def __init__(self, subscripid, endpoint_uri, app_id, app_secret_key):
self.region = 'eastus'
# make sure you export these four env variables before you run this code
self.subscription_id = subscripid
self.AZURE_ENDPOINT_URL = endpoint_uri
self.AZURE_APP_ID = app_id
self.AZURE_APP_SECRET = app_secret_key
# create a token, you need to get create and assign role to an application before use this module
# check Readme.md in home directory
self.auth_token = self.get_token_from_client_credentials(
endpoint=self.AZURE_ENDPOINT_URL,
client_id=self.AZURE_APP_ID,
client_secret=self.AZURE_APP_SECRET)
# create a cred using the token
self.creds = SubscriptionCloudCredentials(self.subscription_id,
self.auth_token)
# now it is the time to manage the resource
self.compute_client = azure.mgmt.compute.ComputeManagementClient(
self.creds)
self.network_client = azure.mgmt.network.NetworkResourceProviderClient(
self.creds)
self.resource_client = azure.mgmt.resource.ResourceManagementClient(
self.creds)
def check_quota(subscription_id, tenant, client_id, secret, location,
numofcores):
from azure.mgmt.common import SubscriptionCloudCredentials
endpoint = "https://login.microsoftonline.com/{0}/oauth2/token".format(
tenant)
token = get_token_from_client_credentials(endpoint, client_id, secret)
creds = SubscriptionCloudCredentials(subscription_id, token)
from azure.mgmt.compute import ComputeManagementClient
compute_client = ComputeManagementClient(creds)
usage_paged = compute_client.usage.list(location).usages
core_usage = [
usage for usage in usage_paged if usage.name.value == 'cores'
]
available_cores = core_usage[0].limit - core_usage[0].current_value
print "Current Cores %d Current Limit %d Available Cores %d Requested Cores %d" % (
core_usage[0].current_value, core_usage[0].limit, available_cores,
numofcores)
print "###QUOTACHECK###"
if numofcores > available_cores:
print "CRITICAL Insufficient Quota, PCF will NOT deploy"
sys.exit(0)
else:
print "Subscription Has Enough Quota"
def create_mgmt_client(self, client_class):
creds = SubscriptionCloudCredentials(
self.settings.SUBSCRIPTION_ID,
self.settings.get_token(),
)
client = client_class(creds)
if self.is_playback():
client.long_running_operation_initial_timeout = 0
client.long_running_operation_retry_timeout = 0
return client
def get_azure_creds(module):
# management_cert_path = module.params.get('management_cert_path')
# if not management_cert_path:
# management_cert_path = os.environ.get('AZURE_CERT_PATH', None)
# if not management_cert_path:
# module.fail_json(msg="No management_cert_path provided. Please set 'AZURE_CERT_PATH' or use the 'management_cert_path' parameter")
client_id = module.params.get('client_id')
if not client_id:
client_id = os.environ.get('AZRUE_CLIENT_ID', None)
if not client_id:
module.fail_json(
msg=
"No azure_client_id provided. Please set 'AZURE_CLIENT_ID' or use the 'azure_client_id' parameter"
)
client_secret = module.params.get('client_secret')
if not client_secret:
client_secret = os.environ.get('AZRUE_CLIENT_SECRET', None)
if not client_secret:
module.fail_json(
msg=
"No azure_client_secret provided. Please set 'AZURE_CLIENT_SECRET' or use the 'azure_client_secret' parameter"
)
oauth_endpoint = module.params.get('oauth_endpoint')
if not oauth_endpoint:
oauth_endpoint = os.environ.get('AZRUE_OAUTH_ENDPOINT', None)
if not oauth_endpoint:
module.fail_json(
msg=
"No azure_client_secret provided. Please set 'AZRUE_OAUTH_ENDPOINT' or use the 'azure_oauth_endpoint' parameter"
)
# Check module args for credentials, then check environment vars
subscription_id = module.params.get('subscription_id')
if not subscription_id:
subscription_id = os.environ.get('AZURE_SUBSCRIPTION_ID', None)
if not subscription_id:
module.fail_json(
msg=
