[App Service] az appservice ase create: Command changes for ASE v3 GA (#18748)

* ga changes - draft

* exclude missing v3 apis

* remove debug line

* Add zone support

* Add test for zone redundancy

* Update help

Author: madsd

src/azure-cli/azure/cli/command_modules/appservice/_help.py

@@ -2175,7 +2175,7 @@
 
 helps['appservice ase'] = """
 type: group
-short-summary: Manage App Service Environments v2
+short-summary: Manage App Service Environments
 """
 
 helps['appservice ase list'] = """
@@ -2198,7 +2198,7 @@
 
 helps['appservice ase list-addresses'] = """
     type: command
-    short-summary: List VIPs associated with an app service environment.
+    short-summary: List VIPs associated with an app service environment v2.
     examples:
     - name: List VIPs for an app service environments.
       text: az appservice ase list-addresses --name MyAseName
@@ -2228,8 +2228,7 @@
     - name: Create External app service environments v2 with large front-ends and scale factor of 10 in existing resource group and vNet.
       text: |
           az appservice ase create -n MyAseName -g MyResourceGroup --vnet-name MyVirtualNetwork \\
-            --subnet MyAseSubnet --front-end-sku I3 --front-end-scale-factor 10 \\
-            --virtual-ip-type External
+            --subnet MyAseSubnet --front-end-sku I3 --front-end-scale-factor 10 --virtual-ip-type External
     - name: Create vNet and app service environment v2, but do not create network security group and route table in existing resource group.
       text: |
           az network vnet create -g MyResourceGroup -n MyVirtualNetwork \\
@@ -2249,33 +2248,31 @@
           az group create -g ASEv3ResourceGroup --location westeurope
 
           az network vnet create -g ASEv3ResourceGroup -n MyASEv3VirtualNetwork \\
-            --address-prefixes 10.0.0.0/16 --subnet-name Inbound --subnet-prefixes 10.0.0.0/24
-
-          az network vnet subnet create -g ASEv3ResourceGroup --vnet-name MyASEv3VirtualNetwork \\
-            --name Outbound --address-prefixes 10.0.1.0/24
+            --address-prefixes 10.0.0.0/16 --subnet-name MyASEv3Subnet --subnet-prefixes 10.0.0.0/24
 
           az appservice ase create -n MyASEv3Name -g ASEv3ResourceGroup \\
-            --vnet-name MyASEv3VirtualNetwork --subnet Outbound --kind asev3
+            --vnet-name MyASEv3VirtualNetwork --subnet MyASEv3Subnet --kind asev3
+    - name: Create External zone redundant app service environment v3 with default values.
+      text: |
+          az appservice ase create -n MyASEv3Name -g ASEv3ResourceGroup \\
+            --vnet-name MyASEv3VirtualNetwork --subnet MyASEv3Subnet --kind asev3 \\
+            --zone-redundant --virtual-ip-type External
 """
 
 helps['appservice ase create-inbound-services'] = """
     type: command
-    short-summary: Create the inbound services needed in preview for ASEv3 (private endpoint and DNS) or Private DNS Zone for Internal ASEv2.
+    short-summary: Private DNS Zone for Internal ASEv2.
     examples:
-    - name: Create private endpoint, Private DNS Zone, A records and ensure subnet network policy.
+    - name: Create Private DNS Zone and A records.
       text: |
           az appservice ase create-inbound-services -n MyASEName -g ASEResourceGroup \\
             --vnet-name MyASEVirtualNetwork --subnet MyAseSubnet
-    - name: Create private endpoint and ensure subnet network policy (ASEv3), but do not create DNS Zone and records.
-      text: |
-          az appservice ase create-inbound-services -n MyASEv3Name -g ASEv3ResourceGroup \\
-            --vnet-name MyASEv3VirtualNetwork --subnet Inbound --skip-dns
 """
 
 
 helps['appservice ase update'] = """
     type: command
-    short-summary: Update app service environment.
+    short-summary: Update app service environment v2.
     examples:
     - name: Update app service environment with medium front-ends and scale factor of 10.
       text: |

