Add azuredevops_serviceendpoint_aws_terraform resource #767
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jwoffindin
changed the title
|
@microsoft-github-policy-service agree |
xuzhang3
requested changes
May 19, 2023
There was a problem hiding this comment.
@jwoffindin Acctest failed:
=== PAUSE TestAccServiceEndpointAwsTerraform_Basic
=== CONT TestAccServiceEndpointAwsTerraform_Basic
resource_serviceendpoint_aws_terraform_test.go:17: Step 1/1 error: Check failed: Check 6/7 error: azuredevops_serviceendpoint_aws_terraform.test: Attribute 'region' expected "", got "us-east-1"
--- FAIL: TestAccServiceEndpointAwsTerraform_Basic (58.08s)
FAIL
FAIL
azuredevops/internal/service/serviceendpoint/resource_serviceendpoint_aws_terraform.go
Show resolved
Hide resolved
azuredevops/internal/service/serviceendpoint/resource_serviceendpoint_aws_terraform.go
Outdated
Show resolved
Hide resolved
azuredevops/internal/service/serviceendpoint/resource_serviceendpoint_aws_terraform.go
Outdated
Show resolved
Hide resolved
azuredevops/internal/service/serviceendpoint/resource_serviceendpoint_aws_terraform.go
Outdated
Show resolved
Hide resolved
xuzhang3
requested changes
May 19, 2023
There was a problem hiding this comment.
@jwoffindin Acctest failed:
=== PAUSE TestAccServiceEndpointAwsTerraform_Basic
=== CONT TestAccServiceEndpointAwsTerraform_Basic
resource_serviceendpoint_aws_terraform_test.go:17: Step 1/1 error: Check failed: Check 6/7 error: azuredevops_serviceendpoint_aws_terraform.test: Attribute 'region' expected "", got "us-east-1"
--- FAIL: TestAccServiceEndpointAwsTerraform_Basic (58.08s)
FAIL
FAIL
|
Please update the latest code from upstream, we recently upgrade the API from v6 to v7. |
Why: Microsoft Labs publish an extension "Terraform Extension for Azure DevOps" <https://github.com/microsoft/azure-pipelines-terraform>. It provides high-level wapper around terraform for Azure DevOps pipelines and adds 3 custom service endpoints (AWS, GCP and Azure) that can be used from Azure Pipeline. I want to use this library with Azure DevOps to deploy into my AWS account. Unfortunately this extension does _not_ work with the standard AWS service endpoint. If you try to use standard `aws` endpoint, the pipeline fails with: > Job Terraform: Step input backendServiceAWS expects a service connection of type AWSServiceEndpoint but the provided service connection XXX is of type aws. This change addresses the need by: * Adding a new resource implementation `azuredevops_serviceendpoint_aws_terraform`. It is pretty much a rip-off of the existing aws endpoint provider with change to type and the parameters it accepts (only access key/secret and region). * Adding unit and integration tests. Again, a blatant rip-off of the existing aws endpoint tests. * Add webpage documentation for the new provide. Note this change only adds support for AWS backend. It does not add support for the GCP/Azure backends - I don't have enough experience to validate a provider for these environments. Refs: microsoft#675
Co-authored-by: xuzhang3 <[email protected]>
Why: Microsoft Labs publish an extension "Terraform Extension for Azure DevOps" <https://github.com/microsoft/azure-pipelines-terraform>. It provides high-level wapper around terraform for Azure DevOps pipelines and adds 3 custom service endpoints (AWS, GCP and Azure) that can be used from Azure Pipeline. I want to use this library with Azure DevOps to deploy into my AWS account. Unfortunately this extension does _not_ work with the standard AWS service endpoint. If you try to use standard `aws` endpoint, the pipeline fails with: > Job Terraform: Step input backendServiceAWS expects a service connection of type AWSServiceEndpoint but the provided service connection XXX is of type aws. This change addresses the need by: * Adding a new resource implementation `azuredevops_serviceendpoint_aws_terraform`. It is pretty much a rip-off of the existing aws endpoint provider with change to type and the parameters it accepts (only access key/secret and region). * Adding unit and integration tests. Again, a blatant rip-off of the existing aws endpoint tests. * Add webpage documentation for the new provide. Note this change only adds support for AWS backend. It does not add support for the GCP/Azure backends - I don't have enough experience to validate a provider for these environments. Refs: microsoft#675
Why: * Service connector expects all fields (access key/secret/region) to be present.