"No subscription_id provided. Please set 'AZURE_SUBSCRIPTION_ID' or use the 'subscription_id' parameter"
)
auth_token = get_token_from_client_credentials(module, oauth_endpoint,
client_id, client_secret)
return SubscriptionCloudCredentials(subscription_id, auth_token)
def get_mgmt_credentials(self):
with self.tokens_lock:
token_id = "{0}|||{1}|||{2}".format(self.authority_url,
self.app_id, self.app_key)
if token_id in self.tokens:
token = self.tokens[token_id]
else:
try:
context = adal.AuthenticationContext(self.authority_url)
token = context.acquire_token_with_client_credentials(
str(self.identifier_uri), str(self.app_id),
str(self.app_key))
except Exception as e:
e.args = ("Auth failure: {0}".format(
e.args[0]), ) + e.args[1:]
raise
self.tokens[token_id] = token
return SubscriptionCloudCredentials(self.subscription_id,
token['accessToken'])
def get_mgmt_credentials(self):
with self.tokens_lock:
token_id = "{0}|||{1}|||{2}".format(self.authority_url, self.user,
self.password)
if token_id in self.tokens:
token = self.tokens[token_id]
else:
try:
auth_func = (adal.acquire_token_with_client_credentials
if self.is_service_principal else
adal.acquire_token_with_username_password)
token = auth_func(str(self.authority_url), str(self.user),
str(self.password))
except Exception as e:
e.args = ("Auth failure: {0}".format(
e.args[0]), ) + e.args[1:]
raise
self.tokens[token_id] = token
return SubscriptionCloudCredentials(self.subscription_id,
token['accessToken'])
def _get_credentials(subscription_id):
auth_token = _get_auth_token()
return SubscriptionCloudCredentials(subscription_id, auth_token)
# cf specific configuration (configure security groups for haproxy)
bosh_address = "10.0.0.4"
deployment_name = "router-and-lb"
subscription_id = settings['SUBSCRIPTION-ID']
tenant = settings['TENANT-ID']
endpoint = "https://login.microsoftonline.com/{0}/oauth2/token".format(tenant)
client_token = settings['CLIENT-ID']
client_secret = settings['CLIENT-SECRET']
ip = get_job_ip_address("admin", "admin", bosh_address, deployment_name,
"haproxy")
token = get_token_from_client_credentials(endpoint, client_token,
client_secret)
creds = SubscriptionCloudCredentials(subscription_id, token)
network_client = azure.mgmt.network.NetworkResourceProviderClient(creds)
rules_client = azure.mgmt.network.networkresourceprovider.SecurityRuleOperations(
network_client)
ha_proxy_address = "10.0.16.200"
rule = azure.mgmt.network.SecurityRule(
description="",
protocol="*",
source_port_range="*",
destination_port_range="80",
source_address_prefix="*",
destination_address_prefix=ha_proxy_address,
access="Allow",
def main():
module = AnsibleModule(
argument_spec=dict(client_id=dict(required=True),
client_secret=dict(required=True),
tenant_id=dict(required=True),
subscription_id=dict(required=True),
template_src_json=dict(required=True),
param_src_json=dict(),
resource_group_name=dict(required=True),
resource_group_location=dict(),
deployment_name=dict(required=True)),
# Implementing check-mode using HEAD is impossible, since size/date is not 100% reliable
supports_check_mode=False,
)
if not HAS_ARM:
module.fail_json(msg='azure python sdk required for this module')
client_id = module.params.get('client_id')
client_secret = module.params.get('client_secret')
tenant_id = module.params.get('tenant_id')
subscription_id = module.params.get('subscription_id')
template_src_json = module.params.get('template_src_json')
if module.params['param_src_json']:
param_src_json = module.params.get('param_src_json')
else:
param_src_json = 'none'
resource_group_name = module.params.get('resource_group_name')
deployment_name = module.params.get('deployment_name')
if module.params['resource_group_location']:
resource_group_location = module.params.get('resource_group_location')
else:
