@meshxdata/fops 0.1.49 → 0.1.51

package/src/plugins/bundled/fops-plugin-azure/lib/azure-vm-lifecycle.js

@@ -13,6 +13,10 @@ import {
   ensureOpenAiNetworkAccess, handleAzSessionExpired,
 } from "./azure-helpers.js";
 import { reconcileVm, provisionVm, configureVm, postStartChecks, cleanupStaleVmResources } from "./azure-provision.js";
+import { vmTerraform } from "./azure-vm-terraform.js";
+
+// Re-export for backwards compatibility
+export { vmTerraform } from "./azure-vm-terraform.js";
 
 // ── Output ──────────────────────────────────────────────────────────────────
 
@@ -801,544 +805,5 @@ export async function azureStart(opts = {}) {
   printInfo(vmName, ip, adminUser, publicUrl);
 }
 
-// ── terraform ────────────────────────────────────────────────────────────────
-
-export async function vmTerraform(opts = {}) {
-  const fs = await import("node:fs");
-  const path = await import("node:path");
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const state = requireVmState(opts.vmName);
-  const { vmName, resourceGroup: rg } = state;
-
-  banner(`VM Terraform: ${vmName}`);
-  hint("Fetching VM and networking details from Azure…");
-
-  const { stdout: vmJson } = await execa("az", [
-    "vm", "show", "-g", rg, "-n", vmName, "--output", "json", ...subArgs(sub),
-  ], { timeout: 30000 });
-  const vm = JSON.parse(vmJson);
-
-  let rgLocation = vm.location;
-  try {
-    const { stdout: rgJson } = await execa("az", [
-      "group", "show", "--name", rg, "--output", "json", ...subArgs(sub),
-    ], { timeout: 15000 });
-    rgLocation = JSON.parse(rgJson).location || rgLocation;
-  } catch { /* use vm location */ }
-
-  // Resolve NIC
-  const nicId = vm.networkProfile?.networkInterfaces?.[0]?.id || "";
-  const nicName = nicId.split("/").pop();
-  let nic = null;
-  if (nicName) {
-    try {
-      const { stdout } = await execa("az", [
-        "network", "nic", "show", "-g", rg, "-n", nicName, "--output", "json", ...subArgs(sub),
-      ], { timeout: 15000 });
-      nic = JSON.parse(stdout);
-    } catch { /* no nic */ }
-  }
-
-  let pip = null;
-  let nsg = null;
-  let nsgRules = [];
-  let subnet = null;
-  let vnet = null;
-
-  if (nic) {
-    const ipConfig = nic.ipConfigurations?.[0] || {};
-    const pipId = ipConfig.publicIPAddress?.id || "";
-    const pipName = pipId.split("/").pop();
-    const subnetId = ipConfig.subnet?.id || "";
-    const nsgId = nic.networkSecurityGroup?.id || "";
-    const nsgName = nsgId.split("/").pop();
-
-    hint("Discovering networking resources…");
-    const fetches = [];
-
-    if (pipName) {
-      fetches.push(
-        execa("az", ["network", "public-ip", "show", "-g", rg, "-n", pipName, "--output", "json", ...subArgs(sub)],
-          { reject: false, timeout: 15000 }).then(r => { if (r.exitCode === 0) pip = JSON.parse(r.stdout); })
-      );
-    }
-    if (nsgName) {
-      fetches.push(
-        execa("az", ["network", "nsg", "show", "-g", rg, "-n", nsgName, "--output", "json", ...subArgs(sub)],
-          { reject: false, timeout: 15000 }).then(r => {
-          if (r.exitCode === 0) {
-            nsg = JSON.parse(r.stdout);
-            nsgRules = (nsg.securityRules || []).filter(rule => rule.direction === "Inbound" && rule.access === "Allow");
-          }
-        })
-      );
-    }
-    if (subnetId) {
-      const parts = subnetId.split("/");
-      const vnetName = parts[parts.indexOf("virtualNetworks") + 1];
