npm - @meshxdata/fops - Versions diffs - 0.1.49 → 0.1.51 - Mend

@meshxdata/fops 0.1.49 → 0.1.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/src/plugins/bundled/fops-plugin-azure/lib/azure-vm-terraform.js ADDED Viewed

@@ -0,0 +1,544 @@
+/**
+ * Azure VM — Terraform HCL generation
+ * Extracted from azure-vm-lifecycle.js for maintainability
+ */
+import {
+  DEFAULTS, DIM, OK,
+  banner, hint, kvLine,
+  lazyExeca, ensureAzCli, ensureAzAuth, subArgs,
+} from "./azure-helpers.js";
+import { requireVmState } from "./azure-state.js";
+// ── terraform ────────────────────────────────────────────────────────────────
+export async function vmTerraform(opts = {}) {
+  const fs = await import("node:fs");
+  const path = await import("node:path");
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const state = requireVmState(opts.vmName);
+  const { vmName, resourceGroup: rg } = state;
+  banner(`VM Terraform: ${vmName}`);
+  hint("Fetching VM and networking details from Azure…");
+  const { stdout: vmJson } = await execa("az", [
+    "vm", "show", "-g", rg, "-n", vmName, "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000 });
+  const vm = JSON.parse(vmJson);
+  let rgLocation = vm.location;
+  try {
+    const { stdout: rgJson } = await execa("az", [
+      "group", "show", "--name", rg, "--output", "json", ...subArgs(sub),
+    ], { timeout: 15000 });
+    rgLocation = JSON.parse(rgJson).location || rgLocation;
+  } catch { /* use vm location */ }
+  // Resolve NIC
+  const nicId = vm.networkProfile?.networkInterfaces?.[0]?.id || "";
+  const nicName = nicId.split("/").pop();
+  let nic = null;
+  if (nicName) {
+    try {
+      const { stdout } = await execa("az", [
+        "network", "nic", "show", "-g", rg, "-n", nicName, "--output", "json", ...subArgs(sub),
+      ], { timeout: 15000 });
+      nic = JSON.parse(stdout);
+    } catch { /* no nic */ }
+  }
+  let pip = null;
+  let nsg = null;
+  let nsgRules = [];
+  let subnet = null;
+  let vnet = null;
+  if (nic) {
+    const ipConfig = nic.ipConfigurations?.[0] || {};
+    const pipId = ipConfig.publicIPAddress?.id || "";
+    const pipName = pipId.split("/").pop();
+    const subnetId = ipConfig.subnet?.id || "";
+    const nsgId = nic.networkSecurityGroup?.id || "";
+    const nsgName = nsgId.split("/").pop();
+    hint("Discovering networking resources…");
+    const fetches = [];
+    if (pipName) {
+      fetches.push(
+        execa("az", ["network", "public-ip", "show", "-g", rg, "-n", pipName, "--output", "json", ...subArgs(sub)],
+          { reject: false, timeout: 15000 }).then(r => { if (r.exitCode === 0) pip = JSON.parse(r.stdout); })
+      );
+    }
+    if (nsgName) {
+      fetches.push(
+        execa("az", ["network", "nsg", "show", "-g", rg, "-n", nsgName, "--output", "json", ...subArgs(sub)],
+          { reject: false, timeout: 15000 }).then(r => {
+          if (r.exitCode === 0) {
+            nsg = JSON.parse(r.stdout);
+            nsgRules = (nsg.securityRules || []).filter(rule => rule.direction === "Inbound" && rule.access === "Allow");
+          }
+        })
+      );
+    }
+    if (subnetId) {
+      const parts = subnetId.split("/");
+      const vnetName = parts[parts.indexOf("virtualNetworks") + 1];
+      const subnetName = parts[parts.indexOf("subnets") + 1];
+      const vnetRg = parts[parts.indexOf("resourceGroups") + 1] || rg;
+      fetches.push(
