Azure · super-harsh · Aug 15, 2024 · Aug 6, 2024 · Aug 8, 2024 · Aug 9, 2024
@@ -19,14 +19,28 @@ import (
 	"github.com/Azure/azure-service-operator/v2/internal/genericarmclient"
 	. "github.com/Azure/azure-service-operator/v2/internal/logging"
 	"github.com/Azure/azure-service-operator/v2/internal/resolver"
+	"github.com/Azure/azure-service-operator/v2/internal/set"
 	"github.com/Azure/azure-service-operator/v2/internal/util/to"
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime"
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime/extensions"
 )
 
 var _ extensions.PostReconciliationChecker = &BackupVaultsBackupInstanceExtension{}
 
-var protectionError = "ProtectionError"
+// These are the states on which there's no future change possible, hence best to return PostReconcileCheck success on them.
+// Then further we let Operator decide what condition to put on the resource.
+var terminalStates = set.Make(
+	"configuringprotectionfailed",
+	"invalid",
+	"notprotected",
+	"protectionconfigured",
+	"softdeleted",
+	"protectionstopped",
+	"backupschedulessuspended",
+	"retentionschedulessuspended",
+)
+
+var protectionError = "protectionerror"
 
 const (
 	BackupInstancePollerResumeTokenAnnotation = "serviceoperator.azure.com/bi-poller-resume-token"
@@ -80,69 +94,73 @@ func (extension *BackupVaultsBackupInstanceExtension) PostReconcileCheck(
 	}
 
 	protectionStatus := *backupInstance.Status.Properties.ProtectionStatus.Status
+	protectionStatus = strings.ToLower(protectionStatus)
 	log.V(Debug).Info(fmt.Sprintf("Protection Status is  %q", protectionStatus))
 
-	// We only want to continue if protectionStatus == ProtectionError.
-	if !strings.EqualFold(protectionStatus, protectionError) {
+	// Return success if the status is in a terminal state
+	if terminalStates.Contains(protectionStatus) {
 		log.V(Debug).Info("Returning PostReconcileCheckResultSuccess")
 		return next(ctx, obj, owner, resolver, armClient, log)
 	}
 
-	// call sync api only when protection status is ProtectionError and error code is usererror
-	var protectionStatusErrorCode string
-	protectionStatusErrorCode = strings.ToLower(*backupInstance.Status.Properties.ProtectionStatus.ErrorDetails.Code)
-	log.V(Debug).Info(fmt.Sprintf("Protection Error code is  %q", protectionStatusErrorCode))
+	if protectionStatus == protectionError {
+		// call sync api only when protection status is ProtectionError and error code is usererror
+		var protectionStatusErrorCode string
+		protectionStatusErrorCode = strings.ToLower(*backupInstance.Status.Properties.ProtectionStatus.ErrorDetails.Code)
+		log.V(Debug).Info(fmt.Sprintf("Protection Error code is  %q", protectionStatusErrorCode))
 
-	if protectionStatusErrorCode != "" && strings.Contains(protectionStatusErrorCode, "usererror") {
-		id, _ := genruntime.GetAndParseResourceID(backupInstance)
-		subscription := id.SubscriptionID
-		rg := id.ResourceGroupName
-		vaultName := id.Parent.Name
+		if strings.Contains(protectionStatusErrorCode, "usererror") {
+			id, _ := genruntime.GetAndParseResourceID(backupInstance)
+			subscription := id.SubscriptionID
+			rg := id.ResourceGroupName
+			vaultName := id.Parent.Name
 
-		clientFactory, err := armdataprotection.NewClientFactory(subscription, armClient.Creds(), armClient.ClientOptions())
-		if err != nil {
-			return extensions.PostReconcileCheckResultFailure("failed to create armdataprotection client"), err
-		}
+			clientFactory, err := armdataprotection.NewClientFactory(subscription, armClient.Creds(), armClient.ClientOptions())
+			if err != nil {
+				return extensions.PostReconcileCheckResultFailure("failed to create armdataprotection client"), err
+			}
 
-		var parameters armdataprotection.SyncBackupInstanceRequest
-		parameters.SyncType = to.Ptr(armdataprotection.SyncTypeDefault)
+			var parameters armdataprotection.SyncBackupInstanceRequest
+			parameters.SyncType = to.Ptr(armdataprotection.SyncTypeDefault)
 
-		// get the resume token from the resource
-		pollerResumeToken, _ := GetPollerResumeToken(obj, log)
+			// get the resume token from the resource
+			pollerResumeToken, _ := GetPollerResumeToken(obj, log)
 
