Merge pull request #525 from DataBiosphere/jsaun/ref-lz-update

Support for deployment in Azure Government Cloud (lzs)

library/src/main/java/bio/terra/landingzone/common/utils/LandingZoneFlightBeanBag.java

@@ -4,6 +4,7 @@
 import bio.terra.landingzone.library.AzureCredentialsProvider;
 import bio.terra.landingzone.library.LandingZoneManagerProvider;
 import bio.terra.landingzone.library.configuration.AzureCustomerUsageConfiguration;
+import bio.terra.landingzone.library.configuration.LandingZoneAzureConfiguration;
 import bio.terra.landingzone.library.configuration.LandingZoneProtectedDataConfiguration;
 import bio.terra.landingzone.library.configuration.LandingZoneTestingConfiguration;
 import bio.terra.landingzone.service.bpm.LandingZoneBillingProfileManagerService;
@@ -28,6 +29,7 @@ public class LandingZoneFlightBeanBag {
   private final ParametersResolverProvider parametersResolverProvider;
   private final AzureCustomerUsageConfiguration azureCustomerUsageConfiguration;
   private final AzureCredentialsProvider azureCredentialsProvider;
+  private final LandingZoneAzureConfiguration azureConfiguration;
 
   @Lazy
   @Autowired
@@ -42,6 +44,7 @@ public LandingZoneFlightBeanBag(
       ParametersResolverProvider parametersResolverProvider,
       AzureCustomerUsageConfiguration azureCustomerUsageConfiguration,
       AzureCredentialsProvider azureCredentialsProvider,
+      LandingZoneAzureConfiguration azureConfiguration,
       ObjectMapper objectMapper) {
     this.landingZoneService = landingZoneService;
     this.landingZoneDao = landingZoneDao;
@@ -53,6 +56,7 @@ public LandingZoneFlightBeanBag(
     this.parametersResolverProvider = parametersResolverProvider;
     this.azureCustomerUsageConfiguration = azureCustomerUsageConfiguration;
     this.azureCredentialsProvider = azureCredentialsProvider;
+    this.azureConfiguration = azureConfiguration;
     this.objectMapper = objectMapper;
   }
 
@@ -103,4 +107,8 @@ public AzureCustomerUsageConfiguration getAzureCustomerUsageConfiguration() {
   public AzureCredentialsProvider getAzureCredentialsProvider() {
     return azureCredentialsProvider;
   }
+
+  public LandingZoneAzureConfiguration getAzureConfiguration() {
+    return azureConfiguration;
+  }
 }

library/src/main/java/bio/terra/landingzone/library/AzureCredentialsProvider.java

@@ -33,12 +33,15 @@ public TokenCredential getTokenCredential() {
         && Objects.nonNull(azureConfiguration.getManagedAppClientSecret())
         && Objects.nonNull(azureConfiguration.getManagedAppClientId())) {
       return new ClientSecretCredentialBuilder()
+          .authorityHost(azureConfiguration.getAzureEnvironment().getActiveDirectoryEndpoint())
           .clientId(azureConfiguration.getManagedAppClientId())
           .clientSecret(azureConfiguration.getManagedAppClientSecret())
           .tenantId(azureConfiguration.getManagedAppTenantId())
           .build();
     }
 
-    return new DefaultAzureCredentialBuilder().build();
+    return new DefaultAzureCredentialBuilder()
+        .authorityHost(azureConfiguration.getAzureEnvironment().getActiveDirectoryEndpoint())
+        .build();
   }
 }

library/src/main/java/bio/terra/landingzone/library/LandingZoneManagerProvider.java

@@ -1,10 +1,10 @@
 package bio.terra.landingzone.library;
 
 import bio.terra.landingzone.library.configuration.AzureCustomerUsageConfiguration;
+import bio.terra.landingzone.library.configuration.LandingZoneAzureConfiguration;
 import bio.terra.landingzone.library.landingzones.management.LandingZoneManager;
 import bio.terra.landingzone.model.LandingZoneTarget;
 import com.azure.core.credential.TokenCredential;
-import com.azure.core.management.AzureEnvironment;
 import com.azure.core.management.profile.AzureProfile;
 import com.azure.resourcemanager.AzureResourceManager;
 import org.jetbrains.annotations.NotNull;
@@ -15,13 +15,16 @@
 public class LandingZoneManagerProvider {
   private AzureCustomerUsageConfiguration azureCustomerUsageConfiguration;
   private final AzureCredentialsProvider azureCredentialsProvider;
+  private final LandingZoneAzureConfiguration azureConfiguration;
 
   @Autowired
   public LandingZoneManagerProvider(
       AzureCustomerUsageConfiguration azureCustomerUsageConfiguration,
-      AzureCredentialsProvider azureCredentialsProvider) {
+      AzureCredentialsProvider azureCredentialsProvider,
+      LandingZoneAzureConfiguration azureConfiguration) {
     this.azureCustomerUsageConfiguration = azureCustomerUsageConfiguration;
     this.azureCredentialsProvider = azureCredentialsProvider;
+    this.azureConfiguration = azureConfiguration;
   }
 
   public LandingZoneManager createLandingZoneManager(LandingZoneTarget landingZoneTarget) {
@@ -38,7 +41,7 @@ public AzureProfile createAzureProfile(LandingZoneTarget landingZoneTarget) {
     return new AzureProfile(
         landingZoneTarget.azureTenantId(),
         landingZoneTarget.azureSubscriptionId(),
-        AzureEnvironment.AZURE);
+        azureConfiguration.getAzureEnvironment());
   }
 
   public AzureResourceManager createAzureResourceManagerClient(

library/src/main/java/bio/terra/landingzone/library/configuration/LandingZoneAzureConfiguration.java

@@ -1,5 +1,6 @@
 package bio.terra.landingzone.library.configuration;
 
+import com.azure.core.management.AzureEnvironment;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 
@@ -10,6 +11,7 @@ public class LandingZoneAzureConfiguration {
   private String managedAppClientId;
   private String managedAppClientSecret;
   private String managedAppTenantId;
+  private String azureEnvironment;
 
   public String getManagedAppClientId() {
     return managedAppClientId;
@@ -34,4 +36,21 @@ public String getManagedAppTenantId() {
   public void setManagedAppTenantId(String managedAppTenantId) {
     this.managedAppTenantId = managedAppTenantId;
   }
+
+  // AzureCloud or AzureUSGovernmentCloud
+  public AzureEnvironment getAzureEnvironment() {
+    switch (azureEnvironment) {
+      case "AzureCloud":
+        return AzureEnvironment.AZURE;
+      case "AzureUSGovernmentCloud":
+        return AzureEnvironment.AZURE_US_GOVERNMENT;
+      default:
+        throw new IllegalArgumentException(
+            String.format("Unknown Azure environment: %s", azureEnvironment));
+    }
+  }
+
+  public void setAzureEnvironment(String azureEnvironment) {
+    this.azureEnvironment = azureEnvironment;
+  }
 }

library/src/main/java/bio/terra/landingzone/library/landingzones/definition/factories/ReferencedLandingZoneStepsDefinitionProvider.java

@@ -55,6 +55,12 @@ public List<Pair<Step, RetryRule>> get(
         Pair.of(new ReferencedBatchStep(armManagers), RetryRules.cloud()),
         Pair.of(new ReferencedStorageStep(armManagers), RetryRules.cloud()),
         Pair.of(new ReferencedRelayNamespaceStep(armManagers), RetryRules.cloud()),
-        Pair.of(new ReferencedAppInsightsStep(armManagers), RetryRules.cloud()));
+        Pair.of(new ReferencedManagedIdentityStep(armManagers), RetryRules.cloud()),
+        Pair.of(new ReferencedPostgresqlServerStep(armManagers), RetryRules.cloud()),
+        Pair.of(new ReferencedAppInsightsStep(armManagers), RetryRules.cloud()),
+        Pair.of(
+            new CreateLandingZoneFederatedIdentityStep(
+                armManagers, new KubernetesClientProviderImpl()),
+            RetryRules.cloud()));
   }
 }

library/src/main/java/bio/terra/landingzone/stairway/flight/create/CreateLandingZoneFlight.java

