def validate_both_start_end_dates(namespace):
"""Validates the existence of both start and end dates in the parameter or neither"""
if (namespace.start_date and not namespace.end_date) or (namespace.end_date and not namespace.start_date):
raise CLIError("usage error: Both --start-date and --end-date need to be supplied or neither.")
def enable_protection_for_vm(cmd, client, resource_group_name, vault_name, vm, policy_name, diskslist=None,
disk_list_setting=None, exclude_all_data_disks=None):
vm_name, vm_rg = _get_resource_name_and_rg(resource_group_name, vm)
vm = virtual_machines_cf(cmd.cli_ctx).get(vm_rg, vm_name)
vault = vaults_cf(cmd.cli_ctx).get(resource_group_name, vault_name)
policy = show_policy(protection_policies_cf(cmd.cli_ctx), resource_group_name, vault_name, policy_name)
if vm.location.lower() != vault.location.lower():
raise CLIError(
"""
The VM should be in the same location as that of the Recovery Services vault to enable protection.
""")
if policy.properties.backup_management_type != BackupManagementType.azure_iaas_vm.value:
raise CLIError(
"""
The policy type should match with the workload being protected.
Use the relevant get-default policy command and use it to protect the workload.
""")
# Get protectable item.
protectable_item = _get_protectable_item_for_vm(cmd.cli_ctx, vault_name, resource_group_name, vm_name, vm_rg)
if protectable_item is None:
raise CLIError(
"""
The specified Azure Virtual Machine Not Found. Possible causes are
1. VM does not exist
2. The VM name or the Service name needs to be case sensitive
3. VM is already Protected with same or other Vault.
Please Unprotect VM first and then try to protect it again.
Please contact Microsoft for further assistance.
""")
# Construct enable protection request object
container_uri = _get_protection_container_uri_from_id(protectable_item.id)
item_uri = _get_protectable_item_uri_from_id(protectable_item.id)
vm_item_properties = _get_vm_item_properties_from_vm_type(vm.type)
vm_item_properties.policy_id = policy.id
vm_item_properties.source_resource_id = protectable_item.properties.virtual_machine_id
if disk_list_setting is not None:
if diskslist is None:
raise CLIError("Please provide LUNs of disks that will be included or excluded.")
is_inclusion_list = False
if disk_list_setting == "include":
is_inclusion_list = True
disk_exclusion_properties = DiskExclusionProperties(disk_lun_list=diskslist,
is_inclusion_list=is_inclusion_list)
extended_properties = ExtendedProperties(disk_exclusion_properties=disk_exclusion_properties)
vm_item_properties.extended_properties = extended_properties
elif exclude_all_data_disks:
disk_exclusion_properties = DiskExclusionProperties(disk_lun_list=[],
is_inclusion_list=True)
extended_properties = ExtendedProperties(disk_exclusion_properties=disk_exclusion_properties)
vm_item_properties.extended_properties = extended_properties
vm_item = ProtectedItemResource(properties=vm_item_properties)
# Trigger enable protection and wait for completion
result = client.create_or_update(vault_name, resource_group_name, fabric_name,
container_uri, item_uri, vm_item, raw=True)
return _track_backup_job(cmd.cli_ctx, result, vault_name, resource_group_name)
def resume_protection(cmd, client, resource_group_name, vault_name, item, policy):
if item.properties.protection_state != "ProtectionStopped":
raise CLIError("Azure Virtual Machine is already protected")
return update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy)
def flexible_server_update_custom_func(cmd,
instance,
sku_name=None,
tier=None,
storage_mb=None,
backup_retention=None,
administrator_login_password=None,
ssl_enforcement=None,
subnet_arm_resource_id=None,
tags=None,
auto_grow=None,
assign_identity=False,
ha_enabled=None,
replication_role=None,
maintenance_window=None,
iops=None):
# validator
location = ''.join(instance.location.lower().split())
sku_info, iops_info = get_mysql_list_skus_info(cmd, location)
mysql_arguments_validator(tier,
sku_name,
storage_mb,
backup_retention,
sku_info,
instance=instance)
from importlib import import_module
server_module_path = instance.__module__
module = import_module(
server_module_path
) # replacement not needed for update in flex servers
ServerForUpdate = getattr(module, 'ServerForUpdate')
if storage_mb:
instance.storage_profile.storage_mb = storage_mb * 1024
sku_rank = {
'Standard_B1s': 1,
'Standard_B1ms': 2,
'Standard_B2s': 3,
'Standard_D2ds_v4': 4,
'Standard_D4ds_v4': 5,
'Standard_D8ds_v4': 6,
'Standard_D16ds_v4': 7,
'Standard_D32ds_v4': 8,
'Standard_D48ds_v4': 9,
'Standard_D64ds_v4': 10,
'Standard_E2ds_v4': 11,
'Standard_E4ds_v4': 12,
'Standard_E8ds_v4': 13,
'Standard_E16ds_v4': 14,
'Standard_E32ds_v4': 15,
'Standard_E48ds_v4': 16,
'Standard_E64ds_v4': 17
}
if location == 'eastus2euap':
sku_rank.update({
'Standard_D2s_v3': 4,
'Standard_D4s_v3': 5,
'Standard_D8s_v3': 6,
'Standard_D16s_v3': 7,
'Standard_D32s_v3': 8,
'Standard_D48s_v3': 9,
'Standard_D64s_v3': 10,
'Standard_E2s_v3': 11,
'Standard_E4s_v3': 12,
'Standard_E8s_v3': 13,
'Standard_E16s_v3': 14,
'Standard_E32s_v3': 15,
'Standard_E48s_v3': 16,
'Standard_E64s_v3': 17
})
if iops:
if (tier is not None
and sku_name is None) or (tier is None
and sku_name is not None):
raise CLIError(
'Argument Error. If you pass --tier, --sku_name is a mandatory parameter and vice-versa.'