+        execa("az", ["network", "vnet", "show", "-g", vnetRg, "-n", vnetName, "--output", "json", ...subArgs(sub)],
+          { reject: false, timeout: 15000 }).then(r => {
+          if (r.exitCode === 0) {
+            vnet = JSON.parse(r.stdout);
+            subnet = (vnet.subnets || []).find(s => s.name === subnetName) || null;
+          }
+        })
+      );
+    }
+    await Promise.allSettled(fetches);
+  }
+  // Check for ADE Key Vault
+  let adeKeyVault = null;
+  const adeVaultName = `fops-ade-kv-${vm.location}`;
+  try {
+    const { stdout, exitCode } = await execa("az", [
+      "keyvault", "show", "--name", adeVaultName, "--output", "json", ...subArgs(sub),
+    ], { reject: false, timeout: 15000 });
+    if (exitCode === 0 && stdout?.trim()) adeKeyVault = JSON.parse(stdout);
+  } catch { /* no vault */ }
+  const hcl = generateVmTerraform(vm, {
+    rg, rgLocation, nic, pip, nsg, nsgRules, vnet, subnet, adeKeyVault, state,
+  });
+  console.log(OK("  ✓ Terraform HCL generated from live VM state\n"));
+  if (opts.output) {
+    fs.mkdirSync(path.dirname(path.resolve(opts.output)), { recursive: true });
+    fs.writeFileSync(path.resolve(opts.output), hcl, "utf8");
+    console.log(OK(`  ✓ Written to ${opts.output}\n`));
+  } else {
+    console.log(hcl);
+  }
+}
+function generateVmTerraform(vm, { rg, rgLocation, nic, pip, nsg, nsgRules, vnet, subnet, adeKeyVault, state }) {
+  const tfName = (vm.name || "vm").replace(/[^a-zA-Z0-9_]/g, "_");
+  const adminUser = vm.osProfile?.adminUsername || DEFAULTS.adminUser;
+  const vmSize = vm.hardwareProfile?.vmSize || DEFAULTS.vmSize;
+  const osDisk = vm.storageProfile?.osDisk || {};
+  const imageRef = vm.storageProfile?.imageReference || {};
+  const secProfile = vm.securityProfile || {};
+  const isTrustedLaunch = secProfile.securityType === "TrustedLaunch";
+  const linuxConfig = vm.osProfile?.linuxConfiguration || {};
+  const lines = [];
+  const w = (s = "") => lines.push(s);
+  // ── variables ──────────────────────────────────────────────────────────────
+  w(`# ─── Variables ────────────────────────────────────────────────────────────────`);
+  w();
+  w(`variable "resource_group_name" {`);
+  w(`  description = "Name of the Azure resource group"`);
+  w(`  type        = string`);
+  w(`  default     = "${rg}"`);
+  w(`}`);
+  w();
+  w(`variable "location" {`);
+  w(`  description = "Azure region"`);
+  w(`  type        = string`);
+  w(`  default     = "${rgLocation}"`);
+  w(`}`);
+  w();
+  w(`variable "vm_name" {`);
+  w(`  description = "Name of the VM"`);
+  w(`  type        = string`);
+  w(`  default     = "${vm.name}"`);
+  w(`}`);
+  w();
+  w(`variable "vm_size" {`);
+  w(`  description = "Azure VM size"`);
+  w(`  type        = string`);
+  w(`  default     = "${vmSize}"`);
+  w(`}`);
+  w();
+  w(`variable "admin_username" {`);
+  w(`  description = "SSH admin username"`);
+  w(`  type        = string`);
+  w(`  default     = "${adminUser}"`);
+  w(`}`);
+  w();
+  w(`variable "ssh_public_key_path" {`);
+  w(`  description = "Path to SSH public key file"`);
+  w(`  type        = string`);
+  w(`  default     = "~/.ssh/id_rsa.pub"`);
+  w(`}`);
+  w();
+  w(`variable "os_disk_size_gb" {`);
+  w(`  description = "OS disk size in GB"`);
+  w(`  type        = number`);
+  w(`  default     = ${osDisk.diskSizeGb || 128}`);
+  w(`}`);
+  w();
+  if (state?.publicUrl) {
+    w(`variable "public_url" {`);
