azure-deploy-cli 0.1.6__py3-none-any.whl

azure_deploy_cli/identity/service_principal.py

@@ -0,0 +1,268 @@
+"""Service principal lifecycle management."""
+
+import json
+import subprocess
+from typing import Any
+
+from ..utils.azure_cli import get_subscription_and_tenant, run_command
+from ..utils.logging import get_logger
+from .models import SPAuthCredentials, SPAuthCredentialsWithSecret, SPCreateResult
+
+logger = get_logger(__name__)
+
+
+def list_cmd(sp_name: str) -> list[str]:
+    """Build command to list service principals by name."""
+    return [
+        "az",
+        "ad",
+        "sp",
+        "list",
+        "--filter",
+        f"displayName eq '{sp_name}'",
+        "--output",
+        "json",
+    ]
+
+
+def exists_sp(sp_name: str) -> str | None:
+    """
+    Check if service principal exists by name.
+
+    Args:
+        sp_name: Display name of the service principal
+
+    Returns:
+        Object ID if found, None otherwise
+
+    Raises:
+        ValueError: If multiple service principals with same name found
+    """
+    result: list[dict[str, Any]] = run_command(list_cmd(sp_name))
+
+    if not result or len(result) == 0:
+        return None
+
+    if len(result) > 1:
+        raise ValueError(
+            f"Multiple service principals found with name '{sp_name}'. "
+            "Please use a more specific name."
+        )
+
+    sp_object_id: str = result[0]["id"]
+    return sp_object_id
+
+
+def get_sp(sp_name: str, subscription_id: str, tenant_id: str) -> SPCreateResult | None:
+    """
+    Get existing service principal by name.
+
+    Args:
+        sp_name: Display name of the service principal
+        subscription_id: Azure subscription ID
+        tenant_id: Azure tenant ID
+
+    Returns:
+        SPCreateResult if found, None otherwise
+    """
+    list_cmd_args: list[str] = list_cmd(sp_name)
+
+    try:
+        existing_sps: list[dict[str, Any]] = run_command(list_cmd_args)
+        if existing_sps:
+            logger.warning(f"Service principal '{sp_name}' already exists")
+            sp = existing_sps[0]
+            object_id: str = sp.get("id", "")
+            app_id: str = sp.get("appId", "")
+
+            if not object_id or not app_id:
+                raise ValueError("Failed to load existing service principal details")
+
+            # Note: existing SP won't have clientSecret - caller must reset
+            # credentials
+            return SPCreateResult(
+                objectId=object_id,
+                authCredentials=SPAuthCredentials(
+                    clientId=app_id,
+                    subscriptionId=subscription_id,
+                    tenantId=tenant_id,
+                ),
+            )
+    except (subprocess.CalledProcessError, json.JSONDecodeError):
+        return None
+    return None
+
+
+def create_sp(
+    sp_name: str,
+    skip_assignment: bool = True,
+) -> SPCreateResult:
+    """
+    Create a service principal if it doesn't already exist.
+
+    Args:
+        sp_name: Name of the service principal to create
+        skip_assignment: Whether to skip role assignment during creation
+
+    Returns:
+        SPCreateResult containing object ID and credentials
+
+    Raises:
+        subprocess.CalledProcessError: If creation fails
+        ValueError: If service principal creation is unsuccessful
+    """
+    try:
+        subscription_id, tenant_id = get_subscription_and_tenant()
+
+        logger.info(f"Checking if service principal '{sp_name}' exists")
+        result = get_sp(sp_name, subscription_id, tenant_id)
+        if result is not None:
+            logger.warning(f"Service principal '{sp_name}' already exists")
+            return result
+
+        logger.info(f"Creating service principal '{sp_name}'")
+        create_cmd: list[str] = [
+            "az",
+            "ad",
+            "sp",
+            "create-for-rbac",
+            "--name",
+            sp_name,
+            "--output",
+            "json",
+        ]
+
+        if skip_assignment:
+            create_cmd.insert(4, "--skip-assignment")
+
+        sp_output: dict[str, Any] = run_command(create_cmd)
