def iot_dps_linked_hub_update(cmd,
client,
dps_name,
resource_group_name,
linked_hub,
apply_allocation_policy=None,
allocation_weight=None,
no_wait=False):
dps_linked_hubs = []
dps_linked_hubs.extend(
iot_dps_linked_hub_list(client, dps_name, resource_group_name))
if not _is_linked_hub_existed(dps_linked_hubs, linked_hub):
raise CLIError("Access policy {0} doesn't existed.".format(linked_hub))
for hub in dps_linked_hubs:
if hub.name == linked_hub:
if apply_allocation_policy is not None:
hub.apply_allocation_policy = apply_allocation_policy
if allocation_weight is not None:
hub.allocation_weight = allocation_weight
dps = iot_dps_get(client, dps_name, resource_group_name)
dps_property = IotDpsPropertiesDescription(
None, None, dps_linked_hubs, dps.properties.allocation_policy,
dps.properties.authorization_policies)
dps_description = ProvisioningServiceDescription(dps.location,
dps_property, dps.sku)
if no_wait:
return client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description)
LongRunningOperation(cmd.cli_ctx)(client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description))
return iot_dps_linked_hub_get(client, dps_name, resource_group_name,
linked_hub)
def iot_dps_linked_hub_delete(cmd,
client,
dps_name,
resource_group_name,
linked_hub,
no_wait=False):
dps_linked_hubs = []
dps_linked_hubs.extend(
iot_dps_linked_hub_list(client, dps_name, resource_group_name))
if not _is_linked_hub_existed(dps_linked_hubs, linked_hub):
raise CLIError("Linked hub {0} doesn't existed.".format(linked_hub))
updated_hub = [
p for p in dps_linked_hubs if p.name.lower() != linked_hub.lower()
]
dps = iot_dps_get(client, dps_name, resource_group_name)
dps_property = IotDpsPropertiesDescription(
None, None, updated_hub, dps.properties.allocation_policy,
dps.properties.authorization_policies)
dps_description = ProvisioningServiceDescription(dps.location,
dps_property, dps.sku)
if no_wait:
return client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description)
LongRunningOperation(cmd.cli_ctx)(client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description))
return iot_dps_linked_hub_list(client, dps_name, resource_group_name)
def iot_dps_access_policy_delete(cmd,
client,
dps_name,
resource_group_name,
access_policy_name,
no_wait=False):
dps_access_policies = []
dps_access_policies.extend(
iot_dps_access_policy_list(client, dps_name, resource_group_name))
if not _is_policy_existed(dps_access_policies, access_policy_name):
raise CLIError(
"Access policy {0} doesn't existed.".format(access_policy_name))
updated_policies = [
p for p in dps_access_policies
if p.key_name.lower() != access_policy_name.lower()
]
dps = iot_dps_get(client, dps_name, resource_group_name)
dps_property = IotDpsPropertiesDescription(
None, None, dps.properties.iot_hubs, dps.properties.allocation_policy,
updated_policies)
dps_description = ProvisioningServiceDescription(dps.location,
dps_property, dps.sku)
if no_wait:
return client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description)
LongRunningOperation(cmd.cli_ctx)(client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description))
return iot_dps_access_policy_list(client, dps_name, resource_group_name)
def iot_dps_linked_hub_create(cmd,
client,
dps_name,
resource_group_name,
connection_string,
location,
apply_allocation_policy=None,
allocation_weight=None,
no_wait=False):
dps_linked_hubs = []
dps_linked_hubs.extend(
iot_dps_linked_hub_list(client, dps_name, resource_group_name))
dps_linked_hubs.append(
IotHubDefinitionDescription(connection_string, location,
apply_allocation_policy,
allocation_weight))
dps = iot_dps_get(client, dps_name, resource_group_name)
dps_property = IotDpsPropertiesDescription(
None, None, dps_linked_hubs, dps.properties.allocation_policy,
dps.properties.authorization_policies)
dps_description = ProvisioningServiceDescription(dps.location,
dps_property, dps.sku)
if no_wait:
return client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description)
LongRunningOperation(cmd.cli_ctx)(client.iot_dps_resource.create_or_update(
resource_group_name, dps_name, dps_description))
return iot_dps_linked_hub_list(client, dps_name, resource_group_name)
def acr_task_credential_update(cmd,
client,
task_name,
registry_name,
login_server,
username=None,
password=None,
use_identity=None,
resource_group_name=None):
_, resource_group_name = validate_managed_registry(cmd, registry_name,
resource_group_name,
TASK_NOT_SUPPORTED)
existingCreds = client.get_details(resource_group_name, registry_name,
task_name).credentials
existingCreds = {} if not existingCreds else existingCreds.custom_registries
if login_server not in existingCreds:
