Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

storage: upgrade giovanni SDK and support AAD auth #24798

Merged
merged 14 commits into from
Mar 14, 2024

Conversation

manicminer
Copy link
Contributor

@manicminer manicminer commented Feb 6, 2024

Storage Data Plane upgrades and support for AAD authentication

  • Use latest tombuildsstuff/giovanni which has switched to the go-azure-sdk base layer
  • Support for sdk-level retries for known eventually consistent scenarios
  • Support for AAD authentication for all data plane APIs (where the API supports it).
    • azurerm_storage_share and azurerm_storage_table will continue to use shared key authentication due to API limitations (official docs)
  • Refactor data plane client helpers to be operation-aware, so that supported authentication methods can be determined not just
    by endpoint but also by the capabilities of the operation (enables more granular support for preferred authentication methods).
  • Adopt data plane resource IDs from tombuildsstuff/giovanni- Some tidying of provider package - move helper functions into own source file
  • Some tidying of services/storage/client package - move data plane client helpers into own source file and add support for parsing out a storage account endpoint for constructing a data plane ID
  • internal/common: adopt client.BaseClient interface from go-azure-sdk to support more SDK base clients
  • internal/provider: move helper functions into own source file

CHANGELOG

  • dependencies: updating to v0.25.1 of github.com/tombuildsstuff/giovanni
  • data.azurerm_storage_table_entities - support for AAD authentication
  • data.azurerm_storage_table_entity - support for AAD authentication
  • azurerm_storage_share_file - support for AAD authentication
  • azurerm_storage_share_directory - support for AAD authentication, deprecate share_name and storage_account_name in favor of storage_share_id
  • azurerm_storage_table_entity - support for AAD authentication, deprecate share_name and storage_account_name in favor of storage_table_id
  • azurerm_storage_table_entity - support for AAD authentication

Depends on:

Closes: #22467

@katbyte
Copy link
Collaborator

katbyte commented Feb 16, 2024

does this close #24213? and unblock #22583?

@manicminer
Copy link
Contributor Author

@katbyte Yes and yes 👍

@manicminer manicminer force-pushed the feature/storage-aad-auth branch from 5f859e4 to d61675f Compare February 20, 2024 12:32
@manicminer manicminer force-pushed the feature/storage-aad-auth branch 3 times, most recently from ab0d29a to 82a7b7c Compare February 20, 2024 12:46
@manicminer manicminer force-pushed the feature/storage-aad-auth branch from 82a7b7c to b76ce67 Compare February 20, 2024 12:51
@manicminer manicminer force-pushed the feature/storage-aad-auth branch from b76ce67 to 256ec27 Compare February 20, 2024 13:25
@manicminer manicminer force-pushed the feature/storage-aad-auth branch from 256ec27 to d238691 Compare February 20, 2024 13:30
@manicminer manicminer marked this pull request as ready for review February 20, 2024 13:30
@manicminer manicminer force-pushed the feature/storage-aad-auth branch from d238691 to e01fadf Compare February 24, 2024 02:08
@manicminer manicminer force-pushed the feature/storage-aad-auth branch from e01fadf to 170d597 Compare February 24, 2024 02:09
@manicminer manicminer force-pushed the feature/storage-aad-auth branch from 170d597 to 28a803d Compare February 24, 2024 02:14
Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comments from a partial review inline

@@ -244,7 +243,7 @@ func (r KubernetesFluxConfigurationResource) Arguments() map[string]*pluginsdk.S
"container_id": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: storageValidate.StorageContainerDataPlaneID,
ValidateFunc: validation.IsURLWithPath, // note: storage domain suffix cannot be determined at validation time, so just make sure it's a well-formed URL
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whilst we don't have access to the Environment that doesn't mean we couldn't necessarily do an opt-in enhanced validation here? e.g. expose a global variable for StorageDomainSuffix that's set in a similar manner as we do for Locations and then conditionally validate the domain name, else just check the Path matches?

Copy link
Contributor Author

@manicminer manicminer Mar 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't see a race-free way to achieve this, since the environment (cloud) can be set in provider configuration as well as via environment variable - building the provider also occurs post-validation so we still can't determine the appropriate domain?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work with populating a global variable! Validation function is updated accordingly :)

output.ContainerName = &id.Name
output.Url = pointer.To(strings.TrimSuffix(input.ContainerID, "/"+id.Name))
output.ContainerName = &id.ContainerName
output.Url = pointer.To(strings.TrimSuffix(input.ContainerID, "/"+id.ContainerName))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps pedantic but couldn't we make this:

Suggested change
output.Url = pointer.To(strings.TrimSuffix(input.ContainerID, "/"+id.ContainerName))
output.Url = pointer.To(fmt.Sprintf("https://%s", id.Domain))

(or add a function to return this value?)

That'd allow the usage of this Resource ID to be better highlighted, to help us determine the impact of a change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this can be a lot better. I've reworked so that presumptions about the URL structure are removed from the resource and instead it leans on the ID() method of the underlying AccountId (in both the flatten and expand functions).

}
}

func (client Client) ConfigureDataPlane(ctx context.Context, baseUri, clientName string, baseClient client.BaseClient, account accountDetails, operation DataPlaneOperation) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this need to be public/exported?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not 👍

Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aside from a couple comments and the ones Tom left this LGTM 💾

if err != nil {
return fmt.Errorf("parsing ace list: %s", err)
return fmt.Errorf("retrieving Account %q for Data Lake Filesystem %q: %v", accountResourceManagerId.StorageAccountName, filesystemName, err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should these all be noted as Gen2?

