def validate_add_vnet(cmd, namespace): from azure.core.exceptions import ResourceNotFoundError as ResNotFoundError resource_group_name = namespace.resource_group_name from azure.cli.command_modules.network._client_factory import network_client_factory vnet_identifier = namespace.vnet name = namespace.name slot = namespace.slot if is_valid_resource_id(vnet_identifier): current_sub_id = get_subscription_id(cmd.cli_ctx) parsed_vnet = parse_resource_id(vnet_identifier) vnet_sub_id = parsed_vnet['subscription'] vnet_group = parsed_vnet['resource_group'] vnet_name = parsed_vnet['name'] cmd.cli_ctx.data['subscription_id'] = vnet_sub_id vnet_client = network_client_factory(cmd.cli_ctx) vnet_loc = vnet_client.virtual_networks.get( resource_group_name=vnet_group, virtual_network_name=vnet_name).location cmd.cli_ctx.data['subscription_id'] = current_sub_id else: vnet_client = network_client_factory(cmd.cli_ctx) try: vnet_loc = vnet_client.virtual_networks.get( resource_group_name=namespace.resource_group_name, virtual_network_name=vnet_identifier).location except ResNotFoundError: vnets = vnet_client.virtual_networks.list_all() vnet_loc = '' for v in vnets: if vnet_identifier == v.name: vnet_loc = v.location break if not vnet_loc: # Fall back to back end validation logger.warning("Failed to fetch vnet. Skipping location validation.") return webapp = _generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'get', slot) webapp_loc = _normalize_location(cmd, webapp.location) vnet_loc = _normalize_location(cmd, vnet_loc) if vnet_loc != webapp_loc: raise ValidationError( "The app and the vnet resources are in different locations. " "Cannot integrate a regional VNET to an app in a different region")
def validate_add_vnet(cmd, namespace): resource_group_name = namespace.resource_group_name from azure.cli.command_modules.network._client_factory import network_client_factory vnet_client = network_client_factory(cmd.cli_ctx) list_all_vnets = vnet_client.virtual_networks.list_all() vnet = namespace.vnet name = namespace.name slot = namespace.slot vnet_loc = '' for v in list_all_vnets: if vnet in (v.name, v.id): vnet_loc = v.location break from ._appservice_utils import _generic_site_operation webapp = _generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'get', slot) # converting geo region to geo location webapp_loc = webapp.location.lower().replace(" ", "") if vnet_loc != webapp_loc: raise CLIError( "The app and the vnet resources are in different locations. \ Cannot integrate a regional VNET to an app in a different region" )
def _ensure_subnet_service_endpoint(cli_ctx, subnet_id): from azure.cli.core.profiles import AD_HOC_API_VERSIONS, ResourceType subnet_id_parts = parse_resource_id(subnet_id) subnet_subscription_id = subnet_id_parts['subscription'] subnet_resource_group = subnet_id_parts['resource_group'] subnet_vnet_name = subnet_id_parts['name'] subnet_name = subnet_id_parts['resource_name'] if get_subscription_id(cli_ctx).lower() != subnet_subscription_id.lower(): raise ArgumentUsageError('Cannot validate subnet in different subscription for missing service endpoint.' ' Use --ignore-missing-endpoint or -i to' ' skip validation and manually verify service endpoint.') vnet_client = network_client_factory(cli_ctx, api_version=AD_HOC_API_VERSIONS[ResourceType.MGMT_NETWORK] ['appservice_ensure_subnet']) subnet_obj = vnet_client.subnets.get(subnet_resource_group, subnet_vnet_name, subnet_name) subnet_obj.service_endpoints = subnet_obj.service_endpoints or [] service_endpoint_exists = False for s in subnet_obj.service_endpoints: if s.service == "Microsoft.Web": service_endpoint_exists = True break if not service_endpoint_exists: web_service_endpoint = ServiceEndpointPropertiesFormat(service="Microsoft.Web") subnet_obj.service_endpoints.append(web_service_endpoint) poller = vnet_client.subnets.begin_create_or_update( subnet_resource_group, subnet_vnet_name, subnet_name, subnet_parameters=subnet_obj) # Ensure subnet is updated to avoid update conflict LongRunningOperation(cli_ctx)(poller)
def _create_nsg_rule(cli_ctx, resource_group_name, network_security_group_name, security_rule_name, priority, description=None, protocol=None, access=None, direction=None, source_port_range='*', source_address_prefix='*', destination_port_range=80, destination_address_prefix='*'): settings = SecurityRule( protocol=protocol, source_address_prefix=source_address_prefix, destination_address_prefix=destination_address_prefix, access=access, direction=direction, description=description, source_port_range=source_port_range, destination_port_range=destination_port_range, priority=priority, name=security_rule_name) network_client = network_client_factory(cli_ctx) poller = network_client.security_rules.create_or_update( resource_group_name, network_security_group_name, security_rule_name, settings) LongRunningOperation(cli_ctx)(poller)