resource_group_location = 'none'
#try:
endpoint = 'https://login.microsoftonline.com/' + tenant_id + '/oauth2/token'
#authenticate to azure
auth_token = get_token_from_client_credentials(
endpoint=endpoint,
client_id=client_id,
client_secret=client_secret,
)
creds = SubscriptionCloudCredentials(subscription_id, auth_token)
#construct resource client
resource_client = azure.mgmt.resource.ResourceManagementClient(creds)
#Check rg
try:
rg_list_result = resource_client.resource_groups.get(
resource_group_name)
rg_does_exist = 'True'
except:
rg_does_exist = 'False'
#Create RG if necessary
if (rg_does_exist == 'False'):
if (resource_group_location == 'none'):
module.fail_json(
msg=
'Resource group does not exist, and resource_group_location isnt specified'
)
result = resource_client.resource_groups.create_or_update(
resource_group_name,
azure.mgmt.resource.ResourceGroup(
location=resource_group_location, ),
)
#read template file and params file
templatefile = open(template_src_json)
template = templatefile.read()
templatefile.close()
#If param file doesnt exist, use an empty json thingy
if (param_src_json == 'none'):
param = '{}'
elif (os.path.isfile(param_src_json)):
paramfile = open(param_src_json)
param = paramfile.read()
paramfile.close()
else:
param = '{}'
#create deployment props
properties = azure.mgmt.resource.resourcemanagement.DeploymentProperties(
mode="incremental", template=template, parameters=param)
deploy_parameter = azure.mgmt.resource.Deployment()
deploy_parameter.properties = properties
#invoke the thing
result = resource_client.deployments.create_or_update(
resource_group_name=resource_group_name,
deployment_name=deployment_name,
parameters=deploy_parameter)
while True:
status = resource_client.deployments.get(resource_group_name,
deployment_name)
time.sleep(1)
print(status.deployment.properties.provisioning_state)
if status.deployment.properties.provisioning_state == 'Succeeded':
break
if status.deployment.properties.provisioning_state == 'Failed':
module.fail_json(msg='Deployment failed')
break
#except:
# module.fail_json(msg=sys.exc_info()[0],endpoint=endpoint)
module.exit_json(changed=True, status=status.request_id)
def do_step(context):
settings = context.meta['settings']
username = settings["username"]
home_dir = os.path.join("/home", username)
f = open("{0}/manifests/elastic-runtime.yml".format(home_dir))
manifest = yaml.safe_load(f)
f.close()
api_endpoint = "https://api.{0}".format(manifest['system_domain'])
metabroker_name = "meta-azure-service-broker"
metabroker_url = "https://{0}.{1}".format(metabroker_name,
manifest['apps_domain'])
cf_admin_password = manifest['properties']['admin_password']
cf_user = "******"
sshpubkey = settings['adminSSHKey']
sqlservernameFQDN = settings["sqlServerFQDN"]
sqlservername = settings["sqlServerName"]
sqlusername = settings["sqlServerAdminLogin"]
sqlpassword = settings["sqlServerAdminPassword"]
docdb_hostendpoint = settings["documentdb-endpoint"]
docdb_masterkey = settings["documentdb-masterkey"]
metabroker_user = "******"
metabroker_environment = settings["metabrokerenvironment"]
call(
"/usr/local/bin/mssql --server {0} --database azuremetabroker --user {1}@{2} --pass {3} --encrypt -q '.read ./meta-azure-service-broker/scripts/schema.sql'"
.format(sqlservernameFQDN, sqlusername, sqlservername, sqlpassword),
shell=True)
subscription_id = settings['SUBSCRIPTION-ID']
tenant = settings['TENANT-ID']
endpoint = "https://login.microsoftonline.com/{0}/oauth2/token".format(
tenant)
client_token = settings['CLIENT-ID']
client_secret = settings['CLIENT-SECRET']
token = get_token_from_client_credentials(endpoint, client_token,
client_secret)
creds = SubscriptionCloudCredentials(subscription_id, token)
metabroker_password = password(sqlpassword, sshpubkey, True)
