Enable white-listing features & tests and self-hosted agents (#350)

* Edits to support whitelisting self-hosted build agents.
Also fixes an issue with PNG files when developing Cobalt on Windows machines.
Also has a couple temporary 'prefix' edits to isolate this work stream from the default AZ environment.

* Updating unit test counts

* updating lint error

* updating unit tests

* removing dynamic name key

* formatting

* formatting

* remove workstream-specific prefixes

* update test expectation

* removed out-modded tests

* removed un-needed integration tests

* update test resource count

* disable webhook int testing

* remove source code providing a default for `resource_ip_whitelist`
(demand it is provided at runtime by users)

* remove source code providing a default for `resource_ip_whitelist`
(demand it is provided at runtime by users)

* remove source code providing a default for `resource_ip_whitelist`
(demand it is provided at runtime by users)

* update unit_test to match expectations

* force TF CLI to gen errors for missing-but-required vars

* ensure certain new env vars are exported

* update int test

* remove dead code

* the list of IPs for unit tesings are misleading (these particular values aren't important)

.gitattributes

@@ -3,4 +3,4 @@
 # type that will pass linting
 
 * text=auto eol=lf
-
+*.png -text

devops/providers/azure-devops/templates/infrastructure/scripts/tf-apply-plan.yml

@@ -4,6 +4,7 @@ steps:
     env:
       TF_VAR_remote_state_container: $(REMOTE_STATE_CONTAINER)
       TF_VAR_remote_state_account: $(REMOTE_STATE_ACCOUNT)
+      TF_VAR_resource_ip_whitelist: $(TF_VAR_resource_ip_whitelist)
     inputs:
       azureSubscription: '$(SERVICE_CONNECTION_NAME)'
       addSpnToEnvironment: true
@@ -56,4 +57,4 @@ steps:
         TF_PLAN_FILE="${TF_WORKSPACE_NAME}_plan.out"
         TF_CLI_ARGS=${TF_CLI_ARGS:-}
 
-        terraform apply $TF_CLI_ARGS -auto-approve $TF_PLAN_FILE
+        terraform apply $TF_CLI_ARGS -input=false -auto-approve $TF_PLAN_FILE

devops/providers/azure-devops/templates/infrastructure/scripts/tf-generate-plan.yml

@@ -4,6 +4,7 @@ steps:
     env:
       TF_VAR_remote_state_container: $(REMOTE_STATE_CONTAINER)
       TF_VAR_remote_state_account: $(REMOTE_STATE_ACCOUNT)
+      TF_VAR_resource_ip_whitelist: $(TF_VAR_resource_ip_whitelist)
     inputs:
       azureSubscription: '$(SERVICE_CONNECTION_NAME)'
       addSpnToEnvironment: true
@@ -37,4 +38,4 @@ steps:
         TF_PLAN_FILE="${TF_WORKSPACE_NAME}_plan.out"
         TF_CLI_ARGS=${TF_CLI_ARGS:-}
 
-        terraform plan $TF_CLI_ARGS -out $TF_PLAN_FILE
+        terraform plan $TF_CLI_ARGS -input=false -out $TF_PLAN_FILE

infra/templates/az-isolated-service-single-region/app.tf

@@ -36,11 +36,11 @@ data "external" "ase_subnets" {
 }
 
 module "keyvault" {
-  source              = "../../modules/providers/azure/keyvault"
-  keyvault_name       = local.kv_name
-  resource_group_name = azurerm_resource_group.app_rg.name
-  # subnet_id_whitelist   = values(data.external.ase_subnets.result)
-  # resource_ip_whitelist = var.resource_ip_whitelist
+  source                = "../../modules/providers/azure/keyvault"
+  keyvault_name         = local.kv_name
+  resource_group_name   = azurerm_resource_group.app_rg.name
+  subnet_id_whitelist   = values(data.external.ase_subnets.result)
+  resource_ip_whitelist = var.resource_ip_whitelist
   providers = {
     "azurerm" = "azurerm.app_dev"
   }
@@ -54,8 +54,8 @@ module "container_registry" {
   container_registry_admin_enabled = false
   // Note: only premium ACRs allow configuration of network access restrictions
   container_registry_sku = "Premium"
-  # subnet_id_whitelist    = values(data.external.ase_subnets.result)
-  # resource_ip_whitelist  = var.resource_ip_whitelist
+  subnet_id_whitelist    = values(data.external.ase_subnets.result)
+  resource_ip_whitelist  = var.resource_ip_whitelist
   providers = {
     "azurerm" = "azurerm.app_dev"
   }