raise CLIError("Login server '{}' not found.".format(login_server))
TaskUpdateParameters = cmd.get_models('TaskUpdateParameters')
taskUpdateParameters = TaskUpdateParameters(
credentials=get_custom_registry_credentials(cmd=cmd,
login_server=login_server,
username=username,
password=password,
identity=use_identity))
resp = LongRunningOperation(cmd.cli_ctx)(client.update(
resource_group_name, registry_name, task_name, taskUpdateParameters))
resp = resp.credentials
return {} if not resp else resp.custom_registries
def _update_repo_permissions(cmd,
resource_group_name,
registry_name,
connected_registry,
add_actions_set,
remove_actions_set,
msg=None,
description=None):
scope_map_client = cf_acr_scope_maps(cmd.cli_ctx)
sync_token = get_token_from_id(
cmd, connected_registry.parent.sync_properties.token_id)
sync_scope_map = get_scope_map_from_id(cmd, sync_token.scope_map_id)
sync_scope_map_name = sync_scope_map.name
current_actions_set = set(sync_scope_map.actions)
final_actions_set = current_actions_set.union(add_actions_set).difference(
remove_actions_set)
if final_actions_set == current_actions_set:
return None
current_actions = list(final_actions_set)
logger.warning(msg)
ScopeMapUpdateParameters = cmd.get_models('ScopeMapUpdateParameters')
scope_map_update_parameters = ScopeMapUpdateParameters(
description=description, actions=current_actions)
poller = scope_map_client.begin_update(resource_group_name, registry_name,
sync_scope_map_name,
scope_map_update_parameters)
return LongRunningOperation(cmd.cli_ctx)(poller)
def add_vpn_server_config_ipsec_policy(cmd,
resource_group_name,
vpn_server_configuration_name,
sa_life_time_seconds,
sa_data_size_kilobytes,
ipsec_encryption,
ipsec_integrity,
ike_encryption,
ike_integrity,
dh_group,
pfs_group,
no_wait=False):
client = network_client_factory(cmd.cli_ctx).vpn_server_configurations
IpsecPolicy = cmd.get_models('IpsecPolicy')
vpn_server_config = client.get(resource_group_name,
vpn_server_configuration_name)
vpn_server_config.vpn_client_ipsec_policies.append(
IpsecPolicy(sa_life_time_seconds=sa_life_time_seconds,
sa_data_size_kilobytes=sa_data_size_kilobytes,
ipsec_encryption=ipsec_encryption,
ipsec_integrity=ipsec_integrity,
ike_encryption=ike_encryption,
ike_integrity=ike_integrity,
dh_group=dh_group,
pfs_group=pfs_group))
poller = sdk_no_wait(no_wait, client.create_or_update, resource_group_name,
vpn_server_configuration_name, vpn_server_config)
if no_wait:
return poller
from azure.cli.core.commands import LongRunningOperation
return LongRunningOperation(cmd.cli_ctx)(poller).vpn_client_ipsec_policies
def _ensure_subnet_service_endpoint(cli_ctx, subnet_id):
from msrestazure.tools import parse_resource_id
subnet_id_parts = parse_resource_id(subnet_id)
subnet_resource_group = subnet_id_parts['resource_group']
subnet_vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
vnet_client = network_client_factory(cli_ctx,
api_version=NETWORK_API_VERSION)
subnet_obj = vnet_client.subnets.get(subnet_resource_group,
subnet_vnet_name, subnet_name)
subnet_obj.service_endpoints = subnet_obj.service_endpoints or []
service_endpoint_exists = False
for s in subnet_obj.service_endpoints:
if s.service == "Microsoft.Web":
service_endpoint_exists = True
break
if not service_endpoint_exists:
web_service_endpoint = ServiceEndpointPropertiesFormat(
service="Microsoft.Web")
subnet_obj.service_endpoints.append(web_service_endpoint)
poller = vnet_client.subnets.create_or_update(
subnet_resource_group,
subnet_vnet_name,
subnet_name,
subnet_parameters=subnet_obj)
# Ensure subnet is updated to avoid update conflict
LongRunningOperation(cli_ctx)(poller)
def _ensure_ase_private_dns_zone(cli_ctx, resource_group_name, name,
inbound_vnet_id, inbound_ip_address):
# Private DNS Zone
private_dns_client = _get_private_dns_client_factory(cli_ctx)
zone_name = '{}.appserviceenvironment.net'.format(name)
zone = PrivateZone(location='global', tags=None)
poller = private_dns_client.private_zones.begin_create_or_update(
resource_group_name, zone_name, zone)
LongRunningOperation(cli_ctx)(poller)
link_name = '{}_link'.format(name)
link = VirtualNetworkLink(location='global', tags=None)
link.virtual_network = SubResource(id=inbound_vnet_id)
link.registration_enabled = False
private_dns_client.virtual_network_links.begin_create_or_update(
resource_group_name, zone_name, link_name, link, if_none_match='*')
ase_record = ARecord(ipv4_address=inbound_ip_address)
record_set = RecordSet(ttl=3600)
record_set.a_records = [ase_record]
private_dns_client.record_sets.create_or_update(resource_group_name,
zone_name, 'a', '*',
record_set)
private_dns_client.record_sets.create_or_update(resource_group_name,
zone_name, 'a', '@',
