IBM · rich-ehrhardt · Oct 21, 2022 · Oct 19, 2022 · Oct 20, 2022 · Oct 20, 2022
diff --git a/.github/workflows/verify-workflow.yaml b/.github/workflows/verify-workflow.yaml
@@ -32,14 +32,15 @@ jobs:
   verify:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/cloudnativetoolkit/cli-tools:v1.2-v2.1.3
+      image: quay.io/cloudnativetoolkit/cli-tools-azure:v1.2-v0.4.20
       options: --privileged --user root
 
     strategy:
       max-parallel: 2
       matrix:
         flavor:
           - quickstart
+          - standard
         dist:
           - aro
           - ipi
@@ -77,7 +78,7 @@ jobs:
           RANDOM_PREFIX=$(cat /dev/urandom | tr -dc '[:alpha:]' | tr '[:upper:]' '[:lower:]' | fold -w ${1:-5} | head -n 1)
           FLAVOR_CHAR=$(echo "${{ matrix.flavor }}" | fold -w ${1:-1} | head -n 1)
           STORAGE_CHAR=$(echo "${{ matrix.storage }}" | fold -w ${1:-1} | head -n 1)
-          echo "Building an ARO cluster"
+          echo "Building an ARO cluster in ${{ matrix.flavor }} architecture."
           ./setup-workspace.sh -f ${{ matrix.flavor }} -d ${{ matrix.dist }} -s ${{ matrix.storage }} -n "${FLAVOR_CHAR}${STORAGE_CHAR}-${RANDOM_PREFIX}" -r ${{ matrix.region }}
           cd ../workspaces/current
 
@@ -99,23 +100,31 @@ jobs:
           RANDOM_PREFIX=$(cat /dev/urandom | tr -dc '[:alpha:]' | tr '[:upper:]' '[:lower:]' | fold -w ${1:-5} | head -n 1)
           FLAVOR_CHAR=$(echo "${{ matrix.flavor }}" | fold -w ${1:-1} | head -n 1)
           STORAGE_CHAR=$(echo "${{ matrix.storage }}" | fold -w ${1:-1} | head -n 1)
-          echo "Building an IPI cluster"
-          ./setup-workspace.sh -f ${{ matrix.flavor }} -d ${{ matrix.dist }} -c ${{ matrix.certificate }} -s ${{ matrix.storage }} -n "${FLAVOR_CHAR}${STORAGE_CHAR}-${RANDOM_PREFIX}" -r ${{ matrix.region }} -g "github.com"
-          cd ../workspaces/current
-
-          echo ""
-          echo "*** Start terraform.tfvars ***"
-          cat cluster.tfvars
-          cat gitops.tfvars
-          echo "*** End terraform.tfvars ***"
-          echo ""
-
-          ./apply-all.sh -a
+          if [[ ${{ matrix.flavor }} == "quickstart" ]]; then
+            echo "Building an IPI cluster in ${{ matrix.flavor }} architecture."
+            ./setup-workspace.sh -f ${{ matrix.flavor }} -d ${{ matrix.dist }} -c ${{ matrix.certificate }} -s ${{ matrix.storage }} -n "${FLAVOR_CHAR}${STORAGE_CHAR}-${RANDOM_PREFIX}" -r ${{ matrix.region }} -g "github.com"
+            cd ../workspaces/current
+
+            echo ""
+            echo "*** Start terraform.tfvars ***"
+            cat cluster.tfvars
+            cat gitops.tfvars
+            echo "*** End terraform.tfvars ***"
+            echo ""
+
+            ./apply-all.sh -a
+          else
+            echo "Standard with IPI not currently supported"
+          fi
 
