appgw.azcli

#######################################################
# Deploy AppGW with VNet-integrated ACIs or VMs
#     as backend.
#
#######################################################

# Control
appgw_use_nsg=no
sku=Standard_v2
aci_image=erjosito/yadaapi:1.0
# aci_image=gcr.io/kuar-demo/kuard-amd64:1
backend_count=2
backend_type=vm  # aci or vm
dualstack=yes

# Variables
rg=appgw
location=eastus2
appgw_pipname=appgwpip
dnsname=myapp
dnszone=cloudtrooper.net
dnsrg=dns
appgw_name=appgw
cookie=Disabled
backenddnsname=myapp
backendfqdn="$backenddnsname"."$dnszone"
vnet_name=appgw
vnet_prefix=10.0.0.0/16
vnet_prefix_v6=fd00:db8:deca::/48
appgw_subnet_name=AppGateway
appgw_subnet_prefix=10.0.0.0/24
appgw_subnet_prefix_v6=fd00:db8:deca:deed::/64
appgw_private_frontend_ip=10.0.0.254
appgw_private_frontend_ip_v6=ace:cab:deca:10::ff
aci_subnet_name=aci
aci_subnet_prefix=10.0.1.0/24
aci_subnet_prefix_v6=ace:cab:deca:11::/64
aci_name=backendaci
vm_subnet_name=vm
vm_subnet_prefix=10.0.2.0/24
vm_subnet_prefix_v6=ace:cab:deca:12::/64
vm_name=testvmlinux
vm_pip_name=testvmlinux-pip
vm_sku=Standard_B1s
vm_cloudinit_filename=/tmp/cloudinit-whoami.txt
vm_cloudinit_url=https://raw.githubusercontent.com/erjosito/azcli/master/cloudinit-whoami.txt
vm_rt_name=vm
vm_nsg_name=vm-nsg
appgw_nsg_name=appgw
log_storage_account=appgwlog$RANDOM

####################
# Helper functions #
####################

# Helper function to create A record in an existing zone
# Returns the FQDN
function create_dns(){
    dns_name=$1
    ip_address=$2
    public_domain=cloudtrooper.net
    public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
    if [[ "$ip_address" == *':'* ]]; then
        record_type="aaaa"
    else
        record_type="a"
    fi
    echo "Setting record-type to $record_type..." 1>&2
    if [[ -z "$public_dns_rg" ]]
    then
      echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name" 1>&2
    else
      # First, remove any existing A-record if already exists
      a_record_set=$(az network dns record-set $record_type show -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
      if [[ -n "$a_record_set" ]]
      then
        echo "Deleting existing $record_type record for ${dns_name}.${public_domain}..." 1>&2
        az network dns record-set $record_type delete -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -y -o none
      else
        # Delete any existing CNAME-record if already exists
        cname_record_set=$(az network dns record-set cname show -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
        if [[ -n "$cname_record_set" ]]
        then
          echo "Deleting existing CNAME record for ${dns_name}.${public_domain}..." 1>&2
          az network dns record-set cname delete -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -y -o none
        else
          echo "No conflicting $record_type or CNAME records found in ${public_domain}" 1>&2
        fi
      fi
      # Now create new A record
      echo "Creating $record_type record for ${dns_name}.${public_domain}..." 1>&2
      az network dns record-set $record_type create -g $public_dns_rg -z cloudtrooper.net -n $dns_name -o none
      az network dns record-set $record_type add-record -g $public_dns_rg -z cloudtrooper.net -n $dns_name -a $ip_address -o none
    fi
    fqdn="${dns_name}.${public_domain}" && echo $fqdn
}

# Wait until a resource finishes creation
function wait_until_finished {
     wait_interval=15
     resource_id=$1
     resource_name=$(echo $resource_id | cut -d/ -f 9)
     echo "Waiting for resource $resource_name to finish provisioning..."
     start_time=`date +%s`
     state=$(az resource show --id $resource_id --query properties.provisioningState -o tsv)
     until [[ "$state" == "Succeeded" ]] || [[ "$state" == "Failed" ]] || [[ -z "$state" ]]
     do
        sleep $wait_interval
        state=$(az resource show --id $resource_id --query properties.provisioningState -o tsv)
     done
     if [[ -z "$state" ]]
     then
        echo "Something really bad happened..."
     else
        run_time=$(expr `date +%s` - $start_time)
        ((minutes=${run_time}/60))
        ((seconds=${run_time}%60))
        echo "Resource $resource_name provisioning state is $state, wait time $minutes minutes and $seconds seconds"
     fi
}

###################
# Enable features #
###################

function enableNetworkFeature () {
    feature_name=$1
    state=$(az feature list -o table --query "[?contains(name, 'Microsoft.Network/$feature_name')].properties.state" -o tsv)
    if [[ "$state" == "Registered" ]]
    then
        echo "$feature_name is already registered"
    else
        echo "Registering feature $feature_name..."
        az feature register --name "$feature_name" --namespace Microsoft.Network
        state=$(az feature list --query "[?contains(name, 'Microsoft.Network/$feature_name')].properties.state" -o tsv)
        echo "Waiting for feature $feature_name to finish registering..."
        wait_interval=15
        until [[ "$state" == "Registered" ]]
        do
            sleep $wait_interval
            state=$(az feature list --query "[?contains(name, 'Microsoft.Network/$feature_name')].properties.state" -o tsv)
            echo "Current registration status for feature $feature_name is $state"
        done
        echo "Registering resource provider Microsoft.Network now..."
        az provider register --namespace Microsoft.Network
    fi
}

enableNetworkFeature "AllowApplicationGatewayIpv6"
enableNetworkFeature "EnableApplicationGatewayNetworkIsolation"

