[HORIZONDB] az horizondb create/update/firewall-rule: Add public access support#10066
Open
petarperin-mdcs wants to merge 1 commit into
…cess support
Add a `--public-access` argument to `az horizondb create` and `az horizondb update`,
and a new `az horizondb firewall-rule` command group, mirroring the Azure CLI
PostgreSQL Flexible Server pattern.
HorizonDB firewall rules are pool-scoped and target the seeded default pool
("DefaultPool"). Because `network.publicNetworkAccess` is service-computed
(read-only), public access is managed via firewall rules:
- create `--public-access` accepts Enabled/Disabled/All/None/<ip>/<ip>-<ip>.
Supplying an IP/range or `All` auto-creates a firewall rule once the cluster
exists; `Enabled` detects the caller IP (with prompt); omitting the argument
preserves existing behavior (no rule).
- update `--public-access` accepts Enabled/Disabled.
- `az horizondb firewall-rule create/show/list/update/delete` manage rules
directly.
Includes unit tests for validators, public-access parsing/resolution, and rule
building, plus a live-only end-to-end scenario test.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | horizondb create | cmd horizondb create added parameter public_access | |
| | horizondb create | cmd horizondb create added parameter yes | |
| | horizondb firewall-rule | sub group horizondb firewall-rule added | |
| | horizondb update | cmd horizondb update added parameter public_access | |
| | horizondb update | cmd horizondb update added parameter yes | |
Pull request overview
This PR expands the horizondb Azure CLI extension to support configuring cluster public access via pool-scoped firewall rules, aligning the UX with patterns used by other Azure database CLIs.
Changes:
- Adds `--public-access` to `az horizondb create` and `az horizondb update`, including client-IP auto-detection for `Enabled`.
- Introduces a new `az horizondb firewall-rule` command group (create/show/list/update/delete) targeting the seeded `DefaultPool`.
- Adds unit tests for parsing/validation and a live-only scenario test for end-to-end firewall rule lifecycle.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/horizondb/setup.py | Bumps extension version to 1.0.0b5. |
| src/horizondb/HISTORY.rst | Documents the new public access + firewall-rule capabilities. |
| src/horizondb/azext_horizondb/utils/validators.py | Adds validators/helpers for --public-access and firewall-rule IP args. |
| src/horizondb/azext_horizondb/utils/_network.py | Adds parsing + client-IP detection logic for --public-access Enabled. |
| src/horizondb/azext_horizondb/commands/firewall_rule_commands.py | Implements firewall-rule CRUD operations and rule model building. |
| src/horizondb/azext_horizondb/commands/custom_commands.py | Wires create/update flows to optionally create firewall rules from --public-access. |
| src/horizondb/azext_horizondb/cluster_commands.py | Registers the horizondb firewall-rule command group and client factory usage. |
| src/horizondb/azext_horizondb/_params.py | Defines new arguments for --public-access and firewall-rule subcommands. |
| src/horizondb/azext_horizondb/_help.py | Adds help/examples for public-access and firewall-rule commands. |
| src/horizondb/azext_horizondb/_client_factory.py | Adds cf_horizondb_firewall_rules factory for firewall-rule operations. |
| src/horizondb/azext_horizondb/tests/latest/test_horizondb_firewall_rule.py | Adds unit tests for validators/parsing and firewall-rule command helpers. |
| src/horizondb/azext_horizondb/tests/latest/test_horizondb_firewall_rule_scenario.py | Adds a live-only scenario test covering create-with-public-access and rule lifecycle. |
Comment on lines
+146
to
+151
| if public_access is not None: | ||
| _apply_public_access(cmd, resource_group_name, cluster_name, public_access, yes) | ||
|
|
||
| return sdk_no_wait(no_wait, client.begin_update, | ||
| resource_group_name=resource_group_name, | ||
| cluster_name=cluster_name, | ||
| properties=properties) | ||
| if update_result is not None: | ||
| return update_result | ||
| return client.get(resource_group_name=resource_group_name, cluster_name=cluster_name) |
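Review bot: `_apply_public_access(...)` at the top of this hunk runs before `client.begin_update` is issued, so a firewall rule can be created even if the cluster update then fails or is still in flight under `no_wait`. Consider applying the rule only after the update has succeeded, or documenting the ordering. Also, as rendered here the `if update_result is not None:` lines follow an unconditional `return sdk_no_wait(...)`, and `update_result` is not assigned in the lines shown; if both parts are meant to stay, the `return` needs to become an assignment to `update_result`.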
Comment on lines
+90
to
+94
| if val == 'disabled': | ||
| logger.warning("HorizonDB public network access is managed through firewall rules. To remove " | ||
| "public access, delete rules with 'az horizondb firewall-rule delete' " | ||
| "(list them with 'az horizondb firewall-rule list').") | ||
| return |
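Review bot: the `val == 'disabled'` branch only calls `logger.warning(...)` and returns, so `--public-access Disabled` exits successfully while every existing firewall rule stays in place. A user or script can read the clean exit as "the cluster is now closed"; consider raising a CLI error instead of a warning, or listing the current rules and deleting them after confirmation, so the command either does what its name says or fails visibly.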
Comment on lines
+19
to
+20
| now = datetime.now() | ||
| suffix = '{}-{}-{}_{}-{}-{}'.format(now.year, now.month, now.day, now.hour, now.minute, now.second) |
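Review bot: the `suffix` built from `datetime.now()` has one-second resolution, no zero padding and uses local time, so two suffixes generated in the same second are identical and the values neither sort nor compare across machines. Consider `datetime.now(timezone.utc).strftime('%Y-%m-%d_%H-%M-%S')` and, if uniqueness matters, a short random component appended to it.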
Collaborator
HORIZONDB
Contributor
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
Related command
`az horizondb create --public-access`, `az horizondb update --public-access`, `az horizondb firewall-rule create/show/list/update/delete`

Description
Expands the `horizondb` extension to support configuring public access on a cluster, mirroring the Azure CLI PostgreSQL Flexible Server pattern.
- `--public-access` to `az horizondb create` (accepts `Enabled`/`Disabled`/`All`/`None`/`<ip>`/`<startIp>-<endIp>`). Supplying an IP/range or `All` automatically creates a firewall rule once the cluster exists; `Enabled` detects the caller's client IP (via an IP echo service) and prompts before allowing it. Omitting the argument preserves today's behavior (no firewall rule, no prompt).
- `--public-access` to `az horizondb update` (`Enabled`/`Disabled`).
- `az horizondb firewall-rule` command group: `create`, `show`, `list`, `update`, `delete`.

Design notes
- `.../clusters/{cluster}/pools/{pool}/firewallRules/{name}`). The CLI targets the seeded default pool (`DefaultPool`).
- `network.publicNetworkAccess` is service-computed (read-only in the spec/SDK), so public access is managed via firewall rules rather than by setting a flag.
- `horizon_db_firewall_rules` operations and `HorizonDbFirewallRule` models were already present.
- `--cluster-name/-c` for the cluster and `--name/-n` for the firewall rule, consistent with prior HorizonDB child-command conventions; `firewall-rule list` does not expose `--ids`.

Testing
- `test_horizondb_firewall_rule.py`).
- `test_horizondb_firewall_rule_scenario.py`) covering create-with-public-access plus the full firewall-rule lifecycle; skipped in playback until a recording is captured.
- `azdev style`, `azdev linter --min-severity medium`, `compileall`, `test_index.py`, and the existing scenario suite all pass locally.

Note for reviewers: because `publicNetworkAccess` is read-only, `update --public-access Disabled` currently emits guidance toward the `firewall-rule` commands rather than toggling a flag. Happy to adjust the update semantics if the RP will accept `publicNetworkAccess` on PATCH.

General Guidelines
- `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- `python scripts/ci/test_index.py -q` locally?

About Extension Publish
- `setup.py` version bumped to `1.0.0b5` and `HISTORY.rst` updated. `src/index.json` is intentionally not modified.
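The `--public-access` value grammar described above (`Enabled`/`Disabled`/`All`/`None`/`<ip>`/`<startIp>-<endIp>`), sketched as an added example that is not code from this PR or the extension. The function names, the `detect_client_ip` callable, the full-range mapping for `All`, and treating `Disabled`/`None` as "no rule" are assumptions made for illustration.

```python
import ipaddress

# Assumption (not stated in the PR): 'All' maps to the whole IPv4 space.
ALL_RANGE = ("0.0.0.0", "255.255.255.255")


def parse_public_access(value, detect_client_ip=None):
    """Return (start_ip, end_ip) for a firewall rule, or None for no rule.

    detect_client_ip is a hypothetical callable standing in for the PR's
    client-IP detection; it is only invoked for 'Enabled'.
    """
    if value is None:
        return None  # argument omitted: no rule, as the PR describes
    text = value.strip()
    keyword = text.lower()
    if keyword in ("disabled", "none"):
        return None  # assumption: neither keyword creates a rule
    if keyword == "all":
        return ALL_RANGE
    if keyword == "enabled":
        if detect_client_ip is None:
            raise ValueError("'Enabled' needs a client-IP detector")
        text = detect_client_ip()  # detected value is validated below too
    start_text, sep, end_text = text.partition("-")
    try:
        start = ipaddress.IPv4Address(start_text.strip())
        end = ipaddress.IPv4Address(end_text.strip()) if sep else start
    except ipaddress.AddressValueError as exc:
        raise ValueError("invalid --public-access value: {!r}".format(value)) from exc
    if end < start:
        # A reversed range is rejected here rather than sent to the service.
        raise ValueError("range end {} is below range start {}".format(end, start))
    return str(start), str(end)


def range_size(rule):
    """Number of addresses a (start_ip, end_ip) pair admits, e.g. to decide
    whether to warn or prompt before creating a very wide rule."""
    start, end = (int(ipaddress.IPv4Address(ip)) for ip in rule)
    return end - start + 1
```
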