[#101030380] MicroBosh on Azure

.gitignore

@@ -1,5 +1,8 @@
 gce/ssh/
 aws/ssh/
 gce/account.json
+azure/credentials.publishsettings
 *.tfstate
 *.tfstate.backup
+azure/ssh_thumbprint
+generated.*

Makefile

@@ -12,9 +12,28 @@ set-aws:
 	$(eval dir=aws)
 set-gce:
 	$(eval dir=gce)
+set-azure:
+	$(eval dir=azure)
 
 aws: set-aws apply provision
 gce: set-gce apply provision
+azure: set-azure prepare-azure apply-azure provision
+
+prepare-azure: set-azure
+	@cd ${dir} && \
+	    ./azure-generate-account-settings.sh ${DEPLOY_ENV}
+	# Files generated by external scripts and read by terraform
+	@cd ${dir} && \
+	    touch \
+	    generated.cf-storage-account.key \
+	    generated.insecure-deployer.pem \
+	    generated.bosh-public-ip \
+	    generated.ssh_thumbprint
+
+apply-azure: set-azure
+	@cd ${dir} && \
+	    source generated.azure_account_settings.sh && \
+	    terraform apply -state=${DEPLOY_ENV}.tfstate -var env=${DEPLOY_ENV}
 
 apply-aws: set-aws apply
 apply-gce: set-gce apply
@@ -23,25 +42,33 @@ apply: check-env-vars
 
 provision-aws: set-aws provision
 provision-gce: set-gce provision
+provision-azure: set-azure provision
 provision: check-env-vars
 	@ssh -oStrictHostKeyChecking=no ubuntu@$(shell terraform output -state=${dir}/${DEPLOY_ENV}.tfstate bastion_ip) '/bin/bash provision.sh'
 
 bosh-delete-aws: set-aws bosh-delete
 bosh-delete-gce: set-gce bosh-delete
+bosh-delete-azure: set-azure bosh-delete
 bosh-delete:
 	@ssh -oStrictHostKeyChecking=no ubuntu@$(shell terraform output -state=${dir}/${DEPLOY_ENV}.tfstate bastion_ip) './`ls bosh-init-*` delete manifest_${dir}.yml'
 
+azure-clean:
+	@cd ${dir} && ./azure-delete-environment.sh ${DEPLOY_ENV}
+
 destroy-aws: set-aws destroy
 destroy-gce: set-gce destroy
+destroy-azure: set-azure azure-clean destroy
 destroy:
 	@cd ${dir} && terraform destroy -state=${DEPLOY_ENV}.tfstate -var env=${DEPLOY_ENV}
 
 show-aws: set-aws show
 show-gce: set-gce show
+show-azure: set-azure show
 show:
 	@cd ${dir} && terraform show ${DEPLOY_ENV}.tfstate
 
 ssh-aws: set-aws ssh
 ssh-gce: set-gce ssh
+ssh-azure: set-azure ssh
 ssh: check-env-vars
 	@ssh -oStrictHostKeyChecking=no ubuntu@$(shell terraform output -state=${dir}/${DEPLOY_ENV}.tfstate bastion_ip)

README.md

@@ -4,7 +4,7 @@ To provision a microbosh instance on AWS and GCE.
 
 In order to deploy a microbosh, it is necessary to first create subnets, security groups and static IP reservations which will be used by bosh-init when deploying the microbosh. We are using terraform to create these resources, along with a bastion host which will perform the actual `bosh-init` steps to create the microbosh.
 
-##Pre-requisites
+## Pre-requisites
 * You will need to be running ssh-agent and have performed an `ssh-add <deployer_key>` to make the credentials available for ssh to be able to connect into the bastion host
 * Make available the ssh directory inside aws and gce
 