)
if tier is None and sku_name is None:
iops = _determine_iops(instance.storage_profile.storage_mb // 1024,
iops_info, iops, instance.sku.tier,
instance.sku.name)
else:
new_sku_rank = sku_rank[sku_name]
old_sku_rank = sku_rank[instance.sku.name]
supplied_iops = iops
max_allowed_iops_new_sku = iops_info[tier][sku_name]
default_iops = 100
free_iops = (instance.storage_profile.storage_mb // 1024) * 3
# Downgrading SKU
if new_sku_rank < old_sku_rank:
if supplied_iops > max_allowed_iops_new_sku:
iops = max_allowed_iops_new_sku
logger.warning(
'The max IOPS for your sku is %s. Provisioning the server with %s...',
iops, iops)
elif supplied_iops < default_iops:
if free_iops < default_iops:
iops = default_iops
logger.warning(
'The min IOPS is %s. Provisioning the server with %s...',
default_iops, default_iops)
else:
iops = min(max_allowed_iops_new_sku, free_iops)
logger.warning(
'Updating the server with %s free IOPS...', iops)
else: # Upgrading SKU
if supplied_iops > max_allowed_iops_new_sku:
iops = max_allowed_iops_new_sku
logger.warning(
'The max IOPS for your sku is %s. Provisioning the server with %s...',
iops, iops)
elif supplied_iops <= max_allowed_iops_new_sku:
iops = max(supplied_iops,
min(free_iops, max_allowed_iops_new_sku))
if iops != supplied_iops:
logger.warning(
'Updating the server with %s free IOPS...', iops)
elif supplied_iops < default_iops:
if free_iops < default_iops:
iops = default_iops
logger.warning(
'The min IOPS is %s. Updating the server with %s...',
default_iops, default_iops)
else:
iops = min(max_allowed_iops_new_sku, free_iops)
logger.warning(
'Updating the server with %s free IOPS...', iops)
instance.sku.name = sku_name
instance.sku.tier = tier
instance.storage_profile.storage_iops = iops
# pylint: disable=too-many-boolean-expressions
if (iops is None and tier is None
and sku_name) or (iops is None and sku_name is None and tier):
raise CLIError(
'Argument Error. If you pass --tier, --sku_name is a mandatory parameter and vice-versa.'
)
if iops is None and sku_name and tier:
new_sku_rank = sku_rank[sku_name]
old_sku_rank = sku_rank[instance.sku.name]
instance.sku.name = sku_name
instance.sku.tier = tier
max_allowed_iops_new_sku = iops_info[tier][sku_name]
iops = instance.storage_profile.storage_iops
if new_sku_rank < old_sku_rank: # Downgrading
if instance.storage_profile.storage_iops > max_allowed_iops_new_sku:
iops = max_allowed_iops_new_sku
logger.warning('Updating the server with max %s IOPS...', iops)
else: # Upgrading
if instance.storage_profile.storage_iops < (
instance.storage_profile.storage_mb // 1024) * 3:
iops = min(max_allowed_iops_new_sku,
(instance.storage_profile.storage_mb // 1024) * 3)
logger.warning('Updating the server with free %s IOPS...',
iops)
instance.storage_profile.storage_iops = iops
if backup_retention:
instance.storage_profile.backup_retention_days = backup_retention
if auto_grow:
instance.storage_profile.storage_autogrow = auto_grow
if subnet_arm_resource_id:
instance.delegated_subnet_arguments.subnet_arm_resource_id = subnet_arm_resource_id
if maintenance_window:
logger.warning(
'If you are updating maintenancw window with other parameter, maintenance window will be updated first. Please update the other parameters later.'
)
# if disabled is pass in reset to default values
if maintenance_window.lower() == "disabled":
day_of_week = start_hour = start_minute = 0
custom_window = "Disabled"
else:
day_of_week, start_hour, start_minute = parse_maintenance_window(
maintenance_window)
custom_window = "Enabled"
# set values - if maintenance_window when is None when created then create a new object
if instance.maintenance_window is None:
instance.maintenance_window = mysql_flexibleservers.models.MaintenanceWindow(
day_of_week=day_of_week,
start_hour=start_hour,
start_minute=start_minute,
custom_window=custom_window)
else:
instance.maintenance_window.day_of_week = day_of_week
instance.maintenance_window.start_hour = start_hour
instance.maintenance_window.start_minute = start_minute
instance.maintenance_window.custom_window = custom_window
return ServerForUpdate(maintenance_window=instance.maintenance_window)
params = ServerForUpdate(
sku=instance.sku,
storage_profile=instance.storage_profile,
administrator_login_password=administrator_login_password,
ssl_enforcement=ssl_enforcement,
delegated_subnet_arguments=instance.delegated_subnet_arguments,
tags=tags,
ha_enabled=ha_enabled,
replication_role=replication_role)
if assign_identity:
if server_module_path.find('mysql'):
if instance.identity is None:
instance.identity = mysql_flexibleservers.models.Identity()
params.identity = instance.identity
return params
def acs_create(resource_group_name, deployment_name, name, ssh_key_value, dns_name_prefix=None, # pylint: disable=too-many-locals
admin_username="******", agent_count="3",
agent_vm_size="Standard_D2_v2", location=None, master_count="1",
orchestrator_type="dcos", service_principal=None, client_secret=None, tags=None,
windows=False, admin_password="", generate_ssh_keys=False, # pylint: disable=unused-argument
validate=False, no_wait=False):
"""Create a new Acs.
:param resource_group_name: The name of the resource group. The name
is case insensitive.
:type resource_group_name: str
:param deployment_name: The name of the deployment.
:type deployment_name: str
:param dns_name_prefix: Sets the Domain name prefix for the cluster.
The concatenation of the domain name and the regionalized DNS zone
make up the fully qualified domain name associated with the public
IP address.
:type dns_name_prefix: str
:param name: Resource name for the container service.
:type name: str
:param ssh_key_value: Configure all linux machines with the SSH RSA
public key string. Your key should include three parts, for example
'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm
:type ssh_key_value: str
:param content_version: If included it must match the ContentVersion
in the template.
:type content_version: str
:param admin_username: User name for the Linux Virtual Machines.
:type admin_username: str
:param agent_count: The number of agents for the cluster. Note, for
DC/OS clusters you will also get 1 or 2 public agents in addition to
these selected masters.
:type agent_count: str
:param agent_vm_size: The size of the Virtual Machine.
:type agent_vm_size: str
:param location: Location for VM resources.
:type location: str
:param master_count: The number of masters for the cluster.
:type master_count: str
:param orchestrator_type: The type of orchestrator used to manage the
applications on the cluster. Possible values include: 'dcos', 'swarm'
:type orchestrator_type: str or :class:`orchestratorType
<Default.models.orchestratorType>`
:param service_principal: The service principal used for cluster authentication
to Azure APIs. If not specified, it is created for you and stored in the
${HOME}/.azure directory.
:type service_principal: str
:param client_secret: The secret associated with the service principal. If
--service-principal is specified, then secret should also be specified. If
--service-principal is not specified, the secret is auto-generated for you
and stored in ${HOME}/.azure/ directory.
:param tags: Tags object.
:type tags: object
:param windows: If true, the cluster will be built for running Windows container.
