update lock

baoduy · Apr 18, 2024 · 39a967e · 39a967e
1 parent ed63095
commit 39a967e
Show file tree

Hide file tree

Showing 17 changed files with 229 additions and 219 deletions.
diff --git a/src/Aks/index.ts b/src/Aks/index.ts
@@ -499,7 +499,6 @@ export default async ({
               }
             : undefined,
       },
-
     },
     {
       protect: lock,
@@ -513,7 +512,7 @@ export default async ({
   );
 
   if (lock) {
-    Locker({ name: aksName, resourceId: aks.id, dependsOn: aks });
+    Locker({ name: aksName, resource: aks });
   }
 
   if (nodePools) {

diff --git a/src/AzAd/B2C.ts b/src/AzAd/B2C.ts
@@ -45,7 +45,7 @@ export default ({ name, group, location, displayName, lock }: Props) => {
   });
 
   if (lock) {
-    Locker({ name, resourceId: b2cTenant.id, dependsOn: b2cTenant });
+    Locker({ name, resource: b2cTenant });
   }
 
   return b2cTenant;

diff --git a/src/AzAd/ManagedIdentity.ts b/src/AzAd/ManagedIdentity.ts
@@ -1,7 +1,7 @@
-import { BasicResourceArgs } from "../types";
-import * as azure from "@pulumi/azure-native";
-import { getManagedIdentityName } from "../Common/Naming";
-import Locker from "../Core/Locker";
+import { BasicResourceArgs } from '../types';
+import * as azure from '@pulumi/azure-native';
+import { getManagedIdentityName } from '../Common/Naming';
+import Locker from '../Core/Locker';
 
 interface Props extends BasicResourceArgs {
   lock?: boolean;
@@ -12,14 +12,12 @@ export default ({ name, group, lock }: Props) => {
   const managedIdentity = new azure.managedidentity.UserAssignedIdentity(n, {
     resourceName: n,
     ...group,
-
   });
 
   if (lock) {
     Locker({
       name: n,
-      resourceId: managedIdentity.id,
-      dependsOn: managedIdentity,
+      resource: managedIdentity,
     });
   }
 

diff --git a/src/Core/Locker.ts b/src/Core/Locker.ts
@@ -4,10 +4,9 @@ import { Input, Resource } from '@pulumi/pulumi';
 
 interface Props {
   name: string;
-  resourceId: pulumi.Output<string>;
+  resource: Input<Resource>;
   level?: authorization.LockLevel;
   protect?: boolean;
-  dependsOn?: Input<Input<Resource>[]> | Input<Resource>;
 }
 
 /** Lock Delete from Resource group level.*/
@@ -16,7 +15,6 @@ export default ({
   resourceId,
   level = authorization.LockLevel.CanNotDelete,
   protect = true,
-  dependsOn,
 }: Props) => {
   const n = `${name}-${level}`;
 
@@ -25,9 +23,9 @@ export default ({
     {
       lockName: n,
       level,
-      scope: resourceId,
+      scope: resource.id,
       notes: `Lock ${name} from ${level}`,
     },
-    { dependsOn, protect }
+    { dependsOn: resource, protect }
   );
 };
diff --git a/src/Core/ResourceCreator.ts b/src/Core/ResourceCreator.ts
@@ -64,7 +64,7 @@ export default function <
   //Lock Azure Resource from Delete
   let locker: authorization.ManagementLockByScope | undefined = undefined;
   if (lock) {
-    locker = Locker({ name, resourceId: resource.id, dependsOn: resource });
+    locker = Locker({ name, resource });
   }
 
