Merge pull request #457 from hookdeck/chore/azure-script-updates

leggetter · web-flow · commit 8683052604a0 · 2025-08-13T09:57:46.000+01:00
chore(azure): add diagnostics-clean script and enhance diagnostics.sh…
diff --git a/examples/azure/dependencies.sh b/examples/azure/dependencies.sh
@@ -94,7 +94,7 @@ if ! az redis show --name "$REDIS_NAME" --resource-group "$RESOURCE_GROUP" &>/de
     --location "$LOCATION" \
     --sku Basic \
     --vm-size c0
-    --enable-non-ssl-port # Comment out or remove if you only want SSL
+    --enable-non-ssl-port \ # Comment out or remove if you only want SSL
 else
   echo "✅ Redis instance already exists"
 fi
diff --git a/examples/azure/diagnostics-clean.sh b/examples/azure/diagnostics-clean.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Argument parsing
+RUN_LOCAL=false
+RUN_AZURE=false
+
+if [ "$#" -eq 0 ]; then
+    RUN_LOCAL=true
+    RUN_AZURE=true
+else
+    while [[ "$#" -gt 0 ]]; do
+        case $1 in
+            --local)
+            RUN_LOCAL=true
+            shift
+            ;;
+            --azure)
+            RUN_AZURE=true
+            shift
+            ;;
+            *)
+            shift
+            ;;
+        esac
+    done
+fi
+
+# Environment files
+ENV_FILES=(".env.outpost" ".env.runtime")
+
+# Check and load environment files
+for ENV_FILE in "${ENV_FILES[@]}"; do
+    if [ ! -f "$ENV_FILE" ]; then
+        echo "❌ $ENV_FILE not found. Please run your deploy script first."
+        exit 1
+    fi
+    echo "📄 Loading environment variables from $ENV_FILE..."
+    set -a; source "$ENV_FILE"; set +a
+done
+
+# Required variables
+REQUIRED_VARS=(
+  API_KEY
+  RESOURCE_GROUP
+)
+
+echo "🔍 Validating required environment variables..."
+for VAR in "${REQUIRED_VARS[@]}"; do
+  if [ -z "${!VAR:-}" ]; then
+    echo "❌ Missing: $VAR"
+    exit 1
+  fi
+done
+echo "✅ All required env vars are set."
+
+# Reusable Cleanup Function
+run_cleanup() {
+    local base_url=$1
+    local env_name=$2
+    echo "🧹 Cleaning up $env_name environment at $base_url..."
+    TENANT_ID="diagnostics-tenant-x"
+
+    echo "   (Fetching destinations for tenant: $TENANT_ID...)"
+    DESTINATION_IDS=$(curl -sf -X GET "$base_url/api/v1/$TENANT_ID/destinations" \
+        -H "Authorization: Bearer $API_KEY" | jq -r '.[].id')
+
+    if [ -z "$DESTINATION_IDS" ]; then
+        echo "   -> No destinations found for tenant $TENANT_ID."
+    else
+        for DEST_ID in $DESTINATION_IDS; do
+            echo "   (Deleting destination: $DEST_ID...)"
+            if ! curl -sf -X DELETE "$base_url/api/v1/$TENANT_ID/destinations/$DEST_ID" -H "Authorization: Bearer $API_KEY" >/dev/null; then
+                echo "   -> ❌ Failed to delete destination $DEST_ID."
+            else
+                echo "   -> ✅ Destination $DEST_ID deleted."
+            fi
+        done
+    fi
+
+    echo "   (Deleting tenant: $TENANT_ID...)"
+    if ! curl -sf -X DELETE "$base_url/api/v1/$TENANT_ID" -H "Authorization: Bearer $API_KEY" >/dev/null; then
+        echo "   -> ❌ Failed to delete tenant $TENANT_ID."
+    else
+        echo "   -> ✅ Tenant $TENANT_ID deleted."
+    fi
+}
+
+# Local Cleanup
+if [ "$RUN_LOCAL" = true ]; then
+    echo "-------------------------------------"
+    echo "🧹 Running LOCAL Cleanup..."
+    echo "-------------------------------------"
+    run_cleanup "http://localhost:3333" "local"
+fi
+
+# Azure Cleanup
+if [ "$RUN_AZURE" = true ]; then
+    echo "-------------------------------------"
+    echo "☁️ Running AZURE Cleanup..."
+    echo "-------------------------------------"
+    
+    if ! command -v az &> /dev/null; then
+        echo "   -> ❌ Azure CLI 'az' is not installed. Skipping Azure cleanup."
+    else
+        AZURE_CONTAINER_APP_NAME="outpost-api"
+        echo "   (Fetching Azure Container App URL for '$AZURE_CONTAINER_APP_NAME'...)"
+        AZURE_URL=$(az containerapp show --name "$AZURE_CONTAINER_APP_NAME" --resource-group "$RESOURCE_GROUP" --query "properties.configuration.ingress.fqdn" -o tsv)
+        if [ -z "$AZURE_URL" ]; then
+            echo "   -> ❌ Could not fetch Azure Container App URL for '$AZURE_CONTAINER_APP_NAME'. Check your Azure login and configuration."
+        else
+            run_cleanup "https://$AZURE_URL" "azure"
+        fi
+    fi
+fi
+
+echo "✅ Cleanup complete."
diff --git a/examples/azure/diagnostics.sh b/examples/azure/diagnostics.sh
@@ -120,25 +120,54 @@ echo "🔐 Testing Azure Service Bus permissions..."
 if ! command -v jq &> /dev/null; then
     echo "   -> ❌ jq is not installed, which is required for this check. Skipping permissions test."
 else
-    SCOPE="/subscriptions/$AZURE_SERVICEBUS_SUBSCRIPTION_ID/resourceGroups/$AZURE_SERVICEBUS_RESOURCE_GROUP/providers/Microsoft.ServiceBus/namespaces/$AZURE_SERVICEBUS_NAMESPACE"
+    # Define the two scopes we will check against
+    NAMESPACE_SCOPE="/subscriptions/$AZURE_SERVICEBUS_SUBSCRIPTION_ID/resourceGroups/$AZURE_SERVICEBUS_RESOURCE_GROUP/providers/Microsoft.ServiceBus/namespaces/$AZURE_SERVICEBUS_NAMESPACE"
+    TOPIC_SCOPE="$NAMESPACE_SCOPE/topics/$AZURE_SERVICEBUS_DELIVERY_TOPIC"
 