:type windows: bool
:param admin_password: The adminstration password for Windows nodes. Only available if --windows=true
:type admin_password: str
:param bool raw: returns the direct response alongside the
deserialized response
:rtype:
:class:`AzureOperationPoller<msrestazure.azure_operation.AzureOperationPoller>`
instance that returns :class:`DeploymentExtended
<Default.models.DeploymentExtended>`
:rtype: :class:`ClientRawResponse<msrest.pipeline.ClientRawResponse>`
if raw=true
:raises: :class:`CloudError<msrestazure.azure_exceptions.CloudError>`
"""
if ssh_key_value is not None and not _is_valid_ssh_rsa_public_key(ssh_key_value):
raise CLIError('Provided ssh key ({}) is invalid or non-existent'.format(ssh_key_value))
subscription_id = _get_subscription_id()
if not dns_name_prefix:
# Use subscription id to provide uniqueness and prevent DNS name clashes
dns_name_prefix = '{}-{}-{}'.format(name, resource_group_name, subscription_id[0:6])
register_providers()
groups = _resource_client_factory().resource_groups
# Just do the get, we don't need the result, it will error out if the group doesn't exist.
rg = groups.get(resource_group_name)
if orchestrator_type == 'Kubernetes' or orchestrator_type == 'kubernetes':
# TODO: This really needs to be broken out and unit tested.
client = _graph_client_factory()
if not service_principal:
# --service-principal not specified, try to load it from local disk
principalObj = load_acs_service_principal(subscription_id)
if principalObj:
service_principal = principalObj.get('service_principal')
client_secret = principalObj.get('client_secret')
_validate_service_principal(client, service_principal)
else:
# Nothing to load, make one.
if not client_secret:
client_secret = binascii.b2a_hex(os.urandom(10)).decode('utf-8')
salt = binascii.b2a_hex(os.urandom(3)).decode('utf-8')
url = 'http://{}.{}.{}.cloudapp.azure.com'.format(salt, dns_name_prefix, location)
service_principal = _build_service_principal(client, name, url, client_secret)
logger.info('Created a service principal: %s', service_principal)
store_acs_service_principal(subscription_id, client_secret, service_principal)
# Either way, update the role assignment, this fixes things if we fail part-way through
if not _add_role_assignment('Contributor', service_principal):
raise CLIError(
'Could not create a service principal with the right permissions. Are you an Owner on this project?')
else:
# --service-principal specfied, validate --client-secret was too
if not client_secret:
raise CLIError('--client-secret is required if --service-principal is specified')
_validate_service_principal(client, service_principal)
return _create_kubernetes(resource_group_name, deployment_name, dns_name_prefix, name,
ssh_key_value, admin_username=admin_username,
agent_count=agent_count, agent_vm_size=agent_vm_size,
location=location, service_principal=service_principal,
client_secret=client_secret, master_count=master_count,
windows=windows, admin_password=admin_password,
validate=validate, no_wait=no_wait, tags=tags)
if windows:
raise CLIError('--windows is only supported for Kubernetes clusters')
if location is None:
location = rg.location # pylint:disable=no-member
return _create_non_kubernetes(resource_group_name, deployment_name, dns_name_prefix, name,
ssh_key_value, admin_username, agent_count, agent_vm_size, location,
orchestrator_type, master_count, tags, validate, no_wait)
def validate_acr(namespace):
if namespace.attach_acr and namespace.detach_acr:
raise CLIError(
'Cannot specify "--attach-acr" and "--detach-acr" at the same time.'
)
def validate_load_balancer_idle_timeout(namespace):
"""validate load balancer profile idle timeout"""
if namespace.load_balancer_idle_timeout is not None:
if namespace.load_balancer_idle_timeout < 4 or namespace.load_balancer_idle_timeout > 120:
raise CLIError(
"--load-balancer-idle-timeout must be in the range [4,120]")
def validate_vnet(cmd, namespace):
if not namespace.vnet and not namespace.app_subnet and \
not namespace.service_runtime_subnet and not namespace.reserved_cidr_range:
return
validate_vnet_required_parameters(namespace)
vnet_id = ''
if namespace.vnet:
vnet_id = namespace.vnet
# format the app_subnet and service_runtime_subnet
if not is_valid_resource_id(vnet_id):
if vnet_id.count('/') > 0:
raise CLIError(
'--vnet {0} is not a valid name or resource ID'.format(
vnet_id))
vnet_id = resource_id(subscription=get_subscription_id(
cmd.cli_ctx),
resource_group=namespace.resource_group,
namespace='Microsoft.Network',
type='virtualNetworks',
name=vnet_id)
else:
vnet = parse_resource_id(vnet_id)
if vnet['namespace'].lower() != 'microsoft.network' or vnet[
'type'].lower() != 'virtualnetworks':
raise CLIError(
'--vnet {0} is not a valid VirtualNetwork resource ID'.
format(vnet_id))
namespace.app_subnet = _construct_subnet_id(vnet_id,
namespace.app_subnet)
namespace.service_runtime_subnet = _construct_subnet_id(
vnet_id, namespace.service_runtime_subnet)
else:
app_vnet_id = _parse_vnet_id_from_subnet(namespace.app_subnet)
service_runtime_vnet_id = _parse_vnet_id_from_subnet(
namespace.service_runtime_subnet)
if app_vnet_id.lower() != service_runtime_vnet_id.lower():
raise CLIError(
'--app-subnet and --service-runtime-subnet should be in the same Virtual Networks.'
)
vnet_id = app_vnet_id
if namespace.app_subnet.lower() == namespace.service_runtime_subnet.lower(
):
raise CLIError(
'--app-subnet and --service-runtime-subnet should not be the same.'
)
vnet_obj = _get_vnet(cmd, vnet_id)
instance_location = namespace.location
if instance_location is None:
instance_location = _get_rg_location(cmd.cli_ctx,
namespace.resource_group)
else:
instance_location_slice = instance_location.split(" ")
instance_location = "".join(
[piece.lower() for piece in instance_location_slice])
if vnet_obj.location.lower() != instance_location.lower():
raise CLIError(
'--vnet and Azure Spring Cloud instance should be in the same location.'
)
for subnet in vnet_obj.subnets:
_validate_subnet(namespace, subnet)
if namespace.reserved_cidr_range:
_validate_cidr_range(namespace)
else:
namespace.reserved_cidr_range = _set_default_cidr_range(vnet_obj.address_space.address_prefixes) if \
vnet_obj and vnet_obj.address_space and vnet_obj.address_space.address_prefixes \
else '10.234.0.0/16,10.244.0.0/16,172.17.0.1/16'
def validate_sku(namespace):
if namespace.sku is not None:
namespace.sku = namespace.sku.upper()
if namespace.sku not in ['BASIC', 'STANDARD']:
raise CLIError(
"The pricing tier only accepts value [Basic, Standard]")
def add_extension(
cmd=None,
source=None,
extension_name=None,
index_url=None,
yes=None, # pylint: disable=unused-argument, too-many-statements
pip_extra_index_urls=None,
pip_proxy=None,
system=None,
version=None,
cli_ctx=None,
upgrade=None):
ext_sha256 = None
version = None if version == 'latest' else version
cmd_cli_ctx = cli_ctx or cmd.cli_ctx
if extension_name:
cmd_cli_ctx.get_progress_controller().add(message='Searching')
ext = None
try:
ext = get_extension(extension_name)
except ExtensionNotInstalledException:
pass
if ext:
if isinstance(ext, WheelExtension):
if not upgrade:
logger.warning("Extension '%s' is already installed.",
extension_name)
return
logger.warning("Extension '%s' %s is already installed.",
extension_name, ext.get_version())
if version and version == ext.get_version():
return
logger.warning(
"It will be overriden with version {}.".format(version)
if version else "It will be updated if available.")
