Add az_key_name support at glue script level only (#263)

Add validation and hana_media.yaml write of this new parameter. In a second commit it will be used to generate the SAS token in Ansible.
SUSE · Aug 30, 2024 · f3e2b04 · f3e2b04
1 parent a59df8e
commit f3e2b04
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 53 deletions.
diff --git a/docs/secure_storage_account.md b/docs/secure_storage_account.md
@@ -49,19 +49,21 @@ az storage container create -n sapmedia --account-name qesapmedia
 ## Allowing secure access the SAS tokens
 
 If the storage account and container were created using the above
-instructions then the blobs stored within will not be available to the
+instructions then the blobs stored within will be available to the
 public. To allow secure, private access to blobs a SAS token needs to
-be generated. SAS tokens have start and expiration dates, allowing
-tokens to expire over time. To create a SAS token which allows read only
-access and expires on 1/1/2025 for the container created with the above
+be generated.
+SAS tokens have start and expiration dates, allowing tokens
+to expire over time.
+To create a SAS token which allows read only access and expires on
+a specific date for the container created with the above
 instructions, run the following:
 
 ```shell
 az storage container generate-sas --account-name qesapmedia --expiry 2025-01-01 --name sapmedia --permissions r
 ```
 
 A token will be returned in the form of a string. Copy this token and store it
-securely. This token will not be recoverable from Azure!
+securely. This token will not be recoverable from Azure neither manually revokable!
 
 ## Uploading blobs
 
@@ -88,8 +90,7 @@ no public access to the data.
 
 ## How to consume with Ansible
 
-The old playbook used to take a single variable which was a list of blob urls.
-The new version of the playbook will take four variables:
+The playbook will take four variables:
 
 * az_storage_account_name: string
 * az_container_name:       string
@@ -102,8 +103,3 @@ correctly.
 The playbook will compile the complete urls and download the media to `hana_download_path`
 which by default is `/hana/shared/install`.
 
-## Next Steps
-
-The proposal at the moment is to have a long standing SAS token which is
-reusable, however, a better approach may be use short lived SAS tokens
-which are generated on demand.
diff --git a/scripts/qesap/lib/cmds.py b/scripts/qesap/lib/cmds.py
@@ -58,6 +58,8 @@ def create_hana_media(config_ansible, apiver):
     hanamedia_content['az_container_name'] = config_ansible['az_container_name']
     if 'az_sas_token' in config_ansible:
         hanamedia_content['az_sas_token'] = config_ansible['az_sas_token']
+    if 'az_key_name' in config_ansible:
+        hanamedia_content['az_key_name'] = config_ansible['az_key_name']
     hanamedia_content['az_blobs'] = config_ansible['hana_media']
     return hanamedia_content, None
 

diff --git a/scripts/qesap/lib/config.py b/scripts/qesap/lib/config.py
@@ -206,22 +206,25 @@ def validate_ansible_media_config(ansible_conf, apiver):
         if apiver < 3:
             log.error("Apiver: %d is no longer supported", apiver)
             return False
+
         if 'hana_media' not in ansible_conf or ansible_conf['hana_media'] is None:
             log.error("Missing or empty 'hana_media' in 'ansible' in the config")
             return False
+
         for media in ansible_conf['hana_media']:
             match = re.search(r'^http[s]?://.*', media)
             if match:
                 log.error("Media %s provided as full url. File name expected.", media)
                 return False
-        if 'az_storage_account_name' not in ansible_conf:
-            log.error("Missing 'az_storage_account_name' in 'ansible' in the config")
-            return False
-        if 'az_container_name' not in ansible_conf:
-            log.error("Missing 'az_container_name' in 'ansible' in the config")
+
+        for var in ['az_storage_account_name', 'az_container_name']:
+            if var not in ansible_conf:
+                log.error("Missing '%s' in 'ansible' in the config", var)
+                return False
+
+        if 'az_sas_token' not in ansible_conf and 'az_key_name' not in ansible_conf:
+            log.error("Both az_sas_token and az_key_name missing in the config")
             return False
-        if 'az_sas_token' not in ansible_conf:
-            log.warning("Missing 'az_sas_token' in 'ansible' in the config")
         return True
 