##########
#  Main  #
##########

# Create RG
echo "Creating RG and VNet..."
az group create -n $rg -l $location -o none --only-show-errors
if [[ "$dualstack" == "no" ]]; then
    az network vnet create -n $vnet_name -g $rg --address-prefix $vnet_prefix --subnet-name $appgw_subnet_name --subnet-prefix $appgw_subnet_prefix -o none --only-show-errors
else
    az network vnet create -n $vnet_name -g $rg --address-prefixes $vnet_prefix $vnet_prefix_v6 --subnet-name $appgw_subnet_name --subnet-prefixes $appgw_subnet_prefix $appgw_subnet_prefix_v6 -o none --only-show-errors
fi

# Create Log Analytics Workspace
logws_name=$(az monitor log-analytics workspace list -g $rg --query '[0].name' -o tsv)
if [[ -z "$logws_name" ]]
then
    echo "Creating new Log Analytics workspace"
    logws_name=log$RANDOM
    az monitor log-analytics workspace create -n $logws_name -g $rg -o none --only-show-errors
else
    echo "Log Analytics workspace $logws_name found"
fi
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)

# Optionally, create NSG and attach it to the subnet
if [[ "$appgw_use_nsg" == "yes" ]]
then
    echo "Creating NSG for App Gateway..."
    az network nsg create -n $appgw_nsg_name -g $rg -o none --only-show-errors
    # Inbound
    az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_GWM_In' -g $rg \
        --description 'Required for Microsoft to manage the service' \
        --priority 100 --access Allow --direction Inbound --protocol '*' \
        --destination-port-ranges 65200-65535 --source-address-prefixes 'GatewayManager' -o none --only-show-errors
    az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_ALB_In' -g $rg \
        --description 'Required for ALB healthchecks to work' \
        --priority 110 --access Allow  --direction Inbound --protocol '*' \
        --source-address-prefixes 'AzureLoadBalancer' --destination-port-ranges '*' -o none --only-show-errors
    az network nsg rule create --nsg-name $appgw_nsg_name -n 'Deny_Internet_in' -g $rg \
        --description 'Default deny' \
        --priority 1000 --access Deny  --direction Inbound --protocol '*' \
        --source-address-prefixes 'Internet' --destination-port-ranges '*' -o none --only-show-errors
    # Outbound
    # az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_GWM_Out' -g $rg \
    #     --priority 100 --access Allow  --direction Outbound --protocol '*' \
    #     --destination-address-prefixes 'GatewayManager' --destination-port-ranges '*' -o none --only-show-errors
    # az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_AzMonitor_Out' -g $rg \
    #     --description 'Required for sending metrics/logs to AzMonitor' \
    #     --priority 110 --access Allow  --direction Outbound --protocol '*' \
    #     --destination-address-prefixes 'AzureMonitor' --destination-port-ranges '*' -o none --only-show-errors
    # az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_AKV_Out' -g $rg \
    #     --description 'Required for accessing AKV to get certificates' \
    #     --priority 120 --access Allow  --direction Outbound --protocol '*' \
    #     --destination-address-prefixes 'AzureKeyVault' --destination-port-ranges '*' -o none --only-show-errors
    # az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_AAD_Out' -g $rg \
    #     --description 'Required for authenticating to AKV' \
    #     --priority 130 --access Allow  --direction Outbound --protocol '*' \
    #     --destination-address-prefixes 'AzureActiveDirectory' --destination-port-ranges '*' -o none --only-show-errors
    # az network nsg rule create --nsg-name $appgw_nsg_name -n 'Deny_Internet_Out' -g $rg \
    #     --description 'Default deny' \
    #     --priority 1000 --access Deny  --direction Outbound --protocol '*' \
    #     --destination-address-prefixes 'Internet' --destination-port-ranges '*' -o none --only-show-errors
    # Configure NSG flow logging 
    echo "Configuring NSG flow logging for NSG..."
    az storage account create -n $log_storage_account -g $rg --sku Standard_LRS --kind StorageV2
    az network watcher flow-log create -l $location -n flowlog-$location -g $rg \
        --nsg $appgw_nsg_name --storage-account $log_storage_account --log-version 2 --retention 7 \
        --workspace $logws_id --interval 10 --traffic-analytics true -o none --only-show-errors
    flowlog_id=$(az network nsg show -n $appgw_nsg_name -g $rg --query 'flowLogs[0].id' -o tsv)
    az resource show --id $flowlog_id --query properties
    # Attach NSG to subnet
    az network vnet subnet update --vnet-name $vnet_name --name $appgw_subnet_name -g $rg --nsg $appgw_nsg_name -o none --only-show-errors
fi

