feat: use cli-extension-iac [IAC-3213] #5730
Conversation
sergiu-snyk
force-pushed
the
feat/IAC-3213/cli-extension-iac
branch
4 times, most recently
from
6ed4749 to
40b2247
Compare
sergiu-snyk
force-pushed
the
feat/IAC-3213/cli-extension-iac
branch
3 times, most recently
from
522620c to
5f07b9b
Compare
| @@ -151,7 +151,8 @@ $(BUILD_DIR)/$(V2_EXECUTABLE_NAME): $(BUILD_DIR) $(SRCS) generate-ls-protocol-me | |||
| @echo "$(LOG_PREFIX) Building ( $(BUILD_DIR)/$(V2_EXECUTABLE_NAME) )" | |||
| @echo "$(LOG_PREFIX) LDFLAGS: $(LDFLAGS)" | |||
| @echo "$(LOG_PREFIX) GCFLAGS: $(GCFLAGS)" | |||
| @GOEXPERIMENT=$(FIPS_CRYPTO_BACKEND) GOOS=$(_GO_OS) GOARCH=$(GOARCH) $(GOCMD) build -tags=application -ldflags="$(LDFLAGS) -X github.com/snyk/snyk-ls/application/config.Version=$(LS_COMMIT_HASH) -X github.com/snyk/snyk-ls/application/config.LsProtocolVersion=$(LS_PROTOCOL_VERSION) -X main.internalOS=$(GOOS) -X github.com/snyk/cli/cliv2/internal/embedded/cliv1.snykCLIVersion=$(CLI_V1_VERSION_TAG)" $(GCFLAGS) -o $(BUILD_DIR)/$(V2_EXECUTABLE_NAME) $(WORKING_DIR)/cmd/cliv2/*.go | |||
| @echo "$(LOG_PREFIX) IAC_RULES_URL: $(IAC_RULES_URL)" | |||
| @GOEXPERIMENT=$(FIPS_CRYPTO_BACKEND) GOOS=$(_GO_OS) GOARCH=$(GOARCH) $(GOCMD) build -tags=application -ldflags="$(LDFLAGS) -X github.com/snyk/snyk-ls/application/config.Version=$(LS_COMMIT_HASH) -X github.com/snyk/snyk-ls/application/config.LsProtocolVersion=$(LS_PROTOCOL_VERSION) -X main.internalOS=$(GOOS) -X github.com/snyk/cli/cliv2/internal/embedded/cliv1.snykCLIVersion=$(CLI_V1_VERSION_TAG) -X github.com/snyk/cli-extension-iac/internal/commands/iactest.internalRulesClientURL=$(IAC_RULES_URL)" $(GCFLAGS) -o $(BUILD_DIR)/$(V2_EXECUTABLE_NAME) $(WORKING_DIR)/cmd/cliv2/*.go | |||
There was a problem hiding this comment.
injected IAC_RULES_URL at build time as discussed with @PeterSchafer. This is for now an environment variable in the CLI project, but could be moved to a context if that's better.
There was a problem hiding this comment.
Yes, please move it to a context. The usage won't change though.
Thank you!
sergiu-snyk
force-pushed
the
feat/IAC-3213/cli-extension-iac
branch
2 times, most recently
from
5a241da to
6a1e8f9
Compare
sergiu-snyk
force-pushed
the
feat/IAC-3213/cli-extension-iac
branch
from
6a1e8f9 to
edda6f2
Compare
| @@ -91,7 +91,7 @@ describe('CLI Share Results', () => { | |||
|
|
|||
| it('forwards project tags', async () => { | |||
| const { exitCode } = await run( | |||
| 'snyk iac test ./iac/arm/rule_test.json --report --tags=foo=bar', | |||
| 'snyk iac test ./iac/arm/rule_test.json --report --project-tags=foo=bar', | |||
There was a problem hiding this comment.
--tags is an alias for --project-tags that should not be used, and is no longer supported. I don't consider this a breaking change, since it is undocumented in the command help, or any online documentation. In the very unlikely event anyone uses it, the command help should point them to use --project-tags
| @@ -11,7 +11,7 @@ type IacCloudContext = Pick< | |||
| >; | |||
|
|
|||
| export function getIacCloudContext( | |||
| testConfig: TestConfig, | |||
| testConfig: Partial<TestConfig>, | |||
There was a problem hiding this comment.
question: why not use snykCloudEnvironment?: string here instead of a partially applied interface? Makes it much clearer what the parameters are.
