/deploy-ftp[
 Deploy your app to App Service using FTP/S].
 And the JAR file's name must be `app.jar`.
 
 - 2. Create a managed identity for App Service.
 
-If you choose system-assigned identity, follow https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity#adding-a-system-assigned-identity[
+If you choose system-assigned identity, follow https://docs.microsoft.com/azure/app-service/overview-managed-identity#adding-a-system-assigned-identity[
  Adding a system assigned identity].
 
-If you choose user-assigned identity, follow https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity#adding-a-user-assigned-identity[
+If you choose user-assigned identity, follow https://docs.microsoft.com/azure/app-service/overview-managed-identity#adding-a-user-assigned-identity[
  Adding a user assigned identity].
 
-==== Role Assignment
-
-Add role assignment to Event hub, Storage Account and Resource Group.
+==== Add Role Assignment for Resource Group
 
-- Event Hub: `Contributor` role.
-- Storage Account: `Storage Account Key Operator Service Role` role.
-- Resource Group: `Reader` role.
+- Resource Group: assign `Reader` role for managed identity.
 
-See https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-managed-service-identity[Managed identities for Azure resources with Event Hubs] to add role assignment for Event Hub, Storage Account and Resource Group are similar.
+See https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal[Add or remove Azure role assignments] to add the role assignment for Resource Group.
 
-For different built-in role's descriptions, please see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles[Built-in role descriptions].
+For different built-in role's descriptions, please see https://docs.microsoft.com/azure/role-based-access-control/built-in-roles[Built-in role descriptions].
 
 ==== Add MSI related properties
 
@@ -164,8 +160,9 @@ spring.cloud.azure.msi-enabled=true
 # Fill subscription ID copied from portal
 spring.cloud.azure.subscription-id=[subscription-id]
 
-# Fill client ID if user-assigned identity is used in App Service
-spring.cloud.azure.managed-identity.client-id=[The ID of the user-assigned identity to be used]
+# Fill client ID of managed identity
+# Fill Client ID when using User-Assigned Identity, fill Object Id when using System-Assigned Identity
+spring.cloud.azure.managed-identity.client-id=[The ID of managed identity]
 
 # Fill resource group name
 spring.cloud.azure.resource-group=[resource-group]
@@ -186,6 +183,18 @@ spring.cloud.stream.bindings.output.destination=[eventhub-name]
 spring.cloud.stream.eventhub.bindings.input.consumer.checkpoint-mode=MANUAL
 ....
 
+==== Add Role Assignment for Event Hub and Storage Account
+
+- Event Hub: assign `Contributor` role for managed identity.
+- Storage Account: assign `Storage Account Key Operator Service Role` role for managed identity.
+
+See https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal[Managed identities for Azure resources with Event Hubs] to add role assignment for Event Hub, Storage Account is similar.
+
+
+=== Redeploy Application
+If you update the `spring.cloud.azure.managed-identity.client-id` property after deploying the app, or update the role assignment for services, then redeploy the app again.
+
+
 === How to run
 
 1. Run the `mvn clean spring-boot:run` in the root of the code sample to get the app running.

sdk/spring/azure-spring-boot-samples/azure-spring-cloud-eventhubs-binder-sample/pom.xml

@@ -75,11 +75,15 @@
 
   <build>
     <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+      </plugin>
       <!--  mvn azure-webapp:config -->
       <plugin>
         <groupId>com.microsoft.azure</groupId>
         <artifactId>azure-webapp-maven-plugin</artifactId>
-        <version>1.6.0</version>
+        <version>1.10.0</version>
       </plugin>
     </plugins>
   </build>

sdk/spring/azure-spring-boot-samples/azure-spring-cloud-eventhubs-binder-sample/src/main/resources/application.properties

@@ -17,7 +17,7 @@ spring.cloud.azure.eventhub.namespace=[eventhub-namespace]
 
 #spring.cloud.azure.msi-enabled=true
 #spring.cloud.azure.subscription-id=[subscription-id]
-#spring.cloud.azure.managed-identity.client-id=[The ID of the user-assigned identity to be used]
+#spring.cloud.azure.managed-identity.client-id=[The ID of managed identity]
 
 #spring.cloud.azure.resource-group=[resource-group]
 #spring.cloud.azure.eventhub.namespace=[eventhub-namespace]

sdk/spring/azure-spring-boot-samples/azure-spring-cloud-eventhubs-multibinders-sample/pom.xml

@@ -76,11 +76,15 @@
 
   <build>
     <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+      </plugin>
       <!--  mvn azure-webapp:config -->
       <plugin>
         <groupId>com.microsoft.azure</groupId>
         <artifactId>azure-webapp-maven-plugin</artifactId>
-        <version>1.6.0</version>
+        <version>1.10.0</version>
       </plugin>
     </plugins>
   </build>

sdk/spring/azure-spring-cloud-context/pom.xml

@@ -19,7 +19,7 @@
 
   <properties>
     <jacoco.min.linecoverage>0.10</jacoco.min.linecoverage>
-    <jacoco.min.branchcoverage>0.15</jacoco.min.branchcoverage>
+    <jacoco.min.branchcoverage>0.14</jacoco.min.branchcoverage>
   </properties>
 
   <dependencies>

sdk/spring/azure-spring-cloud-context/src/main/java/com/microsoft/azure/spring/cloud/autoconfigure/context/AzureContextAutoConfiguration.java

@@ -47,7 +47,7 @@ public ResourceManagerProvider resourceManagerProvider(Azure azure, AzurePropert
 
     @Bean
     @ConditionalOnMissingBean
-    public Azure azure(AzureTokenCredentials credentials) throws IOException {
+    public Azure azure(AzureTokenCredentials credentials, AzureProperties azureProperties) throws IOException {
         RestClient restClient = new RestClient.Builder()
             .withBaseUrl(credentials.environment(), AzureEnvironment.Endpoint.RESOURCE_MANAGER)
             .withCredentials(credentials).withSerializerAdapter(new AzureJacksonAdapter())
@@ -56,7 +56,11 @@ public Azure azure(AzureTokenCredentials credentials) throws IOException {
             .withInterceptor(new ResourceManagerThrottlingInterceptor()).withUserAgent(SPRING_CLOUD_USER_AGENT)
             .build();
 
-        return Azure.authenticate(restClient, credentials.domain()).withDefaultSubscription();
+        if (azureProperties.getSubscriptionId() == null) {
+            return Azure.authenticate(restClient, credentials.domain()).withDefaultSubscription();
+        } else {
+            return Azure.authenticate(restClient, credentials.domain()).withSubscription(azureProperties.getSubscriptionId());
+        }
     }
 
     @Bean

sdk/spring/azure-spring-cloud-context/src/main/java/com/microsoft/azure/spring/cloud/context/core/config/AzureProperties.java

@@ -41,7 +41,7 @@ private void validate() {
         }
 
         if (msiEnabled && Strings.isNullOrEmpty(subscriptionId)) {
-            Assert.hasText(this.region, "When msi is enabled, spring.cloud.azure.subscription-id must be provided");
+            Assert.hasText(this.subscriptionId, "When msi is enabled, spring.cloud.azure.subscription-id must be provided");
         }
     }