record_set)
private_dns_client.record_sets.create_or_update(resource_group_name,
zone_name, 'a', '*.scm',
record_set)
def _create_nsg_rule(cli_ctx,
resource_group_name,
network_security_group_name,
security_rule_name,
priority,
description=None,
protocol=None,
access=None,
direction=None,
source_port_range='*',
source_address_prefix='*',
destination_port_range=80,
destination_address_prefix='*'):
settings = SecurityRule(
protocol=protocol,
source_address_prefix=source_address_prefix,
destination_address_prefix=destination_address_prefix,
access=access,
direction=direction,
description=description,
source_port_range=source_port_range,
destination_port_range=destination_port_range,
priority=priority,
name=security_rule_name)
network_client = _get_network_client_factory(cli_ctx)
poller = network_client.security_rules.begin_create_or_update(
resource_group_name, network_security_group_name, security_rule_name,
settings)
LongRunningOperation(cli_ctx)(poller)
def _ensure_subnet_delegation(cli_ctx, subnet_id, delegation_service_name):
network_client = _get_network_client_factory(cli_ctx)
subnet_id_parts = parse_resource_id(subnet_id)
vnet_resource_group = subnet_id_parts['resource_group']
vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name,
subnet_name)
delegations = subnet_obj.delegations
delegated = False
for d in delegations:
if d.service_name.lower() == delegation_service_name.lower():
delegated = True
if not delegated:
subnet_obj.delegations = [
Delegation(name="delegation", service_name=delegation_service_name)
]
try:
poller = network_client.subnets.begin_create_or_update(
vnet_resource_group,
vnet_name,
subnet_name,
subnet_parameters=subnet_obj)
LongRunningOperation(cli_ctx)(poller)
except Exception:
err_msg = 'Subnet must be delegated to {}.'.format(
delegation_service_name)
rec_msg = 'Use: az network vnet subnet update --delegations "{}"'.format(
delegation_service_name)
validation_error = ValidationError(err_msg)
validation_error.set_recommendation(rec_msg)
raise validation_error
def acr_build_task_run(
cmd,
client, # cf_acr_builds
build_task_name,
registry_name,
no_format=False,
no_logs=False,
resource_group_name=None):
_, resource_group_name = validate_managed_registry(
cmd.cli_ctx, registry_name, resource_group_name,
BUILD_TASKS_NOT_SUPPORTED)
from ._client_factory import cf_acr_registries_builds
client_registries = cf_acr_registries_builds(cmd.cli_ctx)
queued_build = LongRunningOperation(cmd.cli_ctx)(
client_registries.queue_build(
resource_group_name, registry_name,
BuildTaskBuildRequest(build_task_name=build_task_name)))
build_id = queued_build.build_id
logger.warning("Queued a build with ID: %s", build_id)
logger.warning("Waiting for agent...")
if no_logs:
return get_build_with_polling(client, build_id, registry_name,
resource_group_name)
return stream_logs(client, build_id, registry_name, resource_group_name,
no_format, True)
def _ensure_subnet_private_endpoint_network_policy(cli_ctx, subnet_id,
network_policy_enabled):
network_client = _get_network_client_factory(cli_ctx)
subnet_id_parts = parse_resource_id(subnet_id)
vnet_resource_group = subnet_id_parts['resource_group']
vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name,
subnet_name)
target_state = 'Enabled' if network_policy_enabled else 'Disabled'
if subnet_obj.private_endpoint_network_policies != target_state:
subnet_obj.private_endpoint_network_policies = target_state
try:
poller = network_client.subnets.begin_create_or_update(
vnet_resource_group,
vnet_name,
subnet_name,
subnet_parameters=subnet_obj)
LongRunningOperation(cli_ctx)(poller)
except Exception:
err_msg = 'Subnet must have Private Endpoint Network Policy {}.'.format(
target_state)
rec_msg = 'Use: az network vnet subnet update --disable-private-endpoint-network-policies'
validation_error = ValidationError(err_msg)
validation_error.set_recommendation(rec_msg)
raise validation_error
def acr_create(cmd,
client,
registry_name,
resource_group_name,
sku,
location=None,
storage_account_name=None,
admin_enabled='false',
deployment_name=None):
if sku == SkuName.basic.value and storage_account_name:
raise CLIError(
"Please specify '--sku Basic' without providing an existing storage account "
"to create a managed registry, or specify '--sku Classic --storage-account-name {}' "
"to create a Classic registry using storage account `{}`.".format(
storage_account_name, storage_account_name))
admin_user_enabled = admin_enabled == 'true'
if sku == SkuName.classic.value:
logger.warning(
"Due to the planned deprecation of the Classic registry SKU, we recommend using "
"Basic, Standard, or Premium for all new registries. See https://aka.ms/acr/skus for details."
