diff --git a/.kiro/specs/azure-integration/.config.kiro b/.kiro/specs/azure-integration/.config.kiro new file mode 100644 index 00000000..1ba4fbc2 --- /dev/null +++ b/.kiro/specs/azure-integration/.config.kiro @@ -0,0 +1 @@ +{"specId": "a7e3c1d2-8f45-4b9a-b6d1-3e2f7a8c9d0e", "workflowType": "requirements-first", "specType": "feature"} \ No newline at end of file diff --git a/.kiro/specs/azure-integration/design.md b/.kiro/specs/azure-integration/design.md new file mode 100644 index 00000000..f32c47a2 --- /dev/null +++ b/.kiro/specs/azure-integration/design.md @@ -0,0 +1,781 @@ +# Design Document: Azure Integration + +## Overview + +This design adds Azure Virtual Machine management to Pabawi, mirroring the existing AWS EC2 integration architecture. The Azure integration provides VM inventory discovery, facts retrieval, provisioning, lifecycle management (start/stop/restart/deallocate), resource discovery, journal tracking, and a frontend setup guide — all wired through the established plugin system. + +The integration uses the Azure SDK for JavaScript (`@azure/arm-compute`, `@azure/identity`, `@azure/arm-network`, `@azure/arm-resources`) and follows the same BasePlugin → IntegrationManager registration pattern used by AWS, Proxmox, and other integrations. + +## Architecture + +```mermaid +graph TB + subgraph Frontend + ASG[AzureSetupGuide.svelte] + ISP[IntegrationSetupPage.svelte] + ISP -->|azure| ASG + end + + subgraph Backend Routes + AR[azure.ts Router
/api/integrations/azure/*] + end + + subgraph Plugin Layer + AP[AzurePlugin
extends BasePlugin
type: both] + AS[AzureService
wraps Azure SDK clients] + AP --> AS + end + + subgraph Core Services + IM[IntegrationManager] + CS[ConfigService
parseIntegrationsConfig] + ICS[IntegrationColorService] + JS[JournalService] + JC[JournalCollectors
collectAzureStateEntry] + end + + subgraph Azure SDK + CC[ComputeManagementClient] + NC[NetworkManagementClient] + RC[ResourceManagementClient] + SC[SubscriptionClient] + ID[DefaultAzureCredential /
ClientSecretCredential] + end + + AR --> AP + AP -->|registers with| IM + CS -->|getAzureConfig| AP + AP -->|records events| JS + JC -->|detects state changes| AS + ICS -->|azure color| Frontend + AS --> CC + AS --> NC + AS --> RC + AS --> SC + AS --> ID +``` + +### Registration Flow (mirrors AWS) + +```mermaid +sequenceDiagram + participant S as server.ts + participant CS as ConfigService + participant AP as AzurePlugin + participant AS as AzureService + participant IM as IntegrationManager + + S->>CS: getAzureConfig() + alt Azure enabled + CS-->>S: { enabled: true, tenantId, clientId, ... } + S->>AP: new AzurePlugin(logger, perfMon) + S->>IM: registerPlugin(azurePlugin, integrationConfig) + IM->>AP: initialize(config) + AP->>AP: validateAzureConfig(config) + AP->>AS: new AzureService(config, logger) + AS->>AS: create credential (ClientSecret or Default) + AP-->>IM: initialized + else Azure disabled + CS-->>S: null + S->>S: log "Azure not configured — skipping" + end +``` + +## Components and Interfaces + +### 1. AzurePlugin (`backend/src/integrations/azure/AzurePlugin.ts`) + +Extends `BasePlugin` with `type = "both"`, implementing both `InformationSourcePlugin` and `ExecutionToolPlugin`. Mirrors `AWSPlugin` exactly. + +```typescript +class AzurePlugin extends BasePlugin implements InformationSourcePlugin, ExecutionToolPlugin { + readonly type = "both"; + private service?: AzureService; + private journalService?: JournalService; + + constructor(logger?: LoggerService, performanceMonitor?: PerformanceMonitorService, journalService?: JournalService); + + // BasePlugin overrides + protected performInitialization(): Promise; + protected performHealthCheck(): Promise>; + + // InformationSourcePlugin + getInventory(): Promise; + getGroups(): Promise; + getNodeFacts(nodeId: string): Promise; + getNodeData(nodeId: string, dataType: string): Promise; + + // ExecutionToolPlugin + executeAction(action: Action): Promise; + listCapabilities(): Capability[]; + listProvisioningCapabilities(): ProvisioningCapability[]; + + // Resource discovery (delegated to AzureService) + getLocations(): Promise; + getVMSizes(location: string): Promise; + getImages(publisher?: string, offer?: string, sku?: string): Promise; + getResourceGroups(): Promise; + + // Journal injection + setJournalService(journalService: JournalService): void; + + // Internal + private validateAzureConfig(config: AzureConfig): void; + private handleProvision(action: Action): Promise; + private handleLifecycle(action: Action): Promise; + private recordJournal(entry: CreateJournalEntry): Promise; + private mapActionToEventType(action: string): JournalEventType; +} +``` + +### 2. AzureService (`backend/src/integrations/azure/AzureService.ts`) + +Wraps Azure SDK clients. Mirrors `AWSService` structure. + +```typescript +class AzureService { + private computeClient: ComputeManagementClient; + private networkClient: NetworkManagementClient; + private resourceClient: ResourceManagementClient; + private subscriptionClient: SubscriptionClient; + private credential: TokenCredential; + private subscriptionId: string; + private resourceGroups?: string[]; + private logger: LoggerService; + + constructor(config: AzureConfig, logger: LoggerService); + + // Credential validation + validateCredentials(): Promise<{ subscriptionName: string; subscriptionId: string; tenantId: string }>; + + // Inventory + getInventory(): Promise; + getGroups(): Promise; + getNodeFacts(nodeId: string): Promise; + + // Resource discovery + getLocations(): Promise; + getVMSizes(location: string): Promise; + getImages(publisher?: string, offer?: string, sku?: string): Promise; + getResourceGroups(): Promise; + + // Provisioning + provisionVM(params: Record): Promise; + + // Lifecycle + startVM(resourceGroup: string, vmName: string): Promise; + stopVM(resourceGroup: string, vmName: string): Promise; + restartVM(resourceGroup: string, vmName: string): Promise; + deallocateVM(resourceGroup: string, vmName: string): Promise; + + // Internal helpers + private throwIfAuthError(error: unknown): void; + private listVMsInResourceGroup(resourceGroup: string): Promise; + private listAllVMs(): Promise; + private transformVMToNode(vm: VirtualMachine, resourceGroup: string): Node; + private transformToFacts(nodeId: string, vm: VirtualMachine, instanceView: VirtualMachineInstanceView): Facts; + private parseNodeId(nodeId: string): { subscriptionId: string; resourceGroup: string; vmName: string }; + private groupByLocation(nodes: Node[]): NodeGroup[]; + private groupByResourceGroup(nodes: Node[]): NodeGroup[]; + private groupByTags(nodes: Node[]): NodeGroup[]; +} +``` + +### 3. Azure Types (`backend/src/integrations/azure/types.ts`) + +```typescript +// Configuration +interface AzureConfig { + tenantId?: string; + clientId?: string; + clientSecret?: string; + subscriptionId: string; + resourceGroups?: string[]; +} + +// Resource discovery types +interface AzureLocation { + name: string; + displayName: string; + regionalDisplayName?: string; +} + +interface VMSizeInfo { + name: string; + vCPUs: number; + memoryMB: number; + osDiskSizeGB: number; + maxDataDiskCount: number; +} + +interface VMImageInfo { + publisher: string; + offer: string; + sku: string; + version: string; +} + +interface ResourceGroupInfo { + name: string; + location: string; + tags: Record; +} + +// Error class +class AzureAuthenticationError extends Error { + constructor(message: string) { + super(message); + this.name = "AzureAuthenticationError"; + } +} +``` + +### 4. Azure Routes (`backend/src/routes/integrations/azure.ts`) + +```typescript +function createAzureRouter( + azurePlugin: AzurePlugin, + integrationManager?: IntegrationManager, + options?: { allowDestructiveActions?: boolean } +): Router; +``` + +Endpoints (all under `/api/integrations/azure`): + +| Method | Path | Description | Zod Schema | +|--------|------|-------------|------------| +| GET | `/inventory` | List Azure VMs | — | +| POST | `/provision` | Create a new VM | `AzureProvisionSchema` | +| POST | `/lifecycle` | Start/stop/restart/deallocate | `AzureLifecycleSchema` | +| POST | `/test` | Test connection | — | +| GET | `/locations` | List Azure locations | — | +| GET | `/vm-sizes` | List VM sizes for a location | `LocationQuerySchema` | +| GET | `/images` | List marketplace images | `ImageQuerySchema` | +| GET | `/resource-groups` | List resource groups | — | + +### 5. ConfigService Integration + +**`parseIntegrationsConfig()`** — add Azure block after the AWS block: + +```typescript +// Parse Azure configuration +if (process.env.AZURE_ENABLED === "true") { + const subscriptionId = process.env.AZURE_SUBSCRIPTION_ID; + if (!subscriptionId) { + throw new Error("AZURE_SUBSCRIPTION_ID is required when AZURE_ENABLED is true"); + } + + let resourceGroups: string[] | undefined; + if (process.env.AZURE_RESOURCE_GROUPS) { + resourceGroups = process.env.AZURE_RESOURCE_GROUPS.split(",").map(r => r.trim()).filter(Boolean); + } + + integrations.azure = { + enabled: true, + tenantId: process.env.AZURE_TENANT_ID, + clientId: process.env.AZURE_CLIENT_ID, + clientSecret: process.env.AZURE_CLIENT_SECRET, + subscriptionId, + resourceGroups, + }; +} +``` + +**`getAzureConfig()`** accessor — same pattern as `getAWSConfig()`: + +```typescript +public getAzureConfig(): + | (typeof this.config.integrations.azure & { enabled: true }) + | null { + const azure = this.config.integrations.azure; + if (azure?.enabled) { + return azure as typeof azure & { enabled: true }; + } + return null; +} +``` + +### 6. Schema Additions (`backend/src/config/schema.ts`) + +```typescript +export const AzureConfigSchema = z.object({ + enabled: z.boolean().default(false), + tenantId: z.string().optional(), + clientId: z.string().optional(), + clientSecret: z.string().optional(), + subscriptionId: z.string().optional(), + resourceGroups: z.array(z.string()).optional(), +}); + +export type AzureIntegrationConfig = z.infer; + +// Add to IntegrationsConfigSchema: +export const IntegrationsConfigSchema = z.object({ + // ... existing fields ... + azure: AzureConfigSchema.optional(), +}); +``` + +### 7. IntegrationColorService Addition + +```typescript +// In IntegrationColors interface, add: +azure: IntegrationColorConfig; + +// In the colors object: +azure: { + primary: '#0078D4', // Azure blue + light: '#E8F4FD', + dark: '#005A9E', +}, + +// IntegrationType automatically includes "azure" via keyof IntegrationColors +``` + +### 8. Journal Collector (`collectAzureStateEntry`) + +Added to `JournalCollectors.ts`, following the `collectAWSStateEntry` pattern: + +```typescript +interface AzureServiceLike { + getNodeFacts(nodeId: string): Promise<{ + facts: { + categories?: { + system: { + powerState: string; + vmName?: string; + resourceGroup?: string; + location?: string; + }; + }; + }; + }>; +} + +function mapAzurePowerStateToEventType(state: string): JournalEventType { + const mapping: Record = { + "VM running": "start", + "VM stopped": "stop", + "VM deallocated": "stop", + "VM deallocating": "stop", + "VM starting": "start", + "VM deleting": "destroy", + }; + return mapping[state] ?? "unknown"; +} + +async function collectAzureStateEntry( + azureService: AzureServiceLike, + vmName: string, + resourceGroup: string, + db: DatabaseAdapter, + nodeId: string, +): Promise; +``` + +The `JournalSourceSchema` already needs `"azure"` added as a valid source identifier. + +### 9. Server Registration (`backend/src/server.ts`) + +Following the AWS pattern: + +```typescript +import { createAzureRouter } from "./routes/integrations/azure"; +import { AzurePlugin } from "./integrations/azure/AzurePlugin"; + +// In startServer(): +let azurePlugin: AzurePlugin | undefined; +const azureConfig = config.integrations.azure; +const azureConfigured = azureConfig?.enabled === true; + +if (azureConfigured && azureConfig) { + azurePlugin = new AzurePlugin(logger, performanceMonitor); + const integrationConfig: IntegrationConfig = { + enabled: true, + name: "azure", + type: "both", + config: azureConfig as unknown as Record, + priority: 7, + }; + integrationManager.registerPlugin(azurePlugin, integrationConfig); +} + +// Mount routes: +if (azurePlugin) { + app.use("/api/integrations/azure", createAzureRouter(azurePlugin, integrationManager, { + allowDestructiveActions: configService.isDestructiveProvisioningAllowed(), + })); +} +``` + +### 10. Frontend — AzureSetupGuide (`frontend/src/components/AzureSetupGuide.svelte`) + +Mirrors `AWSSetupGuide.svelte`: + +- Form fields: Tenant ID, Client ID, Client Secret (password), Subscription ID, Resource Groups (optional, comma-separated), Default Location +- `generateEnvSnippet()` → produces `AZURE_ENABLED=true` + all `AZURE_*` vars +- `maskSensitiveValues()` → masks `AZURE_CLIENT_SECRET` +- Copy-to-clipboard button with toast notification +- Instructions to paste into `backend/.env` and restart +- Prerequisites section (Azure subscription, Service Principal, RBAC permissions) +- CLI validation commands (`az login`, `az vm list`) +- Troubleshooting section + +Registered in `IntegrationSetupPage.svelte` as `{:else if integration === 'azure'}` block and exported from `frontend/src/components/index.ts`. + +## Data Models + +### Node ID Format + +``` +azure:{subscriptionId}:{resourceGroup}:{vmName} +``` + +Example: `azure:12345678-abcd-efgh-ijkl-123456789012:my-rg:web-server-01` + +### Node Object (from `transformVMToNode`) + +```typescript +{ + id: "azure:{subscriptionId}:{resourceGroup}:{vmName}", + name: "{vmName}", + source: "azure", + status: "running" | "stopped" | "deallocated" | ..., + config: { + vmId: string, + powerState: string, + vmSize: string, + resourceGroup: string, + location: string, + tags: Record, + provisioningState: string, + osType: "Windows" | "Linux", + } +} +``` + +### Facts Object (from `transformToFacts`) + +```typescript +{ + nodeId: string, + source: "azure", + facts: { + os: { family: "windows" | "linux", name: string, release: string }, + networking: { hostname: string, interfaces: [...] }, + categories: { + system: { + vmName, vmId, powerState, vmSize, location, + provisioningState, osType, offer, sku, version, availabilityZone + }, + network: { + publicIp, privateIp, networkInterfaces: [...], + virtualNetwork, subnet, networkSecurityGroup + }, + hardware: { + vmSize, osDiskSizeGB, dataDiskCount, dataDiskDetails: [...] + }, + custom: { + tags: Record, + resourceGroup, subscriptionId + } + } + } +} +``` + +### NodeGroup ID Format + +``` +azure:{groupType}:{groupValue} +``` + +Examples: +- `azure:location:eastus` +- `azure:resourceGroup:my-rg` +- `azure:tag:Environment:production` + +### Zod Schemas for Route Validation + +```typescript +const AzureProvisionSchema = z.object({ + resourceGroup: z.string().min(1), + vmName: z.string().min(1), + location: z.string().min(1), + vmSize: z.string().optional().default("Standard_B1s"), + imageReference: z.object({ + publisher: z.string(), + offer: z.string(), + sku: z.string(), + version: z.string().optional().default("latest"), + }), + adminUsername: z.string().min(1), + adminPassword: z.string().optional(), + sshPublicKey: z.string().optional(), + networkInterfaceId: z.string().optional(), + subnetId: z.string().optional(), + tags: z.record(z.string()).optional(), +}); + +const AzureLifecycleSchema = z.object({ + vmName: z.string().min(1), + resourceGroup: z.string().min(1), + action: z.enum(["start", "stop", "restart", "deallocate"]), + subscriptionId: z.string().optional(), +}); + +const LocationQuerySchema = z.object({ + location: z.string().min(1, "Location is required"), +}); + +const ImageQuerySchema = z.object({ + publisher: z.string().optional(), + offer: z.string().optional(), + sku: z.string().optional(), +}); +``` + +## Sequence Diagrams + +### Inventory Discovery Flow + +```mermaid +sequenceDiagram + participant UI as Frontend + participant R as Azure Router + participant AP as AzurePlugin + participant AS as AzureService + participant SDK as Azure Compute Client + + UI->>R: GET /api/integrations/azure/inventory + R->>AP: getInventory() + AP->>AS: getInventory() + + alt Resource groups configured + loop Each configured resource group + AS->>SDK: listByResourceGroup(rg) + SDK-->>AS: VirtualMachine[] + end + else No resource groups configured + AS->>SDK: listAll() + SDK-->>AS: VirtualMachine[] + end + + AS->>AS: transformVMToNode(vm, rg) for each VM + AS-->>AP: Node[] + AP-->>R: Node[] + R-->>UI: { inventory: Node[] } +``` + +### VM Provisioning Flow + +```mermaid +sequenceDiagram + participant UI as Frontend + participant R as Azure Router + participant AP as AzurePlugin + participant AS as AzureService + participant SDK as Azure Compute Client + participant JS as JournalService + participant IM as IntegrationManager + + UI->>R: POST /api/integrations/azure/provision + R->>R: Validate body with AzureProvisionSchema + R->>AP: executeAction({ action: "provision", ... }) + AP->>AS: provisionVM(params) + AS->>SDK: virtualMachines.beginCreateOrUpdate(rg, vmName, vmParams) + SDK-->>AS: LRO poller + AS->>AS: poller.pollUntilDone() + SDK-->>AS: VirtualMachine (created) + AS-->>AP: resourceId + + AP->>JS: recordJournal({ eventType: "provision", source: "azure", ... }) + AP-->>R: ExecutionResult { status: "success" } + R->>IM: clearInventoryCache() + R-->>UI: { result: ExecutionResult } +``` + +### VM Lifecycle Flow + +```mermaid +sequenceDiagram + participant UI as Frontend + participant R as Azure Router + participant AP as AzurePlugin + participant AS as AzureService + participant SDK as Azure Compute Client + participant JS as JournalService + participant IM as IntegrationManager + + UI->>R: POST /api/integrations/azure/lifecycle + R->>R: Validate body with AzureLifecycleSchema + + alt action === "deallocate" && !allowDestructive + R-->>UI: 403 DESTRUCTIVE_ACTION_DISABLED + end + + R->>AP: executeAction({ action: "start"|"stop"|"restart"|"deallocate", ... }) + AP->>AS: startVM/stopVM/restartVM/deallocateVM(rg, vmName) + AS->>SDK: virtualMachines.beginStart/beginPowerOff/beginRestart/beginDeallocate + SDK-->>AS: LRO poller → done + AS-->>AP: void + + AP->>JS: recordJournal({ eventType, source: "azure", ... }) + AP-->>R: ExecutionResult { status: "success" } + R->>IM: clearInventoryCache() + R-->>UI: { result: ExecutionResult } +``` + + + +## Correctness Properties + +*A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.* + +### Property 1: Config parsing round-trip + +*For any* valid combination of AZURE_* environment variables (AZURE_ENABLED=true, optional tenantId, clientId, clientSecret, subscriptionId, resourceGroups), parsing them through `parseIntegrationsConfig()` SHALL produce an Azure config object where each field matches the corresponding environment variable value, and resourceGroups is correctly split from a comma-separated string into an array. + +**Validates: Requirements 2.1, 2.3** + +### Property 2: VM-to-Node transformation preserves identity and state + +*For any* valid Azure VirtualMachine object with a name, resource group, subscription, power state, VM size, location, and tags, `transformVMToNode()` SHALL produce a Node with id matching the format `azure:{subscriptionId}:{resourceGroup}:{vmName}`, name equal to the VM name, source equal to `"azure"`, status reflecting the power state, and config containing vmId, powerState, vmSize, resourceGroup, location, and tags. + +**Validates: Requirements 4.3, 4.4** + +### Property 3: Grouping produces correct membership and id format + +*For any* set of Azure VM nodes with varying locations, resource groups, and tags, the grouping functions SHALL produce NodeGroup objects where: (a) each group's id matches the format `azure:{groupType}:{groupValue}`, (b) every node appears in exactly the groups corresponding to its location, resource group, and matching tag keys, and (c) no group contains a node that doesn't belong to it. + +**Validates: Requirements 5.1, 5.2, 5.3, 5.4** + +### Property 4: Facts transformation includes all required categories + +*For any* valid Azure VirtualMachine and VirtualMachineInstanceView, `transformToFacts()` SHALL produce a Facts object containing: system category (vmName, vmId, powerState, vmSize, location, provisioningState, osType), network category (publicIp, privateIp, networkInterfaces), hardware category (vmSize, osDiskSizeGB, dataDiskCount), and custom category (tags, resourceGroup, subscriptionId). The os section SHALL have family set to `"windows"` or `"linux"` based on osType. + +**Validates: Requirements 6.2, 6.3, 6.4** + +### Property 5: Zod schemas reject invalid request bodies + +*For any* object that is missing required fields or has fields of incorrect types relative to `AzureProvisionSchema` or `AzureLifecycleSchema`, Zod validation SHALL throw a `ZodError`. Conversely, *for any* object that satisfies all required fields with correct types, validation SHALL succeed. + +**Validates: Requirements 7.5, 8.5, 12.3, 12.6** + +### Property 6: Action and power state mapping correctness + +*For any* valid lifecycle action string in `{"start", "stop", "restart", "deallocate"}`, `mapActionToEventType()` SHALL return the correct JournalEventType (`"start"`, `"stop"`, `"reboot"`, `"stop"` respectively). *For any* known Azure power state string, `mapAzurePowerStateToEventType()` SHALL return the correct JournalEventType per the defined mapping ("VM running" → "start", "VM stopped" → "stop", "VM deallocated" → "stop", "VM deleting" → "destroy"). + +**Validates: Requirements 9.2, 9.5** + +### Property 7: State change detection produces entries only on transitions + +*For any* pair of (previousState, currentState) Azure power state strings, `collectAzureStateEntry()` SHALL produce exactly one journal entry when previousState ≠ currentState, and zero entries when previousState = currentState. The produced entry's eventType SHALL match `mapAzurePowerStateToEventType(currentState)`. + +**Validates: Requirements 9.4** + +### Property 8: Auth error wrapping + +*For any* Azure SDK error whose code or message indicates an authentication or authorization failure (e.g., "AuthenticationFailed", "AuthorizationFailed", "InvalidAuthenticationToken"), `throwIfAuthError()` SHALL throw an `AzureAuthenticationError` with the original error message. *For any* non-auth error, it SHALL not throw an `AzureAuthenticationError`. + +**Validates: Requirements 13.2** + +### Property 9: generateEnvSnippet produces valid .env block + +*For any* form state with non-empty subscriptionId, `generateEnvSnippet()` SHALL produce a string containing `AZURE_ENABLED=true` and a line `AZURE_SUBSCRIPTION_ID={value}` for each populated field. Empty optional fields SHALL not appear in the output. The output SHALL be a valid .env format (one KEY=VALUE per line, comments starting with #). + +**Validates: Requirements 15.3** + +### Property 10: maskSensitiveValues preserves non-sensitive values + +*For any* .env snippet string, `maskSensitiveValues()` SHALL replace the value portion of `AZURE_CLIENT_SECRET=...` lines with asterisks, while leaving all other lines (including `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, comments) unchanged. The number of lines in the output SHALL equal the number of lines in the input. + +**Validates: Requirements 15.4** + +## Error Handling + +### Error Classes + +| Error Class | When Thrown | HTTP Status | +|---|---|---| +| `AzureAuthenticationError` | Azure SDK returns auth/authz error | 401 | +| `ZodError` (from Zod) | Request body/query validation fails | 422 (via `sendValidationError`) | +| `Error` ("VM not found") | Requested VM doesn't exist | 500 | +| `Error` ("AZURE_SUBSCRIPTION_ID required") | Config validation during init | Startup failure (logged, server continues) | + +### Error Handling Strategy + +1. **Authentication errors**: The `throwIfAuthError()` helper in `AzureService` inspects Azure SDK error codes (`AuthenticationFailed`, `AuthorizationFailed`, `InvalidAuthenticationToken`, `ExpiredAuthenticationToken`) and wraps them in `AzureAuthenticationError`. Routes catch this and return 401. + +2. **Validation errors**: All route handlers validate request bodies/queries with Zod schemas. `ZodError` is caught and passed to `sendValidationError()` for consistent 422 responses. + +3. **Resource not found**: When a VM lookup fails, `AzureService` throws a descriptive error including the VM identifier. Routes catch this as a generic error and return 500. + +4. **Initialization failures**: If `AzurePlugin.performInitialization()` throws (e.g., missing subscriptionId), the `IntegrationManager` logs the error and continues starting other plugins. The server remains operational without Azure. + +5. **Partial failures**: When querying multiple resource groups, if one fails, the error is logged and remaining groups continue to be queried. The inventory returns partial results rather than failing entirely. + +6. **Journal failures**: If `JournalService` is unavailable when recording an event, the failure is logged but the operation result is still returned to the caller. + +7. **Destructive action guard**: Deallocate requests are rejected with 403 when `ALLOW_DESTRUCTIVE_PROVISIONING=false`, matching the AWS terminate guard pattern. + +### Structured Logging + +All errors are logged via `LoggerService` with structured metadata: + +```typescript +{ + component: "AzurePlugin" | "AzureService" | "AzureRouter", + operation: "getInventory" | "provision" | "lifecycle" | ..., + metadata: { resourceGroup?, vmName?, subscriptionId?, action? } +} +``` + +## Testing Strategy + +### Property-Based Tests (fast-check, minimum 100 iterations each) + +| Property | Test File | What It Validates | +|---|---|---| +| P1: Config parsing | `test/properties/azure-config.property.test.ts` | Random env var combos parse correctly | +| P2: VM-to-Node transform | `test/properties/azure-transform.property.test.ts` | Node id format, fields, status | +| P3: Grouping membership | `test/properties/azure-groups.property.test.ts` | Group ids, node membership | +| P4: Facts completeness | `test/properties/azure-facts.property.test.ts` | All fact categories present | +| P5: Zod validation | `test/properties/azure-validation.property.test.ts` | Invalid bodies rejected | +| P6: Action/state mapping | `test/properties/azure-mapping.property.test.ts` | Correct event types | +| P7: State change detection | `test/properties/azure-journal.property.test.ts` | Entries on transitions only | +| P8: Auth error wrapping | `test/properties/azure-errors.property.test.ts` | Auth errors wrapped correctly | +| P9: generateEnvSnippet | `test/properties/azure-setup-guide.property.test.ts` | Valid .env output | +| P10: maskSensitiveValues | `test/properties/azure-setup-guide.property.test.ts` | Secrets masked, others preserved | + +Each property test is tagged: `// Feature: azure-integration, Property N: {description}` + +### Unit Tests (Vitest) + +| Area | Test File | Key Scenarios | +|---|---|---| +| AzurePlugin init | `src/integrations/azure/__tests__/AzurePlugin.test.ts` | Enabled/disabled, missing subscriptionId, credential fallback | +| AzurePlugin health | `src/integrations/azure/__tests__/AzurePlugin.test.ts` | Healthy, unhealthy (auth), unhealthy (network) | +| AzureService inventory | `src/integrations/azure/__tests__/AzureService.test.ts` | With/without resource groups, partial failures | +| AzureService lifecycle | `src/integrations/azure/__tests__/AzureService.test.ts` | Start, stop, restart, deallocate | +| AzureService provision | `src/integrations/azure/__tests__/AzureService.test.ts` | Success, auth error, param error | +| Azure routes | `test/integration/azure-routes.test.ts` | All endpoints, auth errors, validation errors, 403 guard | +| ConfigService | `test/unit/ConfigService.test.ts` | Azure config parsing, getAzureConfig() | +| IntegrationColorService | `test/unit/IntegrationColorService.test.ts` | Azure color entry exists, distinct from AWS/Proxmox | +| Journal collector | `test/unit/azure-journal-collector.test.ts` | State change detection, no-change case | +| AzureSetupGuide | `frontend/src/components/AzureSetupGuide.test.ts` | Form fields, snippet generation, masking, clipboard | + +### Integration Tests + +| Area | Test File | What It Validates | +|---|---|---| +| Server registration | `test/integration/azure-registration.test.ts` | Plugin registered when enabled, skipped when disabled | +| Route mounting | `test/integration/azure-routes.test.ts` | Routes accessible at /api/integrations/azure/* | +| End-to-end inventory | `test/integration/azure-inventory.test.ts` | Full flow from HTTP request to mocked Azure SDK response | + +### Mocking Strategy + +- Azure SDK clients (`ComputeManagementClient`, `NetworkManagementClient`, `ResourceManagementClient`, `SubscriptionClient`) are mocked in all unit and property tests +- `JournalService` is mocked to verify journal recording without database dependency +- `IntegrationManager.clearInventoryCache()` is mocked to verify cache invalidation +- No real Azure API calls in any test — all Azure SDK interactions are mocked diff --git a/.kiro/specs/azure-integration/requirements.md b/.kiro/specs/azure-integration/requirements.md new file mode 100644 index 00000000..5c784d54 --- /dev/null +++ b/.kiro/specs/azure-integration/requirements.md @@ -0,0 +1,212 @@ +# Requirements Document + +## Introduction + +Azure integration for Pabawi, providing VM provisioning, lifecycle management, inventory discovery, facts gathering, and journal tracking for Azure Virtual Machines. This integration follows the same plugin architecture as the existing AWS integration — extending BasePlugin, registering with IntegrationManager, and implementing both InformationSourcePlugin and ExecutionToolPlugin interfaces. It uses the Azure SDK for JavaScript (`@azure/arm-compute`, `@azure/identity`, `@azure/arm-network`, `@azure/arm-resources`) to interact with Azure Resource Manager APIs. + +## Glossary + +- **Azure_Plugin**: The integration plugin class that extends BasePlugin and implements both InformationSourcePlugin and ExecutionToolPlugin interfaces for Azure VM management +- **Azure_Service**: The service class that wraps Azure SDK clients to provide inventory discovery, facts retrieval, resource discovery, provisioning, and lifecycle operations +- **Integration_Manager**: The central service that manages all integration plugins, handles registration, initialization, and multi-source data aggregation +- **Integration_Color_Service**: The service that provides consistent color coding for each integration in the UI +- **Journal_Service**: The service that records and retrieves a unified timeline of events for inventory nodes +- **Journal_Collector**: A function that collects Azure-specific state change entries for the journal timeline +- **Node**: A standardized representation of an infrastructure target (VM, container, server) used across all integrations +- **Facts**: A standardized collection of system information gathered about a specific node +- **Node_Group**: A logical grouping of nodes by shared attributes (resource group, region, tags) +- **Config_Service**: The centralized configuration service (ConfigService class in backend/src/config/ConfigService.ts) backed by Zod validation (backend/src/config/schema.ts) that parses AZURE_* environment variables from backend/.env via parseIntegrationsConfig() and exposes them through getAzureConfig() +- **Setup_Guide**: A Svelte frontend component that provides form fields for an integration's configuration values, generates a .env snippet using a generateEnvSnippet() function, displays a masked preview of sensitive values, and offers a copy-to-clipboard button — the user then manually pastes the snippet into backend/.env (no web-based configuration saving) +- **Subscription**: An Azure subscription that contains resource groups and resources +- **Resource_Group**: An Azure resource group that serves as a logical container for Azure resources +- **VM_Size**: An Azure VM size specification defining vCPUs, memory, and other hardware characteristics + +## Requirements + +### Requirement 1: Plugin Registration and Initialization + +**User Story:** As a Pabawi administrator, I want the Azure integration to register with the IntegrationManager following the standard plugin architecture, so that Azure VMs appear alongside other infrastructure sources. + +#### Acceptance Criteria + +1. THE Azure_Plugin SHALL extend BasePlugin with type "both" to support both InformationSourcePlugin and ExecutionToolPlugin interfaces +2. WHEN the Azure integration is enabled in configuration, THE Azure_Plugin SHALL register with the Integration_Manager during server startup +3. WHEN the Azure integration is disabled in configuration, THE Azure_Plugin SHALL skip registration and log an informational message +4. WHEN Azure credentials are provided via environment variables, THE Azure_Plugin SHALL initialize the Azure_Service with those credentials +5. IF no Azure credentials or managed identity configuration is provided, THEN THE Azure_Plugin SHALL log an informational message indicating the default credential chain is used +6. IF the Azure_Plugin fails to initialize, THEN THE Azure_Plugin SHALL log the error and allow the server to continue starting without the Azure integration + +### Requirement 2: Configuration via Environment Variables + +**User Story:** As a Pabawi administrator, I want to configure the Azure integration exclusively through environment variables in backend/.env validated by ConfigService, so that credentials and settings are managed consistently with other integrations and no web-based configuration saving is involved. + +#### Acceptance Criteria + +1. THE Config_Service SHALL parse AZURE_* environment variables from backend/.env in the parseIntegrationsConfig() method following the same pattern as the existing AWS configuration block (checking AZURE_ENABLED, then reading AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, and AZURE_RESOURCE_GROUPS) +2. THE Zod schema in backend/src/config/schema.ts SHALL define an AzureConfigSchema with fields: enabled (boolean, default false), tenantId (optional string), clientId (optional string), clientSecret (optional string), subscriptionId (optional string), and resourceGroups (optional string array), and the IntegrationsConfigSchema SHALL include an optional azure field using AzureConfigSchema +3. WHEN AZURE_ENABLED is set to true in backend/.env, THE Config_Service SHALL include the Azure configuration in the integrations config object +4. WHEN explicit credentials (tenantId, clientId, clientSecret) are provided via environment variables, THE Azure_Service SHALL use ClientSecretCredential for authentication +5. WHEN no explicit credentials are provided via environment variables, THE Azure_Service SHALL fall back to DefaultAzureCredential (supporting managed identity, CLI credentials, and environment variables) +6. IF AZURE_ENABLED is true but subscriptionId is missing, THEN THE Azure_Plugin SHALL fail initialization with a descriptive error message +7. THE Config_Service SHALL expose a getAzureConfig() accessor method following the same pattern as getAWSConfig(), returning the typed Azure configuration when enabled or null when disabled + +### Requirement 3: Health Check and Credential Validation + +**User Story:** As a Pabawi administrator, I want to verify that Azure credentials are valid and the integration is healthy, so that I can diagnose connectivity issues. + +#### Acceptance Criteria + +1. WHEN a health check is requested, THE Azure_Plugin SHALL validate credentials by listing subscriptions via the Azure SDK +2. WHEN credentials are valid, THE Azure_Plugin SHALL return a healthy status with subscription details (subscription name, subscription ID, tenant ID) +3. IF credentials are invalid or expired, THEN THE Azure_Plugin SHALL return an unhealthy status with a descriptive error message +4. IF the Azure API is unreachable, THEN THE Azure_Plugin SHALL return an unhealthy status indicating a connectivity failure +5. THE Azure_Plugin SHALL expose a test connection endpoint at POST /api/integrations/azure/test that returns success status and message + +### Requirement 4: Inventory Source + +**User Story:** As an infrastructure engineer, I want Azure VMs to appear in the Pabawi inventory alongside VMs from other sources, so that I have a unified view of all infrastructure. + +#### Acceptance Criteria + +1. WHEN inventory is requested, THE Azure_Service SHALL query all configured resource groups for VM instances using the Azure Compute Management client +2. WHEN no specific resource groups are configured, THE Azure_Service SHALL discover VMs across all resource groups in the subscription +3. THE Azure_Service SHALL transform each Azure VM into a Node object with id format "azure:{subscriptionId}:{resourceGroup}:{vmName}", name from the VM name, source "azure", and config containing vmId, powerState, vmSize, resourceGroup, location, and tags +4. THE Azure_Service SHALL include the VM power state (running, stopped, deallocated, etc.) as the node status for UI display +5. IF a resource group query fails, THEN THE Azure_Service SHALL log the error and continue querying remaining resource groups + +### Requirement 5: Node Grouping + +**User Story:** As an infrastructure engineer, I want Azure VMs grouped by resource group, location, and tags, so that I can organize and filter infrastructure logically. + +#### Acceptance Criteria + +1. WHEN groups are requested, THE Azure_Service SHALL create Node_Group objects grouping VMs by Azure location (region) +2. THE Azure_Service SHALL create Node_Group objects grouping VMs by resource group +3. THE Azure_Service SHALL create Node_Group objects grouping VMs by well-known tag keys (Environment, Project, Team, Application) +4. EACH Node_Group SHALL have an id in the format "azure:{groupType}:{groupValue}", source "azure", and metadata with a description + +### Requirement 6: Facts Source + +**User Story:** As an infrastructure engineer, I want to view detailed Azure-specific information about a VM as facts, so that I can inspect hardware, networking, OS, and configuration details. + +#### Acceptance Criteria + +1. WHEN facts are requested for an Azure VM, THE Azure_Service SHALL query the Azure Compute Management client for the full VM instance view (including instance status) +2. THE Azure_Service SHALL return a Facts object with categories including: system (vmName, vmId, powerState, vmSize, location, provisioningState, osType, offer, sku, version, availabilityZone), network (publicIp, privateIp, networkInterfaces, virtualNetwork, subnet, networkSecurityGroup), hardware (vmSize, osDiskSizeGB, dataDiskCount, dataDiskDetails), and custom (tags, resourceGroup, subscriptionId) +3. THE Azure_Service SHALL populate the os facts section with family (windows or linux), name from the image reference, and release information +4. THE Azure_Service SHALL populate the networking facts section with hostname, and interface details including public and private IPs +5. IF the VM is not found, THEN THE Azure_Service SHALL throw an error with a descriptive message including the VM identifier + +### Requirement 7: VM Provisioning + +**User Story:** As an infrastructure engineer, I want to create new Azure VMs through Pabawi, so that I can provision infrastructure without leaving the management interface. + +#### Acceptance Criteria + +1. WHEN a provision action is received, THE Azure_Plugin SHALL create a new VM using the Azure Compute Management client with the specified parameters (resourceGroup, vmName, location, vmSize, imageReference, adminUsername, adminPassword or sshPublicKey, networkInterfaceId) +2. WHEN provisioning succeeds, THE Azure_Plugin SHALL return an ExecutionResult with status "success" and the new VM resource ID +3. IF provisioning fails due to invalid parameters, THEN THE Azure_Plugin SHALL return an ExecutionResult with status "failed" and a descriptive error message +4. IF provisioning fails due to authentication errors, THEN THE Azure_Plugin SHALL throw an AzureAuthenticationError +5. THE Azure_Plugin SHALL expose a provisioning endpoint at POST /api/integrations/azure/provision that validates the request body with a Zod schema + +### Requirement 8: VM Lifecycle Management + +**User Story:** As an infrastructure engineer, I want to start, stop, restart, and deallocate Azure VMs through Pabawi, so that I can manage VM state without switching to the Azure portal. + +#### Acceptance Criteria + +1. WHEN a lifecycle action is received, THE Azure_Plugin SHALL execute the corresponding Azure Compute Management operation: start (powerOn), stop (powerOff), restart, or deallocate +2. WHEN a lifecycle action succeeds, THE Azure_Plugin SHALL return an ExecutionResult with status "success" +3. IF a lifecycle action fails due to authentication errors, THEN THE Azure_Plugin SHALL throw an AzureAuthenticationError +4. IF a destructive action (deallocate) is requested and ALLOW_DESTRUCTIVE_PROVISIONING is false, THEN THE Azure_Plugin SHALL reject the request with a 403 status and descriptive message +5. THE Azure_Plugin SHALL expose a lifecycle endpoint at POST /api/integrations/azure/lifecycle that validates the request body with a Zod schema accepting vmName, resourceGroup, action (start, stop, restart, deallocate), and optional subscription override +6. WHEN a lifecycle action succeeds, THE Integration_Manager SHALL invalidate the inventory cache so state changes appear immediately + +### Requirement 9: Journal Integration + +**User Story:** As an infrastructure engineer, I want Azure VM activities (provisioning, lifecycle changes, state transitions) recorded in the node journal, so that I have a complete audit trail of operations. + +#### Acceptance Criteria + +1. WHEN a provisioning action completes (success or failure), THE Azure_Plugin SHALL record a journal entry with eventType "provision", source "azure", and a summary describing the outcome +2. WHEN a lifecycle action completes (success or failure), THE Azure_Plugin SHALL record a journal entry with the appropriate eventType (start, stop, reboot, or destroy for deallocate), source "azure", and a summary describing the outcome +3. IF the Journal_Service is unavailable, THEN THE Azure_Plugin SHALL log the failure and continue without blocking the operation result +4. THE Journal_Collector SHALL provide a collectAzureStateEntry function that detects VM power state changes by comparing current state against the last recorded state in journal_entries +5. THE Journal_Collector SHALL map Azure power states to JournalEventType values: "VM running" to "start", "VM stopped" to "stop", "VM deallocated" to "stop", and "VM deleting" to "destroy" +6. THE JournalSourceSchema SHALL include "azure" as a valid source identifier + +### Requirement 10: Integration Color Service Entry + +**User Story:** As a Pabawi user, I want Azure-sourced data visually distinguished with a consistent color theme, so that I can quickly identify Azure resources in the UI. + +#### Acceptance Criteria + +1. THE Integration_Color_Service SHALL include an "azure" entry in the IntegrationColors interface with primary, light, and dark color values +2. THE "azure" color entry SHALL use a blue-toned palette visually distinct from the existing AWS cyan and Proxmox blue entries +3. THE IntegrationType type SHALL include "azure" as a valid integration type + +### Requirement 11: Resource Discovery + +**User Story:** As an infrastructure engineer, I want to browse available Azure locations, VM sizes, and images when provisioning VMs, so that I can make informed choices without consulting the Azure portal. + +#### Acceptance Criteria + +1. WHEN locations are requested, THE Azure_Service SHALL return a list of available Azure locations for the subscription +2. WHEN VM sizes are requested for a location, THE Azure_Service SHALL return available VM sizes with vCPUs, memoryMB, and osDiskSizeGB +3. WHEN VM images are requested, THE Azure_Service SHALL return available marketplace images filtered by publisher, offer, and SKU +4. THE Azure_Plugin SHALL expose resource discovery endpoints: GET /api/integrations/azure/locations, GET /api/integrations/azure/vm-sizes, GET /api/integrations/azure/images +5. WHEN resource groups are requested, THE Azure_Service SHALL return all resource groups in the subscription with name, location, and tags + +### Requirement 12: API Routes + +**User Story:** As a frontend developer, I want well-structured API endpoints for all Azure operations, so that I can build the Azure management UI. + +#### Acceptance Criteria + +1. THE Azure router SHALL be mounted at /api/integrations/azure and registered in server.ts +2. WHEN an Azure API request fails due to authentication, THE Azure router SHALL return HTTP 401 with error code "UNAUTHORIZED" and message "Azure authentication failed" +3. WHEN an Azure API request fails due to validation, THE Azure router SHALL return the Zod validation error using the standard sendValidationError utility +4. WHEN an Azure API request fails due to an internal error, THE Azure router SHALL return HTTP 500 with error code "INTERNAL_SERVER_ERROR" and a descriptive message +5. THE Azure router SHALL expose GET /api/integrations/azure/inventory for listing VMs +6. THE Azure router SHALL validate all request parameters and bodies using Zod schemas + +### Requirement 13: Error Handling + +**User Story:** As a Pabawi administrator, I want clear and actionable error messages from the Azure integration, so that I can diagnose and resolve issues efficiently. + +#### Acceptance Criteria + +1. THE Azure_Plugin SHALL define an AzureAuthenticationError class that extends Error with name "AzureAuthenticationError" +2. WHEN the Azure SDK returns an authentication or authorization error, THE Azure_Service SHALL throw an AzureAuthenticationError with the original error message +3. WHEN the Azure SDK returns a resource-not-found error, THE Azure_Service SHALL throw an Error with a message identifying the missing resource +4. THE Azure_Plugin SHALL log all errors using LoggerService with structured metadata including component "AzurePlugin" or "AzureService", operation name, and relevant context (resourceGroup, vmName, subscriptionId) + + +### Requirement 14: Setup Instructions and Documentation + +**User Story:** As a Pabawi administrator, I want comprehensive setup instructions for the Azure integration, so that I can configure Azure credentials, subscription, and resource groups through environment variables following the same documentation patterns as other integrations. + +#### Acceptance Criteria + +1. THE Azure integration SHALL have a documentation file at docs/integrations/azure.md following the same structure as docs/integrations/aws.md, covering prerequisites, environment variable configuration, authentication methods, required Azure RBAC permissions, feature summary, and troubleshooting +2. THE docs/integrations/azure.md file SHALL document all Azure-specific environment variables (AZURE_ENABLED, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUPS) with descriptions and example values, and SHALL state that configuration is exclusively through backend/.env +3. THE docs/integrations/azure.md file SHALL document authentication options including Service Principal (client credentials), Managed Identity, and Azure CLI credential fallback via DefaultAzureCredential +4. THE docs/integrations/azure.md file SHALL include a troubleshooting table covering common issues: invalid credentials, missing subscription ID, permission errors, unreachable Azure API, and resource group discovery failures +5. THE backend/.env.example file SHALL include an "Azure integration (optional)" section with all Azure-specific environment variables, comments describing each variable, and example placeholder values consistent with the existing integration sections +6. THE scripts/setup.sh file SHALL include an Azure integration section in the Integrations block that prompts for AZURE_ENABLED (default "n"), and WHEN enabled, prompts for AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, and optionally AZURE_RESOURCE_GROUPS +7. WHEN Azure is enabled in the setup script, THE scripts/setup.sh SHALL append the Azure configuration block to the generated backend/.env file following the same pattern as other integration sections + +### Requirement 15: Azure Setup Guide Frontend Component + +**User Story:** As a Pabawi administrator, I want an AzureSetupGuide component in the frontend that generates a .env snippet for Azure configuration, so that I can quickly produce the correct environment variables to paste into backend/.env without manually writing them. + +#### Acceptance Criteria + +1. THE Setup_Guide SHALL be implemented as an AzureSetupGuide.svelte component in frontend/src/components/ following the same pattern as AWSSetupGuide.svelte +2. THE AzureSetupGuide SHALL provide form fields for: Tenant ID, Client ID, Client Secret (password input), Subscription ID, Resource Groups (optional, comma-separated), and a Default Location selector +3. THE AzureSetupGuide SHALL implement a generateEnvSnippet() function that produces a valid .env configuration block with AZURE_ENABLED=true and all populated AZURE_* variables +4. THE AzureSetupGuide SHALL display a masked preview of the generated snippet where sensitive values (AZURE_CLIENT_SECRET) are replaced with asterisks using a maskSensitiveValues() function, while non-sensitive values remain visible +5. THE AzureSetupGuide SHALL provide a copy-to-clipboard button that copies the unmasked .env snippet to the clipboard and displays a success toast notification +6. THE AzureSetupGuide SHALL instruct the user to paste the copied snippet into backend/.env and restart the application — the component SHALL NOT save configuration directly or imply web-based configuration persistence +7. THE frontend/src/components/index.ts file SHALL export AzureSetupGuide as a named export following the existing alphabetical convention +8. THE frontend/src/pages/IntegrationSetupPage.svelte SHALL include an {:else if integration === 'azure'} block that renders the AzureSetupGuide component, following the same layout pattern as the existing AWS block (back button, component, expert mode debug panel) diff --git a/.kiro/specs/azure-integration/tasks.md b/.kiro/specs/azure-integration/tasks.md new file mode 100644 index 00000000..6faa943e --- /dev/null +++ b/.kiro/specs/azure-integration/tasks.md @@ -0,0 +1,239 @@ +# Implementation Plan: Azure Integration + +## Overview + +Implement Azure VM integration for Pabawi following the same plugin architecture as the existing AWS integration. This includes extending BasePlugin, registering with IntegrationManager, and implementing both InformationSourcePlugin and ExecutionToolPlugin interfaces using the Azure SDK for JavaScript (`@azure/arm-compute`, `@azure/identity`, `@azure/arm-network`, `@azure/arm-resources`). + +## Tasks + +- [x] 1. Configuration foundation (ConfigService, schema, .env.example) + - [x] 1.1 Add AzureConfigSchema to backend/src/config/schema.ts + - Define AzureConfigSchema with fields: enabled (boolean, default false), tenantId (optional string), clientId (optional string), clientSecret (optional string), subscriptionId (optional string), resourceGroups (optional string array) + - Add azure field to IntegrationsConfigSchema as optional using AzureConfigSchema + - Export AzureIntegrationConfig type + - _Requirements: 2.2_ + + - [x] 1.2 Add Azure parsing to ConfigService.parseIntegrationsConfig() + - Add Azure configuration block in backend/src/config/ConfigService.ts parseIntegrationsConfig() following the AWS pattern + - Check AZURE_ENABLED, then read AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUPS + - Parse AZURE_RESOURCE_GROUPS from JSON array or comma-separated string (same pattern as AWS_REGIONS) + - Add azure to the return type of parseIntegrationsConfig() + - _Requirements: 2.1, 2.3_ + + - [x] 1.3 Add getAzureConfig() accessor to ConfigService + - Implement getAzureConfig() following the same pattern as getAWSConfig() + - Return typed Azure configuration when enabled, null when disabled + - _Requirements: 2.7_ + + - [x] 1.4 Update backend/.env.example with Azure section + - Add an "Azure integration (optional)" section after the AWS section + - Include AZURE_ENABLED, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUPS with comments and placeholder values + - Use `# pragma: allowlist secret` on the AZURE_CLIENT_SECRET line + - _Requirements: 14.5_ + +- [x] 2. Azure types and error classes + - [x] 2.1 Create backend/src/integrations/azure/types.ts + - Define AzureConfig interface (tenantId, clientId, clientSecret, subscriptionId, resourceGroups, all optional strings/string arrays) + - Define AzureVMInfo interface (vmName, vmId, powerState, vmSize, resourceGroup, location, tags, provisioningState, osType) + - Define AzureLocationInfo interface (name, displayName) + - Define AzureVMSizeInfo interface (name, vCpus, memoryMB, osDiskSizeGB) + - Define AzureImageInfo interface (publisher, offer, sku, version) + - Define AzureResourceGroupInfo interface (name, location, tags) + - Define AzureAuthenticationError class extending Error with name "AzureAuthenticationError" + - Re-export ProvisioningCapability from ../types + - _Requirements: 2.4, 2.5, 13.1, 13.2, 13.3_ + +- [x] 3. AzureService (core service with Azure SDK integration) + - [x] 3.1 Install Azure SDK dependencies + - Add @azure/arm-compute, @azure/identity, @azure/arm-network, @azure/arm-resources, @azure/arm-subscriptions to backend/package.json + - Run npm install in the backend workspace + - _Requirements: 2.4, 2.5_ + + - [x] 3.2 Create backend/src/integrations/azure/AzureService.ts — credential setup and health check + - Implement constructor accepting AzureConfig and LoggerService + - Use ClientSecretCredential when tenantId, clientId, clientSecret are all provided + - Fall back to DefaultAzureCredential when explicit credentials are not provided + - Implement validateCredentials() that lists subscriptions via SubscriptionClient to verify auth + - Return subscription name, subscription ID, tenant ID on success + - Throw AzureAuthenticationError on auth failures + - _Requirements: 2.4, 2.5, 3.1, 3.2, 3.3, 3.4_ + + - [x] 3.3 Implement AzureService inventory methods + - Implement getInventory() querying all configured resource groups (or all RGs if none configured) for VMs using ComputeManagementClient + - Transform each VM into a Node with id format "azure:{subscriptionId}:{resourceGroup}:{vmName}", source "azure", and config containing vmId, powerState, vmSize, resourceGroup, location, tags + - Include VM power state as node status + - Log and continue on individual resource group query failures + - _Requirements: 4.1, 4.2, 4.3, 4.4, 4.5_ + + - [x] 3.4 Implement AzureService groups and facts methods + - Implement getGroups() creating NodeGroup objects by location, resource group, and well-known tag keys (Environment, Project, Team, Application) + - Each group id format: "azure:{groupType}:{groupValue}" + - Implement getNodeFacts() querying full VM instance view including instance status + - Return Facts with categories: system, network, hardware, custom + - Populate os facts with family (windows/linux), name from image reference + - Throw descriptive error if VM not found + - _Requirements: 5.1, 5.2, 5.3, 5.4, 6.1, 6.2, 6.3, 6.4, 6.5_ + + - [x] 3.5 Implement AzureService provisioning and lifecycle methods + - Implement provisionVM() creating a new VM via ComputeManagementClient with parameters (resourceGroup, vmName, location, vmSize, imageReference, adminUsername, adminPassword or sshPublicKey, networkInterfaceId) + - Implement startVM(), stopVM(), restartVM(), deallocateVM() lifecycle methods + - Throw AzureAuthenticationError on auth/authorization errors + - _Requirements: 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 8.3_ + + - [x] 3.6 Implement AzureService resource discovery methods + - Implement getLocations() returning available Azure locations for the subscription + - Implement getVMSizes(location) returning VM sizes with vCPUs, memoryMB, osDiskSizeGB + - Implement getImages(publisher, offer, sku) returning marketplace images + - Implement getResourceGroups() returning all resource groups with name, location, tags + - _Requirements: 11.1, 11.2, 