def _ensure_subnet_service_endpoint(cli_ctx, subnet_id): from msrestazure.tools import parse_resource_id subnet_id_parts = parse_resource_id(subnet_id) subnet_resource_group = subnet_id_parts['resource_group'] subnet_vnet_name = subnet_id_parts['name'] subnet_name = subnet_id_parts['resource_name'] vnet_client = network_client_factory(cli_ctx, api_version=NETWORK_API_VERSION) subnet_obj = vnet_client.subnets.get(subnet_resource_group, subnet_vnet_name, subnet_name) subnet_obj.service_endpoints = subnet_obj.service_endpoints or [] service_endpoint_exists = False for s in subnet_obj.service_endpoints: if s.service == "Microsoft.Web": service_endpoint_exists = True break if not service_endpoint_exists: web_service_endpoint = ServiceEndpointPropertiesFormat( service="Microsoft.Web") subnet_obj.service_endpoints.append(web_service_endpoint) poller = vnet_client.subnets.begin_create_or_update( subnet_resource_group, subnet_vnet_name, subnet_name, subnet_parameters=subnet_obj) # Ensure subnet is updated to avoid update conflict LongRunningOperation(cli_ctx)(poller)
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) try: ag_name = namespace.application_gateway_name except AttributeError: ag_name = namespace.resource_name if namespace.resource_group_name and ag_name: ag = client.application_gateways.get(namespace.resource_group_name, ag_name) return [r.name for r in getattr(ag, prop)]
def subnet_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) if namespace.resource_group_name and namespace.virtual_network_name: rg = namespace.resource_group_name vnet = namespace.virtual_network_name return [ r.name for r in client.subnets.list(resource_group_name=rg, virtual_network_name=vnet) ]
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) try: ag_name = namespace.application_gateway_name except AttributeError: ag_name = namespace.resource_name if namespace.resource_group_name and ag_name: ag = client.application_gateways.get(namespace.resource_group_name, ag_name) return [r.name for r in getattr(ag, prop)]
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) try: lb_name = namespace.load_balancer_name except AttributeError: lb_name = namespace.resource_name if namespace.resource_group_name and lb_name: lb = client.load_balancers.get(namespace.resource_group_name, lb_name) return [r.name for r in getattr(lb, prop)]
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) try: lb_name = namespace.load_balancer_name except AttributeError: lb_name = namespace.resource_name if namespace.resource_group_name and lb_name: lb = client.load_balancers.get(namespace.resource_group_name, lb_name) return [r.name for r in getattr(lb, prop)]
def ag_url_map_rule_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) try: ag_name = namespace.application_gateway_name except AttributeError: ag_name = namespace.resource_name if namespace.resource_group_name and ag_name: ag = client.application_gateways.get(namespace.resource_group_name, ag_name) url_map = next((x for x in ag.url_path_maps if x.name == namespace.url_path_map_name), None) # pylint: disable=no-member return [r.name for r in url_map.path_rules]
def ag_url_map_rule_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) try: ag_name = namespace.application_gateway_name except AttributeError: ag_name = namespace.resource_name if namespace.resource_group_name and ag_name: ag = client.application_gateways.get(namespace.resource_group_name, ag_name) url_map = next((x for x in ag.url_path_maps if x.name == namespace.url_path_map_name), None) # pylint: disable=no-member return [r.name for r in url_map.path_rules]
def _ensure_route_table(cli_ctx, resource_group_name, ase_name, location, subnet_id, force): from msrestazure.tools import parse_resource_id subnet_id_parts = parse_resource_id(subnet_id) vnet_resource_group = subnet_id_parts['resource_group'] vnet_name = subnet_id_parts['name'] subnet_name = subnet_id_parts['resource_name'] ase_route_table_name = ase_name + '-Route-Table' ase_route_name = ase_name + '-route' network_client = network_client_factory(cli_ctx) subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name, subnet_name) if subnet_obj.route_table is None or force: rt_list = network_client.route_tables.list(resource_group_name) rt_found = False for rt in list(rt_list): if rt.name.lower() == ase_route_table_name.lower(): rt_found = True break if not rt_found: logger.info('Ensure Route Table...') ase_route_table = RouteTable(location=location) poller = network_client.route_tables.create_or_update( resource_group_name, ase_route_table_name, ase_route_table) LongRunningOperation(cli_ctx)(poller) logger.info('Ensure Internet Route...') internet_route = Route(address_prefix='0.0.0.0/0', next_hop_type='Internet') poller = network_client.routes.create_or_update( resource_group_name, ase_route_table_name, ase_route_name, internet_route) LongRunningOperation(cli_ctx)(poller) rt = network_client.route_tables.get(resource_group_name, ase_route_table_name) if not subnet_obj.route_table or subnet_obj.route_table.id != rt.id: logger.info('Associate Route Table with Subnet...') subnet_obj.route_table = rt poller = network_client.subnets.create_or_update( vnet_resource_group, vnet_name, subnet_name, subnet_parameters=subnet_obj) LongRunningOperation(cli_ctx)(poller) else: route_table_id_parts = parse_resource_id(subnet_obj.route_table.id) rt_name = route_table_id_parts['name'] if rt_name.lower() != ase_route_table_name.lower(): raise CLIError('Route table already exists. \ Use --ignore-route-table to use existing route table. \ Use --force-route-table to replace existing route table' )
def completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = getattr(network_client_factory(cmd.cli_ctx), group) operation = getattr(client, operation_name) return operation(**kwargs)
def service_endpoint_completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx).available_endpoint_services location = namespace.location return [x.name for x in client.list(location=location)]
def _ensure_network_security_group(cli_ctx, resource_group_name, ase_name, location, subnet_id, force): from msrestazure.tools import parse_resource_id subnet_id_parts = parse_resource_id(subnet_id) vnet_resource_group = subnet_id_parts['resource_group'] vnet_name = subnet_id_parts['name'] subnet_name = subnet_id_parts['resource_name'] ase_nsg_name = ase_name + '-NSG' network_client = network_client_factory(cli_ctx) subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name, subnet_name) subnet_address_prefix = subnet_obj.address_prefix if subnet_obj.network_security_group is None or force: nsg_list = network_client.network_security_groups.list( resource_group_name) nsg_found = False for nsg in list(nsg_list): if nsg.name.lower() == ase_nsg_name.lower(): nsg_found = True break if not nsg_found: logger.info('Ensure Network Security Group...') ase_nsg = NetworkSecurityGroup(location=location) poller = network_client.network_security_groups.create_or_update( resource_group_name, ase_nsg_name, ase_nsg) LongRunningOperation(cli_ctx)(poller) logger.info('Ensure Network Security Group Rules...') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-management', 100, 'Used to manage ASE from public VIP', '*', 'Allow', 'Inbound', '*', 'AppServiceManagement', '454-455', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-load-balancer-keep-alive', 105, 'Allow communication to ASE from Load Balancer', '*', 'Allow', 'Inbound', '*', 'AzureLoadBalancer', '16001', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'ASE-internal-inbound', 110, 'ASE-internal-inbound', '*', 'Allow', 'Inbound', '*', subnet_address_prefix, '*', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-HTTP', 120, 'Allow HTTP', '*', 'Allow', 'Inbound', '*', '*', '80', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-HTTPS', 130, 'Allow HTTPS', '*', 'Allow', 'Inbound', '*', '*', '443', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-FTP', 140, 'Allow FTP', '*', 'Allow', 'Inbound', '*', '*', '21', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-FTPS', 150, 'Allow FTPS', '*', 'Allow', 'Inbound', '*', '*', '990', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-FTP-Data', 160, 'Allow FTP Data', '*', 'Allow', 'Inbound', '*', '*', '10001-10020', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Inbound-Remote-Debugging', 170, 'Visual Studio remote debugging', '*', 'Allow', 'Inbound', '*', '*', '4016-4022', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Outbound-443', 100, 'Azure Storage blob', '*', 'Allow', 'Outbound', '*', '*', '443', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Outbound-DB', 110, 'Database', '*', 'Allow', 'Outbound', '*', '*', '1433', 'Sql') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Outbound-DNS', 120, 'DNS', '*', 'Allow', 'Outbound', '*', '*', '53', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'ASE-internal-outbound', 130, 'Azure Storage queue', '*', 'Allow', 'Outbound', '*', '*', '*', subnet_address_prefix) _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Outbound-80', 140, 'Outbound 80', '*', 'Allow', 'Outbound', '*', '*', '80', '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Outbound-monitor', 150, 'Azure Monitor', '*', 'Allow', 'Outbound', '*', '*', 12000, '*') _create_nsg_rule(cli_ctx, resource_group_name, ase_nsg_name, 'Outbound-NTP', 160, 'Clock', '*', 'Allow', 'Outbound', '*', '*', '123', '*') nsg = network_client.network_security_groups.get( resource_group_name, ase_nsg_name) if not subnet_obj.network_security_group or subnet_obj.network_security_group.id != nsg.id: logger.info('Associate Network Security Group with Subnet...') subnet_obj.network_security_group = NetworkSecurityGroup(id=nsg.id) poller = network_client.subnets.create_or_update( vnet_resource_group, vnet_name, subnet_name, subnet_parameters=subnet_obj) LongRunningOperation(cli_ctx)(poller) else: nsg_id_parts = parse_resource_id(subnet_obj.network_security_group.id) nsg_name = nsg_id_parts['name'] if nsg_name.lower() != ase_nsg_name.lower(): raise CLIError('Network Security Group already exists. \ Use --ignore-network-security-group to use existing NSG. \ Use --force-network-security-group to replace existing NSG' )
def service_endpoint_completer(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx).available_endpoint_services location = namespace.location return [x.name for x in client.list(location=location)]
def subnet_completion_list(cmd, prefix, namespace, **kwargs): # pylint: disable=unused-argument client = network_client_factory(cmd.cli_ctx) if namespace.resource_group_name and namespace.virtual_network_name: rg = namespace.resource_group_name vnet = namespace.virtual_network_name return [r.name for r in client.subnets.list(resource_group_name=rg, virtual_network_name=vnet)]