-      const subnetName = parts[parts.indexOf("subnets") + 1];
-      const vnetRg = parts[parts.indexOf("resourceGroups") + 1] || rg;
-      fetches.push(
-        execa("az", ["network", "vnet", "show", "-g", vnetRg, "-n", vnetName, "--output", "json", ...subArgs(sub)],
-          { reject: false, timeout: 15000 }).then(r => {
-          if (r.exitCode === 0) {
-            vnet = JSON.parse(r.stdout);
-            subnet = (vnet.subnets || []).find(s => s.name === subnetName) || null;
-          }
-        })
-      );
-    }
-
-    await Promise.allSettled(fetches);
-  }
-
-  // Check for ADE Key Vault
-  let adeKeyVault = null;
-  const adeVaultName = `fops-ade-kv-${vm.location}`;
-  try {
-    const { stdout, exitCode } = await execa("az", [
-      "keyvault", "show", "--name", adeVaultName, "--output", "json", ...subArgs(sub),
-    ], { reject: false, timeout: 15000 });
-    if (exitCode === 0 && stdout?.trim()) adeKeyVault = JSON.parse(stdout);
-  } catch { /* no vault */ }
-
-  const hcl = generateVmTerraform(vm, {
-    rg, rgLocation, nic, pip, nsg, nsgRules, vnet, subnet, adeKeyVault, state,
-  });
-
-  console.log(OK("  ✓ Terraform HCL generated from live VM state\n"));
-
-  if (opts.output) {
-    fs.mkdirSync(path.dirname(path.resolve(opts.output)), { recursive: true });
-    fs.writeFileSync(path.resolve(opts.output), hcl, "utf8");
-    console.log(OK(`  ✓ Written to ${opts.output}\n`));
-  } else {
-    console.log(hcl);
-  }
-}
-
-function generateVmTerraform(vm, { rg, rgLocation, nic, pip, nsg, nsgRules, vnet, subnet, adeKeyVault, state }) {
-  const tfName = (vm.name || "vm").replace(/[^a-zA-Z0-9_]/g, "_");
-  const adminUser = vm.osProfile?.adminUsername || DEFAULTS.adminUser;
-  const vmSize = vm.hardwareProfile?.vmSize || DEFAULTS.vmSize;
-  const osDisk = vm.storageProfile?.osDisk || {};
-  const imageRef = vm.storageProfile?.imageReference || {};
-  const secProfile = vm.securityProfile || {};
-  const isTrustedLaunch = secProfile.securityType === "TrustedLaunch";
-  const linuxConfig = vm.osProfile?.linuxConfiguration || {};
-
-  const lines = [];
-  const w = (s = "") => lines.push(s);
-
-  // ── variables ──────────────────────────────────────────────────────────────
-
-  w(`# ─── Variables ────────────────────────────────────────────────────────────────`);
-  w();
-  w(`variable "resource_group_name" {`);
-  w(`  description = "Name of the Azure resource group"`);
-  w(`  type        = string`);
-  w(`  default     = "${rg}"`);
-  w(`}`);
-  w();
-  w(`variable "location" {`);
-  w(`  description = "Azure region"`);
-  w(`  type        = string`);
-  w(`  default     = "${rgLocation}"`);
-  w(`}`);
-  w();
-  w(`variable "vm_name" {`);
-  w(`  description = "Virtual machine name"`);
-  w(`  type        = string`);
-  w(`  default     = "${vm.name}"`);
-  w(`}`);
-  w();
-  w(`variable "vm_size" {`);
-  w(`  description = "VM size / SKU"`);
-  w(`  type        = string`);
-  w(`  default     = "${vmSize}"`);
-  w(`}`);
-  w();
-  w(`variable "admin_username" {`);
-  w(`  description = "SSH admin username"`);
-  w(`  type        = string`);
-  w(`  default     = "${adminUser}"`);
-  w(`}`);
-  w();
-  w(`variable "os_disk_size_gb" {`);
-  w(`  description = "OS disk size in GB"`);
-  w(`  type        = number`);
-  w(`  default     = ${osDisk.diskSizeGb || DEFAULTS.osDiskSizeGb}`);
-  w(`}`);
-  w();
-  w(`variable "ssh_public_key_path" {`);
-  w(`  description = "Path to SSH public key for admin access"`);
