feat: Create\Update User Defined Types with sensitive values to include @secure() decorator. - `avm/res/container-instance/container-group` (Azure#1919)

## Description
Update containerType (user defined type) to set
environmentVariables.secureValue to be of type secureString.
Followed the same logic and created the user defined type for
imageRegistryCredentials (imageRegistryCredentialType) as it also has a
password attribute.

Fixes Azure#1868
Closes Azure#1868

## Pipeline Reference

| Pipeline |
| -------- |
| [![avm.res.container-instance.container-group](https://github.com/rodney-almeida/bicep-registry-modules/actions/workflows/avm.res.container-instance.container-group.yml/badge.svg?branch=rodney-almeida-1868)](https://github.com/rodney-almeida/bicep-registry-modules/actions/workflows/avm.res.container-instance.container-group.yml) |

## Type of Change

<!-- Use the check-boxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [X] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [X] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same
update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [X] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Rodney Almeida <[email protected]>
2 people authored and hundredacres committed Jun 19, 2024
1 parent 1d62062 commit ce4ee26
Showing 4 changed files with 189 additions and 55 deletions.
76 changes: 72 additions & 4 deletions avm/res/container-instance/container-group/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -355,7 +355,16 @@ module containerGroup 'br/public:avm/res/container-instance/container-group:<ver
name: 'az-aci-x-001'
properties: {
command: []
environmentVariables: []
environmentVariables: [
{
name: 'CLIENT_ID'
value: 'TestClientId'
}
{
name: 'CLIENT_SECRET'
secureValue: 'TestSecret'
}
]
image: 'mcr.microsoft.com/azuredocs/aci-helloworld'
ports: [
{
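Review bot: the usage example now carries an inline secret (`secureValue: 'TestSecret'`) that readers will copy into their own templates and commit to source control; since the property is now `securestring`, the README sample should show the value coming from a `@secure()` parameter or a Key Vault `getSecret()` reference rather than a string literal, or at least mark the literal as a placeholder. It would also help to state next to the example that `value` is stored in plain text and `secureValue` is the one to use for anything sensitive.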
Expand Down Expand Up @@ -447,7 +456,16 @@ module containerGroup 'br/public:avm/res/container-instance/container-group:<ver
"name": "az-aci-x-001",
"properties": {
"command": [],
"environmentVariables": [],
"environmentVariables": [
{
"name": "CLIENT_ID",
"value": "TestClientId"
},
{
"name": "CLIENT_SECRET",
"secureValue": "TestSecret"
}
],
"image": "mcr.microsoft.com/azuredocs/aci-helloworld",
"ports": [
{
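Review bot: the JSON parameter-file variant hard-codes `"secureValue": "TestSecret"` inside the `containers` array, and unlike a top-level parameter this nested property cannot be replaced with a Key Vault `reference` in a parameter file (Key Vault references apply to whole parameter values only). The sample should say the literal is a placeholder and point readers to the Bicep form, where the secret can be sourced from Key Vault, instead of suggesting that secrets belong in a checked-in `.json` file.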
Expand Down Expand Up @@ -1268,7 +1286,7 @@ The environment variables to set in the container instance.

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`secureValue`](#parameter-containerspropertiesenvironmentvariablessecurevalue) | string | The value of the secure environment variable. |
| [`secureValue`](#parameter-containerspropertiesenvironmentvariablessecurevalue) | securestring | The value of the secure environment variable. |
| [`value`](#parameter-containerspropertiesenvironmentvariablesvalue) | string | The value of the environment variable. |

### Parameter: `containers.properties.environmentVariables.name`
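Review bot: the parameter table lists `secureValue` (`securestring`) and `value` (`string`) as two independent optional fields, but nothing says they are alternatives for the same variable; add a short sentence such as "set `secureValue` for secrets; do not set both `value` and `secureValue` for one variable" so readers don't set both and leak the secret through the plain-text field.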
Expand All @@ -1283,7 +1301,7 @@ The name of the environment variable.
The value of the secure environment variable.

- Required: No
- Type: string
- Type: securestring

### Parameter: `containers.properties.environmentVariables.value`

Expand Down Expand Up @@ -1506,6 +1524,56 @@ The image registry credentials by which the container group is created from.
- Required: No
- Type: array

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`server`](#parameter-imageregistrycredentialsserver) | string | The Docker image registry server without a protocol such as "http" and "https". |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`identity`](#parameter-imageregistrycredentialsidentity) | string | The identity for the private registry. |
| [`identityUrl`](#parameter-imageregistrycredentialsidentityurl) | string | The identity URL for the private registry. |
| [`password`](#parameter-imageregistrycredentialspassword) | securestring | The password for the private registry. |
| [`username`](#parameter-imageregistrycredentialsusername) | string | The username for the private registry. |

### Parameter: `imageRegistryCredentials.server`

The Docker image registry server without a protocol such as "http" and "https".

- Required: Yes
- Type: string

### Parameter: `imageRegistryCredentials.identity`

The identity for the private registry.

- Required: No
- Type: string

### Parameter: `imageRegistryCredentials.identityUrl`

The identity URL for the private registry.

- Required: No
- Type: string

### Parameter: `imageRegistryCredentials.password`

The password for the private registry.

- Required: No
- Type: securestring

### Parameter: `imageRegistryCredentials.username`

The username for the private registry.

- Required: No
- Type: string

### Parameter: `initContainers`

A list of container definitions which will be executed before the application container starts.
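Review bot: the Optional parameters table marks `identity`, `identityUrl`, `username` and `password` all as optional with only `server` required, but nothing tells the reader which combination is valid; a registry credential needs either `username` plus `password` or a managed `identity`. Since a Bicep user-defined type cannot express that "one of" rule, put it in the descriptions (for example "Required if `identity` is not set." on `username`/`password`) so a credential with only `server` isn't accepted by validation and found wanting at deployment time.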
104 changes: 59 additions & 45 deletions avm/res/container-instance/container-group/main.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ param restartPolicy string = 'Always'
param ipAddressType string = 'Public'

@description('Optional. The image registry credentials by which the container group is created from.')
param imageRegistryCredentials array?
param imageRegistryCredentials imageRegistryCredentialType

@description('Optional. Location for all Resources.')
param location string = resourceGroup().location
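Review bot: the `@description` on `imageRegistryCredentials` is unchanged even though the parameter now carries a `@secure()` `password`; the description should mention that `password` is secure and that `username`/`password` and `identity` are alternatives. Also note that moving from untyped `array?` to a sealed object type means any property not declared in `imageRegistryCredentialType` is now a compile error for callers; that matches the ACI credential schema, but since this PR is filed as a bugfix without a version bump it is worth a sentence in the PR description.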
Expand Down Expand Up @@ -100,47 +100,43 @@ var identity = !empty(managedIdentities)
}
: null

resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
if (enableTelemetry) {
name: '46d3xbcp.res.containerinstance-containergroup.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
name: '46d3xbcp.res.containerinstance-containergroup.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
}
}
}
}

resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing =
if (!empty(customerManagedKey.?keyVaultResourceId)) {
name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
scope: resourceGroup(
split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
)

resource cMKKey 'keys@2023-02-01' existing =
if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
name: customerManagedKey.?keyName ?? 'dummyKey'
}
}
resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
scope: resourceGroup(
split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
)

resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing =
if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
scope: resourceGroup(
split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2],
split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]
)
resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
name: customerManagedKey.?keyName ?? 'dummyKey'
}
}

resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
scope: resourceGroup(
split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2],
split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]
)
}

resource containergroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {
name: name
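Review bot: this hunk is whitespace-only (the `= if (...)` conditions moved onto the resource declaration lines and the bodies de-indented by the newer Bicep formatter) and is unrelated to the secure-value fix; bundling formatter churn into a security change makes the real change harder to review and to cherry-pick, so consider landing the reformat as its own commit.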
Expand Down Expand Up @@ -193,17 +189,16 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01'
)
}

resource containergroup_lock 'Microsoft.Authorization/locks@2020-05-01' =
if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: containergroup
resource containergroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: containergroup
}

@description('The name of the container group.')
output name string = containergroup.name
Expand Down Expand Up @@ -353,6 +348,7 @@ type containerType = {
name: string

@description('Optional. The value of the secure environment variable.')
@secure()
secureValue: string?

@description('Optional. The value of the environment variable.')
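Review bot: `@secure()` on `secureValue` is the right fix, but the sibling `value: string?` in the same object stays plain text and the two descriptions do not say they are alternatives; since a user-defined type cannot express "exactly one of", state it in the descriptions ("Use `secureValue` for secrets; do not set both."). The decorator only changes the compiled parameter schema, so the `"type": "securestring"` in main.json is what confirms the fix took effect.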
Expand All @@ -361,6 +357,24 @@ type containerType = {
}
}[]

type imageRegistryCredentialType = {
@description('Required. The Docker image registry server without a protocol such as "http" and "https".')
server: string

@description('Optional. The identity for the private registry.')
identity: string?

@description('Optional. The identity URL for the private registry.')
identityUrl: string?

@description('Optional. The username for the private registry.')
username: string?

@description('Optional. The password for the private registry.')
@secure()
password: string?
}[]?

type ipAddressPortsType = {
@description('Required. The port number exposed on the container instance.')
port: int
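Review bot: `password` is `@secure()`, which is good, but `username`, `identity` and `identityUrl` are all `string?` with no stated relationship, so a credential consisting of only `server` type-checks; the descriptions should say that either `username` plus `password` or `identity` must be supplied. "The identity for the private registry." is also vague: if this is the resource ID of the user-assigned identity, say so, so callers don't pass a client ID or principal ID.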
53 changes: 48 additions & 5 deletions avm/res/container-instance/container-group/main.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "1114274520149552239"
"version": "0.27.1.19265",
"templateHash": "5407376593955341482"
},
"name": "Container Instances Container Groups",
"description": "This module deploys a Container Instance Container Group.",
Expand Down Expand Up @@ -115,6 +115,7 @@
},
"livenessProbe": {
"type": "object",
"properties": {},
"nullable": true,
"metadata": {
"description": "Optional. The liveness probe."
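Review bot: the added `"properties": {}` under `livenessProbe` has no corresponding change in main.bicep; it appears to be output of the newer compiler (the generator metadata moved from 0.26.54 to 0.27.1 in the previous hunk) rather than an intentional schema change. Call that out in the PR description so the next reviewer doesn't hunt for a source edit that isn't there.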
Expand Down Expand Up @@ -335,7 +336,7 @@
}
},
"secureValue": {
"type": "string",
"type": "securestring",
"nullable": true,
"metadata": {
"description": "Optional. The value of the secure environment variable."
Expand Down Expand Up @@ -363,6 +364,49 @@
}
}
},
"imageRegistryCredentialType": {
"type": "array",
"items": {
"type": "object",
"properties": {
"server": {
"type": "string",
"metadata": {
"description": "Required. The Docker image registry server without a protocol such as \"http\" and \"https\"."
}
},
"identity": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The identity for the private registry."
}
},
"identityUrl": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The identity URL for the private registry."
}
},
"username": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The username for the private registry."
}
},
"password": {
"type": "securestring",
"nullable": true,
"metadata": {
"description": "Optional. The password for the private registry."
}
}
}
},
"nullable": true
},
"ipAddressPortsType": {
"type": "array",
"items": {
Expand Down Expand Up @@ -457,8 +501,7 @@
}
},
"imageRegistryCredentials": {
"type": "array",
"nullable": true,
"$ref": "#/definitions/imageRegistryCredentialType",
"metadata": {
"description": "Optional. The image registry credentials by which the container group is created from."
}
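Review bot: `"nullable": true` moved from the `imageRegistryCredentials` parameter into the `imageRegistryCredentialType` definition (the `[]?` in the Bicep type). That is fine for this single use, but it makes every future use of the type nullable by default; if the type is ever reused for a required field, the `?` should sit on the parameter rather than the type, as is done for `containerType`.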
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,16 @@ module testDeployment '../../../main.bicep' = [
name: '${namePrefix}-az-aci-x-001'
properties: {
command: []
environmentVariables: []
environmentVariables: [
{
name: 'CLIENT_ID'
value: 'TestClientId'
}
{
name: 'CLIENT_SECRET'
secureValue: 'TestSecret'
}
]
image: 'mcr.microsoft.com/azuredocs/aci-helloworld'
ports: [
{
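Review bot: the test now passes `secureValue: 'TestSecret'`, but it only proves the deployment succeeds, not that the value is handled as a secret; add a post-deployment assertion that reads the container group back and checks `CLIENT_SECRET` is not returned with a plain `value`, so the `securestring` plumbing is actually exercised. A literal test secret is acceptable here because it is not real, but naming it as such (`'placeholder-not-a-real-secret'`) avoids it being mistaken for a leaked credential by secret scanners and readers.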
