Add secret scopes support in assets bundling #2744

Merged (40 commits) on May 14, 2025

@anton-107 anton-107 commented Apr 22, 2025

Changes

  1. Defined SecretScope as a new resource
  2. Added SecretScope into supported resource types
  3. Generated docs and schema

Why

This change allows users to define secret scopes as part of their assets bundle:

```yaml
...
resources:
  ...
  secret_scopes:
    my_secret_scope:
      name: my_secret_scope
   ...
```

Setting a custom ACL is supported via the `permissions` field:

```yaml
resources:
  secret_scopes:
    my_secret_scope:
      name: my_secret_scope
      permissions:
        - user_name: admins
          level: WRITE
        - user_name: users
          level: READ
```

Tests

  1. Added acceptance tests for secret scope deployments and binding
  2. Added unit tests
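
A review-time check for the `permissions` block described in the PR above, as an added example that is not part of the pull request or the project's code: it flags secret scope ACL entries that grant more than READ to a broad principal, along with malformed entries. It assumes the ACL levels order as READ < WRITE < MANAGE, that `users` denotes the workspace-wide group, and that `resources` is the already-parsed bundle mapping; `audit_secret_scopes` and `SAMPLE_RESOURCES` are hypothetical names.

```python
# Added example, not code from the PR. Assumed order: READ < WRITE < MANAGE.
LEVEL_RANK = {"READ": 1, "WRITE": 2, "MANAGE": 3}
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")
BROAD_PRINCIPALS = {"users"}  # assumed: covers every workspace user

def audit_secret_scopes(resources, max_broad_level="READ"):
    """Return sorted (scope_key, message) findings for the resources mapping."""
    findings = []
    scopes = (resources or {}).get("secret_scopes") or {}
    for key, scope in scopes.items():
        perms = (scope or {}).get("permissions")
        if not perms:
            findings.append((key, "no permissions block declared"))
            continue
        seen = {}
        for entry in perms:
            names = [entry[k] for k in PRINCIPAL_KEYS if entry.get(k)]
            level = str(entry.get("level", "")).upper()
            if len(names) != 1:
                findings.append((key, "entry must name exactly one principal"))
                continue
            who = names[0]
            if level not in LEVEL_RANK:
                findings.append((key, f"{who}: unknown level {level!r}"))
                continue
            if seen.get(who, level) != level:
                findings.append((key, f"{who}: conflicting levels"))
            seen[who] = level
            if who in BROAD_PRINCIPALS and LEVEL_RANK[level] > LEVEL_RANK[max_broad_level]:
                findings.append((key, f"{who}: {level} exceeds {max_broad_level}"))
    return sorted(findings)


# Constructed sample: the first scope mirrors the ACL in the PR description,
# the second is a deliberately over-permissive variant.
SAMPLE_RESOURCES = {
    "secret_scopes": {
        "my_secret_scope": {"name": "my_secret_scope", "permissions": [
            {"user_name": "admins", "level": "WRITE"},
            {"user_name": "users", "level": "READ"},
        ]},
        "wide_open_scope": {"name": "wide_open_scope", "permissions": [
            {"user_name": "users", "level": "MANAGE"},
        ]},
    }
}

for scope_key, message in audit_secret_scopes(SAMPLE_RESOURCES):
    print(f"{scope_key}: {message}")
```
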

anton-107 marked this pull request as ready for review May 6, 2025 13:29
anton-107 requested a review from pietern May 6, 2025 13:56
anton-107 added this pull request to the merge queue May 14, 2025
Merged via the queue into main with commit b14d81c May 14, 2025
10 checks passed
anton-107 deleted the anton-107/secret-scopes branch May 14, 2025 10:57
deco-sdk-tagging bot added a commit that referenced this pull request May 14, 2025
## Release v0.252.0

### Dependency updates
* Upgraded Go SDK to 0.69.0 ([#2867](#2867))
* Upgraded to TF provider 1.79.0 ([#2869](#2869))

### Bundles
* Remove unused fields from resources.models schema: creation\_timestamp, last\_updated\_timestamp, latest\_versions and user\_id. Using them now raises a warning ([#2828](#2828)).
* Preserve folder structure for app source code in bundle generate ([#2848](#2848))
* Fix normalising requirements file path in dependencies section ([#2861](#2861))
* Fix default-python template not to add environments when serverless=yes and include\_python=no ([#2866](#2866))
* Fix handling of Unicode characters in Python support ([#2873](#2873))
* Add support for secret scopes in DABs ([#2744](#2744))
* Make `artifacts.*.type` optional in bundle JSON schema ([#2881](#2881))
* Fix support for `spot_bid_max_price` field in Python support ([#2883](#2883))