-  w(`  type        = string`);
-  w(`  default     = "~/.ssh/id_rsa.pub"`);
-  w(`}`);
-  w();
-
-  if (state?.publicUrl) {
-    w(`variable "public_url" {`);
-    w(`  description = "Public URL for Foundation platform"`);
-    w(`  type        = string`);
-    w(`  default     = "${state.publicUrl}"`);
-    w(`}`);
-    w();
-  }
-
-  // ── provider ───────────────────────────────────────────────────────────────
-
-  w(`# ─── Provider ─────────────────────────────────────────────────────────────────`);
-  w();
-  w(`terraform {`);
-  w(`  required_providers {`);
-  w(`    azurerm = {`);
-  w(`      source  = "hashicorp/azurerm"`);
-  w(`      version = "~> 4.0"`);
-  w(`    }`);
-  w(`  }`);
-  w(`}`);
-  w();
-  w(`provider "azurerm" {`);
-  w(`  features {}`);
-  w(`}`);
-  w();
-
-  // ── resource group ─────────────────────────────────────────────────────────
-
-  w(`# ─── Resource Group ──────────────────────────────────────────────────────────`);
-  w();
-  w(`resource "azurerm_resource_group" "vm" {`);
-  w(`  name     = var.resource_group_name`);
-  w(`  location = var.location`);
-  w(`}`);
-  w();
-
-  // ── VNet + Subnet ──────────────────────────────────────────────────────────
-
-  if (vnet) {
-    const vnetTf = (vnet.name || "vnet").replace(/[^a-zA-Z0-9_]/g, "_");
-    const addrSpace = vnet.addressSpace?.addressPrefixes?.[0] || "10.0.0.0/16";
-    w(`# ─── Network ──────────────────────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_virtual_network" "${vnetTf}" {`);
-    w(`  name                = "${vnet.name}"`);
-    w(`  resource_group_name = azurerm_resource_group.vm.name`);
-    w(`  location            = azurerm_resource_group.vm.location`);
-    w(`  address_space       = ["${addrSpace}"]`);
-    w(`}`);
-    w();
-
-    if (subnet) {
-      const subnetTf = (subnet.name || "subnet").replace(/[^a-zA-Z0-9_]/g, "_");
-      const subnetPrefix = subnet.addressPrefix || "10.0.0.0/24";
-      w(`resource "azurerm_subnet" "${subnetTf}" {`);
-      w(`  name                 = "${subnet.name}"`);
-      w(`  resource_group_name  = azurerm_resource_group.vm.name`);
-      w(`  virtual_network_name = azurerm_virtual_network.${vnetTf}.name`);
-      w(`  address_prefixes     = ["${subnetPrefix}"]`);
-      w(`}`);
-      w();
-    }
-  }
-
-  // ── NSG ────────────────────────────────────────────────────────────────────
-
-  if (nsg) {
-    const nsgTf = (nsg.name || "nsg").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`# ─── Network Security Group ───────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_network_security_group" "${nsgTf}" {`);
-    w(`  name                = "${nsg.name}"`);
-    w(`  resource_group_name = azurerm_resource_group.vm.name`);
-    w(`  location            = azurerm_resource_group.vm.location`);
-
-    for (const rule of nsgRules) {
-      w();
-      w(`  security_rule {`);
-      w(`    name                       = "${rule.name}"`);
-      w(`    priority                   = ${rule.priority}`);
-      w(`    direction                  = "${rule.direction}"`);
-      w(`    access                     = "${rule.access}"`);
-      w(`    protocol                   = "${rule.protocol}"`);
-      w(`    source_port_range          = "${rule.sourcePortRange || "*"}"`);
-      w(`    destination_port_range     = "${rule.destinationPortRange || "*"}"`);
-      w(`    source_address_prefix      = "${rule.sourceAddressPrefix || "*"}"`);
