Add guards against using distinct subscriptions between owner and child resources #3546

Merged
merged 7 commits into from
Nov 23, 2023

Conversation

super-harsh
Collaborator

Closes #3244

What this PR does / why we need it:

Adding check to match resource credential subscription with owner's subscription.

  • this PR contains tests

Member

@theunrepentantgeek left a comment

Looks good.

However, looks like Test_ConvertResourceToARMResource is failing in CI and I suspect that's related to this change. I'll review again once that's passing.

v2/internal/resolver/resolver_test.go (outdated, resolved)
@super-harsh self-assigned this Nov 13, 2023
@super-harsh added this to the v2.4.0 milestone Nov 13, 2023
@theunrepentantgeek modified the milestones: v2.4.0, v2.5.0 Nov 14, 2023
Member

@matthchr left a comment

Some naming comments/minor refactoring suggestions, but LGTM overall

@@ -809,7 +810,7 @@ func (r *azureDeploymentReconcilerInstance) deleteResource(
return ctrl.Result{}, nil
}

err := checkSubscription(resourceID, r.ARMConnection.SubscriptionID()) // TODO: Possibly we should pass this in as a parameter?
err := r.checkSubscription(resourceID) // TODO: Possibly we should pass this in as a parameter?
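Review bot: on the line calling `r.checkSubscription(resourceID)`, the subscription being compared is no longer visible at the call site, yet the trailing TODO still asks whether it should be passed in as a parameter. Resolve or drop the TODO, and give checkSubscription a doc comment stating which subscription it compares the resource ID against now that `r.ARMConnection.SubscriptionID()` is not passed explicitly.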
Member

minor: Probably can remove this TODO? I am not sure what it was referencing but the code seems OK to me now

@@ -261,6 +274,18 @@ func (h ResourceHierarchy) fullyQualifiedARMIDImpl(subscriptionID string, origin
}
}

func (h ResourceHierarchy) matchOwnerSubscription(subscriptionID string, ownerRID *arm.ResourceID) error {
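Review bot: the new `matchOwnerSubscription` has no doc comment, and its signature takes `ownerRID *arm.ResourceID` as a pointer. Document what error a mismatch returns, and state what happens when ownerRID is nil or carries no subscription, so callers of this guard know whether those cases pass or fail.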
Member

minor:

  1. This method doesn't need to be on ResourceHierarchy, as it doesn't seem to use h at all. It could just be a package scoped function.
  2. The name matchOwnerSubscription seems too specific to me. In reality this is just checking if the provided subscription matches the passed in ResourceID, so possibly we could rename to something like checkARMIDHasSubscription or checkARMIDMatchesSubscription or similar?

Collaborator Author

Yep, I like it. Considering moving the method into genruntime/arm_id.go for re-usability.
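
A stand-alone sketch of the check this thread describes, added here as an example and not taken from the PR. The names `checkARMIDMatchesSubscription` and `ownerARMID` follow the reviewer's suggestions; `subscriptionOf`, `ErrNoSubscription`, parsing the ID as a string instead of using `arm.ResourceID`, and rejecting an owner ID that has no subscription segment are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoSubscription (hypothetical) marks ARM IDs with no subscription segment,
// for example tenant-scoped IDs. Rejecting them is an assumption of this sketch.
var ErrNoSubscription = errors.New("ARM ID has no subscription segment")

// subscriptionOf (hypothetical helper) returns the subscription segment of an
// ARM ID shaped like /subscriptions/<id>/... ; segment names are matched
// case-insensitively because ARM IDs are not case-sensitive.
func subscriptionOf(armID string) (string, error) {
	parts := strings.Split(strings.Trim(armID, "/"), "/")
	if len(parts) < 2 || !strings.EqualFold(parts[0], "subscriptions") || parts[1] == "" {
		return "", ErrNoSubscription
	}
	return parts[1], nil
}

// checkARMIDMatchesSubscription is a package-scoped guard: it returns an error
// when ownerARMID belongs to a different subscription than subscriptionID.
func checkARMIDMatchesSubscription(subscriptionID string, ownerARMID string) error {
	ownerSub, err := subscriptionOf(ownerARMID)
	if err != nil {
		return fmt.Errorf("owner %q: %w", ownerARMID, err)
	}
	if !strings.EqualFold(ownerSub, subscriptionID) {
		return fmt.Errorf("resource subscription %q does not match owner subscription %q",
			subscriptionID, ownerSub)
	}
	return nil
}

func main() {
	// Constructed sample IDs, not taken from the PR.
	owner := "/subscriptions/00000000-0000-0000-0000-00000000000A/resourceGroups/rg1"
	fmt.Println(checkARMIDMatchesSubscription("00000000-0000-0000-0000-00000000000a", owner))
	fmt.Println(checkARMIDMatchesSubscription("11111111-1111-1111-1111-111111111111", owner))
}
```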

@@ -202,13 +219,9 @@ func (h ResourceHierarchy) fullyQualifiedARMIDImpl(subscriptionID string, origin
if err != nil {
Member

If you take the checkARMIDHasSubscription suggestion below, also consider renaming this armID variable to ownerARMID so the check reads: checkARMIDHasSubscription(subscriptionID, ownerARMID)

@codecov-commenter

Codecov Report

Attention: 636 lines in your changes are missing coverage. Please review.

Comparison is base (ccf5aa7) 54.26% compared to head (b3d9ce9) 53.11%.
Report is 66 commits behind head on main.

Files Patch % Lines
...ization/v1api20220401/role_assignment_types_gen.go 53.40% 180 Missing and 32 partials ⚠️
.../v1api20200801preview/role_assignment_types_gen.go 38.09% 9 Missing and 4 partials ⚠️
...api/batch/v1api20210101/batch_account_types_gen.go 0.00% 7 Missing ⚠️
...api/datafactory/v1api20180601/factory_types_gen.go 0.00% 7 Missing ⚠️
...agement/v1api20220801/api_version_set_types_gen.go 0.00% 6 Missing ⚠️
...i/apimanagement/v1api20220801/backend_types_gen.go 0.00% 6 Missing ⚠️
...imanagement/v1api20220801/named_value_types_gen.go 0.00% 6 Missing ⚠️
...agement/v1api20220801/policy_fragment_types_gen.go 0.00% 6 Missing ⚠️
...pi/apimanagement/v1api20220801/policy_types_gen.go 0.00% 6 Missing ⚠️
...i/apimanagement/v1api20220801/product_types_gen.go 0.00% 6 Missing ⚠️
... and 76 more
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #3546       +/-   ##
===========================================
- Coverage   54.26%   53.11%    -1.16%     
===========================================
  Files        1573     1286      -287     
  Lines      653617   402027   -251590     
===========================================
- Hits       354712   213538   -141174     
+ Misses     241328   157873    -83455     
+ Partials    57577    30616    -26961     


@super-harsh added this pull request to the merge queue Nov 23, 2023
Merged via the queue into main with commit 9210c70 Nov 23, 2023
8 checks passed
@super-harsh deleted the fix/check-subscription branch November 23, 2023 21:55