   //Azure DiagnosticSetting

diff --git a/src/IOT/Hub/index.ts b/src/IOT/Hub/index.ts
@@ -1,7 +1,7 @@
 import { BasicResourceArgs, KeyVaultInfo } from '../../types';
 import { getIotHubName } from '../../Common/Naming';
 import * as devices from '@pulumi/azure-native/devices';
-import {  subscriptionId } from '../../Common/AzureEnv';
+import { subscriptionId } from '../../Common/AzureEnv';
 import { Input } from '@pulumi/pulumi';
 import Locker from '../../Core/Locker';
 import { EnvRoleNamesType } from '../../AzAd/EnvRoles';
@@ -215,7 +215,7 @@ export default async ({
   );
 
   if (lock) {
-    Locker({ name, resourceId: hub.id, dependsOn: hub });
+    Locker({ name, resource: hub });
   }
   //Connection Strings
   if (vaultInfo) {

diff --git a/src/MySql/index.ts b/src/MySql/index.ts
@@ -1,24 +1,25 @@
-import { BasicResourceArgs, KeyVaultInfo } from "../types";
-import { getMySqlName } from "../Common/Naming";
-import * as pulumi from "@pulumi/pulumi";
-import * as dbformysql from "@pulumi/azure-native/dbformysql";
-import { randomPassword } from "../Core/Random";
-import * as inputs from "@pulumi/azure-native/types/input";
-import { addCustomSecret } from "../KeyVault/CustomHelper";
-import { currentEnv, isPrd, tenantId } from "../Common/AzureEnv";
-import { getAdGroup } from "../AzAd/Group";
-import Role from "../AzAd/Role";
-import { EnvRoleNamesType } from "../AzAd/EnvRoles";
-import { getEncryptionKey } from "../KeyVault/Helper";
-import UserIdentity from "../AzAd/UserIdentity";
-import { grantVaultAccessToIdentity } from "../KeyVault/VaultPermissions";
-import { RandomString } from "@pulumi/random";
-import PrivateEndpoint from "../VNet/PrivateEndpoint";
+import { BasicResourceArgs, KeyVaultInfo } from '../types';
+import { getMySqlName } from '../Common/Naming';
+import * as pulumi from '@pulumi/pulumi';
+import * as dbformysql from '@pulumi/azure-native/dbformysql';
+import { randomPassword } from '../Core/Random';
+import * as inputs from '@pulumi/azure-native/types/input';
+import { addCustomSecret } from '../KeyVault/CustomHelper';
+import { currentEnv, isPrd, tenantId } from '../Common/AzureEnv';
+import { getAdGroup } from '../AzAd/Group';
+import Role from '../AzAd/Role';
+import { EnvRoleNamesType } from '../AzAd/EnvRoles';
+import { getEncryptionKey } from '../KeyVault/Helper';
+import UserIdentity from '../AzAd/UserIdentity';
+import { grantVaultAccessToIdentity } from '../KeyVault/VaultPermissions';
+import { RandomString } from '@pulumi/random';
+import PrivateEndpoint from '../VNet/PrivateEndpoint';
+import Locker from '../Core/Locker';
 
 export interface MySqlProps extends BasicResourceArgs {
   enableEncryption?: boolean;
   vaultInfo: KeyVaultInfo;
-  auth: {
+  auth?: {
     enableAdAdministrator?: boolean;
     envRoleNames?: EnvRoleNamesType;
 
@@ -39,6 +40,7 @@ export interface MySqlProps extends BasicResourceArgs {
       endIpAddress: string;
     }>;
   };
+  lock?:boolean
 }
 
