aci_oauth2.azcli

###############################################
# Azure Container Instances with Azure CLI
#
# Deploys a container group with SSL offload,
#   OAuth2 proxy and AKV integration
#
# Jose Moreno, October 2020
###############################################

# ToDo:
# - Redundancy with TM/AFD

# Variables
aci_name=sslaci
aci_dns=${aci_name}${RANDOM}
aci_fqdn=${aci_dns}.${location}.azurecontainer.io

# Certificates
openssl req -new -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.csr -subj "/C=US/ST=WA/L=Redmond/O=AppDev/OU=IT/CN=${aci_dns}.${location}.azurecontainer.io"
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt

# Create nginx.conf for SSL
nginx_config_file=/tmp/nginx.conf
cat <<EOF > $nginx_config_file
user nginx;
worker_processes auto;
events {
  worker_connections 1024;
}
pid        /var/run/nginx.pid;
http {
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name localhost;
        ssl_protocols              TLSv1.2;
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;
        keepalive_timeout 300; # up from 75 secs default
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;
        location /api/ {
            proxy_pass http://127.0.0.1:8080 ;
            proxy_set_header Connection "";
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$remote_addr;
            proxy_buffer_size          128k;
            proxy_buffers              4 256k;
            proxy_busy_buffers_size    256k;
        }
        location / {
            proxy_pass http://127.0.0.1:4180 ;
            proxy_set_header Connection "";
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$remote_addr;
            proxy_buffer_size          128k;
            proxy_buffers              4 256k;
            proxy_busy_buffers_size    256k;
        }
    }
}
EOF

# Encode to Base64
nginx_conf=$(cat $nginx_config_file | base64)
ssl_crt=$(cat ssl.crt | base64)
ssl_key=$(cat ssl.key | base64)

# Create database
sql_server_name=sqlserver$RANDOM
sql_db_name=mydb
sql_username=azure
sql_password=Microsoft123!
az sql server create -n $sql_server_name -g $rg -l $location --admin-user $sql_username --admin-password $sql_password
sql_server_fqdn=$(az sql server show -n $sql_server_name -g $rg -o tsv --query fullyQualifiedDomainName)
az sql db create -n $sql_db_name -s $sql_server_name -g $rg -e Basic -c 5 --no-wait

# Create key vault
akv_name=akv$RANDOM
az keyvault create -n $akv_name -g $rg -l $location
az keyvault secret set -n sqlpassword --value $sql_password --vault-name $akv_name

# Create user identity
identity_name=myACIid
az identity create -n $identity_name -g $rg
identity_spid=$(az identity show -g $rg -n $identity_name --query principalId -o tsv)
identity_appid=$(az identity show -g $rg -n $identity_name --query clientId -o tsv)
identity_id=$(az identity show -g $rg -n $identity_name --query id -o tsv)
az keyvault set-policy -n $akv_name -g $rg --object-id $identity_spid --secret-permissions get
scope=$(az group show -n $rg --query id -o tsv)
az role assignment create --scope $scope --role Contributor --assignee $identity_appid

# Create script for init container
storage_account_name="$rg$RANDOM"
az storage account create -n $storage_account_name -g $rg --sku Standard_LRS --kind StorageV2
storage_account_key=$(az storage account keys list --account-name $storage_account_name -g $rg --query '[0].value' -o tsv)
az storage share create --account-name $storage_account_name --account-key $storage_account_key --name initscript
init_script_filename=init.sh
init_script_path=/tmp/
cat <<EOF > ${init_script_path}${init_script_filename}
echo "DEBUG: Environment variables:"
printenv
echo "Logging into Azure..."
az login --identity
echo "Getting secrets for Azure Key Vault \$AKV_NAME..."
az keyvault secret show --vault-name \$AKV_NAME -n sqlpassword --query 'value' -o tsv > /secrets/SQL_PASSWORD
echo "Getting my public IP addresss..."
myip=\$(curl -s4 ifconfig.co)
echo "Adding \$myip to firewall rules of SQL Server \$SQL_SERVER_NAME in RG \$RG..."
az sql server firewall-rule create -g \$RG -s \$SQL_SERVER_NAME -n \$RANDOM --start-ip-address \$myip --end-ip-address \$myip
EOF
az storage file upload --account-name $storage_account_name --account-key $storage_account_key -s initscript --source ${init_script_path}${init_script_filename}

# Create AAD app for authentication
aad_app_id=$(az ad app create --display-name "$aci_name" --identifier-uris "https://${aci_fqdn}" --query appId -o tsv)
ad_app_appid=$(az ad app show --id $aad_app_id --query appId -o tsv)
az ad app update --id $aad_app_id --reply-urls "https://${aci_fqdn}/oauth2/callback"
az ad sp create --id $aad_app_id
ad_app_secret=$(az ad sp credential reset --name $aad_app_id --credential-description "aci test" --query password -o tsv)
az ad app permission add \
    --id $aad_app_id \
    --api 00000003-0000-0000-c000-000000000000 \
    --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 37f7f235-527c-4136-accd-4a02d197296e=Scope
az ad app permission grant --id $aad_app_id --api 00000003-0000-0000-c000-000000000000
az ad app permission admin-consent --id  $aad_app_id

