Creates new Variablegroup with a link to Azure Key Vault (#73)

* Adding Variable group implementation

* added new environment variables in example file.

* refactoted code and added comments

* Changed node mode to development in webpack config and added debug statements in variable group

* Fixed naming issue in the production build. Added Service Point interfaces

* removed tslint disabling

* Fixed linting issues

* updated mock config file and extracted azure-devops interface

* Made some config variables nullable

* Updated mock config file with variablegroup info

* Added interfaces for service connection and implemented feedback comments

* Fixed lint issue

* renamed service connection to service endpoint to be consistent with rest api

* Fixed file reanming issue

* refatored azdo.ts methods to be singleton

* Fixed lint issues

* adding tests

* uncommented code

* Fixed unit test cases

* added more test cases and created new section for vsts variables

* added more test cases and created new section for vsts variables

* Added test cases

* updated test description

* updated comments

* refactored code and added create command for variable group

* added docs

* updated docs and added valiadtion to check variable group type

* Moved ts-node to dev dependencies

* updated docs

* renamed file

* Fixed type refactoring issue

* fixed doc error

* changed docs and fixed unit test

* Force merging master

* added variable group types back after force overwrite

Author: sarath-p

.env.example

@@ -3,3 +3,10 @@ AZURE_TENANT_ID="AAD tenant id"
 AZURE_CLIENT_ID="Azure service principal client Id"
 AZURE_CLIENT_SECRET="Azure service principal client secret/password"
 AZURE_SUBSCRIPTION_ID="Azure subscription id" 
+
+AZDO_PERSONAL_ACCESS_TOKEN=" Azure DevOps Personal Access Token"
+
+AZDO_SERVICE_CONNECTION_SUBSCRIPTION_ID="Azure Key Vault Subscription Id"
+AZDO_SERVICE_CONNECTION_CLIENT_ID="Azure Service Principal Id with [get, list] access to Key Vault secrets"
+AZDO_SERVICE_CONNECTION_CLIENT_SECRET="Azure Service Principal secret/password"
+AZDO_SERVICE_CONNECTION_TENANT_ID="AAD Tenant Id for Azure Service Principal Id"