+        get_sp_output = get_sp(sp_name, subscription_id, tenant_id)
+        if not get_sp_output:
+            raise ValueError("Failed to create service principal")
+        logger.info(f"{sp_output} {get_sp_output}")
+
+        object_id = get_sp_output.objectId
+        app_id = sp_output.get("appId", "")
+        client_secret = sp_output.get("password", "")
+
+        logger.success(f"Service principal '{sp_name}' created successfully")
+
+        return SPCreateResult(
+            objectId=object_id,
+            authCredentials=SPAuthCredentialsWithSecret(
+                clientId=app_id,
+                clientSecret=client_secret,
+                subscriptionId=subscription_id,
+                tenantId=tenant_id,
+            ),
+        )
+
+    except subprocess.CalledProcessError as e:
+        logger.error(f"Failed to create service principal: {str(e)}")
+        raise
+
+
+def reset_sp_credentials(
+    sp_name: str,
+    credential_name: str = "Grant Scraper",
+    years: int = 2,
+) -> SPAuthCredentialsWithSecret:
+    """
+    Reset service principal credentials.
+
+    Args:
+        sp_name: The display name of the service principal
+        credential_name: Display name for the credential
+        years: Number of years for the credential validity
+
+    Returns:
+        AuthCredentialsWithSecret with clientId, clientSecret,
+        subscriptionId, tenantId
+
+    Raises:
+        subprocess.CalledProcessError: If reset fails
+        ValueError: If service principal not found
+    """
+    try:
+        subscription_id, tenant_id = get_subscription_and_tenant()
+
+        logger.critical(f"Looking up service principal '{sp_name}'")
+
+        # Get the app ID for the service principal by name
+        sp_result = get_sp(sp_name, subscription_id, tenant_id)
+        if not sp_result:
+            raise ValueError(f"Service principal '{sp_name}' not found")
+
+        client_id = sp_result.authCredentials.clientId
+        logger.info(f"Found service principal with app ID: {client_id}")
+
+        logger.critical(f"Resetting credentials for service principal '{sp_name}'")
+
+        reset_cmd: list[str] = [
+            "az",
+            "ad",
+            "sp",
+            "credential",
+            "reset",
+            "--id",
+            client_id,
+            "--display-name",
+            credential_name,
+            "--years",
+            str(years),
+            "--output",
+            "json",
+        ]
+
+        result: dict[str, Any] = run_command(reset_cmd)
+
+        logger.success(f"Credentials reset for service principal '{sp_name}'")
+
+        return SPAuthCredentialsWithSecret(
+            clientId=client_id,
+            clientSecret=result.get("password", ""),
+            subscriptionId=subscription_id,
+            tenantId=tenant_id,
+        )
+
+    except subprocess.CalledProcessError as e:
+        logger.error(f"Failed to reset service principal credentials: {str(e)}")
+        raise
+
+
+def delete_service_principal_by_name(sp_name: str) -> None:
+    """
+    Delete a service principal by display name.
+
+    Args:
+        sp_name: The display name of the service principal to delete
+
+    Raises:
+        subprocess.CalledProcessError: If the delete operation fails
+        ValueError: If the service principal is not found
+    """
+    try:
+        logger.info(f"Looking up service principal '{sp_name}'")
+        sp_object_id = exists_sp(sp_name)
+        if not sp_object_id:
+            logger.success(f"Service principal '{sp_name}' does not exist; nothing to delete")
+            return
+        logger.info(f"Found service principal with object ID: {sp_object_id}")
+
+        delete_cmd: list[str] = [
+            "az",
+            "ad",
+            "sp",
+            "delete",
+            "--id",
+            sp_object_id,
+            "--output",
+            "json",
+        ]
+
+        run_command(delete_cmd)
+        logger.success(f"Service principal '{sp_name}' deleted successfully")
+
+    except subprocess.CalledProcessError as e:
+        logger.error(f"Failed to delete service principal: {str(e)}")
+        raise