##############
# Create ACI #
##############

# Create ACI instances in the vnet with a loop
# No IPv6 supported
if [[ $backend_type == "aci" ]]; then
    echo "Creating subnet for ACIs..."
    az network vnet subnet create -g $rg --vnet-name $vnet_name -n $aci_subnet_name --address-prefix $aci_subnet_prefix -o none --only-show-errors
    vnet_id=$(az network vnet show -n $vnet_name -g $rg --query id -o tsv)
    aci_subnet_id=$(az network vnet subnet show -n $aci_subnet_name --vnet-name $vnet_name -g $rg --query id -o tsv)
    for i in $(seq 1 $backend_count)
    do
        echo "Creating ACI $i..."
        az container create -n ${aci_name}-$i -g $rg --image $aci_image --ip-address private --ports 8080 --vnet $vnet_id --subnet $aci_subnet_id -o none --only-show-errors
        aci_ip=$(az container show -n ${aci_name}-$i -g $rg --query 'ipAddress.ip' -o tsv)
        echo "ACI $i created with IP $aci_ip"
    done
fi

###############
#  Create VM  #
###############

# Deploy a Linux VM with a troubleshooting web page
if [[ $backend_type == "vm" ]]; then
    if [[ "$dualstack" == "no" ]]; then
        az network vnet subnet create -g $rg --vnet-name $vnet_name -n $vm_subnet_name --address-prefix $vm_subnet_prefix -o none --only-show-errors
    else
        az network vnet subnet create -g $rg --vnet-name $vnet_name -n $vm_subnet_name --address-prefixes $vm_subnet_prefix $vm_subnet_prefix_v6 -o none --only-show-errors
    fi
    az network public-ip create -g $rg -n $vm_pip_name --sku standard --allocation-method static -l $location -o none --only-show-errors
    az network nsg create -n $vm_nsg_name -g $rg -o none --only-show-errors
    az network nsg rule create -n ssh --nsg-name $vm_nsg_name -g $rg --priority 500 --destination-port-ranges 22 --access Allow --protocol Tcp -o none --only-show-errors
    az network nsg rule create -n web --nsg-name $vm_nsg_name -g $rg --priority 510 --destination-port-ranges 8080 --access Allow --protocol Tcp -o none --only-show-errors
    az network nsg rule create -n web80 --nsg-name $vm_nsg_name -g $rg --priority 515 --destination-port-ranges 80 --access Allow --protocol Tcp -o none --only-show-errors
    az network nsg rule create -n https --nsg-name $vm_nsg_name -g $rg --priority 520 --destination-port-ranges 443 --access Allow --protocol Tcp -o none --only-show-errors
    cat <<EOF > $vm_cloudinit_filename
#cloud-config
runcmd:
  - apt update && apt install -y python3-pip
  - pip3 install flask
  - wget https://raw.githubusercontent.com/erjosito/azcli/master/myip.py -O /root/myip.py
  - python3 /root/myip.py &
EOF
    az vm create -n $vm_name -g $rg --image Ubuntu2204 --generate-ssh-keys --size $vm_sku \
      --vnet-name $vnet_name --subnet $vm_subnet_name \
      --nsg $vm_nsg_name --public-ip-address $vm_pip_name \
      --custom-data $vm_cloudinit_filename -o none --only-show-errors
    vm_private_ip=$(az vm show -g $rg -n $vm_name -d --query privateIps -o tsv) && echo $vm_private_ip

    # Verify Linux VM deployed correctly and SSH is working fine
    vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "ip a"
    curl ${vm_pip_address}:8080/api/healthcheck
    curl ${vm_pip_address}:8080/api/ip

#     # Create service to automatically run the script on startup
#     # Goes to /etc/systemd/system/myip.service
#     cat <<EOF > /tmp/run_app.sh
# [unit]
# Description=Test app
# [service]
# ExecStart=/usr/bin/python3 /root/myip.py &
# EOF
#     cat <<EOF > /tmp/run_app.sh
# #!/bin/bash
# /usr/bin/python3 /root/myip.py &
# EOF
#     user=$(whoami)
#     scp /tmp/run_app.sh "${vm_pip_address}:/home/${user}/" && rm /tmp/run_app.sh
#     ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "chmod +x /home/${user}/run_app.sh"
#     ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo cp /home/${user}/run_app.sh /etc/init.d/"
#     ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo update-rc.d run_app.sh defaults"

    # If required (for example because you restarted the VM), restart the python app
    # ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo python3 /root/myip.py &"

    # Create DNS record
    vm_fqdn=$(create_dns "vm" "$vm_pip_address") && echo $vm_fqdn
    curl "http://${vm_fqdn}:8080/api/healthcheck"

