v0.11.1 release (#12)

Fixed issue with deploying private plans
Fixed issue with listing available marketplace plans

Co-authored-by: Tomas Simacek <[email protected]>

Author: tsimacek

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.11.1 (Mar, 13, 2024)
+* Fixed issue with deploying private plans
+* Fixed issue with listing available marketplace plans
+
 ## 0.11.0 (Sep, 20, 2024)
 * Added support for V10MP2R2 model
 * Removed support for specifying version plan by specific version (e.g `6.6.4`)

cbs/acceptance/environment.go

@@ -28,6 +28,11 @@ const (
 	// when using Service Principal auth.
 	EnvTfAccSkipUserPrincipalAuth = "TF_ACC_SKIP_USER_PRINCIPAL_AUTH"
 
+	// Environment variable controlling if the Azure acceptance tests
+	// for service principal should be run. This testing is not available
+	// when using OIDC auth.
+	EnvTfAccSkipServicePrincipalAuth = "TF_ACC_SKIP_SERVICE_PRINCIPAL_AUTH"
+
 	// Environment variable for controlling the Azure acceptance tests
 	// related to deploying an CBS Fusion app from an App Definition
 	EnvTfAccAzureSkipFusionAppId = "TC_ACC_SKIP_AZURE_FUSION_APP_ID"

cbs/data_azure_plans.go

@@ -30,6 +30,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-version"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -125,7 +126,7 @@ func (a PlanByVersion) Len() int           { return len(a) }
 func (a PlanByVersion) Less(i, j int) bool { return a[i].Version.LessThan(&a[j].Version) }
 func (a PlanByVersion) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
 
-var plan_name_regexp = regexp.MustCompile(`^[\w]+_([\d]+)_([\d]+)_(x)$`)
+var plan_name_regexp = regexp.MustCompile(`^[\w]+_([\d]+)_([\d]+)_([\d]+|x)$`)
 
 // Retrieve a plan information from Azure DefaultTemplate artifact
 func GetPlanFromTemplateJson(data []byte) (*Plan, error) {
@@ -148,17 +149,22 @@ func GetPlanFromTemplateJson(data []byte) (*Plan, error) {
 	return &unmarshalled_plan, nil
 }
 
-func versionPlans(plans []Plan) ([]VersionedPlan, error) {
+func versionPlans(ctx context.Context, plans []Plan) ([]VersionedPlan, error) {
 	var versioned_plans []VersionedPlan
 	for _, plan := range plans {
 		match := plan_name_regexp.FindStringSubmatch(plan.Name)
+		// Plan does not match our standard name schema but we want it to show it but treat it as 0.0.0
+		if len(match) < 4 {
+			tflog.Debug(ctx, fmt.Sprintf("Found plan '%s' not matching standard scheme", plan.Name))
+			match = []string{"0", "0", "0", "0"}
+		}
 		patch := match[3]
 		if patch == "x" {
 			patch = "99"
 		}
 		version, err := version.NewVersion(fmt.Sprintf("%s.%s.%s", match[1], match[2], patch))
 		if err != nil {
-			return nil, fmt.Errorf("Unable to parse version string in plan name: %s", plan.Name)
+			return nil, fmt.Errorf("unable to parse version string in plan name: %s", plan.Name)
 		}
 		versioned_plans = append(versioned_plans, VersionedPlan{*version, plan})
 	}
@@ -175,13 +181,15 @@ func QueryMarketplaceForPlans(ctx context.Context) ([]VersionedPlan, error) {
 
