Skip to content

Introduce AzureKeyVaultSecretReference #8171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Mar 25, 2025
Merged

Introduce AzureKeyVaultSecretReference #8171

merged 20 commits into from
Mar 25, 2025

Conversation

@davidfowl
Copy link
Member

@davidfowl davidfowl commented Mar 19, 2025
edited
Loading

Description

  • This is a replacement for the magic secret outputs implementation. Resources that support keys push those keys into an explicitly defined per resource key vault and now into any key vault that is provided. The IKeyVaultSecretReference is a new primitive reference type that can is understood natively by compute environments like ACA and the azure preparer.

Fixes #8134

Checklist

@github-actions github-actions bot added the area-app-model Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication label Mar 19, 2025
eerhardt
eerhardt reviewed Mar 19, 2025
View reviewed changes
@eerhardt eerhardt mentioned this pull request Mar 20, 2025
Merged
7 tasks
@davidfowl davidfowl force-pushed the davidfowl/no-secret-outputs branch from 0d4156b to 94ceb65 Compare March 21, 2025 06:55
@davidfowl
Introduce AzureKeyVaultSecretReference
b66df54 
- This is a replacement for the magic secret outputs implementation. Resources that support keys push those keys into an explicitly defined per resoure key vault and now into any keyvault that is provided. The IKeyVaultSecretReference is a new primitive reference type that can is understood natively by compute environments like ACA and the azure preparer.
@davidfowl davidfowl force-pushed the davidfowl/no-secret-outputs branch from 94ceb65 to b66df54 Compare March 22, 2025 06:40
@davidfowl davidfowl marked this pull request as ready for review March 22, 2025 09:08
mitchdenny
mitchdenny reviewed Mar 23, 2025
View reviewed changes
mitchdenny
mitchdenny reviewed Mar 23, 2025
View reviewed changes
mitchdenny
mitchdenny reviewed Mar 23, 2025
View reviewed changes
tests/Aspire.Hosting.Azure.Tests/AzurePostgresExtensionsTests.cs Outdated
{
"type": "azure.bicep.v0",
"connectionString": "{postgres-data.secretOutputs.connectionString}",
"connectionString": "{postgres-data-kv.secrets.postgres-data--connectionString}",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a change queued up on the azd side to process .secrets instead of secret outputs?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @vhvb1989

mitchdenny
mitchdenny reviewed Mar 23, 2025
View reviewed changes
Copy link
Member

@mitchdenny mitchdenny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good - a few minor questions/comments.

I think it's worth going through all the playgrounds and regenerating the manifest publisher output, so we have a new baseline for comparison. The outputs of that command all make sense.

davidfowl added 11 commits March 22, 2025 22:27
@davidfowl
Add output for Key Vault ID in Bicep resource tests
fc6cd64
@davidfowl
Refactor Azure Key Vault resource output references and improve inter…
edebd8c 
…nal access to secrets and secret client
@davidfowl
Add output for Key Vault ID in existing Azure resource tests
eb9824e
@davidfowl
Refactor AzureKeyVaultResource to simplify output reference properties
1c408c0
@davidfowl
Rename KeyVaultResource property to Resource for consistency across k…
9a74e0f 
…ey vault references
@davidfowl
Refactor Azure Key Vault resource tests to support dynamic Key Vault …
7309928 
…names and improve authentication handling
@davidfowl
Refactor connection string secret naming convention to use a consiste…
aac96ef 
…nt prefix across Azure resources
@davidfowl
Refactor connection string naming convention to use a consistent pref…
f1f0b99 
…ix across Azure resources
@davidfowl
Refactor IKeyVaultResource interface documentation for clarity and co…
cef5c65 
…nsistency
@davidfowl
Update manifests
2a9f630
@davidfowl
Refactor Azure Container Apps identity configuration to use UserAssig…
f522f3d 
…ned type
eerhardt
eerhardt reviewed Mar 24, 2025
View reviewed changes
src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppsInfrastructure.cs
Comment on lines +95 to 97
SetKnownParameterValue(r, AzureBicepResource.KnownParameters.PrincipalId, _ => environment.ContainerRegistryManagedIdentityId);
SetKnownParameterValue(r, AzureBicepResource.KnownParameters.PrincipalType, _ => "ServicePrincipal");
SetKnownParameterValue(r, AzureBicepResource.KnownParameters.PrincipalName, _ => environment.PrincipalName);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels wrong that we still have PrincipalName on the environment. Shouldn't it be ContainerRegistryManagedIdentityPrincipalName?

Copy link
Member

@eerhardt eerhardt Mar 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I almost half wonder if we should no longer support these "KnownParameters" for PrincipalId, Type, and Name in ACA. Our Azure resources will never use them (or at least, if they do it is a mistake that needs to be fixed).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Separate change. Not in this PR, it's too big already 😄 . I agree.

eerhardt
eerhardt reviewed Mar 24, 2025
View reviewed changes
eerhardt
eerhardt reviewed Mar 24, 2025
View reviewed changes
eerhardt
eerhardt reviewed Mar 24, 2025
View reviewed changes
eerhardt
eerhardt reviewed Mar 24, 2025
View reviewed changes
@eerhardt
Copy link
Member

image
We should open a breaking change issue in our docs for this.

@davidfowl
PR feedback
3458820 
Refactor Azure Key Vault integration to use a secret resolver function for runtime secret resolution
@davidfowl davidfowl mentioned this pull request Mar 25, 2025
Closed
3 tasks
@davidfowl davidfowl merged commit 5fd2b10 into main Mar 25, 2025
163 checks passed
@davidfowl davidfowl deleted the davidfowl/no-secret-outputs branch March 25, 2025 07:15
@davidfowl davidfowl added area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure and removed area-app-model Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication labels Mar 25, 2025
@davidfowl davidfowl mentioned this pull request Mar 25, 2025
Closed
18 tasks
@davidfowl davidfowl mentioned this pull request Apr 6, 2025
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Apr 24, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@eerhardt eerhardt eerhardt left review comments

@mitchdenny mitchdenny mitchdenny approved these changes

Assignees

No one assigned

Labels

area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Deprecate BicepSecretOutput and build a first class AzureKeyVaultSecretReference

4 participants

@davidfowl @eerhardt @mitchdenny