feedback from @xuzhang3 "Hash function has been deprecated and can be removed."
xuzhang3
requested changes
May 30, 2023
| sessionToken := "foobar" | ||
| rta := "rta" | ||
| rsn := "rsn" | ||
| externalId := "external_id" |
There was a problem hiding this comment.
external_id not in the schema, can be deleted
| resource.TestCheckResourceAttr(tfSvcEpNode, "secret_access_key", "secretkey"), | ||
| resource.TestCheckResourceAttr(tfSvcEpNode, "description", description), | ||
| resource.TestCheckResourceAttr(tfSvcEpNode, "region", "us-east-1"), | ||
| resource.TestCheckResourceAttr(tfSvcEpNode, "external_id", externalId), |
There was a problem hiding this comment.
external_id not in the schema, can be deleted
| region = "us-east-1" | ||
| service_endpoint_name = "%s" | ||
| description = "%s" | ||
| external_id = "%s" |
There was a problem hiding this comment.
external_id not in the schema, can be deleted
| return fmt.Sprintf("%s\n%s", projectResource, serviceEndpointResource) | ||
| } | ||
|
|
||
| func hclSvcEndpointAwsTerraformResourceComplete(projectName string, serviceEndpointName string, description string, sessionToken string, rta string, rsn string, externalId string) string { |
There was a problem hiding this comment.
essionToken, rta s, rsn
Suggested change
| func hclSvcEndpointAwsTerraformResourceComplete(projectName string, serviceEndpointName string, description string, sessionToken string, rta string, rsn string, externalId string) string { | |
| func hclSvcEndpointAwsTerraformResourceComplete(projectName, serviceEndpointName, description string) string { |
| DefaultFunc: schema.EnvDefaultFunc("AZDO_TF_AWS_SERVICE_CONNECTION_SECRET_ACCESS_KEY", nil), | ||
| Description: "The AWS secret access key for signing programmatic requests.", | ||
| Sensitive: true, | ||
| DiffSuppressFunc: tfhelper.DiffFuncSuppressSecretChanged, |
There was a problem hiding this comment.
DiffSuppressFunc can delete as it is used by the deprecate hash fucntion.
Comment on lines
+61
to
+65
| tfhelper.HelpFlattenSecret(d, "secret_access_key") | ||
|
|
||
| d.Set("access_key_id", (*serviceEndpoint.Authorization.Parameters)["username"]) | ||
| d.Set("secret_access_key", (*serviceEndpoint.Authorization.Parameters)["password"]) | ||
| d.Set("region", (*serviceEndpoint.Authorization.Parameters)["region"]) |
There was a problem hiding this comment.
Sensitive data will always be returned as empty string. Leave unchange or get the value from the HCL.
Suggested change
| tfhelper.HelpFlattenSecret(d, "secret_access_key") | |
| d.Set("access_key_id", (*serviceEndpoint.Authorization.Parameters)["username"]) | |
| d.Set("secret_access_key", (*serviceEndpoint.Authorization.Parameters)["password"]) | |
| d.Set("region", (*serviceEndpoint.Authorization.Parameters)["region"]) | |
| tfhelper.HelpFlattenSecret(d, "secret_access_key") | |
| d.Set("secret_access_key", d.Get("secret_access_key").(string)) | |
| d.Set("access_key_id", (*serviceEndpoint.Authorization.Parameters)["username"]) | |
| d.Set("region", (*serviceEndpoint.Authorization.Parameters)["region"]) |
| CheckDestroy: testutils.CheckServiceEndpointDestroyed(resourceType), | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: hclSvcEndpointAwsTerraformResourceComplete(projectName, serviceEndpointName, description, sessionToken, rta, rsn, externalId), |
There was a problem hiding this comment.