11.3, 11.5_ + +- [x] 4. Checkpoint — Core service complete + - Ensure all tests pass, ask the user if questions arise. + +- [x] 5. AzurePlugin (BasePlugin extension and registration) + - [x] 5.1 Create backend/src/integrations/azure/AzurePlugin.ts + - Extend BasePlugin with type "both" implementing InformationSourcePlugin and ExecutionToolPlugin + - Accept optional LoggerService, PerformanceMonitorService, JournalService in constructor + - Implement performInitialization() validating Azure config and creating AzureService + - Fail initialization with descriptive error if AZURE_ENABLED is true but subscriptionId is missing + - Log informational message when default credential chain is used + - _Requirements: 1.1, 1.4, 1.5, 1.6, 2.6_ + + - [x] 5.2 Implement AzurePlugin InformationSourcePlugin methods + - Implement getInventory(), getGroups(), getNodeFacts(), getNodeData() delegating to AzureService + - Handle nodeId resolution (azure: prefix format vs plain name lookup) + - _Requirements: 4.1, 5.1, 6.1_ + + - [x] 5.3 Implement AzurePlugin ExecutionToolPlugin methods + - Implement executeAction() routing based on action type: provision/create_vm → provisionVM, start/stop/restart/deallocate → lifecycle + - Implement listCapabilities() returning start, stop, restart, deallocate + - Implement listProvisioningCapabilities() returning create_vm + - _Requirements: 7.1, 8.1, 8.5_ + + - [x] 5.4 Implement AzurePlugin health check + - Implement performHealthCheck() using AzureService.validateCredentials() + - Return healthy status with subscription details on success + - Return unhealthy status with descriptive error on auth failure or connectivity issues + - _Requirements: 3.1, 3.2, 3.3, 3.4_ + + - [x] 5.5 Implement AzurePlugin journal integration + - Record journal entries on provision and lifecycle action completion (success or failure) + - Map actions to JournalEventType: provision→"provision", start→"start", stop→"stop", restart→"reboot", deallocate→"destroy" + - Log and continue if JournalService is unavailable + - Implement setJournalService() for alternative injection + - _Requirements: 9.1, 9.2, 9.3_ + + - [x] 5.6 Implement AzurePlugin resource discovery delegation + - Implement getLocations(), getVMSizes(), getImages(), getResourceGroups() delegating to AzureService + - _Requirements: 11.1, 11.2, 11.3, 11.5_ + + - [ ]* 5.7 Write unit tests for AzurePlugin + - Create backend/src/integrations/azure/__tests__/AzurePlugin.test.ts + - Test initialization with valid/invalid config + - Test health check success and failure paths + - Test executeAction routing for provision and lifecycle actions + - Test journal recording on action completion + - Test error handling (AzureAuthenticationError propagation) + - _Requirements: 1.1, 1.4, 1.5, 1.6, 3.1, 3.2, 3.3, 3.4, 13.1, 13.2_ + +- [x] 6. Journal integration (collector and source schema) + - [x] 6.1 Add "azure" to JournalSourceSchema + - Update backend/src/services/journal/types.ts JournalSourceSchema enum to include "azure" + - _Requirements: 9.6_ + + - [x] 6.2 Add Azure state collector to JournalCollectors.ts + - Add collectAzureVMStateEntry function in backend/src/services/journal/JournalCollectors.ts + - Map Azure power states to JournalEventType: "VM running"→"start", "VM stopped"→"stop", "VM deallocated"→"stop", "VM deleting"→"destroy" + - Compare current state against last recorded state in journal_entries + - Follow the same pattern as collectAWSStateEntry + - _Requirements: 9.4, 9.5_ + +- [x] 7. Integration color service entry + - [x] 7.1 Add "azure" to IntegrationColorService + - Add "azure" entry to IntegrationColors interface in backend/src/services/IntegrationColorService.ts + - Use a blue-toned palette visually distinct from AWS cyan (#06B6D4) and Proxmox blue (#3B82F6) + - Suggested: primary #8B5CF6 (violet) or #6366F1 (indigo) to differentiate + - Add "azure" to IntegrationType type + - _Requirements: 10.1, 10.2, 10.3_ + +- [x] 8. API routes + - [x] 8.1 Create backend/src/routes/integrations/azure.ts + - Create createAzureRouter() function following the AWS router pattern + - Accept AzurePlugin, optional IntegrationManager, and options (allowDestructiveActions) + - Define Zod schemas for provision, lifecycle, and query parameters + - Implement GET /inventory, POST /provision, POST /lifecycle, POST /test + - Implement GET /locations, GET /vm-sizes, GET /images, GET /resource-groups + - Handle AzureAuthenticationError → 401, ZodError → sendValidationError, other → 500 + - Guard deallocate action with allowDestructiveActions check (403 if disabled) + - Invalidate inventory cache on successful provision/lifecycle actions + - _Requirements: 3.5, 7.5, 8.4, 8.5, 8.6, 11.4, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6_ + + - [x] 8.2 Register Azure routes in backend/src/server.ts + - Import AzurePlugin and createAzureRouter + - Add Azure integration initialization block following the AWS pattern + - Check azureConfig.enabled, create AzurePlugin, register with IntegrationManager + - Pass JournalService to AzurePlugin + - Mount createAzureRouter at /api/integrations/azure + - _Requirements: 1.2, 1.3, 12.1_ + + - [ ]* 8.3 Write unit tests for Azure routes + - Create backend/src/routes/__tests__/azure.test.ts + - Test inventory endpoint success and auth failure + - Test provision endpoint with valid/invalid body + - Test lifecycle endpoint with destructive action guard + - Test test-connection endpoint + - Test resource discovery endpoints + - _Requirements: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6_ + +- [x] 9. Checkpoint — Backend integration complete + - Ensure all tests pass, ask the user if questions arise. + +- [x] 10. Frontend AzureSetupGuide component + - [x] 10.1 Create frontend/src/components/AzureSetupGuide.svelte + - Follow the AWSSetupGuide.svelte pattern closely + - Provide form fields: Tenant ID, Client ID, Client Secret (password input), Subscription ID, Resource Groups (optional, comma-separated), Default Location + - Implement generateEnvSnippet() producing AZURE_ENABLED=true and all populated AZURE_* variables + - Implement maskSensitiveValues() replacing AZURE_CLIENT_SECRET with asterisks + - Provide copy-to-clipboard button with success toast + - Include prerequisites section (Azure subscription, Service Principal, RBAC permissions) + - Include validation CLI test commands (az account show, az vm list) + - Instruct user to paste into backend/.env and restart — no web-based config saving + - _Requirements: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6_ + + - [x] 10.2 Export AzureSetupGuide in frontend/src/components/index.ts + - Add `export { default as AzureSetupGuide } from "./AzureSetupGuide.svelte"` in alphabetical order + - _Requirements: 15.7_ + + - [x] 10.3 Register AzureSetupGuide in IntegrationSetupPage.svelte + - Import AzureSetupGuide in frontend/src/pages/IntegrationSetupPage.svelte + - Add {:else if integration === 'azure'} block rendering AzureSetupGuide with back button and expert mode debug panel + - Follow the same layout pattern as the existing AWS block + - _Requirements: 15.8_ + +- [x] 11. Documentation + - [x] 11.1 Create docs/integrations/azure.md + - Follow the same structure as docs/integrations/aws.md + - Cover prerequisites, environment variable configuration, authentication methods (Service Principal, Managed Identity, Azure CLI via DefaultAzureCredential) + - Document all AZURE_* environment variables with descriptions and examples + - Document required Azure RBAC permissions (Virtual Machine Contributor or custom role) + - Include feature summary (inventory, facts, provisioning, lifecycle, resource discovery) + - Include troubleshooting table: invalid credentials, missing subscription ID, permission errors, unreachable API, resource group discovery failures + - _Requirements: 14.1, 14.2, 14.3, 14.4_ + + - [x] 11.2 Update scripts/setup.sh with Azure section + - Add Azure integration section in the Integrations block after the SSH section + - Prompt for AZURE_ENABLED (default "n") + - When enabled, prompt for AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, and optionally AZURE_RESOURCE_GROUPS + - Append Azure configuration block to generated backend/.env + - _Requirements: 14.6, 14.7_ + +- [x] 12. Final checkpoint — All tasks complete + - Ensure all tests pass, ask the user if questions arise. + +## Notes + +- Tasks marked with `*` are optional and can be skipped for faster MVP +- Each task references specific requirements for traceability +- Checkpoints ensure incremental validation +- The Azure integration mirrors the AWS integration patterns throughout (plugin structure, routes, config, frontend guide) +- Azure SDK packages: @azure/arm-compute, @azure/identity, @azure/arm-network, @azure/arm-resources, @azure/arm-subscriptions diff --git a/.kiro/specs/azure-support/.config.kiro b/.kiro/specs/azure-support/.config.kiro deleted file mode 100644 index 85ad8938..00000000 --- a/.kiro/specs/azure-support/.config.kiro +++ /dev/null @@ -1 +0,0 @@ -{"specId": "de78ec71-9d3d-416b-a6d0-15bb727e8bf5", "workflowType": "requirements-first", "specType": "feature"} diff --git a/.kiro/specs/azure-support/design.md b/.kiro/specs/azure-support/design.md deleted file mode 100644 index 53577b9a..00000000 --- a/.kiro/specs/azure-support/design.md +++ /dev/null @@ -1,508 +0,0 @@ -# Documento di Design — Supporto Azure - -## Panoramica - -Questo documento descrive il design tecnico per l'integrazione di Microsoft Azure in Pabawi. Il plugin Azure seguirà gli stessi pattern architetturali già consolidati nel progetto (AWS, Proxmox), estendendo `BasePlugin` e implementando le interfacce `InformationSourcePlugin` e `ExecutionToolPlugin` per fornire inventario VM, raggruppamento, facts e gestione del ciclo di vita delle macchine virtuali Azure. - -L'integrazione utilizza l'Azure SDK per JavaScript (`@azure/arm-compute`, `@azure/arm-network`, `@azure/identity`, `@azure/arm-subscriptions`) per comunicare con le API Azure tramite autenticazione Service Principal. - -### Decisioni di design chiave - -1. **Pattern Service/Plugin separati**: Come per AWS, la logica Azure SDK è incapsulata in `AzureService` (chiamate API), mentre `AzurePlugin` gestisce il ciclo di vita del plugin e l'integrazione con Pabawi. -2. **Autenticazione Service Principal**: Si utilizza `ClientSecretCredential` da `@azure/identity`, coerente con scenari server-side non interattivi. -3. **Filtri opzionali**: Resource Group e Region sono filtri opzionali applicati a livello di `AzureService` per limitare lo scope dell'inventario. -4. **Degradazione graduale**: Il plugin restituisce dati vuoti in caso di errore, senza interrompere le altre integrazioni, seguendo il pattern di `BasePlugin`. - -## Architettura - -### Diagramma dei componenti - -```mermaid -graph TB - subgraph Pabawi Backend - CM[ConfigService] -->|azure config| IM[IntegrationManager] - IM -->|register| AP[AzurePlugin] - AP -->|delega| AS[AzureService] - IM -->|link nodes| NLS[NodeLinkingService] - end - - subgraph Azure SDK - AS -->|ClientSecretCredential| AI[@azure/identity] - AS -->|VM operations| AC[@azure/arm-compute] - AS -->|Network info| AN[@azure/arm-network] - AS -->|Subscription info| ASub[@azure/arm-subscriptions] - end - - subgraph Azure Cloud - AC -->|REST API| AZ[Azure Resource Manager] - AN -->|REST API| AZ - ASub -->|REST API| AZ - AI -->|OAuth2| AAD[Azure AD / Entra ID] - end -``` - -### Flusso di inizializzazione - -```mermaid -sequenceDiagram - participant CS as ConfigService - participant IM as IntegrationManager - participant AP as AzurePlugin - participant AS as AzureService - participant AZ as Azure API - - CS->>IM: azure config (enabled: true) - IM->>AP: initialize(config) - AP->>AP: validateAzureConfig() - AP->>AS: new AzureService(config) - AS->>AZ: ClientSecretCredential.getToken() - alt Autenticazione OK - AZ-->>AS: token - AS-->>AP: initialized - AP-->>IM: initialized: true - else Autenticazione fallita - AZ-->>AS: errore - AS-->>AP: errore - AP->>AP: log errore, initialized: false - AP-->>IM: initialized: false (no throw) - end -``` - -### Flusso di inventario - -```mermaid -sequenceDiagram - participant IM as IntegrationManager - participant AP as AzurePlugin - participant AS as AzureService - participant AZ as Azure API - - IM->>AP: getInventory() - AP->>AS: getInventory() - AS->>AZ: computeClient.virtualMachines.listAll() - AZ-->>AS: VM[] - AS->>AZ: networkClient.publicIPAddresses.listAll() - AZ-->>AS: PublicIP[] - AS->>AS: transformVMToNode(vm) - AS-->>AP: Node[] - AP-->>IM: Node[] -``` - -## Componenti e Interfacce - -### 1. Configurazione Azure nel ConfigService - -Estensione del metodo `parseIntegrationsConfig()` in `ConfigService.ts` per includere la configurazione Azure. - -```typescript -// Aggiunta al tipo di ritorno di parseIntegrationsConfig() -azure?: { - enabled: boolean; - tenantId: string; - clientId: string; - clientSecret: string; - subscriptionId: string; - resourceGroup?: string; - region?: string; - priority?: number; -}; -``` - -**Variabili d'ambiente:** - -| Variabile | Obbligatoria | Descrizione | -|---|---|---| -| `AZURE_ENABLED` | Sì | Abilita il plugin (`true`/`false`) | -| `AZURE_TENANT_ID` | Sì (se enabled) | ID del tenant Azure AD | -| `AZURE_CLIENT_ID` | Sì (se enabled) | Client ID del Service Principal | -| `AZURE_CLIENT_SECRET` | Sì (se enabled) | Client Secret del Service Principal | -| `AZURE_SUBSCRIPTION_ID` | Sì (se enabled) | ID della sottoscrizione Azure | -| `AZURE_RESOURCE_GROUP` | No | Filtra per Resource Group | -| `AZURE_REGION` | No | Filtra per regione Azure | -| `AZURE_PRIORITY` | No | Priorità nell'aggregazione inventario | - -**Validazione:** Se `AZURE_ENABLED=true`, `AZURE_TENANT_ID` e `AZURE_SUBSCRIPTION_ID` sono obbligatori. L'assenza genera un errore con messaggio specifico. - -### 2. AzureService (`backend/src/integrations/azure/AzureService.ts`) - -Servizio che incapsula tutte le chiamate all'Azure SDK. Segue lo stesso pattern di `AWSService`. - -```typescript -class AzureService { - constructor(config: AzureConfig, logger: LoggerService); - - // Autenticazione - async validateCredentials(): Promise<{ subscriptionName: string; subscriptionId: string }>; - - // Inventario - async getInventory(): Promise; - async getGroups(): Promise; - async getNodeFacts(nodeId: string): Promise; - async getNodeData(nodeId: string, dataType: string): Promise; - - // Ciclo di vita VM - async startVM(resourceGroup: string, vmName: string): Promise; - async stopVM(resourceGroup: string, vmName: string): Promise; - async deallocateVM(resourceGroup: string, vmName: string): Promise; - async restartVM(resourceGroup: string, vmName: string): Promise; -} -``` - -**Metodi privati chiave:** - -- `listAllVMs()`: Elenca le VM, applicando filtri opzionali per Resource Group e Region -- `transformVMToNode(vm, networkInfo)`: Mappa una VM Azure a un oggetto `Node` -- `transformToFacts(nodeId, vm, networkInfo)`: Mappa una VM Azure a un oggetto `Facts` -- `resolveVMIPAddress(vm)`: Risolve l'IP privato/pubblico di una VM tramite le interfacce di rete -- `groupByResourceGroup(nodes)`: Raggruppa i nodi per Resource Group -- `groupByRegion(nodes)`: Raggruppa i nodi per regione -- `groupByTags(nodes)`: Raggruppa i nodi per tag Azure -- `parseNodeId(nodeId)`: Estrae resourceGroup e vmName da un nodeId formato `azure::` - -### 3. AzurePlugin (`backend/src/integrations/azure/AzurePlugin.ts`) - -Plugin che estende `BasePlugin` e implementa `InformationSourcePlugin` e `ExecutionToolPlugin`. - -```typescript -class AzurePlugin extends BasePlugin implements InformationSourcePlugin, ExecutionToolPlugin { - type: "both" = "both"; - - constructor(logger?: LoggerService, performanceMonitor?: PerformanceMonitorService); - - // BasePlugin - protected performInitialization(): Promise; - protected performHealthCheck(): Promise>; - - // InformationSourcePlugin - async getInventory(): Promise; - async getGroups(): Promise; - async getNodeFacts(nodeId: string): Promise; - async getNodeData(nodeId: string, dataType: string): Promise; - - // ExecutionToolPlugin - async executeAction(action: Action): Promise; - listCapabilities(): Capability[]; -} -``` - -**Comportamento di degradazione:** - -- Se `initialized === false`, `getInventory()` e `getGroups()` restituiscono `[]` -- Se l'API Azure fallisce durante una query, il plugin logga l'errore e restituisce dati vuoti -- Le transizioni di stato `healthy: true ↔ false` vengono loggate con livello appropriato (warning/info) - -### 4. Tipi Azure (`backend/src/integrations/azure/types.ts`) - -```typescript -export interface AzureConfig { - tenantId: string; - clientId: string; - clientSecret: string; - subscriptionId: string; - resourceGroup?: string; - region?: string; -} - -export class AzureAuthenticationError extends Error { - constructor(message: string) { - super(message); - this.name = "AzureAuthenticationError"; - } -} -``` - -### 5. Integrazione con IntegrationManager - -La registrazione del plugin avviene nel punto di bootstrap dell'applicazione (dove vengono registrati gli altri plugin), seguendo lo stesso pattern: - -```typescript -if (azureConfig?.enabled) { - const azurePlugin = new AzurePlugin(logger, performanceMonitor); - integrationManager.registerPlugin(azurePlugin, { - enabled: true, - name: "azure", - type: "both", - config: azureConfig, - priority: azureConfig.priority, - }); -} -``` - -## Modelli Dati - -### Mappatura VM Azure → Node - -| Campo Node | Sorgente Azure | Note | -|---|---|---| -| `id` | `azure::` | Formato univoco per identificare la VM | -| `name` | `vm.name` | Nome della VM Azure | -| `uri` | IP privato → IP pubblico → `vm.name` | Fallback a catena | -| `transport` | `"ssh"` (Linux) / `"winrm"` (Windows) | Basato su `vm.storageProfile.osDisk.osType` | -| `config` | `{}` | Configurazione di default | -| `source` | `"azure"` | Identificatore sorgente | - -### Mappatura VM Azure → Facts - -```typescript -{ - nodeId: "azure::", - gatheredAt: "", - source: "azure", - facts: { - vmSize: "Standard_D2s_v3", - location: "westeurope", - provisioningState: "Succeeded", - powerState: "running", - osType: "Linux", - osDiskSizeGB: 30, - privateIpAddress: "10.0.0.4", - publicIpAddress: "20.1.2.3", - resourceGroup: "my-rg", - subscriptionId: "sub-id", - tags: { env: "production", team: "infra" }, - os: { family: "Linux", name: "Ubuntu", release: { full: "22.04", major: "22" } }, - processors: { count: 2, models: ["Standard_D2s_v3"] }, - memory: { system: { total: "8 GB", available: "N/A" } }, - networking: { - hostname: "my-vm", - interfaces: { eth0: { ip: "10.0.0.4", public: "20.1.2.3" } } - } - } -} -``` - -### Formato NodeGroup - -| Tipo raggruppamento | Formato `id` | Esempio | -|---|---|---| -| Resource Group | `azure:rg:` | `azure:rg:my-resource-group` | -| Regione | `azure:region:` | `azure:region:westeurope` | -| Tag | `azure:tag::` | `azure:tag:env:production` | - -### Formato nodeId - -Il `nodeId` per le VM Azure segue il formato: `azure::` - -Questo formato permette di: - -- Identificare univocamente la VM -- Estrarre il Resource Group necessario per le operazioni di ciclo di vita -- Mantenere coerenza con il pattern AWS (`aws::`) - -### Capability del plugin - -```typescript -[ - { - name: "start", - description: "Avvia una VM Azure", - parameters: [ - { name: "target", type: "string", required: true, description: "nodeId della VM" } - ] - }, - { - name: "stop", - description: "Arresta una VM Azure", - parameters: [ - { name: "target", type: "string", required: true, description: "nodeId della VM" } - ] - }, - { - name: "deallocate", - description: "Dealloca una VM Azure (rilascia risorse compute)", - parameters: [ - { name: "target", type: "string", required: true, description: "nodeId della VM" } - ] - }, - { - name: "restart", - description: "Riavvia una VM Azure", - parameters: [ - { name: "target", type: "string", required: true, description: "nodeId della VM" } - ] - } -] -``` - -## Proprietà di Correttezza - -*Una proprietà è una caratteristica o un comportamento che deve essere vero in tutte le esecuzioni valide di un sistema — essenzialmente, un'affermazione formale su ciò che il sistema deve fare. Le proprietà fungono da ponte tra le specifiche leggibili dall'uomo e le garanzie di correttezza verificabili dalla macchina.* - -### Proprietà 1: Round-trip della configurazione Azure - -*Per qualsiasi* insieme valido di variabili d'ambiente Azure (con `AZURE_ENABLED=true`, `tenantId`, `clientId`, `clientSecret`, `subscriptionId` obbligatori, e `resourceGroup`, `region`, `priority` opzionali), il parsing tramite `ConfigService.parseIntegrationsConfig()` deve produrre un oggetto `azure` i cui campi corrispondono esattamente ai valori delle variabili d'ambiente originali. - -**Valida: Requisiti 1.1, 1.4, 1.5, 1.6** - -### Proprietà 2: Configurazione disabilitata esclude Azure - -*Per qualsiasi* valore di `AZURE_ENABLED` diverso da `"true"` (incluso `undefined`, `"false"`, stringhe casuali), l'oggetto restituito da `parseIntegrationsConfig()` non deve contenere la chiave `azure`. - -**Valida: Requisiti 1.7** - -### Proprietà 3: Plugin non operativo restituisce dati vuoti senza eccezioni - -*Per qualsiasi* istanza di `AzurePlugin` che si trova nello stato `initialized: false` o `healthy: false`, le chiamate a `getInventory()` e `getGroups()` devono restituire array vuoti, e `getNodeFacts(nodeId)` deve restituire un oggetto `Facts` vuoto, senza lanciare eccezioni, indipendentemente dal `nodeId` fornito. - -**Valida: Requisiti 2.5, 7.2** - -### Proprietà 4: Mappatura VM → Node preserva source e campi obbligatori - -*Per qualsiasi* VM Azure restituita dall'API, la trasformazione in oggetto `Node` deve produrre un nodo con: `source` uguale a `"azure"`, `name` uguale al nome della VM, `id` nel formato `azure::`, e `uri` non vuoto (IP privato, IP pubblico, o nome VM come fallback). - -**Valida: Requisiti 3.1, 3.2, 9.3** - -### Proprietà 5: I filtri di inventario restituiscono solo VM corrispondenti - -*Per qualsiasi* insieme di VM Azure e qualsiasi combinazione di filtri attivi (`resourceGroup`, `region`), `getInventory()` deve restituire esclusivamente VM che soddisfano tutti i filtri configurati. Se `resourceGroup` è configurato, ogni VM restituita deve appartenere a quel Resource Group. Se `region` è configurata, ogni VM restituita deve trovarsi in quella regione. - -**Valida: Requisiti 3.3, 3.4** - -### Proprietà 6: Raggruppamento completo e coerente - -*Per qualsiasi* insieme di VM Azure, `getGroups()` deve restituire: un `NodeGroup` per ogni Resource Group distinto (con id `azure:rg:`), un `NodeGroup` per ogni regione distinta (con id `azure:region:`), un `NodeGroup` per ogni coppia tag chiave:valore distinta (con id `azure:tag::`). Ogni `NodeGroup` deve avere `source` uguale a `"azure"`, e ogni nodo deve apparire in esattamente un gruppo per Resource Group e un gruppo per regione. - -**Valida: Requisiti 4.1, 4.2, 4.3, 4.4** - -### Proprietà 7: Facts contengono tutti i campi richiesti - -*Per qualsiasi* VM Azure valida, `getNodeFacts(nodeId)` deve restituire un oggetto `Facts` contenente almeno i campi: `vmSize`, `location`, `provisioningState`, `powerState`, `osType`, `resourceGroup`, `subscriptionId`, e `tags`. - -**Valida: Requisiti 5.1** - -### Proprietà 8: Coerenza del risultato delle operazioni di ciclo di vita - -*Per qualsiasi* operazione di ciclo di vita (start, stop, deallocate, restart) su una VM Azure, il campo `success` dell'`ExecutionResult` restituito deve essere `true` se e solo se l'API Azure ha completato l'operazione senza errori. In caso di errore, `success` deve essere `false` e il campo `error` deve contenere il messaggio di errore dell'API. - -**Valida: Requisiti 8.5, 8.6** - -## Gestione degli Errori - -### Strategia generale - -Il plugin Azure segue la strategia di degradazione graduale già adottata dagli altri plugin di Pabawi: - -1. **Errori di autenticazione**: Catturati durante `performInitialization()`. Il plugin imposta `initialized: false` e logga l'errore. Non viene lanciata alcuna eccezione verso l'`IntegrationManager`. - -2. **Errori API durante le query**: Catturati in ogni metodo pubblico (`getInventory`, `getGroups`, `getNodeFacts`, `getNodeData`). Il plugin logga l'errore e restituisce dati vuoti (array vuoto o Facts vuoto). - -3. **Errori durante le operazioni di ciclo di vita**: Catturati in `executeAction()`. Il plugin restituisce un `ExecutionResult` con `success: false` e il messaggio di errore. - -4. **Errori di configurazione**: Lanciati durante il parsing in `ConfigService` (campi obbligatori mancanti). Questi errori impediscono l'avvio dell'applicazione, coerentemente con il comportamento degli altri plugin. - -### Classificazione degli errori - -| Tipo errore | Classe | Comportamento | -|---|---|---| -| Credenziali non valide/scadute | `AzureAuthenticationError` | `initialized: false`, log error | -| API non raggiungibile | `Error` (generico) | Dati vuoti, log error | -| VM non trovata | N/A | Facts vuoto, log warning | -| Permessi insufficienti | `AzureAuthenticationError` | `degraded: true`, log warning | -| Timeout API | `Error` (generico) | Dati vuoti, log error | -| Config mancante | `Error` | Throw durante startup | - -### Transizioni di stato e logging - -```mermaid -stateDiagram-v2 - [*] --> Uninitialized - Uninitialized --> Initialized: autenticazione OK - Uninitialized --> Failed: autenticazione fallita - Initialized --> Healthy: healthCheck OK - Initialized --> Unhealthy: healthCheck fallito - Healthy --> Unhealthy: healthCheck fallito [log WARNING] - Unhealthy --> Healthy: healthCheck OK [log INFO] - Healthy --> Degraded: permessi parziali [log WARNING] - Degraded --> Healthy: permessi ripristinati [log INFO] - Failed --> Initialized: retry manuale -``` - -## Strategia di Testing - -### Approccio duale - -Il testing del plugin Azure utilizza un approccio duale complementare: - -- **Test unitari (Vitest)**: Verificano esempi specifici, edge case e condizioni di errore con mock delle API Azure -- **Test property-based (fast-check + Vitest)**: Verificano proprietà universali su input generati casualmente - -### Libreria di property-based testing - -Si utilizza `fast-check` (già presente nel progetto) integrato con Vitest. Ogni test property-based deve: - -- Eseguire almeno 100 iterazioni (`numRuns: 100`) -- Referenziare la proprietà del design document tramite commento tag -- Formato tag: `Feature: azure-support, Property {numero}: {titolo}` - -### Test unitari - -I test unitari coprono: - -1. **Configurazione** (Requisiti 1.x): - - Parsing corretto con tutte le variabili obbligatorie - - Errore con `AZURE_TENANT_ID` mancante (messaggio specifico) - - Errore con `AZURE_SUBSCRIPTION_ID` mancante (messaggio specifico) - - Esclusione config quando `AZURE_ENABLED` non è `true` - -2. **Inizializzazione** (Requisiti 2.x): - - Registrazione come tipo `"both"` - - Autenticazione con Service Principal (mock) - - Stato `initialized: true` dopo autenticazione riuscita - - Stato `initialized: false` dopo autenticazione fallita, senza throw - -3. **Health check** (Requisiti 6.x): - - `healthy: true` con nome Subscription quando connettività OK - - `healthy: false` con messaggio errore per credenziali non valide - - `healthy: false` con messaggio connettività per API non raggiungibili - - `degraded: true` con capabilities per permessi parziali - -4. **Degradazione** (Requisiti 7.x): - - Log warning su transizione healthy→unhealthy - - Log info su transizione unhealthy→healthy - -5. **Ciclo di vita VM** (Requisiti 8.x): - - Azioni start, stop, deallocate, restart (mock API) - - `listCapabilities()` restituisce le 4 azioni - -6. **Dettagli VM** (Requisiti 5.x): - - `getNodeData(nodeId, "status")` restituisce stato esecuzione - - `getNodeData(nodeId, "network")` restituisce info rete - - `getNodeFacts(nodeId)` con nodeId non valido restituisce Facts vuoto - -### Test property-based - -Ogni proprietà del design document è implementata da un singolo test property-based: - -| Proprietà | Generatore | Verifica | -|---|---|---| -| 1: Round-trip config | `fc.record({tenantId: fc.uuid(), ...})` | Parsing env → oggetto config equivalente | -| 2: Config disabilitata | `fc.string().filter(s => s !