     def has_ansible_playbooks(self, sequence):

diff --git a/scripts/qesap/test/conftest.py b/scripts/qesap/test/conftest.py
@@ -73,6 +73,7 @@ def config_yaml_sample():
 ansible:
   az_storage_account_name: SOMEONE
   az_container_name: SOMETHING
+  az_sas_token: SECRET
   hana_media:
     - SAPCAR_EXE
     - SAP_HANA_EXE
@@ -111,6 +112,7 @@ def config_yaml_sample_for_terraform():
 ansible:
   az_storage_account_name: SOMEONE
   az_container_name: SOMETHING
+  az_sas_token: SECRET
   hana_media:
     - SAPCAR_EXE
     - SAP_HANA_EXE
@@ -177,6 +179,7 @@ def _callback(provider, playbooks):
 ansible:
     az_container_name: pippo
     az_storage_account_name: pippo
+    az_sas_token: SECRET
     hana_media:
     - pippo"""
 
@@ -425,6 +428,7 @@ def validate_hana_media():
     az_storage_account_name: <ACCOUNT>
     az_container_name:       <CONTAINER>
     az_sas_token:            <SAS_TOKEN>
+    az_key_name:             <KEY>
     az_blobs:
       - <SAPCAR_EXE>
       - <IMDB_SERVER_SAR>
@@ -437,6 +441,7 @@ def _callback(
         account="ACCOUNT",
         container="CONTAINER",
         token=None,
+        key=None,
         sapcar="SAPCAR_EXE",
         imdb_srv="IMDB_SERVER_SAR",
         imdb_cln="IMDB_CLIENT_SAR",
@@ -479,6 +484,19 @@ def _callback(
                         f"az_sas_token value is {data['az_sas_token']} and not expected {token}",
                     )
 
+            # az_key_name is optional, test it only if requested
+            if key:
+                if "az_key_name" not in data:
+                    return (
+                        False,
+                        "az_key_name missing in the generated hana_media.yaml",
+                    )
+                if key != data["az_key_name"]:
+                    return (
+                        False,
+                        f"az_key_name value is {data['az_key_name']} and not expected {key}",
+                    )
+
             blob_key = "az_blobs"
             if blob_key not in data:
                 return (

diff --git a/scripts/qesap/test/e2e/test_3.yaml b/scripts/qesap/test/e2e/test_3.yaml
@@ -11,3 +11,4 @@ ansible:
   hana_urls: mirtillo
   az_storage_account_name: ribes
   az_container_name: uvaspina
+  az_sas_token: SECRET
diff --git a/scripts/qesap/test/unit/test_qesap_ansible.py b/scripts/qesap/test/unit/test_qesap_ansible.py
@@ -381,6 +381,7 @@ def test_ansible_playbook_argument(
 ansible:
     az_storage_account_name: pippo
     az_container_name: pippo
+    az_sas_token: SECRET
     hana_media:
     - somesome
     create:
@@ -432,6 +433,7 @@ def test_ansible_e_reg(
 ansible:
     az_storage_account_name: pippo
     az_container_name: pippo
+    az_sas_token: SECRET
     hana_media:
     - somesome
     create:
@@ -490,6 +492,7 @@ def test_ansible_e_sapconf(
 ansible:
     az_storage_account_name: pippo
     az_container_name: pippo
+    az_sas_token: SECRET
     hana_media:
     - somesome
     create:
@@ -746,6 +749,7 @@ def test_ansible_env_roles_path(
 ansible:
     az_storage_account_name: pippo
     az_container_name: pippo
+    az_sas_token: SECRET
     hana_media:
     - somesome
     roles_path: somewhere