 	var template_plans []Plan
 	for _, response_result := range productSummary.Results {
+		// Filter out non Cloud Block Store offers, unfortunatelly the API does not have offer/product ID available so we need
+		// to take a look at the inner plans to filter out offers we do not want
+		if len(response_result.Plans) == 0 || !strings.HasPrefix(*response_result.Plans[0].UniquePlanID, marketplacePlanIdPrefix) {
+			tflog.Debug(ctx, fmt.Sprintf("Skipping non Cloud Block Store offer %s", *response_result.DisplayName))
+			continue
+		}
+		tflog.Debug(ctx, fmt.Sprintf("Processing plans under offer %s", *response_result.DisplayName))
 		for _, response_plan := range response_result.Plans {
-			if !strings.HasPrefix(*response_plan.PlanID, "cbs_azure") {
-				// Exclude any plans which aren't the Pure Cloud Block Store on Azure offering.
-				// E.g. the Pure Fusion Storage Endpoint Collection offerings.
-				continue
-			}
-
+			tflog.Debug(ctx, fmt.Sprintf("Processing plan %s", *response_plan.PlanID))
 			for _, response_artifact := range response_plan.Artifacts {
 				if *response_artifact.Name != "DefaultTemplate" {
 					continue
@@ -202,7 +210,7 @@ func QueryMarketplaceForPlans(ctx context.Context) ([]VersionedPlan, error) {
 		}
 	}
 
-	return versionPlans(template_plans)
+	return versionPlans(ctx, template_plans)
 }
 
 func dataSourceAzurePlansRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {

cbs/internal/cloud/azure.go

@@ -41,6 +41,7 @@ import (
 
 	vaultSecret "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
 	vaultManagement "github.com/Azure/azure-sdk-for-go/services/preview/keyvault/mgmt/2020-04-01-preview/keyvault"
+	"github.com/manicminer/hamilton/environments"
 
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/resources/mgmt/managedapplications"
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/resources/mgmt/resources"
@@ -128,6 +129,31 @@ func buildAzureClient(ctx context.Context, userConfig AzureConfig) (AzureClientA
 		SupportsAzureCliToken:    true,
 	}
 
+	useOIDCAuth := false
+	useMSAL := false
+	if os.Getenv("TF_ACC_USE_OIDC") != "" {
+		useOIDCAuth = true
+	}
+
+	// Temporary workaround for Vault migration until we do PURE-384171
+	// which is essentialy to use azidentity for auth, however that requires
+	// more significant refactoring of how we use the SDK. The migration guide
+	// https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/MIGRATION.md
+	if useOIDCAuth {
+		builder.SubscriptionID = os.Getenv("AZURE_SUBSCRIPTION_ID")
+		builder.TenantID = os.Getenv("AZURE_TENANT_ID")
+		builder.ClientID = os.Getenv("AZURE_CLIENT_ID")
+		builder.SupportsOIDCAuth = true
+		builder.IDTokenRequestURL = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
+		builder.IDTokenRequestToken = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+		// OIDC is not without Microsoft Graph
+		// https://github.com/hashicorp/go-azure-helpers/blob/d43458d68a62a2d14d08ee543e67a7a2d301ad8d/authentication/auth_method_oidc.go#L40
+		builder.UseMicrosoftGraph = true
+		// OIDC only supports MSAL tokens
+		// https://github.com/hashicorp/go-azure-helpers/blob/d43458d68a62a2d14d08ee543e67a7a2d301ad8d/authentication/auth_method_oidc.go#L48
+		useMSAL = true
+	}
+
 	config, err := builder.Build()
 	if err != nil {
 		return nil, err
@@ -149,15 +175,32 @@ func buildAzureClient(ctx context.Context, userConfig AzureConfig) (AzureClientA
 	}
 