resource_client = ResourceManagementClient(creds)
resource_client.providers.register('Microsoft.DocumentDB')
resource_client.providers.register('Microsoft.ServiceBus')
resource_client.providers.register('Microsoft.Sql')
resource_client.providers.register('Microsoft.Storage')
resource_client.providers.register('Microsoft.Cache')
template_context = {
'service_broker_auth_user': metabroker_user,
'service_broker_auth_password': metabroker_password,
'service_broker_sql_server': sqlservernameFQDN,
'service_broker_sql_user': sqlusername,
'service_broker_sql_password': sqlpassword,
'service_broker_sql_database_name': 'azuremetabroker',
'environment': metabroker_environment,
'subscription_id': subscription_id,
'tenant_id': tenant,
'client_id': client_token,
'client_secret': client_secret,
'docdb_hostendpoint': docdb_hostendpoint,
'docdb_masterkey': docdb_masterkey
}
default_config = Template(DEFAULT_JSON).render(template_context)
manifest = Template(MANIFEST_YAML).render(template_context)
with open('meta-azure-service-broker/config/default.json', 'w') as f:
f.write(default_config)
with open('meta-azure-service-broker/manifest.yml', 'w') as f:
f.write(manifest)
call("./cf login --skip-ssl-validation -a {0} -u {1} -p {2}".format(
api_endpoint, cf_user, cf_admin_password),
shell=True)
call("./cf create-space development", shell=True)
call("./cf target -o system -s development", shell=True)
call(
"./cf push -p ./meta-azure-service-broker -f ./meta-azure-service-broker/manifest.yml",
shell=True)
call("./cf create-service-broker demo-service-broker {0} {1} {2}".format(
metabroker_user, metabroker_password, metabroker_url),
shell=True)
call("./cf enable-service-access azure-storageblob", shell=True)
call("./cf enable-service-access azure-rediscache", shell=True)
call("./cf enable-service-access azure-documentdb", shell=True)
call("./cf enable-service-access azure-servicebus", shell=True)
call("./cf enable-service-access azure-sqldb", shell=True)
return context
def do_step(context):
settings = context.meta['settings']
# cf specific configuration (configure security groups for haproxy)
subscription_id = settings['SUBSCRIPTION-ID']
tenant = settings['TENANT-ID']
endpoint = "https://login.microsoftonline.com/{0}/oauth2/token".format(
tenant)
client_token = settings['CLIENT-ID']
client_secret = settings['CLIENT-SECRET']
protectedSettings = get_protected_settings()
print "Client sercret from protectedSettings %s" % protectedSettings[
'CLIENT-SECRET']
ha_proxy_address = get_ha_proxy_address(context)
token = get_token_from_client_credentials(endpoint, client_token,
client_secret)
creds = SubscriptionCloudCredentials(subscription_id, token)
network_client = NetworkResourceProviderClient(creds)
rules_client = SecurityRuleOperations(network_client)
rule = SecurityRule(description="",
protocol="*",
source_port_range="*",
destination_port_range="80",
source_address_prefix="*",
destination_address_prefix=ha_proxy_address,
access="Allow",
priority=1100,
direction="InBound")
rules_client.create_or_update(settings['RESOURCE-GROUP-NAME'],
settings['NSG-NAME-FOR-CF'], "http_inbound",
rule)
rule = SecurityRule(description="",
protocol="*",
source_port_range="*",
destination_port_range="443",
source_address_prefix="*",
destination_address_prefix=ha_proxy_address,
access="Allow",
priority=1200,
direction="InBound")
rules_client.create_or_update(settings['RESOURCE-GROUP-NAME'],
settings['NSG-NAME-FOR-CF'], "https_inbound",
rule)
rule = SecurityRule(description="",
protocol="*",
source_port_range="*",
destination_port_range="2222",
source_address_prefix="*",
destination_address_prefix=ha_proxy_address,
access="Allow",
priority=1300,
direction="InBound")
rules_client.create_or_update(settings['RESOURCE-GROUP-NAME'],
settings['NSG-NAME-FOR-CF'],