-      w(`    destination_address_prefix = "${rule.destinationAddressPrefix || "*"}"`);
-      w(`  }`);
-    }
-
-    w(`}`);
-    w();
-  }
 
-  // ── Public IP ──────────────────────────────────────────────────────────────
-
-  if (pip) {
-    const pipTf = (pip.name || "pip").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`# ─── Public IP ────────────────────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_public_ip" "${pipTf}" {`);
-    w(`  name                = "${pip.name}"`);
-    w(`  resource_group_name = azurerm_resource_group.vm.name`);
-    w(`  location            = azurerm_resource_group.vm.location`);
-    w(`  allocation_method   = "${pip.publicIPAllocationMethod || "Static"}"`);
-    w(`  sku                 = "${pip.sku?.name || "Standard"}"`);
-    const pipTags = pip.tags || {};
-    const pipTagEntries = Object.entries(pipTags);
-    if (pipTagEntries.length) {
-      w();
-      w(`  tags = {`);
-      for (const [k, v] of pipTagEntries) {
-        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
-      }
-      w(`  }`);
-    }
-    w(`}`);
-    w();
-  }
-
-  // ── NIC ────────────────────────────────────────────────────────────────────
-
-  if (nic) {
-    const nicTf = (nic.name || "nic").replace(/[^a-zA-Z0-9_]/g, "_");
-    const vnetTf = vnet ? (vnet.name || "vnet").replace(/[^a-zA-Z0-9_]/g, "_") : null;
-    const subnetTf = subnet ? (subnet.name || "subnet").replace(/[^a-zA-Z0-9_]/g, "_") : null;
-    const nsgTf = nsg ? (nsg.name || "nsg").replace(/[^a-zA-Z0-9_]/g, "_") : null;
-    const pipTf = pip ? (pip.name || "pip").replace(/[^a-zA-Z0-9_]/g, "_") : null;
-
-    w(`# ─── Network Interface ────────────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_network_interface" "${nicTf}" {`);
-    w(`  name                          = "${nic.name}"`);
-    w(`  resource_group_name           = azurerm_resource_group.vm.name`);
-    w(`  location                      = azurerm_resource_group.vm.location`);
-    if (nic.enableAcceleratedNetworking) {
-      w(`  accelerated_networking_enabled = true`);
-    }
-    w();
-    w(`  ip_configuration {`);
-    w(`    name                          = "${nic.ipConfigurations?.[0]?.name || "ipconfig1"}"`);
-    if (subnetTf) {
-      w(`    subnet_id                     = azurerm_subnet.${subnetTf}.id`);
-    }
-    w(`    private_ip_address_allocation  = "${nic.ipConfigurations?.[0]?.privateIPAllocationMethod || "Dynamic"}"`);
-    if (pipTf) {
-      w(`    public_ip_address_id          = azurerm_public_ip.${pipTf}.id`);
-    }
-    w(`  }`);
-    w(`}`);
-    w();
-
-    if (nsgTf) {
-      w(`resource "azurerm_network_interface_security_group_association" "${nicTf}_nsg" {`);
-      w(`  network_interface_id      = azurerm_network_interface.${nicTf}.id`);
-      w(`  network_security_group_id = azurerm_network_security_group.${nsgTf}.id`);
-      w(`}`);
-      w();
-    }
-  }
-
-  // ── ADE Key Vault ──────────────────────────────────────────────────────────
-
-  if (adeKeyVault) {
-    const kvTf = (adeKeyVault.name || "ade_kv").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`# ─── Disk Encryption Key Vault ────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_key_vault" "${kvTf}" {`);
-    w(`  name                        = "${adeKeyVault.name}"`);
-    w(`  resource_group_name         = azurerm_resource_group.vm.name`);
-    w(`  location                    = azurerm_resource_group.vm.location`);
