fix(webhooks): add optional service_account_id for authZ #348

Open
wants to merge 3 commits into
base: main

@parkedwards parkedwards commented Dec 24, 2024

resolves #346
resolves https://linear.app/prefect/issue/PLA-864/support-service-account-on-webhooks

in #261, we didn't include the option to set a service_account_id, which is required if the account has Webhook Auth enabled

cc: @EmilRex

Testing

resource "prefect_service_account" "service_account" {
  name              = "service-account"
  account_role_name = "Member"
}

resource "prefect_webhook" "target_webhook" {
  name    = "webhook"
  enabled = true
  template = jsonencode({
    event = "prefect.event.received"
    resource = {
      "prefect.resource.id"   = "prefect.event"
      "prefect.resource.name" = "Prefect Event"
    }
    data = "{{ body }}"
  })

  service_account_id = prefect_service_account.service_account.id
}

# ensure that the datasource also has the correct attribute set
data "prefect_webhook" "target_webhook" {
  id = prefect_webhook.target_webhook.id
}
output "service_account_id" {
  value = data.prefect_webhook.target_webhook.service_account_id
}

result:

➜ terraform apply --auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.prefect_webhook.target_webhook will be read during apply
  # (config refers to values not yet known)
 <= data "prefect_webhook" "target_webhook" {
      + created            = (known after apply)
      + description        = (known after apply)
      + enabled            = (known after apply)
      + id                 = (known after apply)
      + name               = (known after apply)
      + service_account_id = (known after apply)
      + slug               = (known after apply)
      + template           = (known after apply)
      + updated            = (known after apply)
    }

  # prefect_service_account.service_account will be created
  + resource "prefect_service_account" "service_account" {
      + account_id                 = (known after apply)
      + account_role_name          = "Member"
      + actor_id                   = (known after apply)
      + api_key                    = (sensitive value)
      + api_key_created            = (known after apply)
      + api_key_id                 = (known after apply)
      + api_key_name               = (known after apply)
      + created                    = (known after apply)
      + id                         = (known after apply)
      + name                       = "service-account"
      + old_key_expires_in_seconds = 0
      + updated                    = (known after apply)
    }

  # prefect_webhook.target_webhook will be created
  + resource "prefect_webhook" "target_webhook" {
      + account_id         = (known after apply)
      + created            = (known after apply)
      + enabled            = true
      + endpoint           = (known after apply)
      + id                 = (known after apply)
      + name               = "webhook"
      + service_account_id = (known after apply)
      + template           = jsonencode(
            {
              + data     = "{{ body }}"
              + event    = "prefect.event.received"
              + resource = {
                  + "prefect.resource.id"   = "prefect.event"
                  + "prefect.resource.name" = "Prefect Event"
                }
            }
        )
      + updated            = (known after apply)
      + workspace_id       = (known after apply)
        # (1 unchanged attribute hidden)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + service_account_id = (known after apply)
prefect_service_account.service_account: Creating...
prefect_service_account.service_account: Creation complete after 0s [id=6bf0eada-f6f0-4e9a-ac60-c29ba137c85c]
prefect_webhook.target_webhook: Creating...
prefect_webhook.target_webhook: Creation complete after 1s [id=7b9f4f3d-4c87-489b-b773-5f84aa7c1915]
data.prefect_webhook.target_webhook: Reading...
data.prefect_webhook.target_webhook: Read complete after 0s [id=7b9f4f3d-4c87-489b-b773-5f84aa7c1915]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

service_account_id = "6bf0eada-f6f0-4e9a-ac60-c29ba137c85c"

@github-actions github-actions bot added the docs label Dec 26, 2024
@parkedwards parkedwards marked this pull request as ready for review December 26, 2024 18:37
@parkedwards parkedwards requested a review from a team as a code owner December 26, 2024 18:37
@parkedwards parkedwards added the bugfix Fixing a bug label Dec 26, 2024
@parkedwards parkedwards changed the title add service_account_id to webhook resource schema fix(webhooks): add optional service_account_id for authZ Dec 26, 2024
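
A pre-apply gate for accounts that enforce Webhook Auth, as an added example (not part of this PR or the provider's code): it reads the JSON produced by `terraform show -json` and lists managed `prefect_webhook` resources planned without a `service_account_id`. The sample plan and the `prefect_webhook.legacy` and `prefect_webhook.retired` addresses are constructed for illustration.

```python
import json
import sys


def _rc(address, mode, actions, after, unknown):
    """Build one entry shaped like a plan's resource_changes item."""
    return {"address": address, "mode": mode, "type": "prefect_webhook",
            "change": {"actions": actions, "after": after,
                       "after_unknown": unknown}}


# Constructed sample; a real plan comes from `terraform show -json <planfile>`.
SAMPLE_PLAN = {"resource_changes": [
    # Same case as the apply above: the ID is "(known after apply)".
    _rc("prefect_webhook.target_webhook", "managed", ["create"],
        {"name": "webhook"}, {"service_account_id": True}),
    # Hypothetical webhook that never had a service account attached.
    _rc("prefect_webhook.legacy", "managed", ["update"],
        {"name": "legacy", "service_account_id": None}, {}),
    _rc("data.prefect_webhook.target_webhook", "data", ["read"],
        {}, {"service_account_id": True}),
    _rc("prefect_webhook.retired", "managed", ["delete"], None, {}),
]}


def webhooks_without_service_account(plan):
    """Return addresses of managed webhooks planned with no service account."""
    missing = []
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed" or rc.get("type") != "prefect_webhook":
            continue  # data sources and other resource types are out of scope
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # a webhook being destroyed needs no service account
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # A reference to a resource created in the same apply is absent from
        # "after" and flagged in "after_unknown": it is set, just not known yet.
        if unknown.get("service_account_id") is True:
            continue
        if not after.get("service_account_id"):
            missing.append(rc["address"])
    return missing


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    flagged = webhooks_without_service_account(plan)
    print("\n".join(flagged) or "all webhooks have a service_account_id")
    sys.exit(1 if flagged else 0)
```
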
Successfully merging this pull request may close these issues.

Support Service Account on Webhooks