 	sender := sender.BuildSender("cbs")
-	auth, err := config.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
-	if err != nil {
-		return nil, err
+
+	var auth, graphAuth, vaultAuthorizer autorest.Authorizer = nil, nil, nil
+	var authErr error = nil
+	if useMSAL {
+		auth, authErr = config.GetMSALToken(ctx, environments.ResourceManagerPublic, sender, oauthConfig, env.TokenAudience)
+	} else {
+		auth, authErr = config.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
 	}
-	graphAuth, err := config.GetADALToken(ctx, sender, oauthConfig, env.GraphEndpoint)
-	if err != nil {
-		return nil, err
+	if authErr != nil {
+		return nil, authErr
+	}
+
+	if useMSAL {
+		graphAuth, authErr = config.GetMSALToken(ctx, environments.MsGraphGlobal, sender, oauthConfig, env.GraphEndpoint)
+	} else {
+		graphAuth, authErr = config.GetADALToken(ctx, sender, oauthConfig, env.GraphEndpoint)
+	}
+	if authErr != nil {
+		return nil, authErr
+	}
+
+	if useMSAL {
+		vaultAuthorizer = config.MSALBearerAuthorizerCallback(ctx, environments.KeyVaultPublic, sender, oauthConfig, env.KeyVaultEndpoint)
+	} else {
+		vaultAuthorizer = config.ADALBearerAuthorizerCallback(ctx, sender, oauthConfig)
 	}
-	vaultAuthorizer := config.ADALBearerAuthorizerCallback(ctx, sender, oauthConfig)
 
 	vaultSecretClient := vaultSecret.New()
 	vaultSecretClient.Authorizer = vaultAuthorizer

cbs/provider_test.go

@@ -194,6 +194,10 @@ func TestAccProvider_azureCLIAuth(t *testing.T) {
 }
 
 func TestAccProvider_azureServicePrincipalAuth(t *testing.T) {
+	if os.Getenv(acceptance.EnvTfAccSkipServicePrincipalAuth) != "" {
+		t.Skip("Skipping due to env variable set")
+	}
+
 	if os.Getenv("TF_ACC") == "" {
 		return
 	}

cbs/resource_array_azure.go

@@ -57,6 +57,28 @@ const (
 	defaultPlanVersion   = "1.0.0"
 )
 
+const marketplacePlanIdPrefix = "purestoragemarketplaceadmin.pure_cloud_block_store_product_deployment"
+
+var staticResourceList = []string{
+	"Microsoft.Solutions/applications",
+	"Microsoft.Resources/tags",
+	"Microsoft.Compute/virtualMachines",
+	"Microsoft.Network/networkInterfaces",
+	"Microsoft.DocumentDB/databaseAccounts",
+	"Microsoft.Storage/storageAccounts",
+	"Microsoft.ManagedIdentity/userAssignedIdentities",
+	"Microsoft.KeyVault/vaults",
+	"Microsoft.Network/loadBalancers",
+	"Microsoft.Network/publicIPAddresses",
+	"Microsoft.Compute/disks",
+	"Microsoft.Compute/virtualMachines/extensions",
+	"Microsoft.Network/networkSecurityGroups",
+	"Microsoft.Network/applicationSecurityGroups",
+	"Microsoft.Compute/capacityReservationGroups",
+	"Microsoft.Compute/capacityReservationGroups/capacityReservations",
+	"Microsoft.Resources/deploymentScripts",
+}
+
 var azureParams = []interface{}{
 	"arrayName",
 	"licenseKey",
@@ -407,43 +429,61 @@ func GetResourcesFromTemplateJson(data []byte) ([]string, error) {
 	return resources, nil
 }
 
-func GetPlanArtifacts(ctx context.Context, planName string) (map[string]*appcatalog.Artifact, error) {
+func GetPlanArtifacts(ctx context.Context, plan Plan) (map[string]*appcatalog.Artifact, error) {
 	productSummary, err := GetProductSummary(ctx)
 	if err != nil {
 		return nil, err
 	}
 