"ssh_proxy_inbound", rule)
return context
def main():
module = AnsibleModule(
argument_spec=dict(client_id=dict(required=True),
client_secret=dict(required=True),
tenant_id=dict(required=True),
subscription_id=dict(required=True),
src_json=dict(),
resource_group_name=dict(required=True),
resource_group_location=dict(),
resource_url=dict(required=True),
state=dict(default='present',
choices=['absent', 'present'])),
# Implementing check-mode using HEAD is impossible, since size/date is not 100% reliable
supports_check_mode=False,
)
p = module.params
if not HAS_ARM:
module.fail_json(msg='azure python sdk required for this module')
client_id = module.params.get('client_id')
client_secret = module.params.get('client_secret')
tenant_id = module.params.get('tenant_id')
subscription_id = module.params.get('subscription_id')
if module.params['src_json']:
src_json = module.params.get('src_json')
else:
src_json = 'none'
resource_group_name = module.params.get('resource_group_name')
resource_url = module.params.get('resource_url')
if module.params['resource_group_location']:
resource_group_location = module.params.get('resource_group_location')
else:
resource_group_location = 'none'
url_method = 'put'
#try:
endpoint = 'https://login.microsoftonline.com/' + tenant_id + '/oauth2/token'
#authenticate to azure
auth_token = get_token_from_client_credentials(
endpoint=endpoint,
client_id=client_id,
client_secret=client_secret,
)
creds = SubscriptionCloudCredentials(subscription_id, auth_token)
#construct resource client
resource_client = azure.mgmt.resource.ResourceManagementClient(creds)
#Check rg
try:
rg_list_result = resource_client.resource_groups.get(
resource_group_name)
rg_does_exist = 'True'
except:
rg_does_exist = 'False'
#Create RG if necessary
if p['state'] == 'present':
if (rg_does_exist == 'False'):
if (resource_group_location == 'none'):
module.fail_json(
msg=
'Resource group does not exist, and resource_group_location isnt specified'
)
result = resource_client.resource_groups.create_or_update(
resource_group_name,
azure.mgmt.resource.ResourceGroup(
location=resource_group_location, ),
)
#read template file and params file
if (src_json != 'none'):
jsonfilefile = open(src_json)
jsonpayload = jsonfilefile.read()
jsonfilefile.close()
else:
jsonpayload = None
url = "https://management.azure.com/subscriptions/" + subscription_id + "/resourceGroups/" + resource_group_name + "/" + resource_url
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'Bearer ' + auth_token
}
class Object(object):
pass
returnobj = Object()
#Check if the resource exists
does_exist_request = requests.get(url, headers=headers)
if does_exist_request.status_code in (400, 404):
does_exist = False
else:
does_exist = True
if ((does_exist == False) and (p['state'] == 'present')):
if (src_json == 'none'):
result = requests.put(url, headers=headers)
else:
result = requests.put(url, headers=headers, data=jsonpayload)
if ((does_exist == False) and (p['state'] == 'absent')):
module.exit_json(changed=False, status_code=None, url=url)
if ((does_exist == True) and (p['state'] == 'present')):
module.exit_json(changed=False,
status_code=does_exist_request.status_code,
url=url,
content=does_exist_request.json())
if ((does_exist == True) and (p['state'] == 'absent')):
result = requests.delete(url, headers=headers)
returnobj.status_code = result.status_code
returnobj.url = url
if result.status_code in (200, 201):
returnobj.changed = True
module.exit_json(changed=True,
status_code=result.status_code,
url=url,
content=result.json())
elif result.status_code == 204:
module.exit_json(changed=True, status_code=result.status_code, url=url)
else:
module.fail_json(msg='Error', status_code=result.status_code, url=url)
module.exit_json(changed=True, status=result.text, url=url)