update_extension(cmd=cmd,
extension_name=extension_name,
index_url=index_url,
pip_extra_index_urls=pip_extra_index_urls,
pip_proxy=pip_proxy,
cli_ctx=cli_ctx,
version=version)
return
logger.warning(
"Overriding development version of '%s' with production version.",
extension_name)
try:
source, ext_sha256 = resolve_from_index(extension_name,
index_url=index_url,
target_version=version,
cli_ctx=cmd_cli_ctx)
except NoExtensionCandidatesError as err:
logger.debug(err)
if version:
err = "No matching extensions for '{} ({})'. Use --debug for more information.".format(
extension_name, version)
else:
err = "No matching extensions for '{}'. Use --debug for more information.".format(
extension_name)
raise CLIError(err)
extension_name = _add_whl_ext(cli_ctx=cmd_cli_ctx,
source=source,
ext_sha256=ext_sha256,
pip_extra_index_urls=pip_extra_index_urls,
pip_proxy=pip_proxy,
system=system)
try:
ext = get_extension(extension_name)
_augment_telemetry_with_ext_info(extension_name, ext)
if extension_name and ext.experimental:
logger.warning(
"The installed extension '%s' is experimental and not covered by customer support. "
"Please use with discretion.", extension_name)
elif extension_name and ext.preview:
logger.warning("The installed extension '%s' is in preview.",
extension_name)
CommandIndex().invalidate()
except ExtensionNotInstalledException:
pass
def _add_whl_ext(cli_ctx,
source,
ext_sha256=None,
pip_extra_index_urls=None,
pip_proxy=None,
system=None): # pylint: disable=too-many-statements
cli_ctx.get_progress_controller().add(message='Analyzing')
if not source.endswith('.whl'):
raise ValueError(
'Unknown extension type. Only Python wheels are supported.')
url_parse_result = urlparse(source)
is_url = (url_parse_result.scheme == 'http'
or url_parse_result.scheme == 'https')
logger.debug('Extension source is url? %s', is_url)
whl_filename = os.path.basename(
url_parse_result.path) if is_url else os.path.basename(source)
parsed_filename = WHEEL_INFO_RE(whl_filename)
# Extension names can have - but .whl format changes it to _ (PEP 0427). Undo this.
extension_name = parsed_filename.groupdict().get('name').replace(
'_', '-') if parsed_filename else None
if not extension_name:
raise CLIError(
'Unable to determine extension name from {}. Is the file name correct?'
.format(source))
if extension_exists(extension_name, ext_type=WheelExtension):
raise CLIError(
'The extension {} already exists.'.format(extension_name))
if extension_name == 'rdbms-connect':
_install_deps_for_psycopg2()
ext_file = None
if is_url:
# Download from URL
tmp_dir = tempfile.mkdtemp()
ext_file = os.path.join(tmp_dir, whl_filename)
logger.debug('Downloading %s to %s', source, ext_file)
import requests
try:
cli_ctx.get_progress_controller().add(message='Downloading')
_whl_download_from_url(url_parse_result, ext_file)
except (requests.exceptions.ConnectionError,
requests.exceptions.HTTPError) as err:
raise CLIError(
'Please ensure you have network connection. Error detail: {}'.
format(str(err)))
logger.debug('Downloaded to %s', ext_file)
else:
# Get file path
ext_file = os.path.realpath(os.path.expanduser(source))
if not os.path.isfile(ext_file):
raise CLIError("File {} not found.".format(source))
# Validate the extension
logger.debug('Validating the extension %s', ext_file)
if ext_sha256:
valid_checksum, computed_checksum = is_valid_sha256sum(
ext_file, ext_sha256)
if valid_checksum:
logger.debug("Checksum of %s is OK", ext_file)
else:
logger.debug(
"Invalid checksum for %s. Expected '%s', computed '%s'.",
ext_file, ext_sha256, computed_checksum)
raise CLIError(
"The checksum of the extension does not match the expected value. "
"Use --debug for more information.")
try:
cli_ctx.get_progress_controller().add(message='Validating')
_validate_whl_extension(ext_file)
except AssertionError:
logger.debug(traceback.format_exc())
raise CLIError(
'The extension is invalid. Use --debug for more information.')
except CLIError as e:
raise e
logger.debug('Validation successful on %s', ext_file)
# Check for distro consistency
check_distro_consistency()
cli_ctx.get_progress_controller().add(message='Installing')
# Install with pip
extension_path = build_extension_path(extension_name, system)
pip_args = ['install', '--target', extension_path, ext_file]
if pip_proxy:
pip_args = pip_args + ['--proxy', pip_proxy]
if pip_extra_index_urls:
for extra_index_url in pip_extra_index_urls:
pip_args = pip_args + ['--extra-index-url', extra_index_url]
logger.debug('Executing pip with args: %s', pip_args)
with HomebrewPipPatch():
pip_status_code = _run_pip(pip_args, extension_path)
if pip_status_code > 0:
logger.debug(
'Pip failed so deleting anything we might have installed at %s',
extension_path)
shutil.rmtree(extension_path, ignore_errors=True)
raise CLIError(
'An error occurred. Pip failed with status code {}. '
'Use --debug for more information.'.format(pip_status_code))
# Save the whl we used to install the extension in the extension dir.
dst = os.path.join(extension_path, whl_filename)
shutil.copyfile(ext_file, dst)
logger.debug('Saved the whl to %s', dst)
return extension_name
def _install_deps_for_psycopg2(): # pylint: disable=too-many-statements
# Below system dependencies are required to install the psycopg2 dependency for Linux and macOS
import platform
import subprocess
from azure.cli.core.util import get_linux_distro
from azure.cli.core._environment import _ENV_AZ_INSTALLER
installer = os.getenv(_ENV_AZ_INSTALLER)
system = platform.system()
if system == 'Darwin':
subprocess.call(['xcode-select', '--install'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
if installer != 'HOMEBREW':
from shutil import which
if which('brew') is None:
logger.warning(
'You may need to install postgresql with homebrew first before you install this extension.'
)
return
exit_code = subprocess.call(['brew', 'list', 'postgresql'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
if exit_code != 0:
update_cmd = ['brew', 'install', 'postgresql']
logger.warning(
'This extension depends on postgresql and it will be installed first.'