 export default ({
@@ -52,13 +54,14 @@ export default ({
    [Standard_B1ms, Standard_B1s, Standard_B2ms, Standard_B2s, Standard_B4ms, Standard_B8ms, Standard_D16s_v3, Standard_D2s_v3, Standard_D32s_v3, Standard_D4s_v3, Standard_D64s_v3, Standard_D8s_v3, Standard_E16s_v3, Standard_E2s_v3, Standard_E32s_v3, Standard_E4s_v3, Standard_E64s_v3, Standard_E8s_v3, Standard_M128ms, Standard_M128s, Standard_M64ms, Standard_M64s, Standard_E48s_v3, Standard_D2ds_v4, Standard_D4ds_v4, Standard_D8ds_v4, Standard_D16ds_v4, Standard_D32ds_v4, Standard_D48ds_v4, Standard_D64ds_v4, Standard_E2ds_v4, Standard_E4ds_v4, Standard_E8ds_v4, Standard_E16ds_v4, Standard_E32ds_v4, Standard_E48ds_v4, Standard_E64ds_v4, Standard_D48s_v3, Standard_E20ds_v4, Standard_M8ms, Standard_M16ms, Standard_M32ts, Standard_M32ls, Standard_M32ms, Standard_M64ls, Standard_M64, Standard_M64m, Standard_M128, Standard_M128m, Standard_B12ms, Standard_B16ms, Standard_B20ms, Standard_D2ads_v5, Standard_D4ads_v5, Standard_D8ads_v5, Standard_D16ads_v5, Standard_D32ads_v5, Standard_D48ads_v5, Standard_D64ads_v5, Standard_D96ads_v5, Standard_E2ads_v5, Standard_E4ads_v5, Standard_E8ads_v5, Standard_E16ads_v5, Standard_E20ads_v5, Standard_E32ads_v5, Standard_E48ads_v5, Standard_E64ads_v5, Standard_E96ads_v5, Standard_D2_v5, Standard_D4_v5, Standard_D8_v5, Standard_D16_v5, Standard_D32_v5, Standard_D48_v5, Standard_D64_v5, Standard_D96_v5, Standard_D2ds_v5, Standard_D4ds_v5, Standard_D8ds_v5, Standard_D16ds_v5, Standard_D32ds_v5, Standard_D48ds_v5, Standard_D64ds_v5, Standard_D96ds_v5, Standard_E2ds_v5, Standard_E4ds_v5, Standard_E8ds_v5, Standard_E16ds_v5, Standard_E20ds_v5, Standard_E32ds_v5, Standard_E48ds_v5, Standard_E64ds_v5, Standard_E96ds_v5, Standard_E104ids_v5, Standard_E2bds_v5, Standard_E4bds_v5, Standard_E8bds_v5, Standard_E16bds_v5, Standard_E32bds_v5, Standard_E48bds_v5, Standard_E64bds_v5, Standard_E112iads_v5, Standard_M32dms_v2, Standard_M64ds_v2, Standard_M64dms_v2, Standard_M128ds_v2, Standard_M128dms_v2, Standard_M192ids_v2, Standard_M192idms_v2]
    */
   sku = {
-    name: "Standard_B1ms",
-    tier: "Burstable",
+    name: 'Standard_B1ms',
+    tier: 'Burstable',
   },
   network,
   databases,
   vaultInfo,
   dependsOn,
+  lock:true,
 }: MySqlProps) => {
   name = getMySqlName(name);
 
@@ -104,8 +107,8 @@ export default ({
       version,
       storage: {
         storageSizeGB,
-        autoGrow: isPrd ? "Enabled" : "Disabled",
-        autoIoScaling: isPrd ? "Enabled" : "Disabled",
+        autoGrow: isPrd ? 'Enabled' : 'Disabled',
+        autoIoScaling: isPrd ? 'Enabled' : 'Disabled',
       },
 
       // identity: {
@@ -132,32 +135,36 @@ export default ({
       //maintenanceWindow: { dayOfWeek: 6 },
       sku,
       backup: {
-        geoRedundantBackup: isPrd ? "Enabled" : "Disabled",
+        geoRedundantBackup: isPrd ? 'Enabled' : 'Disabled',
         backupRetentionDays: isPrd ? 7 : 1,
       },
       highAvailability: {
-        mode: isPrd ? "ZoneRedundant" : "Disabled",
-        standbyAvailabilityZone: "3",
+        mode: isPrd ? 'ZoneRedundant' : 'Disabled',
+        standbyAvailabilityZone: '3',
       },
-      availabilityZone: "1",
+      availabilityZone: '1',
     },
     {
       dependsOn,
-      protect: true,
-      ignoreChanges: ["administratorLogin", "dataEncryption"],
+      protect: lock,
+      ignoreChanges: ['administratorLogin', 'dataEncryption'],
     }
   );
 