src/azure-cli/azure/cli/command_modules/appservice/_params.py

@@ -914,19 +914,21 @@ def load_arguments(self, _):
         c.argument('ignore_subnet_size_validation', arg_type=get_three_state_flag(),
                    help='Do not check if subnet is sized according to recommendations.')
         c.argument('ignore_route_table', arg_type=get_three_state_flag(),
-                   help='Configure route table manually.')
+                   help='Configure route table manually. Applies to ASEv2 only.')
         c.argument('ignore_network_security_group', arg_type=get_three_state_flag(),
-                   help='Configure network security group manually.')
+                   help='Configure network security group manually. Applies to ASEv2 only.')
         c.argument('force_route_table', arg_type=get_three_state_flag(),
-                   help='Override route table for subnet')
+                   help='Override route table for subnet. Applies to ASEv2 only.')
         c.argument('force_network_security_group', arg_type=get_three_state_flag(),
-                   help='Override network security group for subnet')
+                   help='Override network security group for subnet. Applies to ASEv2 only.')
         c.argument('front_end_scale_factor', type=int, validator=validate_front_end_scale_factor,
-                   help='Scale of front ends to app service plan instance ratio.', default=15)
+                   help='Scale of front ends to app service plan instance ratio. Applies to ASEv2 only.', default=15)
         c.argument('front_end_sku', arg_type=isolated_sku_arg_type, default='I1',
-                   help='Size of front end servers.')
+                   help='Size of front end servers. Applies to ASEv2 only.')
         c.argument('os_preference', arg_type=get_enum_type(ASE_OS_PREFERENCE_TYPES),
                    help='Determine if app service environment should start with Linux workers. Applies to ASEv2 only.')
+        c.argument('zone_redundant', arg_type=get_three_state_flag(),
+                   help='Configure App Service Environment as Zone Redundant. Applies to ASEv3 only.')
     with self.argument_context('appservice ase delete') as c:
         c.argument('name', options_list=['--name', '-n'], help='Name of the app service environment')
     with self.argument_context('appservice ase update') as c:

src/azure-cli/azure/cli/command_modules/appservice/appservice_environment.py

@@ -10,8 +10,7 @@
 from azure.mgmt.privatedns import PrivateDnsManagementClient
 
 # Models
-from azure.mgmt.network.models import (RouteTable, Route, NetworkSecurityGroup, SecurityRule, Delegation,
-                                       PrivateEndpoint, Subnet, PrivateLinkServiceConnection)
+from azure.mgmt.network.models import (RouteTable, Route, NetworkSecurityGroup, SecurityRule, Delegation)
 from azure.mgmt.resource.resources.models import (DeploymentProperties, Deployment, SubResource)
 from azure.mgmt.privatedns.models import (PrivateZone, VirtualNetworkLink, RecordSet, ARecord)
 
@@ -50,7 +49,7 @@ def create_appserviceenvironment_arm(cmd, resource_group_name, name, subnet, kin
                                      ignore_network_security_group=False, virtual_ip_type='Internal',
                                      front_end_scale_factor=None, front_end_sku=None, force_route_table=False,
                                      force_network_security_group=False, ignore_subnet_size_validation=False,
-                                     location=None, no_wait=False, os_preference=None):
+                                     location=None, no_wait=False, os_preference=None, zone_redundant=None):
     # The current SDK has a couple of challenges creating ASE. The current swagger version used,
     # did not have 201 as valid response code, and thus will fail with polling operations.
     # The Load Balancer Type is an Enum Flag, that is expressed as a simple string enum in swagger,
@@ -79,7 +78,9 @@ def create_appserviceenvironment_arm(cmd, resource_group_name, name, subnet, kin
     elif kind == 'ASEv3':
         _ensure_subnet_delegation(cmd.cli_ctx, subnet_id, 'Microsoft.Web/hostingEnvironments')
         ase_deployment_properties = _build_ase_deployment_properties(name=name, location=location,
-                                                                     subnet_id=subnet_id, kind='ASEv3')
+                                                                     subnet_id=subnet_id, kind='ASEv3',
+                                                                     virtual_ip_type=virtual_ip_type,
+                                                                     zone_redundant=zone_redundant)
     logger.info('Create App Service Environment...')
     deployment_client = _get_resource_client_factory(cmd.cli_ctx).deployments
     return sdk_no_wait(no_wait, deployment_client.begin_create_or_update,
@@ -122,8 +123,8 @@ def list_appserviceenvironment_addresses(cmd, name, resource_group_name=None):
         resource_group_name = _get_resource_group_name_from_ase(ase_client, name)
     ase = ase_client.get(resource_group_name, name)
     if ase.kind.lower() == 'asev3':
-        raise CommandNotFoundError('list-addresses is currently not supported for ASEv3. '
-                                   'Inbound IP is associated with the private endpoint.')
+        # return ase_client.get_ase_v3_networking_configuration(resource_group_name, name) # pending SDK update
+        raise CommandNotFoundError('list-addresses is currently not supported for ASEv3.')
     return ase_client.get_vip_info(resource_group_name, name)
 
 
@@ -140,34 +141,23 @@ def create_ase_inbound_services(cmd, resource_group_name, name, subnet, vnet_nam
     if not ase:
         raise ResourceNotFoundError("App Service Environment '{}' not found.".format(name))
 
