create-interview-cockpit 0.23.2 → 0.24.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-interview-cockpit",
-  "version": "0.23.2",
+  "version": "0.24.0",
   "description": "Scaffold a personal AI-powered interview prep cockpit",
   "type": "module",
   "bin": {

package/template/client/src/components/LabsPanel.tsx

@@ -1,6 +1,12 @@
 import { useState } from "react";
 import { useStore } from "../store";
-import { DOCKER_DEEP_DIVE_LAB, parseInfraLabWorkspace } from "../infraLab";
+import {
+  AZURE_NETWORK_ACL_BLANK_TEMPLATE,
+  AZURE_NETWORK_ACL_DOCKER_LAB,
+  DOCKER_DEEP_DIVE_LAB,
+  POSTGRES_DOCKER_PROVIDER_LAB,
+  parseInfraLabWorkspace,
+} from "../infraLab";
 import {
   DEFAULT_GHA_LAB,
   parseGhaLabWorkspace,
@@ -641,6 +647,24 @@ export default function LabsPanel() {
                   "Dockerfile + Compose + Node API + Redis, with command-line practice",
                 onClick: () => openInfraLab(DOCKER_DEEP_DIVE_LAB),
               },
+              {
+                label: "Postgres DB in Docker",
+                description:
+                  "Terraform Docker provider deploys a local PostgreSQL database container",
+                onClick: () => openInfraLab(POSTGRES_DOCKER_PROVIDER_LAB),
+              },
+              {
+                label: "Azure ACL Failure (Docker)",
+                description:
+                  "Reproduce stale Azure subnet allowlists locally with Terraform + Docker mocks",
+                onClick: () => openInfraLab(AZURE_NETWORK_ACL_DOCKER_LAB),
+              },
+              {
+                label: "Azure ACL Blank Template",
+                description:
+                  "Same Azure-style Terraform/Docker file layout, but every file starts empty",
+                onClick: () => openInfraLab(AZURE_NETWORK_ACL_BLANK_TEMPLATE),
+              },
               {
                 label: "Enterprise BFF Docker Stack",
                 description:

package/template/client/src/infraLab.ts

@@ -370,6 +370,662 @@ setInterval(async () => {
   },
 };
 
+export const POSTGRES_DOCKER_PROVIDER_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "Postgres Docker Provider Lab",
+  provider: "docker",
+  executionMode: "docker",
+  activeFile: "README.md",
+  files: {
+    "README.md": `# Postgres Docker Provider Lab
+
+This lab is a clearer Terraform + Docker mental model:
+
+1. Terraform uses the Docker provider.
+2. Terraform pulls the Postgres Docker image.
+3. Terraform creates a Docker volume for database files.
+4. Terraform creates a running Postgres container during \`terraform apply\`.
+5. Terraform removes the container during \`terraform destroy\`.
+
+In this lab, Docker is the local infrastructure platform and Postgres is the deployed infrastructure.
+
+## Prerequisites
+
+- Docker Desktop / Docker Engine must already be running.
+- The first \`terraform init\` downloads the Docker Terraform provider.
+
+## Run it
+
+Use the Console tab one command at a time:
+
+1. \`terraform init\`
+2. \`terraform plan -out=tfplan\`
+3. \`terraform apply -auto-approve\`
+4. \`terraform output\`
+5. \`docker ps\`
+6. \`docker exec terraform-postgres-db pg_isready -U appuser -d appdb\`
+7. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "select current_database(), current_user;"\`
+
+## Create a table
+
+After apply succeeds, try these one at a time:
+
+1. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "create table if not exists notes (id serial primary key, body text not null);"\`
+2. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "insert into notes (body) values ('hello from terraform-managed postgres');"\`
+3. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "select * from notes;"\`
+
+## Change something
+
+Edit \`variables.tf\`, for example change \`host_port\` from \`5433\` to \`5434\`, then run:
+
+1. \`terraform plan -out=tfplan\`
+2. \`terraform apply -auto-approve\`
+3. \`terraform output\`
+
+## Clean up
+
+Run:
+
+\`terraform destroy -auto-approve\`
+
+The named Docker volume is also Terraform-managed, so destroying the lab removes the database data volume too.