       - name: Terraform Destroy - ${{ matrix.flavor }},${{ matrix.storage }}
         if: ${{ always() }}
         run: |
-          cd ../workspaces/current
-          ./destroy-all.sh -a
+          if [[ -x "../workspaces/current/destroy-all.sh" ]]; then
+            cd ../workspaces/current
+            ./destroy-all.sh -a
+          else
+           echo "Nothing to destroy"
+          fi
 
 
diff --git a/1-quickstart/1-aro/README.md b/1-quickstart/1-aro/README.md
@@ -19,8 +19,8 @@ The automation is delivered in a number of layers that are applied in order. Lay
 </thead>
 <tbody>
 <tr>
-<td>105 - IBM VPC OpenShift</td>
-<td>This layer provisions the Azure infrastructure and OpenShift. It will create a new VNet and other networking components required to support the OpenShift cluster. An existing registered DNS zone for the required domain name is required (refer to prerequisites).</td>
+<td>105 - Azure ARO</td>
+<td>This layer provisions the Azure infrastructure and OpenShift. It will create a new VNet and other networking components required to support the OpenShift cluster. </td>
 <td>
 <h4>Network</h4>
 <ul>

diff --git a/1-quickstart/1-aro/architecture.png b/1-quickstart/1-aro/architecture.png
diff --git a/1-quickstart/1-aro/terragrunt.hcl b/1-quickstart/1-aro/terragrunt.hcl
@@ -21,7 +21,9 @@ retryable_errors = [
   "(?s).*Error.*timed out waiting for the condition.*",
   "(?s).*Error.*Error logging in to.*",
   "(?s).*Error creating repo.*",
-  "(?s).*Error: Kubernetes cluster unreachable.*"
+  "(?s).*Error: Kubernetes cluster unreachable.*",
+  "(?s).x509: certificate signed by unknown authority.*",
+  "(?s).argocd-bootstrap.sh.*"
 ]
 
 retry_sleep_interval_sec = 60

diff --git a/1-quickstart/2-ipi/terragrunt.hcl b/1-quickstart/2-ipi/terragrunt.hcl
@@ -21,7 +21,9 @@ retryable_errors = [
   "(?s).*Error.*timed out waiting for the condition.*",
   "(?s).*Error.*Error logging in to.*",
   "(?s).*Error creating repo.*",
-  "(?s).*read: connection reset by peer.*"
+  "(?s).*read: connection reset by peer.*",
+  "(?s).x509: certificate signed by unknown authority.*",
+  "(?s).argocd-bootstrap.sh.*"
 ]
 