Suggested change
return fmt.Errorf("retrieving Account %q for Data Lake Filesystem %q: %v", accountResourceManagerId.StorageAccountName, filesystemName, err)
return fmt.Errorf("retrieving Account %q for Data Lake Gen2 Filesystem %q: %v", accountResourceManagerId.StorageAccountName, filesystemName, err)

if utils.ResponseWasNotFound(storageAccount.Response) {
return fmt.Errorf("%s was not found", storageID)
}
return fmt.Errorf("building Data Lake Filesystems Client: %v", err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

etc

Suggested change
return fmt.Errorf("building Data Lake Filesystems Client: %v", err)
return fmt.Errorf("building Data Lake Gen2 Filesystems Client: %v", err)

@manicminer
Copy link
Contributor Author

Latest test results

Screenshot 2024-03-14 at 11 01 30
Screenshot 2024-03-14 at 11 01 40

@manicminer manicminer merged commit 5c9b4dd into main Mar 14, 2024
28 of 29 checks passed
@manicminer manicminer deleted the feature/storage-aad-auth branch March 14, 2024 11:03
@github-actions github-actions bot added this to the v3.96.0 milestone Mar 14, 2024
manicminer added a commit that referenced this pull request Mar 14, 2024
reastyn pushed a commit to reastyn/terraform-provider-azurerm that referenced this pull request Mar 14, 2024
dduportal referenced this pull request in jenkins-infra/azure Mar 18, 2024
<Actions>
<action
id="f410411e63aff4bb73a81c2aec1d373cf8a903e63b30dee2006b0030d8a94cc8">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>changes detected:&#xA;&#x9;&#34;hashicorp/azurerm&#34; updated from
&#34;3.95.0&#34; to &#34;3.96.0&#34; in file
&#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.96.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.96.0&#xA;ENHANCEMENTS:&#xD;&#xA;&#xD;&#xA;*
dependencies: updating to `v0.20240314.1083835` of
`github.com/hashicorp/go-azure-sdk`
([#25255](https://github.com/hashicorp/terraform-provider-azurerm/issues/25255))&#xD;&#xA;*
dependencies: updating to `v0.25.1` of
`github.com/tombuildsstuff/giovanni`
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
dependencies: updating to `v1.33.0` of `google.golang.org/protobuf`
([#25243](https://github.com/hashicorp/terraform-provider-azurerm/issues/25243))&#xD;&#xA;*
`storage`: updating the data plane resources to use the transport layer
from `hashicorp/go-azure-sdk` rather than `Azure/go-autorest`
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
Data Source: `azurerm_storage_table_entities` - support for AAD
authentication
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
Data Source: `azurerm_storage_table_entity` - support for AAD
authentication
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
`azurerm_kusto_cluster` - support `None` pattern for the
`virtual_network_configuration` block
([#24733](https://github.com/hashicorp/terraform-provider-azurerm/issues/24733))&#xD;&#xA;*
`azurerm_linux_function_app` - support for the Node `20` runtime
([#24073](https://github.com/hashicorp/terraform-provider-azurerm/issues/24073))&#xD;&#xA;*
`azurerm_linux_function_app_slot` - support for the Node `20` runtime
([#24073](https://github.com/hashicorp/terraform-provider-azurerm/issues/24073))&#xD;&#xA;*
`azurerm_stack_hci_cluster` - support the `identity`, `cloud_id`,
`service_endpoint` and `resource_provider_object_id` properties
[GH-25031]&#xD;&#xA;* `azurerm_storage_share_file` - support for AAD
authentication
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
`azurerm_storage_share_directory` - support for AAD authentication,
deprecate `share_name` and `storage_account_name` in favor of
`storage_share_id`
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
`azurerm_storage_table_entity` - support for AAD authentication,
deprecate `share_name` and `storage_account_name` in favor of
`storage_table_id`
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
`azurerm_storage_table_entity` - support for AAD authentication
([#24798](https://github.com/hashicorp/terraform-provider-azurerm/issues/24798))&#xD;&#xA;*
`azurerm_windows_function_app` - support for the Node `20` runtime
([#24073](https://github.com/hashicorp/terraform-provider-azurerm/issues/24073))&#xD;&#xA;*
`azurerm_windows_function_app_slot` - support for the Node `20` runtime
([#24073](https://github.com/hashicorp/terraform-provider-azurerm/issues/24073))&#xD;&#xA;*
`azurerm_windows_web_app` - support for the Node `20` runtime
([#24073](https://github.com/hashicorp/terraform-provider-azurerm/issues/24073))&#xD;&#xA;*
`azurerm_windows_web_app_slot` - support for the Node `20` runtime
([#24073](https://github.com/hashicorp/terraform-provider-azurerm/issues/24073))&#xD;&#xA;&#xD;&#xA;BUG
FIXES:&#xD;&#xA;&#xD;&#xA;* `azurerm_container_app_custom_domain` - fix
resource ID parsing bug preventing import
([#25192](https://github.com/hashicorp/terraform-provider-azurerm/issues/25192))&#xD;&#xA;*
`azurerm_windows_web_app` - fix incorrect warning message when checking
name availability
([#25214](https://github.com/hashicorp/terraform-provider-azurerm/issues/25214))&#xD;&#xA;*
`azurerm_virtual_machine_run_command` - prevent a bug during updates
([#25186](https://github.com/hashicorp/terraform-provider-azurerm/issues/25186))&#xD;&#xA;*
Data Source: `azurerm_storage_table_entities` - Fix `items.x.properties`
truncating to one entry
([#25211](https://github.com/hashicorp/terraform-provider-azurerm/issues/25211))</pre>
            </details>
        </details>
<a
href="https://infra.ci.jenkins.io/job/updatecli/job/azure/job/main/52/">Jenkins
pipeline link</a>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 18, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.