modules/VMPublicIPConfigMigration/VMPublicIPConfigMigration.psm1

Import-Module ((Split-Path $PSScriptRoot -Parent) + "/Log/Log.psd1")

Function UpgradeVMPublicIP {
    param (
        [Parameter(Mandatory = $True)][Microsoft.Azure.Commands.Network.Models.PSLoadBalancer] $BasicLoadBalancer
    )

    log -Message "[UpgradeVMPublicIP] Starting upgrade of Public IP SKUs for VMs associated with the Basic Load Balancer $($BasicLoadBalancer.Name)"

    # get the NIC IDs associated with the Basic Load Balancer
    $nicIDs = @() 
    foreach ($backendAddressPool in $BasicLoadBalancer.BackendAddressPools) {
        foreach ($backendIpConfiguration in ($backendAddressPool.BackendIpConfigurations | Select-Object -Property Id -Unique)) {
            $nicIDs += "'$(($backendIpConfiguration.Id -split '/ipconfigurations/')[0])'"
        }
    }

    $joinedNicIDs = $nicIDs -join ','
    
    # get VMs associated with the Lb NIC IDs which have Public IP Addresses, return public IP IDs
    # every PIP assiciated with a VM must be the same SKU, and align with the SKU of the load balancer
    #
    # NOTE: the resoruce graph data will lag behind ARM by a couple minutes, so creating resource and immediately
    # attempting migration (as in a test) will result in not ARG results. As a workaround, set the Environment Variable $env:LBMIG_WAIT_FOR_ARG = $true
    #

    $graphQuery = @"
    Resources |
        where type =~ 'microsoft.network/networkinterfaces' and id in~ ($joinedNicIDs) |
        project lbNicVMId = tolower(tostring(properties.virtualMachine.id)) |
        join ( Resources | where type =~ 'microsoft.compute/virtualmachines' | project vmId = tolower(id), vmNics = properties.networkProfile.networkInterfaces) on `$left.lbNicVMId == `$right.vmId |
        join ( Resources | where type =~ 'microsoft.network/networkinterfaces' | project nicVMId = tolower(tostring(properties.virtualMachine.id)), allVMNicID = tolower(id), nicIPConfigs = properties.ipConfigurations ) on `$left.vmId == `$right.nicVMId |
        join kind=leftouter ( Resources |
            where type =~ 'microsoft.network/publicipaddresses' and isnotnull(properties.ipConfiguration.id) |
            project pipId = id, pipAssociatedNicId = tolower(tostring(split(properties.ipConfiguration.id,'/ipConfigurations/')[0])),pipIpConfig = properties.ipConfiguration.id) on `$left.allVMNicID == `$right.pipAssociatedNicId |
    project pipId,vmNics,nicIPConfigs,pipIpConfig,pipAssociatedNicId
"@


    log -Severity Verbose -Message "Graph Query Text: `n$graphQuery"

    $waitingForARG = $false
    $timeoutStopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    do {        
        If (!$waitingForARG) {
            log -Message "[UpgradeVMPublicIP] Querying Resource Graph for PIPs associated with VMs in the backend pool(s)..."
        }
        Else {
            log -Message "[UpgradeVMPublicIP] Waiting 15 seconds before querying ARG again (total wait time up to 15 minutes before failure)..."
            Start-Sleep 15
        }

        $VMPIPRecords = Search-AzGraph -Query $graphQuery

        $waitingForARG = $true
    } while ($VMPIPRecords.count -eq 0 -and $env:LBMIG_WAIT_FOR_ARG -and $timeoutStopwatch.Elapsed.Minutes -lt 15)

    If ($timeoutStopwatch.Elapsed.Minutes -gt 15) {
        log -Severity Error -Message "[UpgradeVMPublicIP] Resource Graph query timed out before results were returned! The Resource Graph lags behind ARM by several minutes--if the resources to migrate were just created (as in a test), test the query from the log to determine if this was an ingestion lag or synax failure. Once the issue has been corrected follow the steps at https://aka.ms/basiclbupgradefailure to retry the migration." -terminateOnError
    }

