
Fix Terraform recipe failure when resource has no application property #11834

Merged
Reshrahim merged 4 commits into main from copilot/fix-terraform-recipe-error
May 8, 2026
Contributor

Copilot AI commented May 7, 2026

Description

generateSecretSuffix in the Kubernetes backend unconditionally calls resources.Parse(resourceRecipe.ApplicationID). When a resource has no application property (only environment), ApplicationID is "", and resources.Parse("") returns '' is not a valid resource id.

Bicep recipes already handle this correctly because the recipe context builder (recipecontext/context.go) and config loader (configloader/environment.go) both guard on ApplicationID != "" before parsing. The Terraform backend was the only callsite missing this guard.

Fix: Skip parsing ApplicationID when empty, and exclude the app name component from the hash input string entirely. When an application is set, the hash input is envName-appName-resourceID; when it is not set, the hash input is envName-resourceID (no empty segment or double dash).

// Before: always parses, fails on ""
parsedAppID, err := resources.Parse(resourceRecipe.ApplicationID)
inputString := fmt.Sprintf("%s-%s-%s", envName, appName, resourceID)

// After: only parse when set, and exclude from hash input when empty
appName := ""
if resourceRecipe.ApplicationID != "" {
    parsedAppID, err := resources.Parse(resourceRecipe.ApplicationID)
    appName = parsedAppID.Name()
}
if appName != "" {
    inputString = fmt.Sprintf("%s-%s-%s", envName, appName, resourceID)
} else {
    inputString = fmt.Sprintf("%s-%s", envName, resourceID)
}

Added a corresponding unit test (Test_GenerateSecretSuffix_empty_appid).

Type of change

  • This pull request fixes a bug in Radius and has an approved issue (issue link required).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable
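
An added, self-contained Go sketch of the guard described above (not the Radius source): `parseName` is a hypothetical stand-in for `resources.Parse(...).Name()`, the resource IDs are constructed, and SHA-256 is an assumed hash because the page does not name one.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// parseName (hypothetical) rejects an empty or malformed ID, else returns the last segment.
func parseName(id string) (string, error) {
	segs := strings.Split(strings.TrimRight(id, "/"), "/")
	if !strings.HasPrefix(id, "/") || segs[len(segs)-1] == "" {
		return "", fmt.Errorf("'%s' is not a valid resource id", id)
	}
	return segs[len(segs)-1], nil
}

// hashInput builds the string that gets hashed into the secret suffix.
// The application segment is included only when applicationID is set.
func hashInput(envID, applicationID, resourceID string) (string, error) {
	envName, err := parseName(envID)
	if err != nil {
		return "", err
	}
	if applicationID == "" { // environment-scoped resource: skip parsing
		return fmt.Sprintf("%s-%s", envName, resourceID), nil
	}
	appName, err := parseName(applicationID)
	if err != nil {
		return "", err // a non-empty but malformed ID is still rejected
	}
	return fmt.Sprintf("%s-%s-%s", envName, appName, resourceID), nil
}

// secretSuffix hashes the input. SHA-256 is an assumption of this sketch.
func secretSuffix(envID, applicationID, resourceID string) (string, error) {
	in, err := hashInput(envID, applicationID, resourceID)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(in))
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed IDs; the resource has no application.
	fmt.Println(secretSuffix("/constructed/environments/env0", "", "/constructed/extenders/r0"))
}
```

Only the empty string bypasses parsing, so a non-empty but malformed ApplicationID still surfaces as an error instead of silently producing a suffix.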

The generateSecretSuffix function in the Kubernetes backend was
unconditionally parsing resourceRecipe.ApplicationID as a resource ID.
When ApplicationID is empty (resource has no application property),
resources.Parse("") returns "'' is not a valid resource id" error.

Fix: Skip parsing ApplicationID when it is empty, using an empty app
name in the secret suffix hash instead.

Agent-Logs-Url: https://github.com/radius-project/radius/sessions/f9f15a7d-9f56-4d7d-b58c-95c95a643c37

Co-authored-by: Reshrahim <61033581+Reshrahim@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix Terraform recipe error for resource missing application property" to "Fix Terraform recipe failure when resource has no application property" May 7, 2026
Copilot AI requested a review from Reshrahim May 7, 2026 17:58

github-actions Bot commented May 7, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


github-actions Bot commented May 7, 2026

Unit Tests

    2 files  ±0    420 suites  ±0   6m 53s ⏱️ +10s
5 023 tests +1  5 021 ✅ +1  2 💤 ±0  0 ❌ ±0 
6 050 runs  +1  6 048 ✅ +1  2 💤 ±0  0 ❌ ±0 

Results for commit a033cbb. ± Comparison against base commit 073b796.

♻️ This comment has been updated with latest results.


codecov Bot commented May 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.21%. Comparing base (073b796) to head (a033cbb).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #11834      +/-   ##
==========================================
+ Coverage   51.20%   51.21%   +0.01%     
==========================================
  Files         715      715              
  Lines       45074    45081       +7     
==========================================
+ Hits        23079    23090      +11     
+ Misses      19798    19796       -2     
+ Partials     2197     2195       -2     


Comment thread pkg/recipes/terraform/config/backends/kubernetes.go Outdated
When ApplicationID is empty, omit the app name component from the hash
input string entirely instead of including an empty segment.

Agent-Logs-Url: https://github.com/radius-project/radius/sessions/30d0a0a9-1a9e-4a6f-a7db-54d0061ac67a

Co-authored-by: kachawla <74574173+kachawla@users.noreply.github.com>
Copilot AI requested a review from kachawla May 8, 2026 00:08
@Reshrahim Reshrahim marked this pull request as ready for review May 8, 2026 00:10
Copilot AI review requested due to automatic review settings May 8, 2026 00:10
@Reshrahim Reshrahim requested review from a team as code owners May 8, 2026 00:10

radius-functional-tests Bot commented May 8, 2026

Radius functional test overview

Name Value
Repository radius-project/radius
Commit ref a033cbb
Unique ID funcf05ea649f4
Image tag pr-funcf05ea649f4
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-funcf05ea649f4
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-funcf05ea649f4
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-funcf05ea649f4
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-funcf05ea649f4
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-funcf05ea649f4
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

Contributor

Copilot AI left a comment

Pull request overview

Fixes a Terraform (Kubernetes backend) failure when a recipe resource is environment-scoped and therefore has an empty ApplicationID. The change aligns the Terraform backend behavior with existing guards in the recipe context builder/config loader by skipping ApplicationID parsing when it’s empty, and it adds a unit test to cover the scenario.

Changes:

  • Guard resources.Parse(resourceRecipe.ApplicationID) behind ApplicationID != "" to avoid parsing an empty resource ID.
  • Exclude the application name segment from the secret-suffix hash input when no application is set (use envName-resourceID instead of envName--resourceID).
  • Add a unit test validating secret suffix generation when ApplicationID is empty.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
pkg/recipes/terraform/config/backends/kubernetes.go Skips parsing empty ApplicationID and adjusts hash input format accordingly.
pkg/recipes/terraform/config/backends/kubernetes_test.go Adds coverage for generateSecretSuffix when ApplicationID is empty.

@Reshrahim Reshrahim merged commit 8ad0d19 into main May 8, 2026
69 of 70 checks passed
@Reshrahim Reshrahim deleted the copilot/fix-terraform-recipe-error branch May 8, 2026 17:11
@kachawla kachawla self-assigned this May 14, 2026
Development

Successfully merging this pull request may close these issues.

Terraform recipe fails with 'is not a valid resource id' when resource has no application property

5 participants