)
if storage_account_name is None:
storage_account_name = random_storage_account_name(
cmd.cli_ctx, registry_name)
logger.warning(
"A new storage account '%s' will be created in resource group '%s'.",
storage_account_name, resource_group_name)
LongRunningOperation(cmd.cli_ctx)(arm_deploy_template_new_storage(
cmd.cli_ctx, resource_group_name, registry_name, location, sku,
storage_account_name, admin_user_enabled, deployment_name))
else:
LongRunningOperation(
cmd.cli_ctx)(arm_deploy_template_existing_storage(
cmd.cli_ctx, resource_group_name, registry_name, location,
sku, storage_account_name, admin_user_enabled,
deployment_name))
else:
if storage_account_name:
logger.warning(
"The registry '%s' in '%s' SKU is a managed registry. The specified storage account will be ignored.",
registry_name, sku)
LongRunningOperation(cmd.cli_ctx)(arm_deploy_template_managed_storage(
cmd.cli_ctx, resource_group_name, registry_name, location, sku,
admin_user_enabled, deployment_name))
return client.get(resource_group_name, registry_name)
def update_service(cmd,
client,
resource_group_name,
cluster_name,
application_name,
service_name,
default_move_cost=None,
placement_constraints=None,
target_replica_set_size=None,
min_replica_set_size=None,
service_placement_time_limit=None,
stand_by_replica_keep_duration=None,
quorum_loss_wait_duration=None,
replica_restart_wait_duration=None,
instance_count=None,
min_instance_count=None,
min_instance_percentage=None,
tags=None):
try:
currentService = client.services.get(resource_group_name, cluster_name,
application_name, service_name)
state = currentService.properties.service_kind
logger.info("Updating service '%s'", service_name)
if tags:
currentService.tags = tags
if state.lower() == ServiceKind.STATELESS.lower():
if instance_count is not None:
currentService.properties.instance_count = instance_count
currentService.properties = _set_stateless_service_properties(
currentService.properties, min_instance_count,
min_instance_percentage)
elif state.lower() == ServiceKind.STATEFUL.lower():
if min_replica_set_size is not None:
currentService.properties.min_replica_set_size = min_replica_set_size
if target_replica_set_size is not None:
currentService.properties.target_replica_set_size = target_replica_set_size
currentService.properties = _set_stateful_service_properties(
currentService.properties, None, service_placement_time_limit,
stand_by_replica_keep_duration, quorum_loss_wait_duration,
replica_restart_wait_duration)
else:
raise InvalidArgumentValueError(
"Invalid --state '%s': service state is not valid." % state)
if default_move_cost is not None:
currentService.properties.default_move_cost = default_move_cost
if placement_constraints is not None:
currentService.properties.placement_constraints = placement_constraints
poller = client.services.begin_create_or_update(
resource_group_name, cluster_name, application_name, service_name,
currentService)
return LongRunningOperation(cmd.cli_ctx)(poller)
except HttpResponseError as ex:
logger.error("HttpResponseError: %s", ex)
raise
def _ensure_route_table(cli_ctx, resource_group_name, ase_name, location, subnet_id, force):
subnet_id_parts = parse_resource_id(subnet_id)
vnet_resource_group = subnet_id_parts['resource_group']
vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
ase_route_table_name = ase_name + '-Route-Table'
ase_route_name = ase_name + '-route'
network_client = _get_network_client_factory(cli_ctx)
subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name, subnet_name)
if subnet_obj.route_table is None or force:
rt_list = network_client.route_tables.list(resource_group_name)
rt_found = False
for rt in list(rt_list):
if rt.name.lower() == ase_route_table_name.lower():
rt_found = True
break
if not rt_found:
logger.info('Ensure Route Table...')
ase_route_table = RouteTable(location=location)
poller = network_client.route_tables.begin_create_or_update(resource_group_name,
ase_route_table_name, ase_route_table)
LongRunningOperation(cli_ctx)(poller)
logger.info('Ensure Internet Route...')
internet_route = Route(address_prefix='0.0.0.0/0', next_hop_type='Internet')
poller = network_client.routes.begin_create_or_update(resource_group_name, ase_route_table_name,
ase_route_name, internet_route)
LongRunningOperation(cli_ctx)(poller)
rt = network_client.route_tables.get(resource_group_name, ase_route_table_name)
if not subnet_obj.route_table or subnet_obj.route_table.id != rt.id:
logger.info('Associate Route Table with Subnet...')
subnet_obj.route_table = rt
poller = network_client.subnets.begin_create_or_update(
vnet_resource_group, vnet_name,
subnet_name, subnet_parameters=subnet_obj)
LongRunningOperation(cli_ctx)(poller)
else:
route_table_id_parts = parse_resource_id(subnet_obj.route_table.id)
rt_name = route_table_id_parts['name']
if rt_name.lower() != ase_route_table_name.lower():
raise CLIError('Route table already exists. \
Use --ignore-route-table to use existing route table. \
Use --force-route-table to replace existing route table')
def acr_create(cmd,
client,
registry_name,
resource_group_name,
sku,
location=None,
admin_enabled=False,
default_action=None,
workspace=None,
identity=None,
key_encryption_key=None,
public_network_enabled=None,
zone_redundancy=None,
tags=None):
if default_action and sku not in get_premium_sku(cmd):
raise CLIError(NETWORK_RULE_NOT_SUPPORTED)
if sku not in get_managed_sku(cmd):
raise CLIError(
"Classic SKU is no longer supported. Please select a managed SKU.")
Registry, Sku, NetworkRuleSet = cmd.get_models('Registry', 'Sku',
'NetworkRuleSet')
registry = Registry(location=location,
sku=Sku(name=sku),
admin_user_enabled=admin_enabled,
zone_redundancy=zone_redundancy,
tags=tags)
if default_action:
registry.network_rule_set = NetworkRuleSet(
default_action=default_action)
if public_network_enabled is not None:
_configure_public_network_access(cmd, registry, public_network_enabled)
if identity or key_encryption_key:
_configure_cmk(cmd, registry, resource_group_name, identity,
key_encryption_key)
lro_poller = client.create(resource_group_name, registry_name, registry)
if workspace:
from msrestazure.tools import is_valid_resource_id, resource_id
from azure.cli.core.commands import LongRunningOperation
from azure.cli.core.commands.client_factory import get_subscription_id
acr = LongRunningOperation(cmd.cli_ctx)(lro_poller)
if not is_valid_resource_id(workspace):
workspace = resource_id(subscription=get_subscription_id(
cmd.cli_ctx),
resource_group=resource_group_name,
namespace='microsoft.OperationalInsights',
type='workspaces',
name=workspace)
_create_diagnostic_settings(cmd.cli_ctx, acr, workspace)
return acr
return lro_poller
def _generate_log_analytics_if_not_provided(cmd, logs_customer_id, logs_key, location, resource_group_name):
if logs_customer_id is None and logs_key is None:
logger.warning("No Log Analytics workspace provided.")