+  if (lock) {
+    Locker({ name, resource: mySql });
+  }
+
   if (auth?.enableAdAdministrator) {
     const adminGroup = auth.envRoleNames
       ? getAdGroup(auth.envRoleNames.admin)
-      : Role({ env: currentEnv, roleName: "ADMIN", appName: "MYSQL" });
+      : Role({ env: currentEnv, roleName: 'ADMIN', appName: 'MYSQL' });
 
     new dbformysql.AzureADAdministrator(name, {
       serverName: mySql.name,
       ...group,
       login: username,
-      administratorType: "ActiveDirectory",
+      administratorType: 'ActiveDirectory',
       sid: adminGroup.objectId,
       tenantId,
     });
@@ -181,17 +188,17 @@ export default ({
         firewallRuleName: `${name}-firewall-allowpublic`,
         serverName: mySql.name,
         ...group,
-        startIpAddress: "0.0.0.0",
-        endIpAddress: "255.255.255.255",
+        startIpAddress: '0.0.0.0',
+        endIpAddress: '255.255.255.255',
       });
 
     if (network.privateLink) {
       PrivateEndpoint({
         name,
         group,
         resourceId: mySql.id,
-        privateDnsZoneName: "mysql.database.azure.com",
-        linkServiceGroupIds: ["mysql"],
+        privateDnsZoneName: 'mysql.database.azure.com',
+        linkServiceGroupIds: ['mysql'],
         subnetId: network.privateLink.subnetId,
       });
     }

diff --git a/src/Postgresql/index.ts b/src/Postgresql/index.ts
@@ -1,13 +1,14 @@
-import { BasicResourceArgs, KeyVaultInfo } from "../types";
-import { getPostgresqlName } from "../Common/Naming";
-import * as pulumi from "@pulumi/pulumi";
-import * as azure from "@pulumi/azure-native";
-import { isPrd, tenantId } from "../Common/AzureEnv";
-import { randomPassword } from "../Core/Random";
-import * as inputs from "@pulumi/azure-native/types/input";
-import { addCustomSecret } from "../KeyVault/CustomHelper";
-import { RandomString } from "@pulumi/random";
-import PrivateEndpoint from "../VNet/PrivateEndpoint";
+import { BasicResourceArgs, KeyVaultInfo } from '../types';
+import { getPostgresqlName } from '../Common/Naming';
+import * as pulumi from '@pulumi/pulumi';
+import * as azure from '@pulumi/azure-native';
+import { isPrd, tenantId } from '../Common/AzureEnv';
+import { randomPassword } from '../Core/Random';
+import * as inputs from '@pulumi/azure-native/types/input';
+import { addCustomSecret } from '../KeyVault/CustomHelper';
+import { RandomString } from '@pulumi/random';
+import PrivateEndpoint from '../VNet/PrivateEndpoint';
+import Locker from '../Core/Locker';
 
 export interface PostgresProps extends BasicResourceArgs {
   // auth: {
@@ -29,6 +30,7 @@ export interface PostgresProps extends BasicResourceArgs {
       endIpAddress: string;
     }>;
   };
+  lock?: true;
 }
 