+
+## Mental model
+
+This is IaC [Infrastructure as Code] managing local Docker resources:
+
+- \`provider.tf\` tells Terraform how to talk to Docker.
+- \`main.tf\` declares Docker resources: image, volume, container.
+- \`terraform apply\` makes Docker match that desired state.
+- \`outputs.tf\` prints useful connection details.
+
+So this is not "Docker deployed to Docker". It is Terraform deploying a Postgres database container into local Docker.
+`,
+    "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "docker" {}
+`,
+    "variables.tf": `variable "container_name" {
+  description = "Name for the local Postgres Docker container."
+  type        = string
+  default     = "terraform-postgres-db"
+}
+
+variable "host_port" {
+  description = "Host port published to your machine for Postgres connections."
+  type        = number
+  default     = 5433
+}
+
+variable "postgres_version" {
+  description = "Postgres Docker image version."
+  type        = string
+  default     = "16-alpine"
+}
+
+variable "database_name" {
+  description = "Database created by the Postgres image on first startup."
+  type        = string
+  default     = "appdb"
+}
+
+variable "database_user" {
+  description = "Database user created by the Postgres image on first startup."
+  type        = string
+  default     = "appuser"
+}
+
+variable "database_password" {
+  description = "Local development password for the database user."
+  type        = string
+  default     = "local-dev-password"
+  sensitive   = true
+}
+`,
+    "main.tf": `resource "docker_image" "postgres" {
+  name         = "postgres:\${var.postgres_version}"
+  keep_locally = true
+}
+
+resource "docker_volume" "postgres_data" {
+  name = "\${var.container_name}-data"
+}
+
+resource "docker_container" "postgres" {
+  name    = var.container_name
+  image   = docker_image.postgres.image_id
+  restart = "unless-stopped"
+
+  env = [
+    "POSTGRES_DB=\${var.database_name}",
+    "POSTGRES_USER=\${var.database_user}",
+    "POSTGRES_PASSWORD=\${var.database_password}",
+    "PGDATA=/var/lib/postgresql/data/pgdata"
+  ]
+
+  ports {
+    internal = 5432
+    external = var.host_port
+  }
+
+  volumes {
+    volume_name    = docker_volume.postgres_data.name
+    container_path = "/var/lib/postgresql/data"
+  }
+
+  healthcheck {
+    test         = ["CMD-SHELL", "pg_isready -U \${var.database_user} -d \${var.database_name}"]
+    interval     = "5s"
+    timeout      = "3s"
+    start_period = "10s"
+    retries      = 10
+  }
+}
+`,
+    "outputs.tf": `output "container_name" {
+  value = docker_container.postgres.name
+}
+
+output "host" {
+  value = "localhost"
+}
+
+output "port" {
+  value = var.host_port
+}
+
+output "database_name" {
+  value = var.database_name
+}
+
+output "database_user" {
+  value = var.database_user
+}
+
+output "docker_exec_psql" {
+  value = "docker exec -e PGPASSWORD=local-dev-password \${docker_container.postgres.name} psql -U \${var.database_user} -d \${var.database_name} -c 'select current_database(), current_user;'"
+}
+
+output "connection_string" {
+  value     = "postgresql://\${var.database_user}:\${var.database_password}@localhost:\${var.host_port}/\${var.database_name}"
+  sensitive = true
+}
+`,
+  },
+};
+
+const AZURE_NETWORK_ACL_FILE_NAMES = [
+  "README.md",
+  "provider.tf",
+  "variables.tf",
+  "main.tf",
+  "outputs.tf",
+  "tfvars/dev.wu3.tfvars",
+  "modules/keyvault/main.tf",
+  "modules/storage-account/main.tf",
+  "modules/eventhub/main.tf",
+  "apps/azure-resource-mock/Dockerfile",
+  "apps/azure-resource-mock/server.js",
+];
+
+export const AZURE_NETWORK_ACL_DOCKER_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "Azure Network ACL Failure Lab",
+  provider: "docker",
+  executionMode: "docker",
+  activeFile: "README.md",
+  files: {
+    "README.md": `# Azure Network ACL Failure Lab — Local Docker Edition
+
+This lab recreates a common Azure Terraform failure without requiring an Azure subscription.