+    w(`  description = "Public URL for the Foundation deployment"`);
+    w(`  type        = string`);
+    w(`  default     = "${state.publicUrl}"`);
+    w(`}`);
+    w();
+  }
+  // ── provider ───────────────────────────────────────────────────────────────
+  w(`# ─── Provider ─────────────────────────────────────────────────────────────────`);
+  w();
+  w(`terraform {`);
+  w(`  required_providers {`);
+  w(`    azurerm = {`);
+  w(`      source  = "hashicorp/azurerm"`);
+  w(`      version = "~> 4.0"`);
+  w(`    }`);
+  w(`  }`);
+  w(`}`);
+  w();
+  w(`provider "azurerm" {`);
+  w(`  features {}`);
+  w(`}`);
+  w();
+  // ── resource group ─────────────────────────────────────────────────────────
+  w(`# ─── Resource Group ───────────────────────────────────────────────────────────`);
+  w();
+  w(`resource "azurerm_resource_group" "vm" {`);
+  w(`  name     = var.resource_group_name`);
+  w(`  location = var.location`);
+  w(`}`);
+  w();
+  // ── VNet / Subnet ──────────────────────────────────────────────────────────
+  if (vnet) {
+    const vnetTf = (vnet.name || "vnet").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Virtual Network ──────────────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_virtual_network" "${vnetTf}" {`);
+    w(`  name                = "${vnet.name}"`);
+    w(`  resource_group_name = azurerm_resource_group.vm.name`);
+    w(`  location            = azurerm_resource_group.vm.location`);
+    w(`  address_space       = ${JSON.stringify(vnet.addressSpace?.addressPrefixes || ["10.0.0.0/16"])}`);
+    w(`}`);
+    w();
+    if (subnet) {
+      const subnetTf = (subnet.name || "subnet").replace(/[^a-zA-Z0-9_]/g, "_");
+      w(`resource "azurerm_subnet" "${subnetTf}" {`);
+      w(`  name                 = "${subnet.name}"`);
+      w(`  resource_group_name  = azurerm_resource_group.vm.name`);
+      w(`  virtual_network_name = azurerm_virtual_network.${vnetTf}.name`);
+      w(`  address_prefixes     = ${JSON.stringify(subnet.addressPrefix ? [subnet.addressPrefix] : subnet.addressPrefixes || ["10.0.1.0/24"])}`);
+      w(`}`);
+      w();
+    }
+  }
+  // ── NSG ────────────────────────────────────────────────────────────────────
+  if (nsg) {
+    const nsgTf = (nsg.name || "nsg").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Network Security Group ───────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_network_security_group" "${nsgTf}" {`);
+    w(`  name                = "${nsg.name}"`);
+    w(`  resource_group_name = azurerm_resource_group.vm.name`);
+    w(`  location            = azurerm_resource_group.vm.location`);
+    w(`}`);
+    w();
+    for (const rule of nsgRules) {
+      const ruleTf = (rule.name || "rule").replace(/[^a-zA-Z0-9_]/g, "_");
+      w(`resource "azurerm_network_security_rule" "${ruleTf}" {`);
+      w(`  name                        = "${rule.name}"`);
+      w(`  priority                    = ${rule.priority}`);
+      w(`  direction                   = "${rule.direction}"`);
+      w(`  access                      = "${rule.access}"`);
+      w(`  protocol                    = "${rule.protocol}"`);
+      w(`  source_port_range           = "${rule.sourcePortRange || "*"}"`);
+      w(`  destination_port_range      = "${rule.destinationPortRange || "*"}"`);
+      w(`  source_address_prefix       = "${rule.sourceAddressPrefix || "*"}"`);
+      w(`  destination_address_prefix  = "${rule.destinationAddressPrefix || "*"}"`);