 retry_sleep_interval_sec = 60

diff --git a/2-standard/1-aro/.mocks/mock/main.tf b/2-standard/1-aro/.mocks/mock/main.tf
diff --git a/2-standard/1-aro/.mocks/mock/terragrunt.hcl b/2-standard/1-aro/.mocks/mock/terragrunt.hcl
@@ -0,0 +1,3 @@
+include "root" {
+  path = find_in_parent_folders()
+}
diff --git a/2-standard/1-aro/101-azure-vnet-std/101-azure-vnet-std.auto.tfvars b/2-standard/1-aro/101-azure-vnet-std/101-azure-vnet-std.auto.tfvars
@@ -0,0 +1,18 @@
+## resource_group_name: The name of the resource group
+#resource_group_name=""
+
+## region: The Azure location where the resource group will be provisioned
+#region=""
+
+## subscription_id: the value of subscription_id
+#subscription_id=""
+
+## client_id: the value of client_id
+#client_id=""
+
+## client_secret: the value of client_secret
+#client_secret=""
+
+## tenant_id: the value of tenant_id
+#tenant_id=""
+
diff --git a/2-standard/1-aro/101-azure-vnet-std/apply.sh b/2-standard/1-aro/101-azure-vnet-std/apply.sh
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(cd $(dirname $0); pwd -P)
+
+VARIABLES_FILE="${1}"
+if [[ -z "${VARIABLES_FILE}" ]]; then
+  VARIABLES_FILE="variables.yaml"
+fi
+
+YQ=$(command -v yq4 || command -v yq)
+if [[ -z "${YQ}" ]] || [[ $(${YQ} --version | sed -E "s/.*version ([34]).*/\1/g") == "3" ]]; then
+  echo "yq v4 is required"
+  exit 1
+fi
+
+if ! command -v jq 1> /dev/null 2> /dev/null; then
+  echo "jq is required"
+  exit 1
+fi
+
+CREDENTIALS_PROPERTIES="credentials.properties"
+TERRAFORM_TFVARS="terraform/terraform.tfvars"
+
+if [[ -f "${TERRAFORM_TFVARS}" ]]; then
+  cp "${TERRAFORM_TFVARS}" "${TERRAFORM_TFVARS}.backup"
+  rm "${TERRAFORM_TFVARS}"
+fi
+
+if [[ -f "${CREDENTIALS_PROPERTIES}" ]]; then
+  cp "${CREDENTIALS_PROPERTIES}" "${CREDENTIALS_PROPERTIES}.backup"
+  rm "${CREDENTIALS_PROPERTIES}"
+fi
+touch "${CREDENTIALS_PROPERTIES}"
+
+if [[ ! -f "${VARIABLES_FILE}" ]]; then
+  echo "Variables can be provided in a yaml file passed as the first argument"
+  echo ""
+fi
+
+TMP_VARIABLES_FILE="${VARIABLES_FILE}.tmp"
+
+echo "variables: []" > ${TMP_VARIABLES_FILE}
+
+function process_variable () {
+  local name="$1"
+  local default_value="$2"
+  local sensitive="$3"
+  local description="$4"
+
+  local variable_name="TF_VAR_${name}"
+
+  environment_variable=$(env | grep "${variable_name}" | sed -E 's/.*=(.*).*/\1/g')
+  value="${environment_variable}"
+  if [[ -f "${VARIABLES_FILE}" ]]; then
+    value=$(cat "${VARIABLES_FILE}" | NAME="${name}" ${YQ} e -o json '.variables[] | select(.name == env(NAME)) | .value // ""' - | jq -c -r '.')
+    if [[ -z "${value}" ]]; then
+      value="${environment_variable}"
+    fi
+  fi
+
+  while [[ -z "${value}" ]]; do
+    echo "Provide a value for '${name}':"
+    if [[ -n "${description}" ]]; then
+      echo "  ${description}"
+    fi
+    sensitive_flag=""
+    if [[ "${sensitive}" == "true" ]]; then
+      sensitive_flag="-s"
+    fi
+    default_prompt=""
+    if [[ -n "${default_value}" ]]; then
+      default_prompt="(${default_value}) "
+    fi
+    read -u 1 ${sensitive_flag} -p "> ${default_prompt}" value
+    value=${value:-$default_value}
+  done
+
+  output_value=$(echo "${value}" | sed 's/"/\\"/g')
+
+  if [[ "${sensitive}" != "true" ]]; then
+    echo "${name} = \"${output_value}\"" >> "${TERRAFORM_TFVARS}"
+    NAME="${name}" VALUE="${value}" ${YQ} e -i -P '.variables += [{"name": env(NAME), "value": env(VALUE)}]' "${TMP_VARIABLES_FILE}"
+  else
+    echo "export ${name}=\"${output_value}\"" >> "${CREDENTIALS_PROPERTIES}"
+  fi
+}
+
+cat "bom.yaml" | ${YQ} e '.spec.variables[] | .name' - | while read name; do
+  variable=$(cat "bom.yaml" | NAME="${name}" ${YQ} e '.spec.variables[] | select(.name == env(NAME))' -)
+
+  default_value=$(echo "${variable}" | ${YQ} e -o json '.defaultValue // ""' - | jq -c -r '.')
+  sensitive=$(echo "${variable}" | ${YQ} e '.sensitive // false' -)
+  description=$(echo "${variable}" | ${YQ} e '.description // ""' -)
+
+  process_variable "${name}" "${default_value}" "${sensitive}" "${description}"
+done
+
+cat "${VARIABLES_FILE}" | ${YQ} e '.variables[]' -o json - | jq -c '.' | while read var; do
+  name=$(echo "${var}" | jq -r '.name')
+