_validate_subscription_registered(cmd, LOG_ANALYTICS_RP)
try:
log_analytics_client = log_analytics_client_factory(cmd.cli_ctx)
log_analytics_shared_key_client = log_analytics_shared_key_client_factory(cmd.cli_ctx)
log_analytics_location = location
try:
_ensure_location_allowed(cmd, log_analytics_location, LOG_ANALYTICS_RP, "workspaces")
except Exception: # pylint: disable=broad-except
log_analytics_location = _get_default_log_analytics_location(cmd)
from azure.cli.core.commands import LongRunningOperation
from azure.mgmt.loganalytics.models import Workspace
workspace_name = _generate_log_analytics_workspace_name(resource_group_name)
workspace_instance = Workspace(location=log_analytics_location)
logger.warning("Generating a Log Analytics workspace with name \"{}\"".format(workspace_name)) # pylint: disable=logging-format-interpolation
poller = log_analytics_client.begin_create_or_update(resource_group_name, workspace_name, workspace_instance)
log_analytics_workspace = LongRunningOperation(cmd.cli_ctx)(poller)
logs_customer_id = log_analytics_workspace.customer_id
logs_key = log_analytics_shared_key_client.get_shared_keys(
workspace_name=workspace_name,
resource_group_name=resource_group_name).primary_shared_key
except Exception as ex:
raise ValidationError("Unable to generate a Log Analytics workspace. You can use \"az monitor log-analytics workspace create\" to create one and supply --logs-customer-id and --logs-key") from ex
elif logs_customer_id is None:
raise ValidationError("Usage error: Supply the --logs-customer-id associated with the --logs-key")
elif logs_key is None: # Try finding the logs-key
log_analytics_client = log_analytics_client_factory(cmd.cli_ctx)
log_analytics_shared_key_client = log_analytics_shared_key_client_factory(cmd.cli_ctx)
log_analytics_name = None
log_analytics_rg = None
log_analytics = log_analytics_client.list()
for la in log_analytics:
if la.customer_id and la.customer_id.lower() == logs_customer_id.lower():
log_analytics_name = la.name
parsed_la = parse_resource_id(la.id)
log_analytics_rg = parsed_la['resource_group']
if log_analytics_name is None:
raise ValidationError('Usage error: Supply the --logs-key associated with the --logs-customer-id')
shared_keys = log_analytics_shared_key_client.get_shared_keys(workspace_name=log_analytics_name, resource_group_name=log_analytics_rg)
if not shared_keys or not shared_keys.primary_shared_key:
raise ValidationError('Usage error: Supply the --logs-key associated with the --logs-customer-id')
logs_key = shared_keys.primary_shared_key
return logs_customer_id, logs_key
def acr_token_create(cmd,
client,
registry_name,
token_name,
scope_map_name=None,
repository_actions_list=None,
gateway_actions_list=None,
status=None,
resource_group_name=None,
no_passwords=None,
expiration=None,
expiration_in_days=None):
from knack.log import get_logger
from ._utils import get_resource_id_by_registry_name
if (bool(repository_actions_list)
or bool(gateway_actions_list)) == bool(scope_map_name):
raise CLIError(
"usage error: can't use --scope-map and --repository | --gateway")
if no_passwords and (expiration_in_days is not None
or expiration is not None):
raise CLIError(
"usage error: --no-passwords and expiration arguments are mutually exclusive."
)
if expiration_in_days is not None and expiration is not None:
raise CLIError(
"usage error: --expiration and --expiration-in-days are mutually exclusive."
)
resource_group_name = get_resource_group_name_by_registry_name(
cmd.cli_ctx, registry_name, resource_group_name)
logger = get_logger(__name__)
if repository_actions_list or gateway_actions_list:
scope_map_id = create_default_scope_map(
cmd, resource_group_name, registry_name,
DEFAULT_SCOPE_MAP_NAME.format(token_name), repository_actions_list,
gateway_actions_list, "Created by token: {}".format(token_name)).id
else:
arm_resource_id = get_resource_id_by_registry_name(
cmd.cli_ctx, registry_name)
scope_map_id = '{}/{}/{}'.format(arm_resource_id, SCOPE_MAPS,
scope_map_name)
Token = cmd.get_models('Token')
poller = client.begin_create(
resource_group_name, registry_name, token_name,
Token(scope_map_id=scope_map_id, status=status))
if no_passwords:
return poller
token = LongRunningOperation(cmd.cli_ctx)(poller)
_create_default_passwords(cmd, resource_group_name, registry_name, token,
logger, expiration_in_days, expiration)
return token
def _execute_command(kwargs):
from msrest.paging import Paged
from msrest.exceptions import ValidationError, ClientRequestError
from msrestazure.azure_operation import AzureOperationPoller
from azure.cli.core._profile import Profile
from azure.cli.command_modules.keyvault.keyvaultclient import \
(KeyVaultClient, KeyVaultAuthentication)
from azure.cli.command_modules.keyvault.keyvaultclient.generated import \
(KeyVaultClient as BaseKeyVaultClient)
from azure.cli.command_modules.keyvault.keyvaultclient.generated.models import \
(KeyVaultErrorException)
try:
def get_token(server, resource, scope): # pylint: disable=unused-argument
return Profile().get_login_credentials(
resource)[0]._token_retriever() # pylint: disable=protected-access
op = get_op_handler(operation)
# since the convenience client can be inconvenient, we have to check and create the
# correct client version
if 'generated' in op.__module__:
client = BaseKeyVaultClient(KeyVaultAuthentication(get_token))
else:
client = KeyVaultClient(KeyVaultAuthentication(get_token)) # pylint: disable=redefined-variable-type
result = op(client, **kwargs)
# apply results transform if specified
if transform_result:
return _encode_hex(transform_result(result))
# otherwise handle based on return type of results
if isinstance(result, AzureOperationPoller):
return _encode_hex(
LongRunningOperation('Starting {}'.format(name))(result))
elif isinstance(result, Paged):
try:
return _encode_hex(list(result))
except TypeError:
# TODO: Workaround for an issue in either KeyVault server-side or msrest
# See https://github.com/Azure/autorest/issues/1309
return []
else:
return _encode_hex(result)
except (ValidationError, KeyVaultErrorException) as ex:
try:
raise CLIError(ex.inner_exception.error.message)
except AttributeError:
raise CLIError(ex)
except ClientRequestError as ex:
if 'Failed to establish a new connection' in str(
ex.inner_exception):
raise CLIError(
'Max retries exceeded attempting to connect to vault. '
'The vault may not exist or you may need to flush your DNS cache '
'and try again later.')