== "true")` | `azure` assente dall'oggetto integrazioni | -| 3: Plugin non operativo | `fc.string()` (nodeId casuali) | Array vuoti, nessuna eccezione | -| 4: Mappatura VM→Node | `fc.record({name, resourceGroup, ...})` | `source="azure"`, `id` formato corretto, `uri` non vuoto | -| 5: Filtri inventario | `fc.array(vmArbitrary)` + filtri | Solo VM corrispondenti ai filtri | -| 6: Raggruppamento | `fc.array(vmArbitrary)` | Gruppi per RG, regione, tag completi e coerenti | -| 7: Facts completi | `fc.record({vmSize, location, ...})` | Tutti i campi richiesti presenti | -| 8: Risultato ciclo di vita | `fc.constantFrom("start","stop","deallocate","restart")` | `success` coerente con esito API | - -### Struttura dei file di test - -``` -backend/src/integrations/azure/__tests__/ -├── AzurePlugin.test.ts # Test unitari del plugin -├── AzureService.test.ts # Test unitari del servizio -├── AzurePlugin.property.test.ts # Test property-based -└── AzureConfig.test.ts # Test configurazione -``` - -### Dipendenze Azure SDK - -```json -{ - "@azure/identity": "^4.x", - "@azure/arm-compute": "^21.x", - "@azure/arm-network": "^33.x", - "@azure/arm-subscriptions": "^5.x" -} -``` - -Queste dipendenze vengono mockate nei test unitari e property-based per evitare chiamate reali alle API Azure. diff --git a/.kiro/specs/azure-support/requirements.md b/.kiro/specs/azure-support/requirements.md deleted file mode 100644 index e244635a..00000000 --- a/.kiro/specs/azure-support/requirements.md +++ /dev/null @@ -1,146 +0,0 @@ -# Documento dei Requisiti — Supporto Azure - -## Introduzione - -Questa specifica definisce i requisiti per l'integrazione di Microsoft Azure in Pabawi. L'obiettivo è aggiungere un plugin Azure che implementi l'interfaccia `InformationSourcePlugin` (e opzionalmente `ExecutionToolPlugin`) per consentire la gestione delle macchine virtuali Azure direttamente dall'interfaccia unificata di Pabawi, seguendo gli stessi pattern architetturali già utilizzati per AWS e Proxmox. - -## Glossario - -- **Azure_Plugin**: Plugin di integrazione Azure per Pabawi, che estende `BasePlugin` e implementa le interfacce `InformationSourcePlugin` e `ExecutionToolPlugin` -- **Azure_Service**: Servizio interno che incapsula le chiamate alle API Azure SDK (`@azure/arm-compute`, `@azure/identity`) -- **ConfigService**: Servizio di configurazione esistente di Pabawi che carica e valida le variabili d'ambiente -- **IntegrationManager**: Gestore centrale dei plugin che registra, inizializza e orchestra tutte le integrazioni -- **VM**: Macchina virtuale Azure (Azure Virtual Machine) -- **Service_Principal**: Identità applicativa Azure utilizzata per l'autenticazione tramite `clientId`, `clientSecret` e `tenantId` -- **Subscription**: Sottoscrizione Azure che raggruppa le risorse e la fatturazione -- **Resource_Group**: Contenitore logico Azure che raggruppa risorse correlate -- **Node**: Rappresentazione interna di Pabawi di un host gestito, definita in `integrations/bolt/types.ts` -- **NodeGroup**: Raggruppamento logico di nodi in Pabawi, definito in `integrations/types.ts` -- **HealthStatus**: Interfaccia standard di Pabawi per lo stato di salute di un plugin - -## Requisiti - -### Requisito 1: Configurazione del plugin Azure tramite variabili d'ambiente - -**User Story:** Come amministratore di Pabawi, voglio configurare l'integrazione Azure tramite variabili d'ambiente, in modo da poter abilitare e personalizzare il collegamento ad Azure senza modificare il codice. - -#### Criteri di Accettazione - -1. WHEN la variabile `AZURE_ENABLED` è impostata a `true`, THE ConfigService SHALL analizzare e validare le variabili d'ambiente Azure (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`) -2. WHEN la variabile `AZURE_ENABLED` è impostata a `true` e `AZURE_TENANT_ID` non è definita, THE ConfigService SHALL generare un errore con il messaggio "AZURE_TENANT_ID is required when AZURE_ENABLED is true" -3. WHEN la variabile `AZURE_ENABLED` è impostata a `true` e `AZURE_SUBSCRIPTION_ID` non è definita, THE ConfigService SHALL generare un errore con il messaggio "AZURE_SUBSCRIPTION_ID is required when AZURE_ENABLED is true" -4. THE ConfigService SHALL supportare la variabile opzionale `AZURE_RESOURCE_GROUP` per filtrare le risorse a un singolo Resource Group -5. THE ConfigService SHALL supportare la variabile opzionale `AZURE_REGION` per filtrare le VM a una specifica regione Azure -6. THE ConfigService SHALL supportare la variabile opzionale `AZURE_PRIORITY` per definire la priorità del plugin nell'aggregazione dell'inventario -7. IF la variabile `AZURE_ENABLED` non è definita o è impostata a `false`, THEN THE ConfigService SHALL escludere la configurazione Azure dall'oggetto integrazioni - -### Requisito 2: Registrazione e inizializzazione del plugin Azure - -**User Story:** Come amministratore di Pabawi, voglio che il plugin Azure si registri automaticamente nell'IntegrationManager all'avvio, in modo che sia disponibile insieme alle altre integrazioni. - -#### Criteri di Accettazione - -1. WHEN il ConfigService restituisce una configurazione Azure con `enabled: true`, THE Azure_Plugin SHALL registrarsi nell'IntegrationManager come plugin di tipo `both` -2. WHEN il Azure_Plugin viene inizializzato, THE Azure_Plugin SHALL autenticarsi verso Azure utilizzando le credenziali Service Principal configurate (`tenantId`, `clientId`, `clientSecret`) -3. WHEN l'autenticazione Azure ha successo, THE Azure_Plugin SHALL impostare il proprio stato interno a `initialized: true` -4. IF l'autenticazione Azure fallisce durante l'inizializzazione, THEN THE Azure_Plugin SHALL registrare l'errore nel log e impostare il proprio stato a `initialized: false` senza interrompere l'avvio di Pabawi -5. WHILE il Azure_Plugin è nello stato `initialized: false`, THE Azure_Plugin SHALL restituire array vuoti per le chiamate a `getInventory()` e `getGroups()` - -### Requisito 3: Inventario delle macchine virtuali Azure - -**User Story:** Come operatore, voglio visualizzare le macchine virtuali Azure nell'inventario unificato di Pabawi, in modo da avere una visione completa dell'infrastruttura. - -#### Criteri di Accettazione - -1. WHEN viene invocato `getInventory()`, THE Azure_Plugin SHALL restituire un array di oggetti `Node` corrispondenti alle VM Azure presenti nella Subscription configurata -2. THE Azure_Plugin SHALL mappare ogni VM Azure a un oggetto `Node` con i seguenti campi: `name` (nome della VM), `uri` (indirizzo IP privato o pubblico della VM), `source` impostato a `"azure"` -3. WHERE la variabile `AZURE_RESOURCE_GROUP` è configurata, THE Azure_Plugin SHALL filtrare l'inventario restituendo solo le VM appartenenti al Resource Group specificato -4. WHERE la variabile `AZURE_REGION` è configurata, THE Azure_Plugin SHALL filtrare l'inventario restituendo solo le VM nella regione specificata -5. WHEN una VM Azure non ha un indirizzo IP assegnato, THE Azure_Plugin SHALL impostare il campo `uri` del Node al nome della VM -6. IF l'API Azure restituisce un errore durante il recupero dell'inventario, THEN THE Azure_Plugin SHALL registrare l'errore nel log e restituire un array vuoto - -### Requisito 4: Raggruppamento delle macchine virtuali Azure - -**User Story:** Come operatore, voglio che le VM Azure siano organizzate in gruppi logici nell'inventario di Pabawi, in modo da poter filtrare e gestire le risorse per Resource Group, regione o tag. - -#### Criteri di Accettazione - -1. WHEN viene invocato `getGroups()`, THE Azure_Plugin SHALL restituire un array di oggetti `NodeGroup` che raggruppano le VM per Resource Group -2. THE Azure_Plugin SHALL creare un NodeGroup aggiuntivo per ogni regione Azure contenente VM, con formato id `azure:region:` -3. THE Azure_Plugin SHALL creare un NodeGroup per ogni tag Azure presente sulle VM, con formato id `azure:tag::` -4. THE Azure_Plugin SHALL impostare il campo `source` di ogni NodeGroup a `"azure"` -5. IF l'API Azure restituisce un errore durante il recupero dei gruppi, THEN THE Azure_Plugin SHALL registrare l'errore nel log e restituire un array vuoto - -### Requisito 5: Dettagli e facts delle macchine virtuali Azure - -**User Story:** Come operatore, voglio consultare i dettagli di una specifica VM Azure, in modo da conoscerne la configurazione e lo stato corrente. - -#### Criteri di Accettazione - -1. WHEN viene invocato `getNodeFacts(nodeId)` con un nodeId valido, THE Azure_Plugin SHALL restituire un oggetto `Facts` contenente le proprietà della VM Azure: `vmSize`, `location`, `provisioningState`, `powerState`, `osType`, `osDiskSizeGB`, `privateIpAddress`, `publicIpAddress`, `resourceGroup`, `subscriptionId`, `tags` -2. WHEN viene invocato `getNodeFacts(nodeId)` con un nodeId che non corrisponde a nessuna VM Azure, THE Azure_Plugin SHALL restituire un oggetto `Facts` vuoto -3. IF l'API Azure restituisce un errore durante il recupero dei facts, THEN THE Azure_Plugin SHALL registrare l'errore nel log e restituire un oggetto `Facts` vuoto -4. WHEN viene invocato `getNodeData(nodeId, "status")`, THE Azure_Plugin SHALL restituire lo stato di esecuzione della VM (running, stopped, deallocated) -5. WHEN viene invocato `getNodeData(nodeId, "network")`, THE Azure_Plugin SHALL restituire le informazioni di rete della VM (interfacce di rete, IP privati, IP pubblici, security groups associati) - -### Requisito 6: Health check del plugin Azure - -**User Story:** Come amministratore di Pabawi, voglio monitorare lo stato di connessione del plugin Azure, in modo da identificare rapidamente problemi di autenticazione o connettività. - -#### Criteri di Accettazione - -1. WHEN viene invocato `healthCheck()`, THE Azure_Plugin SHALL verificare la connettività verso le API Azure tentando di elencare le sottoscrizioni accessibili -2. WHEN la verifica di connettività ha successo, THE Azure_Plugin SHALL restituire un oggetto `HealthStatus` con `healthy: true` e un messaggio che include il nome della Subscription -3. IF le credenziali Azure sono scadute o non valide, THEN THE Azure_Plugin SHALL restituire un oggetto `HealthStatus` con `healthy: false` e un messaggio descrittivo dell'errore di autenticazione -4. IF le API Azure non sono raggiungibili, THEN THE Azure_Plugin SHALL restituire un oggetto `HealthStatus` con `healthy: false` e un messaggio che indica il problema di connettività -5. WHEN il plugin ha accesso parziale alle risorse (permessi IAM insufficienti per alcune operazioni), THE Azure_Plugin SHALL restituire un oggetto `HealthStatus` con `degraded: true`, elencando le capability funzionanti in `workingCapabilities` e quelle non funzionanti in `failingCapabilities` - -### Requisito 7: Degradazione graduale del plugin Azure - -**User Story:** Come operatore, voglio che Pabawi continui a funzionare correttamente anche quando l'integrazione Azure non è disponibile, in modo da non perdere l'accesso alle altre integrazioni. - -#### Criteri di Accettazione - -1. IF il plugin Azure non riesce a inizializzarsi, THEN THE IntegrationManager SHALL continuare l'inizializzazione degli altri plugin senza interruzioni -2. WHILE il plugin Azure è nello stato `healthy: false`, THE Azure_Plugin SHALL restituire dati vuoti per tutte le query di inventario senza generare eccezioni non gestite -3. WHEN il plugin Azure passa dallo stato `healthy: true` a `healthy: false`, THE Azure_Plugin SHALL registrare un messaggio di warning nel log con i dettagli dell'errore -4. WHEN il plugin Azure passa dallo stato `healthy: false` a `healthy: true`, THE Azure_Plugin SHALL registrare un messaggio informativo nel log indicando il ripristino della connessione - -### Requisito 8: Gestione del ciclo di vita delle VM Azure - -**User Story:** Come operatore, voglio poter avviare, arrestare e deallocare le VM Azure direttamente da Pabawi, in modo da gestire le risorse cloud dall'interfaccia unificata. - -#### Criteri di Accettazione - -1. WHEN viene invocato `executeAction()` con tipo `command` e azione `start`, THE Azure_Plugin SHALL avviare la VM Azure specificata nel target -2. WHEN viene invocato `executeAction()` con tipo `command` e azione `stop`, THE Azure_Plugin SHALL arrestare la VM Azure specificata nel target -3. WHEN viene invocato `executeAction()` con tipo `command` e azione `deallocate`, THE Azure_Plugin SHALL deallocare la VM Azure specificata nel target -4. WHEN viene invocato `executeAction()` con tipo `command` e azione `restart`, THE Azure_Plugin SHALL riavviare la VM Azure specificata nel target -5. WHEN un'operazione di ciclo di vita viene completata con successo, THE Azure_Plugin SHALL restituire un oggetto `ExecutionResult` con `success: true` e i dettagli dell'operazione -6. IF un'operazione di ciclo di vita fallisce, THEN THE Azure_Plugin SHALL restituire un oggetto `ExecutionResult` con `success: false` e il messaggio di errore dell'API Azure -7. THE Azure_Plugin SHALL esporre le operazioni di ciclo di vita tramite `listCapabilities()` con i parametri richiesti per ogni azione - -### Requisito 9: Integrazione nell'inventario aggregato - -**User Story:** Come operatore, voglio che le VM Azure appaiano nell'inventario aggregato di Pabawi insieme ai nodi delle altre integrazioni, in modo da avere una visione unificata dell'infrastruttura. - -#### Criteri di Accettazione - -1. THE IntegrationManager SHALL includere i nodi restituiti dal Azure_Plugin nell'inventario aggregato quando il plugin è abilitato e inizializzato -2. WHEN una VM Azure ha lo stesso hostname di un nodo proveniente da un'altra integrazione (Bolt, PuppetDB, Ansible, SSH, AWS, Proxmox), THE IntegrationManager SHALL collegare i nodi tramite il NodeLinkingService -3. THE Azure_Plugin SHALL impostare il campo `source` a `"azure"` per tutti i nodi e gruppi restituiti, consentendo al NodeLinkingService di identificare la provenienza dei dati -4. THE Azure_Plugin SHALL rispettare la configurazione `priority` per determinare l'ordine di precedenza nell'aggregazione dell'inventario - -### Requisito 10: Test unitari del plugin Azure - -**User Story:** Come sviluppatore, voglio che il plugin Azure sia coperto da test unitari, in modo da garantire la correttezza dell'implementazione e prevenire regressioni. - -#### Criteri di Accettazione - -1. THE Azure_Plugin SHALL avere test unitari che verifichino l'inizializzazione corretta con credenziali valide -2. THE Azure_Plugin SHALL avere test unitari che verifichino il comportamento con credenziali mancanti o non valide -3. THE Azure_Plugin SHALL avere test unitari che verifichino la mappatura corretta delle VM Azure in oggetti `Node` -4. THE Azure_Plugin SHALL avere test unitari che verifichino la creazione corretta dei `NodeGroup` per Resource Group, regione e tag -5. THE Azure_Plugin SHALL avere test unitari che verifichino il comportamento di degradazione graduale in caso di errori API -6. THE Azure_Plugin SHALL avere test unitari che verifichino le operazioni di ciclo di vita delle VM (start, stop, deallocate, restart) -7. FOR ALL le VM Azure restituite da `getInventory()`, la mappatura a `Node` e la successiva lettura tramite `getNodeFacts()` SHALL restituire dati coerenti con la VM originale (proprietà round-trip) diff --git a/CHANGELOG.md b/CHANGELOG.md index 00651b28..81110ee5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,36 @@ # Changelog +## [1.1.0] + +### Added + +- Global Journal page with cross-node timeline aggregation, filtering by node, group, event type, source, and date range +- Journal collectors for Proxmox tasks, AWS EC2 state changes, PuppetDB reports, and execution history +- Collapsible target selector in Global Journal with node/group search and source filtering +- Grouping of consecutive similar journal entries in the timeline for cleaner display +- Clickable node IDs in global journal entries linking to node detail pages +- Node name resolution in journal views — Proxmox/AWS raw IDs resolve to hostnames +- Input sanitization middleware with null byte removal, prototype pollution prevention, and deep nesting protection +- Cumulative login attempt counters (migration 011) for permanent lockout decisions that persist across successful logins +- Request deduplication middleware with LRU cache for identical GET requests +- Integration color service with consistent color coding across all integrations +- Multi-source filtering support in journal timeline API +- Zod-based input validation schemas for RBAC and common request types + +### Changed + +- Journal timeline component supports both per-node and global modes +- Streaming route refined for journal event collection +- AWS state persistence uses batched `Promise.all` mapping +- Security hardened across integrations with secure defaults and stricter input validation +- Version bumped to 1.1.0 across all package.json files + +### Fixed + +- Journal timeline stuck loading state resolved +- Proxmox and AWS URIs correctly resolve to hostnames in journal views +- Journal stream guard logic refined to prevent edge-case rendering issues + ## [1.0.0] ### Added @@ -33,13 +64,6 @@ - `IntegrationConfigRecord` frontend type - Dead code and unused dependencies related to database-stored config overrides -### Breaking Changes from 0.10.0 - -- `/api/config/integrations` CRUD endpoints removed — all configuration is now via `.env` -- `integration_configs` database table dropped (migration 010 runs automatically) -- Setup guides no longer save configuration to the database -- Test connection endpoints (`POST /api/integrations/proxmox/test`, `POST /api/integrations/aws/test`) no longer accept config in the request body - ## [0.8.0] ### Added diff --git a/README.md b/README.md index 807f5c78..2419fd4d 100644 --- a/README.md +++ b/README.md @@ -60,9 +60,12 @@ If you manage "classic infrastructure" — bare metal, VMs, not Kubernetes — P - **Event Tracking** — resource changes and failures over time - **Hiera Data Browser** — hierarchical configuration data and key usage analysis - **Node Journal** — timeline of events, actions, and notes per node +- **Global Journal** — cross-node timeline with filtering by node, group, event type, source, and date range - **Real-time Streaming** — live output for command and task execution - **Expert Mode** — full command lines and debug output - **Graceful Degradation** — continues operating when individual integrations are unavailable +- **Request Deduplication** — LRU-cached responses for identical API requests to reduce external calls +- **Input Sanitization** — automatic null byte removal, prototype pollution prevention, and deep nesting protection ## Screenshots @@ -210,6 +213,7 @@ Scheduled executions, custom dashboards, CLI tool, audit logging, Tiny Puppet in ### Version History +- **v1.1.0**: Global Journal with cross-node timeline, security hardening, docs rewrite - **v1.0.0**: Configuration refactor (`.env` as single source of truth), Proxmox and AWS provisioning, Node Journal, setup wizard `.env` snippet generators, Integration Status Dashboard - **v0.10.0**: AWS EC2 integration, integration configuration management - **v0.9.0**: Proxmox integration, Node Journal diff --git a/backend/.env.example b/backend/.env.example index a895263f..bdfd6c91 100644 --- a/backend/.env.example +++ b/backend/.env.example @@ -175,6 +175,19 @@ AWS_ENABLED=false # Custom endpoint (for LocalStack or other S3-compatible services) # AWS_ENDPOINT= +# ----------------------------------------------------------------------------- +# Azure integration (optional) +# ----------------------------------------------------------------------------- +AZURE_ENABLED=false +# Service Principal credentials (if omitted, DefaultAzureCredential is used) +# AZURE_TENANT_ID= +# AZURE_CLIENT_ID= +# AZURE_CLIENT_SECRET= # pragma: allowlist secret +# Azure subscription to query +# AZURE_SUBSCRIPTION_ID= +# Limit inventory to specific resource groups (JSON array or comma-separated) +# AZURE_RESOURCE_GROUPS=["my-rg-1","my-rg-2"] + # ----------------------------------------------------------------------------- # Advanced: Streaming, caching, and execution queue # ----------------------------------------------------------------------------- diff --git a/backend/package.json b/backend/package.json index 454ab7c9..44c28d83 100644 --- a/backend/package.json +++ b/backend/package.json @@ -15,6 +15,10 @@ "dependencies": { "@aws-sdk/client-ec2": "^3.700.0", "@aws-sdk/client-sts": "^3.700.0", + "@azure/arm-compute": "^23.3.0", + "@azure/arm-resources": "^7.0.0", + "@azure/arm-resources-subscriptions": "^2.1.0", + "@azure/identity": "^4.13.1", "bcrypt": "^5.1.1", "cors": "^2.8.5", "dotenv": "^16.4.5", diff --git a/backend/src/config/ConfigService.ts b/backend/src/config/ConfigService.ts index 50cf4a17..d1ea7ad1 100644 --- a/backend/src/config/ConfigService.ts +++ b/backend/src/config/ConfigService.ts @@ -136,6 +136,14 @@ export class ConfigService { profile?: string; endpoint?: string; }; + azure?: { + enabled: boolean; + tenantId?: string; + clientId?: string; + clientSecret?: string; + subscriptionId?: string; + resourceGroups?: string[]; + }; } { const integrations: ReturnType = {}; @@ -497,6 +505,34 @@ export class ConfigService { }; } + // Parse Azure configuration + if (process.env.AZURE_ENABLED === "true") { + // Parse resource groups from JSON array or comma-separated string + let resourceGroups: string[] | undefined; + if (process.env.AZURE_RESOURCE_GROUPS) { + try { + const parsed = JSON.parse(process.env.AZURE_RESOURCE_GROUPS) as unknown; + if (Array.isArray(parsed)) { + resourceGroups = parsed.filter( + (item): item is string => typeof item === "string", + ); + } + } catch { + // Not JSON — treat as comma-separated + resourceGroups = process.env.AZURE_RESOURCE_GROUPS.split(",").map((r) => r.trim()).filter(Boolean); + } + } + + integrations.azure = { + enabled: true, + tenantId: process.env.AZURE_TENANT_ID, + clientId: process.env.AZURE_CLIENT_ID, + clientSecret: process.env.AZURE_CLIENT_SECRET, + subscriptionId: process.env.AZURE_SUBSCRIPTION_ID, + resourceGroups, + }; + } + return integrations; } @@ -802,4 +838,17 @@ export class ConfigService { } return null; } + + /** + * Get Azure configuration if enabled + */ + public getAzureConfig(): + | (typeof this.config.integrations.azure & { enabled: true }) + | null { + const azure = this.config.integrations.azure; + if (azure?.enabled) { + return azure as typeof azure & { enabled: true }; + } + return null; + } } diff --git a/backend/src/config/schema.ts b/backend/src/config/schema.ts index 8a4ff1af..a054f59c 100644 --- a/backend/src/config/schema.ts +++ b/backend/src/config/schema.ts @@ -315,6 +315,20 @@ export const AWSConfigSchema = z.object({ export type AWSIntegrationConfig = z.infer; +/** + * Azure integration configuration schema + */ +export const AzureConfigSchema = z.object({ + enabled: z.boolean().default(false), + tenantId: z.string().optional(), + clientId: z.string().optional(), + clientSecret: z.string().optional(), + subscriptionId: z.string().optional(), + resourceGroups: z.array(z.string()).optional(), +}); + +export type AzureIntegrationConfig = z.infer; + /** * Provisioning safety configuration schema * @@ -338,6 +352,7 @@ export const IntegrationsConfigSchema = z.object({ hiera: HieraConfigSchema.optional(), proxmox: ProxmoxConfigSchema.optional(), aws: AWSConfigSchema.optional(), + azure: AzureConfigSchema.optional(), }); export type IntegrationsConfig = z.infer; diff --git a/backend/src/integrations/azure/AzureHelpers.ts b/backend/src/integrations/azure/AzureHelpers.ts new file mode 100644 index 00000000..87f2bdc7 --- /dev/null +++ b/backend/src/integrations/azure/AzureHelpers.ts @@ -0,0 +1,222 @@ +/** + * Azure Service Helpers + * + * Pure transformation and grouping functions extracted from AzureService + * to keep the main service file under 300 lines. + */ + +import type { VirtualMachine, VirtualMachineInstanceView } from "@azure/arm-compute"; +import type { Node, Facts } from "../bolt/types"; +import type { NodeGroup } from "../types"; + +const TAG_KEYS = ["Environment", "Project", "Team", "Application"]; + +/** + * Extract power state from a VM's instanceView statuses + */ +export function extractPowerState(vm: VirtualMachine): string { + const statuses = vm.instanceView?.statuses ?? []; + const powerStatus = statuses.find((s) => s.code?.startsWith("PowerState/")); + return powerStatus?.displayStatus ?? "unknown"; +} + +/** + * Parse an Azure node ID into its components + */ +export function parseNodeId(nodeId: string): { subscriptionId: string; resourceGroup: string; vmName: string } { + const parts = nodeId.split(":"); + if (parts.length < 4 || parts[0] !== "azure") { + throw new Error( + `Invalid Azure node ID format: ${nodeId}. Expected "azure:{subscriptionId}:{resourceGroup}:{vmName}"`, + ); + } + return { subscriptionId: parts[1], resourceGroup: parts[2], vmName: parts.slice(3).join(":") }; +} + +/** + * Transform an Azure VirtualMachine into a Node object + */ +export function transformVMToNode(vm: VirtualMachine, resourceGroup: string, subscriptionId: string): Node { + const vmName: string = vm.name ?? "unknown"; + const tags: Record = (vm.tags as Record | undefined) ?? {}; + const powerState = extractPowerState(vm); + const nodeId = `azure:${subscriptionId}:${resourceGroup}:${vmName}`; + + const node: Node = { + id: nodeId, + name: vmName, + uri: nodeId, + transport: "ssh" as const, + config: { + vmId: vm.id ?? "", + powerState, + vmSize: vm.hardwareProfile?.vmSize ?? "unknown", + resourceGroup, + location: vm.location, + tags, + provisioningState: vm.provisioningState ?? "unknown", + osType: vm.storageProfile?.osDisk?.osType ?? "unknown", + }, + source: "azure", + }; + + (node as Node & { status?: string }).status = powerState; + return node; +} + +/** + * Transform a VM and its instance view into a Facts object + */ +export function transformToFacts( + nodeId: string, + vm: VirtualMachine, + instanceView: VirtualMachineInstanceView, + subscriptionId: string, +): Facts { + const tags: Record = (vm.tags as Record | undefined) ?? {}; + const powerStatus = instanceView.statuses?.find((s) => s.code?.startsWith("PowerState/")); + const powerState = powerStatus?.displayStatus ?? "unknown"; + const osType: string = vm.storageProfile?.osDisk?.osType ?? "unknown"; + const imageRef = vm.storageProfile?.imageReference; + + return { + nodeId, + gatheredAt: new Date().toISOString(), + source: "azure", + facts: { + os: { + family: osType.toLowerCase() === "windows" ? "windows" : "linux", + name: imageRef ? `${imageRef.offer ?? ""}/${imageRef.sku ?? ""}` : "unknown", + release: { full: imageRef?.version ?? "unknown", major: imageRef?.sku ?? "unknown" }, + }, + processors: { count: 0, models: [] }, + memory: { system: { total: "unknown", available: "unknown" } }, + networking: { + hostname: vm.name ?? "unknown", + interfaces: {}, + }, + categories: { + system: { + vmName: vm.name, + vmId: vm.id, + powerState, + vmSize: vm.hardwareProfile?.vmSize, + location: vm.location, + provisioningState: vm.provisioningState, + osType, + offer: imageRef?.offer, + sku: imageRef?.sku, + version: imageRef?.version, + }, + network: { + networkInterfaces: (vm.networkProfile?.networkInterfaces ?? []).map((nic) => ({ + id: nic.id, + primary: nic.primary, + })), + }, + hardware: { + vmSize: vm.hardwareProfile?.vmSize, + osDiskSizeGB: vm.storageProfile?.osDisk?.diskSizeGB, + dataDiskCount: vm.storageProfile?.dataDisks?.length ?? 