shared_image_version - support for new block uefi_settings
#28076
Conversation
|
When can I expect that somebody has a look at this? |
|
This PR is being labeled as "stale" because it has not been updated for 30 or more days. If this PR is still valid, please remove the "stale" label. If this PR is blocked, please add it to the "Blocked" milestone. If you need some help completing this PR, please leave a comment letting us know. Thank you! |
…sions to 2023-07-03
yeoldegrove
force-pushed
the
shared_image_version_uefi_settings
branch
from
5cde4dd to
58ad4cf
Compare
|
It would be great if somebody would take a look at this. |
|
Kindly adding some active maintainers for comments: @katbyte @jackofallops @stephybun |
|
@codgician @katbyte @jackofallops @stephybun Can anybody please start reviewing this? |
There was a problem hiding this comment.
Hi @yeoldegrove,
Thanks for this PR - I've taken a look through and left some comments inline. If we can fix those up, this should be good to go 👍
yeoldegrove
force-pushed
the
shared_image_version_uefi_settings
branch
from
58ad4cf to
57ef77c
Compare
|
@ms-zhenhua Thanks for the review! I just fixed all the issues you pointed out and force pushed to this PR. |
There was a problem hiding this comment.
Hi @yeoldegrove,
Thanks for your updates - I've taken another look through and left some comments inline. Please help confirm.
yeoldegrove
force-pushed
the
shared_image_version_uefi_settings
branch
from
57ef77c to
d74f0fc
Compare
|
@ms-zhenhua another round of improvements ;) |
There was a problem hiding this comment.
Hi @yeoldegrove,
Thanks for your updates - I've taken another look through and left some comments inline. Please help confirm.
| data := input[0].(map[string]interface{}) | ||
| return &galleryimageversions.UefiKey{ | ||
| Type: pointer.To(galleryimageversions.UefiKeyType(data["type"].(string))), | ||
| Value: &[]string{data["certificate_base64"].(string)}, |
There was a problem hiding this comment.
since certificate_base64 is a string list, why convert it to a string ?
There was a problem hiding this comment.
Removed both Single functions. Those were artifacts I missed in the refactoring.
|
|
||
| result := make(map[string]interface{}) | ||
| if input.Value != nil && len(*input.Value) > 0 { | ||
| result["certificate_base64"] = (*input.Value)[0] |
There was a problem hiding this comment.
certificate_base64 is a string list, why assign the first element only?
There was a problem hiding this comment.
Removed both Single functions. Those were artifacts I missed in the refactoring.
| return results | ||
| } | ||
|
|
||
| func flattenUefiKey(input *galleryimageversions.UefiKey) []interface{} { |
There was a problem hiding this comment.
what's the difference between flattenSingleUefiKey and flattenUefiKey ?
There was a problem hiding this comment.
Removed both Single functions. Those were artifacts I missed in the refactoring.
| check.That(data.ResourceName).Key("uefi_settings.0.signature_template_names.#").HasValue("1"), | ||
| check.That(data.ResourceName).Key("uefi_settings.0.signature_template_names.0").HasValue("MicrosoftUefiCertificateAuthorityTemplate"), | ||
| check.That(data.ResourceName).Key("uefi_settings.0.additional_signatures.0.db.0.type").HasValue(keyType), | ||
| check.That(data.ResourceName).Key("uefi_settings.0.additional_signatures.0.db.0.certificate_base64.0").HasValue(certData), |
There was a problem hiding this comment.
why these checks still exist?
There was a problem hiding this comment.
Forgot to add this to the commit 🤦
| if securityProfile := props.SecurityProfile; securityProfile != nil { | ||
| if uefiSettings := securityProfile.UefiSettings; uefiSettings != nil { | ||
| d.Set("uefi_settings", flattenUefiSettings(uefiSettings)) | ||
| } else { | ||
| d.Set("uefi_settings", nil) | ||
| } | ||
| } else { | ||
| d.Set("uefi_settings", nil) | ||
| } |
There was a problem hiding this comment.
| if securityProfile := props.SecurityProfile; securityProfile != nil { | |
| if uefiSettings := securityProfile.UefiSettings; uefiSettings != nil { | |
| d.Set("uefi_settings", flattenUefiSettings(uefiSettings)) | |
| } else { | |
| d.Set("uefi_settings", nil) | |
| } | |
| } else { | |
| d.Set("uefi_settings", nil) | |
| } | |
| if securityProfile := props.SecurityProfile; securityProfile != nil { | |
| d.Set("uefi_settings", flattenUefiSettings(securityProfile.UefiSettings;)) | |
| } |
There was a problem hiding this comment.
👍 I guess I thought to complicated here.
| }) | ||
| } | ||
|
|
||
| func TestAccSharedImageVersion_uefiSettingsUpdateKeyType(t *testing.T) { |
There was a problem hiding this comment.
please consider combing TestAccSharedImageVersion_uefiSettings and TestAccSharedImageVersion_uefiSettingsUpdateKeyType into one testcase as their first steps are the same.
There was a problem hiding this comment.
I can remove one of those and only use the combined one, correct.
| additional_signatures { | ||
| db { | ||
| type = "%s" | ||
| certificate_base64 = "%s" |
There was a problem hiding this comment.
since certificate_base64 is a string list in the schema, why it is a string here? Could you provide your local test result?
There was a problem hiding this comment.
Actually my testing setup/cycle was provisioning resources with my built provider by hand.
I now checked out https://github.com/hashicorp/terraform-provider-azurerm/blob/main/DEVELOPER.md#developing-the-provider and managed to run make acctests SERVICE='compute' TESTARGS='-run=TestAccSharedImageVersion_uefiSettings' TESTTIMEOUT='60m'
I must say... having to create ARM_CLIENT_ID was a bit complicated as the subscription I have did not initially allow this.
But now I managed to fix most of the test cases. But now I have to figure out to boot a secure bootable VM in this test setup. This will most likely take a few hours.
@ms-zhenhua Do you think it is advisable to really boot a secure_boot_enabled and vtpm_enabled enabled VM (with real keys) inside the test suite?
| signature_template_names = [%s] | ||
|
|
||
| additional_signatures { | ||
| db { |
There was a problem hiding this comment.
could you also test dbx, kek and pk ?
Community Note
Description
Bump galleryimageversions API to support security profile and uefi settings.
For resource
shared_image_versionuefi_settingsuefi_settingsNot adding a matching block to the data source as the Azure API does not return any security profiles.
PR Checklist
For example: “
resource_name_here- description of change e.g. adding propertynew_property_name_here”Changes to existing Resource / Data Source
Testing
Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
shared_image_version- support for new blockuefi_settings[https://github.com/shared_image_version- support for new blockuefi_settings#28076]This is a (please select all that apply):
Related Issue(s)
Fixes #28064
Note
If this PR changes meaningfully during the course of review please update the title and description as required.