Skip to content

Commit

Permalink
Resolve secrets in pipeline config outside of the environment. (#3866)
Browse files Browse the repository at this point in the history
* Resolve secrets in pipeline config outside of the environment.

// TODO: Figure out a better way to handle this, either by making config.Raw() resolve secrets, or by adding a new api RawResolved().
Need to review this with the team.

* lint
  • Loading branch information
vhvb1989 authored May 7, 2024
1 parent 94596da commit 651394c
Show file tree
Hide file tree
Showing 3 changed files with 41 additions and 1 deletion.
35 changes: 35 additions & 0 deletions cli/azd/pkg/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ var vaultPattern = regexp.MustCompile(
// Configuration data is stored in user's home directory @ ~/.azd/config.json
type Config interface {
Raw() map[string]any
// similar to Raw() but it will resolve any vault references
ResolvedRaw() map[string]any
Get(path string) (any, bool)
GetString(path string) (string, bool)
GetSection(path string, section any) (bool, error)
Expand Down Expand Up @@ -70,6 +72,39 @@ func (c *config) Raw() map[string]any {
return c.data
}

// Gets the raw values stored in the configuration and resolve any vault references
func (c *config) ResolvedRaw() map[string]any {
resolvedRaw := &config{
data: map[string]any{},
}
paths := paths(c.data)
for _, path := range paths {
// get will always return true (no need to check) because the path was gotten from the raw config
value, _ := c.Get(path)
if err := resolvedRaw.Set(path, value); err != nil {
panic(fmt.Errorf("failed setting resolved raw value: %w", err))
}
}
return resolvedRaw.data
}

// paths recursively traverses a map and returns a list of all the paths to the leaf nodes.
// The start parameter is the initial map to start traversing from.
// It returns a slice of strings representing the paths to the leaf nodes.
func paths(start map[string]any) []string {
var all []string
for path, value := range start {
if node, isNode := value.(map[string]any); isNode {
for _, child := range paths(node) {
all = append(all, fmt.Sprintf("%s.%s", path, child))
}
} else {
all = append(all, path)
}
}
return all
}

// SetSecret stores the secrets at the specified path within a local user vault
func (c *config) SetSecret(path string, value string) error {
if c.vaultId == "" {
Expand Down
5 changes: 5 additions & 0 deletions cli/azd/pkg/config/file_config_manager_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,11 @@ func Test_FileConfigManager_GetSetSecrets(t *testing.T) {
missingPassword, ok := updatedConfig.GetString("secrets.misingVaultRef")
require.False(t, ok)
require.Empty(t, missingPassword)

require.NotEqual(t, updatedConfig.Raw(), updatedConfig.ResolvedRaw())
require.Equal(t, azdConfig.Raw(), updatedConfig.Raw())
require.Equal(t, azdConfig.ResolvedRaw(), updatedConfig.ResolvedRaw())

}

func Test_FileConfigManager_GetSetSecretsInSection(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion cli/azd/pkg/pipeline/pipeline_manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -357,7 +357,7 @@ func (pm *PipelineManager) Configure(ctx context.Context) (result *PipelineConfi
// Adding environment.AzdInitialEnvironmentConfigName as a secret to the pipeline as the base configuration for
// whenever a new environment is created. This means loading the local environment config into a pipeline secret which
// azd will use to restore the the config on CI
localEnvConfig, err := json.Marshal(pm.env.Config.Raw())
localEnvConfig, err := json.Marshal(pm.env.Config.ResolvedRaw())
if err != nil {
return result, fmt.Errorf("failed to marshal environment config: %w", err)
}
Expand Down

0 comments on commit 651394c

Please sign in to comment.