 export default ({
@@ -41,13 +43,14 @@ export default ({
   [Standard_B1ms, Standard_B1s, Standard_B2ms, Standard_B2s, Standard_B4ms, Standard_B8ms, Standard_D16s_v3, Standard_D2s_v3, Standard_D32s_v3, Standard_D4s_v3, Standard_D64s_v3, Standard_D8s_v3, Standard_E16s_v3, Standard_E2s_v3, Standard_E32s_v3, Standard_E4s_v3, Standard_E64s_v3, Standard_E8s_v3, Standard_M128ms, Standard_M128s, Standard_M64ms, Standard_M64s, Standard_E48s_v3, Standard_D2ds_v4, Standard_D4ds_v4, Standard_D8ds_v4, Standard_D16ds_v4, Standard_D32ds_v4, Standard_D48ds_v4, Standard_D64ds_v4, Standard_E2ds_v4, Standard_E4ds_v4, Standard_E8ds_v4, Standard_E16ds_v4, Standard_E32ds_v4, Standard_E48ds_v4, Standard_E64ds_v4, Standard_D48s_v3, Standard_E20ds_v4, Standard_M8ms, Standard_M16ms, Standard_M32ts, Standard_M32ls, Standard_M32ms, Standard_M64ls, Standard_M64, Standard_M64m, Standard_M128, Standard_M128m, Standard_B12ms, Standard_B16ms, Standard_B20ms, Standard_D2ads_v5, Standard_D4ads_v5, Standard_D8ads_v5, Standard_D16ads_v5, Standard_D32ads_v5, Standard_D48ads_v5, Standard_D64ads_v5, Standard_D96ads_v5, Standard_E2ads_v5, Standard_E4ads_v5, Standard_E8ads_v5, Standard_E16ads_v5, Standard_E20ads_v5, Standard_E32ads_v5, Standard_E48ads_v5, Standard_E64ads_v5, Standard_E96ads_v5, Standard_D2_v5, Standard_D4_v5, Standard_D8_v5, Standard_D16_v5, Standard_D32_v5, Standard_D48_v5, Standard_D64_v5, Standard_D96_v5, Standard_D2ds_v5, Standard_D4ds_v5, Standard_D8ds_v5, Standard_D16ds_v5, Standard_D32ds_v5, Standard_D48ds_v5, Standard_D64ds_v5, Standard_D96ds_v5, Standard_E2ds_v5, Standard_E4ds_v5, Standard_E8ds_v5, Standard_E16ds_v5, Standard_E20ds_v5, Standard_E32ds_v5, Standard_E48ds_v5, Standard_E64ds_v5, Standard_E96ds_v5, Standard_E104ids_v5, Standard_E2bds_v5, Standard_E4bds_v5, Standard_E8bds_v5, Standard_E16bds_v5, Standard_E32bds_v5, Standard_E48bds_v5, Standard_E64bds_v5, Standard_E112iads_v5, Standard_M32dms_v2, Standard_M64ds_v2, Standard_M64dms_v2, Standard_M128ds_v2, Standard_M128dms_v2, Standard_M192ids_v2, Standard_M192idms_v2]
    */
   sku = {
-    name: "Standard_B1ms",
-    tier: "Burstable",
+    name: 'Standard_B1ms',
+    tier: 'Burstable',
   },
   network,
   databases,
   vaultInfo,
   dependsOn,
+  lock:true,
 }: PostgresProps) => {
   name = getPostgresqlName(name);
 
@@ -72,30 +75,34 @@ export default ({
       storage: { storageSizeGB },
 
       authConfig: {
-        passwordAuth: "Enabled",
-        activeDirectoryAuth: "Enabled",
+        passwordAuth: 'Enabled',
+        activeDirectoryAuth: 'Enabled',
         tenantId,
       },
       administratorLogin: username,
       administratorLoginPassword: password,
-      dataEncryption: { type: "SystemManaged" },
+      dataEncryption: { type: 'SystemManaged' },
       //maintenanceWindow: { dayOfWeek: 6 },
       sku,
       //network: {},
       backup: {
-        geoRedundantBackup: isPrd ? "Enabled" : "Disabled",
+        geoRedundantBackup: isPrd ? 'Enabled' : 'Disabled',
         backupRetentionDays: 7,
       },
-      highAvailability: { mode: isPrd ? "ZoneRedundant" : "Disabled" },
+      highAvailability: { mode: isPrd ? 'ZoneRedundant' : 'Disabled' },
       //availabilityZone: isPrd ? 3 : 1,
     },
     {
       dependsOn,
-      protect: true,
-      ignoreChanges: ["administratorLogin", "dataEncryption"],
+      protect: lock,
+      ignoreChanges: ['administratorLogin', 'dataEncryption'],
     }
   );
 
+  if (lock) {
+    Locker({ name, resource: postgres });
+  }
+
   if (network) {
     if (network.firewallRules) {
       network.firewallRules.map(
@@ -114,17 +121,17 @@ export default ({
         firewallRuleName: `${name}-firewall-allowpublic`,
         serverName: postgres.name,
         ...group,
-        startIpAddress: "0.0.0.0",
-        endIpAddress: "255.255.255.255",
+        startIpAddress: '0.0.0.0',
+        endIpAddress: '255.255.255.255',
       });
 
     if (network.privateLink) {
       PrivateEndpoint({
         name,
         group,
         resourceId: postgres.id,
-        privateDnsZoneName: "postgres.database.azure.com",
-        linkServiceGroupIds: ["postgresql"],
+        privateDnsZoneName: 'postgres.database.azure.com',
+        linkServiceGroupIds: ['postgresql'],
         subnetId: network.privateLink.subnetId,
       });
     }