)
logger.debug("Install dependencies with '%s'",
" ".join(update_cmd))
subprocess.call(update_cmd)
# Fix the issue of -lssl not found during building psycopg2
if os.environ.get('LIBRARY_PATH') is None:
os.environ['LIBRARY_PATH'] = '/usr/local/opt/openssl/lib/'
else:
os.environ['LIBRARY_PATH'] = os.pathsep.join([
os.environ.get('LIBRARY_PATH'), '/usr/local/opt/openssl/lib/'
])
elif system == 'Linux':
distname, _ = get_linux_distro()
distname = distname.lower().strip()
if installer == 'DEB' or any(x in distname
for x in ['ubuntu', 'debian']):
from azure.cli.core.util import in_cloud_console
if in_cloud_console():
raise CLIError(
"This extension is not supported in Cloud Shell as you do not have permission to install extra dependencies."
)
exit_code = subprocess.call(
['dpkg', '-s', 'gcc', 'libpq-dev', 'python3-dev'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
if exit_code != 0:
logger.warning(
'This extension depends on gcc, libpq-dev, python3-dev and they will be installed first.'
)
apt_update_cmd = 'apt-get update'.split()
apt_install_cmd = 'apt-get install -y gcc libpq-dev python3-dev'.split(
)
if os.geteuid() != 0: # pylint: disable=no-member
apt_update_cmd.insert(0, 'sudo')
apt_install_cmd.insert(0, 'sudo')
exit_code = subprocess.call(apt_update_cmd, True)
if exit_code == 0:
logger.debug("Install dependencies with '%s'",
" ".join(apt_install_cmd))
subprocess.call(apt_install_cmd, True)
elif installer == 'RPM' or any(x in distname for x in [
'centos', 'rhel', 'red hat', 'fedora', 'opensuse', 'suse',
'sles'
]):
if any(x in distname
for x in ['centos', 'rhel', 'red hat', 'fedora']):
yum_install_cmd = 'yum install -y gcc postgresql-devel python3-devel'.split(
)
if os.geteuid() != 0: # pylint: disable=no-member
yum_install_cmd.insert(0, 'sudo')
logger.debug("Install dependencies with '%s'",
" ".join(yum_install_cmd))
logger.warning(
'This extension depends on gcc, postgresql-devel, python3-devel and they will be installed first if not exist.'
)
subprocess.call(yum_install_cmd)
elif any(x in distname for x in ['opensuse', 'suse', 'sles']):
zypper_refresh_cmd = ['zypper', 'refresh']
zypper_install_cmd = 'zypper install -y gcc postgresql-devel python3-devel'.split(
)
logger.warning(
'This extension depends on gcc postgresql-devel, python3-devel and they will be installed first if not exist.'
)
if os.geteuid() != 0: # pylint: disable=no-member
zypper_refresh_cmd.insert(0, 'sudo')
zypper_install_cmd.insert(0, 'sudo')
exit_code = subprocess.call(zypper_refresh_cmd)
if exit_code == 0:
logger.debug("Install dependencies with '%s'",
" ".join(zypper_install_cmd))
subprocess.call(zypper_install_cmd)
def validate_peering_type(namespace):
if namespace.peering_type and namespace.peering_type == 'MicrosoftPeering':
if not namespace.advertised_public_prefixes:
raise CLIError(
'missing required MicrosoftPeering parameter --advertised-public-prefixes')
def remove_extension(extension_name):
try:
get_extension(extension_name)
shutil.rmtree(get_extension_path(extension_name))
except ExtensionNotInstalledException as e:
raise CLIError(e)
def _report_client_side_validation_error(msg):
if force:
logger.warning(msg)
else:
raise CLIError(msg)
def validate_instance_count(namespace):
if namespace.instance_count is not None:
if namespace.instance_count < 1:
raise CLIError("--instance-count must be greater than 0")
def validate_load_balancer_outbound_ip_prefixes(namespace):
"""validate load balancer profile outbound IP prefix ids"""
if namespace.load_balancer_outbound_ip_prefixes is not None:
ip_prefix_id_list = [x.strip() for x in namespace.load_balancer_outbound_ip_prefixes.split(',')]
if not all(ip_prefix_id_list):
raise CLIError("--load-balancer-outbound-ip-prefixes cannot contain whitespace")
def validate_resource_id(namespace):
if not is_valid_resource_id(namespace.resource_id):
raise CLIError("Invalid resource id {}".format(namespace.resource_id))
def validate_user(namespace):
if namespace.user.lower() != "clusteruser" and \
namespace.user.lower() != "clustermonitoringuser":
raise CLIError(
"--user can only be clusterUser or clusterMonitoringUser")
def set_active_subscription(subscription):
"""Set the current subscription"""
if not id:
raise CLIError('Please provide subscription id or unique name.')
profile = Profile()
profile.set_active_subscription(subscription)
def validate_create_parameters(namespace):
if not namespace.name:
raise CLIError('--name has no value')
if namespace.dns_name_prefix is not None and not namespace.dns_name_prefix:
raise CLIError('--dns-prefix has no value')
def _check_name_availability(iot_hub_resource, hub_name):
name_availability = iot_hub_resource.check_name_availability(hub_name)
if name_availability is not None and not name_availability.name_available:
raise CLIError(name_availability.message)
def flexible_server_create(cmd,
client,
resource_group_name=None,
server_name=None,
sku_name=None,
tier=None,
location=None,
storage_mb=None,
administrator_login=None,
administrator_login_password=None,
version=None,
backup_retention=None,
tags=None,
public_access=None,
database_name=None,
subnet_arm_resource_id=None,
high_availability=None,
zone=None,
assign_identity=False,
vnet_resource_id=None,
vnet_address_prefix=None,
subnet_address_prefix=None,
iops=None):
# validator
if location is None:
location = DEFAULT_LOCATION_MySQL
sku_info, iops_info = get_mysql_list_skus_info(cmd, location)
mysql_arguments_validator(tier,
sku_name,
storage_mb,
backup_retention,
sku_info,
version=version)
db_context = DbContext(azure_sdk=mysql_flexibleservers,
cf_firewall=cf_mysql_flexible_firewall_rules,
cf_db=cf_mysql_flexible_db,
logging_name='MySQL',
command_group='mysql',
server_client=client)
# Raise error when user passes values for both parameters
if subnet_arm_resource_id is not None and public_access is not None:
raise CLIError(
"Incorrect usage : A combination of the parameters --subnet "
"and --public_access is invalid. Use either one of them.")