@@ -18,7 +18,36 @@ gce/
         insecure-deployer
         insecure-deployer.pub
 ```
-* Provide `account.json` inside gce
+
+### GCE pre-requisites
+
+* Provide `account.json` inside gce, which must be downloaded from your google
+  compute dashboard.
+
+### Azure pre-requisites
+
+Tooling:
+
+ * You need to [install azure client](https://azure.microsoft.com/en-gb/documentation/articles/xplat-cli-install/) to be able to upload the SSH credentials (if you have [brew cask](http://caskroom.io/) `brew cask install azure`)
+ * You must login in azure client]: `azure login`
+
+> Note: it is recommended run `azure account clear` first to remove any previous accounts.
+
+Credentials:
+
+ * Download the azure credentials in `azure/credentials.publishsettings` manually [from here  https://manage.windowsazure.com/publishsettings] (the `azure account download` just sends you to this page).
+
+Restrictions:
+
+ * Your environment name must not contain special chars, only alphanumeric in lower case. This is because a restriction in the storage service resource:
+  ```
+* azure_storage_service.cf-storage: Failed to create Azure storage service hectorjimazure-cf-storage: Error response from Azure. Code: BadRequest, Message: The name is not a valid storage account name. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.
+```
+ * Do not login in azure using `azure import <credentialsfile>`. There is a bug and not all the values might be initialised.
+
+
+### AWS pre-requisites
+
 * Provide AWS access keys as environment variables, plus the corresponding terraform variables. Example in profile:
 
 ```

aws/ssh

@@ -0,0 +1 @@
+../ssh

azure/azure-acl-rule.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+SCRIPT_NAME=$0
+
+usage() {
+	cat <<EOF
+Usage:
+	$SCRIPT_NAME <azure_hostname> <endpoint_name> <base_priority> <permit|deny> <comma_list_cidr>
+
+Creates the given ACL rules in azure using 'azure-cli'. It implements logic to split
+the cidr by comma and add multiple rules.
+
+Note: base priority will be incremented as many CIDR addresses are given.
+
+EOF
+}
+
+if [  "$#" -lt 5 ]; then
+	usage
+	exit 1
+fi
+
+host=$1; shift
+endpoint=$1; shift
+priority=$1; shift
+action=$1; shift
+list_cidr=$1; shift
+
+IFS=','
+count=0
+for cidr in $list_cidr; do
+	echo "Executing 'azure vm endpoint acl-rule create $host $endpoint $((priority+count)) $action $cidr'"
+	azure vm endpoint acl-rule create $host $endpoint $((priority+count)) $action $cidr
+	count=$((count + 1))
+done
+
+azure vm endpoint acl-rule list $host $endpoint

azure/azure-create-network.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+	cat <<EOF
+Usage:
+	$0 <resource_group_name> <network_name> <network_cidr> <subnet_name> <subnet_cidr>
+
+Creates network and subnet for cloudfoundry
+
+Can be deleted with: "azure network vnet delete env-cf-hosted-service env-cf-network"
+EOF
+	exit 1
+fi
+
+resource_group_name=$1; shift
+network_name=$1; shift
+network_cidr=$1; shift
+subnet_name=$1; shift
+subnet_cidr=$1; shift
+
+azure config mode arm
+azure resource create \
+	${resource_group_name} \
+	${network_name} \
+	Microsoft.Network/virtualNetworks \
+	'West Europe' 2015-05-01-preview \
+	-p "{\"addressSpace\": {\"addressPrefixes\": [\"${network_cidr}\"]},\"subnets\": [{\"name\": \"${subnet_name}\",\"properties\" : { \"addressPrefix\": \"${subnet_cidr}\"}}]}"
+

azure/azure-create-public-ip.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+if [ $# -lt 2 ]; then
+	cat <<EOF
+Usage:
+	$0 <resource_group_name> <ip_name>
+
+Creates a public IP
+EOF
+	exit 1
+fi
+
+resource_group_name=$1; shift
+ip_name=$1; shift
+
+azure config mode arm
+azure resource create \
+     ${resource_group_name} \
+     ${ip_name} \
+     Microsoft.Network/publicIPAddresses \
+     "West Europe" 2015-05-01-preview \
+     -p "{\"publicIPAllocationMethod\":\"static\"}"
+
+sleep 5
+
+azure resource show \
+     ${resource_group_name} \
+     ${ip_name} \
+     Microsoft.Network/publicIPAddresses \
+     2015-05-01-preview | awk '/Property ipAddress/ {print $4}' | tee generated.${ip_name}
+
+echo "Created IP $(<generated.${ip_name}), stored in generated.${ip_name}"

azure/azure-create-service-principal.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]; then
+	cat <<EOF
+Usage:
+	$0 <deploy_env> <azure_subscription_id>
+
+Setups the application and service pricipal for bosh for the given environment.
+Granting the role of Contributor.
+