0, + dataDiskDetails: (vm.storageProfile?.dataDisks ?? []).map((d) => ({ + name: d.name, + sizeGB: d.diskSizeGB, + lun: d.lun, + })), + }, + custom: { + tags, + resourceGroup: parseNodeId(nodeId).resourceGroup, + subscriptionId, + }, + }, + }, + }; +} + +/** + * Group nodes by Azure location + */ +export function groupByLocation(nodes: Node[]): NodeGroup[] { + const locationMap = new Map(); + for (const node of nodes) { + const location = typeof node.config.location === "string" ? node.config.location : "unknown"; + if (!locationMap.has(location)) locationMap.set(location, []); + const locationNodes = locationMap.get(location); + if (locationNodes) locationNodes.push(node.name); + } + return Array.from(locationMap.entries()).map(([location, nodeNames]) => ({ + id: `azure:location:${location}`, + name: `Azure ${location}`, + source: "azure", + sources: ["azure"], + linked: false, + nodes: nodeNames, + metadata: { description: `Azure VMs in ${location}` }, + })); +} + +/** + * Group nodes by resource group + */ +export function groupByResourceGroup(nodes: Node[]): NodeGroup[] { + const rgMap = new Map(); + for (const node of nodes) { + const rg = typeof node.config.resourceGroup === "string" ? node.config.resourceGroup : "unknown"; + if (!rgMap.has(rg)) rgMap.set(rg, []); + const rgNodes = rgMap.get(rg); + if (rgNodes) rgNodes.push(node.name); + } + return Array.from(rgMap.entries()).map(([rg, nodeNames]) => ({ + id: `azure:resourceGroup:${rg}`, + name: `Resource Group: ${rg}`, + source: "azure", + sources: ["azure"], + linked: false, + nodes: nodeNames, + metadata: { description: `Azure VMs in resource group ${rg}` }, + })); +} + +/** + * Group nodes by well-known tag keys (Environment, Project, Team, Application) + */ +export function groupByTags(nodes: Node[]): NodeGroup[] { + const tagGroups = new Map>(); + + for (const node of nodes) { + const rawTags = node.config.tags; + const tags: Record = typeof rawTags === "object" && rawTags !== null + ? rawTags as Record + : {}; + for (const key of TAG_KEYS) { + const value = tags[key]; + if (value) { + if (!tagGroups.has(key)) tagGroups.set(key, new Map()); + const valueMap = tagGroups.get(key); + if (valueMap) { + if (!valueMap.has(value)) valueMap.set(value, []); + const valueNodes = valueMap.get(value); + if (valueNodes) valueNodes.push(node.name); + } + } + } + } + + const groups: NodeGroup[] = []; + for (const [tagKey, valueMap] of tagGroups) { + for (const [tagValue, nodeNames] of valueMap) { + groups.push({ + id: `azure:tag:${tagKey}:${tagValue}`, + name: `${tagKey}: ${tagValue}`, + source: "azure", + sources: ["azure"], + linked: false, + nodes: nodeNames, + metadata: { description: `Azure VMs with tag ${tagKey}=${tagValue}` }, + }); + } + } + + return groups; +} diff --git a/backend/src/integrations/azure/AzurePlugin.ts b/backend/src/integrations/azure/AzurePlugin.ts new file mode 100644 index 00000000..5ba03c93 --- /dev/null +++ b/backend/src/integrations/azure/AzurePlugin.ts @@ -0,0 +1,511 @@ +/* eslint-disable @typescript-eslint/no-non-null-assertion */ +/** + * Azure Integration Plugin + * + * Plugin class that integrates Azure VMs into Pabawi. + * Implements both InformationSourcePlugin and ExecutionToolPlugin interfaces. + * + * Validates: Requirements 1.1, 1.4, 1.5, 1.6, 2.6, 3.1–3.4, 4.1, 5.1, 6.1, + * 7.1, 8.1, 8.5, 9.1–9.3, 11.1–11.3, 11.5, 13.1, 13.2 + */ + +import { BasePlugin } from "../BasePlugin"; +import type { + HealthStatus, + InformationSourcePlugin, + ExecutionToolPlugin, + NodeGroup, + Capability, + Action, +} from "../types"; +import type { Node, Facts, ExecutionResult } from "../bolt/types"; +import type { LoggerService } from "../../services/LoggerService"; +import type { PerformanceMonitorService } from "../../services/PerformanceMonitorService"; +import type { JournalService } from "../../services/journal/JournalService"; +import type { CreateJournalEntry, JournalSource } from "../../services/journal/types"; +import type { + AzureConfig, + AzureLocationInfo, + AzureVMSizeInfo, + AzureImageInfo, + AzureResourceGroupInfo, + ProvisioningCapability, +} from "./types"; +import { AzureService } from "./AzureService"; +import { AzureAuthenticationError } from "./types"; + +/** + * AzurePlugin — Plugin for Azure Virtual Machines + * + * Provides: + * - Inventory discovery of Azure VMs + * - Group management (by location, resource group, tags) + * - Facts retrieval for VMs + * - Lifecycle actions (start, stop, restart, deallocate) + * - Provisioning capabilities (create_vm) + * - Resource discovery (locations, VM sizes, images, resource groups) + */ +export class AzurePlugin + extends BasePlugin + implements InformationSourcePlugin, ExecutionToolPlugin +{ + readonly type = "both" as const; + private service?: AzureService; + private journalService?: JournalService; + + constructor( + logger?: LoggerService, + performanceMonitor?: PerformanceMonitorService, + journalService?: JournalService, + ) { + super("azure", "both", logger, performanceMonitor); + this.journalService = journalService; + + this.logger.debug("AzurePlugin created", { + component: "AzurePlugin", + operation: "constructor", + }); + } + + // ======================================== + // Initialization + // ======================================== + + // eslint-disable-next-line @typescript-eslint/require-await + protected async performInitialization(): Promise { + this.logger.info("Initializing Azure integration", { + component: "AzurePlugin", + operation: "performInitialization", + }); + + const config = this.config.config as unknown as AzureConfig; + this.validateAzureConfig(config); + + this.service = new AzureService(config, this.logger); + + this.logger.info("Azure integration initialized successfully", { + component: "AzurePlugin", + operation: "performInitialization", + }); + } + + private validateAzureConfig(config: AzureConfig): void { + this.logger.debug("Validating Azure configuration", { + component: "AzurePlugin", + operation: "validateAzureConfig", + }); + + if (!config.subscriptionId) { + throw new Error( + "AZURE_SUBSCRIPTION_ID is required when AZURE_ENABLED is true", + ); + } + + if (!config.tenantId && !config.clientId && !config.clientSecret) { + this.logger.info( + "No explicit Azure credentials configured — using default credential chain (managed identity, CLI, environment)", + { component: "AzurePlugin", operation: "validateAzureConfig" }, + ); + } else { + const hasTenantId = Boolean(config.tenantId); + const hasClientId = Boolean(config.clientId); + const hasClientSecret = Boolean(config.clientSecret); + const hasCompleteExplicitCredentials = hasTenantId && hasClientId && hasClientSecret; + + if (!hasCompleteExplicitCredentials) { + const missingFields: string[] = []; + if (!hasTenantId) missingFields.push("tenantId"); + if (!hasClientId) missingFields.push("clientId"); + if (!hasClientSecret) missingFields.push("clientSecret"); + + throw new Error( + `Incomplete Azure client credential configuration: missing ${missingFields.join(", ")}. ` + + "Set all of tenantId, clientId, and clientSecret to use explicit client credentials, " + + "or leave all three unset to use the default credential chain.", + ); + } + } + + this.logger.debug("Azure configuration validated successfully", { + component: "AzurePlugin", + operation: "validateAzureConfig", + }); + } + + // ======================================== + // Health Check + // ======================================== + + protected async performHealthCheck(): Promise> { + if (!this.service) { + return { healthy: false, message: "Azure service not initialized" }; + } + + try { + const info = await this.service.validateCredentials(); + const config = this.config.config as unknown as AzureConfig; + + return { + healthy: true, + message: `Azure authenticated — subscription "${info.subscriptionName}"`, + details: { + subscriptionName: info.subscriptionName, + subscriptionId: info.subscriptionId, + tenantId: info.tenantId, + resourceGroups: config.resourceGroups, + hasClientCredentials: !!(config.tenantId && config.clientId), + }, + }; + } catch (error) { + if (error instanceof AzureAuthenticationError) { + return { + healthy: false, + message: "Azure authentication failed", + details: { error: error.message }, + }; + } + + return { + healthy: false, + message: error instanceof Error ? error.message : "Azure health check failed", + details: { + error: error instanceof Error ? error.stack : String(error), + }, + }; + } + } + + // ======================================== + // InformationSourcePlugin + // ======================================== + + async getInventory(): Promise { + this.ensureInitialized(); + return this.service!.getInventory(); + } + + async getGroups(): Promise { + this.ensureInitialized(); + return this.service!.getGroups(); + } + + async getNodeFacts(nodeId: string): Promise { + this.ensureInitialized(); + + if (!nodeId.startsWith("azure:")) { + const inventory = await this.service!.getInventory(); + const match = inventory.find((n) => n.id === nodeId || n.name === nodeId); + if (!match) { + throw new Error(`Azure node not found: ${nodeId}`); + } + return this.service!.getNodeFacts(match.id); + } + + return this.service!.getNodeFacts(nodeId); + } + + // eslint-disable-next-line @typescript-eslint/require-await + async getNodeData(_nodeId: string, _dataType: string): Promise { + this.ensureInitialized(); + return null; + } + + // ======================================== + // ExecutionToolPlugin + // ======================================== + + async executeAction(action: Action): Promise { + this.ensureInitialized(); + + const startedAt = new Date().toISOString(); + const target = Array.isArray(action.target) ? action.target[0] : action.target; + + try { + let result: ExecutionResult; + + switch (action.action) { + case "provision": + case "create_vm": + result = await this.handleProvision(action, startedAt, target); + break; + case "start": + case "stop": + case "restart": + case "deallocate": + result = await this.handleLifecycle(action, startedAt, target); + break; + default: + throw new Error(`Unsupported Azure action: ${action.action}`); + } + + await this.recordJournal(action, target, result); + return result; + } catch (error) { + if (error instanceof AzureAuthenticationError) { + await this.recordJournalFailure(action, target, startedAt, error.message); + throw error; + } + + const errorMessage = error instanceof Error ? error.message : String(error); + const failedResult = this.buildFailedResult(action, startedAt, target, errorMessage); + await this.recordJournal(action, target, failedResult); + return failedResult; + } + } + + private async handleProvision( + action: Action, + startedAt: string, + target: string, + ): Promise { + // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition + const params = action.parameters ?? action.metadata! ?? {}; + const resourceId = await this.service!.provisionVM(params); + const completedAt = new Date().toISOString(); + + return { + id: `azure-provision-${String(Date.now())}`, + type: "task", + targetNodes: [target], + action: action.action, + parameters: params, + status: "success", + startedAt, + completedAt, + results: [ + { + nodeId: resourceId, + status: "success", + output: { stdout: `VM ${resourceId} provisioned successfully` }, + duration: new Date(completedAt).getTime() - new Date(startedAt).getTime(), + }, + ], + }; + } + + private async handleLifecycle( + action: Action, + startedAt: string, + target: string, + ): Promise { + const { resourceGroup, vmName } = this.parseTarget(target, action); + + switch (action.action) { + case "start": + await this.service!.startVM(resourceGroup, vmName); + break; + case "stop": + await this.service!.stopVM(resourceGroup, vmName); + break; + case "restart": + await this.service!.restartVM(resourceGroup, vmName); + break; + case "deallocate": + await this.service!.deallocateVM(resourceGroup, vmName); + break; + } + + const completedAt = new Date().toISOString(); + + return { + id: `azure-${action.action}-${String(Date.now())}`, + type: "command", + targetNodes: [target], + action: action.action, + status: "success", + startedAt, + completedAt, + results: [ + { + nodeId: target, + status: "success", + output: { stdout: `Action ${action.action} completed on ${vmName}` }, + duration: new Date(completedAt).getTime() - new Date(startedAt).getTime(), + }, + ], + }; + } + + private parseTarget( + target: string, + action: Action, + ): { resourceGroup: string; vmName: string } { + const parts = target.split(":"); + if (parts.length >= 4 && parts[0] === "azure") { + return { resourceGroup: parts[2], vmName: parts.slice(3).join(":") }; + } + const resourceGroup = + (action.parameters?.resourceGroup as string | undefined) ?? + (action.metadata?.resourceGroup as string | undefined) ?? + ""; + const vmName = + (action.parameters?.vmName as string | undefined) ?? + (action.metadata?.vmName as string | undefined) ?? + target; + return { resourceGroup, vmName }; + } + + private buildFailedResult( + action: Action, + startedAt: string, + target: string, + errorMessage: string, + ): ExecutionResult { + const type = + action.action === "provision" || action.action === "create_vm" + ? "task" + : "command"; + return { + id: `azure-error-${String(Date.now())}`, + type, + targetNodes: [target], + action: action.action, + status: "failed", + startedAt, + completedAt: new Date().toISOString(), + results: [ + { + nodeId: target, + status: "failed", + error: errorMessage, + duration: 0, + }, + ], + error: errorMessage, + }; + } + + // ======================================== + // Journal Integration + // ======================================== + + private async recordJournal( + action: Action, + target: string, + result: ExecutionResult, + ): Promise { + if (!this.journalService) return; + + const eventType = this.mapActionToEventType(action.action); + // Normalize to canonical nodeId (azure:{subscriptionId}:{resourceGroup}:{vmName}) + // and avoid double-prefixing nodeUri + const canonicalNodeRef = target.startsWith("azure:") ? target : `azure:${target}`; + const entry: CreateJournalEntry = { + nodeId: canonicalNodeRef, + nodeUri: canonicalNodeRef, + eventType, + source: "azure" as JournalSource, + action: action.action, + summary: + result.status === "success" + ? `Azure ${action.action} succeeded on ${target}` + : `Azure ${action.action} failed on ${target}: ${result.error ?? "unknown error"}`, + details: { + status: result.status, + parameters: action.parameters, + ...(result.error ? { error: result.error } : {}), + }, + }; + + try { + await this.journalService.recordEvent(entry); + } catch (err) { + this.logger.error("Failed to record journal entry", { + component: "AzurePlugin", + operation: "recordJournal", + metadata: { error: err instanceof Error ? err.message : String(err) }, + }); + } + } + + private async recordJournalFailure( + action: Action, + target: string, + startedAt: string, + errorMessage: string, + ): Promise { + const failedResult = this.buildFailedResult(action, startedAt, target, errorMessage); + await this.recordJournal(action, target, failedResult); + } + + private mapActionToEventType( + actionName: string, + ): "provision" | "start" | "stop" | "reboot" | "destroy" | "unknown" { + switch (actionName) { + case "provision": + case "create_vm": + return "provision"; + case "start": + return "start"; + case "stop": + return "stop"; + case "restart": + return "reboot"; + case "deallocate": + return "destroy"; + default: + return "unknown"; + } + } + + setJournalService(journalService: JournalService): void { + this.journalService = journalService; + } + + // ======================================== + // Capabilities + // ======================================== + + listCapabilities(): Capability[] { + return [ + { name: "start", description: "Start an Azure VM" }, + { name: "stop", description: "Stop an Azure VM" }, + { name: "restart", description: "Restart an Azure VM" }, + { name: "deallocate", description: "Deallocate an Azure VM" }, + ]; + } + + listProvisioningCapabilities(): ProvisioningCapability[] { + return [ + { + name: "create_vm", + description: "Create a new Azure VM", + operation: "create", + }, + ]; + } + + // ======================================== + // Resource Discovery + // ======================================== + + async getLocations(): Promise { + this.ensureInitialized(); + return this.service!.getLocations(); + } + + async getVMSizes(location: string): Promise { + this.ensureInitialized(); + return this.service!.getVMSizes(location); + } + + async getImages(location?: string, publisher?: string, offer?: string, sku?: string): Promise { + this.ensureInitialized(); + return this.service!.getImages(location, publisher, offer, sku); + } + + async getResourceGroups(): Promise { + this.ensureInitialized(); + return this.service!.getResourceGroups(); + } + + // ======================================== + // Helpers + // ======================================== + + private ensureInitialized(): void { + if (!this.initialized || !this.config.enabled) { + throw new Error("Azure integration is not initialized"); + } + } +} diff --git a/backend/src/integrations/azure/AzureService.ts b/backend/src/integrations/azure/AzureService.ts new file mode 100644 index 00000000..376e2f2b --- /dev/null +++ b/backend/src/integrations/azure/AzureService.ts @@ -0,0 +1,317 @@ +/** + * Azure Service + * + * Wraps Azure SDK clients to provide inventory discovery, + * grouping, facts retrieval, provisioning, lifecycle management, + * and resource discovery for Azure VMs. + */ + +import { ComputeManagementClient } from "@azure/arm-compute"; +import type { VirtualMachine } from "@azure/arm-compute"; +import { ClientSecretCredential, DefaultAzureCredential } from "@azure/identity"; +import type { TokenCredential } from "@azure/identity"; +import { ResourceManagementClient } from "@azure/arm-resources"; +import { SubscriptionClient } from "@azure/arm-resources-subscriptions"; +import { AzureAuthenticationError } from "./types"; +import type { + AzureConfig, + AzureLocationInfo, + AzureVMSizeInfo, + AzureImageInfo, + AzureResourceGroupInfo, +} from "./types"; +import type { Node, Facts } from "../bolt/types"; +import type { NodeGroup } from "../types"; +import type { LoggerService } from "../../services/LoggerService"; +import { + transformVMToNode, + transformToFacts, + parseNodeId, + groupByLocation, + groupByResourceGroup, + groupByTags, +} from "./AzureHelpers"; + +const AUTH_ERROR_CODES = [ + "AuthenticationFailed", + "AuthorizationFailed", + "InvalidAuthenticationToken", + "ExpiredAuthenticationToken", +]; + +export class AzureService { + private readonly computeClient: ComputeManagementClient; + private readonly resourceClient: ResourceManagementClient; + private readonly subscriptionClient: SubscriptionClient; + private readonly credential: TokenCredential; + private readonly subscriptionId: string; + private readonly resourceGroups?: string[]; + private readonly logger: LoggerService; + + constructor(config: AzureConfig, logger: LoggerService) { + this.logger = logger; + this.subscriptionId = config.subscriptionId; + this.resourceGroups = config.resourceGroups; + + if (config.tenantId && config.clientId && config.clientSecret) { + this.credential = new ClientSecretCredential(config.tenantId, config.clientId, config.clientSecret); + this.logger.debug("Using ClientSecretCredential", { component: "AzureService", operation: "constructor" }); + } else { + this.credential = new DefaultAzureCredential(); + this.logger.debug("Using DefaultAzureCredential", { component: "AzureService", operation: "constructor" }); + } + + this.computeClient = new ComputeManagementClient(this.credential, this.subscriptionId); + this.resourceClient = new ResourceManagementClient(this.credential, this.subscriptionId); + this.subscriptionClient = new SubscriptionClient(this.credential); + + this.logger.debug("AzureService created", { + component: "AzureService", + operation: "constructor", + metadata: { subscriptionId: this.subscriptionId }, + }); + } + // ======================================== + // Credential Validation + // ======================================== + + async validateCredentials(): Promise<{ subscriptionName: string; subscriptionId: string; tenantId: string }> { + try { + const response = await this.subscriptionClient.subscriptions.get(this.subscriptionId); + const result = { + subscriptionName: response.displayName ?? "", + subscriptionId: response.subscriptionId ?? this.subscriptionId, + tenantId: response.tenantId ?? "", + }; + this.logger.info("Azure credentials validated", { + component: "AzureService", operation: "validateCredentials", + metadata: { subscriptionName: result.subscriptionName }, + }); + return result; + } catch (error) { + this.throwIfAuthError(error); + const message = error instanceof Error ? error.message : String(error); + throw new AzureAuthenticationError(message); + } + } + // ======================================== + // Inventory, Groups & Facts + // ======================================== + + async getInventory(): Promise { + const nodes: Node[] = []; + + if (this.resourceGroups && this.resourceGroups.length > 0) { + for (const rg of this.resourceGroups) { + try { + const vms = await this.listVMsInResourceGroup(rg); + nodes.push(...vms.map((vm) => transformVMToNode(vm, rg, this.subscriptionId))); + } catch (error) { + this.logger.error(`Failed to query resource group ${rg}`, { + component: "AzureService", operation: "getInventory", metadata: { resourceGroup: rg }, + }, error instanceof Error ? error : undefined); + } + } + } else { + nodes.push(...await this.listAllVMs()); + } + + this.logger.info("Azure VM inventory fetched", { + component: "AzureService", operation: "getInventory", metadata: { count: nodes.length }, + }); + return nodes; + } + + async getGroups(): Promise { + const inventory = await this.getInventory(); + return [...groupByLocation(inventory), ...groupByResourceGroup(inventory), ...groupByTags(inventory)]; + } + + async getNodeFacts(nodeId: string): Promise { + const { resourceGroup, vmName } = parseNodeId(nodeId); + const vm = await this.computeClient.virtualMachines.get(resourceGroup, vmName); + const instanceView = await this.computeClient.virtualMachines.instanceView(resourceGroup, vmName); + return transformToFacts(nodeId, vm, instanceView, this.subscriptionId); + } + + // ======================================== + // Provisioning & Lifecycle + // ======================================== + + async provisionVM(params: Record): Promise { + const rg = params.resourceGroup as string; + const vmName = params.vmName as string; + this.logger.info("Provisioning Azure VM", { + component: "AzureService", operation: "provisionVM", metadata: { resourceGroup: rg, vmName }, + }); + + try { + const imageRef = params.imageReference as { publisher: string; offer: string; sku: string; version?: string }; + const adminUser = params.adminUsername as string; + const vmDef: VirtualMachine = { + location: params.location as string, + hardwareProfile: { vmSize: typeof params.vmSize === "string" ? params.vmSize : "Standard_B1s" }, + storageProfile: { + imageReference: { ...imageRef, version: imageRef.version ?? "latest" }, + osDisk: { createOption: "FromImage", managedDisk: { storageAccountType: "Standard_LRS" } }, + }, + osProfile: { + computerName: vmName, adminUsername: adminUser, + ...(params.adminPassword ? { adminPassword: params.adminPassword as string } : {}), + ...(params.sshPublicKey ? { + linuxConfiguration: { ssh: { publicKeys: [{ + path: `/home/${adminUser}/.ssh/authorized_keys`, keyData: params.sshPublicKey as string, + }] } }, + } : {}), + }, + networkProfile: { + networkInterfaces: params.networkInterfaceId ? [{ id: params.networkInterfaceId as string }] : [], + }, + }; + + const poller = await this.computeClient.virtualMachines.beginCreateOrUpdate(rg, vmName, vmDef); + const result = await poller.pollUntilDone(); + return result.id ?? `${rg}/${vmName}`; + } catch (error) { this.throwIfAuthError(error); throw error; } + } + + async startVM(resourceGroup: string, vmName: string): Promise { + await this.runLifecycleOp("startVM", resourceGroup, vmName, + () => this.computeClient.virtualMachines.beginStart(resourceGroup, vmName)); + } + + async stopVM(resourceGroup: string, vmName: string): Promise { + await this.runLifecycleOp("stopVM", resourceGroup, vmName, + () => this.computeClient.virtualMachines.beginPowerOff(resourceGroup, vmName)); + } + + async restartVM(resourceGroup: string, vmName: string): Promise { + await this.runLifecycleOp("restartVM", resourceGroup, vmName, + () => this.computeClient.virtualMachines.beginRestart(resourceGroup, vmName)); + } + + async deallocateVM(resourceGroup: string, vmName: string): Promise { + await this.runLifecycleOp("deallocateVM", resourceGroup, vmName, + () => this.computeClient.virtualMachines.beginDeallocate(resourceGroup, vmName)); + } + + private async runLifecycleOp( + operation: string, + resourceGroup: string, + vmName: string, + beginOp: () => Promise<{ pollUntilDone: () => Promise }>, + ): Promise { + try { + const poller = await beginOp(); + await poller.pollUntilDone(); + this.logger.info(`Azure VM ${operation} complete`, { + component: "AzureService", operation, metadata: { resourceGroup, vmName }, + }); + } catch (error) { this.throwIfAuthError(error); throw error; } + } + + // ======================================== + // Resource Discovery + // ======================================== + + async getLocations(): Promise { + const locations: AzureLocationInfo[] = []; + for await (const loc of this.subscriptionClient.subscriptions.listLocations(this.subscriptionId)) { + if (loc.name && loc.displayName) locations.push({ name: loc.name, displayName: loc.displayName }); + } + this.logger.info("Azure locations fetched", { + component: "AzureService", operation: "getLocations", metadata: { count: locations.length }, + }); + return locations; + } + + async getVMSizes(location: string): Promise { + const sizes: AzureVMSizeInfo[] = []; + for await (const size of this.computeClient.virtualMachineSizes.list(location)) { + sizes.push({ + name: size.name ?? "", + vCpus: size.numberOfCores ?? 0, + memoryMB: size.memoryInMB ?? 