# When address space parameters are passed, the only valid combination is : --vnet, --subnet, --vnet-address-prefix, --subnet-address-prefix
# pylint: disable=too-many-boolean-expressions
if (vnet_address_prefix is not None) or (subnet_address_prefix
is not None):
if (((vnet_address_prefix is not None) and
(subnet_address_prefix is None))
or ((vnet_address_prefix is None) and
(subnet_address_prefix is not None))
or ((vnet_address_prefix is not None) and
(subnet_address_prefix is not None) and
((vnet_resource_id is None) or
(subnet_arm_resource_id is None)))):
raise CLIError(
"Incorrect usage : "
"--vnet, --subnet, --vnet-address-prefix, --subnet-address-prefix must be supplied together."
)
server_result = firewall_id = subnet_id = None
# Populate desired parameters
location, resource_group_name, server_name = generate_missing_parameters(
cmd, location, resource_group_name, server_name, 'mysql')
server_name = server_name.lower()
# Handle Vnet scenario
if (subnet_arm_resource_id is not None) or (vnet_resource_id is not None):
subnet_id = prepare_vnet(cmd, server_name, vnet_resource_id,
subnet_arm_resource_id, resource_group_name,
location, DELEGATION_SERVICE_NAME,
vnet_address_prefix, subnet_address_prefix)
delegated_subnet_arguments = mysql_flexibleservers.models.DelegatedSubnetArguments(
subnet_arm_resource_id=subnet_id)
elif public_access is None and subnet_arm_resource_id is None and vnet_resource_id is None:
subnet_id = create_vnet(cmd, server_name, location,
resource_group_name, DELEGATION_SERVICE_NAME)
delegated_subnet_arguments = mysql_flexibleservers.models.DelegatedSubnetArguments(
subnet_arm_resource_id=subnet_id)
else:
delegated_subnet_arguments = None
# calculate IOPS
iops = _determine_iops(storage_mb, iops_info, iops, tier, sku_name)
storage_mb *= 1024 # storage input comes in GiB value
administrator_login_password = generate_password(
administrator_login_password)
if server_result is None:
# Create mysql server
# Note : passing public_access has no effect as the accepted values are 'Enabled' and 'Disabled'. So the value ends up being ignored.
server_result = _create_server(
db_context, cmd, resource_group_name, server_name, location,
backup_retention, sku_name, tier, storage_mb, administrator_login,
administrator_login_password, version, tags,
delegated_subnet_arguments, assign_identity, public_access,
high_availability, zone, iops)
# Adding firewall rule
if public_access is not None and str(public_access).lower() != 'none':
if str(public_access).lower() == 'all':
start_ip, end_ip = '0.0.0.0', '255.255.255.255'
else:
start_ip, end_ip = parse_public_access_input(public_access)
firewall_id = create_firewall_rule(db_context, cmd,
resource_group_name,
server_name, start_ip, end_ip)
# Create mysql database if it does not exist
if database_name is None:
database_name = DEFAULT_DB_NAME
_create_database(db_context, cmd, resource_group_name, server_name,
database_name)
user = server_result.administrator_login
server_id = server_result.id
loc = server_result.location
version = server_result.version
sku = server_result.sku.name
host = server_result.fully_qualified_domain_name
logger.warning(
'Make a note of your password. If you forget, you would have to reset your password with'
'\'az mysql flexible-server update -n %s -g %s -p <new-password>\'.',
server_name, resource_group_name)
_update_local_contexts(cmd, server_name, resource_group_name, location,
user)
return _form_response(
user, sku, loc, server_id, host, version, administrator_login_password
if administrator_login_password is not None else '*****',
_create_mysql_connection_string(host, database_name, user,
administrator_login_password),
database_name, firewall_id, subnet_id)
def set_cloud(cloud_name):
try:
switch_active_cloud(cloud_name)
except CloudNotRegisteredException as e:
raise CLIError(e)
def _create_kubernetes(resource_group_name, deployment_name, dns_name_prefix, name, ssh_key_value,
admin_username="******", agent_count="3", agent_vm_size="Standard_D2_v2",
location=None, service_principal=None, client_secret=None, master_count="1",
windows=False, admin_password='', validate=False, no_wait=False, tags=None):
if not location:
location = '[resourceGroup().location]'
windows_profile = None
os_type = 'Linux'
if windows:
if len(admin_password) == 0:
raise CLIError('--admin-password is required.')
if len(admin_password) < 6:
raise CLIError('--admin-password must be at least 6 characters')
windows_profile = {
"adminUsername": admin_username,
"adminPassword": admin_password,
}
os_type = 'Windows'
template = {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"clientSecret": {
"type": "secureString",
"metadata": {
"description": "The client secret for the service principal"
}
}
},
"resources": [
{
"apiVersion": "2017-01-31",
"location": location,
"type": "Microsoft.ContainerService/containerServices",
"name": name,
"tags": tags,
"properties": {
"orchestratorProfile": {
"orchestratorType": "kubernetes"
},
"masterProfile": {
"count": master_count,
"dnsPrefix": dns_name_prefix
},
"agentPoolProfiles": [
{
"name": "agentpools",
"count": agent_count,
"vmSize": agent_vm_size,
"dnsPrefix": dns_name_prefix + '-k8s-agents',
"osType": os_type,
}
],
"linuxProfile": {
"ssh": {
"publicKeys": [
{
"keyData": ssh_key_value
}
]
},
"adminUsername": admin_username
},
"windowsProfile": windows_profile,
"servicePrincipalProfile": {
"ClientId": service_principal,
"Secret": "[parameters('clientSecret')]"
}
}
}
]
}
params = {
"clientSecret": {
"value": client_secret
}
}
return _invoke_deployment(resource_group_name, deployment_name, template, params, validate, no_wait)
def decrypt_vm(resource_group_name, vm_name, volume_type=None, force=False):
'''
Disable disk encryption on OS disk, Data disks, or both
'''
compute_client = _compute_client_factory()
vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
# pylint: disable=no-member
os_type = vm.storage_profile.os_disk.os_type.value
# 1. be nice, figure out the default volume type and also verify VM will not be busted
is_linux = _is_linux_vm(os_type)
if is_linux:
if volume_type:
if not force:
if volume_type == _DATA_VOLUME_TYPE:
status = show_vm_encryption_status(resource_group_name,
vm_name)
if status['osDisk'] == _STATUS_ENCRYPTED:
raise CLIError(
"Linux VM's OS disk is encrypted. Disabling encryption on data "
"disk can render the VM unbootable. Use '--force' "
"to ingore the warning")
else:
raise CLIError(
"Only Data disks can have encryption disabled in a Linux VM. "
"Use '--force' to ingore the warning")
else:
volume_type = _DATA_VOLUME_TYPE
elif volume_type is None:
if vm.storage_profile.data_disks:
raise CLIError("VM has data disks, please specify --volume-type")
# sequence_version should be incremented since encryptions occurred before
extension = vm_extension_info[os_type]
sequence_version = uuid.uuid4()
