feat(iot-ops): upgrade AIO component versions and extend version checker #655
katriendg wants to merge 2 commits into
- bump aio 1.3.105→1.3.137, secret-store 1.4.1→1.5.0, cert-manager 0.12.0→0.13.3
- extend aio-version-checker.py to extract arc-extension (cert-manager) versions
- cache Bicep file reads and track per-component local_file in checker
- update iotops-version-upgrade prompt and upgrade-aio docs

⬆️ - Generated by Copilot
📚 Documentation Health Report
Generated on: 2026-07-01 11:43:25 UTC
📈 Documentation Statistics
🏗️ Three-Tree Architecture Status
🔍 Quality Metrics
This report is automatically generated by the Documentation Automation workflow.
| logger.debug(f"Reading Terraform arc-extensions file: {tf_arc_file}") | ||
|
|
||
| try: |
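Review bot: The logger.debug call at the top of this excerpt builds its message with an f-string, so the path is formatted even when debug logging is disabled; passing it as an argument, logger.debug("Reading Terraform arc-extensions file: %s", tf_arc_file), defers the formatting to the logging module. The body of the try and its except clause are not visible in these lines, so the handler itself cannot be assessed from this excerpt.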
Is the OSError handler here intentional? The two sibling extractors (extract_tf_variables, extract_tf_instance_variables) call sys.exit(1) on all failures, including file-not-found. Returning [] here means that if TERRAFORM_ARC_EXTENSIONS_FILE is ever missing or the path changes, cert-manager produces no local components and the comparison silently reports no mismatches rather than failing. Since catching cert-manager drift is the purpose of this extractor, sys.exit(1) may be the safer choice to keep behavior consistent with the sibling extractors.
Retargets the edge-ai IoT Operations components to the AIO 2606 release and closes a gap in aio-version-checker.py that let cert-manager and Terraform default drift slip past CI. Version defaults move in lockstep across Terraform and Bicep, the upgrade guide's version matrix is refreshed, and the checker now inspects the 109-arc-extensions component alongside 110-iot-ops.
Description
This PR combines two related pieces of work.
The version upgrade bumps every pinned AIO component default to the 2606 release: the AIO instance (iotOperations) 1.3.105 → 1.3.137, the Secret Store extension (secretStore) 1.4.1 → 1.5.0, and the cert-manager extension (certManager) 0.12.0 → 0.13.3. Each value is updated in both the Terraform and Bicep sources so the two stay consistent, and docs/getting-started/upgrade-aio.md is retargeted from 2605 to 2606 with a refreshed version matrix (CLI azure-iot-ops 2.5.0 → 2.7.0).
The checker fix addresses scripts/aio-version-checker.py previously only reading the 110-iot-ops files, which meant cert-manager version drift (defined in 109-arc-extensions) and newer python-hcl2 default-wrapping went undetected. The script now covers cert-manager, normalizes HCL default values, tracks the originating file per component, and caches Bicep reads.
AIO 2606 version upgrade
Component version defaults bumped together in Terraform and Bicep:
- iotOperations 1.3.105 → 1.3.137 in 110-iot-ops/bicep/types.bicep (aioExtensionDefaults) and 110-iot-ops/terraform/variables.instance.tf (operations_config).
- secretStore 1.4.1 → 1.5.0 in 110-iot-ops/bicep/types.bicep (secretStoreExtensionDefaults) and 110-iot-ops/terraform/variables.init.tf (secret_sync_controller).
- certManager 0.12.0 → 0.13.3 in 109-arc-extensions/bicep/types.bicep (certManagerExtensionDefaults) and 109-arc-extensions/terraform/variables.tf (cert_manager_extension).
- ms.date.
Version checker drift coverage
Extended scripts/aio-version-checker.py so future upgrades cannot silently miss a component:
- TERRAFORM_ARC_EXTENSIONS_FILE and BICEP_ARC_EXTENSIONS_FILE constants targeting 109-arc-extensions, with a BICEP_COMPONENT_FILES map that routes certManagerExtensionDefaults to its real declaring file. The BICEP_COMPONENTS entry was corrected from aioCertManagerExtensionDefaults to certManagerExtensionDefaults to match the actual Bicep variable name.
- extract_tf_arc_extension_variables, which reads the nested arc_extensions.cert_manager_extension default. Container storage is intentionally excluded because the enablement manifest no longer publishes a version for it.
- _unwrap_hcl, normalizing the single-element list wrapper that recent python-hcl2 releases place around block bodies, and applied it in the existing Terraform extractors.
- local_file through extraction so compare_versions reports the correct source file for each mismatch, and cached Bicep file reads via a local _read closure.
Prompt guidance
Related Issue
Fixes #652
Fixes #654
Type of Change
Implementation Details
Version defaults are the single source of truth for the AIO extension versions in each component; the upgrade edits those defaults directly rather than passing overrides. The checker treats the AIO enablement/instance manifests as the source of truth and compares each manifest key against its mapped Terraform and Bicep variable. The correction to the checker's file resolution and HCL unwrapping ensures the cert-manager key in 109-arc-extensions is now compared, not skipped.
Testing Performed
Validation Steps
- python3 scripts/aio-version-checker.py --release-tag <2606-target-tag> and confirm it returns [] (no mismatches) for both Terraform and Bicep across 109-arc-extensions and 110-iot-ops.
- terraform validate and terraform fmt across the changed components.
Checklist
- terraform fmt on all Terraform code
- terraform validate on all Terraform code
- az bicep format on all Bicep code
- az bicep build to validate all Bicep code
Security Review
Additional Notes
The upgrade touches only version-default values and generated READMEs; no component schema, blueprint, or security-sensitive path was modified. Container storage remains pinned and unmanaged by the checker because the AIO manifest does not publish a version key for it.
Screenshots (if applicable)
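The fail-closed behaviour asked for in the review comment, combined with the single-element list unwrapping the description mentions, as an added example that is not the PR's code. JSON stands in for parsed HCL, and the key path, file names, function names and sample document are hypothetical or constructed.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical key path: the real layout of the Terraform file is not shown on this page.
KEYS = ("variable", "arc_extensions", "default", "cert_manager_extension", "version")

class DriftCheckError(Exception):
    """The local pin could not be established, so the check must fail."""

def unwrap(value):
    """Strip single-element list wrappers around a block body."""
    while isinstance(value, list) and len(value) == 1:
        value = value[0]
    return value

def local_version(path, keys=KEYS):
    """Fail closed: a read, parse or lookup failure raises instead of returning nothing."""
    try:
        node = json.loads(Path(path).read_text())  # JSON stands in for parsed HCL
    except (OSError, ValueError) as exc:
        raise DriftCheckError(f"cannot read {path}: {exc}") from exc
    for key in keys:
        node = unwrap(node)
        if not isinstance(node, dict) or key not in node:
            raise DriftCheckError(f"{path}: {key!r} not found")
        node = node[key]
    return unwrap(node)

def mismatches(path, manifest_version):
    """Return [] only when the pin was actually read and equals the manifest value."""
    found = local_version(path)
    return [] if found == manifest_version else [(str(path), found, manifest_version)]

def demo():
    """Constructed inputs: a list-wrapped file with a stale pin, then a missing file."""
    doc = {"variable": [{"arc_extensions": [{"default": [
        {"cert_manager_extension": [{"version": "0.12.0"}]}]}]}]}
    with tempfile.TemporaryDirectory() as tmp:
        pinned = Path(tmp, "variables.json")
        pinned.write_text(json.dumps(doc))
        results = [mismatches(pinned, "0.12.0"), mismatches(pinned, "0.13.3")]
        try:
            results.append(mismatches(Path(tmp, "moved.json"), "0.13.3"))
        except DriftCheckError as exc:
            results.append(exc)
    return results

if __name__ == "__main__": print(demo())
```

An empty list here always means "read and equal"; a moved or unreadable file surfaces as an error the CI job cannot mistake for a clean comparison.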