+    if ase.internal_load_balancing_mode == 'None':
+        raise ValidationError('Private DNS Zone is not relevant for External ASE.')
+
+    if ase.kind.lower() == 'asev3':
+        # pending SDK update (ase_client.get_ase_v3_networking_configuration(resource_group_name, name))
+        raise CommandNotFoundError('create-inbound-services is currently not supported for ASEv3.')
+
+    ase_vip_info = ase_client.get_vip_info(resource_group_name, name)
+    inbound_ip_address = ase_vip_info.internal_ip_address
     inbound_subnet_id = _validate_subnet_id(cmd.cli_ctx, subnet, vnet_name, resource_group_name)
     inbound_vnet_id = _get_vnet_id_from_subnet(cmd.cli_ctx, inbound_subnet_id)
-    if ase.kind.lower() == 'asev3':
-        _ensure_subnet_private_endpoint_network_policy(cmd.cli_ctx, inbound_subnet_id, False)
-        network_client = _get_network_client_factory(cmd.cli_ctx)
-        pls_connection = PrivateLinkServiceConnection(private_link_service_id=ase.id,
-                                                      group_ids=['hostingEnvironments'],
-                                                      request_message='Link from CLI',
-                                                      name='{}-private-connection'.format(name))
-        private_endpoint = PrivateEndpoint(location=ase.location, tags=None, subnet=Subnet(id=inbound_subnet_id))
-        private_endpoint.private_link_service_connections = [pls_connection]
-        poller = network_client.private_endpoints.begin_create_or_update(resource_group_name,
-                                                                         '{}-private-endpoint'.format(name),
-                                                                         private_endpoint)
-        LongRunningOperation(cmd.cli_ctx)(poller)
-        ase_pe = poller.result()
-        nic_name = parse_resource_id(ase_pe.network_interfaces[0].id)['name']
-        nic = network_client.network_interfaces.get(resource_group_name, nic_name)
-        inbound_ip_address = nic.ip_configurations[0].private_ip_address
-    elif ase.kind.lower() == 'asev2':
-        if ase.internal_load_balancing_mode == 0:
-            raise ValidationError('Private DNS Zone is not relevant for External ASEv2.')
-        ase_vip_info = ase_client.get_vip_info(resource_group_name, name)
-        inbound_ip_address = ase_vip_info.internal_ip_address
 
     if not skip_dns:
         _ensure_ase_private_dns_zone(cmd.cli_ctx, resource_group_name=resource_group_name, name=name,
                                      inbound_vnet_id=inbound_vnet_id, inbound_ip_address=inbound_ip_address)
+    else:
+        logger.warning('Parameter --skip-dns is deprecated.')
 
 
 def _get_ase_client_factory(cli_ctx, api_version=None):
@@ -288,29 +278,6 @@ def _validate_subnet_size(cli_ctx, subnet_id):
         raise validation_error
 
 
-def _ensure_subnet_private_endpoint_network_policy(cli_ctx, subnet_id, network_policy_enabled):
-    network_client = _get_network_client_factory(cli_ctx)
-    subnet_id_parts = parse_resource_id(subnet_id)
-    vnet_resource_group = subnet_id_parts['resource_group']
-    vnet_name = subnet_id_parts['name']
-    subnet_name = subnet_id_parts['resource_name']
-    subnet_obj = network_client.subnets.get(vnet_resource_group, vnet_name, subnet_name)
-    target_state = 'Enabled' if network_policy_enabled else 'Disabled'
-
-    if subnet_obj.private_endpoint_network_policies != target_state:
-        subnet_obj.private_endpoint_network_policies = target_state
-        try:
-            poller = network_client.subnets.begin_create_or_update(
-                vnet_resource_group, vnet_name, subnet_name, subnet_parameters=subnet_obj)
-            LongRunningOperation(cli_ctx)(poller)
-        except Exception:
-            err_msg = 'Subnet must have Private Endpoint Network Policy {}.'.format(target_state)
-            rec_msg = 'Use: az network vnet subnet update --disable-private-endpoint-network-policies'
-            validation_error = ValidationError(err_msg)
-            validation_error.set_recommendation(rec_msg)
-            raise validation_error
-
-
 def _ensure_subnet_delegation(cli_ctx, subnet_id, delegation_service_name):
     network_client = _get_network_client_factory(cli_ctx)
     subnet_id_parts = parse_resource_id(subnet_id)
@@ -441,7 +408,7 @@ def _get_unique_deployment_name(prefix):
 