@@ -15,7 +15,6 @@
 import bio.terra.landingzone.stairway.flight.exception.LandingZoneCreateException;
 import bio.terra.profile.model.ProfileModel;
 import bio.terra.stairway.*;
-import com.azure.core.management.AzureEnvironment;
 import com.azure.core.management.profile.AzureProfile;
 import java.util.UUID;
 
@@ -112,7 +111,7 @@ protected ArmManagers getArmManagers(
         new AzureProfile(
             landingZoneTarget.azureTenantId(),
             landingZoneTarget.azureSubscriptionId(),
-            AzureEnvironment.AZURE);
+            flightBeanBag.getAzureConfiguration().getAzureEnvironment());
     return LandingZoneManager.createArmManagers(
         flightBeanBag.getAzureCredentialsProvider().getTokenCredential(),
         azureProfile,

library/src/main/java/bio/terra/landingzone/stairway/flight/create/reference/resource/step/ArmResourceType.java

@@ -7,6 +7,8 @@ public enum ArmResourceType {
   POSTGRES_FLEXIBLE("Microsoft.DBforPostgreSQL/flexibleServers"),
   BATCH("Microsoft.Batch/batchAccounts"),
   APP_INSIGHTS("Microsoft.Insights/components"),
+  MANAGED_IDENTITY("Microsoft.ManagedIdentity/userAssignedIdentities"),
+  PRIVATE_DNS_ZONE("Microsoft.Network/privateDnsZones"),
   RELAY_NAMESPACE("Microsoft.Relay/namespaces");
 
   private final String value;

library/src/main/java/bio/terra/landingzone/stairway/flight/create/reference/resource/step/BaseReferencedResourceStep.java

@@ -96,10 +96,15 @@ private void tagReferencedResourceAndSetContext(FlightContext context) {
                             getArmResourceType(), getMRGName(context))));
 
     setLandingZoneResourceTags(context, resource);
+    updateWorkingMap(context, armManagers, resource.id());
 
     context.getWorkingMap().put(REFERENCED_RESOURCE_ID, resource.id());
   }
 
+  // Optional hook for subclasses
+  protected void updateWorkingMap(
+      FlightContext context, ArmManagers armManagers, String resourceId) {}
+
   private void setLandingZoneResourceTags(FlightContext context, GenericResource genericResource) {
 
     UUID lzId = getLandingZoneId(context);

library/src/main/java/bio/terra/landingzone/stairway/flight/create/reference/resource/step/ReferencedAksStep.java

@@ -1,6 +1,11 @@
 package bio.terra.landingzone.stairway.flight.create.reference.resource.step;
 
+import static bio.terra.landingzone.stairway.flight.create.resource.step.CreateAksStep.AKS_OIDC_ISSUER_URL;
+import static bio.terra.landingzone.stairway.flight.create.resource.step.CreateAksStep.AKS_RESOURCE_KEY;
+
 import bio.terra.landingzone.library.landingzones.definition.ArmManagers;
+import bio.terra.landingzone.service.landingzone.azure.model.LandingZoneResource;
+import bio.terra.stairway.FlightContext;
 