azure_deploy_cli/utils/azure_cli.py

@@ -0,0 +1,96 @@
+import json
+import os
+import subprocess
+from typing import Any
+
+from .logging import get_logger
+
+logger = get_logger(__name__)
+
+# Singleton credential instance
+_credential = None
+
+
+def run_command(command: list[str]) -> Any:
+    """
+    Run an Azure CLI command and return the JSON output.
+
+    Args:
+        command: List of command arguments starting with 'az'
+
+    Returns:
+        Parsed JSON output from the command
+
+    Raises:
+        subprocess.CalledProcessError: If command fails
+    """
+    try:
+        # Set environment to suppress Azure authentication logs
+        env = os.environ.copy()
+        env["AZURE_CORE_ONLY_SHOW_ERRORS"] = "True"
+
+        result = subprocess.run(
+            command,
+            capture_output=True,
+            text=True,
+            check=True,
+            env=env,
+        )
+        if result.stdout.strip() == "":
+            return {}
+        return json.loads(result.stdout)
+    except subprocess.CalledProcessError as e:
+        logger.error(f"Command failed: {' '.join(command)}")
+        logger.error(f"Error: {e.stderr}")
+        raise
+    except json.JSONDecodeError as e:
+        logger.error(f"Failed to parse JSON output: {e}")
+        return {}
+
+
+def get_subscription_and_tenant() -> tuple[str, str]:
+    """
+    Get subscription ID and tenant ID from Azure CLI.
+
+    Returns:
+        Tuple of (subscription_id, tenant_id)
+
+    Raises:
+        ValueError: If subscription or tenant ID cannot be retrieved
+    """
+    account_info = run_command(["az", "account", "show", "--output", "json"])
+    subscription_id: str = account_info.get("id", "")
+    tenant_id: str = account_info.get("tenantId", "")
+
+    if not subscription_id or not tenant_id:
+        raise ValueError("Failed to retrieve subscription or tenant information")
+
+    return subscription_id, tenant_id
+
+
+def get_credential(cache: bool = True):
+    """
+    Get or create Azure CLI credential.
+
+    Args:
+        cache: If True, returns cached credential singleton. If False,
+        creates new credential each time.
+
+    Returns:
+        AzureCliCredential instance
+
+    Note:
+        Using cached credentials (cache=True) is recommended for most use cases to avoid
+        repeated authentication overhead. Set cache=False only if you need isolated credentials
+        for testing or specific scenarios.
+    """
+    from azure.identity import AzureCliCredential
+
+    global _credential
+
+    if cache:
+        if _credential is None:
+            _credential = AzureCliCredential()
+        return _credential
+    else:
+        return AzureCliCredential()

azure_deploy_cli/utils/docker.py

@@ -0,0 +1,137 @@
+"""Docker utility functions for image operations."""
+
+import subprocess
+from pathlib import Path
+
+
+def image_exists(full_image_name: str) -> bool:
+    """
+    Check if a Docker image exists locally.
+
+    Args:
+        full_image_name: Full image name including registry, repository, and tag
+
+    Returns:
+        True if the image exists locally, False otherwise
+    """
+    check_image_result = subprocess.run(
+        ["docker", "image", "inspect", full_image_name],
+        capture_output=True,
+        text=True,
+    )
+    return check_image_result.returncode == 0
+
+
+def push_image(full_image_name: str) -> None:
+    """
+    Push a Docker image to the registry.
+
+    Args:
+        full_image_name: Full image name including registry, repository, and tag
+
+    Raises:
+        RuntimeError: If the docker push command fails
+    """
+    push_result = subprocess.run(
+        ["docker", "push", full_image_name],
+        capture_output=True,
+        text=True,
+    )
+    if push_result.returncode != 0:
+        raise RuntimeError(f"Docker push failed {push_result.stderr}")
+
+
+def pull_image(full_image_name: str) -> None:
+    """
+    Pull a Docker image from the registry.
+
+    Args:
+        full_image_name: Full image name including registry, repository, and tag
+
+    Raises:
+        RuntimeError: If the docker pull command fails
+    """
+    pull_result = subprocess.run(
+        ["docker", "pull", full_image_name],
+        capture_output=True,
+        text=True,
+    )
+    if pull_result.returncode != 0:
+        raise RuntimeError(f"Docker pull failed: {pull_result.stderr}")
+
+
+def tag_image(source_image: str, target_image: str) -> None:
+    """
+    Tag a Docker image locally.
+
+    Args:
+        source_image: Full name of the source image
+        target_image: Full name of the target image
+
+    Raises:
+        RuntimeError: If the docker tag command fails
+    """
+    tag_result = subprocess.run(
+        ["docker", "tag", source_image, target_image],
+        capture_output=True,
+        text=True,
+    )
+    if tag_result.returncode != 0:
+        raise RuntimeError(f"Docker tag failed: {tag_result.stderr}")
+
+
+def pull_retag_and_push_image(
+    source_full_image_name: str,
+    target_full_image_name: str,
+) -> None:
+    """
+    Pull an existing image, retag it, and push to registry.
+
+    Args:
+        source_full_image_name: Full name of the source image (registry/image:tag)
+        target_full_image_name: Full name of the target image (registry/image:new_tag)
+
+    Raises:
+        RuntimeError: If the source image doesn't exist or operations fail
+    """
+    if not image_exists(source_full_image_name):
+        pull_image(source_full_image_name)
+
+    tag_image(source_full_image_name, target_full_image_name)
+    push_image(target_full_image_name)
+
+
+def build_and_push_image(
+    dockerfile: str,
+    full_image_name: str,
+) -> None:
+    """
+    Build a Docker image using buildx and push to registry.
+
+    Args:
+        dockerfile: Path to the Dockerfile
+        full_image_name: Full image name including registry, repository, and tag
+
+    Raises:
+        RuntimeError: If the docker build and push command fails
+    """
+    src_folder = str(Path(dockerfile).parent)
+    build_result = subprocess.run(
+        [
+            "docker",
+            "buildx",
+            "build",
+            "--platform",
+            "linux/amd64",
+            "-t",
+            full_image_name,
+            "-f",
+            dockerfile,
+            src_folder,
+            "--push",
+        ],
+        capture_output=True,
+        text=True,
+    )
+    if build_result.returncode != 0:
+        raise RuntimeError(f"Docker build and push failed: {build_result.stderr}")