# 2. update the disk encryption extension
# The following logic was mostly ported from xplat-cli
public_config = {
'VolumeType': volume_type,
'EncryptionOperation': 'DisableEncryption',
'SequenceVersion': sequence_version,
}
from azure.mgmt.compute.models import VirtualMachineExtension, DiskEncryptionSettings
ext = VirtualMachineExtension(
vm.location, # pylint: disable=no-member
publisher=extension['publisher'],
virtual_machine_extension_type=extension['name'],
type_handler_version=extension['version'],
settings=public_config,
auto_upgrade_minor_version=True)
poller = compute_client.virtual_machine_extensions.create_or_update(
resource_group_name, vm_name, extension['name'], ext)
poller.result()
# 3. Remove the secret from VM's storage profile
extension_result = compute_client.virtual_machine_extensions.get(
resource_group_name, vm_name, extension['name'], 'instanceView')
if extension_result.provisioning_state != 'Succeeded':
raise CLIError("Extension updating didn't succeed")
vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
disk_encryption_settings = DiskEncryptionSettings(enabled=False)
vm.storage_profile.os_disk.encryption_settings = disk_encryption_settings
set_vm(vm)
def restore_disks(cmd, client, resource_group_name, vault_name, container_name, item_name, rp_name, storage_account,
target_resource_group=None, restore_to_staging_storage_account=None, restore_only_osdisk=None,
diskslist=None, restore_as_unmanaged_disks=None):
item = show_item(cmd, backup_protected_items_cf(cmd.cli_ctx), resource_group_name, vault_name, container_name,
item_name, "AzureIaasVM", "VM")
_validate_item(item)
recovery_point = show_recovery_point(cmd, recovery_points_cf(cmd.cli_ctx), resource_group_name, vault_name,
container_name, item_name, rp_name, "AzureIaasVM", "VM")
vault = vaults_cf(cmd.cli_ctx).get(resource_group_name, vault_name)
vault_location = vault.location
# Get container and item URIs
container_uri = _get_protection_container_uri_from_id(item.id)
item_uri = _get_protected_item_uri_from_id(item.id)
# Original Storage Account Restore Logic
use_original_storage_account = _should_use_original_storage_account(recovery_point,
restore_to_staging_storage_account)
if use_original_storage_account:
logger.warning(
"""
The disks will be restored to their original storage accounts. The VM config file will be uploaded to given
storage account.
""")
# Construct trigger restore request object
sa_name, sa_rg = _get_resource_name_and_rg(resource_group_name, storage_account)
_storage_account_id = _get_storage_account_id(cmd.cli_ctx, sa_name, sa_rg)
_source_resource_id = item.properties.source_resource_id
target_rg_id = None
if restore_as_unmanaged_disks and target_resource_group is not None:
raise CLIError(
"""
Both restore_as_unmanaged_disks and target_resource_group can't be spceified.
Please give Only one parameter and retry.
""")
if recovery_point.properties.is_managed_virtual_machine:
if target_resource_group is not None:
target_rg_id = '/'.join(_source_resource_id.split('/')[:4]) + "/" + target_resource_group
if not restore_as_unmanaged_disks and target_resource_group is None:
logger.warning(
"""
The disks of the managed VM will be restored as unmanaged since targetRG parameter is not provided.
This will NOT leverage the instant restore functionality.
Hence it can be significantly slow based on given storage account.
To leverage instant restore, provide the target RG parameter.
Otherwise, provide the intent next time by passing the --restore-as-unmanaged-disks parameter
""")
_validate_restore_disk_parameters(restore_only_osdisk, diskslist)
restore_disk_lun_list = None
if restore_only_osdisk:
restore_disk_lun_list = []
if diskslist:
restore_disk_lun_list = diskslist
trigger_restore_properties = IaasVMRestoreRequest(create_new_cloud_service=True,
recovery_point_id=rp_name,
recovery_type='RestoreDisks',
region=vault_location,
storage_account_id=_storage_account_id,
source_resource_id=_source_resource_id,
target_resource_group_id=target_rg_id,
original_storage_account_option=use_original_storage_account,
restore_disk_lun_list=restore_disk_lun_list)
trigger_restore_request = RestoreRequestResource(properties=trigger_restore_properties)
# Trigger restore
result = client.trigger(vault_name, resource_group_name, fabric_name,
container_uri, item_uri, rp_name,
trigger_restore_request, raw=True)
return _track_backup_job(cmd.cli_ctx, result, vault_name, resource_group_name)
def encrypt_vm(
resource_group_name,
vm_name, # pylint: disable=too-many-locals, too-many-statements
aad_client_id,
disk_encryption_keyvault,
aad_client_secret=None,
aad_client_cert_thumbprint=None,
key_encryption_keyvault=None,
key_encryption_key=None,
key_encryption_algorithm='RSA-OAEP',
volume_type=None):
'''
Enable disk encryption on OS disk, Data disks, or both
:param str aad_client_id: Client ID of AAD app with permissions to write secrets to KeyVault
:param str aad_client_secret: Client Secret of AAD app with permissions to
write secrets to KeyVault
:param str aad_client_cert_thumbprint: Thumbprint of AAD app certificate with permissions
to write secrets to KeyVault
:param str disk_encryption_keyvault:the KeyVault where generated encryption key will be placed
:param str key_encryption_key: KeyVault key name or URL used to encrypt the disk encryption key
:param str key_encryption_keyvault: the KeyVault containing the key encryption key
used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault
'''
# pylint: disable=no-member
compute_client = _compute_client_factory()
vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
os_type = vm.storage_profile.os_disk.os_type.value
is_linux = _is_linux_vm(os_type)
extension = vm_extension_info[os_type]
# 1. First validate arguments
if not aad_client_cert_thumbprint and not aad_client_secret:
raise CLIError(
'Please provide either --aad-client-id or --aad-client-cert-thumbprint'
)
if volume_type is None:
if vm.storage_profile.data_disks:
raise CLIError('VM has data disks, please supply --volume-type')
else:
volume_type = 'OS'
# encryption is not supported on all linux distros, but service never tells you
# so let us verify at the client side
if is_linux:
image_reference = getattr(vm.storage_profile, 'image_reference', None)
if image_reference:
result, message = _check_encrypt_is_supported(
image_reference, volume_type)
if not result:
logger.warning(message)
# sequence_version should be unique
sequence_version = uuid.uuid4()
# retrieve keyvault details
disk_encryption_keyvault_url = _get_key_vault_base_url(
(parse_resource_id(disk_encryption_keyvault))['name'])
# disk encryption key itself can be further protected, so let us verify
if key_encryption_key:
key_encryption_keyvault = key_encryption_keyvault or disk_encryption_keyvault
if '://' not in key_encryption_key: # appears a key name
key_encryption_key = _get_keyvault_key_url(