raise CLIError(ex)
def reset(cmd, client, resource_group_name, account_name, live_event_name,
no_wait=False):
if no_wait:
return sdk_no_wait(no_wait, client.reset, resource_group_name, account_name, live_event_name)
LongRunningOperation(cmd.cli_ctx)(client.reset(resource_group_name, account_name, live_event_name))
return client.get(resource_group_name, account_name, live_event_name)
def _deploy_arm_template_core(cmd,
resource_group_name,
template,
parameters,
deployment_name=None,
mode='incremental',
validate_only=False,
no_wait=False):
DeploymentProperties = cmd.get_models(
'DeploymentProperties',
resource_type=ResourceType.MGMT_RESOURCE_RESOURCES)
properties = DeploymentProperties(template=template,
template_link=None,
parameters=parameters,
mode=mode)
client = resource_client_factory(cmd.cli_ctx)
if cmd.supported_api_version(
min_api='2019-10-01',
resource_type=ResourceType.MGMT_RESOURCE_RESOURCES):
Deployment = cmd.get_models(
'Deployment', resource_type=ResourceType.MGMT_RESOURCE_RESOURCES)
deployment = Deployment(properties=properties)
if validate_only:
deploy_poll = sdk_no_wait(no_wait, client.deployments.validate,
resource_group_name, deployment_name,
deployment)
else:
deploy_poll = sdk_no_wait(no_wait,
client.deployments.create_or_update,
resource_group_name, deployment_name,
deployment)
return LongRunningOperation(cmd.cli_ctx)(deploy_poll)
if validate_only:
deploy_poll = sdk_no_wait(no_wait, client.deployments.validate,
resource_group_name, deployment_name,
properties)
else:
deploy_poll = sdk_no_wait(no_wait, client.deployments.create_or_update,
resource_group_name, deployment_name,
properties)
return LongRunningOperation(cmd.cli_ctx)(deploy_poll)
def decrypt_vmss(resource_group_name,
vmss_name,
volume_type=None,
force=False):
from azure.cli.core.profiles import get_sdk, ResourceType
UpgradeMode, VirtualMachineScaleSetExtension = get_sdk(
ResourceType.MGMT_COMPUTE,
'UpgradeMode',
'VirtualMachineScaleSetExtension',
mod='models',
operation_group='virtual_machine_scale_sets')
compute_client = _compute_client_factory()
vmss = compute_client.virtual_machine_scale_sets.get(
resource_group_name, vmss_name)
os_type = 'Linux' if vmss.virtual_machine_profile.os_profile.linux_configuration else 'Windows'
is_linux = _is_linux_vm(os_type)
extension = vmss_extension_info[os_type]
# 1. be nice, figure out the default volume type
volume_type = _handles_default_volume_type_for_vmss_encryption(
is_linux, volume_type, force)
# 2. update the disk encryption extension
public_config = {
'VolumeType': volume_type,
'EncryptionOperation': 'DisableEncryption',
}
ext = VirtualMachineScaleSetExtension(
name=extension['name'],
publisher=extension['publisher'],
type=extension['name'],
type_handler_version=extension['version'],
settings=public_config,
auto_upgrade_minor_version=True,
force_update_tag=uuid.uuid4())
if (not vmss.virtual_machine_profile.extension_profile
or not vmss.virtual_machine_profile.extension_profile.extensions):
extensions = []
else:
extensions = vmss.virtual_machine_profile.extension_profile.extensions
ade_extension = [x for x in extensions if
x.type.lower() == extension['name'].lower() and x.publisher.lower() == extension['publisher'].lower()] # pylint: disable=line-too-long
if not ade_extension:
raise CLIError("VM scale set '{}' was not encrypted".format(vmss_name))
index = vmss.virtual_machine_profile.extension_profile.extensions.index(
ade_extension[0])
vmss.virtual_machine_profile.extension_profile.extensions[index] = ext
poller = compute_client.virtual_machine_scale_sets.create_or_update(
resource_group_name, vmss_name, vmss)
LongRunningOperation()(poller)
_show_post_action_message(resource_group_name, vmss.name,
vmss.upgrade_policy.mode == UpgradeMode.manual,
False)
def decrypt_vmss(cmd,
resource_group_name,
vmss_name,
volume_type=None,
force=False):
UpgradeMode, VirtualMachineScaleSetExtension = cmd.get_models(
'UpgradeMode', 'VirtualMachineScaleSetExtension')
compute_client = _compute_client_factory(cmd.cli_ctx)
vmss = compute_client.virtual_machine_scale_sets.get(
resource_group_name, vmss_name)
is_linux = _is_linux_os(vmss.virtual_machine_profile)
extension = vm_extension_info['Linux' if is_linux else 'Windows']
# 1. be nice, figure out the default volume type
volume_type = _handles_default_volume_type_for_vmss_encryption(
is_linux, volume_type, force)
# 2. update the disk encryption extension
public_config = {
'VolumeType': volume_type,
'EncryptionOperation': 'DisableEncryption',
}
ext = VirtualMachineScaleSetExtension(
name=extension['name'],
publisher=extension['publisher'],
type_properties_type=extension['name'],
type_handler_version=extension['version'],
settings=public_config,
auto_upgrade_minor_version=True,
force_update_tag=uuid.uuid4())
if (not vmss.virtual_machine_profile.extension_profile