azure_deploy_cli/utils/env.py

@@ -0,0 +1,108 @@
+"""Environment variable and credential file handling utilities."""
+
+from pathlib import Path
+from string import Template
+
+from dotenv import dotenv_values
+
+from .logging import get_logger
+
+logger = get_logger(__name__)
+
+
+def substitute_env_vars(value: str, env_vars: dict[str, str]) -> str:
+    """
+    Substitute environment variables in a string using Template format.
+
+    All ${VAR_NAME} placeholders in the value must have corresponding entries in
+    env_vars, otherwise a KeyError is raised.
+
+    Args:
+        value: String with ${VAR_NAME} placeholders
+        env_vars: Dictionary of variable values
+
+    Returns:
+        Fully substituted string with all variables replaced
+
+    Raises:
+        KeyError: If any ${VAR_NAME} placeholders in value are not found in
+                  env_vars
+
+    Example:
+        >>> env_vars = {
+        ...     "SUBSCRIPTION_ID": "12345678-1234-1234-1234-123456789012",
+        ...     "RESOURCE_GROUP": "my-rg",
+        ...     "OPENAI_RESOURCE_NAME": "my-openai",
+        ... }
+        >>> scope = "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/\
+        ${RESOURCE_GROUP}/providers/Microsoft.CognitiveServices/accounts/\
+        ${OPENAI_RESOURCE_NAME}"
+        >>> substitute_env_vars(scope, env_vars)
+        '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/\
+        my-rg/providers/Microsoft.CognitiveServices/accounts/my-openai'
+    """
+    template = Template(value)
+    result = template.substitute(env_vars)
+    return result
+
+
+def load_env_vars_from_files(
+    env_file_paths: list[Path] | None,
+) -> dict[str, str]:
+    """
+    Load environment variables from multiple .env files using python-dotenv.
+
+    Files are loaded in order and merged, with later files overriding earlier
+    ones.
+
+    Args:
+        env_file_paths: List of paths to .env files with KEY=VALUE format
+
+    Returns:
+        Merged dictionary of environment variables
+
+    Raises:
+        FileNotFoundError: If any file doesn't exist
+        Exception: If file parsing fails
+    """
+    if not env_file_paths:
+        return {}
+
+    merged_vars: dict[str, str | None] = {}
+
+    for env_file_path in env_file_paths:
+        env_vars = dotenv_values(env_file_path)
+        merged_vars.update(env_vars)
+        logger.info(f"Loaded {len(env_vars)} variables from {env_file_path}")
+
+    logger.info(f"Total merged: {len(merged_vars)} unique environment variables")
+    merged_vars_cleaned: dict[str, str] = {k: v for k, v in merged_vars.items() if v is not None}
+    return merged_vars_cleaned
+
+
+def add_var_to_env_file(
+    env_var_map: dict[str, str],
+    env_file_path: Path,
+) -> None:
+    """
+    Add or update in an environment file.
+
+    Args:
+        env_var_map: Dictionary of environment variable key-value pairs
+        env_file_path: Path to the environment file
+    """
+    env_file_path.parent.mkdir(parents=True, exist_ok=True)
+    existing_content = ""
+    if env_file_path.exists():
+        with open(env_file_path) as f:
+            existing_content = f.read()
+    lines = [
+        line
+        for line in existing_content.split("\n")
+        if not any(line.startswith(f"{env_var_key}=") for env_var_key in env_var_map.keys())
+    ]
+    with open(env_file_path, "w") as f:
+        f.write("\n".join(lines).rstrip())
+        for env_var_key, env_var_value in env_var_map.items():
+            env_var_line = f"{env_var_key}={env_var_value}\n"
+            f.write("\n" + env_var_line)

azure_deploy_cli/utils/key_vault.py

@@ -0,0 +1,11 @@
+from azure.mgmt.keyvault import KeyVaultManagementClient
+
+from ..utils.azure_cli import get_credential
+
+
+def get_key_vault_client(
+    subscription_id: str, resource_group: str, key_vault_name: str
+) -> KeyVaultManagementClient:
+    credential = get_credential()
+    kv_client = KeyVaultManagementClient(credential, subscription_id)
+    return kv_client