-    w(`  tenant_id                   = "${adeKeyVault.properties?.tenantId || ""}"`);
-    w(`  sku_name                    = "${adeKeyVault.properties?.sku?.name || "standard"}"`);
-    w(`  enabled_for_disk_encryption = true`);
-    if (adeKeyVault.properties?.enableRbacAuthorization) {
-      w(`  enable_rbac_authorization   = true`);
-    }
-    if (adeKeyVault.properties?.softDeleteRetentionInDays) {
-      w(`  soft_delete_retention_days  = ${adeKeyVault.properties.softDeleteRetentionInDays}`);
-    }
-    if (adeKeyVault.properties?.enablePurgeProtection) {
-      w(`  purge_protection_enabled   = true`);
-    }
-    w(`}`);
-    w();
-  }
-
-  // ── Virtual Machine ────────────────────────────────────────────────────────
-
-  const nicTf = nic ? (nic.name || "nic").replace(/[^a-zA-Z0-9_]/g, "_") : null;
-
-  w(`# ─── Virtual Machine ─────────────────────────────────────────────────────────`);
-  w();
-  w(`resource "azurerm_linux_virtual_machine" "${tfName}" {`);
-  w(`  name                = var.vm_name`);
-  w(`  resource_group_name = azurerm_resource_group.vm.name`);
-  w(`  location            = azurerm_resource_group.vm.location`);
-  w(`  size                = var.vm_size`);
-  w(`  admin_username      = var.admin_username`);
-  if (linuxConfig.disablePasswordAuthentication !== false) {
-    w(`  disable_password_authentication = true`);
-  }
-  if (nicTf) {
-    w(`  network_interface_ids = [azurerm_network_interface.${nicTf}.id]`);
-  }
-  w();
-
-  w(`  admin_ssh_key {`);
-  w(`    username   = var.admin_username`);
-  w(`    public_key = file(var.ssh_public_key_path)`);
-  w(`  }`);
-  w();
-
-  w(`  os_disk {`);
-  w(`    name                 = "${osDisk.name || vm.name + "-osdisk"}"`);
-  w(`    caching              = "${osDisk.caching || "ReadWrite"}"`);
-  w(`    storage_account_type = "${osDisk.managedDisk?.storageAccountType || "Premium_LRS"}"`);
-  w(`    disk_size_gb         = var.os_disk_size_gb`);
-  w(`  }`);
-  w();
-
-  if (imageRef.publisher) {
-    w(`  source_image_reference {`);
-    w(`    publisher = "${imageRef.publisher}"`);
-    w(`    offer     = "${imageRef.offer}"`);
-    w(`    sku       = "${imageRef.sku}"`);
-    w(`    version   = "${imageRef.exactVersion || imageRef.version || "latest"}"`);
-    w(`  }`);
-    w();
-  } else if (imageRef.id) {
-    w(`  source_image_id = "${imageRef.id}"`);
-    w();
-  }
-
-  if (isTrustedLaunch) {
-    w(`  secure_boot_enabled = ${secProfile.uefiSettings?.secureBootEnabled ?? true}`);
-    w(`  vtpm_enabled        = ${secProfile.uefiSettings?.vTpmEnabled ?? true}`);
-    w();
-  }
-
-  if (vm.diagnosticsProfile?.bootDiagnostics?.enabled) {
-    w(`  boot_diagnostics {}`);
-    w();
-  }
-
-  if (vm.identity?.type && vm.identity.type !== "None") {
-    w(`  identity {`);
-    w(`    type = "${vm.identity.type}"`);
-    w(`  }`);
-    w();
-  }
-
-  const patchMode = linuxConfig.patchSettings?.patchMode;
-  if (patchMode) {
-    w(`  patch_mode = "${patchMode}"`);
-    if (patchMode === "AutomaticByPlatform") {
-      w(`  patch_assessment_mode = "AutomaticByPlatform"`);
-    }
-    w();
-  }
-
-  w(`  # Foundation provisioning script — uncomment and point to your cloud-init`);
-  w(`  # custom_data = filebase64("cloud-init-foundation.sh")`);
-  w();
-
-  const tags = vm.tags || {};
-  const tagEntries = Object.entries(tags);
-  if (tagEntries.length) {
-    w(`  tags = {`);
-    for (const [k, v] of tagEntries) {
