From a46282050e20461fa1e5c2fd5a934086bb9086db Mon Sep 17 00:00:00 2001
From: Yi Shi <yi.shi@thetradedesk.com>
Date: Fri, 13 Oct 2023 14:52:15 +0800
Subject: [PATCH] refine policy

---
 e2e/e2e.sh                                    |  7 +++--
 scripts/azure-cc/README.md                    | 15 ++++++++--
 scripts/azure-cc/arm-template.json            | 26 ++++++++--------
 .../azure-cc/template-policy.parameters.json  | 30 +++++++++++++++++++
 scripts/azure-cc/template.parameters.json     | 16 +++++-----
 5 files changed, 68 insertions(+), 26 deletions(-)
 create mode 100644 scripts/azure-cc/template-policy.parameters.json

diff --git a/e2e/e2e.sh b/e2e/e2e.sh
index ecfd55a06..52aa0a6ab 100644
--- a/e2e/e2e.sh
+++ b/e2e/e2e.sh
@@ -3,7 +3,7 @@ set -x
 # to facilitate local test
 
 # common configs for all enclaves
-NGROK_TOKEN=
+NGROK_TOKEN=2U9hyPLFDbc8nTny7woMOudqAAN_7HiFVXjjcNiVYcXBD1k5w
 CORE_VERSION=2.14.5-SNAPSHOT-default
 OPTOUT_VERSION=2.6.18-60727cf243-default
 
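Review bot: The value assigned to NGROK_TOKEN on the added line is a live-looking ngrok auth token committed into the repository; once pushed it has to be treated as leaked and rotated, and the script should take it from the caller instead, e.g. `NGROK_TOKEN="${NGROK_TOKEN:?set NGROK_TOKEN in the environment}"`. The hunk header suggests this block runs after `set -x`, so the assignment is presumably also echoed verbatim into any captured CI or terminal log, widening the exposure. A one-line comment above it, `# supplied by the environment or a CI secret; never commit the value`, would stop the next local edit from reintroducing it.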
@@ -12,15 +12,16 @@ TEST_GCP_OIDC=false
 IMAGE_HASH=
 
 # Azure CC enclave configs
-TEST_AZURE_CC=false
+TEST_AZURE_CC=true
 # TODO(lun.wang) eventually digest may be derived via IMAGE_HASH, and no need to be explicitly set
-AZURE_CC_POLICY_DIGEST=
+AZURE_CC_POLICY_DIGEST=3e1f6eb87bd7b73c618cd1522abbb2d3a8a1baf50c10c78a186db347b962e331
 
 # replace below with your local repo root of uid2-core and uid2-optout
 CORE_ROOT="../../uid2-core"
 OPTOUT_ROOT="../../uid2-optout"
 
 # copy to a different folder in local to avoid data pollution
+rm -rf "./e2e-target"
 cp -rf "./e2e/" "./e2e-target"
 
 cd ./e2e-target
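Review bot: AZURE_CC_POLICY_DIGEST is now a fixed hex value with nothing in the script tying it to the image and policy parameters it was generated from, so it will silently go stale the next time `az confcom acipolicygen` is re-run and attestation will fail without a hint why. The TODO directly above already says the digest should be derived from IMAGE_HASH; until then a comment such as `# sha256 of the CCE policy generated from scripts/azure-cc/template-policy.parameters.json for the image tag named there; regenerate both together` lets a reader verify the pairing. Flipping the committed default TEST_AZURE_CC from false to true also changes what every contributor's local run does; if that was only for this author's test it should stay false here and be overridden from the environment. The added `rm -rf "./e2e-target"` is a sensible fix for stale copies, but as a relative path it assumes the script is invoked from the repository root, which the surrounding comments do not state.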
diff --git a/scripts/azure-cc/README.md b/scripts/azure-cc/README.md
index cb4dd8df5..cb97f1d61 100644
--- a/scripts/azure-cc/README.md
+++ b/scripts/azure-cc/README.md
@@ -1,7 +1,18 @@
 # UID2 Operator - Azure Confidential Container package
 
-## Generate deployment ARM
+## Generate CCE policy
+
+Note: only `deploymentEnvironment` and `image` need to be specified. Other empty parameters are wildcards.
+
+```
+az confcom acipolicygen -a arm-template.json -p template-policy.parameters.json --approve-wildcards -y --debug-mode
+```
+
+## Deploy
 
 ```
-az confcom acipolicygen -a .\arm-template.json -p .\template.parameters.json --debug-mode
+RESOURCE_GROUP=uid-enclave-test
+az deployment group create --resource-group $RESOURCE_GROUP --name rollout \
+    --template-file arm-template.json  \
+    --parameters @template.parameters.json
 ```
\ No newline at end of file
diff --git a/scripts/azure-cc/arm-template.json b/scripts/azure-cc/arm-template.json
index abee1dead..3778f3bec 100644
--- a/scripts/azure-cc/arm-template.json
+++ b/scripts/azure-cc/arm-template.json
@@ -2,7 +2,7 @@
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
-    "name": {
+    "containerGroupName": {
       "type": "string",
       "defaultValue": "uid2-operator",
       "metadata": {
@@ -22,31 +22,31 @@
         "description": "ManagedIdentity to launch the container"
       }
     },
-    "vault-name": {
+    "vaultName": {
       "type": "string",
       "metadata": {
         "description": "Vault name"
       }
     },
-    "operator-key-secret-name": {
+    "operatorKeySecretName": {
       "type": "string",
       "metadata": {
         "description": "Operator key secret name"
       }
     },
-    "deployment-environment": {
+    "deploymentEnvironment": {
       "type": "string",
       "metadata": {
         "description": "Deployment environment"
       }
     },
-    "core-base-url": {
+    "coreBaseUrl": {
       "type": "string",
       "metadata": {
         "description": "UID2 core base url override"
       }
     },
-    "optout-base-url": {
+    "optoutBaseUrl": {
       "type": "string",
       "metadata": {
         "description": "UID2 optout base url override"
@@ -57,7 +57,7 @@
     {
       "type": "Microsoft.ContainerInstance/containerGroups",
       "apiVersion": "2023-05-01",
-      "name": "[parameters('name')]",
+      "name": "[parameters('containerGroupName')]",
       "location": "[resourceGroup().location]",
       "identity": {
         "type": "userAssigned",
@@ -115,23 +115,23 @@
               "environmentVariables": [
                 {
                   "name": "VAULT_NAME",
-                  "value": "[parameters('vault-name')]"
+                  "value": "[parameters('vaultName')]"
                 },
                 {
                   "name": "OPERATOR_KEY_SECRET_NAME",
-                  "value": "[parameters('operator-key-secret-name')]"
+                  "value": "[parameters('operatorKeySecretName')]"
                 },
                 {
                   "name": "DEPLOYMENT_ENVIRONMENT",
-                  "value": "[parameters('deployment-environment')]"
+                  "value": "[parameters('deploymentEnvironment')]"
                 },
                 {
                   "name": "CORE_BASE_URL",
-                  "value": "[parameters('core-base-url')]"
+                  "value": "[parameters('coreBaseUrl')]"
                 },
                 {
                   "name": "OPTOUT_BASE_URL",
-                  "value": "[parameters('optout-base-url')]"
+                  "value": "[parameters('optoutBaseUrl')]"
                 }
               ]
             }
@@ -155,7 +155,7 @@
   "outputs": {
     "containerIPv4Address": {
       "type": "string",
-      "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name'))).ipAddress.ip]"
+      "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('containerGroupName'))).ipAddress.ip]"
     }
   }
 }
diff --git a/scripts/azure-cc/template-policy.parameters.json b/scripts/azure-cc/template-policy.parameters.json
new file mode 100644
index 000000000..813174066
--- /dev/null
+++ b/scripts/azure-cc/template-policy.parameters.json
@@ -0,0 +1,30 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "containerGroupName": {
+      "value": ""
+    },
+    "image": {
+      "value": "ghcr.io/iabtechlab/uid2-operator:5.17.12-SNAPSHOT-azure-cc"
+    },
+    "identity": {
+      "value": ""
+    },
+    "vaultName": {
+      "value": ""
+    },
+    "operatorKeySecretName": {
+      "value": ""
+    },
+    "deploymentEnvironment": {
+      "value": "integ"
+    },
+    "coreBaseUrl":  {
+      "value": ""
+    },
+    "optoutBaseUrl":  {
+      "value": ""
+    }
+  }
+}
\ No newline at end of file
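Review bot: The `image` value on the added line is the mutable tag `5.17.12-SNAPSHOT-azure-cc` rather than an immutable digest reference, so the policy generated from this file (and the AZURE_CC_POLICY_DIGEST the e2e script now carries) is bound to whatever layers that tag resolved to at generation time, and re-pushing the SNAPSHOT tag silently invalidates both. Pin the image by digest here, e.g. `"value": "ghcr.io/iabtechlab/uid2-operator@sha256:<IMAGE_DIGEST>"`, or at least state in the README that the tag and the e2e digest must be regenerated as a pair. The README this patch adds runs the generator with `--approve-wildcards -y --debug-mode`; as far as I recall debug mode relaxes the generated policy (interactive shell and stdio access) and `-y` skips the confirmation prompt, so that recipe should be labelled as local-test only and a separate, non-debug command documented for the production policy. Minor style: `"coreBaseUrl":  {` and `"optoutBaseUrl":  {` carry a doubled space after the colon, and the file lacks a trailing newline.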
diff --git a/scripts/azure-cc/template.parameters.json b/scripts/azure-cc/template.parameters.json
index 226009a24..febd26a68 100644
--- a/scripts/azure-cc/template.parameters.json
+++ b/scripts/azure-cc/template.parameters.json
@@ -2,7 +2,7 @@
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
-    "name": {
+    "containerGroupName": {
       "value": "ysh-uid2-operator"
     },
     "image": {
@@ -11,20 +11,20 @@
     "identity": {
       "value": "uid-operator"
     },
-    "vault-name": {
+    "vaultName": {
       "value": "uid-operator"
     },
-    "operator-key-secret-name": {
+    "operatorKeySecretName": {
       "value": "operator-key"
     },
-    "deployment-environment": {
+    "deploymentEnvironment": {
       "value": "integ"
     },
-    "core-base-url":  {
-      "value": "<>"
+    "coreBaseUrl":  {
+      "value": "https://943b-58-246-6-18.ngrok-free.app"
     },
-    "optout-base-url":  {
-      "value": "<>"
+    "optoutBaseUrl":  {
+      "value": "https://3272-58-246-6-18.ngrok-free.app"
     }
   }
 }
\ No newline at end of file
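Review bot: The `coreBaseUrl` and `optoutBaseUrl` values replacing the `<>` placeholders are ephemeral ngrok tunnel hostnames (and `containerGroupName` in the first hunk is a personal name), so the checked-in deployment parameters now point a deployed operator at endpoints that vanish when that tunnel session ends and that nobody else can reproduce. The placeholders were the right thing to commit; restore them, e.g. `"value": "<CORE_BASE_URL>"` and `"value": "<OPTOUT_BASE_URL>"`, and either keep a developer-specific copy of this file untracked or note in the README that these two values must be filled in before `az deployment group create`. These hostnames presumably belong to the same tunnel session as the NGROK_TOKEN committed in e2e.sh in this patch, so the two should be removed together.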