 def _build_ase_deployment_properties(name, location, subnet_id, virtual_ip_type=None,
                                      front_end_scale_factor=None, front_end_sku=None, tags=None,
-                                     kind='ASEv2', os_preference=None):
+                                     kind='ASEv2', os_preference=None, zone_redundant=None):
     # InternalLoadBalancingMode Enum: None 0, Web 1, Publishing 2.
     # External: 0 (None), Internal: 3 (Web + Publishing)
     ilb_mode = 3 if virtual_ip_type == 'Internal' else 0
@@ -460,6 +427,8 @@ def _build_ase_deployment_properties(name, location, subnet_id, virtual_ip_type=
         ase_properties['multiSize'] = worker_sku
     if os_preference:
         ase_properties['osPreference'] = os_preference
+    if zone_redundant:
+        ase_properties['zoneRedundant'] = zone_redundant
 
     ase_resource = {
         'name': name,
@@ -555,15 +524,15 @@ def _ensure_ase_private_dns_zone(cli_ctx, resource_group_name, name, inbound_vne
     private_dns_client = _get_private_dns_client_factory(cli_ctx)
     zone_name = '{}.appserviceenvironment.net'.format(name)
     zone = PrivateZone(location='global', tags=None)
-    poller = private_dns_client.private_zones.create_or_update(resource_group_name, zone_name, zone)
+    poller = private_dns_client.private_zones.begin_create_or_update(resource_group_name, zone_name, zone)
     LongRunningOperation(cli_ctx)(poller)
 
     link_name = '{}_link'.format(name)
     link = VirtualNetworkLink(location='global', tags=None)
     link.virtual_network = SubResource(id=inbound_vnet_id)
     link.registration_enabled = False
-    private_dns_client.virtual_network_links.create_or_update(resource_group_name, zone_name,
-                                                              link_name, link, if_none_match='*')
+    private_dns_client.virtual_network_links.begin_create_or_update(resource_group_name, zone_name,
+                                                                    link_name, link, if_none_match='*')
     ase_record = ARecord(ipv4_address=inbound_ip_address)
     record_set = RecordSet(ttl=3600)
     record_set.a_records = [ase_record]

src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_app_service_environment_commands_thru_mock.py

@@ -218,6 +218,43 @@ def test_app_service_environment_v3_create(self, ase_client_factory_mock, networ
         self.assertEqual(call_args[0][0], rg_name)
         self.assertEqual(call_args[0][1], deployment_name)
 
+    @mock.patch('azure.cli.command_modules.appservice.appservice_environment._get_unique_deployment_name', autospec=True)
+    @mock.patch('azure.cli.command_modules.appservice.appservice_environment._get_resource_client_factory', autospec=True)
+    @mock.patch('azure.cli.command_modules.appservice.appservice_environment._get_network_client_factory', autospec=True)
+    @mock.patch('azure.cli.command_modules.appservice.appservice_environment._get_ase_client_factory', autospec=True)
+    def test_app_service_environment_v3_zone_create(self, ase_client_factory_mock, network_client_factory_mock,
+                                               resource_client_factory_mock, deployment_name_mock):
+        ase_name = 'mock_ase_name'
+        rg_name = 'mock_rg_name'
+        vnet_name = 'mock_vnet_name'
+        subnet_name = 'mock_subnet_name'
+        deployment_name = 'mock_deployment_name'
+
+        ase_client = mock.MagicMock()
+        ase_client_factory_mock.return_value = ase_client
+
+        resource_client_mock = mock.MagicMock()
+        resource_client_factory_mock.return_value = resource_client_mock
+
+        deployment_name_mock.return_value = deployment_name
+
+        network_client = mock.MagicMock()
+        network_client_factory_mock.return_value = network_client
+
+        subnet = Subnet(id=1, address_prefix='10.10.10.10/24')
+        hosting_delegation = Delegation(id=1, service_name='Microsoft.Web/hostingEnvironments')
+        subnet.delegations = [hosting_delegation]
+        network_client.subnets.get.return_value = subnet
+        create_appserviceenvironment_arm(self.mock_cmd, resource_group_name=rg_name, name=ase_name,
+                                         subnet=subnet_name, vnet_name=vnet_name, kind='ASEv3',
+                                         location='westeurope', zone_redundant=True)
+
+        # Assert begin_create_or_update is called with correct rg and deployment name
+        resource_client_mock.deployments.begin_create_or_update.assert_called_once()
+        call_args = resource_client_mock.deployments.begin_create_or_update.call_args
+        self.assertEqual(call_args[0][0], rg_name)
+        self.assertEqual(call_args[0][1], deployment_name)
+
 
 if __name__ == '__main__':
     unittest.main()