or not vmss.virtual_machine_profile.extension_profile.extensions):
extensions = []
else:
extensions = vmss.virtual_machine_profile.extension_profile.extensions
ade_extension = [x for x in extensions if
x.type_properties_type.lower() == extension['name'].lower() and x.publisher.lower() == extension['publisher'].lower()] # pylint: disable=line-too-long
if not ade_extension:
from knack.util import CLIError
raise CLIError("VM scale set '{}' was not encrypted".format(vmss_name))
index = vmss.virtual_machine_profile.extension_profile.extensions.index(
ade_extension[0])
vmss.virtual_machine_profile.extension_profile.extensions[index] = ext
# Avoid unnecessary permission error
vmss.virtual_machine_profile.storage_profile.image_reference = None
poller = compute_client.virtual_machine_scale_sets.begin_create_or_update(
resource_group_name, vmss_name, vmss)
LongRunningOperation(cmd.cli_ctx)(poller)
_show_post_action_message(resource_group_name, vmss.name,
vmss.upgrade_policy.mode == UpgradeMode.manual,
False)
def stop(cmd, client, resource_group_name, account_name,
streaming_endpoint_name, no_wait=False):
if no_wait:
return sdk_no_wait(no_wait, client.begin_stop, resource_group_name, account_name,
streaming_endpoint_name)
LongRunningOperation(cmd.cli_ctx)(client.begin_stop(resource_group_name, account_name,
streaming_endpoint_name))
return client.get(resource_group_name, account_name, streaming_endpoint_name)
def _ensure_network_security_group(cli_ctx, resource_group_name, ase_name, location, subnet_id, force):
subnet_id_parts = parse_resource_id(subnet_id)
vnet_resource_group = subnet_id_parts['resource_group']
vnet_name = subnet_id_parts['name']
subnet_name = subnet_id_parts['resource_name']
ase_nsg_name = ase_name + '-NSG'
network_client = _get_network_client_factory(cli_ctx)
subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name, subnet_name)
subnet_address_prefix = subnet_obj.address_prefix
if subnet_obj.network_security_group is None or force:
nsg_list = network_client.network_security_groups.list(resource_group_name)
nsg_found = False
for nsg in list(nsg_list):
if nsg.name.lower() == ase_nsg_name.lower():
nsg_found = True
break
if not nsg_found:
logger.info('Ensure Network Security Group...')
ase_nsg = NetworkSecurityGroup(location=location)
poller = network_client.network_security_groups.begin_create_or_update(resource_group_name,
ase_nsg_name, ase_nsg)
LongRunningOperation(cli_ctx)(poller)
_create_asev2_nsg_rules(cli_ctx, resource_group_name, ase_nsg_name, subnet_address_prefix)
nsg = network_client.network_security_groups.get(resource_group_name, ase_nsg_name)
if not subnet_obj.network_security_group or subnet_obj.network_security_group.id != nsg.id:
logger.info('Associate Network Security Group with Subnet...')
subnet_obj.network_security_group = NetworkSecurityGroup(id=nsg.id)
poller = network_client.subnets.begin_create_or_update(
vnet_resource_group, vnet_name, subnet_name, subnet_parameters=subnet_obj)
LongRunningOperation(cli_ctx)(poller)
else:
nsg_id_parts = parse_resource_id(subnet_obj.network_security_group.id)
nsg_name = nsg_id_parts['name']
if nsg_name.lower() != ase_nsg_name.lower():
err_msg = 'Network Security Group already exists.'
rec_msg = 'Use --ignore-network-security-group to use existing NSG ' \
'or --force-network-security-group to replace existing NSG'
validation_error = ValidationError(err_msg, rec_msg)
raise validation_error
def _deploy_arm_template_core(cli_ctx, resource_group_name, deployment_name, template, parameters):
from azure.mgmt.resource.resources.models import DeploymentProperties
from azure.cli.core.commands import LongRunningOperation
properties = DeploymentProperties(template=template, parameters=parameters, mode='incremental')
client = resource_client_factory(cli_ctx)
deploy_poll = client.deployments.create_or_update(resource_group_name, deployment_name, properties, raw=False)
result = LongRunningOperation(cli_ctx)(deploy_poll)
return result
def sqlvm_aglistener_create(client,
cmd,
availability_group_listener_name,
sql_virtual_machine_group_name,
resource_group_name,
availability_group_name,
ip_address,
subnet_resource_id,
load_balancer_resource_id,
probe_port,
sql_virtual_machine_instances,
port=1433,
public_ip_address_resource_id=None):
'''
Creates an availability group listener
'''
if not is_valid_resource_id(subnet_resource_id):
raise CLIError("Invalid subnet resource id.")
if not is_valid_resource_id(load_balancer_resource_id):
raise CLIError("Invalid load balancer resource id.")
if public_ip_address_resource_id and not is_valid_resource_id(
public_ip_address_resource_id):
raise CLIError("Invalid public IP address resource id.")
for sqlvm in sql_virtual_machine_instances:
if not is_valid_resource_id(sqlvm):
raise CLIError("Invalid SQL virtual machine resource id.")
