smom-dbis-138/scripts/deployment/fix-resource-groups-and-keyvaults.sh
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00


#!/usr/bin/env bash
# Fix Resource Groups and Key Vaults
# REFACTORED - Uses common libraries
# 1. Create resource groups if missing (6 per region × 37 regions = 222 total)
# 2. Create Key Vaults with correct naming (dashes) if missing
# 3. Ensure proper permissions on all Key Vaults
# Note: Azure Key Vaults cannot be renamed - new vaults created with correct names
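set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../lib/init.sh"

# --- Initialise ---------------------------------------------------------------
# Subscription every later phase operates on. Phase 3 builds role-assignment
# scopes from SUBSCRIPTION_ID, so the CLI's active subscription must really be
# this one (verified below instead of silently ignored).
SUBSCRIPTION_ID="$(get_subscription_id)"
# Principal that is granted secrets access on every vault. The default is a
# hard-coded object ID committed to the repo; override with OBJECT_ID=... when
# running for a different operator or service principal.
OBJECT_ID="${OBJECT_ID:-5c40d456-49d2-4f2a-b35c-66255ca33b04}"
ensure_azure_cli || exit 1
# Refuse to continue against the wrong subscription: falling through here would
# create resource groups/vaults and grant roles somewhere unintended.
if ! set_subscription "$SUBSCRIPTION_ID"; then
  active_subscription="$(az account show --query id -o tsv 2>/dev/null || true)"
  if [[ "$active_subscription" != "$SUBSCRIPTION_ID" ]]; then
    log_failure "Could not select subscription $SUBSCRIPTION_ID (active: ${active_subscription:-none})"
    exit 1
  fi
  log_warn "set_subscription failed but $SUBSCRIPTION_ID is already the active subscription; continuing"
fi
log_section "FIXING RESOURCE GROUPS AND KEY VAULTS"
log_info "Secrets access will be granted to principal $OBJECT_ID"
# Regions from the library: whitespace-separated "<name>:<code>" tokens (the
# phases below split on the first ':'), so word-splitting is intentional.
# shellcheck disable=SC2207
region_map=($(get_all_regions))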
log_subsection "PHASE 1: CREATE MISSING RESOURCE GROUPS"
rg_created=0
rg_existing=0
for region_info in "${region_map[@]}"; do
region_name="${region_info%%:*}"
region_code="${region_info#*:}"
# Resource groups (6 per region)
rgs=(
"az-p-${region_code}-rg-net-001"
"az-p-${region_code}-rg-comp-001"
"az-p-${region_code}-rg-stor-001"
"az-p-${region_code}-rg-sec-001"
"az-p-${region_code}-rg-mon-001"
"az-p-${region_code}-rg-id-001"
)
for rg_name in "${rgs[@]}"; do
# Check if resource group exists
if az group show --name "$rg_name" &> /dev/null; then
((rg_existing++))
if [ "$rg_created" -eq 0 ] && [ "$rg_existing" -le 6 ]; then
log_success "Resource groups exist for ${region_name}..."
fi
else
# Create resource group
if az group create \
--name "$rg_name" \
--location "$region_name" \
--tags Environment=production Project="DeFi Oracle Meta Mainnet" ChainID=138 ManagedBy=Terraform \
&> /dev/null; then
log_success "Created: $rg_name"
((rg_created++))
else
log_failure "Failed: $rg_name"
fi
fi
done
done
echo ""
log_info "Resource Groups: Created=$rg_created, Existing=$rg_existing, Total=$((rg_created + rg_existing))"
echo ""
log_subsection "PHASE 2: CREATE KEY VAULTS WITH CORRECT NAMING (DASHES)"
kv_created=0
kv_existing=0
kv_legacy=0
for region_info in "${region_map[@]}"; do
region_name="${region_info%%:*}"
region_code="${region_info#*:}"
expected_name="az-p-${region_code}-kv-secrets-001"
legacy_name="azp${region_code}kvsecrets001"
rg_name="az-p-${region_code}-rg-sec-001"
# Check if Key Vault exists with expected name (dashes)
if az keyvault show --name "$expected_name" &> /dev/null; then
((kv_existing++))
if [ "$kv_created" -eq 0 ]; then
log_success "Key Vaults with correct naming exist..."
fi
continue
fi
# Check if legacy name exists (no dashes)
if az keyvault show --name "$legacy_name" &> /dev/null; then
log_warn "Legacy vault found: $legacy_name"
log_info " → Creating new vault with correct name: $expected_name"
((kv_legacy++))
else
log_warn "Missing: $expected_name"
fi
# Ensure resource group exists first
if ! az group show --name "$rg_name" &> /dev/null; then
az group create --name "$rg_name" --location "$region_name" \
--tags Environment=production Project="DeFi Oracle Meta Mainnet" ChainID=138 ManagedBy=Terraform \
&> /dev/null
fi
# Create new Key Vault with correct name
if az keyvault create \
--name "$expected_name" \
--resource-group "$rg_name" \
--location "$region_name" \
--sku standard \
--soft-delete-retention-days 7 \
&> /dev/null; then
echo -e " ${GREEN}✅ Created: $expected_name${NC}"
((kv_created++))
else
echo -e " ${RED}❌ Failed: $expected_name${NC}"
fi
done
echo ""
log_info "Key Vaults: Created=$kv_created, Existing=$kv_existing, Legacy=$kv_legacy"
echo ""
if [ "$kv_legacy" -gt 0 ]; then
log_warn "Note: Legacy Key Vaults cannot be renamed. New vaults created with correct naming."
log_warn "Secrets can be migrated manually from legacy vaults."
echo ""
fi
log_subsection "PHASE 3: ENSURE PERMISSIONS"
permissions_granted=0
permissions_failed=0
for region_info in "${region_map[@]}"; do
region_code="${region_info#*:}"
kv_name="az-p-${region_code}-kv-secrets-001"
# Only grant permissions to vaults with correct naming
if az keyvault show --name "$kv_name" &> /dev/null; then
kv_rg=$(az keyvault show --name "$kv_name" --query "resourceGroup" -o tsv 2>/dev/null)
# Check if RBAC or access policy
is_rbac=$(az keyvault show --name "$kv_name" --query "properties.enableRbacAuthorization" -o tsv 2>/dev/null)
if [ "$is_rbac" = "true" ]; then
# RBAC - check if role already assigned
role_exists=$(az role assignment list \
--scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$kv_rg/providers/Microsoft.KeyVault/vaults/$kv_name" \
--assignee "$OBJECT_ID" \
--role "Key Vault Secrets Officer" \
--query "[].{principalName:principalName}" \
-o tsv 2>/dev/null | wc -l)
if [ "$role_exists" -gt 0 ]; then
((permissions_granted++))
if [ "$permissions_granted" -le 5 ]; then
log_success "$kv_name: RBAC role assigned"
fi
else
if az role assignment create \
--role "Key Vault Secrets Officer" \
--assignee "$OBJECT_ID" \
--scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$kv_rg/providers/Microsoft.KeyVault/vaults/$kv_name" \
&> /dev/null; then
((permissions_granted++))
log_success "$kv_name: RBAC role assigned"
else
((permissions_failed++))
log_failure "$kv_name: Failed RBAC assignment"
fi
fi
else
# Access Policy - update policy
if az keyvault set-policy \
--name "$kv_name" \
--object-id "$OBJECT_ID" \
--secret-permissions get list set delete backup restore recover purge \
&> /dev/null; then
((permissions_granted++))
if [ "$permissions_granted" -le 5 ]; then
log_success "$kv_name: Access policy updated"
fi
else
((permissions_failed++))
log_failure "$kv_name: Failed policy update"
fi
fi
fi
done
echo ""
log_section "SUMMARY"
log_info "Resource Groups:"
echo " Created: $rg_created"
echo " Existing: $rg_existing"
echo " Total: $((rg_created + rg_existing))"
echo ""
log_info "Key Vaults:"
echo " Created (with dashes): $kv_created"
echo " Existing (with dashes): $kv_existing"
echo " Legacy (no dashes): $kv_legacy"
echo ""
log_info "Permissions:"
echo " Granted: $permissions_granted"
echo " Failed: $permissions_failed"
echo ""
if [ "$kv_legacy" -gt 0 ]; then
log_warn "ACTION: Legacy Key Vaults found. New vaults created with correct naming."
log_info " Migrate secrets from legacy vaults to new vaults if needed."
echo ""
fi
if [ "$permissions_failed" -eq 0 ] && [ "$kv_created" -eq 0 ]; then
log_success "All resource groups and Key Vaults configured correctly"
exit 0
else
log_success "Resource groups and Key Vaults configured"
exit 0
fi