
feat: avm/res/cache/redis: add support for AKV secrets export #4138

Merged
merged 5 commits into from
Jan 22, 2025

Conversation

JeffreyCA (Contributor)

Description

Closes #4137

Add support for AKV secrets export by introducing a new secretsExportConfiguration input param as per https://azure.github.io/Azure-Verified-Modules/specs/bcp/res/interfaces/#secrets-export.

In addition to the primary and secondary access key, I also added support for connection strings in the form rediss://..., which is supported by most Redis clients:

| Secret key name | Secret value |
| --- | --- |
| secretsExportConfiguration.primaryAccessKeyName | Primary access key |
| secretsExportConfiguration.primaryConnectionStringName | TLS-enabled primary connection string in Redis URI form: `rediss://:<primaryaccesskey>@<hostname>:6380` |
| secretsExportConfiguration.secondaryAccessKeyName | Secondary access key |
| secretsExportConfiguration.secondaryConnectionStringName | TLS-enabled secondary connection string in Redis URI form: `rediss://:<secondaryaccesskey>@<hostname>:6380` |

Usage example:

```bicep
module redis 'br/public:avm/res/cache/redis:<version>' = {
  name: 'redisDeployment'
  params: {
    // Required parameters
    name: 'kvref'
    // Non-required parameters
    location: '<location>'
    secretsExportConfiguration: {
      keyVaultResourceId: '<keyVaultResourceId>'
      primaryAccessKeyName: 'custom-primaryAccessKey-name'
      primaryConnectionStringName: 'custom-primaryConnectionString-name'
      secondaryAccessKeyName: 'custom-secondaryAccessKey-name'
      secondaryConnectionStringName: 'custom-secondaryConnectionString-name'
    }
  }
}
```

Pipeline Reference

Ran the kv-secrets E2E test locally and passed:

(screenshot of the passing local kv-secrets E2E test run)

Pipeline

Type of Change

  • Update to CI Environment or utilities (Non-module affecting changes)
  • Azure Verified Module updates:
    • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
      • Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
      • The bug was found by the module author, and no one has opened an issue to report it yet.
    • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
    • Breaking changes and I have bumped the MAJOR version in version.json.
    • Update to documentation

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • I have run Set-AVMModule locally to generate the supporting module files.
  • My corresponding pipelines / checks run clean and green without any errors or warnings

@JeffreyCA JeffreyCA requested review from a team as code owners January 9, 2025 18:32
@avm-team-linter avm-team-linter bot added the Needs: Module Owner 📣 This module needs an owner to develop or maintain it label Jan 9, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Jan 9, 2025
AlexanderSehr (Contributor) previously approved these changes Jan 9, 2025 and left a comment:

Great work @JeffreyCA, much appreciated 💪

@JeffreyCA (Contributor, Author):

> Great work @JeffreyCA, much appreciated 💪

Thanks for the review, do I need any other approvals?

@AlexanderSehr (Contributor):

> > Great work @JeffreyCA, much appreciated 💪
>
> Thanks for the review, do I need any other approvals?

Now that you mention it. Actually yes - @hundredacres, could you give it a look? From where I'm standing it looks good :) Your review & approval would be much appreciated.

hundredacres (Contributor) previously approved these changes Jan 22, 2025 and left a comment:

Looks good to me.

hundredacres (Contributor) left a comment:

Approved.

@hundredacres hundredacres merged commit 9a0b5af into Azure:main Jan 22, 2025
4 checks passed
@JeffreyCA JeffreyCA deleted the cache/redis/kv-secrets branch January 22, 2025 21:19
@Ipifo commented Jan 29, 2025:

Great work on adding this feature to the Redis Cache resource. I was wondering if the connection string could have the same format as what you would find in 'Settings -> Authentication -> Access Key -> Primary connection string (StackExchange.Redis) & Secondary connection string (StackExchange.Redis)'. This format looks like this:

`redis-cache-DEV-aue02.redis.cache.windows.net:6380,password==,ssl=True,abortConnect=False`

Currently the connection string format being saved in Key Vault looks like this:

`rediss://:*********@redis-cache-DEV-aue02.redis.cache.windows.net:6380`

@JeffreyCA (Contributor, Author):

Good point - unlike most Redis clients, the StackExchange.Redis client (for .NET) uses its own connection string format and doesn't support the redis[s]:// style connection strings: StackExchange/StackExchange.Redis#1590. I originally added the rediss:// one as it was the more universally accepted one.


@AlexanderSehr @hundredacres I was thinking maybe we could add another pair of exportable secrets, something like primaryStackExchangeRedisConnectionStringName/secondaryStackExchangeRedisConnectionStringName. Any thoughts?
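As an added example, not the AVM module's or the PR author's code, the following Python builds both connection-string forms discussed in this thread (the `rediss://` URI from the PR description's table and the StackExchange.Redis form quoted from the portal above) from a hostname and access key, parses each back, refuses a plain `redis://` URI or a string without `ssl=True`, and masks the key for logs. The hostname and key are constructed values. Percent-encoding the key inside the URI is an addition to the table's form, which uses the raw key: a key containing `/`, `+` or `@` would otherwise not round-trip through a URI parser.

```python
from urllib.parse import quote, unquote, urlparse

TLS_PORT = 6380  # TLS port of Azure Cache for Redis, used by both formats on this page


def build_redis_uri(hostname: str, access_key: str) -> str:
    """Redis URI form from the PR table: rediss://:<accesskey>@<hostname>:6380.

    Percent-encoding the key is an addition to the page's form: a raw key
    containing '/', '+' or '@' would otherwise break URI parsing. The '='
    base64 padding is legal in the userinfo part and is left as-is.
    """
    return f"rediss://:{quote(access_key, safe='=')}@{hostname}:{TLS_PORT}"


def build_stackexchange_string(hostname: str, access_key: str) -> str:
    """StackExchange.Redis form as quoted from the Azure portal in the thread."""
    return f"{hostname}:{TLS_PORT},password={access_key},ssl=True,abortConnect=False"


def parse_redis_uri(uri: str) -> dict:
    """Parse a Redis URI and accept only the TLS form on port 6380."""
    u = urlparse(uri)
    if u.scheme != "rediss":
        raise ValueError(f"expected a TLS rediss:// URI, got scheme {u.scheme!r}")
    if not u.hostname or u.port != TLS_PORT:
        raise ValueError(f"expected <hostname>:{TLS_PORT}")
    if u.password is None:
        raise ValueError("no access key in the URI userinfo")
    # urlparse lowercases the hostname; the key is decoded back to its raw form
    return {"host": u.hostname, "port": u.port, "key": unquote(u.password), "tls": True}


def parse_stackexchange_string(conn: str) -> dict:
    """Parse '<host>:<port>,password=...,ssl=True,abortConnect=False'.

    Only the first '=' of each option separates key from value, because the
    password value itself normally ends in base64 '=' padding.
    """
    endpoint, *options = conn.split(",")
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("expected <hostname>:<port> as the first element")
    opts = {}
    for option in options:
        key, sep, value = option.partition("=")
        if not sep:
            raise ValueError(f"malformed option {option!r}")
        opts[key.strip()] = value
    if opts.get("ssl", "").lower() != "true":
        raise ValueError("refusing a connection string without ssl=True")
    if "password" not in opts:
        raise ValueError("no password option present")
    return {"host": host, "port": int(port), "key": opts["password"], "tls": True}


def redact(secret: str, visible: int = 4) -> str:
    """Mask a key for logging the way the portal comment above shows it."""
    return "*" * max(len(secret) - visible, 0) + secret[-visible:]


if __name__ == "__main__":
    host = "example-cache.redis.cache.windows.net"  # constructed hostname
    key = "AbC+dEf/123="  # constructed, not a real access key
    uri = build_redis_uri(host, key)
    print(uri.replace(quote(key, safe="="), redact(key)))
    print(parse_redis_uri(uri)["host"], parse_stackexchange_string(build_stackexchange_string(host, key))["port"])
```

The two parsers are deliberately strict about TLS: a consumer that reads either secret out of Key Vault can assert `tls` before opening a connection, which catches a hand-edited secret that silently fell back to port 6379.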

@hundredacres (Contributor) commented Jan 29, 2025 via email

@JeffreyCA (Contributor, Author):

> Sounds good to me. Happy to take a PR, or I can whip something up tomorrow

Sure, I opened #4343
