fixup! e2e: smoke test for peerpods

infra/azure-peerpods-iam/main.tf

@@ -0,0 +1,75 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.5.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "3.0.2"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.5.2"
+    }
+  }
+}
+
+provider "azurerm" {
+  subscription_id = var.subscription_id
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azuread_client_config" "current" {}
+
+provider "azuread" {
+  tenant_id = data.azurerm_subscription.current.tenant_id
+}
+
+locals {
+  name = var.resource_group
+}
+
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group
+}
+
+resource "azuread_application" "app" {
+  display_name = "${local.name}-app"
+  owners       = [data.azuread_client_config.current.object_id]
+}
+
+resource "azuread_service_principal" "sp" {
+  client_id                    = azuread_application.app.client_id
+  app_role_assignment_required = false
+  owners                       = [data.azuread_client_config.current.object_id]
+}
+
+resource "azurerm_role_assignment" "ra_vm_contributor" {
+  scope                = data.azurerm_resource_group.rg.id
+  role_definition_name = "Virtual Machine Contributor"
+  principal_id         = azuread_service_principal.sp.object_id
+}
+
+resource "azurerm_role_assignment" "ra_reader" {
+  scope                = data.azurerm_resource_group.rg.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.sp.object_id
+}
+
+resource "azurerm_role_assignment" "ra_network_contributor" {
+  scope                = data.azurerm_resource_group.rg.id
+  role_definition_name = "Network Contributor"
+  principal_id         = azuread_service_principal.sp.object_id
+}
+
+resource "azuread_application_password" "pw" {
+  application_id = azuread_application.app.id
+}
+

infra/azure-peerpods-iam/outs.tf

@@ -0,0 +1,8 @@
+output "client_secret_env" {
+  value = <<EOF
+client_id = "${azuread_application.app.client_id}"
+tenant_id = "${data.azurerm_subscription.current.tenant_id}"
+client_secret = "${azuread_application_password.pw.value}"
+EOF
+  sensitive = true
+}

infra/azure-peerpods-iam/vars.tf

@@ -0,0 +1,7 @@
+variable "resource_group" {
+  type = string
+}
+
+variable "subscription_id" {
+  type = string
+}

justfile

@@ -180,6 +180,29 @@ upload-image:
 
     nix run -L .#scripts.upload-image -- --subscription-id="$azure_subscription_id" --location="$azure_location" --resource-group="${azure_resource_group}_caa_cluster"
 
+# Create a CoCo-enabled AKS cluster.
+create-pre platform=default_platform:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    case {{ platform }} in
+        "AKS-CLH-SNP"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
+            :
+        ;;
+        "AKS-PEER-SNP")
+            # Ensure that the resource group exists.
+            az group create  --name "${azure_resource_group}_caa_cluster" --location "$azure_location"
+            echo "resource_group = \"$azure_resource_group\"" > infra/azure-peerpods-iam/just.auto.tfvars
+            echo "subscription_id = \"$azure_subscription_id\"" >> infra/azure-peerpods-iam/just.auto.tfvars
+            nix run -L .#terraform -- -chdir=infra/azure-peerpods-iam init
+            nix run -L .#terraform -- -chdir=infra/azure-peerpods-iam apply --auto-approve
+            nix run -L .#terraform -- -chdir=infra/azure-peerpods-iam output -raw client_secret_env > infra/azure-peerpods/iam.auto.tfvars
+        ;;
+        *)
+            echo "Unsupported platform: {{ platform }}"
+            exit 1
+        ;;
+    esac
+
 # Create a CoCo-enabled AKS cluster.
 create platform=default_platform:
     #!/usr/bin/env bash
@@ -192,11 +215,10 @@ create platform=default_platform:
             :
         ;;
         "AKS-PEER-SNP")
-            just upload-image
+            # just upload-image
 
-            # Populate Terraform variables.
             echo "name_prefix = \"$azure_resource_group\"" > infra/azure-peerpods/just.auto.tfvars
-            echo "image_resource_group_name = \"$azure_resource_group\"" >> infra/azure-peerpods/just.auto.tfvars
+            echo "resource_group = \"$azure_resource_group\"" >> infra/azure-peerpods/just.auto.tfvars
             echo "subscription_id = \"$azure_subscription_id\"" >> infra/azure-peerpods/just.auto.tfvars
 
             nix run -L .#terraform -- -chdir=infra/azure-peerpods init
@@ -334,7 +356,7 @@ destroy platform=default_platform:
             # Clean-up cached image ids.
             rm -f ${CONTRAST_CACHE_DIR}/image-upload/*.image-id
 
-            az group delete --name "${azure_resource_group}_caa_cluster" --yes
+            az group delete --name "${azure_resource_group}" --yes
         ;;
         *)
             echo "Unsupported platform: {{ platform }}"
@@ -402,6 +424,9 @@ onboard:
     @echo '{{ rctemplate }}' > ./justfile.env
     @echo "Created ./justfile.env. Please fill it out."
 
+experiment:
+    echo "${azure_location}"
+
 # Just configuration.
 
 set dotenv-filename := "justfile.env"

packages/test-peerpods.sh

@@ -16,7 +16,13 @@ else
 fi
 
 
-cat >infra/azure-peerpods/testrun.auto.tfvars <<EOF
+cat >infra/azure-peerpods/just.auto.tfvars <<EOF
+name_prefix = "${azure_resource_group:?}-$RANDOM"
+resource_group = "${azure_resource_group:?}"
+subscription_id = "${azure_subscription_id:?}"
+EOF
+
+cat >infra/azure-peerpods/iam.auto.tfvars <<EOF
 name_prefix = "${azure_resource_group:?}-$RANDOM"
 resource_group = "${azure_resource_group:?}"
 subscription_id = "${azure_subscription_id:?}"