Add terraform template path validation #6969
Conversation
sk593
force-pushed
the
validate-tf-paths
branch
from
ff53c81 to
2777c07
Compare
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
sk593
force-pushed
the
validate-tf-paths
branch
from
9b47d5e to
50ddbc0
Compare
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
| err: &v1.ErrClientRP{Code: v1.CodeInvalid, Message: fmt.Sprintf(invalidModulePathFmt, "../not-allowed/")}, | ||
| }, | ||
| { | ||
| filename: "environmentresource-terraformrecipe-unsupported.json", |
There was a problem hiding this comment.
This will be denied by the ParseRequestURI and the other one by the ParseModuleSource, right?
There was a problem hiding this comment.
They should both error out since neither of these are a TF registry or an HTTP URL
pkg/corerp/api/v20231001preview/testdata/environmentresource-terraformrecipe-unsupported.json
Outdated
Show resolved
Hide resolved
| // We first validate if the template path is a valid Terraform registry module source. | ||
| _, err := tfaddr.ParseModuleSource(to.String(c.TemplatePath)) | ||
| if err != nil { | ||
| // If the template path is not a Terraform registry module source, we validate if it is an HTTP URL. | ||
| _, err = url.ParseRequestURI(to.String(c.TemplatePath)) | ||
| if err != nil { | ||
| return datamodel.EnvironmentRecipeProperties{}, v1.NewClientErrInvalidRequest(fmt.Sprintf(invalidModulePathFmt, to.String(c.TemplatePath))) | ||
| } |
There was a problem hiding this comment.
Should this be a separate function? Is this going to be used elsewhere in the code?
There was a problem hiding this comment.
No, this is just going to be used here when we try to register a recipe to an environment. We don't want to deploy the resource/recipe at all if we know the module source isn't supported and this is the first entry point for registering the recipe
| rp_util "github.com/radius-project/radius/pkg/rp/portableresources" | ||
| rpv1 "github.com/radius-project/radius/pkg/rp/v1" | ||
| "github.com/radius-project/radius/pkg/to" | ||
| ) | ||
|
|
||
| const ( | ||
| EnvironmentComputeKindKubernetes = "kubernetes" | ||
| invalidLocalModulePathFmt = "local module paths are not supported with Terraform Recipes. The 'templatePath' '%s' was detected as a local module path because it begins with '/' or './' or '../'." | ||
| invalidModulePathFmt = "only Terraform registry and HTTP URLs are supported as module sources with Terraform Recipes. The 'templatePath' '%s' was detected as an invalid module source." |
sk593
force-pushed
the
validate-tf-paths
branch
from
50ddbc0 to
f451e1d
Compare
There was a problem hiding this comment.
Given we verified that git:/ works correctly today, we should probably also support that. I believe @rynowak uses this today as part of AWS demos.
Git repositories are considered valid HTTP URLs by |
Signed-off-by: sk593 <[email protected]>
sk593
force-pushed
the
validate-tf-paths
branch
from
f451e1d to
8e35415
Compare
Hmm good question. Let's also add GitHub as well, as it's essentially just an alias for git. It should work as well. Thanks! |
|
Closing, we thought the initial issue was caused by Radius not supporting all module sources. This doesn't seem to be the case as Git, S3, etc are able to be used so there's no need for additional validation. |
sk593
had a problem deploying
to
functional-tests
GitHub Actions
Failure
Description
This adds validation for terraform template paths. We will only support Terraform registry and HTTP URLs as allowed module sources for Terraform recipe template paths. Module sources outside these will be treated as unsupported and an error will be returned.
Type of change
Fixes: #6642
Auto-generated summary
copilot:all