Github actions

.github/actions/setup-terraform/action.yml

@@ -0,0 +1,18 @@
+name: "Setup Terraform"
+description: "Sets up Terraform and initializes the configuration"
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.8.3
+        terraform_wrapper: false
+
+    - name: Configure provider
+      run: cp .github/provider.tf .
+      shell: bash
+
+    - name: Terraform init
+      run: terraform init
+      shell: bash

.github/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "azure-blob"
+    storage_account_name = "azureblobrubygemdev"
+    container_name       = "terraform"
+    key                  = "terraform.tfstate"
+  }
+}

.github/workflows/teardown.yml

@@ -0,0 +1,43 @@
+name: Teardown
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+env:
+  ARM_SKIP_PROVIDER_REGISTRATION: true
+  ARM_USE_OIDC: true
+  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+
+jobs:
+  teardown-infrastructure:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Terraform apply
+        run: terraform apply -auto-approve
+
+  clean_storage_containers:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Tests
+        env:
+          AZURE_ACCOUNT_NAME: ${{secrets.AZURE_ACCOUNT_NAME}}
+          AZURE_ACCESS_KEY: ${{secrets.AZURE_ACCESS_KEY}}
+          AZURE_PRIVATE_CONTAINER: ${{secrets.AZURE_PRIVATE_CONTAINER}}
+          AZURE_PUBLIC_CONTAINER: ${{secrets.AZURE_PUBLIC_CONTAINER}}
+          AZURE_PRINCIPAL_ID: ${{secrets.AZURE_PRINCIPAL_ID}}
+        run: bundle exec rake flush_test_container

.github/workflows/test.yml

@@ -0,0 +1,104 @@
+name: Run tests
+
+on:
+  pull_request:
+  push:
+
+permissions:
+  id-token: write
+  contents: read
+env:
+  ARM_SKIP_PROVIDER_REGISTRATION: true
+  ARM_USE_OIDC: true
+  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+
+jobs:
+  deploy-infrastructure:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Terraform apply
+        run: terraform apply -auto-approve -var "create_vm=true" -var "create_app_service=true" -var "ssh_key=${{ secrets.SSH_PUBLIC_KEY }}"
+
+  app_service_test:
+    needs: deploy-infrastructure
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get install -y libvips sshuttle
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Tests
+        env:
+          AZURE_ACCOUNT_NAME: ${{secrets.AZURE_ACCOUNT_NAME}}
+          AZURE_ACCESS_KEY: ${{secrets.AZURE_ACCESS_KEY}}
+          AZURE_PRIVATE_CONTAINER: ${{secrets.AZURE_PRIVATE_CONTAINER}}
+          AZURE_PUBLIC_CONTAINER: ${{secrets.AZURE_PUBLIC_CONTAINER}}
+          AZURE_PRINCIPAL_ID: ${{secrets.AZURE_PRINCIPAL_ID}}
+        run: bundle exec rake test_app_service
+
+  azurevm_test:
+    needs: deploy-infrastructure
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get install -y libvips sshuttle
+      - name: SSH key
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: |
+          mkdir -p /home/runner/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > /home/runner/.ssh/id_rsa
+          chmod 600 /home/runner/.ssh/id_rsa
+          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
+          ssh-add /home/runner/.ssh/id_rsa
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Tests
+        env:
+          AZURE_ACCOUNT_NAME: ${{secrets.AZURE_ACCOUNT_NAME}}
+          AZURE_ACCESS_KEY: ${{secrets.AZURE_ACCESS_KEY}}
+          AZURE_PRIVATE_CONTAINER: ${{secrets.AZURE_PRIVATE_CONTAINER}}
+          AZURE_PUBLIC_CONTAINER: ${{secrets.AZURE_PUBLIC_CONTAINER}}
+          AZURE_PRINCIPAL_ID: ${{secrets.AZURE_PRINCIPAL_ID}}
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: bundle exec rake test_azure_vm
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get install -y libvips
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Tests
+        env:
+          AZURE_ACCOUNT_NAME: ${{secrets.AZURE_ACCOUNT_NAME}}
+          AZURE_ACCESS_KEY: ${{secrets.AZURE_ACCESS_KEY}}
+          AZURE_PRIVATE_CONTAINER: ${{secrets.AZURE_PRIVATE_CONTAINER}}
+          AZURE_PUBLIC_CONTAINER: ${{secrets.AZURE_PUBLIC_CONTAINER}}
+          AZURE_PRINCIPAL_ID: ${{secrets.AZURE_PRINCIPAL_ID}}
+        run: bundle exec rake test