+
+Terraform still has the same shape as the real system:
+
+1. **tfvars** provides environment-specific values.
+2. **variables.tf** declares the inputs.
+3. **main.tf** wires those inputs into modules.
+4. Each module applies network lock-down rules from the same \`virtual_networks_allowed\` list.
+5. Docker containers stand in for Azure Key Vault, Storage Account, and Event Hub.
+
+The lab starts broken on purpose. The DEV deployment subscription is:
+
+- \`d05d3a9b-68eb-4dea-9f1c-208dc705ce2d\`
+
+But the subnet allowlist in \`tfvars/dev.wu3.tfvars\` points at the old platform networking subscription:
+
+- \`e2cbae49-43fe-49c9-b9e5-fdba61ccb575\`
+
+That reproduces the real bug chain:
+
+> New DEV resources are being deployed, but the security whitelist still points at old DEV networking.
+
+## Run the failure
+
+Use the Console tab one command at a time:
+
+1. \`terraform init\`
+2. \`terraform plan -var-file=tfvars/dev.wu3.tfvars -out=tfplan\`
+
+Terraform should fail before it starts the mock containers. That is intentional.
+
+## Trace the value path
+
+Follow this order:
+
+1. Open \`tfvars/dev.wu3.tfvars\` and find \`virtual_networks_allowed\`.
+2. Open \`variables.tf\` and find \`variable "virtual_networks_allowed"\`.
+3. Open \`main.tf\` and see that value passed into:
+  - \`module "keyvault"\`
+  - \`module "storage_account"\`
+  - \`module "eventhub"\`
+4. Open each module and find where the value becomes network rules:
+  - \`modules/keyvault/main.tf\` → \`network_acls\`
+  - \`modules/storage-account/main.tf\` → \`network_rules\`
+  - \`modules/eventhub/main.tf\` → \`network_rulesets\`
+
+## Fix it
+
+In \`tfvars/dev.wu3.tfvars\`, replace the old subnet subscription/resource group with the current DEV networking values:
+
+- subscription: \`d05d3a9b-68eb-4dea-9f1c-208dc705ce2d\`
+- resource group: \`plfdev02shrwu3-networking\`
+
+The fixed subnet IDs should look like:
+
+\`/subscriptions/d05d3a9b-68eb-4dea-9f1c-208dc705ce2d/resourceGroups/plfdev02shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev02-vnet/subnets/app\`
+
+Then rerun:
+
+1. \`terraform plan -var-file=tfvars/dev.wu3.tfvars -out=tfplan\`
+2. \`terraform apply -auto-approve -var-file=tfvars/dev.wu3.tfvars\`
+3. \`terraform output\`
+4. \`curl -s http://localhost:4311/health\`
+5. \`curl -s http://localhost:4312/health\`
+6. \`curl -s http://localhost:4313/health\`
+
+## Clean up
+
+Run:
+
+\`terraform destroy -auto-approve -var-file=tfvars/dev.wu3.tfvars\`
+
+If you want to inspect Docker directly:
+
+- \`docker ps -a\`
+- \`docker logs azure-acl-lab-keyvault\`
+- \`docker logs azure-acl-lab-storage\`
+- \`docker logs azure-acl-lab-eventhub\`
+
+## Interview summary
+
+The bug is not that Key Vault, Storage, or Event Hub cannot be created. The bug is that all three modules consume the same stale \`virtual_networks_allowed\` value, so all three try to apply firewall rules for subnets Azure cannot resolve anymore.