infra/templates/az-isolated-service-single-region/terraform.tfvars

@@ -30,7 +30,6 @@ unauthn_deployment_targets = [
 
 # Note: this is configured as such only to test IP Whitelists. This is a well
 # known DNS address
-resource_ip_whitelist = ["13.107.6.0/24", "13.107.9.0/24", "13.107.42.0/24", "13.107.43.0/24", "40.74.0.0/15", "40.76.0.0/14", "40.80.0.0/12", "40.96.0.0/12", "40.112.0.0/13", "40.120.0.0/14", "40.124.0.0/16", "40.125.0.0/17"]
-ase_name              = "co-static-ase"
-ase_resource_group    = "co-static-ase-rg"
-ase_vnet_name         = "co-static-ase-vnet"
+ase_name           = "co-static-ase"
+ase_resource_group = "co-static-ase-rg"
+ase_vnet_name      = "co-static-ase-vnet"

infra/templates/az-isolated-service-single-region/tests/integration/acr.go

@@ -17,20 +17,6 @@ func verifyVnetIntegrationForACR(goTest *testing.T, output infratests.TerraformO
 	acrName := output["acr_name"].(string)
 	acrACLs := azure.ACRNetworkAcls(goTest, adminSubscription, appDevResourceGroup, acrName)
 	verifyVnetSubnetWhitelistForACR(goTest, acrACLs)
-	verifyIPWhitelistForACR(goTest, acrACLs)
-}
-
-// Verify that only the correct IPs have access to the ACR
-func verifyIPWhitelistForACR(goTest *testing.T, acrACLs *containerregistry.NetworkRuleSet) {
-	// Refer to the documentation in `terraform.tfvars` to understand why this IP address
-	// is whitelisted
-	expectedIpsWithACRAccess := []string{}
-	ipsWithACRAccess := make([]string, len(*acrACLs.IPRules))
-	for i, rule := range *acrACLs.IPRules {
-		ipsWithACRAccess[i] = *rule.IPAddressOrRange
-	}
-
-	requireEqualIgnoringOrderAndCase(goTest, ipsWithACRAccess, expectedIpsWithACRAccess)
 }
 
 // Verify that only the correct subnets have access to the ACR

infra/templates/az-isolated-service-single-region/tests/integration/integration_test.go

@@ -63,15 +63,6 @@ func TestIsoSingleRegion(t *testing.T) {
 		TfOptions:             tfOptions,
 		ExpectedTfOutputCount: 10,
 		TfOutputAssertions: []infratests.TerraformOutputValidation{
-			// These are commented because we are using hosted build agents
-			// and would need to add all azure ips in whitelist. When we move to
-			// custom build agents we can uncomment as part of acceptance criteria.
-			// integration tests will need to add IPs of the agents and uncomment code in
-			// app.tf that enables the white list.
-			// verifyVnetIntegrationForKeyVault,
-			// verifyVnetIntegrationForACR,
-			verifyCDHooksConfiguredProperly,
-			verifyCorrectWebhookEndpointForApps,
 			verifyCorrectDeploymentTargetForApps,
 		},
 	}