(parse_resource_id(key_encryption_keyvault))['name'],
key_encryption_key)
# 2. we are ready to provision/update the disk encryption extensions
# The following logic was mostly ported from xplat-cli
public_config = {
'AADClientID': aad_client_id,
'AADClientCertThumbprint': aad_client_cert_thumbprint,
'KeyVaultURL': disk_encryption_keyvault_url,
'VolumeType': volume_type,
'EncryptionOperation': 'EnableEncryption',
'KeyEncryptionKeyURL': key_encryption_key,
'KeyEncryptionAlgorithm': key_encryption_algorithm,
'SequenceVersion': sequence_version,
}
private_config = {
'AADClientSecret':
aad_client_secret if is_linux else (aad_client_secret or '')
}
from azure.mgmt.compute.models import (VirtualMachineExtension,
DiskEncryptionSettings,
KeyVaultSecretReference,
KeyVaultKeyReference, SubResource)
ext = VirtualMachineExtension(
vm.location, # pylint: disable=no-member
publisher=extension['publisher'],
virtual_machine_extension_type=extension['name'],
protected_settings=private_config,
type_handler_version=extension['version'],
settings=public_config,
auto_upgrade_minor_version=True)
poller = compute_client.virtual_machine_extensions.create_or_update(
resource_group_name, vm_name, extension['name'], ext)
poller.result()
# verify the extension was ok
extension_result = compute_client.virtual_machine_extensions.get(
resource_group_name, vm_name, extension['name'], 'instanceView')
if extension_result.provisioning_state != 'Succeeded':
raise CLIError(
'Extension needed for disk encryption was not provisioned correctly'
)
if not (extension_result.instance_view.statuses
and extension_result.instance_view.statuses[0].message):
raise CLIError(
'Could not found url pointing to the secret for disk encryption')
# 3. update VM's storage profile with the secrets
status_url = extension_result.instance_view.statuses[0].message
vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
secret_ref = KeyVaultSecretReference(
secret_url=status_url,
source_vault=SubResource(disk_encryption_keyvault))
key_encryption_key_obj = None
if key_encryption_key:
key_encryption_key_obj = KeyVaultKeyReference(
key_encryption_key, SubResource(key_encryption_keyvault))
disk_encryption_settings = DiskEncryptionSettings(
disk_encryption_key=secret_ref,
key_encryption_key=key_encryption_key_obj,
enabled=True)
vm.storage_profile.os_disk.encryption_settings = disk_encryption_settings
set_vm(vm)
if is_linux and volume_type != _DATA_VOLUME_TYPE:
# TODO: expose a 'wait' command to do the monitor and handle the reboot
logger.warning(
"The encryption request was accepted. Please use 'show' command to monitor "
"the progress. If you see 'VMRestartPending', please restart the VM, and "
"the encryption will finish shortly")
def create_keyvault(client, # pylint: disable=too-many-locals
resource_group_name, vault_name, location=None, sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
enable_soft_delete=None,
no_self_perms=None,
tags=None):
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
from azure.cli.core._profile import Profile, CLOUD
from azure.graphrbac.models import GraphErrorException
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(
resource=CLOUD.endpoints.active_directory_graph_resource_id)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=CLOUD.endpoints.active_directory_graph_resource_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(keys=[KeyPermissions.get,
KeyPermissions.create,
KeyPermissions.delete,
KeyPermissions.list,
KeyPermissions.update,
KeyPermissions.import_enum,
KeyPermissions.backup,
KeyPermissions.restore,
KeyPermissions.recover],
secrets=[
SecretPermissions.get,
SecretPermissions.list,
SecretPermissions.set,
SecretPermissions.delete,
SecretPermissions.backup,
SecretPermissions.restore,
SecretPermissions.recover],
certificates=[
CertificatePermissions.get,
CertificatePermissions.list,
CertificatePermissions.delete,
CertificatePermissions.create,
CertificatePermissions.import_enum,
CertificatePermissions.update,
CertificatePermissions.managecontacts,
CertificatePermissions.getissuers,
CertificatePermissions.listissuers,
CertificatePermissions.setissuers,
CertificatePermissions.deleteissuers,
CertificatePermissions.manageissuers,
CertificatePermissions.recover],
storage=[
StoragePermissions.get,
StoragePermissions.list,
StoragePermissions.delete,
StoragePermissions.set,
StoragePermissions.update,
StoragePermissions.regeneratekey,
StoragePermissions.setsas,
StoragePermissions.listsas,
StoragePermissions.getsas,
StoragePermissions.deletesas])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)]
properties = VaultProperties(tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def update_streaming_endpoint(instance,
tags=None,
cross_domain_policy=None,
client_access_policy=None,
description=None,
max_cache_age=None,
ips=None,
disable_cdn=None,
cdn_provider=None,
cdn_profile=None,
custom_host_names=None):
if not instance:
raise CLIError('The streaming endpoint resource was not found.')
if ips is not None:
is_ips_argument_empty = len(ips) == 1 and ips[0] == ""
if is_ips_argument_empty:
if instance.access_control is not None and instance.access_control.ip is not None:
instance.access_control.ip = None
else:
if instance.access_control is None:
instance.access_control = StreamingEndpointAccessControl()
if instance.access_control.ip is None:
instance.access_control.ip = IPAccessControl(allow=[])
for ip in ips:
instance.access_control.ip.allow.append(
create_ip_range(instance.name, ip))
if instance.cross_site_access_policies is None:
instance.cross_site_access_policies = CrossSiteAccessPolicies()
if client_access_policy is not None:
if not client_access_policy:
instance.cross_site_access_policies.client_access_policy = None
else:
instance.cross_site_access_policies.client_access_policy = client_access_policy
if cross_domain_policy is not None:
if not cross_domain_policy:
instance.cross_site_access_policies.cross_domain_policy = None
else:
instance.cross_site_access_policies.cross_domain_policy = cross_domain_policy
if max_cache_age is not None:
instance.max_cache_age = max_cache_age
if tags is not None:
instance.tags = tags
if description is not None:
instance.description = description
if custom_host_names is not None:
is_custom_host_names_argument_empty = len(
custom_host_names) == 1 and custom_host_names[0] == ""
if is_custom_host_names_argument_empty:
instance.custom_host_names = []
else:
instance.custom_host_names = custom_host_names
if cdn_provider is not None:
instance.cdn_provider = cdn_provider
if cdn_profile is not None:
instance.cdn_profile = cdn_profile
if cdn_provider is not None or cdn_profile is not None:
if ips is None and instance.access_control is not None:
instance.access_control = None
instance.cdn_enabled = True
if disable_cdn is not None:
instance.cdn_enabled = not disable_cdn
return instance