+`,
+    "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+}
+`,
+    "variables.tf": `variable "name_prefix" {
+  description = "Prefix used for local Docker containers and image names."
+  type        = string
+  default     = "azure-acl-lab"
+}
+
+variable "location" {
+  description = "Azure region label used by the mock resources."
+  type        = string
+  default     = "westus3"
+}
+
+variable "az_subscription_id" {
+  description = "Current DEV subscription receiving the deployment."
+  type        = string
+  default     = "d05d3a9b-68eb-4dea-9f1c-208dc705ce2d"
+}
+
+variable "expected_network_resource_group" {
+  description = "Networking resource group that should own DEV subnets now."
+  type        = string
+  default     = "plfdev02shrwu3-networking"
+}
+
+variable "virtual_networks_allowed" {
+  description = "Subnet IDs trusted by Key Vault, Storage, and Event Hub firewalls."
+  type        = list(string)
+
+  # Broken on purpose. The tfvars file mirrors the same old subnet IDs.
+  default = [
+    "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/app",
+    "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/private-endpoints"
+  ]
+}
+`,
+    "main.tf": `locals {
+  mock_image = "\${var.name_prefix}/azure-resource-mock:local"
+}
+
+# This one Docker image stands in for Azure platform services. The modules below
+# run the same image with different RESOURCE_KIND values so you can inspect
+# Key Vault, Storage Account, and Event Hub independently.
+resource "terraform_data" "mock_image" {
+  triggers_replace = {
+    dockerfile = filesha1("\${path.module}/apps/azure-resource-mock/Dockerfile")
+    server     = filesha1("\${path.module}/apps/azure-resource-mock/server.js")
+  }
+
+  provisioner "local-exec" {
+    command = "docker build -t \${local.mock_image} apps/azure-resource-mock"
+  }
+}
+
+module "keyvault" {
+  source = "./modules/keyvault"
+
+  resource_name                   = "\${var.name_prefix}-kv"
+  container_name                  = "\${var.name_prefix}-keyvault"
+  host_port                       = 4311
+  image_name                      = local.mock_image
+  current_subscription_id         = var.az_subscription_id
+  expected_network_subscription_id = var.az_subscription_id
+  expected_network_resource_group = var.expected_network_resource_group
+  virtual_networks_allowed        = var.virtual_networks_allowed
+
+  depends_on = [terraform_data.mock_image]
+}
+
+module "storage_account" {
+  source = "./modules/storage-account"
+
+  resource_name                   = replace("\${var.name_prefix}storage", "-", "")
+  container_name                  = "\${var.name_prefix}-storage"
+  host_port                       = 4312
+  image_name                      = local.mock_image
+  current_subscription_id         = var.az_subscription_id
+  expected_network_subscription_id = var.az_subscription_id
+  expected_network_resource_group = var.expected_network_resource_group
+  virtual_networks_allowed        = var.virtual_networks_allowed
+
+  depends_on = [terraform_data.mock_image]
+}
+
+module "eventhub" {
+  source = "./modules/eventhub"
+
+  resource_name                   = "\${var.name_prefix}-eh"
+  container_name                  = "\${var.name_prefix}-eventhub"
+  host_port                       = 4313
+  image_name                      = local.mock_image
+  current_subscription_id         = var.az_subscription_id
+  expected_network_subscription_id = var.az_subscription_id
+  expected_network_resource_group = var.expected_network_resource_group
+  virtual_networks_allowed        = var.virtual_networks_allowed
+
+  depends_on = [terraform_data.mock_image]
+}
+`,
+    "outputs.tf": `output "keyvault_url" {
+  value = module.keyvault.url
+}
+
+output "storage_account_url" {
+  value = module.storage_account.url
+}
+
+output "eventhub_url" {
+  value = module.eventhub.url
+}
+
+output "debug_chain" {
+  value = {
+    current_subscription      = var.az_subscription_id
+    expected_network_rg       = var.expected_network_resource_group
+    virtual_networks_allowed  = var.virtual_networks_allowed
+    shared_failure_explainer  = "All three modules consume virtual_networks_allowed, so one stale subnet list breaks every resource firewall."