+      w(`  resource_group_name         = azurerm_resource_group.vm.name`);
+      w(`  network_security_group_name = azurerm_network_security_group.${nsgTf}.name`);
+      w(`}`);
+      w();
+    }
+  }
+  // ── Public IP ──────────────────────────────────────────────────────────────
+  if (pip) {
+    const pipTf = (pip.name || "pip").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Public IP ────────────────────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_public_ip" "${pipTf}" {`);
+    w(`  name                = "${pip.name}"`);
+    w(`  resource_group_name = azurerm_resource_group.vm.name`);
+    w(`  location            = azurerm_resource_group.vm.location`);
+    w(`  allocation_method   = "${pip.publicIPAllocationMethod || "Static"}"`);
+    w(`  sku                 = "${pip.sku?.name || "Standard"}"`);
+    if (pip.dnsSettings?.domainNameLabel) {
+      w(`  domain_name_label   = "${pip.dnsSettings.domainNameLabel}"`);
+    }
+    w(`}`);
+    w();
+  }
+  // ── NIC ────────────────────────────────────────────────────────────────────
+  if (nic) {
+    const nicTf = (nic.name || "nic").replace(/[^a-zA-Z0-9_]/g, "_");
+    const vnetTf = vnet ? (vnet.name || "vnet").replace(/[^a-zA-Z0-9_]/g, "_") : null;
+    const subnetTf = subnet ? (subnet.name || "subnet").replace(/[^a-zA-Z0-9_]/g, "_") : null;
+    const nsgTf = nsg ? (nsg.name || "nsg").replace(/[^a-zA-Z0-9_]/g, "_") : null;
+    const pipTf = pip ? (pip.name || "pip").replace(/[^a-zA-Z0-9_]/g, "_") : null;
+    w(`# ─── Network Interface ────────────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_network_interface" "${nicTf}" {`);
+    w(`  name                          = "${nic.name}"`);
+    w(`  resource_group_name           = azurerm_resource_group.vm.name`);
+    w(`  location                      = azurerm_resource_group.vm.location`);
+    if (nic.enableAcceleratedNetworking) {
+      w(`  accelerated_networking_enabled = true`);
+    }
+    w();
+    w(`  ip_configuration {`);
+    w(`    name                          = "${nic.ipConfigurations?.[0]?.name || "ipconfig1"}"`);
+    if (subnetTf) {
+      w(`    subnet_id                     = azurerm_subnet.${subnetTf}.id`);
+    }
+    w(`    private_ip_address_allocation  = "${nic.ipConfigurations?.[0]?.privateIPAllocationMethod || "Dynamic"}"`);
+    if (pipTf) {
+      w(`    public_ip_address_id          = azurerm_public_ip.${pipTf}.id`);
+    }
+    w(`  }`);
+    w(`}`);
+    w();
+    if (nsgTf) {
+      w(`resource "azurerm_network_interface_security_group_association" "${nicTf}_nsg" {`);
+      w(`  network_interface_id      = azurerm_network_interface.${nicTf}.id`);
+      w(`  network_security_group_id = azurerm_network_security_group.${nsgTf}.id`);
+      w(`}`);
+      w();
+    }
+  }
+  // ── ADE Key Vault ──────────────────────────────────────────────────────────
+  if (adeKeyVault) {
+    const kvTf = (adeKeyVault.name || "ade_kv").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`# ─── Disk Encryption Key Vault ────────────────────────────────────────────────`);
+    w();
+    w(`resource "azurerm_key_vault" "${kvTf}" {`);
+    w(`  name                        = "${adeKeyVault.name}"`);
+    w(`  resource_group_name         = azurerm_resource_group.vm.name`);
+    w(`  location                    = azurerm_resource_group.vm.location`);
+    w(`  tenant_id                   = "${adeKeyVault.properties?.tenantId || ""}"`);