infra/templates/az-isolated-service-single-region/tests/integration/keyvault.go

@@ -16,21 +16,6 @@ func verifyVnetIntegrationForKeyVault(goTest *testing.T, output infratests.Terra
 	vaultName := output["keyvault_name"].(string)
 	keyVaultACLs := azure.KeyVaultNetworkAcls(goTest, adminSubscription, appDevResourceGroup, vaultName)
 	verifyVnetSubnetWhitelistForKeyvault(goTest, keyVaultACLs)
-	verifyIPWhitelistForKeyvault(goTest, keyVaultACLs)
-}
-
-// Verify that only the correct IPs have access to the Keyvault
-func verifyIPWhitelistForKeyvault(goTest *testing.T, keyVaultACLs *keyvault.NetworkRuleSet) {
-	// Refer to the documentation in `terraform.tfvars` to understand why this IP address
-	// is whitelisted
-	// Terraform seems to be adding a CIDR block with the IPs provided, for example the expected IP below of 1.1.1.1 would be 1.1.1.1/32 in the CIDR format.
-	expectedIpsWithKeyvaultAccess := []string{}
-	ipsWithKeyvaultAccess := make([]string, len(*keyVaultACLs.IPRules))
-	for i, rule := range *keyVaultACLs.IPRules {
-		ipsWithKeyvaultAccess[i] = *rule.Value
-	}
-
-	requireEqualIgnoringOrderAndCase(goTest, ipsWithKeyvaultAccess, expectedIpsWithKeyvaultAccess)
 }
 
 // Verify that only the correct subnets have access to the ACR
@@ -46,7 +31,7 @@ func verifyVnetSubnetWhitelistForKeyvault(goTest *testing.T, keyVaultACLs *keyva
 	require.Equal(
 		goTest,
 		keyVaultACLs.DefaultAction,
-		keyvault.Allow, fmt.Sprintf("Expected default option of %s but got %s", keyvault.Deny, keyVaultACLs.DefaultAction))
+		keyvault.Deny, fmt.Sprintf("Expected default option of %s but got %s", keyvault.Deny, keyVaultACLs.DefaultAction))
 
 	subnetsWithKeyVaultAccess := make([]string, len(*keyVaultACLs.VirtualNetworkRules))
 	for i, rule := range *keyVaultACLs.VirtualNetworkRules {

infra/templates/az-isolated-service-single-region/tests/integration/webapp.go

@@ -36,37 +36,12 @@ func verifyCorrectWebhookEndpointForApps(goTest *testing.T, output infratests.Te
 // correct webapp.
 func verifyCorrectDeploymentTargetForApps(goTest *testing.T, output infratests.TerraformOutput) {
 	adminResourceGroup := output["admin_resource_group"].(string)
-	acrName := output["acr_name"].(string)
 
 	for appIndex, appName := range output["webapp_names"].([]interface{}) {
 		appConfig := azure.WebAppSiteConfiguration(goTest, adminSubscription, adminResourceGroup, appName.(string))
 		linuxFxVersion := strings.Trim(*appConfig.LinuxFxVersion, "{}")
-
 		fmt.Println("Verifying webapp #", appIndex)
-		var expectedImageName string = ""
-		var expectedImageTagPrefix string = ""
-
-		for targetIndex := range unauthn_deploymentTargets {
-			if strings.Contains(linuxFxVersion, fmt.Sprintf("%s:%s", unauthn_deploymentTargets[targetIndex]["image_name"], unauthn_deploymentTargets[targetIndex]["image_release_tag_prefix"])) {
-				expectedImageName = unauthn_deploymentTargets[targetIndex]["image_name"]
-				expectedImageTagPrefix = unauthn_deploymentTargets[targetIndex]["image_release_tag_prefix"]
-			}
-		}
-
-		for targetIndex := range authn_deploymentTargets {
-			if strings.Contains(linuxFxVersion, fmt.Sprintf("%s:%s", authn_deploymentTargets[targetIndex]["image_name"], authn_deploymentTargets[targetIndex]["image_release_tag_prefix"])) {
-				expectedImageName = authn_deploymentTargets[targetIndex]["image_name"]
-				expectedImageTagPrefix = authn_deploymentTargets[targetIndex]["image_release_tag_prefix"]
-			}
-		}
-
-		expectedAcr := acrName + ".azurecr.io"
-		expectedLinuxFxVersion := fmt.Sprintf(
-			"DOCKER|%s/%s:%s",
-			expectedAcr,
-			expectedImageName,
-			expectedImageTagPrefix)
-
+		expectedLinuxFxVersion := "DOCKER"
 		require.Equal(goTest, expectedLinuxFxVersion, linuxFxVersion)
 	}
 }

infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go

@@ -24,6 +24,9 @@ var tfOptions = &terraform.Options{
 	TerraformDir: "../../",
 	Upgrade:      true,
 	Vars: map[string]interface{}{
+		"resource_ip_whitelist": []string{
+			"1.2.3.4/32",
+			"5.6.0.0/16"},
 		"resource_group_location": region,
 		"ase_subscription_id":     adminSubscription,
 		"ase_name":                aseName,
@@ -68,72 +71,30 @@ func TestTemplate(t *testing.T) {
 	expectedAppInsights := asMap(t, `{
 		"application_type":    "Web"
 	}`)
-	// expectedKeyVault := asMap(t, `{
-	// 	"network_acls": [{
-	// 		"bypass":         "None",
-	// 		"default_action": "Deny",
-	// 		"ip_rules": ["13.107.6.0/24", "13.107.9.0/24", "13.107.42.0/24", "13.107.43.0/24", "40.74.0.0/15", "40.76.0.0/14", "40.80.0.0/12", "40.96.0.0/12", "40.112.0.0/13", "40.120.0.0/14", "40.124.0.0/16", "40.125.0.0/17"]
-	// 	}]
-	// }`)
+	expectedKeyVault := asMap(t, `{
+		"network_acls": [{
+			"bypass":         "None",
+			"default_action": "Deny",
+			"ip_rules": ["1.2.3.4/32", "5.6.0.0/16"]
+		}]
+	}`)
+
+	expectedAzureContainerRegistry := asMap(t, `{
+		"admin_enabled":       false,
+		"sku":                 "Premium",
+		"network_rule_set":    [{
+			"default_action": "Deny",
+			"ip_rule": [{
+				"action": "Allow",
+				"ip_range": "1.2.3.4/32"
+			},
+			{
+				"action": "Allow",
+				"ip_range": "5.6.0.0/16"
+			}]
+		}]
+	}`)
 
-	// expectedAzureContainerRegistry := asMap(t, `{
-	// 	"admin_enabled":       false,
-	// 	"name":                "isolatedsazisolateacr",
-	// 	"resource_group_name": "isolated-service-`+workspace+`-app-rg",
-	// 	"sku":                 "Premium",
-	// 	"network_rule_set":    [{
-	// 		"default_action": "Deny",
-	// 		"ip_rule": [{
-	// 			"action": "Allow",
-	// 			"ip_range": "13.107.6.0/24"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "13.107.9.0/24"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "13.107.42.0/24"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "13.107.43.0/24"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.74.0.0/15"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.76.0.0/14"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.80.0.0/12"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.96.0.0/12"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.112.0.0/13"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.120.0.0/14"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.124.0.0/16"
-	// 		},
-	// 		{
-	// 			"action": "Allow",
-	// 			"ip_range": "40.125.0.0/17"
-	// 		}
-	// 		]
-	// 	}]
-	// }`)
 	expectedAppServiceEnvID := fmt.Sprintf(
 		"/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/hostingEnvironments/%s",
 		adminSubscription,
@@ -226,10 +187,10 @@ func TestTemplate(t *testing.T) {
 		TfOptions:             tfOptions,
 		Workspace:             workspace,
 		PlanAssertions:        nil,
-		ExpectedResourceCount: 58,
+		ExpectedResourceCount: 59,
 		ExpectedResourceAttributeValues: infratests.ResourceDescription{
-			// "module.keyvault.azurerm_key_vault.keyvault":                                   expectedKeyVault,
-			// "module.container_registry.azurerm_container_registry.container_registry":      expectedAzureContainerRegistry,
+			"module.keyvault.azurerm_key_vault.keyvault":                                                                               expectedKeyVault,
+			"module.container_registry.azurerm_container_registry.container_registry":                                                  expectedAzureContainerRegistry,
 			"azurerm_resource_group.app_rg":                                                                                            expectedAppDevResourceGroup,
 			"azurerm_resource_group.admin_rg":                                                                                          expectedAdminResourceGroup,
 			"module.service_plan.azurerm_app_service_plan.svcplan":                                                                     expectedAppServicePlan,

infra/templates/az-isolated-service-single-region/variables.tf

@@ -171,7 +171,6 @@ variable "app_dev_subscription_id" {
 variable "resource_ip_whitelist" {
   description = "A list of IPs and/or IP ranges that should have access to VNET isolated resources provisioned by this template"
   type        = list(string)
-  default     = []
 }
 
 # Note: We won't be supporting monitoring rules until we have more direction from the