+  value=$(echo "${var}" | jq -r '.value // empty')
+  sensitive=$(echo "${var}" | jq -r '.sensitive')
+
+  bom_var=$(cat bom.yaml | ${YQ} e '.spec.variables[]' -o json - | jq --arg NAME "${name}" -c 'select(.name == $NAME)')
+
+  if [[ -z "${bom_var}" ]]; then
+    process_variable "${name}" "${value}" "${sensitive}" ""
+  fi
+done
+
+cp "${TMP_VARIABLES_FILE}" "${VARIABLES_FILE}"
+rm "${TMP_VARIABLES_FILE}"
+
+source credentials.properties
+
+cd terraform
+terraform init
+terraform apply
diff --git a/2-standard/1-aro/101-azure-vnet-std/bom.yaml b/2-standard/1-aro/101-azure-vnet-std/bom.yaml
@@ -0,0 +1,129 @@
+apiVersion: cloud.ibm.com/v1alpha1
+kind: BillOfMaterial
+metadata:
+  name: 101-azure-vnet-std
+  labels:
+    type: infrastructure
+    platform: azure
+    code: '101'
+  annotations:
+    displayName: Azure VNet
+    description: Azure base infrastructure for OpenShift standard architecture
+    vpn/required: false
+spec:
+  modules:
+    - name: azure-resource-group
+      alias: resource_group
+      version: v1.1.1
+    - name: azure-vnet
+      alias: vnet
+      version: v1.1.3
+      variables:
+        - name: address_prefixes
+          value:
+            - 10.0.0.0/20
+    - name: azure-vnet-subnets
+      alias: master_subnet
+      version: v1.3.9
+      default: true
+      variables:
+        - name: label
+          value: master
+        - name: ipv4_cidr_blocks
+          value:
+            - 10.0.1.0/24
+        - name: service_endpoints
+          value:
+            - Microsoft.ContainerRegistry
+            - Microsoft.Storage
+        - name: disable_private_link_endpoint_network_policies
+          value: true
+        - name: disable_private_link_service_network_policies
+          value: true
+    - name: azure-vnet-subnets
+      alias: worker_subnet
+      version: v1.3.9
+      variables:
+        - name: label
+          value: worker
+        - name: ipv4_cidr_blocks
+          value:
+            - 10.0.2.0/24
+        - name: service_endpoints
+          value:
+            - Microsoft.ContainerRegistry
+            - Microsoft.Storage
+    - name: azure-vnet-subnets
+      alias: ingress_subnet
+      version: v1.3.9
+      variables:
+        - name: label
+          value: ingress
+        - name: ipv4_cidr_blocks
+          value:
+            - 10.0.3.0/24
+    - name: azure-nsg
+      alias: nsg
+      version: v1.0.5
+      variables:
+        - name: acl_rules
+          value:
+            - name: ssh-inbound
+              priority: '101'
+              access: Allow
+              protocol: Tcp
+              direction: Inbound
+              source_addr: '*'
+              destination_addr: '*'
+              source_ports: '*'
+              destination_ports: '22'
+            - name: vpn-inbound-tcp
+              priority: '102'
+              access: Allow
+              protocol: Tcp
+              direction: Inbound
+              source_addr: '*'
+              destination_addr: '*'
+              source_ports: '*'
+              destination_ports: '443'
+            - name: vpn-inbound-udp
+              priority: '103'
+              access: Allow
+              protocol: Udp
+              direction: Inbound
+              source_addr: '*'
+              destination_addr: '*'
+              source_ports: '*'
+              destination_ports: '1194'
+      dependencies:
+        - name: subnets
+          ref: ingress_subnet
+    - name: azure-ssh-key
+      alias: ssh-keys
+      version: v1.0.6
+    - name: azure-vpn-server
+      alias: vpn-server
+      version: v1.0.1
+      variables:
+        - name: private_network_cidrs
+          value:
+            - 10.0.0.0/20
+      dependencies:
+        - name: subnet
+          ref: ingress_subnet
+  variables:
+    - name: resource_group_name
+      type: string
+      description: The name of the resource group
+    - name: region
+      type: string
+      description: The Azure location where the resource group will be provisioned
+    - name: subscription_id
+      type: string
+    - name: client_id
+      type: string
+    - name: client_secret
+      type: string
+      sensitive: true
+    - name: tenant_id
+      type: string