    $publicIPsToUpgrade = $VMPIPRecords | Where-Object {![string]::IsNullOrEmpty($_.pipId)} # filtering out null outer-join records

    log -Message "[UpgradeVMPublicIP] Found '$($publicIPsToUpgrade.count)' Public IPs associcated with VMs in the Basic LB's backend pool"

    $pipAllocationMethodJobs = @()
    ForEach ($pipRecord in $publicIPsToUpgrade) {
        $pipRecord | Add-Member @{pipObject = ($pip = Get-AzResource -ResourceId $pipRecord.pipId | Get-AzPublicIpAddress)}

        If ($pipRecord.pipObject.PublicIpAllocationMethod -eq 'Dynamic') {
            log -Message "[UpgradeVMPublicIP] Public IP '$($pipRecord.pipObject.id)' allocation is Dynamic, changing to Static to support upgrade to Standard SKU"
            $pipRecord.pipObject.PublicIpAllocationMethod = 'Static'

            $pipAllocationMethodJobs += $pipRecord.pipObject | Set-AzPublicIpAddress -AsJob
        }
        Else {
            log -Message "[UpgradeVMPublicIP] Public IP '$($pipRecord.pipObject.id)' allocation is Static, no change required"
        }
    }

    log -Message "[UpgradeVMPublicIP] Waiting for '$($pipAllocationMethodJobs.count)' PIP allocation method change jobs to complete before starting upgrade of Public IP SKUs"
    $pipAllocationMethodJobs | Wait-Job -Timeout $defaultJobWaitTimeout | Foreach-Object {
        $job = $_
        If ($job.Error -or $job.State -eq 'Failed') {
            $publicIPsToUpgrade | Select-Object -Property pipId,pipIpConfig | ConvertTo-Json
            log -Severity Error -Message "Changing a Public IP allocation method from Dynamic to Static failed with the following errors: $($job.error; $job | Receive-Job). To continue, address the error then follow the steps at https://aka.ms/basiclbupgradefailure to retry the migration" -terminateOnError
        }
    }

    # detach all PIPs from each VM in the backend pool (even from NICs not associated with the LB because all PIPs and LBs assoicated with a VM must be the same SKU)
    $nicDetachJobs = @()
    $nicsWithPIPsToReattach = @{}
    $nicGroupedPIPRecords = $publicIPsToUpgrade | Group-Object -Property pipAssociatedNicId
    ForEach ($nicGroup in $nicGroupedPIPRecords) {
        $nic = Get-AzResource -ResourceId $nicGroup.Name | Get-AzNetworkInterface

        $nicUpdateRequired = $false
        ForEach ($pipRecord in $nicGroup.Group) {
            
            log -Message "[UpgradeVMPublicIP] Detaching Public IP $($pipRecord.pipObject.Name) from NIC $($pipRecord.nicName) to upgrade to Standard SKU"
            $nicUpdateRequired = $true

            If (!$nicsWithPIPsToReattach[$nic.Id]) {
                $nicsWithPIPsToReattach[$nic.Id] = @(@{ipConfigs = @{} })
            }
            If (!$nicsWithPIPsToReattach[$nic.Id].ipConfigs[$pipRecord.pipIpConfig]) {
                $nicsWithPIPsToReattach[$nic.Id].ipConfigs[$pipRecord.pipIpConfig] = $pipRecord.pipId
            }

            $pipNicIPConfig = $nic.IpConfigurations | Where-Object { $_.Id -eq $pipRecord.pipIpConfig }
            $pipNicIPConfig.PublicIpAddress = $null

