
assign scaleset to a role (#185)
chkeita authored Oct 28, 2020
1 parent 59cfc52 commit e76064b
Showing 3 changed files with 207 additions and 119 deletions.
95 changes: 52 additions & 43 deletions src/deployment/deploy.py
Expand Up @@ -12,18 +12,20 @@
import subprocess
import sys
import tempfile
import time
import uuid
import zipfile
from datetime import datetime, timedelta

from azure.cli.core import CLIError
from azure.common.client_factory import get_client_from_cli_profile
from azure.common.credentials import get_cli_profile
from azure.core.exceptions import ResourceExistsError
from azure.cosmosdb.table.tableservice import TableService
from azure.graphrbac import GraphRbacManagementClient
from azure.graphrbac.models import (
Application,
ApplicationCreateParameters,
ApplicationUpdateParameters,
AppRole,
GraphErrorException,
OptionalClaims,
Expand All @@ -48,7 +50,6 @@
DeploymentMode,
DeploymentProperties,
)
import time
from azure.mgmt.storage import StorageManagementClient
from azure.storage.blob import (
BlobServiceClient,
Expand All @@ -59,12 +60,12 @@
from msrest.serialization import TZ_UTC

from data_migration import migrate
from register_pool_application import (
from registration import (
add_application_password,
authorize_application,
get_application,
register_application,
update_registration,
update_pool_registration,
)

USER_IMPERSONATION = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
Expand Down Expand Up @@ -225,12 +226,11 @@ def create_password(self, object_id):
while True:
time.sleep(wait)
count += 1
try:
return add_application_password(object_id)
except CLIError as err:
if count > timeout_seconds/wait:
raise err
logger.info("creating password failed, trying again")
password = add_application_password(object_id)
if password:
return password
if count > timeout_seconds/wait:
raise Exception("creating password failed, trying again")

def setup_rbac(self):
"""
Expand All @@ -256,6 +256,25 @@ def setup_rbac(self):
logger.error("unable to query RBAC. Provide client_id and client_secret")
sys.exit(1)

app_roles = [
AppRole(
allowed_member_types=["Application"],
display_name="CliClient",
id=str(uuid.uuid4()),
is_enabled=True,
description="Allows access from the CLI.",
value="CliClient",
),
AppRole(
allowed_member_types=["Application"],
display_name="ManagedNode",
id=str(uuid.uuid4()),
is_enabled=True,
description="Allow access from a lab machine.",
value="ManagedNode",
),
]

if not existing:
logger.info("creating Application registration")
url = "https://%s.azurewebsites.net" % self.application_name
Expand All @@ -273,24 +292,7 @@ def setup_rbac(self):
resource_app_id="00000002-0000-0000-c000-000000000000",
)
],
app_roles=[
AppRole(
allowed_member_types=["Application"],
display_name="CliClient",
id=str(uuid.uuid4()),
is_enabled=True,
description="Allows access from the CLI.",
value="CliClient",
),
AppRole(
allowed_member_types=["Application"],
display_name="LabMachine",
id=str(uuid.uuid4()),
is_enabled=True,
description="Allow access from a lab machine.",
value="LabMachine",
),
],
app_roles=app_roles,
)
app = client.applications.create(params)

Expand All @@ -303,7 +305,27 @@ def setup_rbac(self):
)
client.service_principals.create(service_principal_params)
else:
app = existing[0]
app: Application = existing[0]
existing_role_values = [app_role.value for app_role in app.app_roles]
has_missing_roles = any(
[role.value not in existing_role_values for role in app_roles]
)

if has_missing_roles:
# disabling the existing app role first to allow the update
# this is a requirement to update the application roles
for role in app.app_roles:
role.is_enabled = False

client.applications.patch(
app.object_id, ApplicationUpdateParameters(app_roles=app.app_roles)
)

# overriding the list of app roles
client.applications.patch(
app.object_id, ApplicationUpdateParameters(app_roles=app_roles)
)

creds = list(client.applications.list_password_credentials(app.object_id))
client.applications.update_password_credentials(app.object_id, creds)

Expand Down Expand Up @@ -612,7 +634,7 @@ def deploy_app(self):
def update_registration(self):
if not self.create_registration:
return
update_registration(self.application_name)
update_pool_registration(self.application_name)

def done(self):
logger.info(TELEMETRY_NOTICE)
Expand Down Expand Up @@ -766,19 +788,6 @@ def main():

logging.getLogger("deploy").setLevel(logging.INFO)

# TODO: using az_cli resets logging defaults. For now, force these
# to be WARN level
if not args.verbose:
for entry in [
"adal-python",
"msrest.universal_http",
"urllib3.connectionpool",
"az_command_data_logger",
"msrest.service_client",
"azure.core.pipeline.policies.http_logging_policy",
]:
logging.getLogger(entry).setLevel(logging.WARN)

if args.start_at != states[0][0]:
logger.warning(
"*** Starting at a non-standard deployment state. "
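Review bot: Every AppRole in the module-level `app_roles` list is built with `id=str(uuid.uuid4())`, so in the `else` branch of `setup_rbac` the "overriding the list of app roles" patch gives the already-existing `CliClient` role a brand-new id on any redeploy where a role is missing; if app role assignments reference the role by id, as Azure AD's appRoleId model appears to, principals assigned the old `CliClient` id would silently stop receiving that role claim. Reusing the existing id for any role whose `value` is already present on the application keeps prior assignments valid while still adding `ManagedNode`. The disable-then-overwrite sequence also removes every role not in `app_roles` (including the renamed `LabMachine`), which is presumably intended for the rename but deserves a comment at the second patch, e.g. `# full overwrite: roles not in app_roles (e.g. LabMachine) are removed and their assignments stop granting access`. Separately, deleting the forced WARN level for `msrest.universal_http` and `azure.core.pipeline.policies.http_logging_policy` in `main` may let HTTP request/response logging surface around the password-credential calls if az_cli really resets logging defaults as the removed TODO claimed; worth confirming nothing sensitive reaches the deploy log. `setup_rbac` continues beyond the hunk.
```python
        else:
            app: Application = existing[0]
            # keep the ids of roles that already exist so any role
            # assignments referencing those ids remain valid
            existing_by_value = {role.value: role for role in app.app_roles}
            for role in app_roles:
                if role.value in existing_by_value:
                    role.id = existing_by_value[role.value].id
            existing_role_values = list(existing_by_value)
            # … unchanged: has_missing_roles check, disable-then-overwrite patches …
```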