+    w(`  sku_name                    = "${adeKeyVault.properties?.sku?.name || "standard"}"`);
+    w(`  enabled_for_disk_encryption = true`);
+    if (adeKeyVault.properties?.enableRbacAuthorization) {
+      w(`  enable_rbac_authorization   = true`);
+    }
+    if (adeKeyVault.properties?.softDeleteRetentionInDays) {
+      w(`  soft_delete_retention_days  = ${adeKeyVault.properties.softDeleteRetentionInDays}`);
+    }
+    if (adeKeyVault.properties?.enablePurgeProtection) {
+      w(`  purge_protection_enabled   = true`);
+    }
+    w(`}`);
+    w();
+  }
+  // ── Virtual Machine ────────────────────────────────────────────────────────
+  const nicTf = nic ? (nic.name || "nic").replace(/[^a-zA-Z0-9_]/g, "_") : null;
+  w(`# ─── Virtual Machine ─────────────────────────────────────────────────────────`);
+  w();
+  w(`resource "azurerm_linux_virtual_machine" "${tfName}" {`);
+  w(`  name                = var.vm_name`);
+  w(`  resource_group_name = azurerm_resource_group.vm.name`);
+  w(`  location            = azurerm_resource_group.vm.location`);
+  w(`  size                = var.vm_size`);
+  w(`  admin_username      = var.admin_username`);
+  if (linuxConfig.disablePasswordAuthentication !== false) {
+    w(`  disable_password_authentication = true`);
+  }
+  if (nicTf) {
+    w(`  network_interface_ids = [azurerm_network_interface.${nicTf}.id]`);
+  }
+  w();
+  w(`  admin_ssh_key {`);
+  w(`    username   = var.admin_username`);
+  w(`    public_key = file(var.ssh_public_key_path)`);
+  w(`  }`);
+  w();
+  w(`  os_disk {`);
+  w(`    name                 = "${osDisk.name || vm.name + "-osdisk"}"`);
+  w(`    caching              = "${osDisk.caching || "ReadWrite"}"`);
+  w(`    storage_account_type = "${osDisk.managedDisk?.storageAccountType || "Premium_LRS"}"`);
+  w(`    disk_size_gb         = var.os_disk_size_gb`);
+  w(`  }`);
+  w();
+  if (imageRef.publisher) {
+    w(`  source_image_reference {`);
+    w(`    publisher = "${imageRef.publisher}"`);
+    w(`    offer     = "${imageRef.offer}"`);
+    w(`    sku       = "${imageRef.sku}"`);
+    w(`    version   = "${imageRef.exactVersion || imageRef.version || "latest"}"`);
+    w(`  }`);
+    w();
+  } else if (imageRef.id) {
+    w(`  source_image_id = "${imageRef.id}"`);
+    w();
+  }
+  if (isTrustedLaunch) {
+    w(`  secure_boot_enabled = ${secProfile.uefiSettings?.secureBootEnabled ?? true}`);
+    w(`  vtpm_enabled        = ${secProfile.uefiSettings?.vTpmEnabled ?? true}`);
+    w();
+  }
+  if (vm.diagnosticsProfile?.bootDiagnostics?.enabled) {
+    w(`  boot_diagnostics {}`);
+    w();
+  }
+  if (vm.identity?.type && vm.identity.type !== "None") {
+    w(`  identity {`);
+    w(`    type = "${vm.identity.type}"`);
+    w(`  }`);
+    w();
+  }
+  const patchMode = linuxConfig.patchSettings?.patchMode;
+  if (patchMode) {
+    w(`  patch_mode = "${patchMode}"`);
+    if (patchMode === "AutomaticByPlatform") {
+      w(`  patch_assessment_mode = "AutomaticByPlatform"`);
+    }
+    w();
+  }
+  w(`  # Foundation provisioning script — uncomment and point to your cloud-init`);
+  w(`  # custom_data = filebase64("cloud-init-foundation.sh")`);
+  w();
+  const tags = vm.tags || {};
+  const tagEntries = Object.entries(tags);
+  if (tagEntries.length) {
+    w(`  tags = {`);
+    for (const [k, v] of tagEntries) {
+      w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