 	for _, response_result := range productSummary.Results {
+		// Filter out non Cloud Block Store offers, unfortunatelly the API does not have offer/product ID available so we need
+		// to take a look at the inner plans to filter out offers we do not want
+		if len(response_result.Plans) == 0 || !strings.HasPrefix(*response_result.Plans[0].UniquePlanID, marketplacePlanIdPrefix) {
+			tflog.Debug(ctx, fmt.Sprintf("Skipping non Cloud Block Store offer %s", *response_result.DisplayName))
+			continue
+		}
+		tflog.Debug(ctx, fmt.Sprintf("Processing plans under offer %s", *response_result.DisplayName))
 		for _, response_plan := range response_result.Plans {
-			if !strings.HasPrefix(*response_plan.PlanID, "cbs_azure") {
+			if plan.Name != *response_plan.PlanID {
+				tflog.Debug(ctx, fmt.Sprintf("Skipping non matching plan %s", *response_plan.PlanID))
 				continue
 			}
+			tflog.Debug(ctx, fmt.Sprintf("Found matching plan %s", *response_plan.PlanID))
 
 			artifacts := make(map[string]*appcatalog.Artifact)
-			var plan *Plan
+			var templatePlan *Plan
 			for _, response_artifact := range response_plan.Artifacts {
 				artifacts[*response_artifact.Name] = response_artifact
-				// we get the current plan from Default Template
+				// Get the plan properties from the DefaultTemplate artifact to verify integrity
 				if *response_artifact.Name == "DefaultTemplate" {
 					template_data, err := downloadToBuffer(*response_artifact.URI)
 					if err != nil {
-						return artifacts, err
+						return nil, err
 					}
 
-					plan, err = GetPlanFromTemplateJson(template_data)
+					templatePlan, err = GetPlanFromTemplateJson(template_data)
 					if err != nil {
-						return artifacts, err
+						return nil, err
 					}
 				}
 			}
-
-			if plan.Name == planName {
-				return artifacts, nil
+			// Verify the integrity of the artifact and that it matches our expectations
+			if templatePlan.Name != plan.Name {
+				return nil, fmt.Errorf("mismatch between planID in marketplace DefaultTemplate")
+			}
+			if templatePlan.Product != plan.Product {
+				return nil, fmt.Errorf("mismatch between product in marketplace response and DefaultTemplate")
 			}
+			if templatePlan.Publisher != plan.Publisher {
+				return nil, fmt.Errorf("mismatch between publisher in marketplace response and DefaultTemplate")
+			}
+			if templatePlan.Version != plan.Version {
+				return nil, fmt.Errorf("mismatch between plan version in marketplace response and DefaultTemplate")
+			}
+			return artifacts, nil
 		}
 	}
-
-	return nil, fmt.Errorf("plan %s not found to get artifacts", planName)
+	return nil, fmt.Errorf("could not find plan %s in marketplace in order to get Cloud Block Store artifacts", plan.Name)
 }
 
 func GetProductSummary(ctx context.Context) (appcatalog.SearchClientGetResponse, error) {
@@ -460,12 +500,8 @@ func GetResourceListFromUiDefinitionUrl(url string) ([]string, error) {
 	return GetResourcesFromTemplateJson(template_data)
 }
 
-func getPlanResources(ctx context.Context, p interface{}) ([]string, error) {
-	planInterface := p.([]interface{})[0]
-	plan := planInterface.(map[string]interface{})
-	planName := plan["name"].(string)
-
-	artifacts, err := GetPlanArtifacts(ctx, planName)
+func getPlanResources(ctx context.Context, plan Plan) ([]string, error) {
+	artifacts, err := GetPlanArtifacts(ctx, plan)
 	if err != nil {
 		return nil, err
 	}
@@ -516,9 +552,17 @@ func getResourcesForCurrentDeployment(ctx context.Context, azureClient cloud.Azu
 	}
 
 	if planParam, ok := d.GetOk("plan"); ok {
-		resources, err = getPlanResources(ctx, planParam)
+		// We rely on Terraform framework here that this will always be convertible, otherwise we would panic
+		planDecoded := planParam.([]interface{})[0].(map[string]interface{})
+		plan := Plan{
+			Name:      planDecoded["name"].(string),
+			Product:   planDecoded["product"].(string),
+			Publisher: planDecoded["publisher"].(string),
+			Version:   planDecoded["version"].(string),
+		}
+		resources, err = getPlanResources(ctx, plan)
 		if err != nil {
-			return nil, fmt.Errorf("failed to retrieve resource list based on plan %+v", err)
+			return nil, fmt.Errorf("could not get resource list from plan %s: %+v", plan.Name, err)
 		}
 	}
 