0, + osDiskSizeGB: size.osDiskSizeInMB != null ? Math.round(size.osDiskSizeInMB / 1024) : 0, + }); + } + this.logger.info("Azure VM sizes fetched", { + component: "AzureService", operation: "getVMSizes", metadata: { location, count: sizes.length }, + }); + return sizes; + } + + async getImages(location?: string, publisher?: string, offer?: string, sku?: string): Promise { + if (!publisher || !offer || !sku) return []; + + const resolvedLocation = location ?? (await this.getLocations())[0]?.name; + if (!resolvedLocation) { + this.logger.warn("No Azure locations available for subscription; cannot list images", { + component: "AzureService", + operation: "getImages", + metadata: { subscriptionId: this.subscriptionId }, + }); + return []; + } + + const result = await this.computeClient.virtualMachineImages.list(resolvedLocation, publisher, offer, sku); + const images = result.map((img) => ({ publisher, offer, sku, version: img.name })); + + this.logger.info("Azure VM images fetched", { + component: "AzureService", + operation: "getImages", + metadata: { location: resolvedLocation, publisher, offer, sku, count: images.length }, + }); + + return images; + } + + async getResourceGroups(): Promise { + const groups: AzureResourceGroupInfo[] = []; + for await (const rg of this.resourceClient.resourceGroups.list()) { + groups.push({ name: rg.name ?? "", location: rg.location, tags: (rg.tags as Record | undefined) ?? {} }); + } + this.logger.info("Azure resource groups fetched", { + component: "AzureService", operation: "getResourceGroups", metadata: { count: groups.length }, + }); + return groups; + } + + // ======================================== + // Private Helpers + // ======================================== + + private throwIfAuthError(error: unknown): void { + if (error instanceof Error) { + const code = (error as Error & { code?: string }).code ?? ""; + const name = error.name; + if (AUTH_ERROR_CODES.includes(code) || AUTH_ERROR_CODES.includes(name)) { + throw new AzureAuthenticationError(error.message); + } + } + } + + private async listVMsInResourceGroup(resourceGroup: string): Promise { + const vms: VirtualMachine[] = []; + const iter = this.computeClient.virtualMachines.list(resourceGroup); + for await (const vm of iter) { vms.push(vm); } + return vms; + } + + private async listAllVMs(): Promise { + const nodes: Node[] = []; + const rgIter = this.resourceClient.resourceGroups.list(); + for await (const rg of rgIter) { + const rgName = rg.name ?? ""; + try { + const vms = await this.listVMsInResourceGroup(rgName); + nodes.push(...vms.map((vm) => transformVMToNode(vm, rgName, this.subscriptionId))); + } catch (error) { + this.logger.error(`Failed to query resource group ${rgName}`, { + component: "AzureService", operation: "listAllVMs", metadata: { resourceGroup: rgName }, + }, error instanceof Error ? error : undefined); + } + } + return nodes; + } +} diff --git a/backend/src/integrations/azure/types.ts b/backend/src/integrations/azure/types.ts new file mode 100644 index 00000000..bbb65027 --- /dev/null +++ b/backend/src/integrations/azure/types.ts @@ -0,0 +1,84 @@ +/** + * Azure Integration Types + * + * Type definitions for the Azure VM integration plugin. + */ + +import type { ProvisioningCapability } from "../types"; + +export type { ProvisioningCapability }; + +/** + * Azure configuration parsed from environment variables. + */ +export interface AzureConfig { + tenantId?: string; + clientId?: string; + clientSecret?: string; + subscriptionId: string; + resourceGroups?: string[]; +} + +/** + * Azure VM instance information. + */ +export interface AzureVMInfo { + vmName: string; + vmId: string; + powerState: string; + vmSize: string; + resourceGroup: string; + location: string; + tags: Record; + provisioningState: string; + osType: string; +} + +/** + * Azure location (region) information. + */ +export interface AzureLocationInfo { + name: string; + displayName: string; +} + +/** + * Azure VM size specification. + */ +export interface AzureVMSizeInfo { + name: string; + vCpus: number; + memoryMB: number; + osDiskSizeGB: number; +} + +/** + * Azure marketplace image information. + */ +export interface AzureImageInfo { + publisher: string; + offer: string; + sku: string; + version: string; +} + +/** + * Azure resource group information. + */ +export interface AzureResourceGroupInfo { + name: string; + location: string; + tags: Record; +} + +/** + * Azure authentication error. + * + * Thrown when Azure credentials are invalid, expired, or lack required RBAC permissions. + */ +export class AzureAuthenticationError extends Error { + constructor(message: string) { + super(message); + this.name = "AzureAuthenticationError"; + } +} diff --git a/backend/src/routes/integrations/azure.ts b/backend/src/routes/integrations/azure.ts new file mode 100644 index 00000000..5e1e869b --- /dev/null +++ b/backend/src/routes/integrations/azure.ts @@ -0,0 +1,475 @@ +import { Router, type Request, type Response } from "express"; +import { z } from "zod"; +import { ZodError } from "zod"; +import { asyncHandler } from "../asyncHandler"; +import type { AzurePlugin } from "../../integrations/azure/AzurePlugin"; +import type { IntegrationManager } from "../../integrations/IntegrationManager"; +import { AzureAuthenticationError } from "../../integrations/azure/types"; +import { LoggerService } from "../../services/LoggerService"; +import { sendValidationError, ERROR_CODES } from "../../utils/errorHandling"; + +const logger = new LoggerService(); + +/** + * Zod schema for provisioning request body + */ +const AzureProvisionSchema = z.object({ + resourceGroup: z.string().min(1), + vmName: z.string().min(1), + location: z.string().min(1), + vmSize: z.string().optional().default("Standard_B1s"), + imageReference: z.object({ + publisher: z.string(), + offer: z.string(), + sku: z.string(), + version: z.string().optional().default("latest"), + }), + adminUsername: z.string().min(1), + adminPassword: z.string().optional(), + sshPublicKey: z.string().optional(), + networkInterfaceId: z.string().min(1, "networkInterfaceId is required for VM creation"), +}); + +/** + * Zod schema for lifecycle action request body + */ +const AzureLifecycleSchema = z.object({ + vmName: z.string().min(1), + resourceGroup: z.string().min(1), + action: z.enum(["start", "stop", "restart", "deallocate"]), +}); + +/** + * Zod schema for location query parameter + */ +const LocationQuerySchema = z.object({ + location: z.string().min(1, "Location is required"), +}); + +/** + * Zod schema for image query parameters + */ +const ImageQuerySchema = z.object({ + location: z.string().optional(), + publisher: z.string().optional(), + offer: z.string().optional(), + sku: z.string().optional(), +}); + +/** + * Create Azure integration API routes + * + * Requirements: 3.5, 7.5, 8.4, 8.5, 8.6, 11.4, 12.1–12.6 + */ +export function createAzureRouter( + azurePlugin: AzurePlugin, + integrationManager?: IntegrationManager, + options?: { allowDestructiveActions?: boolean }, +): Router { + const router = Router(); + + /** + * GET /api/integrations/azure/inventory + * List Azure VMs + */ + router.get( + "/inventory", + asyncHandler(async (_req: Request, res: Response): Promise => { + logger.info("Processing Azure inventory request", { + component: "AzureRouter", + operation: "getInventory", + }); + + try { + const inventory = await azurePlugin.getInventory(); + res.status(200).json({ inventory }); + } catch (error) { + if (error instanceof AzureAuthenticationError) { + logger.warn("Azure authentication failed during inventory", { + component: "AzureRouter", + operation: "getInventory", + }); + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure inventory request failed", { + component: "AzureRouter", + operation: "getInventory", + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to retrieve Azure inventory", + }, + }); + } + }), + ); + + /** + * POST /api/integrations/azure/provision + * Provision a new Azure VM + */ + router.post( + "/provision", + asyncHandler(async (req: Request, res: Response): Promise => { + logger.info("Processing Azure provision request", { + component: "AzureRouter", + operation: "provision", + metadata: { userId: req.user?.userId }, + }); + + try { + const validatedBody = AzureProvisionSchema.parse(req.body); + + const result = await azurePlugin.executeAction({ + type: "task", + target: "new", + action: "provision", + parameters: validatedBody, + }); + + logger.info("Azure provision completed", { + component: "AzureRouter", + operation: "provision", + metadata: { status: result.status }, + }); + + // Invalidate inventory cache so the new VM appears immediately + if (result.status === "success") { + integrationManager?.clearInventoryCache(); + } + + res.status(result.status === "success" ? 201 : 200).json({ result }); + } catch (error) { + if (error instanceof ZodError) { + sendValidationError(res, error); + return; + } + + if (error instanceof AzureAuthenticationError) { + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure provision request failed", { + component: "AzureRouter", + operation: "provision", + metadata: { userId: req.user?.userId }, + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to provision Azure VM", + }, + }); + } + }), + ); + + /** + * POST /api/integrations/azure/lifecycle + * Execute lifecycle action (start/stop/restart/deallocate) + */ + router.post( + "/lifecycle", + asyncHandler(async (req: Request, res: Response): Promise => { + logger.info("Processing Azure lifecycle request", { + component: "AzureRouter", + operation: "lifecycle", + metadata: { userId: req.user?.userId }, + }); + + try { + const validatedBody = AzureLifecycleSchema.parse(req.body); + + // Guard: reject deallocate if destructive provisioning actions are disabled + if (validatedBody.action === "deallocate" && options?.allowDestructiveActions === false) { + res.status(403).json({ + error: { + code: "DESTRUCTIVE_ACTION_DISABLED", + message: "Destructive provisioning actions are disabled by configuration (ALLOW_DESTRUCTIVE_PROVISIONING=false)", + }, + }); + return; + } + + const target = `azure:${validatedBody.resourceGroup}:${validatedBody.vmName}`; + + const result = await azurePlugin.executeAction({ + type: "command", + target, + action: validatedBody.action, + parameters: { + resourceGroup: validatedBody.resourceGroup, + vmName: validatedBody.vmName, + }, + }); + + logger.info("Azure lifecycle action completed", { + component: "AzureRouter", + operation: "lifecycle", + metadata: { action: validatedBody.action, status: result.status }, + }); + + // Invalidate inventory cache so state changes appear immediately + if (result.status === "success") { + integrationManager?.clearInventoryCache(); + } + + res.status(200).json({ result }); + } catch (error) { + if (error instanceof ZodError) { + sendValidationError(res, error); + return; + } + + if (error instanceof AzureAuthenticationError) { + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure lifecycle request failed", { + component: "AzureRouter", + operation: "lifecycle", + metadata: { userId: req.user?.userId }, + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to execute Azure lifecycle action", + }, + }); + } + }), + ); + + /** + * POST /api/integrations/azure/test + * Test Azure connection + */ + router.post( + "/test", + asyncHandler(async (_req: Request, res: Response): Promise => { + logger.info("Testing Azure connection", { + component: "AzureRouter", + operation: "testConnection", + }); + + try { + const health = await azurePlugin.healthCheck(); + res.status(200).json({ + success: health.healthy, + message: health.message ?? (health.healthy ? "Connection successful" : "Connection failed"), + }); + } catch (error) { + const msg = error instanceof Error ? error.message : String(error); + logger.error("Azure connection test failed", { + component: "AzureRouter", + operation: "testConnection", + }, error instanceof Error ? error : undefined); + res.status(200).json({ + success: false, + message: msg, + }); + } + }), + ); + + /** + * GET /api/integrations/azure/locations + * List available Azure locations + */ + router.get( + "/locations", + asyncHandler(async (_req: Request, res: Response): Promise => { + logger.info("Processing Azure locations request", { + component: "AzureRouter", + operation: "getLocations", + }); + + try { + const locations = await azurePlugin.getLocations(); + res.status(200).json({ locations }); + } catch (error) { + if (error instanceof AzureAuthenticationError) { + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure locations request failed", { + component: "AzureRouter", + operation: "getLocations", + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to retrieve Azure locations", + }, + }); + } + }), + ); + + /** + * GET /api/integrations/azure/vm-sizes + * List VM sizes for a location + */ + router.get( + "/vm-sizes", + asyncHandler(async (req: Request, res: Response): Promise => { + logger.info("Processing Azure VM sizes request", { + component: "AzureRouter", + operation: "getVMSizes", + }); + + try { + const { location } = LocationQuerySchema.parse(req.query); + const vmSizes = await azurePlugin.getVMSizes(location); + res.status(200).json({ vmSizes }); + } catch (error) { + if (error instanceof ZodError) { + sendValidationError(res, error); + return; + } + + if (error instanceof AzureAuthenticationError) { + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure VM sizes request failed", { + component: "AzureRouter", + operation: "getVMSizes", + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to retrieve Azure VM sizes", + }, + }); + } + }), + ); + + /** + * GET /api/integrations/azure/images + * List marketplace images + */ + router.get( + "/images", + asyncHandler(async (req: Request, res: Response): Promise => { + logger.info("Processing Azure images request", { + component: "AzureRouter", + operation: "getImages", + }); + + try { + const { location, publisher, offer, sku } = ImageQuerySchema.parse(req.query); + const images = await azurePlugin.getImages(location, publisher, offer, sku); + res.status(200).json({ images }); + } catch (error) { + if (error instanceof ZodError) { + sendValidationError(res, error); + return; + } + + if (error instanceof AzureAuthenticationError) { + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure images request failed", { + component: "AzureRouter", + operation: "getImages", + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to retrieve Azure images", + }, + }); + } + }), + ); + + /** + * GET /api/integrations/azure/resource-groups + * List resource groups + */ + router.get( + "/resource-groups", + asyncHandler(async (_req: Request, res: Response): Promise => { + logger.info("Processing Azure resource groups request", { + component: "AzureRouter", + operation: "getResourceGroups", + }); + + try { + const resourceGroups = await azurePlugin.getResourceGroups(); + res.status(200).json({ resourceGroups }); + } catch (error) { + if (error instanceof AzureAuthenticationError) { + res.status(401).json({ + error: { + code: ERROR_CODES.UNAUTHORIZED, + message: "Azure authentication failed", + }, + }); + return; + } + + logger.error("Azure resource groups request failed", { + component: "AzureRouter", + operation: "getResourceGroups", + }, error instanceof Error ? error : undefined); + + res.status(500).json({ + error: { + code: ERROR_CODES.INTERNAL_SERVER_ERROR, + message: "Failed to retrieve Azure resource groups", + }, + }); + } + }), + ); + + return router; +} diff --git a/backend/src/server.ts b/backend/src/server.ts index 186843ac..97329ede 100644 --- a/backend/src/server.ts +++ b/backend/src/server.ts @@ -30,7 +30,9 @@ import { createRolesRouter } from "./routes/roles"; import { createPermissionsRouter } from "./routes/permissions"; import { createJournalRouter } from "./routes/journal"; import { createAWSRouter } from "./routes/integrations/aws"; +import { createAzureRouter } from "./routes/integrations/azure"; import { AWSPlugin } from "./integrations/aws/AWSPlugin"; +import { AzurePlugin } from "./integrations/azure/AzurePlugin"; import monitoringRouter from "./routes/monitoring"; import { StreamingExecutionManager } from "./services/StreamingExecutionManager"; import { ExecutionQueue } from "./services/ExecutionQueue"; @@ -856,6 +858,88 @@ async function startServer(): Promise { operation: "initializeAWS", }); + // Initialize Azure integration only if configured + let azurePlugin: AzurePlugin | undefined; + const azureConfig = config.integrations.azure; + const azureConfigured = azureConfig?.enabled === true; + + logger.debug("=== Azure Integration Setup ===", { + component: "Server", + operation: "initializeAzure", + metadata: { + configured: azureConfigured, + enabled: azureConfig?.enabled, + hasSubscriptionId: !!azureConfig?.subscriptionId, + }, + }); + + // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition + if (azureConfigured && azureConfig) { + logger.info("Initializing Azure integration...", { + component: "Server", + operation: "initializeAzure", + }); + try { + azurePlugin = new AzurePlugin(logger, performanceMonitor); + logger.debug("AzurePlugin instance created", { + component: "Server", + operation: "initializeAzure", + }); + + const integrationConfig: IntegrationConfig = { + enabled: true, + name: "azure", + type: "both", + config: azureConfig as unknown as Record, + priority: 7, + }; + + logger.debug("Registering Azure plugin", { + component: "Server", + operation: "initializeAzure", + metadata: { config: { ...integrationConfig, config: { subscriptionId: azureConfig.subscriptionId } } }, + }); + integrationManager.registerPlugin(azurePlugin, integrationConfig); + + logger.info("Azure integration registered successfully", { + component: "Server", + operation: "initializeAzure", + metadata: { + enabled: true, + subscriptionId: azureConfig.subscriptionId, + hasClientCredentials: !!(azureConfig.tenantId && azureConfig.clientId), + resourceGroups: azureConfig.resourceGroups, + priority: 7, + }, + }); + } catch (error) { + logger.warn(`WARNING: Failed to initialize Azure integration: ${error instanceof Error ? error.message : "Unknown error"}`, { + component: "Server", + operation: "initializeAzure", + }); + if (error instanceof Error && error.stack) { + logger.error("Azure initialization error stack", { + component: "Server", + operation: "initializeAzure", + }, error); + } + azurePlugin = undefined; + } + } else { + logger.warn("Azure integration not configured - skipping registration", { + component: "Server", + operation: "initializeAzure", + }); + logger.info("Set AZURE_ENABLED=true and AZURE_SUBSCRIPTION_ID to enable Azure integration", { + component: "Server", + operation: "initializeAzure", + }); + } + logger.debug("=== End Azure Integration Setup ===", { + component: "Server", + operation: "initializeAzure", + }); + // Initialize all registered plugins logger.info("=== Initializing All Integration Plugins ===", { component: "Server", @@ -940,6 +1024,13 @@ async function startServer(): Promise { operation: "wireJournalService", }); } + if (azurePlugin) { + azurePlugin.setJournalService(journalService); + logger.info("JournalService wired to AzurePlugin", { + component: "Server", + operation: "wireJournalService", + }); + } // Make integration manager available globally for cross-service access (global as Record).integrationManager = integrationManager; @@ -1250,6 +1341,19 @@ async function startServer(): Promise { ); } + // Azure integration routes (conditional on plugin availability) + const azurePluginInstance = integrationManager.getExecutionTool("azure") as AzurePlugin | null; + if (azurePluginInstance) { + app.use( + "/api/integrations/azure", + authMiddleware, + rateLimitMiddleware, + createAzureRouter(azurePluginInstance, integrationManager, { + allowDestructiveActions: config.provisioning.allowDestructiveActions, + }), + ); + } + app.use( "/api/debug", authMiddleware, diff --git a/backend/src/services/IntegrationColorService.ts b/backend/src/services/IntegrationColorService.ts index d91db2ec..c3573043 100644 --- a/backend/src/services/IntegrationColorService.ts +++ b/backend/src/services/IntegrationColorService.ts @@ -19,6 +19,7 @@ export interface IntegrationColors { ssh: IntegrationColorConfig; proxmox: IntegrationColorConfig; aws: IntegrationColorConfig; + azure: IntegrationColorConfig; } /** @@ -53,6 +54,11 @@ export class IntegrationColorService { light: '#ECFEFF', dark: '#0891B2', }, + azure: { + primary: '#0078D4', // Azure blue + light: '#E8F4FD', + dark: '#005A9E', + }, // Remote execution tools — vivid greens bolt: { primary: '#22C55E', // Vivid green diff --git a/backend/src/services/journal/JournalCollectors.ts b/backend/src/services/journal/JournalCollectors.ts index 1e524d71..6947f66f 100644 --- a/backend/src/services/journal/JournalCollectors.ts +++ b/backend/src/services/journal/JournalCollectors.ts @@ -482,6 +482,140 @@ export async function collectAWSStateEntry( ]; } +// ============================================================================ +// Azure VM State Collector +// ============================================================================ + +/** + * Minimal interface for Azure service to avoid circular deps. + * Subset of AzureService — only the method we need for state collection. + */ +export interface AzureServiceLike { + getNodeFacts(nodeId: string): Promise<{ + facts: { + categories?: { + system: { + powerState: string; + vmName?: string; + resourceGroup?: string; + location?: string; + }; + }; + }; + }>; +} + +/** + * Map an Azure VM power state string to a JournalEventType. + */ +export function mapAzurePowerStateToEventType(state: string): JournalEventType { + const mapping: Record = { + "VM running": "start", + "VM stopped": "stop", + "VM deallocated": "stop", + "VM deallocating": "stop", + "VM starting": "start", + "VM deleting": "destroy", + }; + return mapping[state] ?? "unknown"; +} + +/** + * Collect Azure VM state change entry for a virtual machine. + * Calls getNodeFacts to get current state, compares against last recorded + * state in journal_entries. Returns 0 or 1 JournalEntry. The entry ID + * includes a timestamp and is therefore non-deterministic per run. + */ +export async function collectAzureVMStateEntry( + azureService: AzureServiceLike, + vmName: string, + resourceGroup: string, + db: DatabaseAdapter, + nodeId: string, +): Promise { + const logger = new LoggerService(); + + // 1. Get current state from Azure + let currentState: string; + try { + const factsResult = await azureService.getNodeFacts(nodeId); + const system = factsResult.facts.categories?.system; + if (!system?.powerState) { + logger.warn("Azure facts missing system powerState", { + component: "JournalCollectors", + integration: "azure", + operation: "collectAzureVMStateEntry", + }); + return []; + } + currentState = system.powerState; + } catch (error: unknown) { + const message = error instanceof Error ? error.message : String(error); + logger.warn(`Failed to fetch Azure facts for ${nodeId}: ${message}`, { + component: "JournalCollectors", + integration: "azure", + operation: "collectAzureVMStateEntry", + }); + return []; + } + + // 2. Query last recorded state from journal_entries + let previousState: string | undefined; + try { + const rows = await db.query<{ details: string }>( + `SELECT details FROM journal_entries + WHERE nodeId = ? AND source = 'azure' AND action LIKE 'Azure VM state change:%' + ORDER BY timestamp DESC + LIMIT 1`, + [nodeId], + ); + if (rows.length > 0) { + const details = typeof rows[0].details === "string" + ? (JSON.parse(rows[0].details) as Record) + : (rows[0].details as Record); + previousState = details.currentState as string | undefined; + } + } catch (error: unknown) { + const message = error instanceof Error ? error.message : String(error); + logger.warn(`Failed to query last Azure state for ${nodeId}: ${message}`, { + component: "JournalCollectors", + integration: "azure", + operation: "collectAzureVMStateEntry", + }); + // Treat as "no previous state known" — record the current state + } + + // 3. If state hasn't changed, return empty + if (previousState === currentState) { + return []; + } + + // 4. Create new journal entry for the state change + const eventType = mapAzurePowerStateToEventType(currentState); + const timestamp = new Date().toISOString(); + + return [ + { + id: `azure:state:${vmName}:${currentState}:${timestamp}`, + nodeId, + nodeUri: `azure:${resourceGroup}:${vmName}`, + eventType, + source: "azure", + action: `Azure VM state change: ${previousState ?? "unknown"} → ${currentState}`, + summary: `Azure VM ${vmName} ${currentState}`, + details: { + vmName, + resourceGroup, + previousState: previousState ?? "unknown", + currentState, + }, + userId: undefined, + timestamp, + isLive: true, + }, + ]; +} + // ============================================================================ // Global Collectors (cross-node) // ============================================================================ diff --git a/backend/src/services/journal/types.ts b/backend/src/services/journal/types.ts index 7072190e..23fa94ca 100644 --- a/backend/src/services/journal/types.ts +++ b/backend/src/services/journal/types.ts @@ -45,6 +45,7 @@ export type JournalEventType = z.infer; export const JournalSourceSchema = z.enum([ "proxmox", "aws", + "azure", "bolt", "ansible", "ssh", diff --git a/backend/test/integration/integration-colors.test.ts b/backend/test/integration/integration-colors.test.ts index c802c377..855dbbba 100644 --- a/backend/test/integration/integration-colors.test.ts +++ b/backend/test/integration/integration-colors.test.ts @@ -34,7 +34,7 @@ describe('Integration Colors API', () => { // Verify all five integrations are present const { colors, integrations } = response.body; - expect(integrations).toEqual(['proxmox', 'aws', 'bolt', 'ansible', 'ssh', 'puppetdb', 'puppetserver', 'hiera']); + expect(integrations).toEqual(['proxmox', 'aws', 'azure', 'bolt', 'ansible', 'ssh', 'puppetdb', 'puppetserver', 'hiera']); // Verify each integration has color configuration for (const integration of integrations) { diff --git a/backend/test/integrations/azure/AzurePlugin.executeAction.test.ts b/backend/test/integrations/azure/AzurePlugin.executeAction.test.ts new file mode 100644 index 00000000..6dfd7a4b --- /dev/null +++ b/backend/test/integrations/azure/AzurePlugin.executeAction.test.ts @@ -0,0 +1,414 @@ +/** + * Tests for AzurePlugin.executeAction — provisioning, lifecycle, journal, + * authentication errors, and initialization validation. + */ + +import { describe, it, expect, vi, beforeEach } from "vitest"; +import { AzurePlugin } from "../../../src/integrations/azure/AzurePlugin"; +import { AzureAuthenticationError } from "../../../src/integrations/azure/types"; +import type { Action } from "../../../src/integrations/types"; +import type { JournalService } from "../../../src/services/journal/JournalService"; + +// Shared mock methods accessible from tests +const mockProvisionVM = vi.fn().mockResolvedValue("/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Compute/virtualMachines/my-vm"); +const mockStartVM = vi.fn().mockResolvedValue(undefined); +const mockStopVM = vi.fn().mockResolvedValue(undefined); +const mockRestartVM = vi.fn().mockResolvedValue(undefined); +const mockDeallocateVM = vi.fn().mockResolvedValue(undefined); +const mockValidateCredentials = vi.fn().mockResolvedValue({ + subscriptionName: "Test Sub", + subscriptionId: "sub-1", + tenantId: "tenant-1", +}); + +// Mock the AzureService module — must return a proper class +vi.mock("../../../src/integrations/azure/AzureService", () => { + return { + AzureService: class MockAzureService { + provisionVM = mockProvisionVM; + startVM = mockStartVM; + stopVM = mockStopVM; + restartVM = mockRestartVM; + deallocateVM = mockDeallocateVM; + validateCredentials = mockValidateCredentials; + getInventory = vi.fn().mockResolvedValue([]); + getGroups = vi.fn().mockResolvedValue([]); + getNodeFacts = vi.fn().mockResolvedValue({}); + getLocations = vi.fn().mockResolvedValue([]); + getVMSizes = vi.fn().mockResolvedValue([]); + getImages = vi.fn().mockResolvedValue([]); + getResourceGroups = vi.fn().mockResolvedValue([]); + }, + }; +}); + +function createMockJournalService(): JournalService { + return { + recordEvent: vi.fn().mockResolvedValue("journal-id-1"), + } as unknown as JournalService; +} + +async function createInitializedPlugin(journalService?: JournalService) { + const plugin = new AzurePlugin(undefined, undefined, journalService); + await plugin.initialize({ + enabled: true, + name: "azure", + type: "both", + config: { + subscriptionId: "sub-1", + tenantId: "tenant-1", + clientId: "client-1", + clientSecret: "fake-client-secret-for-testing", // pragma: allowlist secret + }, + }); + return plugin; +} + +describe("AzurePlugin.executeAction", () => { + beforeEach(() => { + mockProvisionVM.mockReset().mockResolvedValue( + "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Compute/virtualMachines/my-vm", + ); + mockStartVM.mockReset().mockResolvedValue(undefined); + mockStopVM.mockReset().mockResolvedValue(undefined); + mockRestartVM.mockReset().mockResolvedValue(undefined); + mockDeallocateVM.mockReset().mockResolvedValue(undefined); + mockValidateCredentials.mockReset().mockResolvedValue({ + subscriptionName: "Test Sub", + subscriptionId: "sub-1", + tenantId: "tenant-1", + }); + }); + + // ─── Provisioning ─────────────────────────────────────────────────────── + + describe("provisioning", () => { + it("should provision a VM and return success result with type=task", async () => { + const plugin = await createInitializedPlugin(); + const action: Action = { + type: "task", + target: "new", + action: "provision", + parameters: { + resourceGroup: "rg-1", + vmName: "my-vm", + location: "eastus", + adminUsername: "azureuser", + networkInterfaceId: "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Network/networkInterfaces/nic-1", + }, + }; + + const result = await plugin.executeAction(action); + + expect(result.status).toBe("success"); + expect(result.type).toBe("task"); + expect(result.action).toBe("provision"); + expect(result.results[0].output?.stdout).toContain("my-vm"); + }); + + it("should also accept create_vm as provisioning action", async () => { + const plugin = await createInitializedPlugin(); + const action: Action = { + type: "task", + target: "new", + action: "create_vm", + parameters: { resourceGroup: "rg-1", vmName: "vm-2", location: "eastus" }, + }; + + const result = await plugin.executeAction(action); + + expect(result.status).toBe("success"); + expect(result.type).toBe("task"); + expect(result.action).toBe("create_vm"); + }); + + it("failed provision should return type=task (not command)", async () => { + mockProvisionVM.mockRejectedValueOnce(new Error("Quota exceeded")); + + const plugin = await createInitializedPlugin(); + const action: Action = { + type: "task", + target: "new", + action: "provision", + parameters: { resourceGroup: "rg-1", vmName: "vm-fail", location: "eastus" }, + }; + + const result = await plugin.executeAction(action); + + expect(result.status).toBe("failed"); + expect(result.type).toBe("task"); + }); + }); + + // ─── Lifecycle ────────────────────────────────────────────────────────── + + describe("lifecycle actions", () => { + const lifecycleActions = ["start", "stop", "restart", "deallocate"] as const; + + for (const actionName of lifecycleActions) { + it(`should execute ${actionName} and return success`, async () => { + const plugin = await createInitializedPlugin(); + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: actionName, + }; + + const result = await plugin.executeAction(action); + + expect(result.status).toBe("success"); + expect(result.type).toBe("command"); + expect(result.action).toBe(actionName); + expect(result.targetNodes).toContain("azure:sub-1:rg-1:my-vm"); + }); + } + + it("failed lifecycle should return type=command (not task)", async () => { + mockStopVM.mockRejectedValueOnce(new Error("VM not found")); + + const plugin = await createInitializedPlugin(); + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "stop", + parameters: { resourceGroup: "rg-1", vmName: "my-vm" }, + }; + + const result = await plugin.executeAction(action); + + expect(result.status).toBe("failed"); + expect(result.type).toBe("command"); + }); + }); + + // ─── Unsupported action ───────────────────────────────────────────────── + + describe("unsupported action", () => { + it("should return failed result for unsupported action", async () => { + const plugin = await createInitializedPlugin(); + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "hibernate", + }; + + const result = await plugin.executeAction(action); + + expect(result.status).toBe("failed"); + expect(result.error).toContain("Unsupported Azure action"); + }); + }); + + // ─── Journal Recording ────────────────────────────────────────────────── + + describe("journal recording", () => { + it("should record journal with canonical nodeId (azure: prefix)", async () => { + const journal = createMockJournalService(); + const plugin = await createInitializedPlugin(journal); + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "start", + }; + + await plugin.executeAction(action); + + expect(journal.recordEvent).toHaveBeenCalledTimes(1); + const entry = (journal.recordEvent as ReturnType).mock.calls[0][0]; + expect(entry.nodeId).toBe("azure:sub-1:rg-1:my-vm"); + expect(entry.nodeUri).toBe("azure:sub-1:rg-1:my-vm"); + // Should NOT double-prefix the URI + expect(entry.nodeUri).not.toMatch(/^azure:azure:/); + }); + + it("should not double-prefix nodeId when target already starts with azure:", async () => { + const journal = createMockJournalService(); + const plugin = await createInitializedPlugin(journal); + const action: Action = { + type: "command", + target: "azure:rg-1:my-vm", + action: "stop", + }; + + await plugin.executeAction(action); + + const entry = (journal.recordEvent as ReturnType).mock.calls[0][0]; + expect(entry.nodeId).not.toMatch(/^azure:azure:/); + expect(entry.nodeUri).not.toMatch(/^azure:azure:/); + }); + + it("should record provision journal with source=azure and eventType=provision", async () => { + const journal = createMockJournalService(); + const plugin = await createInitializedPlugin(journal); + const action: Action = { + type: "task", + target: "new", + action: "provision", + parameters: { resourceGroup: "rg-1", vmName: "vm-new", location: "eastus" }, + }; + + await plugin.executeAction(action); + + const entry = (journal.recordEvent as ReturnType).mock.calls[0][0]; + expect(entry.source).toBe("azure"); + expect(entry.eventType).toBe("provision"); + expect(entry.summary).toContain("succeeded"); + }); + + it("should record failed journal entry on action failure", async () => { + mockStartVM.mockRejectedValueOnce(new Error("VM not found")); + + const journal = createMockJournalService(); + const plugin = await createInitializedPlugin(journal); + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "start", + parameters: { resourceGroup: "rg-1", vmName: "my-vm" }, + }; + + await plugin.executeAction(action); + + const entry = (journal.recordEvent as ReturnType).mock.calls[0][0]; + expect(entry.summary).toContain("failed"); + }); + + it("should not fail if journalService is not set", async () => { + const plugin = await createInitializedPlugin(); // no journal + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "stop", + parameters: { resourceGroup: "rg-1", vmName: "my-vm" }, + }; + + const result = await plugin.executeAction(action); + expect(result.status).toBe("success"); + }); + + it("should allow setting journal service after construction", async () => { + const plugin = await createInitializedPlugin(); + const journal = createMockJournalService(); + plugin.setJournalService(journal); + + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "restart", + parameters: { resourceGroup: "rg-1", vmName: "my-vm" }, + }; + + await plugin.executeAction(action); + + expect(journal.recordEvent).toHaveBeenCalledTimes(1); + }); + }); + + // ─── Authentication Errors ────────────────────────────────────────────── + + describe("authentication errors", () => { + it("should throw AzureAuthenticationError when service throws it during lifecycle", async () => { + mockStartVM.mockRejectedValueOnce(new AzureAuthenticationError("Expired credentials")); + + const journal = createMockJournalService(); + const plugin = await createInitializedPlugin(journal); + + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "start", + parameters: { resourceGroup: "rg-1", vmName: "my-vm" }, + }; + + await expect(plugin.executeAction(action)).rejects.toThrow(AzureAuthenticationError); + // Journal should still be recorded for the auth failure + expect(journal.recordEvent).toHaveBeenCalledTimes(1); + }); + }); + + // ─── Config Validation ────────────────────────────────────────────────── + + describe("validateAzureConfig — partial credentials", () => { + it("should throw on partial credentials (tenantId only)", async () => { + const plugin = new AzurePlugin(); + await expect( + plugin.initialize({ + enabled: true, + name: "azure", + type: "both", + config: { subscriptionId: "sub-1", tenantId: "tenant-1" }, + }), + ).rejects.toThrow(/Incomplete Azure client credential/); + }); + + it("should throw on partial credentials (tenantId + clientId, no secret)", async () => { + const plugin = new AzurePlugin(); + await expect( + plugin.initialize({ + enabled: true, + name: "azure", + type: "both", + config: { subscriptionId: "sub-1", tenantId: "tenant-1", clientId: "client-1" }, + }), + ).rejects.toThrow(/Incomplete Azure client credential/); + }); + + it("should succeed with all three explicit credentials", async () => { + const plugin = new AzurePlugin(); + await expect( + plugin.initialize({ + enabled: true, + name: "azure", + type: "both", + config: { + subscriptionId: "sub-1", + tenantId: "tenant-1", + clientId: "client-1", + clientSecret: "fake-client-secret-for-testing", // pragma: allowlist secret + }, + }), + ).resolves.not.toThrow(); + }); + + it("should succeed with no explicit credentials (default credential chain)", async () => { + const plugin = new AzurePlugin(); + await expect( + plugin.initialize({ + enabled: true, + name: "azure", + type: "both", + config: { subscriptionId: "sub-1" }, + }), + ).resolves.not.toThrow(); + }); + + it("should throw if subscriptionId is missing", async () => { + const plugin = new AzurePlugin(); + await expect( + plugin.initialize({ + enabled: true, + name: "azure", + type: "both", + config: {}, + }), + ).rejects.toThrow("AZURE_SUBSCRIPTION_ID is required"); + }); + }); + + // ─── Not Initialized ──────────────────────────────────────────────────── + + describe("not initialized", () => { + it("should throw if plugin is not initialized", async () => { + const plugin = new AzurePlugin(); + const action: Action = { + type: "command", + target: "azure:sub-1:rg-1:my-vm", + action: "start", + }; + + await expect(plugin.executeAction(action)).rejects.toThrow( + "Azure integration is not initialized", + ); + }); + }); +}); diff --git a/backend/test/performance/rbac-performance.test.ts b/backend/test/performance/rbac-performance.test.ts index 6a386a29..61c90c33 100644 --- a/backend/test/performance/rbac-performance.test.ts +++ b/backend/test/performance/rbac-performance.test.ts @@ -388,7 +388,7 @@ describe('RBAC Performance Tests', () => { console.log(` - Throughput: ${(operationCount / (duration / 1000)).toFixed(2)} ops/sec`); expect(avgPerOp).toBeLessThan(PERFORMANCE_THRESHOLDS.AUTHENTICATION); - }); + }, 30000); }); describe('Cache Hit Rate Tracking', () => { @@ -461,8 +461,10 @@ describe('RBAC Performance Tests', () => { console.log(` - P95: ${cachedStats.p95}ms`); console.log(` Performance improvement: ${(uncachedStats.avg / cachedStats.avg).toFixed(2)}x`); - // Cached should be significantly faster - expect(cachedStats.avg).toBeLessThan(uncachedStats.avg / 2); + // Cached should be significantly faster (or both near-zero which is fine) + if (uncachedStats.avg > 0) { + expect(cachedStats.avg).toBeLessThan(uncachedStats.avg / 2); + } }); }); diff --git a/backend/test/routes/azure.test.ts b/backend/test/routes/azure.test.ts new file mode 100644 index 00000000..c2056c5a --- /dev/null +++ b/backend/test/routes/azure.test.ts @@ -0,0 +1,394 @@ +/** + * Tests for Azure Router + * + * Validates: auth/validation/403 guard behavior, inventory, provision, + * lifecycle, locations, vm-sizes, images, resource-groups endpoints. + */ + +import express, { type Express } from "express"; +import request from "supertest"; +import { describe, it, expect, beforeEach, vi } from "vitest"; +import { createAzureRouter } from "../../src/routes/integrations/azure"; +import { AzureAuthenticationError } from "../../src/integrations/azure/types"; +import type { AzurePlugin } from "../../src/integrations/azure/AzurePlugin"; + +/** + * Create a mock AzurePlugin with vi.fn() stubs for all methods used by the router. + */ +function createMockAzurePlugin(): AzurePlugin { + return { + getInventory: vi.fn().mockResolvedValue([]), + executeAction: vi.fn().mockResolvedValue({ + id: "azure-test-1", + type: "task", + targetNodes: ["new"], + action: "provision", + status: "success", + startedAt: new Date().toISOString(), + completedAt: new Date().toISOString(), + results: [], + }), + healthCheck: vi.fn().mockResolvedValue({ healthy: true, message: "OK" }), + getLocations: vi.fn().mockResolvedValue([ + { name: "eastus", displayName: "East US" }, + { name: "westeurope", displayName: "West Europe" }, + ]), + getVMSizes: vi.fn().mockResolvedValue([ + { name: "Standard_B1s", vCpus: 1, memoryMB: 1024, osDiskSizeGB: 30 }, + ]), + getImages: vi.fn().mockResolvedValue([ + { publisher: "Canonical", offer: "UbuntuServer", sku: "18.04-LTS", version: "18.04.202101290" }, + ]), + getResourceGroups: vi.fn().mockResolvedValue([ + { name: "my-rg", location: "eastus", tags: {} }, + ]), + } as unknown as AzurePlugin; +} + +describe("Azure Router", () => { + let app: Express; + let mockPlugin: AzurePlugin; + + beforeEach(() => { + mockPlugin = createMockAzurePlugin(); + app = express(); + app.use(express.json()); + app.use("/api/integrations/azure", createAzureRouter(mockPlugin, undefined, { allowDestructiveActions: true })); + }); + + // ─── Inventory ─────────────────────────────────────────────────────────── + + describe("GET /api/integrations/azure/inventory", () => { + it("should return inventory from the plugin", async () => { + const mockNodes = [ + { id: "azure:sub-1:rg-1:vm-1", name: "vm-1", uri: "azure:sub-1:rg-1:vm-1" }, + ]; + (mockPlugin.getInventory as ReturnType).mockResolvedValue(mockNodes); + + const response = await request(app).get("/api/integrations/azure/inventory"); + + expect(response.status).toBe(200); + expect(response.body).toHaveProperty("inventory"); + expect(response.body.inventory).toEqual(mockNodes); + }); + + it("should return 401 when Azure auth fails", async () => { + (mockPlugin.getInventory as ReturnType).mockRejectedValue( + new AzureAuthenticationError("Invalid credentials"), + ); + + const response = await request(app).get("/api/integrations/azure/inventory"); + + expect(response.status).toBe(401); + expect(response.body.error.code).toBe("UNAUTHORIZED"); + }); + + it("should return 500 on generic error", async () => { + (mockPlugin.getInventory as ReturnType).mockRejectedValue( + new Error("Something went wrong"), + ); + + const response = await request(app).get("/api/integrations/azure/inventory"); + + expect(response.status).toBe(500); + expect(response.body.error.code).toBe("INTERNAL_SERVER_ERROR"); + }); + }); + + // ─── Provision ──────────────────────────────────────────────────────────── + + describe("POST /api/integrations/azure/provision", () => { + const validProvisionBody = { + resourceGroup: "my-rg", + vmName: "my-vm", + location: "eastus", + imageReference: { publisher: "Canonical", offer: "UbuntuServer", sku: "18.04-LTS" }, + adminUsername: "azureuser", + networkInterfaceId: "/subscriptions/sub-1/resourceGroups/my-rg/providers/Microsoft.Network/networkInterfaces/nic-1", + }; + + it("should provision a VM with valid params and return 201", async () => { + const response = await request(app) + .post("/api/integrations/azure/provision") + .send(validProvisionBody); + + expect(response.status).toBe(201); + expect(response.body).toHaveProperty("result"); + expect(response.body.result.status).toBe("success"); + }); + + it("should return 400 when resourceGroup is missing", async () => { + const { resourceGroup: _rg, ...body } = validProvisionBody; + const response = await request(app) + .post("/api/integrations/azure/provision") + .send(body); + + expect(response.status).toBe(400); + expect(response.body.error.code).toBe("VALIDATION_ERROR"); + }); + + it("should return 400 when networkInterfaceId is missing", async () => { + const { networkInterfaceId: _nic, ...body } = validProvisionBody; + const response = await request(app) + .post("/api/integrations/azure/provision") + .send(body); + + expect(response.status).toBe(400); + expect(response.body.error.code).toBe("VALIDATION_ERROR"); + }); + + it("should return 400 when adminUsername is missing", async () => { + const { adminUsername: _u, ...body } = validProvisionBody; + const response = await request(app) + .post("/api/integrations/azure/provision") + .send(body); + + expect(response.status).toBe(400); + expect(response.body.error.code).toBe("VALIDATION_ERROR"); + }); + + it("should return 401 on Azure auth error", async () => { + (mockPlugin.executeAction as ReturnType).mockRejectedValue( + new AzureAuthenticationError("Expired token"), + ); + + const response = await request(app) + .post("/api/integrations/azure/provision") + .send(validProvisionBody); + + expect(response.status).toBe(401); + expect(response.body.error.code).toBe("UNAUTHORIZED"); + }); + + it("should return 500 on generic error", async () => { + (mockPlugin.executeAction as ReturnType).mockRejectedValue( + new Error("Azure SDK error"), + ); + + const response = await request(app) + .post("/api/integrations/azure/provision") + .send(validProvisionBody); + + expect(response.status).toBe(500); + expect(response.body.error.code).toBe("INTERNAL_SERVER_ERROR"); + }); + }); + + // ─── Lifecycle ──────────────────────────────────────────────────────────── + + describe("POST /api/integrations/azure/lifecycle", () => { + it("should execute a lifecycle action (start)", async () => { + (mockPlugin.executeAction as ReturnType).mockResolvedValue({ + id: "azure-start-1", + type: "command", + targetNodes: ["azure:rg-1:my-vm"], + action: "start", + status: "success", + startedAt: new Date().toISOString(), + completedAt: new Date().toISOString(), + results: [], + }); + + const response = await request(app) + .post("/api/integrations/azure/lifecycle") + .send({ vmName: "my-vm", resourceGroup: "rg-1", action: "start" }); + + expect(response.status).toBe(200); + expect(response.body).toHaveProperty("result"); + expect(response.body.result.action).toBe("start"); + }); + + it("should return 400 for invalid action", async () => { + const response = await request(app) + .post("/api/integrations/azure/lifecycle") + .send({ vmName: "my-vm", resourceGroup: "rg-1", action: "destroy" }); + + expect(response.status).toBe(400); + expect(response.body.error.code).toBe("VALIDATION_ERROR"); + }); + + it("should return 400 when vmName is missing", async () => { + const response = await request(app) + .post("/api/integrations/azure/lifecycle") + .send({ resourceGroup: "rg-1", action: "stop" }); + + expect(response.status).toBe(400); + expect(response.body.error.code).toBe("VALIDATION_ERROR"); + }); + + it("should reject deallocate when destructive actions are disabled", async () => { + const restrictedApp = express(); + restrictedApp.use(express.json()); + restrictedApp.use( + "/api/integrations/azure", + createAzureRouter(mockPlugin, undefined, { allowDestructiveActions: false }), + ); + + const response = await request(restrictedApp) + .post("/api/integrations/azure/lifecycle") + .send({ vmName: "my-vm", resourceGroup: "rg-1", action: "deallocate" }); + + expect(response.status).toBe(403); + expect(response.body.error.code).toBe("DESTRUCTIVE_ACTION_DISABLED"); + }); + + it("should use canonical target format azure:{rg}:{vmName}", async () => { + await request(app) + .post("/api/integrations/azure/lifecycle") + .send({ vmName: "my-vm", resourceGroup: "rg-1", action: "restart" }); + + expect(mockPlugin.executeAction).toHaveBeenCalledWith( + expect.objectContaining({ + target: "azure:rg-1:my-vm", + action: "restart", + }), + ); + }); + + it("should return 401 on Azure auth error", async () => { + (mockPlugin.executeAction as ReturnType).mockRejectedValue( + new AzureAuthenticationError("Auth failed"), + ); + + const response = await request(app) + .post("/api/integrations/azure/lifecycle") + .send({ vmName: "my-vm", resourceGroup: "rg-1", action: "stop" }); + + expect(response.status).toBe(401); + }); + }); + + // ─── Test Connection ───────────────────────────────────────────────────── + + describe("POST /api/integrations/azure/test", () => { + it("should return success when health check passes", async () => { + const response = await request(app).post("/api/integrations/azure/test"); + + expect(response.status).toBe(200); + expect(response.body.success).toBe(true); + }); + + it("should return failure when health check fails", async () => { + (mockPlugin.healthCheck as ReturnType).mockResolvedValue({ + healthy: false, + message: "Auth failed", + }); + + const response = await request(app).post("/api/integrations/azure/test"); + + expect(response.status).toBe(200); + expect(response.body.success).toBe(false); + }); + }); + + // ─── Locations ─────────────────────────────────────────────────────────── + + describe("GET /api/integrations/azure/locations", () => { + it("should return available locations", async () => { + const response = await request(app).get("/api/integrations/azure/locations"); + + expect(response.status).toBe(200); + expect(response.body).toHaveProperty("locations"); + expect(response.body.locations).toHaveLength(2); + }); + + it("should return 401 on auth error", async () => { + (mockPlugin.getLocations as ReturnType).mockRejectedValue( + new AzureAuthenticationError("Auth failed"), + ); + + const response = await request(app).get("/api/integrations/azure/locations"); + + expect(response.status).toBe(401); + }); + }); + + // ─── VM Sizes ───────────────────────────────────────────────────────────── + + describe("GET /api/integrations/azure/vm-sizes", () => { + it("should return VM sizes for a location", async () => { + const response = await request(app) + .get("/api/integrations/azure/vm-sizes") + .query({ location: "eastus" }); + + expect(response.status).toBe(200); + expect(response.body).toHaveProperty("vmSizes"); + expect(mockPlugin.getVMSizes).toHaveBeenCalledWith("eastus"); + }); + + it("should return 400 when location is missing", async () => { + const response = await request(app).get("/api/integrations/azure/vm-sizes"); + + expect(response.status).toBe(400); + expect(response.body.error.code).toBe("VALIDATION_ERROR"); + }); + }); + + // ─── Images ────────────────────────────────────────────────────────────── + + describe("GET /api/integrations/azure/images", () => { + it("should return images and pass all query params including location", async () => { + const response = await request(app) + .get("/api/integrations/azure/images") + .query({ location: "westeurope", publisher: "Canonical", offer: "UbuntuServer", sku: "18.04-LTS" }); + + expect(response.status).toBe(200); + expect(response.body).toHaveProperty("images"); + expect(mockPlugin.getImages).toHaveBeenCalledWith("westeurope", "Canonical", "UbuntuServer", "18.04-LTS"); + }); + + it("should work without location (falls back to plugin default)", async () => { + const response = await request(app) + .get("/api/integrations/azure/images") + .query({ publisher: "Canonical", offer: "UbuntuServer", sku: "18.04-LTS" }); + + expect(response.status).toBe(200); + expect(mockPlugin.getImages).toHaveBeenCalledWith(undefined, "Canonical", "UbuntuServer", "18.04-LTS"); + }); + + it("should return 401 on auth error", async () => { + (mockPlugin.getImages as ReturnType).mockRejectedValue( + new AzureAuthenticationError("Auth failed"), + ); + + const response = await request(app) + .get("/api/integrations/azure/images") + .query({ publisher: "Canonical", offer: "UbuntuServer", sku: "18.04-LTS" }); + + expect(response.status).toBe(401); + }); + }); + + // ─── Resource Groups ───────────────────────────────────────────────────── + + describe("GET /api/integrations/azure/resource-groups", () => { + it("should return resource groups", async () => { + const response = await request(app).get("/api/integrations/azure/resource-groups"); + + expect(response.status).toBe(200); + expect(response.body).toHaveProperty("resourceGroups"); + expect(response.body.resourceGroups).toHaveLength(1); + }); + + it("should return 401 on auth error", async () => { + (mockPlugin.getResourceGroups as ReturnType).mockRejectedValue( + new AzureAuthenticationError("Auth failed"), + ); + + const response = await request(app).get("/api/integrations/azure/resource-groups"); + + expect(response.status).toBe(401); + }); + + it("should return 500 on generic error", async () => { + (mockPlugin.getResourceGroups as ReturnType).mockRejectedValue( + new Error("Azure SDK error"), + ); + + const response = await request(app).get("/api/integrations/azure/resource-groups"); + + expect(response.status).toBe(500); + expect(response.body.error.code).toBe("INTERNAL_SERVER_ERROR"); + }); + }); +}); diff --git a/backend/test/services/IntegrationColorService.test.ts b/backend/test/services/IntegrationColorService.test.ts index fdd45f5c..8fe43efe 100644 --- a/backend/test/services/IntegrationColorService.test.ts +++ b/backend/test/services/IntegrationColorService.test.ts @@ -93,7 +93,7 @@ describe('IntegrationColorService', () => { describe('getValidIntegrations', () => { it('should return array of valid integration names', () => { const integrations = service.getValidIntegrations(); - expect(integrations).toEqual(['proxmox', 'aws', 'bolt', 'ansible', 'ssh', 'puppetdb', 'puppetserver', 'hiera']); + expect(integrations).toEqual(['proxmox', 'aws', 'azure', 'bolt', 'ansible', 'ssh', 'puppetdb', 'puppetserver', 'hiera']); }); }); diff --git a/docs/integrations/azure.md b/docs/integrations/azure.md new file mode 100644 index 00000000..5efde425 --- /dev/null +++ b/docs/integrations/azure.md @@ -0,0 +1,94 @@ +# Azure Integration + +Pabawi connects to Azure to discover Virtual Machines across resource groups, manage their lifecycle, and provision new instances. + +## Prerequisites + +- Azure subscription with VM access +- Service Principal credentials, Managed Identity, or Azure CLI login +- `Microsoft.Subscription/subscriptions/read` permission for health checks + +## Configuration + +```bash +AZURE_ENABLED=true +AZURE_SUBSCRIPTION_ID=12345678-abcd-efgh-ijkl-123456789012 + +# Credentials (omit to use DefaultAzureCredential: managed identity, CLI, env vars) +AZURE_TENANT_ID=12345678-abcd-efgh-ijkl-123456789012 +AZURE_CLIENT_ID=12345678-abcd-efgh-ijkl-123456789012 +AZURE_CLIENT_SECRET=your-client-secret-value + +# Optional — scope inventory to specific resource groups (comma-separated) +AZURE_RESOURCE_GROUPS=my-rg-1,my-rg-2 +``` + +See [configuration.md](../configuration.md) for all Azure env vars. + +## Authentication + +**Service Principal (recommended for production):** Create an Azure AD app registration with a client secret and assign the required RBAC role. + +**Managed Identity (Azure-hosted Pabawi):** No credentials needed — `DefaultAzureCredential` picks them up automatically from the VM or App Service. + +**Azure CLI (development):** Run `az login` before starting Pabawi. The SDK uses the cached CLI token. + +All three methods are supported through `DefaultAzureCredential`. When `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET` are all set, `ClientSecretCredential` is used directly instead. + +### Required Azure RBAC Permissions + +Assign the built-in **Virtual Machine Contributor** role to the Service Principal or Managed Identity, scoped to the subscription or target resource groups. + +Alternatively, create a custom role with these minimum permissions: + +```json +{ + "Name": "Pabawi Azure Integration", + "Actions": [ + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/write", + "Microsoft.Compute/virtualMachines/delete", + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.Compute/virtualMachines/powerOff/action", + "Microsoft.Compute/virtualMachines/restart/action", + "Microsoft.Compute/virtualMachines/deallocate/action", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Compute/virtualMachines/vmSizes/read", + "Microsoft.Compute/locations/vmSizes/read", + "Microsoft.Compute/images/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/locations/read", + "Microsoft.Subscription/subscriptions/read" + ], + "AssignableScopes": [ + "/subscriptions/{subscription-id}" + ] +} +``` + +Remove `Microsoft.Compute/virtualMachines/deallocate/action` if you want to enforce `ALLOW_DESTRUCTIVE_PROVISIONING=false` at the Azure RBAC level as well. + +## What It Provides + +| Feature | Details | +|---|---| +| **Inventory** | VMs across all configured resource groups (or entire subscription) | +| **Grouping** | By location, by resource group, by tag (Environment, Project, Team, Application) | +| **Facts** | VM size, OS, power state, IPs, tags, disks, provisioning state | +| **Lifecycle** | Start, stop, restart | +| **Provisioning** | Create new VMs with image, size, networking, and auth configuration | +| **Deallocate** | Release compute resources — blocked unless `ALLOW_DESTRUCTIVE_PROVISIONING=true` | +| **Resource Discovery** | Browse locations, VM sizes, marketplace images, and resource groups | + +## Troubleshooting + +| Problem | Fix | +|---|---| +| "Azure authentication failed" | Check `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, or verify managed identity is assigned. Run `az login` for CLI auth. | +| "AZURE_SUBSCRIPTION_ID is required" | Set `AZURE_SUBSCRIPTION_ID` in `backend/.env`. This is mandatory when `AZURE_ENABLED=true`. | +| "AuthorizationFailed" | The Service Principal or Managed Identity is missing required RBAC permissions. Assign Virtual Machine Contributor or the custom role above. | +| No VMs in inventory | Check `AZURE_RESOURCE_GROUPS`. If not set, all resource groups are queried. Verify VMs exist in the subscription. | +| "Deallocate blocked (403 DESTRUCTIVE_ACTION_DISABLED)" | Set `ALLOW_DESTRUCTIVE_PROVISIONING=true` in `backend/.env`. | +| Resource group discovery returns empty | Verify the identity has `Microsoft.Resources/subscriptions/resourceGroups/read` permission on the subscription scope. | diff --git a/frontend/src/components/AzureSetupGuide.svelte b/frontend/src/components/AzureSetupGuide.svelte new file mode 100644 index 00000000..d0d370a0 --- /dev/null +++ b/frontend/src/components/AzureSetupGuide.svelte @@ -0,0 +1,383 @@ + + +
+
+

