@meshxdata/fops 0.1.36 → 0.1.37

package/src/plugins/bundled/fops-plugin-azure/lib/commands/fleet-cmds.js

@@ -0,0 +1,254 @@
+/**
+ * Fleet management, swarm, audit, snapshot/restore commands.
+ * All operations target multiple Azure VMs or the swarm cluster.
+ */
+import chalk from "chalk";
+
+export function registerFleetCommands(azure) {
+  // ── Fleet management ───────────────────────────────────────────────────
+
+  azure
+    .command("exec <command>")
+    .description("Run a command on all tracked VMs in parallel")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--timeout <seconds>", "Per-VM command timeout (default: 120)", "120")
+    .option("--quiet", "Show only summary, not command output")
+    .action(async (command, opts) => {
+      const { fleetExec } = await import("../azure-fleet.js");
+      await fleetExec(command, { vmName: opts.vmName, timeout: Number(opts.timeout), quiet: opts.quiet });
+    });
+
+  azure
+    .command("diff")
+    .description("Compare configuration across all VMs — detect drift")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .action(async (opts) => {
+      const { fleetDiff } = await import("../azure-fleet.js");
+      await fleetDiff({ vmName: opts.vmName });
+    });
+
+  azure
+    .command("rollout")
+    .description("Rolling deploy: pull, restart, health-check across VMs in batches")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--batch <size>", "Number of VMs to deploy in parallel per batch (default: 1)", "1")
+    .option("--branch <branch>", "Git branch to deploy (default: main)")
+    .option("--health-timeout <seconds>", "Seconds to wait for healthy after restart (default: 120)", "120")
+    .option("--force", "Continue rolling out even if a batch fails")
+    .action(async (opts) => {
+      const { fleetRollout } = await import("../azure-fleet.js");
+      await fleetRollout({
+        vmName: opts.vmName, batch: Number(opts.batch), branch: opts.branch,
+        healthTimeout: Number(opts.healthTimeout), force: opts.force,
+      });
+    });
+
+  azure
+    .command("sync")
+    .description("Push local config files to all VMs")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--files <files>", "Comma-separated list of files to sync (default: docker-compose.yaml,.env)", "docker-compose.yaml,.env")
+    .option("--restart", "Run fops up after syncing files")
+    .action(async (opts) => {
+      const { fleetSync } = await import("../azure-fleet.js");
+      await fleetSync({ vmName: opts.vmName, files: opts.files.split(","), restart: opts.restart });
+    });
+
+  azure
+    .command("health")
+    .description("Deep health report across all VMs — containers, disk, memory, load")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .action(async (opts) => {
+      const { fleetHealth } = await import("../azure-fleet.js");
+      await fleetHealth({ vmName: opts.vmName });
+    });
+
+  azure
+    .command("snapshot [name]")
+    .description("Create Azure disk snapshots of all (or one) tracked VMs")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--tag <tag>", "Snapshot tag/label (default: ISO timestamp)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { fleetSnapshot } = await import("../azure-fleet.js");
+      await fleetSnapshot({ vmName: opts.vmName || name, tag: opts.tag, profile: opts.profile });
+    });
+
+  azure
+    .command("restore <name>")
+    .description("Restore a VM from an Azure disk snapshot")
+    .option("--snapshot <name>", "Snapshot name to restore from (omit to list available)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--yes", "Skip confirmation prompt")
+    .action(async (name, opts) => {
+      const { fleetRestore } = await import("../azure-fleet.js");
+      await fleetRestore({ vmName: name, snapshot: opts.snapshot, profile: opts.profile, yes: opts.yes });
+    });
+
+  // ── Audit subcommands ──────────────────────────────────────────────────
+
+  const audit = azure
+    .command("audit")
+    .description("Security & compliance audit across Azure resources");
+
+  audit
+    .command("all", { isDefault: true })
+    .description("Run all audit checks (VMs, AKS, storage encryption)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--vm-name <name>", "Limit VM audit to a specific VM")
+    .option("--cluster <name>", "Limit AKS audit to a specific cluster")
+    .option("--account <name>", "Limit storage audit to a specific account")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (opts) => {
+      const { auditAll } = await import("../azure-audit.js");
+      await auditAll({ profile: opts.profile, vmName: opts.vmName, clusterName: opts.cluster, account: opts.account, verbose: opts.verbose });
+    });
+
+  audit
+    .command("vm [vmName]")
+    .description("Audit VM security — disk encryption, NSG rules, managed identity, patching")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--vm-name <name>", "Audit a specific VM (default: all tracked)")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (vmName, opts) => {
+      const { auditVms } = await import("../azure-audit.js");
+      await auditVms({ profile: opts.profile, vmName: opts.vmName || vmName, verbose: opts.verbose });
+    });
+
+  audit
+    .command("aks [clusterName]")
+    .description("Audit AKS cluster security — RBAC, network policy, auto-upgrade, Defender")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (clusterName, opts) => {
+      const { auditAks } = await import("../azure-audit.js");
+      await auditAks({ profile: opts.profile, clusterName, verbose: opts.verbose });
+    });
+
+  audit
+    .command("storage")
