Resolve secrets in pipeline config outside of the environment. (#3866)

* Resolve secrets in pipeline config outside of the environment. // TODO: Figure out a better way to handle this, either by making config.Raw() resolve secrets, or by adding a new api RawResolved(). Need to review this with the team. * lint
Azure · May 7, 2024 · 651394c · 651394c
1 parent 94596da
commit 651394c
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/cli/azd/pkg/config/config.go b/cli/azd/pkg/config/config.go
@@ -27,6 +27,8 @@ var vaultPattern = regexp.MustCompile(
 // Configuration data is stored in user's home directory @ ~/.azd/config.json
 type Config interface {
  Raw() map[string]any
+ // similar to Raw() but it will resolve any vault references
+ ResolvedRaw() map[string]any
  Get(path string) (any, bool)
  GetString(path string) (string, bool)
  GetSection(path string, section any) (bool, error)
@@ -70,6 +72,39 @@ func (c *config) Raw() map[string]any {
  return c.data
 }
 
+// Gets the raw values stored in the configuration and resolve any vault references
+func (c *config) ResolvedRaw() map[string]any {
+ resolvedRaw := &config{
+ data: map[string]any{},
+ }
+ paths := paths(c.data)
+ for _, path := range paths {
+ // get will always return true (no need to check) because the path was gotten from the raw config
+ value, _ := c.Get(path)
+ if err := resolvedRaw.Set(path, value); err != nil {
+ panic(fmt.Errorf("failed setting resolved raw value: %w", err))
+ }
+ }
+ return resolvedRaw.data
+}
+
+// paths recursively traverses a map and returns a list of all the paths to the leaf nodes.
+// The start parameter is the initial map to start traversing from.
+// It returns a slice of strings representing the paths to the leaf nodes.
+func paths(start map[string]any) []string {
+ var all []string
+ for path, value := range start {
+ if node, isNode := value.(map[string]any); isNode {
+ for _, child := range paths(node) {
+ all = append(all, fmt.Sprintf("%s.%s", path, child))
+ }
+ } else {
+ all = append(all, path)
+ }
+ }
+ return all
+}
+
 // SetSecret stores the secrets at the specified path within a local user vault
 func (c *config) SetSecret(path string, value string) error {
  if c.vaultId == "" {

diff --git a/cli/azd/pkg/config/file_config_manager_test.go b/cli/azd/pkg/config/file_config_manager_test.go
@@ -97,6 +97,11 @@ func Test_FileConfigManager_GetSetSecrets(t *testing.T) {
  missingPassword, ok := updatedConfig.GetString("secrets.misingVaultRef")
  require.False(t, ok)
  require.Empty(t, missingPassword)
+
+ require.NotEqual(t, updatedConfig.Raw(), updatedConfig.ResolvedRaw())
+ require.Equal(t, azdConfig.Raw(), updatedConfig.Raw())
+ require.Equal(t, azdConfig.ResolvedRaw(), updatedConfig.ResolvedRaw())
+
 }
 
 func Test_FileConfigManager_GetSetSecretsInSection(t *testing.T) {

diff --git a/cli/azd/pkg/pipeline/pipeline_manager.go b/cli/azd/pkg/pipeline/pipeline_manager.go
@@ -357,7 +357,7 @@ func (pm *PipelineManager) Configure(ctx context.Context) (result *PipelineConfi
  // Adding environment.AzdInitialEnvironmentConfigName as a secret to the pipeline as the base configuration for
  // whenever a new environment is created. This means loading the local environment config into a pipeline secret which
  // azd will use to restore the the config on CI
- localEnvConfig, err := json.Marshal(pm.env.Config.Raw())
+ localEnvConfig, err := json.Marshal(pm.env.Config.ResolvedRaw())
  if err != nil {
  return result, fmt.Errorf("failed to marshal environment config: %w", err)
  }