Merge pull request #84 from dynatrace-oss/PCLOUDS-2709_Azure_Log_Forw…
…arder_MI_implementation_and_testing

PCLOUDS-2709 Implemented enabling User assigned managed Identity
NematulloKozimov authored Sep 6, 2023
2 parents 6a32a9d + d0b04b2 commit d7a5bfe
Showing 2 changed files with 121 additions and 17 deletions.
33 changes: 33 additions & 0 deletions deployment/dynatrace-azure-forwarder.json
Expand Up @@ -75,6 +75,27 @@
"metadata": {
"description": "Filter config"
}
},
"eventhubConnectionClientId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "MI user id"
}
},
"eventhubConnectionCredentials": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Managed Identity"
}
},
"eventhubConnectionFullyQualifiedNamespace": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Eventhub's host name"
}
}
},
"variables": {
Expand Down Expand Up @@ -428,6 +449,18 @@
{
"name": "FILTER_CONFIG",
"value": "[parameters('filterConfig')]"
},
{
"name": "EventHubConnection_clientId",
"value": "[parameters('eventhubConnectionClientId')]"
},
{
"name": "EventHubConnection_credential",
"value": "[parameters('eventhubConnectionCredentials')]"
},
{
"name": "EventHubConnection_fullyQualifiedNamespace",
"value": "[parameters('eventhubConnectionFullyQualifiedNamespace')]"
}
]
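Review bot: The three new app settings use a single underscore (`EventHubConnection_clientId`, `EventHubConnection_credential`, `EventHubConnection_fullyQualifiedNamespace`), whereas Azure Functions identity-based connections are documented with a double underscore between the connection name and the property, e.g. `EventHubConnection__fullyQualifiedNamespace`. The code that reads these settings is not part of this commit and the settings array starts outside the hunk, so this may be intentional. If the Functions host is expected to pick them up, though, the trigger would presumably keep authenticating with the connection string and the managed identity would go unused without any error. The parameter descriptions could also state what is expected, for instance `"description": "Client ID of the user-assigned managed identity"` for eventhubConnectionClientId and `"description": "Credential type for the Event Hub connection: 'managedidentity' or empty"` for eventhubConnectionCredentials.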

105 changes: 88 additions & 17 deletions deployment/dynatrace-azure-logs.sh
Expand Up @@ -28,7 +28,7 @@ readonly REQUIRE_VALID_CERTIFICATE_DEFAULT=true
print_help()
{
printf "
usage: dynatrace-azure-logs.sh --deployment-name DEPLOYMENT_NAME --target-url TARGET_URL --target-api-token TARGET_API_TOKEN --resource-group RESOURCE_GROUP --event-hub-connection-string EVENT_HUB_CONNECTION_STRING [--use-existing-active-gate USE_EXISTING_ACTIVE_GATE] [--target-paas-token TARGET_PAAS_TOKEN] [--filter-config FILTER_CONFIG] [--require-valid-certificate REQUIRE_VALID_CERTIFICATE] [--enable-self-monitoring SFM_ENABLED] [--repository-release-url REPOSITORY_RELEASE_URL]
usage: dynatrace-azure-logs.sh --deployment-name DEPLOYMENT_NAME --target-url TARGET_URL --target-api-token TARGET_API_TOKEN --resource-group RESOURCE_GROUP --event-hub-connection-string EVENT_HUB_CONNECTION_STRING [--use-existing-active-gate USE_EXISTING_ACTIVE_GATE] [--target-paas-token TARGET_PAAS_TOKEN] [--filter-config FILTER_CONFIG] [--require-valid-certificate REQUIRE_VALID_CERTIFICATE] [--enable-self-monitoring SFM_ENABLED] [--repository-release-url REPOSITORY_RELEASE_URL] [--enable-user-assigned-managed-identity ENABLE_USER_ASSIGNED_MANAGED_IDENTITY]
arguments:
-h, --help Show this help message and exit
Expand Down Expand Up @@ -61,6 +61,15 @@ arguments:
Optional. Apply filters to reduce number of logs that are sent to Dynatrace e.g. filter out logs with Informational level.
--repository-release-url REPOSITORY_RELEASE_URL
Change repository url to custom. Do not change without specific reason
--enable-user-assigned-managed-identity {true|false}
Optional, 'false' by default
if you choose to use user-assigned-managed-identity, you need to change it to 'true' and provide EVENT_HUB_CONNECTION_CLIENT_ID, MANAGED_IDENTITY_RESOURCE_NAME and EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE
--eventhub-connection-client-id EVENT_HUB_CONNECTION_CLIENT_ID
The client id of User-Assigned MI
--managed-identity-resource-name MANAGED_IDENTITY_RESOURCE_NAME
Name of the Managed Identity resource
--eventhub-connection-fully-qualified-namespace EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE
Event Hubs namespace's host name
"
}

Expand All @@ -76,10 +85,11 @@ ensure_param_value_given() {
}

print_all_parameters() {
PARAMETERS="DEPLOYMENT_NAME=$DEPLOYMENT_NAME, USE_EXISTING_ACTIVE_GATE=$USE_EXISTING_ACTIVE_GATE, TARGET_URL=$TARGET_URL, TARGET_API_TOKEN=*****, RESOURCE_GROUP=$RESOURCE_GROUP, EVENT_HUB_CONNECTION_STRING=*****, REQUIRE_VALID_CERTIFICATE=$REQUIRE_VALID_CERTIFICATE, SFM_ENABLED=$SFM_ENABLED, REPOSITORY_RELEASE_URL=$REPOSITORY_RELEASE_URL"
PARAMETERS="DEPLOYMENT_NAME=$DEPLOYMENT_NAME, USE_EXISTING_ACTIVE_GATE=$USE_EXISTING_ACTIVE_GATE, TARGET_URL=$TARGET_URL, TARGET_API_TOKEN=*****, RESOURCE_GROUP=$RESOURCE_GROUP, EVENT_HUB_CONNECTION_STRING=*****, REQUIRE_VALID_CERTIFICATE=$REQUIRE_VALID_CERTIFICATE, SFM_ENABLED=$SFM_ENABLED, REPOSITORY_RELEASE_URL=$REPOSITORY_RELEASE_URL, ENABLE_USER_ASSIGNED_MANAGED_IDENTITY=$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY"
if [[ "$USE_EXISTING_ACTIVE_GATE" == "false" ]]; then PARAMETERS+=", TARGET_PAAS_TOKEN=*****"; fi
if [ -n "$FILTER_CONFIG" ]; then PARAMETERS+=", FILTER_CONFIG=$FILTER_CONFIG"; fi
if [ -n "$TAGS" ]; then PARAMETERS+=", TAGS=$TAGS"; fi
if [[ "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" == "true" ]]; then PARAMETERS+=", EVENT_HUB_CONNECTION_CLIENT_ID=$EVENT_HUB_CONNECTION_CLIENT_ID, MANAGED_IDENTITY_RESOURCE_NAME=$MANAGED_IDENTITY_RESOURCE_NAME, EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE=$EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE"; fi
echo
echo "Deployment script will use following parameters:"
echo $PARAMETERS
Expand Down Expand Up @@ -236,6 +246,30 @@ while (( "$#" )); do
shift; shift
;;

"--enable-user-assigned-managed-identity")
ensure_param_value_given $1 $2
ENABLE_USER_ASSIGNED_MANAGED_IDENTITY=$2
shift; shift
;;

"--eventhub-connection-client-id")
ensure_param_value_given $1 $2
EVENT_HUB_CONNECTION_CLIENT_ID=$2
shift; shift
;;

"--managed-identity-resource-name")
ensure_param_value_given $1 $2
MANAGED_IDENTITY_RESOURCE_NAME=$2
shift; shift
;;

"--eventhub-connection-fully-qualified-namespace")
ensure_param_value_given $1 $2
EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE=$2
shift; shift
;;

*)
echo "Unknown param $1"
print_help
Expand Down Expand Up @@ -289,6 +323,12 @@ elif [[ "$USE_EXISTING_ACTIVE_GATE" != "true" ]] && [[ "$USE_EXISTING_ACTIVE_GAT
echo "Not correct --use-existing-active-gate. Provide 'true' or 'false'";
exit 1;
fi
if [[ -z "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" ]]; then
ENABLE_USER_ASSIGNED_MANAGED_IDENTITY="false"
elif [[ "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" != "true" ]] && [[ "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" != "false" ]]; then
echo "Not correct --enable-user-assigned-managed-identity. Provide 'true' or 'false'";
exit 1;
fi

if [ -n "$FILTER_CONFIG" ]; then check_arg --filter-config "$FILTER_CONFIG" "$FILTER_CONFIG_REGEX";fi
if [ -n "$TAGS" ]; then check_arg --tags "$TAGS" "$TAGS_REGEX"; fi
Expand All @@ -312,11 +352,17 @@ if [ -z "$TARGET_API_TOKEN" ]; then echo "No --target-api-token"; exit 1; fi
if [[ "$USE_EXISTING_ACTIVE_GATE" == "false" ]] && [ -z "$TARGET_PAAS_TOKEN" ]; then echo "No --target-paas-token"; exit 1; fi
if [[ "$USE_EXISTING_ACTIVE_GATE" == true ]]; then DEPLOY_ACTIVEGATE=false;else DEPLOY_ACTIVEGATE=true;fi
if [ -z "$REPOSITORY_RELEASE_URL" ]; then REPOSITORY_RELEASE_URL=${FUNCTION_REPOSITORY_RELEASE_URL}; fi
if [[ "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" == "true" ]]; then
EVENT_HUB_CONNECTION_CREDENTIALS="managedidentity";
if [ -z "$EVENT_HUB_CONNECTION_CLIENT_ID" ]; then echo "No --eventhub-connection-client-id"; exit 1; fi
if [ -z "$MANAGED_IDENTITY_RESOURCE_NAME" ]; then echo "No --managed-identity-resource-name"; exit 1; fi
if [ -z "$EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE" ]; then echo "No --eventhub-connection-fully-qualified-namespace"; exit 1; fi
fi

print_all_parameters

TARGET_URL=$(echo "$TARGET_URL" | sed 's:/*$::')

echo
if [[ "${DEPLOY_ACTIVEGATE}" == "false" ]]; then
check_activegate_state
fi
Expand All @@ -339,20 +385,40 @@ for TAG_PAIR in "${TAG_PAIRS[@]}"; do
done
LOG_FORWARDER_TAGS="{${LOG_FORWARDER_TAGS}}"

az deployment group create \
--resource-group ${RESOURCE_GROUP} \
--template-uri ${REPOSITORY_RELEASE_URL}${FUNCTION_ARM} \
--parameters forwarderName="${DEPLOYMENT_NAME}" \
targetUrl="${TARGET_URL}" \
targetAPIToken="${TARGET_API_TOKEN}" \
eventHubConnectionString="${EVENT_HUB_CONNECTION_STRING}" \
eventHubName="${EVENT_HUB_NAME}" \
requireValidCertificate=${REQUIRE_VALID_CERTIFICATE} \
selfMonitoringEnabled="${SFM_ENABLED}" \
deployActiveGateContainer="${DEPLOY_ACTIVEGATE}" \
targetPaasToken="${TARGET_PAAS_TOKEN}" \
filterConfig="${FILTER_CONFIG}" \
resourceTags="${LOG_FORWARDER_TAGS}"
if [ "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" = "true" ]; then
az deployment group create \
--resource-group ${RESOURCE_GROUP} \
--template-uri ${REPOSITORY_RELEASE_URL}${FUNCTION_ARM} \
--parameters forwarderName="${DEPLOYMENT_NAME}" \
targetUrl="${TARGET_URL}" \
targetAPIToken="${TARGET_API_TOKEN}" \
eventHubConnectionString="${EVENT_HUB_CONNECTION_STRING}" \
eventHubName="${EVENT_HUB_NAME}" \
requireValidCertificate=${REQUIRE_VALID_CERTIFICATE} \
selfMonitoringEnabled="${SFM_ENABLED}" \
deployActiveGateContainer="${DEPLOY_ACTIVEGATE}" \
targetPaasToken="${TARGET_PAAS_TOKEN}" \
filterConfig="${FILTER_CONFIG}" \
resourceTags="${LOG_FORWARDER_TAGS}" \
eventhubConnectionClientId="${EVENT_HUB_CONNECTION_CLIENT_ID}" \
eventhubConnectionCredentials="${EVENT_HUB_CONNECTION_CREDENTIALS}" \
eventhubConnectionFullyQualifiedNamespace="${EVENT_HUB_CONNECTION_FULLY_QUALIFIED_NAMESPACE}"
else
az deployment group create \
--resource-group ${RESOURCE_GROUP} \
--template-uri ${REPOSITORY_RELEASE_URL}${FUNCTION_ARM} \
--parameters forwarderName="${DEPLOYMENT_NAME}" \
targetUrl="${TARGET_URL}" \
targetAPIToken="${TARGET_API_TOKEN}" \
eventHubConnectionString="${EVENT_HUB_CONNECTION_STRING}" \
eventHubName="${EVENT_HUB_NAME}" \
requireValidCertificate=${REQUIRE_VALID_CERTIFICATE} \
selfMonitoringEnabled="${SFM_ENABLED}" \
deployActiveGateContainer="${DEPLOY_ACTIVEGATE}" \
targetPaasToken="${TARGET_PAAS_TOKEN}" \
filterConfig="${FILTER_CONFIG}" \
resourceTags="${LOG_FORWARDER_TAGS}"
fi

if [[ $? != 0 ]]; then
echo -e "\e[91mFunction deployment failed"
Expand All @@ -371,6 +437,11 @@ sleep 60 # wait some time to allow functionapp to warmup

az webapp deployment source config-zip -n ${FUNCTIONAPP_NAME} -g ${RESOURCE_GROUP} --src ${FUNCTION_ZIP_PACKAGE}

if [[ "$ENABLE_USER_ASSIGNED_MANAGED_IDENTITY" == "true" ]]; then
MANAGED_IDENTITY_RESOURCE_ID=$(az identity show --name ${MANAGED_IDENTITY_RESOURCE_NAME} -g ${RESOURCE_GROUP} --query id --output tsv)
az webapp identity assign -n ${FUNCTIONAPP_NAME} -g ${RESOURCE_GROUP} --identities ${MANAGED_IDENTITY_RESOURCE_ID}
fi

if [[ $? != 0 ]]; then
echo -e "\e[91mFunction code deployment failed"
exit 3
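Review bot: The `if [[ $? != 0 ]]` check after the new managed-identity block no longer tests `az webapp deployment source config-zip`: `$?` now holds the status of the inserted `if` statement, which is 0 whenever ENABLE_USER_ASSIGNED_MANAGED_IDENTITY is not "true", so a failed code deployment passes silently. Moving the identity assignment below that check (its `fi` lies outside the hunk) restores it, and the identity lookup then needs its own test, e.g. `MANAGED_IDENTITY_RESOURCE_ID=$(az identity show --name "${MANAGED_IDENTITY_RESOURCE_NAME}" -g "${RESOURCE_GROUP}" --query id --output tsv) || exit 3`. Without that test a failed lookup leaves `--identities ${MANAGED_IDENTITY_RESOURCE_ID}` empty and unquoted on the next line. Separately, the managed-identity branch of `az deployment group create` earlier in this file still passes `eventHubConnectionString`, so the shared access key is still written to the function app even when the identity is meant to replace it; consider dropping it in that branch if the template permits.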