+Password must be pass as a environment variable: \$SERVICE_PASSWORD
+EOF
+	exit 1
+fi
+
+deploy_env=$1; shift
+azure_subscription_id=$1; shift
+
+azure config mode arm
+
+echo "Creating application resource in the active directory:"
+azure ad app create \
+    --name "Service Principal for BOSH - Environment: $deploy_env" \
+    --password "$SERVICE_PASSWORD" \
+    --home-page "http://BOSHAzureCPI-$deploy_env" \
+	--identifier-uris "http://BOSHAzureCPI-$deploy_env" | \
+		tee generated.active_directory_app_${deploy_env}_info.txt
+
+if [ ${PIPESTATUS[0]} != 0 ]; then
+    # Skip if it already exists
+    if grep -q 'Another object with the same value for property identifierUris already exists' ~/.azure/azure.err; then
+    	echo "The app already exists, skipping"
+    else
+	echo "Failed"
+	exit 1
+    fi
+fi
+
+application_id=$(cat generated.active_directory_app_${deploy_env}_info.txt | sed -n 's/.*Application Id: *\(.*\)$/\1/p')
+echo $application_id > generated.application_id
+echo "Created application 'http://BOSHAzureCPI-$deploy_env' with ID (this is your client_id): $application_id"
+
+echo "Creating Service principal for the created application $application_id"
+azure ad sp create $application_id || exit 1
+
+echo "Waiting for the orcs in Azure to manually create the resources we have just requested..."
+sleep 30
+
+echo "Assigning 'Contributor' role to application 'http://BOSHAzureCPI-$deploy_env'"
+azure role assignment create \
+	--spn "http://BOSHAzureCPI-$deploy_env" \
+	-o "Contributor" \
+	--subscription $azure_subscription_id || exit 1
+
+

azure/azure-create-storage-service.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+if [ $# -lt 3 ]; then
+	cat <<EOF
+Usage:
+	$0 <resource group name> <storage_account_name> <account_key_file>
+
+Will create a storage service name and store the credencials on the given file
+so they can be consumed by terraform
+EOF
+	exit 1
+fi
+
+resource_group_name=$1; shift
+storage_account_name=$1; shift
+account_key_file=$1; shift
+
+set -x
+
+azure config mode arm # Change azure client mode, needed to run `azure resource create`
+
+echo "Check if the account already exists"
+echo $resource_group_name | azure storage account show  $storage_account_name
+RET=$?
+
+if [ $RET != 0 ]; then
+	echo "Creating account"
+	azure resource create $resource_group_name $storage_account_name \
+		Microsoft.Storage/storageAccounts "West Europe" \
+		2015-05-01-preview \
+		-p "{\"accountType\":\"Standard_LRS\"}"
+	# Horrible workaround. It fails once with Error:null
+	if [ $? != 0 ] && grep 'Error: null' ~/.azure/azure.err; then
+		echo "Warning: Ignoring 'Error: null' error... The account gets created anyway"
+	else
+		exit 1
+	fi
+else
+	echo "Warning: $storage_account_name account already exists in  $storage_service_name. Not creating it."
+fi
+
+sleep 30
+echo "Retrieving the account key from the command line azure client"
+echo $resource_group_name | \
+	azure storage account keys list $storage_account_name --json > ${account_key_file}.json
+
+sed -n 's/.*"key1":.*"\(.*\)".*/\1/p' <  ${account_key_file}.json > $account_key_file || exit 1
+
+echo "Account $storage_account_name created, key in file $account_key_file."
+

azure/azure-create-vm.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ $# -lt 1 ]; then
+	cat <<EOF
+Usage:
+	$0 <resource_group> <vm_name> <storage_account_name> <ssh_public_key> <subscription_id> <network_name> <ip>
+
+Creates a new VM in a specified resource group."
+EOF
+	exit 1
+fi
+
+resource_group_name=$1; shift
+vm_name=$1; shift
+storage_account_name=$1; shift
+ssh_public_key=$1; shift
+subscription_id=$1; shift
+network_name=$1; shift
+ip=$1; shift
+
+echo "Check if the VM already exists"
+azure vm list --resource-group $resource_group_name | cat | grep $vm_name -q
+RET=$?
+
+if [ $RET != 0 ]; then
+	echo "Creating VM"
+	azure config mode arm
+  azure vm create --resource-group $resource_group_name \
+    --name $vm_name \
+    -l "West Europe" \
+    --image-urn Canonical:UbuntuServer:14.04.3-LTS:14.04.201508050 \
+    --vm-size Basic_A3 \
+    --storage-account-name $storage_account_name \
+    --os-type Linux \
+    --ssh-publickey-file $ssh_public_key \
+    -u ubuntu -p Password1* \
+    --nic-id /subscriptions/$subscription_id/resourceGroups/$resource_group_name/providers/Microsoft.Network/networkInterfaces/$network_name
+else
+	echo "Warning: $vm_name VM already exists in $resource_group_name. Not creating it."
+fi