+    }
+    w(`  }`);
+    w();
+  }
+  w(`}`);
+  w();
+  // ── Data disks ─────────────────────────────────────────────────────────────
+  for (const dd of vm.storageProfile?.dataDisks || []) {
+    const ddTf = (dd.name || `datadisk_lun${dd.lun}`).replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`resource "azurerm_managed_disk" "${ddTf}" {`);
+    w(`  name                 = "${dd.name}"`);
+    w(`  resource_group_name  = azurerm_resource_group.vm.name`);
+    w(`  location             = azurerm_resource_group.vm.location`);
+    w(`  storage_account_type = "${dd.managedDisk?.storageAccountType || "Premium_LRS"}"`);
+    w(`  create_option        = "Empty"`);
+    w(`  disk_size_gb         = ${dd.diskSizeGb || 128}`);
+    w(`}`);
+    w();
+    w(`resource "azurerm_virtual_machine_data_disk_attachment" "${ddTf}" {`);
+    w(`  managed_disk_id    = azurerm_managed_disk.${ddTf}.id`);
+    w(`  virtual_machine_id = azurerm_linux_virtual_machine.${tfName}.id`);
+    w(`  lun                = ${dd.lun}`);
+    w(`  caching            = "${dd.caching || "ReadWrite"}"`);
+    w(`}`);
+    w();
+  }
+  // ── Resource lock ──────────────────────────────────────────────────────────
+  w(`resource "azurerm_management_lock" "${tfName}_lock" {`);
+  w(`  name       = "${vm.name}-lock"`);
+  w(`  scope      = azurerm_linux_virtual_machine.${tfName}.id`);
+  w(`  lock_level = "CanNotDelete"`);
+  w(`  notes      = "Managed by fops — prevents accidental deletion"`);
+  w(`}`);
+  w();
+  // ── VM extension: ADE ──────────────────────────────────────────────────────
+  const adeExt = (vm.resources || []).find(r => r.id?.toLowerCase().includes("azurediskencryption"));
+  if (adeExt && adeKeyVault) {
+    const kvTf = (adeKeyVault.name || "ade_kv").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`resource "azurerm_virtual_machine_extension" "ade" {`);
+    w(`  name                 = "AzureDiskEncryption"`);
+    w(`  virtual_machine_id   = azurerm_linux_virtual_machine.${tfName}.id`);
+    w(`  publisher            = "Microsoft.Azure.Security"`);
+    w(`  type                 = "AzureDiskEncryptionForLinux"`);
+    w(`  type_handler_version = "1.4"`);
+    w();
+    w(`  settings = jsonencode({`);
+    w(`    EncryptionOperation = "EnableEncryption"`);
+    w(`    KeyVaultURL         = azurerm_key_vault.${kvTf}.vault_uri`);
+    w(`    KeyVaultResourceId  = azurerm_key_vault.${kvTf}.id`);
+    w(`    VolumeType          = "All"`);
+    w(`  })`);
+    w(`}`);
+    w();
+  }
+  // ── outputs ────────────────────────────────────────────────────────────────
+  w(`# ─── Outputs ─────────────────────────────────────────────────────────────────`);
+  w();
+  w(`output "vm_name" {`);
+  w(`  value = azurerm_linux_virtual_machine.${tfName}.name`);
+  w(`}`);
+  w();
+  if (pip) {
+    const pipTf = (pip.name || "pip").replace(/[^a-zA-Z0-9_]/g, "_");
+    w(`output "public_ip" {`);
+    w(`  value = azurerm_public_ip.${pipTf}.ip_address`);
+    w(`}`);
+    w();
+  }
+  w(`output "admin_username" {`);
+  w(`  value = var.admin_username`);
+  w(`}`);
+  w();
+  if (state?.publicUrl) {
+    w(`output "public_url" {`);
+    w(`  value = var.public_url`);
+    w(`}`);
+    w();
+  }
+  return lines.join("\n");
+}

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js CHANGED Viewed

@@ -3,7 +3,7 @@
  */
 import chalk from "chalk";
 import { resolveRemoteAuth, suppressTlsWarning } from "../azure-auth.js";
