feat: expose access group support in DA #314
Conversation
|
/run pipeline |
|
|
/run pipeline |
|
same error occurs on main branch, still can't figure out what changed. |
|
/run pipeline |
…nforced"<br>- The "standard" variation has been deprecated does not exist in this release (#300) BREAKING CHANGE: There is no upgrade path from the deprecated "Standard" DA variation to either of the new "Fully configurable" or "Security-enforced variations
|
/run pipeline |
|
/run pipeline |
1 similar comment
|
/run pipeline |
|
Only test currently failing locally is due to the validation bug introduced in secret-manager-secret-group v1.3. Fix for that here: terraform-ibm-modules/terraform-ibm-secrets-manager-secret-group#277 |
|
/run pipeline |
ocofaigh
left a comment
ocofaigh
left a comment
There was a problem hiding this comment.
I think we need to make this more flexible. Expose a "list of objects" type input where user can create multiple secret groups with associated access groups. Perhaps give it a default value with 1 group (General) with SecretsReader access, but it must be exposed.
We would need a markdown helper doc too so users will know the required format, and the variable descrption should link to it.
solutions/fully-configurable/main.tf
Outdated
| secrets_manager_guid = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager.secrets_manager_guid | ||
| secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn | ||
| secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region | ||
| secrets_manager_endpoint_type = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[3] : null) : var.secrets_manager_endpoint_type |
There was a problem hiding this comment.
There is already a variable for this var.secrets_manager_endpoint_type
solutions/fully-configurable/main.tf
Outdated
| } | ||
|
|
||
| module "secrets_manager_group" { | ||
| depends_on = [module.secrets_manager] |
There was a problem hiding this comment.
why the explicit depends_on? Its a bad practise, there is already an implicit dependency by passing the guid to this module
solutions/fully-configurable/main.tf
Outdated
| secret_group_name = "General" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value | ||
| secret_group_description = "Initially created secret group" #tfsec:ignore:general-secrets-no-plaintext-exposure | ||
| create_access_group = var.create_general_secret_group_access_group | ||
| access_group_name = "${var.prefix}-General-secrets-group-access-group" |
There was a problem hiding this comment.
prefix is optional (it can be null). Ensure to account for this like we do everywhere else prefix is used
|
@ocofaigh Switched it to the secrets object as an input. |
|
/run pipeline |
ocofaigh
left a comment
ocofaigh
left a comment
There was a problem hiding this comment.
The DA should only support creating secret group / access group. Not secrets too
| secret_group_name = "General" | ||
| create_access_group = true | ||
| access_group_name = "general-secrets-group-access-group" | ||
| access_group_roles = ["SecretsReader"] |
There was a problem hiding this comment.
Can we add secret_group_description value
| { | ||
| secret_group_name = "General" | ||
| create_access_group = true | ||
| access_group_name = "general-secrets-group-access-group" |
There was a problem hiding this comment.
hmm, this is going to cause us issues in our account since access group names have to be unique. Perhaps we override it in our tests?
| access_group_roles = optional(list(string)) | ||
| access_group_tags = optional(list(string)) | ||
| })) | ||
| description = "Secret Manager secret group configurations." |
There was a problem hiding this comment.
Description should mention about access group support too. And it should link to a helper markdown doc
| secret_group_name = string | ||
| secret_group_description = optional(string) | ||
| existing_secret_group = optional(bool, false) | ||
| create_access_group = optional(bool, false) |
There was a problem hiding this comment.
I would default this to true as a best practise
There was a problem hiding this comment.
if we default to true, have to set a default for access_group_roles
| type = list(object({ | ||
| secret_group_name = string | ||
| secret_group_description = optional(string) | ||
| existing_secret_group = optional(bool, false) |
There was a problem hiding this comment.
not sure we need to support existing_secret_group
|
/run pipeline |
| } | ||
| } | ||
|
|
||
| variable "secrets" { |
There was a problem hiding this comment.
This should be called secret_groups
| default = [ | ||
| { | ||
| secret_group_name = "General" | ||
| secret_group_description = "A general purpose secrets group with an associated access group" |
There was a problem hiding this comment.
| secret_group_description = "A general purpose secrets group with an associated access group" | |
| secret_group_description = "A general purpose secrets group with an associated access group which has a secrets reader role" |
| true if(group.create_access_group && group.access_group_roles == null) | ||
| ]) == 0 | ||
| } | ||
| } |
There was a problem hiding this comment.
I think this has to be set to nullable = false since there is a for loop used here. You should add it to the secrets input in both the root module and submodule too.
There was a problem hiding this comment.
@ocofaigh Is it possible to set one field inside the variable as not nullable?
There was a problem hiding this comment.
no, but the whole variable should be set to nullable = false because the for loop would fail if it was null. Use would just pass [] if they didnt wan't to create any groups
tests/pr_test.go
Outdated
| {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"}, | ||
| {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, | ||
| {Name: "service_plan", Value: "trial", DataType: "string"}, | ||
| {Name: "secrets", Value: []map[string]interface{}{ |
There was a problem hiding this comment.
you have duplicated this code in every test. Suggest to store it as a global variable and re-use it instead of duplicating it
ocofaigh
left a comment
ocofaigh
left a comment
There was a problem hiding this comment.
The diagram is not displaying well in dark mode
|
/run pipeline |
|
🎉 This PR is included in version 2.1.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Description
Release required?
x.x.X)x.X.x)X.x.x)Release notes content
Run the pipeline
If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.
Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:
Checklist for reviewers
For mergers