Suggested change
| Config: hclSvcEndpointAwsTerraformResourceComplete(projectName, serviceEndpointName, description, sessionToken, rta, rsn, externalId), | |
| Config: hclSvcEndpointAwsTerraformResourceComplete(projectName, serviceEndpointName, description), |
Comment on lines
+41
to
+43
| sessionToken := "foobar" | ||
| rta := "rta" | ||
| rsn := "rsn" |
There was a problem hiding this comment.
can be remove as not used
Comment on lines
+53
to
+54
| * [azure-pipelines-terraform](https://github.com/microsoft/azure-pipelines-terraform) | ||
| * [Azure DevOps Service REST API 6.0 - Agent Pools](https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-6.0) |
There was a problem hiding this comment.
Suggested change
| * [azure-pipelines-terraform](https://github.com/microsoft/azure-pipelines-terraform) | |
| * [Azure DevOps Service REST API 6.0 - Agent Pools](https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-6.0) | |
| * [Azure DevOps Service REST API 7.0 - Service connections](https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-7.0) | |
| * `access_key_id` - (Required) The AWS access key ID for signing programmatic requests. | ||
| * `secret_access_key` - (Required) The AWS secret access key for signing programmatic requests. | ||
| * `region` - (Required) The AWS region to send requests to. | ||
| * `description` - (Optional) The Service Endpoint description. Defaults to `Managed by Terraform`. |
There was a problem hiding this comment.
Suggested change
| * `description` - (Optional) The Service Endpoint description. Defaults to `Managed by Terraform`. | |
| --- | |
| * `description` - (Optional) The Service Endpoint description. Defaults to `Managed by Terraform`. |
xuzhang3
requested changes
May 30, 2023
There was a problem hiding this comment.
@jwoffindin A few changes requested, others looks good to me.
11 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why:
Microsoft Labs publish an extension "Terraform Extension for Azure DevOps" https://github.com/microsoft/azure-pipelines-terraform.
It provides high-level wapper around terraform for Azure DevOps pipelines and adds 3 custom service endpoints (AWS, GCP and Azure) that can be used from Azure Pipeline.
I want to use this library with Azure DevOps so I can use Terraform to manage my Azure DevOps pipelines that deploy into AWS.
Unfortunately this extension does not work with the standard AWS service endpoint. If you try to use standard
awsendpoint, the pipeline fails with:So currently I need to create and manage these service endpoints manually, rather than using Terraform, which makes me sad :-/
This change addresses the need by:
Adding a new resource implementation
azuredevops_serviceendpoint_aws_terraform. It is pretty much a rip-off of the existing aws endpoint provider with change to type and the parameters it accepts (only access key/secret and region).Adding unit and integration tests. Again, a blatant rip-off of the existing aws endpoint tests.
Add webpage documentation for the new provider.
Note this change only adds support for AWS backend. It does not add support for the GCP/Azure backends - I don't have enough experience to validate a provider for these environments.
Refs: #675
All Submissions:
What about the current behavior has changed?
No changes to existing functionality. It just adds a new resource. Note, that while this endpoint is AWS related, it's
not the same as the existing
azuredevops_serviceendpoint_awsprovider, confusingly enough.Issue Number: #675
This existing issue was raised for GCP and AWS, although the original author was more interested in GCP support.
This change should add the requested support for AWS.
Does this introduce a change to
go.mod,go.sumorvendor/?Does this introduce a breaking change?
Any relevant logs, error output, etc?
This is a new feature, so no existing logs.
Other information
Here's an example from my testing:
and attached a screenshot of service endpoint resource it creates :