#!/bin/bash

confighost()
{
  # Placeholder for per-host configuration; intentionally does nothing yet
  # and always succeeds so callers can wire it in ahead of time.
  return 0
}

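mksecrets()
{
  # Create the DB root secret in vault doldbadmin and the DB app secret in
  # vault doldbapp when they do not exist yet.  Reads the globals dbrootname,
  # dbrootsecret, dbappname and dbappsecret.  Exits the script non-zero if the
  # root secret cannot be written; returns non-zero if the app secret cannot.
  # -x/-F match the whole secret name literally instead of as a regex substring.
  if ! az keyvault secret list --vault-name doldbadmin --query '[].name' -o tsv \
       | grep -qixF -- "${dbrootname}"
  then
    echo "Creating ${dbrootname} secret in doldbadmin"
    # The value is passed on the command line and is therefore visible in the
    # process list for the duration of the call.
    az keyvault secret set --vault-name doldbadmin -n "${dbrootname}" \
      --value "${dbrootsecret}" -o none || exit 1
  fi
  if az keyvault secret list --vault-name doldbapp --query '[].name' -o tsv \
       | grep -qixF -- "${dbappname}"
  then
    return 0
  fi
  echo "Creating ${dbappname} secret in doldbapp"
  az keyvault secret set --vault-name doldbapp -n "${dbappname}" \
    --value "${dbappsecret}" -o none
}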

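mkkv()
{
  # Create each key vault named in the global array kvnames inside rgname if
  # it is not already present, then allow access only from the vms and db
  # subnets of vnetid plus myip.  Exits the script non-zero on any failed az
  # call; returns 0 otherwise.
  local kv
  for kv in "${kvnames[@]}"
  do
    if ! az keyvault list -g "${rgname}" --query '[].name' -o tsv \
         | grep -qixF -- "${kv}"
    then
      echo "Creating keyvault: ${kv}"
      # --default-action Deny: nothing reaches the vault until the network
      # rules below have been added.
      az keyvault create -n "${kv}" -g "${rgname}" \
        --default-action Deny \
        --retention-days 7 -o none || exit 1
      az keyvault network-rule add -n "${kv}" -g "${rgname}" \
        --subnet "${vnetid}/subnets/vms" \
        --ip-address "${myip}" -o none || exit 1
      az keyvault network-rule add -n "${kv}" -g "${rgname}" \
        --subnet "${vnetid}/subnets/db" -o none || exit 1
    fi
  done
  return 0
}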

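mkrg()
{
  # Create resource group rgname (global) in centralus if it is not listed yet.
  # Returns the status of `az group create`, or 0 when the group already exists.
  # -x/-F: an exact-name match, so rgname is not mistaken for a group whose
  # name merely contains it.
  if az group list --query '[].name' -o tsv | grep -qixF -- "${rgname}"
  then
    return 0
  fi
  echo "Creating RG: ${rgname}"
  az group create -l centralus --name "${rgname}" --tags env=mpitest -o none
}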

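mknsg()
{
  # Create the network security group nsgname (global) in rgname and two
  # inbound Tcp allow rules, ssh_from_home (22) and mysql_from_home (3306),
  # both restricted to the source prefix myip/32.  Steps whose object already
  # exists are skipped.  Returns non-zero if any az call fails.
  if ! az network nsg list -g "${rgname}" --query '[].name' -o tsv \
       | grep -qixF -- "${nsgname}"
  then
    echo "Creating nsg: ${nsgname}"
    az network nsg create --name "${nsgname}" -g "${rgname}" \
      --location centralus -o none || return 1
  fi

  # An empty myip would turn the source prefix into "/32"; refuse to continue.
  if [[ -z "${myip}" ]]
  then
    echo "mknsg: myip is empty; refusing to create NSG rules" >&2
    return 1
  fi
  _mknsg_rule ssh_from_home 150 22 'Allow ssh from home' || return 1
  _mknsg_rule mysql_from_home 155 3306 'Allow mysql from home' || return 1
  return 0
}

_mknsg_rule()
{
  # Create one inbound Tcp allow rule on nsgname from myip/32 if it is missing.
  # Arguments: $1 rule name, $2 priority, $3 destination port, $4 description.
  # Returns the status of `az network nsg rule create`, or 0 if it exists.
  local name=$1 priority=$2 port=$3 description=$4
  if az network nsg rule list -g "${rgname}" --nsg-name "${nsgname}" \
       --query '[].name' -o tsv | grep -qixF -- "${name}"
  then
    return 0
  fi
  echo "Creating NSG rule: ${name}"
  az network nsg rule create -n "${name}" --nsg-name "${nsgname}" \
    -g "${rgname}" --priority "${priority}" \
    --source-address-prefixes "${myip}/32" \
    --destination-port-ranges "${port}" --access Allow --protocol Tcp \
    --description "${description}" -o none
}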

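mkvnet()
{
  # Create the virtual network `vnet` (global, 10.0.0.0/16) in rgname and its
  # two subnets, vms (10.0.0.0/24) and db (10.0.1.0/24), each bound to nsgname
  # and given the Microsoft.Storage/Microsoft.KeyVault service endpoints.
  # Existing objects are left untouched.  Returns non-zero if any az call fails.
  if ! az network vnet list -g "${rgname}" --query '[].name' -o tsv \
       | grep -qixF -- "${vnet}"
  then
    echo "Creating vnet: ${vnet}"
    az network vnet create -g "${rgname}" -n "${vnet}" \
      --address-prefix 10.0.0.0/16 -o none || return 1
  fi
  _mkvnet_subnet vms 10.0.0.0/24 || return 1
  _mkvnet_subnet db 10.0.1.0/24 || return 1
  return 0
}

_mkvnet_subnet()
{
  # Create subnet $1 with address prefix $2 in vnet/rgname if it is missing,
  # then attach nsgname and the Storage/KeyVault service endpoints.
  # -x/-F: exact-name match, so "db" is not satisfied by some other subnet
  # whose name merely contains "db".
  local name=$1 prefix=$2
  if az network vnet subnet list -g "${rgname}" --vnet-name "${vnet}" \
       --query '[].name' -o tsv | grep -qixF -- "${name}"
  then
    return 0
  fi
  echo "Creating subnet: ${name}"
  az network vnet subnet create -g "${rgname}" -n "${name}" --vnet-name "${vnet}" \
    --address-prefixes "${prefix}" -o none || return 1
  az network vnet subnet update --vnet-name "${vnet}" -g "${rgname}" -n "${name}" \
    --network-security-group "${nsgname}" \
    --service-endpoints Microsoft.Storage Microsoft.KeyVault \
    -o none
}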

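mksa()
{
  # Create storage account saname (global) in rgname if it is missing, restrict
  # it to myip plus the snets subnets of vnetid, then mint a 12-hour blob SAS
  # and store it in ../src/token and in the global `t` (consumed by mkblob).
  # Exits the script non-zero if the account or its network rules cannot be
  # created; returns 1 if the SAS cannot be generated or saved, 0 otherwise.
  local s end
  if ! az storage account list -g "${rgname}" --query '[].name' -o tsv \
       | grep -qixF -- "${saname}"
  then
    echo "Creating storage account: ${saname}"
    # NOTE(review): --allow-blob-public-access true permits containers to be
    # switched to anonymous read later; confirm that is intended given that
    # access below is SAS-based.
    az storage account create -g "${rgname}" -n "${saname}" \
      --encryption-services table \
      --access-tier hot -k true -q Account -l centralus \
      --allow-blob-public-access true --sku Standard_LRS \
      --kind StorageV2 --https-only true \
      --min-tls-version TLS1_2 --public-network-access Enabled \
      --tags env=test -i false \
      --output none || exit 1
    echo "Setting ip and subnet restrictions"
    az storage account network-rule add -g "${rgname}" \
      -n "${saname}" --ip-address "${myip}" --output none || exit 1
    for s in "${snets[@]}"
    do
      az storage account network-rule add -g "${rgname}" \
        -n "${saname}" --subnet "${vnetid}/subnets/${s}" -o none || exit 1
    done
    # Switch to deny-by-default only after the allow rules exist, so this host
    # is not locked out of the account it just created.
    az storage account update -g "${rgname}" -n "${saname}" \
      --default-action Deny --output none || exit 1
  # echo "... sleeping a few to let storage account settle"
  # sleep 10
  fi

  # create SAS token for saname, valid 12 hours.  The expiry format carries a
  # "Z" suffix, so compute it in UTC; BSD date (-v) first, GNU date (-d) as
  # fallback.
  echo "Creating SAS token"
  end=$(date -u -v+12H '+%Y-%m-%dT%H:%MZ' 2>/dev/null) \
    || end=$(date -u -d '+12 hours' '+%Y-%m-%dT%H:%MZ') \
    || return 1
  # `t` is deliberately global: mkblob appends it to the container URL.
  # -o tsv yields the bare token, so no quote stripping is needed; errors are
  # no longer discarded so a failed call does not leave an empty token file.
  t=$(az storage account generate-sas --permissions cdlruwap \
        --account-name "${saname}" --services b --resource-types sco \
        --expiry "${end}" -o tsv) || return 1
  if [[ -z "${t}" ]]
  then
    echo "mksa: empty SAS token returned for ${saname}" >&2
    return 1
  fi
  # The token grants write access to the account: keep the file owner-only
  # and do not echo the token itself to the terminal or logs.
  ( umask 077; printf '%s\n' "${t}" > ../src/token ) || return 1
  chmod 600 ../src/token || return 1
  # update custom data
  # perl -i -nle 'print unless (/export token/)' ../src/cdata
  # echo "echo export token='${t}' >> /home/dkoleary/.bashrc" >> ../src/cdata
  echo "SAS token written to ../src/token (expires ${end})"

  return 0
}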

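mkvm()
{
  # Create VM vmname (global) in rgname on subnet vms of vnet if it does not
  # exist, with a system-assigned identity, then grant that identity get/list
  # on the secrets of every vault in kvnames and Storage Blob Data Reader on
  # the storage account (said).  Exits the script non-zero if a key-vault
  # policy update fails; returns non-zero on the other failures.
  local mgid k
  if ! az vm list -g "${rgname}" --query '[].name' -o tsv \
       | grep -qixF -- "${vmname}"
  then
    echo "Creating vm: ${vmname}"
    # '[system]' must be quoted: unquoted it is a glob that can expand to a
    # single-letter file name in the current directory.
    # NOTE(review): --role Contributor on the storage account is much broader
    # than the Storage Blob Data Reader assignment made below; confirm the VM
    # identity actually needs it.
    az vm create -g "${rgname}" -n "${vmname}" \
      --image "${vmimage}" --admin-username dkoleary \
      --ssh-key-values "${HOME}/.ssh/id_rsa.pub" \
      --vnet-name "${vnet}" --subnet vms --size "${vmsize}" \
      --custom-data ../src/cdata -o none \
      --public-ip-address-allocation static \
      --assign-identity '[system]' --scope "${said}" \
      --role Contributor || return 1
  fi
  echo "Updating privs for ${vmname} to ${kvnames[*]}"
  mgid=$(az vm show -g "${rgname}" -n "${vmname}" \
           --query identity.principalId -o tsv) || return 1
  if [[ -z "${mgid}" ]]
  then
    echo "mkvm: ${vmname} has no managed identity principalId" >&2
    return 1
  fi
  for k in "${kvnames[@]}"
  do
    az keyvault set-policy --name "${k}" --object-id "${mgid}" \
      --secret-permissions get list -o none || exit 1
  done
  echo "Updating privs for ${vmname} on ${saname}"
  az role assignment create --assignee "${mgid}" --role "Storage Blob Data Reader" \
    --scope "${said}" -o none
}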

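mkblob()
{
  # Create container `blob` (global) under `base` using the SAS token in the
  # global `t` (set by mksa), then upload ../src/* into it.  Returns non-zero
  # if either azcopy step fails.  The URL must be quoted: the "?" before the
  # token is otherwise a glob character.  The SAS is visible in the process
  # argument list while azcopy runs.
  local url="${base}/${blob}?${t}"
  echo "Creating blob: ${blob}"
  azcopy make "${url}" || return 1

  echo "Copying dbaccess related files:"
  azcopy copy '../src/*' "${url}" --follow-symlinks --put-md5 \
     --disable-auto-decoding=false --log-level=INFO
}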

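rgname=dbaccess
nsgname=home
vnet=dbnet
snets=(vms db)
vmname=ub0x001
vmsize=Standard_B2s
vmimage=Ubuntu2204
subid='413bdb96-713e-4a35-b648-d61a850402e2'
saname=sa0x003
blob=dbaccess  # rename to container
kvnames=(doldbadmin doldbapp)
# Public IPv4 of this host, used for the NSG, key-vault and storage allow
# rules.  Abort if the lookup fails or does not look like an IPv4 address,
# otherwise those rules would be built from an empty or bogus prefix.
myip=$(curl -fsS ipv4.icanhazip.com) || { echo "could not determine public IP" >&2; exit 1; }
if ! [[ "${myip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
then
  echo "unexpected public IP value: ${myip}" >&2
  exit 1
fi
base=https://${saname}.blob.core.windows.net
said="/subscriptions/${subid}/resourceGroups/${rgname}/providers/Microsoft.Storage/storageAccounts/${saname}"
vnetid="/subscriptions/${subid}/resourceGroups/${rgname}/providers/Microsoft.Network/virtualNetworks/${vnet}"
dbrootname=dbroot
dbappname=appid
# Secret values are supplied by the operator through the environment rather
# than committed with the script; the :? expansion aborts with a message when
# either is unset or empty.
dbrootsecret=${DBROOT_SECRET:?DBROOT_SECRET (db root password) must be set in the environment}
dbappsecret=${DBAPP_SECRET:?DBAPP_SECRET (db app password) must be set in the environment}

export AZCOPY_CRED_TYPE=Anonymous
export AZCOPY_CONCURRENCY_VALUE=AUTO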

# Build everything in dependency order; stop at the first failing step and
# propagate its exit status.
steps=(mkrg mknsg mkvnet mkkv mksecrets mksa mkvm mkblob)
for step in "${steps[@]}"
do
  "${step}" || exit
done

# List ips:
az vm list-ip-addresses --query "[].{
  VMName:virtualMachine.name, 
  PublicIP:virtualMachine.network.publicIpAddresses[0].ipAddress}" \
  -o table