# Create YAML
aci_yaml_file=/tmp/sqlapi.yaml
cat <<EOF > $aci_yaml_file
apiVersion: 2019-12-01
location: westus
name: $aci_name
identity:
  type: UserAssigned
  userAssignedIdentities:
    $identity_id: {}
properties:
  initContainers:
  - name: azcli
    properties:
      image: microsoft/azure-cli:latest
      command:
      # - "az login --identity && az keyvault secret show --vault-name $akv_name -n sqlpassword --query 'value' -o tsv > /secrets/SQL_PASSWORD"
      # - "touch"
      # - "/secrets/helloworld.txt"
      - "/bin/sh"
      - "-c"
      - "/mnt/init/$init_script_filename"
      environmentVariables:
      - name: RG
        value: $rg
      - name: AKV_NAME
        value: $akv_name
      - name: SQL_SERVER_NAME
        value: $sql_server_name
      volumeMounts:
      - name: secrets
        mountPath: /secrets
      - name: initscript
        mountPath: /mnt/init/
  containers:
  - name: nginx
    properties:
      image: nginx
      ports:
      - port: 443
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1
      volumeMounts:
      - name: nginx-config
        mountPath: /etc/nginx
  - name: oauth
    properties:
      image: quay.io/oauth2-proxy/oauth2-proxy:latest
      environmentVariables:
      - name: OAUTH2_PROXY_EMAIL_DOMAINS
        value: "*"
      - name: OAUTH2_PROXY_REVERSE_PROXY
        value: true
      - name: OAUTH2_PROXY_COOKIE_SECRET
        secureValue: ffdsfwerewrwe173
      - name: OAUTH2_PROXY_UPSTREAMS
        value: http://127.0.0.1:80/
      - name: OAUTH2_PROXY_PASS_HOST_HEADER
        value: false
      - name: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER
        value: true
      - name: OAUTH2_PROXY_PROVIDER
        value: azure
      - name: OAUTH2_PROXY_CLIENT_ID
        value: $ad_app_appid
      - name: OAUTH2_PROXY_CLIENT_SECRET
        secureValue: $ad_app_secret
      ports:
      - port: 4180
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1
  - name: web
    properties:
      image: erjosito/web:1.0
      environmentVariables:
      - name: API_URL
        value: 127.0.0.1:8080
      ports:
      - port: 80
        protocol: TCP
      resources:
        requests:
          cpu: 0.5
          memoryInGB: 0.5
  - name: sqlapi
    properties:
      image: erjosito/sqlapi:1.0
      environmentVariables:
      - name: SQL_SERVER_USERNAME
        value: $sql_username
      - name: SQL_SERVER_PASSWORD
        secureValue: $sql_password
      - name: SQL_SERVER_FQDN
        value: $sql_server_fqdn
      - name: SQL_SERVER_DB
        value: $sql_db_name
      ports:
      - port: 8080
        protocol: TCP
      resources:
        requests:
          cpu: 0.5
          memoryInGB: 0.5
      volumeMounts:
      - name: secrets
        mountPath: /secrets/
  volumes:
  - name: nginx-config
    secret:
      ssl.crt: "$ssl_crt"
      ssl.key: "$ssl_key"
      nginx.conf: "$nginx_conf"
  - name: secrets
    emptyDir: {}
  - name: initscript
    azureFile:
      readOnly: false
      shareName: initscript
      storageAccountName: $storage_account_name
      storageAccountKey: $storage_account_key
  ipAddress:
    ports:
    - port: 443
      protocol: TCP
    type: Public
    dnsNameLabel: $aci_dns
  osType: Linux
tags: null
type: Microsoft.ContainerInstance/containerGroups
EOF

# Verify created YAML
# more $aci_yaml_file

# Deploy ACI
az container create -g $rg --file $aci_yaml_file
echo "Container FQDN: $aci_dns"

# Add public IP to SQL Server Firewall
aci_source_ip=40.91.206.16  # Take this from the GUI
az sql server firewall-rule create -g $rg -s $sql_server_name -n public_sqlapi_aci-source --start-ip-address $aci_source_ip --end-ip-address $aci_source_ip

# Show
az container list -g $rg -o table
az container show -n $aci_name -g $rg --query ipAddress
az container show -n $aci_name -g $rg --query instanceView.events -o table

# Logs
az container logs -n $aci_name -g $rg --container-name azcli
az container logs -n $aci_name -g $rg --container-name nginx
az container logs -n $aci_name -g $rg --container-name oauth
az container logs -n $aci_name -g $rg --container-name web
az container logs -n $aci_name -g $rg --container-name sqlapi

# Verify Azure SQL Server rules
az sql server firewall-rule list -s $sql_server_name -g $rg -o table

# Exec
az container exec -n $aci_name -g $rg --container-name oauth --exec-command /bin/sh
az container exec -n $aci_name -g $rg --container-name azcli --exec-command /bin/sh
az container exec -n $aci_name -g $rg --container-name sqlapi --exec-command /bin/sh
az container exec -n $aci_name -g $rg --container-name sqlapi --exec-command "ls -l /secrets/SQL_PASSWORD"

# Restart containers, for example after image update
az container restart -n $aci_name -g $rg

# Cleanup
az container delete -n $aci_name -g $rg -y

# Danger Zone!
# az group delete -n $rg -y --no-wait