-import { parsePytestSummary, parsePytestDurations } from "../pytest-parse.js";
+import { parsePytestSummary, parsePytestDurations, parsePytestFailedTests } from "../pytest-parse.js";
 export function registerInfraCommands(azure) {
   // ── Storage (blob management) ──────────────────────────────────────────
@@ -573,6 +573,7 @@ export function registerInfraCommands(azure) {
     .option("--no-zones", "Disable availability zone redundancy")
     .option("--geo-replica", "Create Postgres geo-replica for DR (default when in UAE)")
     .option("--no-geo-replica", "Skip Postgres geo-replica creation")
+    .option("--ha", "Enable full HA: storage replication + Postgres replica + standby AKS in North Europe")
     .option("--reprovision", "Re-render and push cluster template (for existing clusters)")
     .action(async (name, opts) => {
       const { aksUp } = await import("../azure-aks.js");
@@ -599,6 +600,7 @@ export function registerInfraCommands(azure) {
         dai: opts.dai === true,
         zones: opts.zones,
         geoReplica: opts.geoReplica,
+        ha: opts.ha === true,
         reprovision: opts.reprovision === true,
       });
     });
@@ -748,6 +750,44 @@ export function registerInfraCommands(azure) {
         envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
         envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
       }
+      // Resolve CF Access credentials from ~/.fops.json or env
+      let cfAccessClientId = process.env.CF_ACCESS_CLIENT_ID || "";
+      let cfAccessClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+      if (!cfAccessClientId) {
+        try {
+          const os = await import("node:os");
+          const fopsJson = JSON.parse(await fsp.readFile(path.join(os.homedir(), ".fops.json"), "utf8"));
+          cfAccessClientId = fopsJson?.cloudflare?.accessClientId || "";
+          cfAccessClientSecret = fopsJson?.cloudflare?.accessClientSecret || "";
+        } catch { /* no fops.json */ }
+      }
+      if (cfAccessClientId) {
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_ID", cfAccessClientId);
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_SECRET", cfAccessClientSecret);
+        console.log(chalk.green("  ✓ Found CF Access credentials"));
+      }
+      // Fetch S3 credentials from cluster secret
+      let s3AccessKey = "";
+      let s3SecretKey = "";
+      try {
+        const { stdout } = await execaFn("kubectl", [
+          "get", "secret", "-n", "foundation", "storage-engine-auth-credentials",
+          "-o", "jsonpath={.data.AUTH_IDENTITY},{.data.AUTH_CREDENTIAL}",
+        ], { timeout: 15000 });
+        const [identityB64, credentialB64] = stdout.trim().split(",");
+        if (identityB64 && credentialB64) {
+          s3AccessKey = Buffer.from(identityB64, "base64").toString("utf8");
+          s3SecretKey = Buffer.from(credentialB64, "base64").toString("utf8");
+          envContent = setVar(envContent, "S3_ACCESS_KEY", s3AccessKey);
+          envContent = setVar(envContent, "S3_SECRET_KEY", s3SecretKey);
+          console.log(chalk.green("  ✓ Retrieved S3 credentials from cluster"));
+        }
+      } catch {
+        console.log(chalk.dim("  ⚠ Could not fetch S3 credentials from cluster"));
+      }
       await fsp.writeFile(envPath, envContent);
       console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
@@ -803,6 +843,14 @@ export function registerInfraCommands(azure) {