        }

        If ($nicUpdateRequired) {
            log -Message "[UpgradeVMPublicIP] Updating NIC $($nic.Name) to detach Public IPs from NIC"
            $nicDetachJobs += $nic | Set-AzNetworkInterface -AsJob
        }
    }

    log -Message "[UpgradeVMPublicIP] Waiting for all '$($nicDetachJobs.count)' NIC detach jobs to complete before starting upgrade of Public IP SKUs"
    $nicDetachJobs | Wait-Job -Timeout $defaultJobWaitTimeout | Foreach-Object {
        $job = $_
        If ($job.Error -or $job.State -eq 'Failed') {
            $pipToIpConfigTable = $publicIPsToUpgrade | Select-Object -Property pipId,pipIpConfig | ConvertTo-Json
            log -Severity Error -Message "Detaching PIP from an IP config failed with the following errors: $($job.error; $job | Receive-Job). Migration will continue--to recover, manually upgrade Public IPs and associate NICs with their Public IP Addresses after the script completes. Use the following table to match PIPs with IPconfigs: `n$pipToIpConfigTable"
        }
    }

    # update the PIPs to Standard SKU
    $pipUpgradeSKUJobs = @()
    ForEach ($pip in $publicIPsToUpgrade.pipObject) {
        log -Message "[UpgradeVMPublicIP] Upgrading Public IP '$($pip.Name)' to Standard SKU"

        $pip.Sku.Name = 'Standard'
        $pipUpgradeSKUJobs += $pip | Set-AzPublicIpAddress -AsJob
    }

    log -Message "[UpgradeVMPublicIP] Waiting for all '$($pipUpgradeSKUJobs.count)' PIP SKU upgrade jobs to complete"
    $nicDetachJobs | Wait-Job -Timeout $defaultJobWaitTimeout | Foreach-Object {
        $job = $_
        If ($job.Error -or $job.State -eq 'Failed') {
            $pipToIpConfigTable = $publicIPsToUpgrade | Select-Object -Property pipId,pipIpConfig | ConvertTo-Json
            log -Severity Error -Message "Upgrading Public IP to Standard SKU failed with the following errors: $($job.error; $job | Receive-Job). Migration will continue--to recover, manually upgrade Public IPs and associate NICs with their Public IP Addresses after the script completes. Use the following table to match PIPs with IPconfigs: `n$pipToIpConfigTable"
        }
    }

    # reattach the PIPs to the NICs - one job per NIC
    $nicPIPReattachJobs = @()
    ForEach ($nicRecord in $nicsWithPIPsToReattach.GetEnumerator()) {
        $nic = Get-AzResource -ResourceId $nicRecord.Name | Get-AzNetworkInterface

        ForEach ($ipConfigRecord in $nicsWithPIPsToReattach[$nicRecord.Name].ipConfigs.GetEnumerator()) {
            $ipConfig = $nic.IpConfigurations | Where-Object { $_.Id -eq $ipConfigRecord.Name }

            log -Message "[UpgradeVMPublicIP] Reattaching Public IP '$($nicsWithPIPsToReattach[$nicRecord.Name].ipConfigs[$ipConfigRecord.Name])' to NIC IPConfig '$($ipConfigRecord.Name)'"
            $ipConfig[0].PublicIpAddress = @{ id = $nicsWithPIPsToReattach[$nicRecord.Name].ipConfigs[$ipConfigRecord.Name] }
        }

        $nicPIPReattachJobs += $nic | Set-AzNetworkInterface -AsJob
    }

    log -Message "[UpgradeVMPublicIP] Waiting for '$($nicPIPReattachJobs.count)' PIP reattach to NIC jobs to complete..."
    $nicPIPReattachJobs | Wait-Job -Timeout $defaultJobWaitTimeout | Foreach-Object {
        $job = $_
        If ($job.Error -or $job.State -eq 'Failed') {
            log -Severity Error -Message "Reassociating upgraded Public IPs with NICs failed with the following errors: $($job.error; $job | Receive-Job). Migration will continue--to recover, manually associate NICs with their Public IP Addresses after the script completes."
        }
    }

    log -Message "[UpgradeVMPublicIP] Completed upgrade of VM Public IP SKUs"
}

Export-ModuleMember -Function UpgradeVMPublicIP