+    .description("Audit storage account encryption & security posture")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--account <name>", "Audit a specific storage account (default: all)")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (opts) => {
+      const { auditStorage } = await import("../azure-audit.js");
+      await auditStorage({ profile: opts.profile, account: opts.account, verbose: opts.verbose });
+    });
+
+  audit
+    .command("sessions [vmName]")
+    .description("View SSH session recordings across the fleet")
+    .option("--session <id>", "Read a specific session by ID")
+    .option("--live", "Show only active (live) sessions")
+    .option("--cloud", "Read from blob storage instead of SSH")
+    .option("--push", "Push collected sessions to blob storage")
+    .option("--last <n>", "Show only the last N sessions", "50")
+    .option("--tail <n>", "When reading a session, show only the last N lines")
+    .action(async (vmName, opts) => {
+      const { fleetAudit } = await import("../azure-fleet.js");
+      await fleetAudit({
+        vmName,
+        session: opts.session,
+        live: opts.live,
+        cloud: opts.cloud,
+        push: opts.push,
+        last: Number(opts.last),
+        tail: opts.tail ? Number(opts.tail) : undefined,
+      });
+    });
+
+  audit
+    .command("zap [vmName]")
+    .description("Run an authenticated OWASP ZAP DAST scan against a VM's frontend")
+    .option("--vm-name <name>", "Target VM (default: active)")
+    .option("--target <url>", "Override target URL (default: https://<vm>.meshx.app)")
+    .option("--output <dir>", "Directory for JSON report (default: cwd)")
+    .option("--spider-minutes <n>", "Spider duration in minutes (default: 3)", "3")
+    .option("--ajax-minutes <n>", "Ajax spider duration in minutes (default: 3)", "3")
+    .option("--active-scan-minutes <n>", "Active scan rule timeout in minutes (default: 5)", "5")
+    .option("--max-minutes <n>", "Overall scan timeout in minutes (default: 20)", "20")
+    .option("--verbose", "Show fix suggestions for each finding")
+    .option("--aggressive", "Pentest mode: Penetration Tester policy, longer crawl/scan")
+    .action(async (vmName, opts) => {
+      const { auditZap } = await import("../azure-audit.js");
+      await auditZap({
+        vmName: opts.vmName || vmName,
+        target: opts.target,
+        output: opts.output,
+        spiderMinutes: opts.aggressive ? undefined : (opts.spiderMinutes ? Number(opts.spiderMinutes) : undefined),
+        ajaxMinutes: opts.aggressive ? undefined : (opts.ajaxMinutes ? Number(opts.ajaxMinutes) : undefined),
+        activeScanMinutes: opts.aggressive ? undefined : (opts.activeScanMinutes ? Number(opts.activeScanMinutes) : undefined),
+        maxMinutes: opts.aggressive ? undefined : (opts.maxMinutes ? Number(opts.maxMinutes) : undefined),
+        verbose: opts.verbose,
+        aggressive: opts.aggressive,
+      });
+    });
+
+  // ── Swarm subcommands ──────────────────────────────────────────────────
+
+  const swarm = azure
+    .command("swarm")
+    .description("Docker Swarm cluster management");
+
+  swarm
+    .command("init <vmName>")
+    .description("Initialize Docker Swarm on a VM (single-node manager)")
+    .option("--stack", "Also deploy the compose stack as swarm services")
+    .action(async (vmName, opts) => {
+      const { swarmInit } = await import("../azure-fleet.js");
+      await swarmInit({ vmName, stack: opts.stack });
+    });
+
+  swarm
+    .command("join <vmName>")
+    .description("Join a VM as a worker to an existing swarm (auto-creates the VM if it doesn't exist)")
+    .requiredOption("--manager <name>", "Manager VM to join")
+    .option("--as-manager", "Join as a manager instead of worker")
+    .option("--vm-size <size>", "VM size when auto-creating (default: inherited from manager)")
+    .option("--location <region>", "Azure region when auto-creating (default: inherited from manager)")
+    .option("--image <urn>", "Custom image URN when auto-creating")
+    .option("--url <url>", "Public URL override when auto-creating")
+    .option("--profile <subscription>", "Azure subscription when auto-creating")
+    .action(async (vmName, opts) => {
+      const { swarmJoin } = await import("../azure-fleet.js");
+      await swarmJoin({
+        vmName, manager: opts.manager, asManager: opts.asManager,
+        vmSize: opts.vmSize, location: opts.location,
+        image: opts.image, url: opts.url, profile: opts.profile,
+      });
+    });
+
+  swarm
+    .command("status [vmName]")
+    .description("Show swarm node and service status")
+    .action(async (vmName) => {
+      const { swarmStatus } = await import("../azure-fleet.js");
+      await swarmStatus({ vmName });
+    });
+
+  swarm
+    .command("promote <vmName>")
+    .description("Promote a swarm worker to manager")
+    .action(async (vmName) => {
+      const { swarmPromote } = await import("../azure-fleet.js");
+      await swarmPromote({ vmName });
+    });
+
+  swarm
+    .command("deploy [vmName]")
+    .description("Deploy the compose stack as swarm services (or update existing)")
+    .action(async (vmName) => {
+      const { swarmDeploy } = await import("../azure-fleet.js");
+      await swarmDeploy({ vmName });
+    });
+
+  swarm
+    .command("leave <vmName>")
+    .description("Remove a VM from the swarm")
+    .option("--force", "Force leave (required for managers)")
+    .action(async (vmName, opts) => {
+      const { swarmLeave } = await import("../azure-fleet.js");
+      await swarmLeave({ vmName, force: opts.force });
+    });
+}