-      w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
-    }
-    w(`  }`);
-    w();
-  }
-
-  w(`}`);
-  w();
-
-  // ── Data disks ─────────────────────────────────────────────────────────────
-
-  for (const dd of vm.storageProfile?.dataDisks || []) {
-    const ddTf = (dd.name || `datadisk_lun${dd.lun}`).replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`resource "azurerm_managed_disk" "${ddTf}" {`);
-    w(`  name                 = "${dd.name}"`);
-    w(`  resource_group_name  = azurerm_resource_group.vm.name`);
-    w(`  location             = azurerm_resource_group.vm.location`);
-    w(`  storage_account_type = "${dd.managedDisk?.storageAccountType || "Premium_LRS"}"`);
-    w(`  create_option        = "Empty"`);
-    w(`  disk_size_gb         = ${dd.diskSizeGb || 128}`);
-    w(`}`);
-    w();
-    w(`resource "azurerm_virtual_machine_data_disk_attachment" "${ddTf}" {`);
-    w(`  managed_disk_id    = azurerm_managed_disk.${ddTf}.id`);
-    w(`  virtual_machine_id = azurerm_linux_virtual_machine.${tfName}.id`);
-    w(`  lun                = ${dd.lun}`);
-    w(`  caching            = "${dd.caching || "ReadWrite"}"`);
-    w(`}`);
-    w();
-  }
-
-  // ── Resource lock ──────────────────────────────────────────────────────────
-
-  w(`resource "azurerm_management_lock" "${tfName}_lock" {`);
-  w(`  name       = "${vm.name}-lock"`);
-  w(`  scope      = azurerm_linux_virtual_machine.${tfName}.id`);
-  w(`  lock_level = "CanNotDelete"`);
-  w(`  notes      = "Managed by fops — prevents accidental deletion"`);
-  w(`}`);
-  w();
-
-  // ── VM extension: ADE ──────────────────────────────────────────────────────
-
-  const adeExt = (vm.resources || []).find(r => r.id?.toLowerCase().includes("azurediskencryption"));
-  if (adeExt && adeKeyVault) {
-    const kvTf = (adeKeyVault.name || "ade_kv").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`resource "azurerm_virtual_machine_extension" "ade" {`);
-    w(`  name                 = "AzureDiskEncryption"`);
-    w(`  virtual_machine_id   = azurerm_linux_virtual_machine.${tfName}.id`);
-    w(`  publisher            = "Microsoft.Azure.Security"`);
-    w(`  type                 = "AzureDiskEncryptionForLinux"`);
-    w(`  type_handler_version = "1.4"`);
-    w();
-    w(`  settings = jsonencode({`);
-    w(`    EncryptionOperation = "EnableEncryption"`);
-    w(`    KeyVaultURL         = azurerm_key_vault.${kvTf}.vault_uri`);
-    w(`    KeyVaultResourceId  = azurerm_key_vault.${kvTf}.id`);
-    w(`    VolumeType          = "All"`);
-    w(`  })`);
-    w(`}`);
-    w();
-  }
-
-  // ── outputs ────────────────────────────────────────────────────────────────
-
-  w(`# ─── Outputs ─────────────────────────────────────────────────────────────────`);
-  w();
-  w(`output "vm_name" {`);
-  w(`  value = azurerm_linux_virtual_machine.${tfName}.name`);
-  w(`}`);
-  w();
-  if (pip) {
-    const pipTf = (pip.name || "pip").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`output "public_ip" {`);
-    w(`  value = azurerm_public_ip.${pipTf}.ip_address`);
-    w(`}`);
-    w();
-  }
-  w(`output "admin_username" {`);
-  w(`  value = var.admin_username`);
-  w(`}`);
-  w();
-  if (state?.publicUrl) {
-    w(`output "public_url" {`);
-    w(`  value = var.public_url`);
-    w(`}`);
-    w();
-  }
-
-  return lines.join("\n");
-}
+// vmTerraform is now in azure-vm-terraform.js and re-exported above for backwards compatibility