There was a problem hiding this comment.
You're right. IDK why didn't consider it.
| import { getFlag } from '../index'; | ||
| import { IaCTestFlags } from '../local-execution/types'; | ||
| import { findAndLoadPolicy } from '../../../../../lib/policy'; | ||
| import { assertIacV2Options } from './assert-iac-options'; | ||
| import { addIacAnalytics } from '../../../../../lib/iac/test/v2/analytics'; |
There was a problem hiding this comment.
note: the analytics here will be deprecated at some point in favour of instrumentation data in Go, the analytics payload constructed via addIacAnalytics can be preserved when we eventually migrate, but any dashboards/monitoring reliant on these analytics might be impacted. Just something to be aware of.
| ): Promise<TestOutput> { | ||
| const results = await readJson(outputFilePath); | ||
|
|
||
| return mapSnykIacTestOutputToTestOutput(results); |
There was a problem hiding this comment.
suggestion: now that we support Error Catalog errors, this is a good opportunity to update the errors thrown by mapSnykIacTestOutputToTestOutput() to more specific Error Catalog errors (if applicable)
There was a problem hiding this comment.
That's something we considered, but for now we haven't identified good candidates for more specific errors (errors that would benefit from providing more context in form of external links), and we use some of the existing ones (those related to invalid flags). The error specific details for the generic IaC failure error should be good enough.
|
question: how will the file reading/writing behave for multiple concurrent reads/writes? It doesn't look like it's tested? |
| @@ -151,7 +151,8 @@ $(BUILD_DIR)/$(V2_EXECUTABLE_NAME): $(BUILD_DIR) $(SRCS) generate-ls-protocol-me | |||
| @echo "$(LOG_PREFIX) Building ( $(BUILD_DIR)/$(V2_EXECUTABLE_NAME) )" | |||
| @echo "$(LOG_PREFIX) LDFLAGS: $(LDFLAGS)" | |||
| @echo "$(LOG_PREFIX) GCFLAGS: $(GCFLAGS)" | |||
| @GOEXPERIMENT=$(FIPS_CRYPTO_BACKEND) GOOS=$(_GO_OS) GOARCH=$(GOARCH) $(GOCMD) build -tags=application -ldflags="$(LDFLAGS) -X github.com/snyk/snyk-ls/application/config.Version=$(LS_COMMIT_HASH) -X github.com/snyk/snyk-ls/application/config.LsProtocolVersion=$(LS_PROTOCOL_VERSION) -X main.internalOS=$(GOOS) -X github.com/snyk/cli/cliv2/internal/embedded/cliv1.snykCLIVersion=$(CLI_V1_VERSION_TAG)" $(GCFLAGS) -o $(BUILD_DIR)/$(V2_EXECUTABLE_NAME) $(WORKING_DIR)/cmd/cliv2/*.go | |||
| @echo "$(LOG_PREFIX) IAC_RULES_URL: $(IAC_RULES_URL)" | |||
There was a problem hiding this comment.
Question: What is the developer experience when this Environment Variable is not specified? Is it worth to explicitly warn when it is empty?
Nitpick: Maybe move this to where LS version: is printed 😄
There was a problem hiding this comment.
This is the error I see, right now.
Can we make the test a bit more descriptive and actionable? I'm worried about all the asks we will be getting because someone is using a dev CLI without the URL set.
There was a problem hiding this comment.
Yes, good points. I think we should actually fail the build if that bundle is not provided, wdyt?
There was a problem hiding this comment.
Maybe we fail the command execution instead?!
There was a problem hiding this comment.
It fails right now, doesn't it? Just that the message is not very actionable. like you said.
There was a problem hiding this comment.
yes, it fails, but it seems to do a lot of things until it fails with the message right now. So a proposal could be to do a check for the variable and fail early and actionable. Does this make sense?
There was a problem hiding this comment.
Gotcha! Makes sense!
You mean the file provided via It is essentially the same mechanism that the existing |
Pull Request Submission Checklist
What does this PR do?
Enables the new IaC CLI extension that replaces
snyk-iac-test.A couple of acceptance tests exercising invalid flags for command
snyk iac testhad to be modified due to the default CLI invalid flag behavior for extensions.A cleanup PR for the snyk-iac-test binary will follow after we release this and if no problems reported.
Where should the reviewer start?
How should this be manually tested?
Acceptance tests cover the IaC functionality. But to run manually use
snyk iac test.