Azure Integration Setup

+

+ Generate a .env snippet to configure Pabawi for Azure VM provisioning and management. +

+
+ +
+
+

Prerequisites

+
    +
  • + + An active Azure subscription +
    • +
  • + + A Service Principal with Virtual Machine Contributor role (or equivalent RBAC permissions) +
    • +
  • + + Service Principal credentials: Tenant ID, Client ID, and Client Secret +
    • +
  • + + Network connectivity to Azure Resource Manager API endpoints +
    • +
+
+
+ +
+
+

Step 1: Configure Credentials

+ +
+
+ + +

Your Azure subscription ID (required)

+
+ +
+ + +

Azure Active Directory tenant ID

+
+ +
+ + +

Service Principal application (client) ID

+
+ +
+ + +

Service Principal client secret value

+
+ +
+ + +

Comma-separated list of resource groups to scope inventory (leave empty for all)

+
+
+
+
+ +
+
+

Step 2: Copy Environment Variables

+

+ Copy the generated snippet below and paste it into your backend/.env file, then restart the application. +

+ +
+
+ .env Configuration + +
+ 
{maskedSnippet}
+
+ + {#if isFormValid} +
+

+ Next: Paste into backend/.env and restart the application. Then check the Integration Status dashboard to verify the connection. +

+
+ {:else} +
+

+ Fill in the Subscription ID above to generate a complete snippet. +

+
+ {/if} +
+
+ +
+
+

Step 3: Create a Service Principal (Recommended)

+

+ Create a dedicated Service Principal with least-privilege permissions for Pabawi: +

+
    +
  1. Open the Azure Portal and navigate to Azure Active Directory
    2. +
  2. Go to App registrations and create a new registration (e.g., pabawi-azure)
    3. +
  3. Note the Application (client) ID and Directory (tenant) ID
    4. +
  4. Create a client secret under Certificates & secrets
    5. +
  5. Assign the Virtual Machine Contributor role at the subscription or resource group level
    6. +
+
+

+ Tip: For production, use a custom role with only the specific VM actions Pabawi needs, rather than the full Virtual Machine Contributor role. +

+
+
+
+ +
+
+

Step 4: Validate with Azure CLI

+

Test your credentials using the Azure CLI before configuring Pabawi:

+ +
+
+ Azure CLI Test Commands + +
+ 
{cliTest}
+
+
+
+ +
+
+

Step 5: Restart and Verify

+

After pasting the snippet into backend/.env, restart the backend:

+
+
cd backend
+
npm run dev
+
+
    +
  1. Open the Integration Status dashboard in Pabawi
    2. +
  2. Confirm Azure status is connected
    3. +
  3. Use the Test Connection button on the dashboard to verify
    4. +
  4. Navigate to Provision page to launch Azure VMs
    5. +
+
+
+ +
+
+

Features Available

+
+
+ ☁️ +

VM Provisioning

+

Create and configure Azure VMs

+
+
+ +

Lifecycle Management

+

Start, stop, restart, and deallocate

+
+
+ 📋 +

Inventory Discovery

+

View VMs across resource groups

+
+
+
+
+ +
+
+

Troubleshooting

+ +
+
+ + Authentication Failed + +
+

Error: "Azure authentication failed" or "AuthenticationFailed"

+
    +
  • Verify Tenant ID, Client ID, and Client Secret are correct
    • +
  • Check that the Service Principal is not disabled or deleted
    • +
  • Ensure the client secret has not expired
    • +
  • Confirm the Tenant ID matches the directory where the app is registered
    • +
+
+
+ +
+ + Permission Denied + +
+

Error: "AuthorizationFailed" or "The client does not have authorization"

+
    +
  • Verify the Service Principal has the Virtual Machine Contributor role
    • +
  • Check that the role assignment is scoped to the correct subscription or resource group
    • +
  • Ensure there are no deny assignments blocking access
    • +
  • Review Azure Activity Log for detailed authorization errors
    • +
+
+
+ +
+ + Connection Timeout + +
+

Error: "Connection timeout" or "ECONNREFUSED"

+
    +
  • Check network connectivity to Azure Resource Manager endpoints
    • +
  • Verify proxy settings if behind a corporate firewall
    • +
  • Ensure DNS resolution works for management.azure.com
    • +
  • Check if Azure services are experiencing an outage
    • +
+
+
+
+
+
+ +
+

+ For detailed documentation, see the Azure Integration guide in the documentation. +

+
+
diff --git a/frontend/src/components/AzureSetupGuide.test.ts b/frontend/src/components/AzureSetupGuide.test.ts new file mode 100644 index 00000000..ae318344 --- /dev/null +++ b/frontend/src/components/AzureSetupGuide.test.ts @@ -0,0 +1,206 @@ +/** + * Tests for AzureSetupGuide (Env Snippet Wizard) + * + * Validates: snippet contains required vars, secrets are masked in preview, + * required fields gate the copy button, no save API calls are made. + */ + +import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'; +import { render, screen, cleanup, fireEvent } from '@testing-library/svelte'; +import '@testing-library/jest-dom/vitest'; +import fc from 'fast-check'; +import AzureSetupGuide from './AzureSetupGuide.svelte'; + +// Mock the toast module +vi.mock('../lib/toast.svelte', () => ({ + showSuccess: vi.fn(), + showError: vi.fn(), + showWarning: vi.fn(), + showInfo: vi.fn(), +})); + +/** Stable clipboard mock — reused across all tests */ +const clipboardWriteText = vi.fn<(text: string) => Promise>().mockResolvedValue(undefined); + +/** + * Helper to set an input value and trigger Svelte's bind:value reactivity. + */ +async function setInputValue(el: HTMLInputElement, value: string): Promise { + el.value = value; + await fireEvent.input(el); +} + +/** + * Arbitrary for Azure config values. + */ +function azureConfigArbitrary(): fc.Arbitrary<{ + subscriptionId: string; + tenantId: string; + clientId: string; + clientSecret: string; +}> { + const uuidArb = fc.uuid(); + return fc.record({ + subscriptionId: uuidArb, + tenantId: uuidArb, + clientId: uuidArb, + clientSecret: fc.stringMatching(/^[A-Za-z0-9~._-]{8,32}$/), + }); +} + +describe('AzureSetupGuide', () => { + beforeEach(() => { + vi.clearAllMocks(); + Object.assign(navigator, { + clipboard: { writeText: clipboardWriteText }, + }); + }); + + afterEach(() => { + cleanup(); + }); + + // ─── Property-Based Tests ─────────────────────────────────────────── + + describe('Property-Based Tests', () => { + it('generated snippet contains all required Azure env vars', async () => { + await fc.assert( + fc.asyncProperty( + azureConfigArbitrary(), + async (config) => { + cleanup(); + clipboardWriteText.mockClear(); + + const { container } = render(AzureSetupGuide); + + const subscriptionInput = container.querySelector('#azure-subscription-id') as HTMLInputElement; + const tenantInput = container.querySelector('#azure-tenant-id') as HTMLInputElement; + const clientIdInput = container.querySelector('#azure-client-id') as HTMLInputElement; + const clientSecretInput = container.querySelector('#azure-client-secret') as HTMLInputElement; + + await setInputValue(subscriptionInput, config.subscriptionId); + await setInputValue(tenantInput, config.tenantId); + await setInputValue(clientIdInput, config.clientId); + await setInputValue(clientSecretInput, config.clientSecret); + + const copyButton = screen.getByText(/copy to clipboard/i); + await fireEvent.click(copyButton); + + expect(clipboardWriteText).toHaveBeenCalledTimes(1); + const snippet = clipboardWriteText.mock.calls[0][0]; + + expect(snippet).toContain('AZURE_ENABLED=true'); + expect(snippet).toContain(`AZURE_SUBSCRIPTION_ID=${config.subscriptionId}`); + expect(snippet).toContain(`AZURE_TENANT_ID=${config.tenantId}`); + expect(snippet).toContain(`AZURE_CLIENT_ID=${config.clientId}`); + expect(snippet).toContain(`AZURE_CLIENT_SECRET=${config.clientSecret}`); + } + ), + { numRuns: 20, timeout: 60000 } + ); + }, 120000); + + it('secret values are masked in the preview but not in clipboard content', async () => { + await fc.assert( + fc.asyncProperty( + azureConfigArbitrary(), + async (config) => { + cleanup(); + clipboardWriteText.mockClear(); + + const { container } = render(AzureSetupGuide); + + const subscriptionInput = container.querySelector('#azure-subscription-id') as HTMLInputElement; + const clientSecretInput = container.querySelector('#azure-client-secret') as HTMLInputElement; + + await setInputValue(subscriptionInput, config.subscriptionId); + await setInputValue(clientSecretInput, config.clientSecret); + + // The visible preview (pre element) should mask the secret + const pre = container.querySelector('pre'); + expect(pre).not.toBeNull(); + if (pre && config.clientSecret.length > 0) { + expect(pre.textContent).not.toContain(`AZURE_CLIENT_SECRET=${config.clientSecret}`); + // It should show asterisks instead + expect(pre.textContent).toMatch(/AZURE_CLIENT_SECRET=\*+/); + } + + // The actual clipboard content should contain the real secret + const copyButton = screen.getByText(/copy to clipboard/i); + await fireEvent.click(copyButton); + expect(clipboardWriteText).toHaveBeenCalledTimes(1); + const snippet = clipboardWriteText.mock.calls[0][0]; + expect(snippet).toContain(`AZURE_CLIENT_SECRET=${config.clientSecret}`); + } + ), + { numRuns: 15, timeout: 60000 } + ); + }, 120000); + + it('component makes zero save/persist API calls for any interaction', async () => { + const fetchSpy = vi.spyOn(globalThis, 'fetch'); + + await fc.assert( + fc.asyncProperty( + azureConfigArbitrary(), + async (config) => { + cleanup(); + fetchSpy.mockClear(); + + const { container } = render(AzureSetupGuide); + + const subscriptionInput = container.querySelector('#azure-subscription-id') as HTMLInputElement; + await setInputValue(subscriptionInput, config.subscriptionId); + + const copyButton = screen.getByText(/copy to clipboard/i); + await fireEvent.click(copyButton); + + const apiCalls = fetchSpy.mock.calls.filter(([url]) => { + const urlStr = typeof url === 'string' ? url : (url as Request).url; + return urlStr.includes('/api/'); + }); + expect(apiCalls).toHaveLength(0); + } + ), + { numRuns: 15, timeout: 60000 } + ); + + fetchSpy.mockRestore(); + }, 120000); + }); + + // ─── Unit Tests ───────────────────────────────────────────────────── + + describe('Form Validation', () => { + it('copy button is disabled (form invalid) when subscriptionId is empty', async () => { + render(AzureSetupGuide); + + // Without any input, the snippet preview should warn about missing subscription + const warningText = screen.queryByText(/Fill in the Subscription ID/i); + expect(warningText).not.toBeNull(); + }); + + it('shows next steps after subscriptionId is filled', async () => { + const { container } = render(AzureSetupGuide); + + const subscriptionInput = container.querySelector('#azure-subscription-id') as HTMLInputElement; + await setInputValue(subscriptionInput, '12345678-0000-0000-0000-000000000000'); + + const nextTip = screen.queryByText(/Paste into/i); + expect(nextTip).not.toBeNull(); + }); + + it('snippet does not contain AZURE_DEFAULT_LOCATION', async () => { + const { container } = render(AzureSetupGuide); + + const subscriptionInput = container.querySelector('#azure-subscription-id') as HTMLInputElement; + await setInputValue(subscriptionInput, 'sub-1234'); + + const copyButton = screen.getByText(/copy to clipboard/i); + await fireEvent.click(copyButton); + + const snippet = clipboardWriteText.mock.calls[0]?.[0] ?? ''; + expect(snippet).not.toContain('AZURE_DEFAULT_LOCATION'); + }); + }); +}); diff --git a/frontend/src/components/index.ts b/frontend/src/components/index.ts index a2a074fb..ff4bbcf8 100644 --- a/frontend/src/components/index.ts +++ b/frontend/src/components/index.ts @@ -18,6 +18,7 @@ export { default as GlobalHieraTab } from "./GlobalHieraTab.svelte"; export { default as HieraSetupGuide } from "./HieraSetupGuide.svelte"; export { default as AnsibleSetupGuide } from "./AnsibleSetupGuide.svelte"; export { default as AWSSetupGuide } from "./AWSSetupGuide.svelte"; +export { default as AzureSetupGuide } from "./AzureSetupGuide.svelte"; export { default as IntegrationBadge } from "./IntegrationBadge.svelte"; export { default as MultiSourceFactsViewer } from "./MultiSourceFactsViewer.svelte"; export { default as IntegrationStatus } from "./IntegrationStatus.svelte"; diff --git a/frontend/src/pages/IntegrationSetupPage.svelte b/frontend/src/pages/IntegrationSetupPage.svelte index 65b36e68..43827d91 100644 --- a/frontend/src/pages/IntegrationSetupPage.svelte +++ b/frontend/src/pages/IntegrationSetupPage.svelte @@ -1,7 +1,7 @@