    # Install nginx for SSL termination
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo apt install -y nginx"
    nginx_config_file=/tmp/nginx.conf
    cat <<EOF > $nginx_config_file
worker_processes auto;
events {
  worker_connections 1024;
}
#pid        /var/run/nginx.pid;
http {
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        listen [::]:80;
        listen 80;
        server_name localhost;
        ssl_protocols              TLSv1.2;
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;
        keepalive_timeout 75; # up from 75 secs default
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;
        location /api/ {
            proxy_pass http://127.0.0.1:8080 ;
            proxy_set_header Connection "";
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            # proxy_set_header X-Forwarded-For \$remote_addr;
            proxy_buffer_size          128k;
            proxy_buffers              4 256k;
            proxy_busy_buffers_size    256k;
        }
        location / {
            rewrite ^/(.*)\$ https://$vm_fqdn/api/\$1 redirect;
        }
    }
}
EOF
    scp "$nginx_config_file" "${vm_pip_address}:~/"

    # Put public certs in NGINX. Note: you need to have some public certs in advance
    cert_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2023/star_cloudtrooper_net_fullchain.pem"
    key_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2023/CSR/star_cloudtrooper_net.key"
    scp "$cert_file" "${vm_pip_address}:~/ssl.crt"
    scp "$key_file" "${vm_pip_address}:~/ssl.key"
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo mv ./* /etc/nginx/"
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo systemctl restart nginx"
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo systemctl enable nginx"

    # Verify nginx is working fine
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "systemctl status nginx"
    curl "https://${vm_fqdn}/api/healthcheck"
    curl "http://${vm_fqdn}/api/healthcheck"
    if [[ "$dualstack" == "yes" ]]; then
        az network vnet subnet update -g $rg --vnet-name $vnet_name -n $vm_subnet_name --address-prefixes $vm_subnet_prefix $vm_subnet_prefix_v6 -o none --only-show-errors
        echo "Adding IPv6 configuration to VM..."
        az network public-ip create -n "${vm_pip_name}-v6" -g $rg --sku Standard --version IPv6 -o none --only-show-errors
        vm_pip_address_v6=$(az network public-ip show -n "${vm_pip_name}-v6" -g $rg --query ipAddress -o tsv) && echo $vm_pip_address_v6
        nic_id=$(az vm show -n $vm_name -g $rg --query 'networkProfile.networkInterfaces[0].id' -o tsv)
        nic_name=$(echo $nic_id | cut -d'/' -f9)
        az network nic ip-config create -n myIPv6config -g $rg --nic-name $nic_name --private-ip-address-version IPv6 --vnet-name $vnet_name --subnet $vm_subnet_name --public-ip-address "${vm_pip_name}-v6" -o none --only-show-errors
        vm_private_ipv6=$(az network nic ip-config show -n myIPv6config -g $rg --nic-name $nic_name --query privateIPAddress -o tsv)
        az vm restart -n $vm_name -g $rg -o none
        ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo python3 /root/myip.py &"
        vm_fqdn_v6=$(create_dns "vmv6" "$vm_pip_address_v6") && echo $vm_fqdn_v6
        curl "http://${vm_fqdn_v6}/api/healthcheck"
    fi
fi

#################
# Create App GW #
#################

# Override subnet if required
# appgw_name=appg21
# appgw_subnet_name=appgw21
# appgw_subnet_prefix=10.0.21.0/24
# appgw_subnet_prefix_v6=ace:cab:deca:21::/64
# appgw_pipname=${appgw_name}-pip

# Verify appgw_subnet exists
appgw_subnet_id=$(az network vnet subnet show -n $appgw_subnet_name --vnet-name $vnet_name -g $rg --query id -o tsv)
if [[ -z "$appgw_subnet_id" ]]; then
    if [[ "$dualstack" == "yes" ]]; then
        echo "Creating subnet $appgw_subnet_name with prefixes $appgw_subnet_prefix and $appgw_subnet_prefix_v6..."
        az network vnet subnet create -g $rg --vnet-name $vnet_name -n $appgw_subnet_name --address-prefixes $appgw_subnet_prefix $appgw_subnet_prefix_v6 -o none --only-show-errors
    else
        echo "Creating subnet $appgw_subnet_name with prefix $appgw_subnet_prefix..."
        az network vnet subnet create -g $rg --vnet-name $vnet_name -n $appgw_subnet_name --address-prefix $appgw_subnet_prefix -o none --only-show-errors
    fi
fi

# Create PIP
echo "Creating PIP(s) for App GW..."
allocation_method=Static
az network public-ip create -g $rg -n $appgw_pipname --sku Standard --allocation-method $allocation_method -l $location -o none --only-show-errors
if [[ "$dualstack" == "yes" ]]; then
    az network public-ip create -g $rg -n "${appgw_pipname}-v6" --sku Standard --allocation-method $allocation_method -l $location --version IPv6 -o none --only-show-errors
fi
#fqdn=$(az network public-ip show -g $rg -n $appgw_pipname --query dnsSettings.fqdn -o tsv)

# Variable with backend IPs
if [[ "$backend_type" == "vm" ]]; then
    if [[ "$dualstack" == "no" ]]; then
        backend_ips=$vm_private_ip
    else
        # backend_ips=$vm_private_ipv6          # Not working the appgw creation command errors out when supplying an IPv6 address as backend server
        backend_ips=$vm_private_ip
    fi
else
    backend_ips=""
    for i in $(seq 1 $backend_count)
    do
        aci_ip=$(az container show -n ${aci_name}-$i -g $rg --query 'ipAddress.ip' -o tsv)
        backend_ips="$backend_ips $aci_ip"
    done
fi