+  }
+}
+`,
+    "tfvars/dev.wu3.tfvars": `# DEV deploys into the new subscription.
+az_subscription_id = "d05d3a9b-68eb-4dea-9f1c-208dc705ce2d"
+location           = "westus3"
+
+# DEV networking moved. The modules expect subnet IDs from this resource group.
+expected_network_resource_group = "plfdev02shrwu3-networking"
+
+# Broken on purpose: these still point at the old platform networking subscription
+# and old networking resource group.
+virtual_networks_allowed = [
+  "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/app",
+  "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/private-endpoints"
+]
+`,
+    "modules/keyvault/main.tf": `variable "resource_name" { type = string }
+variable "container_name" { type = string }
+variable "host_port" { type = number }
+variable "image_name" { type = string }
+variable "current_subscription_id" { type = string }
+variable "expected_network_subscription_id" { type = string }
+variable "expected_network_resource_group" { type = string }
+variable "virtual_networks_allowed" { type = list(string) }
+
+# Mirrors azurerm_key_vault.network_acls.virtual_network_subnet_ids.
+resource "terraform_data" "network_acls" {
+  input = var.virtual_networks_allowed
+
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for subnet_id in var.virtual_networks_allowed :
+        can(regex("^/subscriptions/\${var.expected_network_subscription_id}/resourceGroups/\${var.expected_network_resource_group}/providers/Microsoft.Network/virtualNetworks/.+/subnets/.+$", subnet_id))
+      ])
+      error_message = "Key Vault network_acls rejected virtual_networks_allowed. Expected subnet IDs from subscription \${var.expected_network_subscription_id} and resource group \${var.expected_network_resource_group}."
+    }
+  }
+}
+
+resource "terraform_data" "keyvault_mock" {
+  input = {
+    container_name = var.container_name
+    url            = "http://localhost:\${var.host_port}"
+  }
+
+  provisioner "local-exec" {
+    command = "docker rm -f \${var.container_name} >/dev/null 2>&1 || true && docker run -d --name \${var.container_name} -p \${var.host_port}:8080 -e RESOURCE_KIND=KeyVault -e RESOURCE_NAME=\${var.resource_name} -e CURRENT_SUBSCRIPTION_ID=\${var.current_subscription_id} -e ALLOWED_SUBNET_IDS='\${join(",", var.virtual_networks_allowed)}' \${var.image_name}"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "docker rm -f \${self.input.container_name} >/dev/null 2>&1 || true"
+  }
+
+  depends_on = [terraform_data.network_acls]
+}
+
+output "url" {
+  value = terraform_data.keyvault_mock.input.url
+}
+`,
+    "modules/storage-account/main.tf": `variable "resource_name" { type = string }
+variable "container_name" { type = string }
+variable "host_port" { type = number }
+variable "image_name" { type = string }
+variable "current_subscription_id" { type = string }
+variable "expected_network_subscription_id" { type = string }
+variable "expected_network_resource_group" { type = string }
+variable "virtual_networks_allowed" { type = list(string) }
+
+# Mirrors azurerm_storage_account.network_rules.virtual_network_subnet_ids.
+resource "terraform_data" "network_rules" {
+  input = var.virtual_networks_allowed
+
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for subnet_id in var.virtual_networks_allowed :
+        can(regex("^/subscriptions/\${var.expected_network_subscription_id}/resourceGroups/\${var.expected_network_resource_group}/providers/Microsoft.Network/virtualNetworks/.+/subnets/.+$", subnet_id))
+      ])
+      error_message = "Storage Account network_rules rejected virtual_networks_allowed. Expected subnet IDs from subscription \${var.expected_network_subscription_id} and resource group \${var.expected_network_resource_group}."