-		// BeginSyncBackupInstance is in-progress - poller resume token is available
-		log.V(Debug).Info("Starting BeginSyncBackupInstance")
+			// BeginSyncBackupInstance is in-progress - poller resume token is available
+			log.V(Debug).Info("Starting BeginSyncBackupInstance")
 
-		poller, err := clientFactory.NewBackupInstancesClient().BeginSyncBackupInstance(ctx, rg, vaultName, backupInstance.AzureName(), parameters, &armdataprotection.BackupInstancesClientBeginSyncBackupInstanceOptions{
-			ResumeToken: pollerResumeToken,
-		})
-		if err != nil {
-			return extensions.PostReconcileCheckResultFailure("Failed Polling for BeginSyncBackupInstance to get the result"), err
-		}
+			poller, err := clientFactory.NewBackupInstancesClient().BeginSyncBackupInstance(ctx, rg, vaultName, backupInstance.AzureName(), parameters, &armdataprotection.BackupInstancesClientBeginSyncBackupInstanceOptions{
+				ResumeToken: pollerResumeToken,
+			})
+			if err != nil {
+				return extensions.PostReconcileCheckResultFailure("Failed Polling for BeginSyncBackupInstance to get the result"), err
+			}
 
-		if pollerResumeToken == "" {
-			resumeToken, resumeTokenErr := poller.ResumeToken()
-			if resumeTokenErr != nil {
-				return extensions.PostReconcileCheckResultFailure("couldn't create PUT resume token for resource"), resumeTokenErr
-			} else {
-				SetPollerResumeToken(obj, resumeToken, log)
+			if pollerResumeToken == "" {
+				resumeToken, resumeTokenErr := poller.ResumeToken()
+				if resumeTokenErr != nil {
+					return extensions.PostReconcileCheckResultFailure("couldn't create PUT resume token for resource"), resumeTokenErr
+				} else {
+					SetPollerResumeToken(obj, resumeToken, log)
+				}
 			}
-		}
 
-		_, pollErr := poller.Poll(ctx)
-		if pollErr != nil {
-			return extensions.PostReconcileCheckResultFailure("couldn't create PUT resume token for resource"), pollErr
-		}
+			_, pollErr := poller.Poll(ctx)
+			if pollErr != nil {
+				return extensions.PostReconcileCheckResultFailure("couldn't create PUT resume token for resource"), pollErr
+			}
 
-		if poller.Done() {
-			log.V(Debug).Info("Polling is completed")
-			ClearPollerResumeToken(obj, log)
-			_, err := poller.Result(ctx)
-			if err != nil {
-				return extensions.PostReconcileCheckResultFailure("couldn't create PUT resume token for resource"), err
+			if poller.Done() {
+				log.V(Debug).Info("Polling is completed")
+				ClearPollerResumeToken(obj, log)
+				_, err := poller.Result(ctx)
+				if err != nil {
+					return extensions.PostReconcileCheckResultFailure("couldn't create PUT resume token for resource"), err
+				}
 			}
+			log.V(Debug).Info("Polling is in-progress")
 		}
-		log.V(Debug).Info("Polling is in-progress")
 	}
+
 	return extensions.PostReconcileCheckResultFailure("Backup Instance is in non terminal state"), nil
 }
@@ -32,7 +32,7 @@ func Test_DataProtection_BackupInstance_20231101_CRUD(t *testing.T) {
 	// Create a test resource group and wait until the operation is completed, where the globalTestContext is a global object that provides the necessary context and utilities for testing.
 	tc := globalTestContext.ForTest(t)
 	rg := tc.CreateTestResourceGroupAndWait()
-	contributorRoleId := fmt.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", tc.AzureSubscription)
+	contributorRoleId := fmt.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", tc.AzureSubscription)
 	readerRoleId := fmt.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", tc.AzureSubscription)
 	saContributorRoleId := fmt.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", tc.AzureSubscription)
 
@@ -56,11 +56,13 @@ func Test_DataProtection_BackupInstance_20231101_CRUD(t *testing.T) {
 		},
 	}
 
-	backupPolicy := newBackupPolicy20231101(tc, backupVault, "asotestbackuppolicy")
+	backupPolicy := newBackupPolicy20231101(tc, backupVault, "asotestbp")
 
 	// create storage account and blob container
 
 	acct := newStorageAccount(tc, rg)
+	// Not allowed by the policy anymore. Will need to update the storage account and respective tests
+	acct.Spec.AllowBlobPublicAccess = to.Ptr(false)
 
 	blobService := &storage.StorageAccountsBlobService{
 		ObjectMeta: tc.MakeObjectMeta("blobservice"),