feat(iot-ops): upgrade AIO component versions and extend version checker #655

Open
katriendg wants to merge 2 commits into main from feat/652-aio-2606-upgrade

@katriendg
Collaborator

Retargets the edge-ai IoT Operations components to the AIO 2606 release and closes a gap in aio-version-checker.py that let cert-manager and Terraform default drift slip past CI. Version defaults move in lockstep across Terraform and Bicep, the upgrade guide's version matrix is refreshed, and the checker now inspects the 109-arc-extensions component alongside 110-iot-ops.

Description

This PR combines two related pieces of work.

The version upgrade bumps every pinned AIO component default to the 2606 release: the AIO instance (iotOperations) 1.3.105 → 1.3.137, the Secret Store extension (secretStore) 1.4.1 → 1.5.0, and the cert-manager extension (certManager) 0.12.0 → 0.13.3. Each value is updated in both the Terraform and Bicep sources so the two stay consistent, and docs/getting-started/upgrade-aio.md is retargeted from 2605 to 2606 with a refreshed version matrix (CLI azure-iot-ops 2.5.0 → 2.7.0).

The checker fix addresses scripts/aio-version-checker.py previously only reading the 110-iot-ops files, which meant cert-manager version drift (defined in 109-arc-extensions) and newer python-hcl2 default-wrapping went undetected. The script now covers cert-manager, normalizes HCL default values, tracks the originating file per component, and caches Bicep reads.

AIO 2606 version upgrade

Component version defaults bumped together in Terraform and Bicep:

  • AIO instance iotOperations 1.3.105 → 1.3.137 in 110-iot-ops/bicep/types.bicep (aioExtensionDefaults) and 110-iot-ops/terraform/variables.instance.tf (operations_config).
  • Secret Store secretStore 1.4.1 → 1.5.0 in 110-iot-ops/bicep/types.bicep (secretStoreExtensionDefaults) and 110-iot-ops/terraform/variables.init.tf (secret_sync_controller).
  • cert-manager certManager 0.12.0 → 0.13.3 in 109-arc-extensions/bicep/types.bicep (certManagerExtensionDefaults) and 109-arc-extensions/terraform/variables.tf (cert_manager_extension).
  • Updated the upgrade-aio.md version matrix and prerequisite CLI version, and bumped ms.date.

All changes are version-default-only — no variable or type schema was altered.

Version checker drift coverage

Extended scripts/aio-version-checker.py so future upgrades cannot silently miss a component:

  • Added TERRAFORM_ARC_EXTENSIONS_FILE and BICEP_ARC_EXTENSIONS_FILE constants targeting 109-arc-extensions, with a BICEP_COMPONENT_FILES map that routes certManagerExtensionDefaults to its real declaring file. The BICEP_COMPONENTS entry was corrected from aioCertManagerExtensionDefaults to certManagerExtensionDefaults to match the actual Bicep variable name.
  • Added extract_tf_arc_extension_variables, which reads the nested arc_extensions.cert_manager_extension default. Container storage is intentionally excluded because the enablement manifest no longer publishes a version for it.
  • Added _unwrap_hcl, normalizing the single-element list wrapper that recent python-hcl2 releases place around block bodies, and applied it in the existing Terraform extractors.
  • Propagated a per-component local_file through extraction so compare_versions reports the correct source file for each mismatch, and cached Bicep file reads via a local _read closure.

Prompt guidance

  • .github/prompts/iotops-version-upgrade.prompt.md now treats 109-arc-extensions as a fourth analyzed component, adds a component-to-manifest version-map table, a dedicated Arc extensions analysis section, and validation checklist items for running the checker and updating upgrade-aio.md.

Related Issue

Fixes #652
Fixes #654

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

Version defaults are the single source of truth for the AIO extension versions in each component; the upgrade edits those defaults directly rather than passing overrides. The checker treats the AIO enablement/instance manifests as the source of truth and compares each manifest key against its mapped Terraform and Bicep variable. The correction to the checker's file resolution and HCL unwrapping ensures the cert-manager key in 109-arc-extensions is now compared, not skipped.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Validation Steps

  1. Run python3 scripts/aio-version-checker.py --release-tag <2606-target-tag> and confirm it returns [] (no mismatches) for both Terraform and Bicep across 109-arc-extensions and 110-iot-ops.
  2. Run terraform validate and terraform fmt across the changed components.
  3. Confirm docs/getting-started/upgrade-aio.md version matrix reflects the 2606 component versions.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

The upgrade touches only version-default values and generated READMEs; no component schema, blueprint, or security-sensitive path was modified. Container storage remains pinned and unmanaged by the checker because the AIO manifest does not publish a version key for it.

Screenshots (if applicable)

- bump aio 1.3.105→1.3.137, secret-store 1.4.1→1.5.0, cert-manager 0.12.0→0.13.3
- extend aio-version-checker.py to extract arc-extension (cert-manager) versions
- cache Bicep file reads and track per-component local_file in checker
- update iotops-version-upgrade prompt and upgrade-aio docs

⬆️ - Generated by Copilot
@katriendg katriendg requested a review from a team July 1, 2026 11:39
@github-actions

github-actions Bot commented Jul 1, 2026

📚 Documentation Health Report

Generated on: 2026-07-01 11:43:25 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 222
Infrastructure Components 228
Blueprints 37
GitHub Resources 26
AI Assistant Guides (Copilot) 17
Total 530

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation: success
  • Link Validation: success

This report is automatically generated by the Documentation Automation workflow.

@github-actions

github-actions Bot commented Jul 1, 2026

📚 Documentation Health Report

Generated on: 2026-07-01 12:17:02 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 222
Infrastructure Components 228
Blueprints 37
GitHub Resources 26
AI Assistant Guides (Copilot) 17
Total 530

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation: success
  • Link Validation: success

This report is automatically generated by the Documentation Automation workflow.

@benljbrooks benljbrooks left a comment
Contributor

LGTM

Comment on lines +596 to +598
logger.debug(f"Reading Terraform arc-extensions file: {tf_arc_file}")

try:
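
Review bot: The logger.debug call on line +596 builds its message with an f-string, so the path is formatted even when debug logging is disabled. If the rest of the script does not already standardize on f-strings, passing the value as an argument, logger.debug("Reading Terraform arc-extensions file: %s", tf_arc_file), defers the formatting to the logging framework. The body of the try: that opens on line +598 is not visible in this excerpt, so the exception types it handles cannot be checked from these lines alone.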

Is the OSError handler here intentional? The two sibling extractors (extract_tf_variables, extract_tf_instance_variables) call sys.exit(1) on all failures, including file-not-found. Returning [] here means that if TERRAFORM_ARC_EXTENSIONS_FILE is ever missing or the path changes, cert-manager produces no local components and the comparison silently reports no mismatches rather than failing. Since catching cert-manager drift is the purpose of this extractor, sys.exit(1) may be the safer choice to keep behavior consistent with the sibling extractors.
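
The fail-open versus fail-closed behaviour raised in the review comment above, as an added sketch that is not part of the thread and is not the project's aio-version-checker.py. All function names are hypothetical, the parsed layout (variable "arc_extensions" with default.cert_manager_extension.version) is an assumption based on the PR description, and json.load stands in for the HCL parser over a constructed sample.

```python
import json
import tempfile
from pathlib import Path


class DriftCheckError(RuntimeError):
    """A version source could not be read or did not contain the expected key."""


def unwrap(value):
    """Drop the single-element list wrapper some parser releases add around bodies."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value


def cert_manager_version(parsed):
    """Find variable "arc_extensions"; return default.cert_manager_extension.version."""
    for block in parsed.get("variable", []):
        body = unwrap(block.get("arc_extensions"))
        default = unwrap(body.get("default")) if isinstance(body, dict) else None
        ext = unwrap(default.get("cert_manager_extension")) if isinstance(default, dict) else None
        if isinstance(ext, dict) and "version" in ext:
            return ext["version"]
    raise DriftCheckError("cert_manager_extension version not found")


def compare(manifest_version, path, parse=json.load):
    """Return mismatches; raise (never return []) when the local file is unusable."""
    try:
        with open(path, encoding="utf-8") as fh:
            local = cert_manager_version(parse(fh))
    except (OSError, ValueError) as exc:
        raise DriftCheckError(f"cannot load {path}: {exc}") from exc
    if local == manifest_version:
        return []
    return [{"file": str(path), "local": local, "manifest": manifest_version}]


def write_sample(directory, version, wrapped):
    """Write a constructed parsed-HCL sample (as JSON) in wrapped or plain shape."""
    ext = {"cert_manager_extension": {"version": version}}
    body = {"default": [ext] if wrapped else ext}
    doc = {"variable": [{"arc_extensions": [body] if wrapped else body}]}
    path = Path(directory) / "variables.json"
    path.write_text(json.dumps(doc), encoding="utf-8")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare("0.13.3", write_sample(tmp, "0.12.0", wrapped=True)))
```

An empty list from compare() then always means "read and matched", so a CI job cannot confuse a moved or missing variables file with a clean result.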

Development

Successfully merging this pull request may close these issues.

  • fix(scripts): aio-version-checker misses Terraform and cert-manager drift
  • chore: upgrade Azure IoT Operations to 2606 (v1.3.137)

3 participants