# Create GW with sample config for port 80
# To create private GW, add --private-ip-address <ip_address>
echo "Creating App GW..."
az network application-gateway create -g $rg -n $appgw_name --sku $sku \
    --min-capacity 1 --max-capacity 2 \
    --frontend-port 80 --routing-rule-type basic \
    --http-settings-port 8080 --http-settings-protocol Http --priority 1001 \
    --public-ip-address "${appgw_pipname}" --vnet-name $vnet_name --subnet $appgw_subnet_name \
    --servers ${(z)backend_ips} -o none --only-show-errors

# If dual stack, add IPv6 frontend
if [[ "$dualstack" == "yes" ]]; then
    az network application-gateway frontend-ip create -g $rg --gateway-name $appgw_name -n FrontendPIPv6 --public-ip-address "${appgw_pipname}-v6" -o none --only-show-errors
    # We can add a private IPv4 and try to remove the public IPv4
    az network application-gateway frontend-ip create --gateway-name $appgw_name -g $rg -n FrontendIPv4 --private-ip-address $appgw_private_frontend_ip --subnet $appgw_subnet_name --vnet-name $vnet_name -o none --only-show-errors
    listener_name=$(az network application-gateway http-listener list --gateway-name $appgw_name -g $rg --query '[0].name' -o tsv)
    az network application-gateway http-listener update --gateway-name $appgw_name -g $rg -n $listener_name --frontend-ip FrontendPIPv6 -o none --only-show-errors
    az network application-gateway frontend-ip delete --gateway-name $appgw_name -g $rg -n appGatewayFrontendIP -o none --only-show-errors
    # And now that we are at it, we can add a private IPv6 frontend
    az network application-gateway frontend-ip create --gateway-name $appgw_name -g $rg -n FrontendIPv6 --private-ip-address $appgw_private_frontend_ip_v6 --subnet $appgw_subnet_name --vnet-name $vnet_name -o none --only-show-errors
fi

# If dual stack, add IPv6 backend pool
if [[ "$dualstack" == "yes" ]]; then
    address_pool_name=$(az network application-gateway address-pool list --gateway-name $appgw_name -g $rg --query '[0].name' -o tsv)
    address_pool_v6_name="${address_pool_name}-v6"
    az network application-gateway address-pool create --gateway-name $appgw_name -g $rg -n $address_pool_v6_name --servers $vm_private_ipv6 -o none --only-show-errors
fi

# If using a DNS entry, create A record(s) pointing to the PIP
appgw_pip=$(az network public-ip show -g $rg -n $appgw_pipname --query ipAddress -o tsv) && echo "App Gw's public IP is $appgw_pip"
appgw_fqdn=$(create_dns "appgw" "$appgw_pip") && echo "You can access App GW's public IP with FQDN $appgw_fqdn"
if [[ "$dualstack" == "yes" ]]; then
    appgw_pip_v6=$(az network public-ip show -g $rg -n "${appgw_pipname}-v6" --query ipAddress -o tsv) && echo "App Gw's public IPv6 is $appgw_pip_v6"
    appgw_fqdn_v6=$(create_dns "appgwv6" "$appgw_pip_v6") && echo "You can access App GW's public IPv6 with FQDN $appgw_fqdn_v6"
fi

# Wait for GW to be created (only needed if using --no-wait when created the appgw)
# appgw_id=$(az network application-gateway show -n $appgw_name -g $rg --query id -o tsv)
# wait_until_finished $appgw_id

# Add diagnostic setting
appgw_id=$(az network application-gateway show -n $appgw_name -g $rg --query id -o tsv)
echo "Adding diagnostic settings to App GW..."
az monitor diagnostic-settings create -n mydiag --resource $appgw_id --workspace $logws_id -o none --only-show-errors \
    --metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
    --logs '[{"category": "ApplicationGatewayAccessLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}, 
        {"category": "ApplicationGatewayPerformanceLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}, 
        {"category": "ApplicationGatewayFirewallLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'


# Add healthcheck probe with custom path to existing settings
echo "Adding custom healthcheck probe to App GW..."
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name probe8080 --protocol Http --host-name-from-http-settings --match-status-codes 200-399 --port 8080 --path /api/healthcheck -o none --only-show-errors
default_settings_name=$(az network application-gateway http-settings list -g "$rg" --gateway-name "$appgw_name" --query '[0].name' -o tsv)
az network application-gateway http-settings update -g "$rg" --gateway-name "$appgw_name" -n $default_settings_name --probe probe8080 --host-name-from-backend-pool -o none --only-show-errors

# Test app
curl "http://${appgw_fqdn}/api/healthcheck"

###########
# ACI app #
###########

# # Create backend
# az network application-gateway address-pool create -n kuardpool -g $rg --gateway-name $appgw_name --servers $aci_ip

# # Create probe and HTTP settings
# az network application-gateway probe create -g $rg --gateway-name $appgw_name \
#   --name kuardprobe --protocol Http --host-name-from-http-settings \
#   --match-status-codes 200-399 --port 8080
# az network application-gateway http-settings create -g $rg --gateway-name $appgw_name \
#   --name kuardsettings --protocol http --port 8080 --host-name-from-backend-pool \
#   --probe kuardprobe

