Skip to content

feat: default azlin new to private/bastion (no public IP)#966

Merged
rysweet merged 3 commits intomainfrom
feat/bastion-default
Apr 9, 2026
Merged

feat: default azlin new to private/bastion (no public IP)#966
rysweet merged 3 commits intomainfrom
feat/bastion-default

Conversation

@rysweet
Copy link
Copy Markdown
Owner

@rysweet rysweet commented Apr 8, 2026
edited
Loading

Summary

VMs created with azlin new are now private by default and route through Azure Bastion, matching the Python CLI behavior.

Changes

  • Default behavior: azlin new creates VMs without a public IP (bastion-routed)
  • Add --public flag to opt into public IP creation
  • --no-bastion also opts into public IP (unchanged behavior)
  • --private kept as hidden backward-compat flag (now the default, so it is a no-op)
  • Validation: --private conflicts with --public/--no-bastion
  • Updated credential forwarding docs to reflect bastion-by-default
  • Fixed pre-existing test_code_has_workspace_flag_with_default parity test failure

Also done (operational)

  • Removed public IP from existing "ia" VM; confirmed bastion routing via azlin list --no-cache showing 10.0.0.6 (Bast)

Merge readiness

QA-team evidence

  • Scenario files: tests/agentic-scenarios/pr-966-bastion-default.yaml, tests/agentic-scenarios/new-command-parity.yaml
  • Validation command: gadugi-test validate -f tests/agentic-scenarios/pr-966-bastion-default.yaml
  • Validation result: passed (1/1 valid)
  • Run command: gadugi-test run -d tests/agentic-scenarios -s pr-966-bastion-default
  • Run target: local (debug binary at rust/target/debug/azlin)
  • Run result: passed (6/6 steps, 1/1 scenario)
  • Parity scenario also run and passed: gadugi-test run -d tests/agentic-scenarios -s new-command-parity (4/4 steps, ALL 22 FLAGS PRESENT)

Documentation

  • User-facing docs impact: yes (CLI behavior change)
  • Updated docs:
    • docs/how-to/forward-credentials.md — removed --private example, documented bastion-by-default
    • docs/reference/credential-forwarding.md — updated flag table (--private--public)
  • PR description links added: see above

Quality-audit

  • Cycle 1: zero findings (correctness, security, logic review)
  • Cycle 2: 2 medium findings — stale docs referencing --private as a user-facing flag in docs/how-to/forward-credentials.md:55 and docs/reference/credential-forwarding.md:10. Both fixed in commit ea895bc.
  • Cycle 3 (final): zero findings. Verified cycle 2 fixes correct. All 8 changed files reviewed. No remaining --private references in docs. No unrelated changes.
  • Final clean cycle: cycle 3 (zero critical/high, zero medium correctness/security findings)
  • Fixes followed default-workflow: yes (docs updated, committed, pushed)
  • Convergence summary: 3 cycles total. Cycle 2 surfaced doc staleness, fixed immediately. Cycle 3 confirmed clean.

CI

  • Checks command: gh pr checks 966
  • Result: all green (10 successful, 0 failing, 0 pending)
  • Skipped checks: OSSF Scorecard (conditional workflow, skipped on PRs)
  • Flaky reruns performed: none
  • Real failures fixed: pre-existing test_code_has_workspace_flag_with_default parity test (expected /home/user but actual default is /home/azureuser); fixed in this PR

Scope

  • Changed files: rust/crates/azlin-cli/src/lib.rs, rust/crates/azlin-cli/src/parity_tests.rs, rust/crates/azlin/src/cmd_vm.rs, rust/crates/azlin/src/cmd_vm_ops.rs, docs/how-to/forward-credentials.md, docs/reference/credential-forwarding.md, tests/agentic-scenarios/pr-966-bastion-default.yaml, tests/agentic-scenarios/new-command-parity.yaml
  • Unrelated changes: none (parity test fix is tightly coupled — it was blocking CI for this PR)

Verdict

  • Merge-ready: yes
  • Remaining blockers: none

Ryan Sweet and others added 3 commits April 8, 2026 15:29
feat: default azlin new to private/bastion (no public IP)
8e7e06e 
VMs created with 'azlin new' are now private by default and route
through Azure Bastion, matching the Python CLI behavior.

- Add --public flag to opt into public IP creation
- --no-bastion also opts into public IP (unchanged behavior)
- --private is kept as a hidden backward-compat flag (now a no-op)
- Update validation: --private conflicts with --public/--no-bastion

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
test: add bastion-default QA scenarios and fix pre-existing parity test
1b8180d 
- Add pr-966-bastion-default.yaml scenario: validates --public flag,
  --private hidden compat, help text, and bastion-only default
- Update new-command-parity.yaml: check --public instead of --private
  (--private is now hidden)
- Fix parity_tests.rs: workspace default is /home/azureuser, not /home/user
  (pre-existing CI failure on main)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
docs: update credential forwarding docs for bastion-by-default
ea895bc 
Remove references to --private flag (now hidden/default behavior).
Document --public as the opt-out flag for bastion routing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@rysweet rysweet merged commit 1af6088 into main Apr 9, 2026
11 checks passed
@rysweet rysweet deleted the feat/bastion-default branch April 9, 2026 06:16
This was referenced Apr 13, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rysweet