# Create the private ip address
private_ip_object = PrivateIPAddress(
ip_address=ip_address,
subnet_resource_id=subnet_resource_id
if is_valid_resource_id(subnet_resource_id) else None)
# Create the load balancer configurations
load_balancer_object = LoadBalancerConfiguration(
private_ip_address=private_ip_object,
public_ip_address_resource_id=public_ip_address_resource_id,
load_balancer_resource_id=load_balancer_resource_id,
probe_port=probe_port,
sql_virtual_machine_instances=sql_virtual_machine_instances)
# Create the availability group listener object
ag_listener_object = AvailabilityGroupListener(
availability_group_name=availability_group_name,
load_balancer_configurations=load_balancer_object,
port=port)
LongRunningOperation(cmd.cli_ctx)(sdk_no_wait(
False, client.create_or_update, resource_group_name,
sql_virtual_machine_group_name, availability_group_listener_name,
ag_listener_object))
return client.get(resource_group_name, sql_virtual_machine_group_name,
availability_group_listener_name)
def _get_install_info(cmd,
client,
connected_registry_name,
registry_name,
regenerate_credentials,
resource_group_name=None):
_, resource_group_name = validate_managed_registry(cmd, registry_name,
resource_group_name)
connected_registry = acr_connected_registry_show(cmd, client,
connected_registry_name,
registry_name,
resource_group_name)
parent_gateway_endpoint = connected_registry.parent.sync_properties.gateway_endpoint
if parent_gateway_endpoint is None or parent_gateway_endpoint == '':
parent_gateway_endpoint = "<parent gateway endpoint>"
parent_id = connected_registry.parent.id
# if parent_id is not none, parent is a connected registry
if parent_id:
parent_endpoint_protocol = "<http or https>"
# if parent_id is none, parent is a cloud registry
else:
parent_endpoint_protocol = "https"
sync_token_name = connected_registry.parent.sync_properties.token_id.split(
'/tokens/')[1]
connected_registry_login_server = "<Optional: connected registry login server. " + \
"More info at https://aka.ms/acr/connected-registry>"
if regenerate_credentials:
from ._client_factory import cf_acr_token_credentials
from .token import acr_token_credential_generate
cred_client = cf_acr_token_credentials(cmd.cli_ctx)
poller = acr_token_credential_generate(
cmd,
cred_client,
registry_name,
sync_token_name,
password1=True,
password2=False,
resource_group_name=resource_group_name)
credentials = LongRunningOperation(cmd.cli_ctx)(poller)
sync_username = credentials.username
sync_password = credentials.passwords[0].value
logger.warning('Please store your generated credentials safely.')
else:
sync_username = sync_token_name
sync_password = "******"
connection_string = "ConnectedRegistryName=%s;" % connected_registry_name + \
"SyncTokenName=%s;SyncTokenPassword=%s;" % (sync_username, sync_password) + \
"ParentGatewayEndpoint=%s;ParentEndpointProtocol=%s" % (parent_gateway_endpoint, parent_endpoint_protocol)
return {
"ACR_REGISTRY_CONNECTION_STRING": connection_string,
"ACR_REGISTRY_LOGIN_SERVER": connected_registry_login_server
}
def acr_create(registry_name,
resource_group_name,
sku,
location=None,
storage_account_name=None,
admin_enabled='false',
deployment_name=None):
"""Creates a container registry.
:param str registry_name: The name of container registry
:param str resource_group_name: The name of resource group
:param str sku: The SKU of the container registry
:param str location: The name of location
:param str storage_account_name: The name of storage account
:param str admin_enabled: Indicates whether the admin user is enabled
:param str deployment_name: The name of the deployment
"""
if location is None:
location = get_location_from_resource_group(resource_group_name)
client = get_acr_service_client().registries
admin_user_enabled = admin_enabled == 'true'
if storage_account_name is None:
storage_account_name = random_storage_account_name(registry_name)
LongRunningOperation()(arm_deploy_template_new_storage(
resource_group_name, registry_name, location, sku,
storage_account_name, admin_user_enabled, deployment_name))
else:
LongRunningOperation()(arm_deploy_template_existing_storage(
resource_group_name, registry_name, location, sku,
storage_account_name, admin_user_enabled, deployment_name))
registry = client.get(resource_group_name, registry_name)
logger.warning('\nCreate a new service principal and assign access:')
logger.warning(
' az ad sp create-for-rbac --scopes %s --role Owner --password <password>',
registry.id) # pylint: disable=no-member
logger.warning('\nUse an existing service principal and assign access:')
logger.warning(
' az role assignment create --scope %s --role Owner --assignee <app-id>',
registry.id) # pylint: disable=no-member
return registry