README.md

@@ -37,6 +37,7 @@ Commands:
   service           Create and manage services for a Bedrock project.
   infra             Manage and modify your Bedrock infrastructure.
   hld               Commands for initalizing and managing a bedrock HLD repository.
+  variable-group    Creates Variable Group in Azure DevOps project.
 ```
 
 ## `spk` commands docs
@@ -47,6 +48,7 @@ Commands:
 - [spk init](./docs/init.md)
 - [spk project](./docs/project-management.md)
 - [spk service](./docs/service-management.md)
+- [spk variable group](./docs/variable-group.md)
 
 ## Getting Started
 

docs/variable-group.md

@@ -0,0 +1,121 @@
+# Variable Group
+
+Create
+[variable group](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups)
+in Azure DevOps project.
+
+Usage:
+
+```
+spk variable-group [command] [options]
+```
+
+Commands:
+
+- [Variable Group](#variable-group)
+  - [Prerequisites](#prerequisites)
+  - [Commands](#commands)
+    - [create](#create)
+
+Global options:
+
+```
+  -v, --verbose        Enable verbose logging
+  -h, --help           Usage information
+```
+
+## Prerequisites
+
+An existing
+[Azure DevOps project](https://azure.microsoft.com/en-us/services/devops/) is
+required to create a Variable Group. In addition, to link secrets from an Azure
+key vault as variables in Variable Group, you will need an existing key vault
+containing your secrets and the Service Principal for authorization with Azure
+Key Vault.
+
+1. Use existng or
+   [create a service prrincipal either in Azure Portal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
+   or
+   [with Azure CLI](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest).
+2. Use existing or
+   [create a Key Vault in Azure Portal](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-portal)
+   or
+   [with Azure CLI](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli).
+3. Give the service principal `get` and `list` access in Azure Key Vault. Follow
+   step 2 from
+   [these instructions](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault).
+
+## Commands
+
+### create
+
+Add a new variable group in Azure DevOps project
+
+```
+Usage:
+spk variable-group create|c [options]
+
+Options:
+  -f, --file <file>                     Path to the yaml file that contains variable group manifest
+  -o, --org-name <org>                  Azure DevOps organization name; falls back to azure_devops.org in spk config
+  -p, --project <project>               Azure DevOps project name; falls back to azure_devops.project in spk config
+  -t, --personal-access-token <token>   Personal access token from Azure DevOps org; falls back to azure_devops.access_token in spk config
+```
+
+Variable Group Yaml Manifest File Format
+
+1. Variable Group manifest with variables stored in Azure DevOps
+
+   ```
+   name: "myvg"
+   description: "myvg description"
+   type: "Vsts"
+   variables:
+     storage-account-name:
+       value: fabrikamstorage
+     storage-account-access-key:
+       value: "fabrikamstorage access key"
+       isSecret: true
+   ```
+
+   _*NOTE:*_
+
+   - `variables` value can also support json format as shown below.
+     ```
+     variables: { storage-account-name: { value: "fabrikamstorage" }, storage-account-access-key: {value: "fabrikamstorage access key", isSecret: true } }
+     ```
+
+2. Variable Group manifest with varibles linking to secrets in Azure Key Vault
+
+   ```
+   name: "myvg"
+   description: "myvg description"
+   type: "AzureKeyVault"
+   variables:
+       storage-account-name:
+           enabled: true
+       storage-account-access-key:
+           enabled: true
+       personal-access-token:
+           enabled: true
+   key_vault_provider:
+     name: "mykeyvault"                                      # name of the Azure Key Vault with Secrets
+     service_endpoint:                                       # service endpoint is required to authorize with Azure Key Vault
+       name: "service-connection-name"                       # service endpoint name to find an existing endpoint or to create a new endpoint with this name
+       subscription_id: "subscription-id"                    # Azure Subscription id where Key Vault exist
+       subscription_name: "sub-name"                         # Azure Subscription name where Key Vault exist
+       service_principal_id: "service-principal-id"          # Service Principal Id that has 'Get' and 'List' in Key Vault Access Policy
+       service_principal_secret: "service-principal-secret"  # Service Principal secret
+       tenant_id: "tenant-id"                                # AAD Tenant Id for the above Service Principal
+
+   ```
+
+   **_NOTE:_**
+
+   - SPK will create a new service endpoint when it does not exist by
+     `service_endpoint: name`.
+
+   - `variables` value can also support json format as shown below.
+     ```
+     variables: { fabrikam-storage-account: { enabled: true }, fabrikam-storage-account-access-key: { enabled: true }, azdo-personal-access-token: { enabled: true } }
+     ```

package.json

@@ -37,6 +37,7 @@
     "shx": "^0.3.2",
     "ts-jest": "^24.0.2",
     "ts-loader": "^6.0.4",
+    "ts-node": "^8.4.1",
     "tslint": "^5.19.0",
     "tslint-config-prettier": "^1.18.0",
     "typescript": "^3.6.2",

src/commands/variable-group/create.ts

@@ -0,0 +1,127 @@
+import { VariableGroup } from "azure-devops-node-api/interfaces/ReleaseInterfaces";
+import commander from "commander";
+import fs from "fs";