# # Create HTTP listener
# frontend_name=$(az network application-gateway frontend-ip list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv)
# az network application-gateway http-listener create -n kuardlistener -g $rg --gateway-name $appgw_name \
#   --frontend-port 80 --frontend-ip $frontend_name --host-name $dnsname.$dnszone

# # Create rule
# az network application-gateway rule create -g $rg --gateway-name $appgw_name \
#   -n kuardrule --http-listener kuardlistener --rule-type Basic \
#   --address-pool kuardpool --http-settings kuardsettings

#######
# SSL #
#######

# Keyvault
# keyvault_name=joseakv-airs
keyvault_name=erjositoKeyvault

# Option 1: cert already uploaded to AKV
cert_name=cloudtroopernet

# Option 2: upload a cert to AKV
# cert_name=selfsigned01
# az keyvault certificate create --vault-name $keyvault_name -n $cert_name -p "$(az keyvault certificate get-default-policy)"

# Create Identity to access the AKV
id_name=appgwid
az identity create -n $id_name -g $rg
id_principal_id=$(az identity show -n $id_name -g $rg --query principalId -o tsv)

# Grant permissions, depending on whether Azure RBAC is enabled or not
akv_azure_rbac=$(az keyvault show -n $keyvault_name --query properties.enableRbacAuthorization -o tsv)
if [[ "$akv_azure_rbac" == "true" ]]
then
    keyvault_id=$(az keyvault show -n $keyvault_name --query id -o tsv)
    az role assignment create --scope $keyvault_id --role "Key Vault Secrets User" --assignee $id_principal_id -o none
else
    az keyvault set-policy -n "$keyvault_name" --object-id "$id_principal_id" -o none \
      --secret-permissions get list \
      --certificate-permissions get list
fi
id_id=$(az identity show -n $id_name -g $rg --query id -o tsv)
az network application-gateway identity assign --gateway-name $appgw_name -g $rg --identity $id_id -o none

# Import cert from AKV
cert_sid=$(az keyvault certificate show --vault-name $keyvault_name -n $cert_name --query sid -o tsv) && echo $cert_sid
# az network application-gateway ssl-cert delete -n $cert_name -g $rg --gateway-name $appgw_name  # In case the certificate already existed
az network application-gateway ssl-cert create -n $cert_name -g $rg --gateway-name $appgw_name --key-vault-secret-id $cert_sid -o none

# Check certs in appgw
az network application-gateway ssl-cert list -g $rg --gateway-name $appgw_name -o table

# Create from file
# az network application-gateway ssl-cert create -g $rg --gateway-name $appgw_name -n starcloudtrooper \
#   --cert-file ~/certs/cloudtrooper.net/star_cloudtrooper_net.p7b --cert-password Microsoft123!

# Configure AppGw for end-to-end SSL
# HTTP Settings and probe
echo "Creating SSL probe and HTTP settings..."
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name sslprobe --protocol Https --host-name-from-http-settings --match-status-codes 200-399 --port 443 --path /api/healthcheck -o none
az network application-gateway http-settings create -g "$rg" --gateway-name "$appgw_name" --port 443 \
--name sslsettings --protocol https --host-name ${vm_fqdn} --probe sslprobe -o none
# Create rule (using url-path-maps to make it more exciting)
default_address_pool_name=$(az network application-gateway address-pool list -g $rg --gateway-name $appgw_name -o tsv --query '[0].name') && echo $default_address_pool_name
default_frontend_name=$(az network application-gateway frontend-ip list -g "$rg" --gateway-name "$appgw_name" --query '[0].name' -o tsv) && echo $default_frontend_name
az network application-gateway frontend-port create -n sslport -g "$rg" --gateway-name "$appgw_name" --port 443 -o none
az network application-gateway http-listener create -n ssllistener -g "$rg" --gateway-name "$appgw_name" \
  --frontend-port sslport --frontend-ip "$default_frontend_name" --ssl-cert "$cert_name" -o none
az network application-gateway url-path-map create --gateway-name $appgw_name -g $rg -n sslpathmap \
  --rule-name rule01 --paths '/api/*' --address-pool $default_address_pool_name --http-settings sslsettings \
  --default-address-pool $default_address_pool_name --default-http-settings sslsettings -o none
az network application-gateway rule create -g "$rg" --gateway-name "$appgw_name" -n sslrule \
  --url-path-map sslpathmap --rule-type PathBasedRouting --priority 1010 \
  --http-listener ssllistener --address-pool $default_address_pool_name --http-settings sslsettings -o none