.gitignore

@@ -24,6 +24,7 @@ terraform.tfstate
 terraform.tfstate.backup
 .terraform.tfstate.lock.info
 *.tfvars
+provider.tf
 
 __azurite_db*
 __blobstorage__/

.ruby-version

@@ -0,0 +1 @@
+3.1.6

bin/proxy-vps

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+exec sshuttle -e "ssh -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" -r "$(terraform output --raw vm_username)@$(terraform output --raw vm_ip)" 0/0

bin/start-app-service-ssh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+resource_group=$(terraform output --raw "resource_group")
+app_name=$(terraform output --raw "app_service_app_name")
+exec az webapp create-remote-connection --resource-group $resource_group --name $app_name

devenv.nix

@@ -24,14 +24,4 @@
   scripts.generate-env-file.exec = ''
     terraform output -raw devenv_local_nix > devenv.local.nix
   '';
-
-  scripts.proxy-vps.exec = ''
-    exec sshuttle -e "ssh -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" -r "$(terraform output --raw vm_username)@$(terraform output --raw vm_ip)" 0/0
-  '';
-
-  scripts.start-app-service-ssh.exec = ''
-      resource_group=$(terraform output --raw "resource_group")
-      app_name=$(terraform output --raw "app_service_app_name")
-      exec az webapp create-remote-connection --resource-group $resource_group --name $app_name
-  '';
 }

test/support/app_service_vpn.rb

@@ -7,7 +7,7 @@ class AppServiceVpn
 
   attr_reader :header, :endpoint
 
-  def initialize(verbose: false)
+  def initialize(verbose: true)
     @verbose = verbose
     establish_vpn_connection
   end
@@ -25,7 +25,7 @@ def establish_vpn_connection
 
     puts "Establishing VPN connection..."
 
-    tunnel_stdin, tunnel_stdout, @tunnel_wait_thread = Open3.popen2e([ "sshuttle", "-e", "ssh -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null", "-r", "#{username}:#{password}@#{HOST}:#{port}", "0/0" ].shelljoin)
+    tunnel_stdin, tunnel_stdout, @tunnel_wait_thread = Open3.popen2e([ "sshuttle", "-e", "ssh -o PubkeyAuthentication=no -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null", "-r", "#{username}:#{password}@#{HOST}:#{port}", "0/0" ].shelljoin)
 
     connection_successful = false
     tunnel_stdout.each do |line|
@@ -42,7 +42,7 @@ def establish_vpn_connection
 
   def establish_app_service_tunnel
     puts "Establishing tunnel connection to app service..."
-    connection_stdin, connection_stdout, @connection_wait_thread = Open3.popen2e("start-app-service-ssh")
+    connection_stdin, connection_stdout, @connection_wait_thread = Open3.popen2e("bin/start-app-service-ssh")
 
     port = nil
     username = nil
@@ -74,7 +74,7 @@ def extract_msi_info
     puts "Extracting MSI endpoint info..."
     endpoint = nil
     header = nil
-    Net::SSH.start(HOST, username, password:, port:) do |ssh|
+    Net::SSH.start(HOST, username, password:, port:, encryption: 'aes256-ctr', hmac: 'hmac-sha1-96', auth_methods: ['password']) do |ssh|
       endpoint = ssh.exec! [ "bash", "-l", "-c", %(printf "%s" "$IDENTITY_ENDPOINT") ].shelljoin
       header = ssh.exec! [ "bash", "-l", "-c", %(printf "%s" "$IDENTITY_HEADER") ].shelljoin
     end

test/support/azure_vm_vpn.rb

@@ -4,8 +4,9 @@
 class AzureVmVpn
   def initialize(verbose: false)
     @verbose = verbose
-    stdin, stdout, @wait_thread = Open3.popen2e("proxy-vps")
+    stdin, stdout, @wait_thread = Open3.popen2e("bin/proxy-vps")
     stdout.each do |line|
+      puts line if @verbose
       break if line.include?("Connected to server")
     end
   end