Add secure() for secrets #3589
This looks good but also would be considered a breaking change for any existing templates leveraging the secrets parameter.
We should at least do a pass on any of our known Todo templates to validate nothing is breaking.
@v-xuto - Can you please search the templates published at awesome-azd for container apps that use secrets to see how big of a breaking change this would be?
@jongio @wbreza , templates are not automatically updated to the latest bits from /core templates. From what I've seen, folks would only try to update individual modules when there's an error or there is a required version update for the smart-defaults. Is that enough data to lower the relevance of the breaking changes effects on /core modules?
It might be good to check for secrets usage just to make sure there aren't any there that are using current secrets, since they result in security alerts. But agree that I don't particularly think it should block if it doesn't affect TODO (which I didn't see evidence of, but worth checking again!)
Yes, just a scan to see if they are using and warn them as a courtesy. @v-xuto please...
@wbreza thoughts on that error?
Should really be fixed now
@v-jiaodi , can you try again? (You might need to
@vhvb1989 Now it can work normally.
@jongio For related todo templates (
@rajeshkamal5050 - It would be good to include this in breaking changes list with instructions on how to implement with the new method. Pamela is that something you can write up?
Suggested for release notes - Breaking change, made to improve security: The
@pamelafox FYI
LGTM. Thanks for submitting this change!
@weikanglim Ah yeah, my placeholders were misleading. Updated suggested text to look more like a real diff (such as Azure-Samples/langfuse-on-azure@105148f)
This PR makes it so that you can securely pass secrets into the container-app modules, by wrapping it in a secure() decorator. Unfortunately, we can't mark arrays as @secure, so you have to instead pass in an object of the secret key/values, and we turn that back into the expected array format.

Note that I haven't tested these exact modules since I'm working off a fork of the modules (my use case isn't compatible with the azd modules.. will file an issue about that).
You can see my change here, which works:
Azure-Samples/langfuse-on-azure#9
I don't think any of the TODO templates utilize secrets for container apps, so not sure there's a test to do on the azd template side.
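
The pattern described in the PR summary above, as an added example that is not the PR's or the azd modules' own code: a module takes secrets as a `@secure()` object and rebuilds the name/value array that the Container Apps resource expects. The parameter names, the API version, the `db-password` secret name and the `DB_PASSWORD` variable are assumptions chosen for illustration.

```bicep
// Added illustration; names below are hypothetical, not the azd module's code.

// Before: an array parameter cannot carry @secure(), so values passed
// through it are handled as ordinary (non-secret) parameters.
// param secrets array = []

// After: a secure object mapping secret name -> secret value.
@secure()
param secrets object = {}

param name string
param location string = resourceGroup().location
param containerAppsEnvironmentId string
param image string

// Container Apps expects [{ name: ..., value: ... }], so convert the
// object back into that array shape. items() yields { key, value } pairs.
var secretArray = [for secret in items(secrets): {
  name: secret.key
  value: secret.value
}]

resource app 'Microsoft.App/containerApps@2023-05-01' = {
  name: name
  location: location
  properties: {
    managedEnvironmentId: containerAppsEnvironmentId
    configuration: {
      secrets: secretArray
    }
    template: {
      containers: [
        {
          name: 'main'
          image: image
          env: [
            {
              // The container reads the secret by reference, never by value.
              name: 'DB_PASSWORD'
              secretRef: 'db-password'
            }
          ]
        }
      ]
    }
  }
}
```

A caller that previously passed `secrets: [ { name: 'db-password', value: dbPassword } ]` would pass `secrets: { 'db-password': dbPassword }` instead, with `dbPassword` itself declared as a `@secure()` string parameter.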