npm - @meshxdata/fops - Versions diffs - 0.1.45 → 0.1.46 - Mend

@meshxdata/fops 0.1.45 → 0.1.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/src/plugins/bundled/fops-plugin-azure/lib/azure-keyvault.js CHANGED Viewed

@@ -1253,6 +1253,192 @@ export async function keyvaultSetup(opts = {}) {
   console.log(chalk.bold.green(`\n  Setup complete! Run: fops azure keyvault sync\n`));
 }
+// ═══════════════════════════════════════════════════════════════════════════
+// Network configuration (VNet integration, service endpoints)
+// ═══════════════════════════════════════════════════════════════════════════
+export async function networkShow(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { stdout } = await execa("az", [
+    "keyvault", "show", "--name", vault, "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000 });
+  const v = JSON.parse(stdout);
+  const props = v.properties || {};
+  const networkRules = props.networkAcls || {};
+  banner(`Network Config — "${vault}"`);
+  kvLine("Public Access", props.publicNetworkAccess === "Disabled" ? OK("disabled") : WARN("enabled"));
+  kvLine("Default Action", networkRules.defaultAction === "Deny" ? OK("Deny") : WARN(networkRules.defaultAction || "Allow"));
+  kvLine("Bypass", DIM(networkRules.bypass || "AzureServices"));
+  const ipRules = networkRules.ipRules || [];
+  const vnetRules = networkRules.virtualNetworkRules || [];
+  console.log("");
+  if (ipRules.length > 0) {
+    console.log(ACCENT("  IP Rules"));
+    for (const r of ipRules) {
+      console.log(`    ${DIM("•")} ${r.value}`);
+    }
+  } else {
+    kvLine("IP Rules", DIM("none"));
+  }
+  if (vnetRules.length > 0) {
+    console.log(ACCENT("  VNet Rules"));
+    for (const r of vnetRules) {
+      const subnetId = r.id || "";
+      const parts = subnetId.split("/");
+      const vnet = parts[parts.indexOf("virtualNetworks") + 1] || "";
+      const subnet = parts[parts.indexOf("subnets") + 1] || "";
+      console.log(`    ${DIM("•")} ${vnet}/${subnet}`);
+    }
+  } else {
+    kvLine("VNet Rules", DIM("none"));
+  }
+  console.log("");
+  hint("Add VNet: fops azure keyvault network add-vnet --vault <name> --vnet <vnet> --subnet <subnet>");
+  hint("Private:  fops azure keyvault network private --vault <name>\n");
+}
+export async function networkAddVnet(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const vault = await resolveVault(execa, opts.vault, sub);
+  if (!opts.vnet || !opts.subnet) {
+    console.error(chalk.red("\n  --vnet and --subnet are required.\n"));
+    process.exit(1);
+  }
+  const rg = opts.resourceGroup || opts.vnetResourceGroup;
+  // 1. Add service endpoint to subnet if not present
+  hint(`Adding Microsoft.KeyVault service endpoint to ${opts.vnet}/${opts.subnet}...`);
+  const subnetArgs = [
+    "network", "vnet", "subnet", "update",
+    "--vnet-name", opts.vnet,
+    "-n", opts.subnet,
+    "--service-endpoints", "Microsoft.KeyVault",
+    "--output", "none",
+    ...subArgs(sub),
+  ];
+  if (rg) subnetArgs.push("-g", rg);
+  const { exitCode: seCode, stderr: seErr } = await execa("az", subnetArgs, { timeout: 120000, reject: false });
+  if (seCode !== 0) {
+    console.log(WARN(`  ⚠ Service endpoint: ${(seErr || "").split("\n")[0]}`));
+  } else {
+    console.log(OK("  ✓ Service endpoint added"));
+  }
+  // 2. Get subnet resource ID
+  const subnetShowArgs = [
+    "network", "vnet", "subnet", "show",
+    "--vnet-name", opts.vnet,
+    "-n", opts.subnet,
+    "--query", "id", "-o", "tsv",
+    ...subArgs(sub),
+  ];
+  if (rg) subnetShowArgs.push("-g", rg);
+  const { stdout: subnetId, exitCode: sidCode, stderr: sidErr } = await execa("az", subnetShowArgs, { timeout: 30000, reject: false });
+  if (sidCode !== 0 || !subnetId?.trim()) {
+    console.error(chalk.red(`\n  ✗ Could not find subnet: ${(sidErr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+  // 3. Add VNet rule to Key Vault
+  hint(`Adding VNet rule to Key Vault "${vault}"...`);
+  const { exitCode, stderr } = await execa("az", [
+    "keyvault", "network-rule", "add",
+    "--name", vault,
+    "--subnet", subnetId.trim(),
+    "--output", "none",
+    ...subArgs(sub),
+  ], { timeout: 60000, reject: false });
+  if (exitCode !== 0) {
+    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+  console.log(OK(`  ✓ VNet rule added: ${opts.vnet}/${opts.subnet}`));
+  hint(`\nSet to private: fops azure keyvault network private --vault ${vault}\n`);
+}
+export async function networkPrivate(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const vault = await resolveVault(execa, opts.vault, sub);
+  hint(`Setting "${vault}" to private (deny public access)...`);
+  const { exitCode, stderr } = await execa("az", [
+    "keyvault", "update",
+    "--name", vault,
+    "--default-action", "Deny",
+    "--bypass", "AzureServices",
+    "--output", "none",
+    ...subArgs(sub),
+  ], { timeout: 60000, reject: false });
+  if (exitCode !== 0) {
+    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+  console.log(OK(`  ✓ Key Vault "${vault}" is now private`));
+  console.log(DIM("    Default action: Deny"));
+  console.log(DIM("    Bypass: AzureServices"));
+  hint("\nAccess limited to allowed VNets/IPs and Azure services.\n");
+}
+export async function networkPublic(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { resolveCliSrc } = await import("./azure-helpers.js");
+  const { confirm } = await import(resolveCliSrc("ui/confirm.js"));
+  const yes = await confirm(`  Make Key Vault "${vault}" publicly accessible?`);
+  if (!yes) { console.log(DIM("\n  Cancelled.\n")); return; }
+  const { exitCode, stderr } = await execa("az", [
+    "keyvault", "update",
+    "--name", vault,
+    "--default-action", "Allow",
+    "--output", "none",
+    ...subArgs(sub),
+  ], { timeout: 60000, reject: false });
+  if (exitCode !== 0) {
+    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+  console.log(WARN(`  ⚠ Key Vault "${vault}" is now public`));
+}
 // ── Config helpers ──────────────────────────────────────────────────────────
 function readFopsConfig() {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-results.js CHANGED Viewed

@@ -421,6 +421,11 @@ export async function resultsShow(opts = {}) {
     process.exit(1);
   }
+  if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
   banner(`Test Result: ${target}`);
   kvLine("Passed", result.passed ? OK("yes") : ERR("no"));
   kvLine("Exit code", String(result.exitCode ?? "–"));