@@ -639,13 +683,17 @@ func resourceArrayAzureCreate(ctx context.Context, d *schema.ResourceData, m int
 
 	parameters.Identity = expandIdentityObject(identities)
 
+	// Fetch the list of resources which will be deployed. We rely on createUiDefinition.json artifact which should
+	// be available through the marketplace api in case of public plans. In case that the plan is not available in
+	// the marketplace API for any reason we fall back to a statically defined list.
+	resources, err := getResourcesForCurrentDeployment(ctx, azureClient, d)
+	if err != nil {
+		tflog.Warn(ctx, fmt.Sprintf("Could not get resource list for current deployment, falling back to static resource list: %s", err))
+		resources = staticResourceList
+	}
+
 	tagsMap := make(map[string]interface{})
 	if v, ok := d.GetOk("tags"); ok {
-		resources, err := getResourcesForCurrentDeployment(ctx, azureClient, d)
-		if err != nil {
-			return diag.Errorf("cannot get resource list %+v", err)
-		}
-
 		tags := v.(map[string]interface{})
 		for _, tag := range resources {
 			copyMap := make(map[string]interface{})
@@ -657,11 +705,6 @@ func resourceArrayAzureCreate(ctx context.Context, d *schema.ResourceData, m int
 	}
 
 	if v, ok := d.GetOk("resource_tags"); ok {
-		resources, err := getResourcesForCurrentDeployment(ctx, azureClient, d)
-		if err != nil {
-			return diag.Errorf("cannot get resource list %+v", err)
-		}
-
 		resource_tags := v.([]interface{})
 		for _, resource_tag := range resource_tags {
 			resource := resource_tag.(map[string]interface{})["resource"].(string)

docs/data-sources/azure_plans.md

@@ -8,7 +8,7 @@ description: |-
 
 # cbs_plan_azure (Data Source)
 
-Provides plan specific details specified by plan version parameter. The version needs to be specified in format of version prefix e.g. `6.5.x` or `6.6.x` and similar. Specific versions like `6.6.10` are not supported as only the latest version in a given release line is svailable in the marketplace offer for deployment.
+Provides plan specific details specified by plan version parameter. The version needs to be specified in format of version prefix e.g. `6.7.x` or `6.8.x` and similar. Specific versions like `6.8.2` are not supported as only the latest version in a given release line is svailable in the marketplace offer for deployment.
 
 ## Example Usage
 ```hcl

docs/resources/array_aws.md

@@ -27,7 +27,7 @@ resource "cbs_array_aws" "cbs_example" {
 
     array_name = "terraform-example-instance"
 
-    deployment_template_url = "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/4ea2905b-7939-4ee0-a521-d5c2fcb41214/e52106cb-f0af-4409-88af-34a93018f603.template"
+    deployment_template_url = "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/4ea2905b-7939-4ee0-a521-d5c2fcb41214/9e8d86fec7df43a285273e60b3f40e1f.template"
     deployment_role_arn = "arn:aws:iam::xxxxxxxxxxxx:role/example_role"
 
     log_sender_domain = "example-company.org"

docs/resources/array_azure.md

@@ -61,7 +61,7 @@ resource "azurerm_key_vault" "cbs_key_vault" {
 }
 
 data "cbs_plan_azure" "version_plan" {
-    plan_version = "6.6.x"
+    plan_version = "6.8.x"
 }
 
 resource "cbs_array_azure" "azure_instance" {

examples/aws_array/main.tf

@@ -2,7 +2,7 @@ terraform {
     required_providers {
         cbs = {
             source = "PureStorage-OpenConnect/cbs"
-            version = "~> 0.11.0"
+            version = "~> 0.11.1"
         }
     }
 }