+    }
+  }
+}
+
+resource "terraform_data" "storage_mock" {
+  input = {
+    container_name = var.container_name
+    url            = "http://localhost:\${var.host_port}"
+  }
+
+  provisioner "local-exec" {
+    command = "docker rm -f \${var.container_name} >/dev/null 2>&1 || true && docker run -d --name \${var.container_name} -p \${var.host_port}:8080 -e RESOURCE_KIND=StorageAccount -e RESOURCE_NAME=\${var.resource_name} -e CURRENT_SUBSCRIPTION_ID=\${var.current_subscription_id} -e ALLOWED_SUBNET_IDS='\${join(",", var.virtual_networks_allowed)}' \${var.image_name}"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "docker rm -f \${self.input.container_name} >/dev/null 2>&1 || true"
+  }
+
+  depends_on = [terraform_data.network_rules]
+}
+
+output "url" {
+  value = terraform_data.storage_mock.input.url
+}
+`,
+    "modules/eventhub/main.tf": `variable "resource_name" { type = string }
+variable "container_name" { type = string }
+variable "host_port" { type = number }
+variable "image_name" { type = string }
+variable "current_subscription_id" { type = string }
+variable "expected_network_subscription_id" { type = string }
+variable "expected_network_resource_group" { type = string }
+variable "virtual_networks_allowed" { type = list(string) }
+
+locals {
+  virtual_network_rule = [
+    for subnet_id in var.virtual_networks_allowed : {
+      subnet_id = subnet_id
+      ignore_missing_virtual_network_service_endpoint = false
+    }
+  ]
+}
+
+# Mirrors azurerm_eventhub_namespace.network_rulesets.virtual_network_rule.
+resource "terraform_data" "network_rulesets" {
+  input = local.virtual_network_rule
+
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for rule in local.virtual_network_rule :
+        can(regex("^/subscriptions/\${var.expected_network_subscription_id}/resourceGroups/\${var.expected_network_resource_group}/providers/Microsoft.Network/virtualNetworks/.+/subnets/.+$", rule.subnet_id))
+      ])
+      error_message = "Event Hub network_rulesets rejected virtual_networks_allowed. Expected subnet IDs from subscription \${var.expected_network_subscription_id} and resource group \${var.expected_network_resource_group}."
+    }
+  }
+}
+
+resource "terraform_data" "eventhub_mock" {
+  input = {
+    container_name = var.container_name
+    url            = "http://localhost:\${var.host_port}"
+  }
+
+  provisioner "local-exec" {
+    command = "docker rm -f \${var.container_name} >/dev/null 2>&1 || true && docker run -d --name \${var.container_name} -p \${var.host_port}:8080 -e RESOURCE_KIND=EventHub -e RESOURCE_NAME=\${var.resource_name} -e CURRENT_SUBSCRIPTION_ID=\${var.current_subscription_id} -e ALLOWED_SUBNET_IDS='\${join(",", var.virtual_networks_allowed)}' \${var.image_name}"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "docker rm -f \${self.input.container_name} >/dev/null 2>&1 || true"
+  }
+
+  depends_on = [terraform_data.network_rulesets]
+}
+
+output "url" {
+  value = terraform_data.eventhub_mock.input.url
+}
+`,
+    "apps/azure-resource-mock/Dockerfile": `FROM node:20-alpine
+WORKDIR /app
+COPY server.js ./server.js
+EXPOSE 8080
+CMD ["node", "server.js"]
+`,
+    "apps/azure-resource-mock/server.js": `import http from "node:http";
+
+const port = Number(process.env.PORT || 8080);
+const resourceKind = process.env.RESOURCE_KIND || "AzureResource";
+const resourceName = process.env.RESOURCE_NAME || "local-resource";
+const subscriptionId = process.env.CURRENT_SUBSCRIPTION_ID || "unknown";
+const allowedSubnets = (process.env.ALLOWED_SUBNET_IDS || "")
+  .split(",")
+  .map((value) => value.trim())
+  .filter(Boolean);
+
+function json(res, statusCode, body) {
+  res.writeHead(statusCode, { "content-type": "application/json" });
+  res.end(JSON.stringify(body, null, 2));
+}
+
+function payload(path) {
+  return {
+    ok: true,
+    path,
+    resourceKind,
+    resourceName,
+    subscriptionId,
+    networkLockdown: {
+      defaultAction: "Deny",
+      allowedSubnets,
+      teachingPoint:
+        "In Azure this list is used by network_acls, network_rules, or network_rulesets. If any subnet ID is stale, the lock-down update fails."