         testEnv.BEARER_TOKEN = bearerToken;
         testEnv.TOKEN_AUTH0 = bearerToken;
       }
+      if (cfAccessClientId) {
+        testEnv.CF_ACCESS_CLIENT_ID = cfAccessClientId;
+        testEnv.CF_ACCESS_CLIENT_SECRET = cfAccessClientSecret;
+      }
+      if (s3AccessKey) {
+        testEnv.S3_ACCESS_KEY = s3AccessKey;
+        testEnv.S3_SECRET_KEY = s3SecretKey;
+      }
       const aksStartMs = Date.now();
       const aksProc = execaFn(
@@ -818,6 +866,7 @@ export function registerInfraCommands(azure) {
       const aksCounts = parsePytestSummary(aksCaptured);
       const aksTiming = parsePytestDurations(aksCaptured);
+      const aksFailedTests = parsePytestFailedTests(aksCaptured);
       const qaResult = {
         passed: exitCode === 0,
         exitCode,
@@ -829,14 +878,35 @@ export function registerInfraCommands(azure) {
         ...(aksCounts.skipped != null && { numSkipped: aksCounts.skipped }),
         durationSec: aksCounts.durationSec || aksWallSec,
         ...(aksTiming && { timing: aksTiming }),
+        ...(aksFailedTests.length > 0 && { failedTests: aksFailedTests.slice(0, 50) }),
       };
       writeClusterState(cluster.clusterName, { qa: qaResult });
       if (exitCode === 0) {
         console.log(chalk.green("\n  ✓ QA tests passed\n"));
       } else {
-        console.error(chalk.red(`\n  QA tests failed (exit ${exitCode}).`));
-        console.error(chalk.dim(`  Report: ${path.join(qaDir, "playwright-report", "report.html")}\n`));
+        console.error(chalk.red(`\n  ✗ QA tests failed (exit ${exitCode})`));
+        // Parse and display failed tests summary
+        const failedTests = parsePytestFailedTests(aksCaptured);
+        if (failedTests.length > 0) {
+          console.error(chalk.red(`\n  Failed tests (${failedTests.length}):`));
+          for (const { test, reason } of failedTests.slice(0, 20)) {
+            const shortTest = test.replace(/^tests\//, "");
+            const reasonStr = reason ? chalk.dim(` - ${reason.slice(0, 60)}`) : "";
+            console.error(chalk.red(`    • ${shortTest}${reasonStr}`));
+          }
+          if (failedTests.length > 20) {
+            console.error(chalk.dim(`    ... and ${failedTests.length - 20} more`));
+          }
+        }
+        // Show summary counts
+        if (aksCounts.passed != null || aksCounts.failed != null) {
+          console.error(chalk.dim(`\n  Summary: ${aksCounts.passed || 0} passed, ${aksCounts.failed || 0} failed, ${aksCounts.skipped || 0} skipped`));
+        }
+        console.error(chalk.dim(`\n  Report: ${path.join(qaDir, "playwright-report", "report.html")}\n`));
         process.exitCode = 1;
       }
@@ -874,6 +944,7 @@ export function registerInfraCommands(azure) {
     .option("--bearer-token <token>", "Bearer token for API authentication")
     .option("--yes", "Use credentials from env or ~/.fops.json, skip prompt")
     .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--skip-sample-upload", "Skip uploading sample CSV files to MinIO storage")
     .action(async (clusterName, opts) => {
       const { aksDataBootstrap } = await import("../azure-aks.js");
       await aksDataBootstrap({
@@ -882,6 +953,7 @@ export function registerInfraCommands(azure) {
         apiUrl: opts.apiUrl,
         bearerToken: opts.bearerToken,
         yes: opts.yes,
+        skipSampleUpload: opts.skipSampleUpload,
       });
     });