assign scaleset to a role (#185)

Author: chkeita

src/deployment/deploy.py

@@ -12,18 +12,20 @@
 import subprocess
 import sys
 import tempfile
+import time
 import uuid
 import zipfile
 from datetime import datetime, timedelta
 
-from azure.cli.core import CLIError
 from azure.common.client_factory import get_client_from_cli_profile
 from azure.common.credentials import get_cli_profile
 from azure.core.exceptions import ResourceExistsError
 from azure.cosmosdb.table.tableservice import TableService
 from azure.graphrbac import GraphRbacManagementClient
 from azure.graphrbac.models import (
+    Application,
     ApplicationCreateParameters,
+    ApplicationUpdateParameters,
     AppRole,
     GraphErrorException,
     OptionalClaims,
@@ -48,7 +50,6 @@
     DeploymentMode,
     DeploymentProperties,
 )
-import time
 from azure.mgmt.storage import StorageManagementClient
 from azure.storage.blob import (
     BlobServiceClient,
@@ -59,12 +60,12 @@
 from msrest.serialization import TZ_UTC
 
 from data_migration import migrate
-from register_pool_application import (
+from registration import (
     add_application_password,
     authorize_application,
     get_application,
     register_application,
-    update_registration,
+    update_pool_registration,
 )
 
 USER_IMPERSONATION = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
@@ -225,12 +226,11 @@ def create_password(self, object_id):
         while True:
             time.sleep(wait)
             count += 1
-            try:
-                return add_application_password(object_id)
-            except CLIError as err:
-                if count > timeout_seconds/wait:
-                    raise err
-            logger.info("creating password failed, trying again")
+            password = add_application_password(object_id)
+            if password:
+                return password
+            if count > timeout_seconds/wait:
+                raise Exception("creating password failed, trying again")
 
     def setup_rbac(self):
         """
@@ -256,6 +256,25 @@ def setup_rbac(self):
             logger.error("unable to query RBAC. Provide client_id and client_secret")
             sys.exit(1)
 
+        app_roles = [
+            AppRole(
+                allowed_member_types=["Application"],
+                display_name="CliClient",
+                id=str(uuid.uuid4()),
+                is_enabled=True,
+                description="Allows access from the CLI.",
+                value="CliClient",
+            ),
+            AppRole(
+                allowed_member_types=["Application"],
+                display_name="ManagedNode",
+                id=str(uuid.uuid4()),
+                is_enabled=True,
+                description="Allow access from a lab machine.",
+                value="ManagedNode",
+            ),
+        ]
+
         if not existing:
             logger.info("creating Application registration")
             url = "https://%s.azurewebsites.net" % self.application_name
@@ -273,24 +292,7 @@ def setup_rbac(self):
                         resource_app_id="00000002-0000-0000-c000-000000000000",
                     )
                 ],
-                app_roles=[
-                    AppRole(
-                        allowed_member_types=["Application"],
-                        display_name="CliClient",
-                        id=str(uuid.uuid4()),
-                        is_enabled=True,
-                        description="Allows access from the CLI.",
-                        value="CliClient",
-                    ),
-                    AppRole(
-                        allowed_member_types=["Application"],
-                        display_name="LabMachine",
-                        id=str(uuid.uuid4()),
-                        is_enabled=True,
-                        description="Allow access from a lab machine.",
-                        value="LabMachine",
-                    ),
-                ],
+                app_roles=app_roles,
             )
             app = client.applications.create(params)
 
@@ -303,7 +305,27 @@ def setup_rbac(self):
             )
             client.service_principals.create(service_principal_params)
         else:
-            app = existing[0]
+            app: Application = existing[0]
+            existing_role_values = [app_role.value for app_role in app.app_roles]
+            has_missing_roles = any(
+                [role.value not in existing_role_values for role in app_roles]
+            )
+
+            if has_missing_roles:
+                # disabling the existing app role first to allow the update
+                # this is a requirement to update the application roles
+                for role in app.app_roles:
+                    role.is_enabled = False
+
+                client.applications.patch(
+                    app.object_id, ApplicationUpdateParameters(app_roles=app.app_roles)
+                )
+
+                # overriding the list of app roles
+                client.applications.patch(
+                    app.object_id, ApplicationUpdateParameters(app_roles=app_roles)
+                )
+
             creds = list(client.applications.list_password_credentials(app.object_id))
             client.applications.update_password_credentials(app.object_id, creds)
 
@@ -612,7 +634,7 @@ def deploy_app(self):
     def update_registration(self):
         if not self.create_registration:
             return
-        update_registration(self.application_name)
+        update_pool_registration(self.application_name)
 
     def done(self):
         logger.info(TELEMETRY_NOTICE)
@@ -766,19 +788,6 @@ def main():
 
     logging.getLogger("deploy").setLevel(logging.INFO)
 
-    # TODO: using az_cli resets logging defaults.  For now, force these
-    # to be WARN level
-    if not args.verbose:
-        for entry in [
-            "adal-python",
-            "msrest.universal_http",
-            "urllib3.connectionpool",
-            "az_command_data_logger",
-            "msrest.service_client",
-            "azure.core.pipeline.policies.http_logging_policy",
-        ]:
-            logging.getLogger(entry).setLevel(logging.WARN)
-
     if args.start_at != states[0][0]:
         logger.warning(
             "*** Starting at a non-standard deployment state.  "