Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The terraform output from a provisioned API-mgmt service returns an scm_url with no credentials. #3002

Closed
NathanielRose opened this issue Mar 5, 2019 · 5 comments

Comments

@NathanielRose
Copy link

NathanielRose commented Mar 5, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The terraform output from a provisioned API-mgmt service returns an scm_url with no credentials. This requires us to run a separate script to generate the tokens for us to push to the repo.

New or Affected Resource(s)

  • azurerm_api_management

Potential Terraform Configuration

It would be better to have the url pass some sore of tokens or credentials for a user to begin cloning the API management service repo. Once keys are generated you then have to deploy your commit to the API-mgmt service through the rest api adding another step in an automated script.

nmrose@MININT-IQPVRH0:/mnt/c/Users/naros/Desktop/FY19/k8s/microsoft/api-mgmt/bedrock/cluster/azure/api-mgmt$ terraform init
Initializing modules...
- module.azure-provider

Initializing provider plugins...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
nmrose@MININT-IQPVRH0:/mnt/c/Users/naros/Desktop/FY19/k8s/microsoft/api-mgmt/bedrock/cluster/azure/api-mgmt$ terraform apply
var.location
  The location/region where the api management service will be deployed. The full list of Azure regions can be found at https://azure.microsoft.com/regions

  Enter a value: West US


An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + azurerm_api_management.apimgmt
      id:                        <computed>
      gateway_regional_url:      <computed>
      gateway_url:               <computed>
      hostname_configuration.#:  <computed>
      location:                  "westus"
      management_api_url:        <computed>
      name:                      "acctapimgmt"
      notification_sender_email: <computed>
      portal_url:                <computed>
      public_ip_addresses.#:     <computed>
      publisher_email:           "terraform@mycompany.co"
      publisher_name:            "mycompany.co"
      resource_group_name:       "myapimgmt-rg"
      scm_url:                   <computed>
      security.#:                <computed>
      sku.#:                     "1"
      sku.0.capacity:            "1"
      sku.0.name:                "Premium"
      tags.%:                    <computed>

  + azurerm_resource_group.apimgmt
      id:                        <computed>
      location:                  "westus"
      name:                      "myapimgmt-rg"
      tags.%:                    <computed>


Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_resource_group.apimgmt: Creating...
  location: "" => "westus"
  name:     "" => "myapimgmt-rg"
  tags.%:   "" => "<computed>"
azurerm_resource_group.apimgmt: Creation complete after 4s (ID: /subscriptions/7060bca0-7a3c-44bd-b54c-4bb1e9facfac/resourceGroups/myapimgmt-rg)
azurerm_api_management.apimgmt: Creating...
  gateway_regional_url:      "" => "<computed>"
  gateway_url:               "" => "<computed>"
  hostname_configuration.#:  "" => "<computed>"
  location:                  "" => "westus"
  management_api_url:        "" => "<computed>"
  name:                      "" => "acctapimgmt"
  notification_sender_email: "" => "<computed>"
  portal_url:                "" => "<computed>"
  public_ip_addresses.#:     "" => "<computed>"
  publisher_email:           "" => "terraform@mycompany.co"
  publisher_name:            "" => "mycompany.co"
  resource_group_name:       "" => "myapimgmt-rg"
  scm_url:                   "" => "<computed>"
  security.#:                "" => "<computed>"
  sku.#:                     "" => "1"
  sku.0.capacity:            "" => "1"
  sku.0.name:                "" => "Premium"
  tags.%:                    "" => "<computed>"
azurerm_api_management.apimgmt: Still creating... (17m21s elapsed)
azurerm_api_management.apimgmt: Creation complete after 17m30s (ID: /subscriptions/7060bca0-7a3c-44bd-b54c-...soft.ApiManagement/service/acctapimgmt)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

scm_url = https://acctapimgmt.scm.azure-api.net

References

@tombuildsstuff
Copy link
Contributor

hey @NathanielRose

Thanks for splitting this out into it's own issue :)

Out of interest, would it be possible to provide an example of the script you're using to obtain these credentials? I'm assuming this calls either the Tenant Access API or the Tenant Access Git API - but it'd be good to confirm which so that we could look to add support for this.

Thanks!

@NathanielRose
Copy link
Author

NathanielRose commented Mar 20, 2019

Hey @tombuildsstuff ,

It was a bit confusing at first on how to obtain the credentials which turns out does not involved the Tenant Access API or the Tenant Access Git API. Here is a code snippet we currently are using for it.

#!/bin/sh
while getopts :b:f:g:k:d: option 
do 
 case "${option}" in 
 b) subscription_id=${OPTARG};;
 f) rg_name=${OPTARG};; 
 g) service_name=${OPTARG};; 
 k) api_config_repo=${OPTARG};; 
 d) authorization_bearer=${OPTARG};;
 esac
done 

urlencode() {
  python -c 'import urllib, sys; print urllib.quote(sys.argv[1], sys.argv[2])' \
    "$1" "$urlencode_safe"
}

expire_time=$(date -d "+1 days" +%FT%TZ)

response_out=$(curl -X \
    POST -d '{"api-version":"2018-06-01-preview", "keyType":"primary", "expiry": "'"$expiry_time"'"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer "'"$bearer_token"'" \
   https://management.azure.com/subscriptions/${subscription_id}/resourceGroups/${rg_name}/providers/Microsoft.ApiManagement/service/${service_name}/tenant/configuration/git?api-version=2018-06-01-preview&keyType=primary&expiry=$expire_time)

token=$(urlencode $(echo $response_out | jq '.value' --raw-output))

git clone https://apim:$token@$service_name.scm.azure-api.net

@ghost ghost removed the waiting-response label Mar 20, 2019
@NathanielRose
Copy link
Author

NathanielRose commented Mar 27, 2019

Hey @tombuildsstuff ,

We have built an improved script for API Management with terraform deployment here https://github.com/Microsoft/bedrock/tree/api-mgmt/cluster/environments/azure-api-mgmt

Any updates on a new version of the API Management provider?

@tombuildsstuff tombuildsstuff modified the milestones: v1.24.0, v1.25.0 Apr 1, 2019
@tombuildsstuff tombuildsstuff modified the milestones: v1.25.0, v1.26.0 Apr 10, 2019
@katbyte katbyte modified the milestones: v1.26.0, v1.27.0 Apr 17, 2019
@tombuildsstuff tombuildsstuff modified the milestones: v1.28.0, v1.29.0 May 7, 2019
@tombuildsstuff tombuildsstuff modified the milestones: v1.29.0, Future May 22, 2019
@favoretti
Copy link
Collaborator

Since this issue has been reported a long time ago and relates to the version of provider we no longer support - I'm going to close it. Please open a new updated bug report if this is still relevant. Thank you.

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

4 participants