# Verify
curl -vvl "https://${appgw_fqdn}/api/healthcheck"

##################
# Header rewrite #
##################

ruleset_name=ruleset01
rule_name=locationrewrite
az network application-gateway rewrite-rule set create --gateway-name $appgw_name -g $rg -n $ruleset_name
az network application-gateway rewrite-rule create --gateway-name $appgw_name -g $rg -n $rule_name --rule-set-name $ruleset_name \
    --response-headers 'Location=/api/{http_resp_Location_2}'
az network application-gateway rewrite-rule condition create --gateway-name $appgw_name -g $rg --rule-name $rule_name --rule-set-name $ruleset_name  \
    --ignore-case true --negate false --pattern '(https?):\/\/vm\.cloudtrooper\.net\/api\/(.*)$' --variable "http_resp_Location"
# Update HTTP LB rule
default_rule_name=$(az network application-gateway rule list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv) && echo $default_rule_name  # should be something like "rule1"
az network application-gateway rule update -g "$rg" --gateway-name "$appgw_name" -n $default_rule_name --rewrite-rule-set $ruleset_name
# Update SSL LB rule - This only works for non-path-based rules!!!
# az network application-gateway rule update -g "$rg" --gateway-name "$appgw_name" -n sslrule --rewrite-rule-set $ruleset_name
# If using PathBased rules, the urlPathMap needs to be updated too
# Either the default one for the whole path map:
az network application-gateway url-path-map update --gateway-name $appgw_name -g $rg -n sslpathmap --default-rewrite-rule-set $ruleset_name
# Or the individual rule:
az network application-gateway url-path-map rule create --gateway-name $appgw_name -g $rg --path-map-name sslpathmap \
  --name rule01 --paths '/api/*' --address-pool $default_address_pool_name --http-settings sslsettings --rewrite-rule-set $ruleset_name

# Test
curl -i "https://${appgw_fqdn}/healthcheck"

##############
#     WAF    #
##############

# Arguments
#     --match-variables [Required] : Space-separated list of variables to use when matching. Variable
#                                    values: RemoteAddr, RequestMethod, QueryString, PostArgs,
#                                    RequestUri, RequestHeaders, RequestBody, RequestCookies.
#     --operator        [Required] : Operator for matching.  Allowed values: BeginsWith, Contains,
#                                    EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual,
#                                    IPMatch, LessThan, LessThanOrEqual, Regex.
#     --values          [Required] : Space-separated list of values to match.
#     --negate                     : Match the negative of the condition.  Allowed values: false,
#                                    true.
#     --transforms                 : Space-separated list of transforms to apply when matching.
#                                    Allowed values: HtmlEntityDecode, Lowercase, RemoveNulls, Trim,
#                                    UrlDecode, UrlEncode.

# Create policy
waf_policy_name=wafpolicy
az network application-gateway waf-policy create -n $waf_policy_name -g $rg

# Blocking an IP
waf_rule_name=blockip
myip=$(curl -s4 ifconfig.co)
az network application-gateway waf-policy custom-rule create -n $waf_rule_name -g $rg --policy-name $waf_policy_name \
    --action Block --priority 10 --rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add -n $waf_rule_name --policy-name $waf_policy_name -g $rg \
    --negate false --match-variables RemoteAddr --values $myip --operator IPMatch 
# az network application-gateway waf-policy custom-rule delete -n $waf_rule_name -g $rg --policy-name $waf_policy_name

# Blocking a certain UserAgent (Header)
# No support for "selector" (to specify which header) in CLI!!!!!
waf_rule_name=blockuseragent
az network application-gateway waf-policy custom-rule create -n $waf_rule_name -g $rg --policy-name $waf_policy_name \
    --action Block --priority 20 --rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add -n $waf_rule_name --policy-name $waf_policy_name -g $rg \
    --negate false --match-variables RequestHeaders --values "evil" --operator Equal --transforms Lowercase
# az network application-gateway waf-policy custom-rule delete -n $waf_rule_name -g $rg --policy-name $waf_policy_name

# Allowing certain countries (using negate true!)
waf_rule_name=allowcountry
az network application-gateway waf-policy custom-rule create -n $waf_rule_name -g $rg --policy-name $waf_policy_name \
    --action Block --priority 30 --rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add -n $waf_rule_name --policy-name $waf_policy_name -g $rg \
    --negate true --match-variables RemoteAddr --values "de" --operator GeoMatch --transforms Lowercase

# Apply policy to url path map
waf_policy_id=$(az network application-gateway waf-policy show -n $waf_policy_name -g $rg --query id -o tsv) && echo $waf_policy_id
az network application-gateway url-path-map rule create --gateway-name $appgw_name -g $rg --path-map-name sslpathmap \
  --name rule01 --paths '/api/*' --address-pool $default_address_pool_name --http-settings sslsettings --rewrite-rule-set $ruleset_name --waf-policy $waf_policy_id

# Apply policy to the listener
az network application-gateway http-listener update -n ssllistener -g $rg --gateway-name $appgw_name --waf-policy $waf_policy_id

# Apply policy to full AppGW (NOT WORKING!)
az network application-gateway waf-policy update -n $waf_policy_name -g $rg --add applicationGateways id=$appgw_id

# Test
curl -A "evil" "https://appgw.cloudtrooper.net/api/healthcheck"

###############
# Redirection #
###############

# Configure redirection from HTTP:8080 to HTTPS:443
az network application-gateway frontend-port create -n port8080 -g "$rg" --gateway-name "$appgw_name" --port 8080
az network application-gateway http-listener create -n listener8080 -g $rg --gateway-name $appgw_name \
  --frontend-port port8080 --frontend-ip $default_frontend_name --host-name "$appgw_fqdn"
az network application-gateway redirect-config create --gateway-name $appgw_name -g $rg -n 8080to443 --type Permanent \
    --include-path true --include-query-string true --target-listener ssllistener
az network application-gateway rule create --gateway-name $appgw_name -g $rg -n redirect8080 \
    --http-listener listener8080 --rule-type Basic --redirect-config 8080to443

