Deploy and tests

microsoft · Jun 20, 2024 · 79f541a · 79f541a
1 parent ac727e2
commit 79f541a
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 3 deletions.
diff --git a/deployment/bin/deploy b/deployment/bin/deploy
@@ -49,9 +49,30 @@ while [[ "$#" -gt 0 ]]; do case $1 in
         ;;
     esac done
 
+disable_shared_access_keys() {
+    echo "Disabling shared access key on storage account..."
+    az storage account update \
+        --name ${SAK_STORAGE_ACCOUNT} \
+        --resource-group ${SAK_RESOURCE_GROUP} \
+        --allow-shared-key-access false \
+        --output none
+
+    if [ $? -ne 0 ]; then
+        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+        echo "WARNING: Failed to turn off shared key access on the storage account."
+        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+        exit 2
+    fi
+}
+
+# Always disable shared access keys on script exit
+trap disable_shared_access_keys EXIT
+
 ###################################
 # Check and configure environment #
 ###################################
+SAK_STORAGE_ACCOUNT=pctapisstagingsa
+SAK_RESOURCE_GROUP=pct-apis-westeurope-staging_rg
 
 if [[ -z ${TERRAFORM_DIR} ]]; then
     echo "Must pass in TERRAFORM_DIR with -t"
@@ -91,6 +112,18 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 
     if [[ "${SKIP_TF}" != 1 ]]; then
         echo "Deploying infrastructure with Terraform..."
+
+        echo "Enabling shared key access for storage account..."
+        # Terraform isn't able to read all resources from a storage account if shared key access is disabled
+        # so while we're deploying, we need to enable it. Since we haven't run TF yet, we don't have the name of the account
+        # so they are hardcoded here. This is a temporary workaround until this is resolved
+        # https://github.com/hashicorp/terraform-provider-azurerm/issues/25218
+        az storage account update \
+            --name ${SAK_STORAGE_ACCOUNT} \
+            --resource-group ${SAK_RESOURCE_GROUP} \
+            --allow-shared-key-access true \
+            --output none
+
         terraform init --upgrade
 
         if [ "${PLAN_ONLY}" ]; then

diff --git a/deployment/terraform/resources/aks.tf b/deployment/terraform/resources/aks.tf
@@ -26,6 +26,10 @@ resource "azurerm_kubernetes_cluster" "pc" {
     vm_size        = "Standard_DS2_v2"
     node_count     = var.aks_node_count
     vnet_subnet_id = azurerm_subnet.node_subnet.id
+
+    upgrade_settings {
+      max_surge = "10%"
+    }
   }
 
   identity {

diff --git a/deployment/terraform/resources/providers.tf b/deployment/terraform/resources/providers.tf
@@ -1,4 +1,4 @@
-provider azurerm {
+provider "azurerm" {
   features {}
   use_oidc = true
 }
@@ -9,9 +9,9 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.97.1"
+      version = "3.108.0"
     }
   }
 }
 
-data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "current" {}
diff --git a/deployment/terraform/resources/storage_account.tf b/deployment/terraform/resources/storage_account.tf
@@ -6,8 +6,21 @@ resource "azurerm_storage_account" "pc" {
   account_replication_type        = "LRS"
   min_tls_version                 = "TLS1_2"
   allow_nested_items_to_be_public = false
+
+  # Disabling shared access keys breaks terraform's ability to do subsequent
+  # resource fetching during terraform plan. As a result, this property is
+  # ignored and managed outside of this apply session, via the deploy script.
+  # https://github.com/hashicorp/terraform-provider-azurerm/issues/25218
+
+  # shared_access_key_enabled = false
+  lifecycle {
+    ignore_changes = [
+      shared_access_key_enabled,
+    ]
+  }
 }
 
+
 # Tables
 
 resource "azurerm_storage_table" "collectionconfig" {

diff --git a/pccommon/tests/config/test_table_service.py b/pccommon/tests/config/test_table_service.py
@@ -0,0 +1,29 @@
+import pytest
+
+from pccommon.tables import TableService
+
+
+def test_table_service_azurite() -> None:
+    with TableService.from_environment(
+        account_name="devstoreaccount1",
+        table_name="testtable",
+        account_url="http://azurite:10002",
+    ) as table:
+        assert table
+        assert table.table_name == "testtable"
+        assert table.account_name == "devstoreaccount1"
+
+
+def test_table_service_fails_without_azurite() -> None:
+    with pytest.raises(ValueError) as excinfo:
+        with TableService.from_environment(
+            account_name="devstoreaccount1",
+            table_name="testtable",
+            account_url="https://devstoreaccount1.table.core.windows.net",
+        ) as _:
+            pass
+
+    assert str(excinfo.value) == (
+        "Non-azurite account url provided. "
+        "Account keys can only be used with Azurite emulator."
+    )