 public class ReferencedAksStep extends SharedReferencedResourceStep {
 
@@ -12,4 +17,26 @@ public ReferencedAksStep(ArmManagers armManagers) {
   protected ArmResourceType getArmResourceType() {
     return ArmResourceType.AKS;
   }
+
+  @Override
+  protected void updateWorkingMap(
+      FlightContext context, ArmManagers armManagers, String resourceId) {
+    var aks = armManagers.azureResourceManager().kubernetesClusters().getById(resourceId);
+
+    context
+        .getWorkingMap()
+        .put(AKS_OIDC_ISSUER_URL, aks.innerModel().oidcIssuerProfile().issuerUrl());
+
+    context
+        .getWorkingMap()
+        .put(
+            AKS_RESOURCE_KEY,
+            LandingZoneResource.builder()
+                .resourceId(aks.id())
+                .resourceType(aks.type())
+                .tags(aks.tags())
+                .region(aks.regionName())
+                .resourceName(aks.name())
+                .build());
+  }
 }

library/src/main/java/bio/terra/landingzone/stairway/flight/create/reference/resource/step/ReferencedManagedIdentityStep.java

@@ -0,0 +1,39 @@
+package bio.terra.landingzone.stairway.flight.create.reference.resource.step;
+
+import static bio.terra.landingzone.stairway.flight.create.resource.step.CreateLandingZoneIdentityStep.LANDING_ZONE_IDENTITY_CLIENT_ID;
+import static bio.terra.landingzone.stairway.flight.create.resource.step.CreateLandingZoneIdentityStep.LANDING_ZONE_IDENTITY_RESOURCE_KEY;
+
+import bio.terra.landingzone.library.landingzones.definition.ArmManagers;
+import bio.terra.landingzone.service.landingzone.azure.model.LandingZoneResource;
+import bio.terra.stairway.FlightContext;
+
+public class ReferencedManagedIdentityStep extends SharedReferencedResourceStep {
+  public ReferencedManagedIdentityStep(ArmManagers armManagers) {
+    super(armManagers);
+  }
+
+  @Override
+  protected ArmResourceType getArmResourceType() {
+    return ArmResourceType.MANAGED_IDENTITY;
+  }
+
+  @Override
+  protected void updateWorkingMap(
+      FlightContext context, ArmManagers armManagers, String resourceId) {
+    var uami = armManagers.azureResourceManager().identities().getById(resourceId);
+
+    context.getWorkingMap().put(LANDING_ZONE_IDENTITY_CLIENT_ID, uami.clientId());
+
+    context
+        .getWorkingMap()
+        .put(
+            LANDING_ZONE_IDENTITY_RESOURCE_KEY,
+            LandingZoneResource.builder()
+                .resourceId(uami.id())
+                .resourceType(uami.type())
+                .tags(uami.tags())
+                .region(uami.regionName())
+                .resourceName(uami.name())
+                .build());
+  }
+}

library/src/main/java/bio/terra/landingzone/stairway/flight/create/reference/resource/step/ReferencedPostgresqlServerStep.java

@@ -0,0 +1,14 @@
+package bio.terra.landingzone.stairway.flight.create.reference.resource.step;
+
+import bio.terra.landingzone.library.landingzones.definition.ArmManagers;
+
+public class ReferencedPostgresqlServerStep extends SharedReferencedResourceStep {
+  public ReferencedPostgresqlServerStep(ArmManagers armManagers) {
+    super(armManagers);
+  }
+
+  @Override
+  protected ArmResourceType getArmResourceType() {
+    return ArmResourceType.POSTGRES_FLEXIBLE;
+  }
+}

library/src/main/java/bio/terra/landingzone/stairway/flight/create/reference/resource/step/ReferencedPrivateDNSStep.java

@@ -0,0 +1,14 @@
+package bio.terra.landingzone.stairway.flight.create.reference.resource.step;
+
+import bio.terra.landingzone.library.landingzones.definition.ArmManagers;
+
+public class ReferencedPrivateDNSStep extends SharedReferencedResourceStep {
+  public ReferencedPrivateDNSStep(ArmManagers armManagers) {
+    super(armManagers);
+  }
+
+  @Override
+  protected ArmResourceType getArmResourceType() {
+    return ArmResourceType.PRIVATE_DNS_ZONE;
+  }
+}

library/src/main/java/bio/terra/landingzone/stairway/flight/create/resource/step/CreateBatchLogSettingsStep.java