     echo "   (Getting Service Principal Object ID...)"
     # Note: This command relies on the user being logged into the az CLI
     SP_OBJECT_ID=$(az ad sp show --id "$AZURE_SERVICEBUS_CLIENT_ID" --query "id" -o tsv)
+
     if [ -z "$SP_OBJECT_ID" ]; then
         echo "   -> ❌ Could not retrieve Service Principal Object ID. Please check your Azure login and that the SP exists."
     else
+        permission_found=false
+        # Function to check for a specific role assignment at a specific scope
         check_role() {
             local role_name=$1
-            echo "   (Checking for role: '$role_name')..."
-            if az role assignment list --assignee "$SP_OBJECT_ID" --scope "$SCOPE" --query "contains([].roleDefinitionName, '$role_name')" | grep -q "true"; then
-                echo "   -> ✅ Service principal has the required '$role_name' role."
+            local scope=$2
+            local scope_name=$3 # A friendly name for the scope for logging
+
+            echo "   (Checking for role: '$role_name' at $scope_name scope...)"
+            if az role assignment list --assignee "$SP_OBJECT_ID" --scope "$scope" --query "contains([].roleDefinitionName, '$role_name')" | grep -q "true"; then
+                echo "   -> ✅ Service principal has the required '$role_name' role at the $scope_name scope."
+                permission_found=true
             else
-                echo "   -> ❌ Service principal does NOT have the required '$role_name' role."
-                echo "      To fix, run: az role assignment create --assignee \"$SP_OBJECT_ID\" --role \"$role_name\" --scope \"$SCOPE\""
+                echo "   -> No '$role_name' role found at $scope_name scope."
             fi
         }
-        check_role "Azure Service Bus Data Owner"
+
+        # 1. Check for Data Owner at the Namespace level (highest privilege)
+        check_role "Azure Service Bus Data Owner" "$NAMESPACE_SCOPE" "Namespace"
+
+        # 2. Check for Data Sender at the Namespace level
+        check_role "Azure Service Bus Data Sender" "$NAMESPACE_SCOPE" "Namespace"
+
+        # 3. Check for Data Sender at the Topic level (most specific)
+        check_role "Azure Service Bus Data Sender" "$TOPIC_SCOPE" "Topic"
+
+        # If none of the checks passed, show a final error
+        if [ "$permission_found" = false ]; then
+            echo ""
+            echo "   -> ❌ PERMISSION FAILURE: The Service Principal does NOT have the required permissions to publish to topic '$AZURE_SERVICEBUS_DELIVERY_TOPIC'."
+            echo "      To fix, grant the 'Azure Service Bus Data Sender' role at either the Namespace or the specific Topic scope."
+            echo "      (Alternatively, 'Azure Service Bus Data Owner' at the Namespace level also works)."
+            echo "      Run one of the following commands:"
+            echo "      Namespace Level: az role assignment create --assignee \"$SP_OBJECT_ID\" --role \"Azure Service Bus Data Sender\" --scope \"$NAMESPACE_SCOPE\""
+            echo "      Topic Level:     az role assignment create --assignee \"$SP_OBJECT_ID\" --role \"Azure Service Bus Data Sender\" --scope \"$TOPIC_SCOPE\""
+        else
+            echo "   -> ✅ Permissions are sufficient for publishing."
+        fi
     fi
 fi
 
diff --git a/examples/azure/local-deploy.sh b/examples/azure/local-deploy.sh
@@ -58,6 +58,9 @@ API_KEY="$API_KEY_VALUE"
 API_JWT_SECRET="$API_JWT_SECRET_VALUE"
 AES_ENCRYPTION_SECRET="$AES_ENCRYPTION_SECRET_VALUE"
 
+# Not required, but recommended
+# TOPICS=diagnostics.test,order.created,order.updated,order.deleted
+
 # Required for Postgres logging
 POSTGRES_URL=$POSTGRES_URL
 
