Easily Terraforming & Interacting with an Azure Confidential Ledger

Itay Podhajcer
Published in Microsoft Azure · Jan 17, 2023 · 3 min read

Azure Confidential Ledger is a managed, decentralized ledger for data entries backed by blockchain. It maintains data integrity through tamper-proof storage running in the hardware-backed secure enclaves used in Azure confidential computing, and it controls access and modification permissions with either Azure Active Directory identities or client certificates.

In this article we will cover how to deploy an Azure Confidential Ledger using Terraform, which is surprisingly simple, and then create a small script that interacts with both the control plane and the data plane.

Prerequisites

We will be using Terraform and its azurerm provider to deploy the ledger, and Python to interact with it, so we will need the following installed on our workstation:

  • Terraform: installation guide is here.
  • Azure CLI: installation guide is here.
  • Python: installation guide is here.

Example Repository

A complete Terraform script that creates a resource group and deploys an Azure Confidential Ledger, together with a Python script that interacts with the deployed ledger, is available in the following GitHub repository:

Deployment Script

As mentioned earlier, it is surprisingly easy to Terraform an Azure Confidential Ledger: it only requires creating a resource group and then an Azure Confidential Ledger resource. In our case, we will also grant the user who is running the script admin permissions on the ledger.

The entire Terraform script should be similar to the following:

To run the script, make sure to run az login first so Terraform can authenticate to Azure, then run terraform apply. After a few minutes, you should have a ledger ready for use.
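The configuration the text describes, as an added example that is not the article's or the linked repository's own script: one resource group, one ledger, and an Administrator ledger role for the identity that ran az login. The provider version pin, the resource names and the region are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: any 3.x release that ships azurerm_confidential_ledger
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity of whoever ran `az login`; Terraform picks it up from the Azure CLI session.
data "azurerm_client_config" "current" {}

# Resource names and region are placeholders chosen for this example.
resource "azurerm_resource_group" "ledger" {
  name     = "rg-confidential-ledger-demo"
  location = "westeurope"
}

resource "azurerm_confidential_ledger" "demo" {
  name                = "acl-demo-ledger"
  resource_group_name = azurerm_resource_group.ledger.name
  location            = azurerm_resource_group.ledger.location

  # "Private" restricts access to the principals that are granted ledger roles below.
  ledger_type = "Private"

  # Ledger roles (Administrator, Contributor, Reader) are enforced by the ledger
  # itself and are separate from Azure RBAC on the resource.
  azuread_based_service_principal {
    principal_id     = data.azurerm_client_config.current.object_id
    tenant_id        = data.azurerm_client_config.current.tenant_id
    ledger_role_name = "Administrator"
  }
}

# Endpoints the data-plane client needs; both are attributes exported by the provider.
output "ledger_endpoint" {
  value = azurerm_confidential_ledger.demo.ledger_endpoint
}

output "identity_service_endpoint" {
  value = azurerm_confidential_ledger.demo.identity_service_endpoint
}
```

Additional users or service principals get their own azuread_based_service_principal block (or a certificate_based_security_principal block for client certificates), each with the least-privileged ledger_role_name that its task needs.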

Using The Ledger

To interact with the ledger, we will write a small Python script that accesses both the management plane, to retrieve ledger properties, and the data plane, to write and read transactions.

We will start by creating a requirements.txt file for the required dependencies:

Then execute pip install -r requirements.txt to install those dependencies.

Next, we will create the script file, test-ledger.py, starting with the imports and the variables holding the details of our deployed ledger:

Then we create a ledger management client and retrieve some of the ledger's properties (name, location, and ID):

Afterwards, we create a ledger certificate client to retrieve the ledger's identity certificate:

And lastly, we create a ledger client to write and read data:

The only thing left is to run the script using python .\test-ledger.py; you should see the info printed out by the script and the certificate file downloaded locally.

Conclusion

Although, for simplicity, the script above associates only a single user with the ledger, a real-world deployment would likely have multiple associations of both users and service accounts, using Azure Active Directory identities and/or client certificates to control who can access the ledger and with what permissions.

Itay Podhajcer
Microsoft Azure

Tech expert with 20+ years’ experience as CTO, Chief Architect, and Consultant. 3x Microsoft MVP award winner. Passionate blogger and open-source contributor