# Test
curl -vvl "http://${appgw_fqdn}:8080/api/healthcheck"

####################
# Update AppGW SKU #
####################

# Upgrade / Downgrade
az network application-gateway update -g $rg -n $appgw_name --sku WAF_v2
az network application-gateway update -g $rg -n $appgw_name --sku Standard_v2  # Downgrade not supported??
ruleset_version=$(az network application-gateway waf-config list-rule-sets --query '[0].ruleSetVersion' -o tsv) && echo $ruleset_version
az network application-gateway waf-config set -g $rg --gateway-name $appgw_name --enabled true --firewall-mode Prevention --rule-set-version $ruleset_version


########################
# Query AzMonitor logs #
########################

# AppGW Log Categories
query='AzureDiagnostics 
| where ResourceType == "APPLICATIONGATEWAYS" 
| distinct Category '
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AppGW Access Logs
myip=$(curl -s4 ifconfig.co)
query_acc='AzureDiagnostics 
| where TimeGenerated >= ago(5m) 
| where ResourceType == "APPLICATIONGATEWAYS" 
| where Category == "ApplicationGatewayAccessLog"
| project timeStamp_t, clientIP_s, clientPort_d, host_s, originalHost_s, originalRequestUriWithArgs_s, serverRouted_s, httpMethod_s, httpStatus_d, ruleName_s, transactionId_g
| where clientIP_s == "'$myip'"
| take 20'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_acc -o tsv
# AppGW WAF Logs
query_waf='AzureDiagnostics 
| where TimeGenerated >= ago(5m) 
| where ResourceType == "APPLICATIONGATEWAYS" 
| where Category == "ApplicationGatewayFirewallLog"
| project timeStamp_t, ruleId_s, ruleSetType_s, clientIp_s, hostname_s, transactionId_g, Message
| take 20'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_waf -o tsv


###############
# Diagnostics #
###############

# Troubleshoot
az network application-gateway list -g $rg -o table
az network application-gateway http-listener list -g $rg --gateway-name $appgw_name -o table
az network application-gateway frontend-ip list -g $rg --gateway-name $appgw_name -o table
az network application-gateway probe list -g $rg --gateway-name $appgw_name -o table
az network application-gateway address-pool list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rule list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n rule1
az network application-gateway rule list -g $rg --gateway-name $appgw_name -o table
default_rule_name=$(az network application-gateway rule list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv) && echo $default_rule_name
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n $default_rule_name
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n sslrule
az network application-gateway url-path-map list -g $rg --gateway-name $appgw_name -o table
az network application-gateway http-settings list -g $rg --gateway-name $appgw_name -o table
az network application-gateway show-backend-health -g $rg --gateway-name $appgw_name -o table
# Rewrite
az network application-gateway rewrite-rule list-request-headers -o table
az network application-gateway rewrite-rule list-response-headers -o table
az network application-gateway rewrite-rule set list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rewrite-rule list -g $rg --gateway-name $appgw_name --rule-set-name $ruleset_name -o table
az network application-gateway rewrite-rule condition list -g $rg --gateway-name $appgw_name --rule-set-name $ruleset_name --rule-name $rule_name -o table
# WAF
az network application-gateway waf-config list-rule-sets -o table
az network application-gateway waf-config show --gateway-name $appgw_name -g $rg
az network application-gateway waf-policy policy-setting list --policy-name $waf_policy_name -g $rg
az network application-gateway waf-policy custom-rule list --policy-name $waf_policy_name -g $rg -o table
az network application-gateway waf-policy custom-rule match-condition list --policy-name $waf_policy_name -g $rg -n blockip
az network application-gateway waf-policy custom-rule match-condition list --policy-name $waf_policy_name -g $rg -n blockuseragent
az network application-gateway waf-policy custom-rule match-condition list --policy-name $waf_policy_name -g $rg -n allowcountry

################
#  Stop/Start  #
################

# Stop
az network application-gateway stop -g $rg -n $appgw_name
az vm deallocate -g $rg -n $vm_name

# Start
az network application-gateway start -g $rg -n $appgw_name
az vm start -g $rg -n $vm_name
# Update DNS?
vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
vm_fqdn=$(create_dns "vm" "$vm_pip_address") && echo $vm_fqdn
appgw_pip=$(az network public-ip show -g $rg -n $appgw_pipname --query ipAddress -o tsv) && echo $appgw_pip
appgw_fqdn=$(create_dns "appgw" "$appgw_pip") && echo $appgw_fqdn


# curl cheatsheet
# url="https://${appgw_fqdn}/api/healthcheck"
# curl -i $url    # Show response headers
# curl -vvl $url  # Show certificate data
# curl -L $url    # Follow redirections
# curl --resolve appgw.cloudtrooper.net:443:1.2.3.4    # Follow redirections

#############
#  Cleanup  #
#############

# az group delete -n $rg -y --no-wait