+import { readYaml } from "../../config";
+import { IAzureDevOpsOpts } from "../../lib/git";
+import {
+  addVariableGroup,
+  addVariableGroupWithKeyVaultMap
+} from "../../lib/pipelines/variableGroup";
+import { logger } from "../../logger";
+import { IVariableGroupData } from "../../types";
+
+/**
+ * Adds the create command to the variable-group command object
+ *
+ * @param command Commander command object to decorate
+ */
+export const createCommandDecorator = (command: commander.Command): void => {
+  command
+    .command("create")
+    .alias("c")
+    .description("Add a new variable group in Azure DevOps project.")
+    .option(
+      "-f, --file <variable-group-manifest-file-path>",
+      "Path to the yaml file that contains variable group manifest."
+    )
+    .option(
+      "-o, --org-name <organization-name>",
+      "Azure DevOps organization name; falls back to azure_devops.org in spk config"
+    )
+    .option(
+      "-p, --project <project>",
+      "Azure DevOps project name; falls back to azure_devops.project in spk config"
+    )
+    .option(
+      "-t, --personal-access-token <personal-access-token>",
+      "Personal access token associated with the Azure DevOps org; falls back to azure_devops.access_token in spk config"
+    )
+    .action(async opts => {
+      try {
+        if (!opts.file) {
+          logger.error(
+            "You need to specify a file with variable group manifest"
+          );
+          return;
+        }
+
+        const { file, orgName, project, personalAccessToken } = opts;
+
+        logger.debug(
+          `opts: ${file}, ${orgName}, ${project}, ${personalAccessToken}`
+        );
+
+        // type check
+        if (typeof orgName !== "undefined" && typeof orgName !== "string") {
+          throw Error(
+            `--org-name must be of type 'string', ${typeof orgName} specified.`
+          );
+        }
+
+        if (typeof project !== "undefined" && typeof project !== "string") {
+          throw Error(
+            `--project must be of type 'string', ${typeof project} specified.`
+          );
+        }
+
+        if (
+          typeof personalAccessToken !== "undefined" &&
+          typeof personalAccessToken !== "string"
+        ) {
+          throw Error(
+            `--personal-access-token must be of type 'string', ${typeof personalAccessToken} specified.`
+          );
+        }
+
+        const accessOpts: IAzureDevOpsOpts = {
+          orgName,
+          personalAccessToken,
+          project
+        };
+        logger.debug(`access options: ${JSON.stringify(accessOpts)}`);
+
+        await create(opts.file, accessOpts);
+
+        logger.info(
+          "Successfully added a variable group in Azure DevOps project!"
+        );
+      } catch (err) {
+        logger.error(`Error occurred while creating variable group`);
+        logger.error(err);
+      }
+    });
+};
+
+/**
+ * Loads varible group manifest from a given filename
+ *
+ * @param filepath file to read manifest
+ * @param accessOpts Azure DevOps access options from command options to override spk config
+ */
+export const create = async (
+  filepath: string,
+  accessOpts: IAzureDevOpsOpts
+) => {
+  logger.info("Creating variale group");
+  try {
+    fs.statSync(filepath);
+    const data = readYaml<IVariableGroupData>(filepath);
+    logger.debug(`Varible Group Yaml data: ${JSON.stringify(data)}`);
+
+    // validate variable group type
+
+    let variableGroup: VariableGroup;
+
+    if (data.type === "AzureKeyVault") {
+      variableGroup = await addVariableGroupWithKeyVaultMap(data, accessOpts);
+    } else if (data.type === "Vsts") {
+      variableGroup = await addVariableGroup(data, accessOpts);
+    } else {
+      throw new Error(
+        `Varible Group type "${data.type}" is not supported. Only "Vsts" and "AzureKeyVault" are valid types and case sensitive.`
+      );
+    }
+  } catch (err) {
+    throw err;
+  }
+};

src/commands/variable-group/index.ts

@@ -0,0 +1,7 @@
+import { Command } from "../command";
+import { createCommandDecorator } from "./create";
+export const variableGroupCommand = Command(
+  "variable-group",
+  "Creates Variable Group in Azure DevOps project.",
+  [createCommandDecorator]
+);

src/config.ts

@@ -21,7 +21,7 @@ let spkConfig: IConfigYaml = {}; // DANGEROUS! this var is globally retrievable
  *
  * @param filepath filepath of the yaml file
  */
-const readYaml = <T>(filepath: string): T => {
+export const readYaml = <T>(filepath: string): T => {
   if (fs.existsSync(filepath)) {
     const contents = fs.readFileSync(filepath, "utf8");
     return yaml.safeLoad(contents) as T;

src/index.ts

@@ -20,6 +20,7 @@ import { infraCommand } from "./commands/infra";
 import { initCommandDecorator } from "./commands/init";
 import { projectCommand } from "./commands/project";
 import { serviceCommand } from "./commands/service";
+import { variableGroupCommand } from "./commands/variable-group";
 
 ////////////////////////////////////////////////////////////////////////////////
 // Instantiate core command object
@@ -33,7 +34,14 @@ const rootCommand = Command(
     },
     initCommandDecorator
   ],
-  [deploymentCommand, projectCommand, serviceCommand, infraCommand, hldCommand]
+  [
+    deploymentCommand,
+    projectCommand,
+    serviceCommand,
+    infraCommand,
+    hldCommand,
+    variableGroupCommand
+  ]
 );
 
 ////////////////////////////////////////////////////////////////////////////////