+    }
+  };
+}
+
+const server = http.createServer((req, res) => {
+  const path = new URL(req.url || "/", "http://localhost").pathname;
+  if (path === "/" || path === "/health") return json(res, 200, payload(path));
+  if (path === "/secret") return json(res, 200, { ...payload(path), secretName: "demo-connection-string" });
+  if (path === "/blob") return json(res, 200, { ...payload(path), container: "solution-designs" });
+  if (path === "/events") return json(res, 200, { ...payload(path), eventHub: "solution-builder-events" });
+  return json(res, 404, { ok: false, error: "Not found", path });
+});
+
+server.listen(port, "0.0.0.0", () => {
+  console.log(resourceKind + " mock listening on 0.0.0.0:" + port);
+  console.log("Allowed subnets:", allowedSubnets);
+});
+`,
+  },
+};
+
+export const AZURE_NETWORK_ACL_BLANK_TEMPLATE: InfraLabWorkspace = {
+  version: 1,
+  label: "Azure Network ACL Blank Template",
+  provider: "docker",
+  executionMode: "docker",
+  activeFile: "README.md",
+  files: Object.fromEntries(
+    AZURE_NETWORK_ACL_FILE_NAMES.map((fileName) => [fileName, ""]),
+  ),
+};
+
+function hasWorkspaceFile(
+  files: Record<string, string>,
+  fileName: string,
+): boolean {
+  return Object.prototype.hasOwnProperty.call(files, fileName);
+}
+
 function refreshLegacyEnterpriseAuthFiles(
   source: InfraLabWorkspace,
   files: Record<string, string>,
@@ -404,7 +1060,7 @@ export function cloneInfraLabWorkspace(
       ? { ...source.files }
       : { ...DEFAULT_INFRA_FILES };
   const files = refreshLegacyEnterpriseAuthFiles(source, sourceFiles);
-  const activeFile = files[source.activeFile]
+  const activeFile = hasWorkspaceFile(files, source.activeFile)
     ? source.activeFile
     : (Object.keys(files)[0] ?? "main.tf");
 
@@ -438,14 +1094,22 @@ export function getInfraLabFileOrder(workspace: InfraLabWorkspace): string[] {
     "provider.tf",
     "variables.tf",
     "terraform.tfvars",
+    "tfvars/dev.wu3.tfvars",
     "outputs.tf",
     "locals.tf",
+    "modules/keyvault/main.tf",
+    "modules/storage-account/main.tf",
+    "modules/eventhub/main.tf",
+    "apps/azure-resource-mock/Dockerfile",
+    "apps/azure-resource-mock/server.js",
   ];
   const extras = Object.keys(workspace.files)
     .filter((name) => !preferred.includes(name))
     .sort();
 
-  return preferred.filter((name) => workspace.files[name]).concat(extras);
+  return preferred
+    .filter((name) => hasWorkspaceFile(workspace.files, name))
+    .concat(extras);
 }
 
 export function serializeInfraLabWorkspace(

package/template/cockpit.json

@@ -1,3 +1,3 @@
 {
-  "version": "0.23.0"
+  "version": "0.23.1"
 }