@@ -6,6 +6,7 @@
 import bio.terra.landingzone.stairway.flight.ResourceNameRequirements;
 import bio.terra.stairway.FlightContext;
 import bio.terra.stairway.StepResult;
+import com.azure.resourcemanager.monitor.models.DiagnosticSettingsCategory;
 import java.util.List;
 import java.util.Optional;
 import org.slf4j.Logger;
@@ -37,6 +38,17 @@ protected void createResource(FlightContext context, ArmManagers armManagers) {
             String.class);
 
     var batchLogSettingsName = resourceNameProvider.getName(getResourceType());
+
+    for (DiagnosticSettingsCategory diagnosticSettingsCategory :
+        armManagers
+            .monitorManager()
+            .diagnosticSettings()
+            .listCategoriesByResource(batchAccountId)) {
+      logger.info(
+          "Currently valid diagnostic settings category for batch in current azure Environment :"
+              + diagnosticSettingsCategory.name());
+    }
+
     var batchLogSettings =
         armManagers
             .monitorManager()

library/src/main/java/bio/terra/landingzone/stairway/flight/create/resource/step/postgres/CreatePostgresqlDNSStep.java

@@ -1,5 +1,6 @@
 package bio.terra.landingzone.stairway.flight.create.resource.step.postgres;
 
+import bio.terra.landingzone.common.utils.LandingZoneFlightBeanBag;
 import bio.terra.landingzone.library.landingzones.definition.ArmManagers;
 import bio.terra.landingzone.library.landingzones.definition.ResourceNameGenerator;
 import bio.terra.landingzone.library.landingzones.deployment.LandingZoneTagKeys;
@@ -9,6 +10,7 @@
 import bio.terra.landingzone.stairway.flight.ResourceNameRequirements;
 import bio.terra.landingzone.stairway.flight.create.resource.step.BaseResourceCreateStep;
 import bio.terra.stairway.FlightContext;
+import com.azure.core.management.AzureEnvironment;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -21,6 +23,8 @@ public class CreatePostgresqlDNSStep extends BaseResourceCreateStep {
   public static final String POSTGRESQL_DNS_ID = "POSTGRESQL_DNS_ID";
   public static final String POSTGRESQL_DNS_RESOURCE_KEY = "POSTGRESQL_DNS";
   public static final String POSTGRES_DNS_SUFFIX = ".private.postgres.database.azure.com";
+  public static final String POSTGRES_DNS_SUFFIX_GOV =
+      ".private.postgres.database.usgovcloudapi.net";
 
   public CreatePostgresqlDNSStep(
       ArmManagers armManagers, ResourceNameProvider resourceNameProvider) {
@@ -29,17 +33,25 @@ public CreatePostgresqlDNSStep(
 
   @Override
   protected void createResource(FlightContext context, ArmManagers armManagers) {
+    var beanBag = LandingZoneFlightBeanBag.getFromObject(context.getApplicationContext());
+    var azureEnvironment = beanBag.getAzureConfiguration().getAzureEnvironment();
+
     var landingZoneId =
         getParameterOrThrow(
             context.getInputParameters(), LandingZoneFlightMapKeys.LANDING_ZONE_ID, UUID.class);
 
     var dnsZoneName = resourceNameProvider.getName(getResourceType());
 
+    String postgresDnsSuffixForEnvironment =
+        azureEnvironment == AzureEnvironment.AZURE_US_GOVERNMENT
+            ? POSTGRES_DNS_SUFFIX_GOV
+            : POSTGRES_DNS_SUFFIX;
+
     var dns =
         armManagers
             .azureResourceManager()
             .privateDnsZones()
-            .define(dnsZoneName + POSTGRES_DNS_SUFFIX)
+            .define(dnsZoneName + postgresDnsSuffixForEnvironment)
             .withExistingResourceGroup(getMRGName(context))
             .withTags(
                 Map.of(LandingZoneTagKeys.LANDING_ZONE_ID.toString(), landingZoneId.toString()))