Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ACI - added secure environment variables #2024

Merged
merged 24 commits into from
Oct 18, 2018
Merged

ACI - added secure environment variables #2024

merged 24 commits into from
Oct 18, 2018

Conversation

neilpeterson
Copy link
Contributor

@neilpeterson neilpeterson commented Oct 4, 2018

This PR adds Azure Container Instances secure environment variables.

Fundamentally the only difference between an environment variable and a secured variable is the value property name (Value vs. SecureValue), however for ease of use I am treating them as separate properties (seen in the below sample).

resource "azurerm_container_group" "both" {
  name                = "both"
  location            = "${azurerm_resource_group.vote-resource-group.location}"
  resource_group_name = "${azurerm_resource_group.vote-resource-group.name}"
  ip_address_type     = "public"
  os_type             = "linux"

  container {
    name   = "both"
    image  = "neilpeterson/nepetersv1"
    cpu    = "0.5"
    memory = "1.5"
    port   = "80"

    environment_variables {
      "NON_SECURE"  = "This is exposed in the portal and logs etc..."
    }

    secure_environment_variables {
      "SECURE"  = "This is not exposed in the portal and logs etc..."
    }

  }
}

@ghost ghost added the size/XXL label Oct 4, 2018
@neilpeterson
Copy link
Contributor Author

neilpeterson commented Oct 4, 2018

This PR replaces #1874

I am still working through the feedback and will give indication when this is ready for review.

@neilpeterson neilpeterson reopened this Oct 4, 2018
@neilpeterson

This comment has been minimized.

@neilpeterson

This comment has been minimized.

@neilpeterson
Copy link
Contributor Author

neilpeterson commented Oct 7, 2018

Outstanding Issues from corrupt PR:

#1874 (comment)

#1874 (comment)

@metacpp metacpp self-requested a review October 8, 2018 01:56
@metacpp metacpp changed the title Container group add secure variables ACI - added secure environment variables Oct 8, 2018
@metacpp
Copy link
Contributor

metacpp commented Oct 8, 2018

@metacpp in the old PR, you ask to rev the ACI SDK version. It seems this version introduces some changes which will require a refactor of the Terraform provider. Do you want the refactor + my additional functionality added in one PR, or would it be ok for me to add the functionality first, and then follow up with a PR to refactor the provider to the new SDK version?

#1874 (comment)

@neilpeterson please go ahead with current SDK version.

@metacpp
Copy link
Contributor

metacpp commented Oct 8, 2018

@metacpp can you point me towards the docs so that I can update. I am unable to locate them.

@neilpeterson Please add description for secure_environment_variables at:
https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/website/docs/r/container_group.html.markdown

Copy link
Contributor

@metacpp metacpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the missed documentation change in the PR.

vendor/vendor.json Outdated Show resolved Hide resolved
"path": "github.com/Azure/go-autorest/logger",
"revision": "a35eae345f69bbfbe3b8fa0b1d3fe98f8430b21a",
"revisionTime": "2018-08-30T19:44:05Z"
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to update go-autorest/logger here?

"revisionTime": "2018-08-30T19:44:05Z"
},
{
"checksumSHA1": "scpSozMdk4sqSpkbQqupLKUfLiM=",
"path": "github.com/Azure/go-autorest/version",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to change it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was unable to successfully run make vendor-status without this change.

vendor/vendor.json Outdated Show resolved Hide resolved
@hashicorp hashicorp deleted a comment from neilpeterson Oct 11, 2018
@neilpeterson
Copy link
Contributor Author

@metacpp thanks a bunch. I had checked the build and everything looked good. My apologies for these issues.

Copy link
Contributor

@metacpp metacpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@neilpeterson @jeffreyCline Please resolve the comment in PR.

ForceNew: true,
},

"sensitive_environment_variables": {
Copy link
Contributor

@metacpp metacpp Oct 16, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree, as this implies a higher level of security that isn't there since the values are persisted in the HCL file plan test. Since it is not encrypted I would feel better if we would expose it as sensitive and in the code pass it as secureValue as required by the API.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there was a misunderstanding that this wasn't surfacing something the API here internally. While these variable are not "secure" in Terraform, they are more secure in the container group and that is the name used in the API, so we should probably match it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, I have reverted back to using the secure name instead of sensitive.

@ghost ghost added size/XXL and removed size/XL labels Oct 17, 2018
@WodansSon
Copy link
Collaborator

image

Copy link
Contributor

@metacpp metacpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but please do more testing.

Copy link
Collaborator

@WodansSon WodansSon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, more testing is needed and more test cases need to be added, but this is a functional resource for the happy path scenario.

Copy link
Collaborator

@WodansSon WodansSon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@katbyte Appreciate the updates to the lookup, code LGTM

@katbyte
Copy link
Collaborator

katbyte commented Oct 18, 2018

tests pass:
screen shot 2018-10-18 at 00 06 24

@katbyte katbyte merged commit dbf79d7 into hashicorp:master Oct 18, 2018
katbyte added a commit that referenced this pull request Oct 18, 2018
@katbyte katbyte modified the milestones: Soon, 1.17.0 Oct 18, 2018
@ghost
Copy link

ghost commented Mar 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 6, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants