Skip to content

Add secret scopes support in assets bundling#2744

Merged
anton-107 merged 40 commits intomainfrom
anton-107/secret-scopes
May 14, 2025
Merged

Add secret scopes support in assets bundling#2744
anton-107 merged 40 commits intomainfrom
anton-107/secret-scopes

Conversation

@anton-107
Copy link
Copy Markdown
Contributor

@anton-107 anton-107 commented Apr 22, 2025
edited
Loading

Changes

  1. Defined SecretScope as a new resource
  2. Added SecretScope into supported resource types
  3. Generated docs and schema

Why

This change allows users to define secret scopes as part of their assets bundle:

...
resources:
  ...
  secret_scopes:
    my_secret_scope:
      name: my_secret_scope
   ...

Setting custom ACL is supported via permissions field:

resources:
  secret_scopes:
    my_secret_scope:
      name: my_secret_scope
      permissions:
        - user_name: admins
          level: WRITE
        - user_name: users
          level: READ

Tests

  1. Added acceptance tests for secret scope deployments and binding
  2. Added unit tests

@anton-107 anton-107 temporarily deployed to test-trigger-is April 22, 2025 11:18 — with GitHub Actions Inactive
@anton-107 anton-107 force-pushed the anton-107/secret-scopes branch from 1f5b1ec to bac1861 Compare April 23, 2025 12:42
@anton-107 anton-107 temporarily deployed to test-trigger-is April 23, 2025 12:42 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is April 23, 2025 15:41 — with GitHub Actions Inactive
@anton-107 anton-107 force-pushed the anton-107/secret-scopes branch from 5021a64 to 939be8d Compare April 25, 2025 13:58
@anton-107 anton-107 temporarily deployed to test-trigger-is April 25, 2025 13:58 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is April 25, 2025 15:03 — with GitHub Actions Inactive
pietern
pietern reviewed Apr 29, 2025
View reviewed changes
@anton-107 anton-107 force-pushed the anton-107/secret-scopes branch from 0866f1e to 582c555 Compare May 1, 2025 15:03
@anton-107 anton-107 temporarily deployed to test-trigger-is May 1, 2025 15:03 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 1, 2025 15:06 — with GitHub Actions Inactive
@anton-107 anton-107 force-pushed the anton-107/secret-scopes branch from 51b5162 to 33e7575 Compare May 2, 2025 13:39
@anton-107 anton-107 temporarily deployed to test-trigger-is May 2, 2025 13:39 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 2, 2025 14:30 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 2, 2025 14:56 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 2, 2025 15:27 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 09:37 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 11:03 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 11:42 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 12:35 — with GitHub Actions Inactive
@anton-107 anton-107 force-pushed the anton-107/secret-scopes branch from 6ad0889 to 413ad92 Compare May 6, 2025 13:03
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 13:03 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 13:26 — with GitHub Actions Inactive
@anton-107 anton-107 marked this pull request as ready for review May 6, 2025 13:29
@anton-107 anton-107 requested a review from pietern May 6, 2025 13:56
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 15:25 — with GitHub Actions Inactive
@anton-107 anton-107 temporarily deployed to test-trigger-is May 6, 2025 15:27 — with GitHub Actions Inactive
anton-107 and others added 21 commits May 14, 2025 11:57
@anton-107
make schema
d7e1ceb
@anton-107
add a test for a secret scope backed by azure keyvault
8a7b1cc
@anton-107
add a test for a setting top level permissions to a secret scope
bcafeaa
@anton-107
sort requests output to make the permissions test deterministic
9453ec9
@anton-107
disable local-only tests in the cloud; make cloud test deterministic
9c03d00
@anton-107
add enum values for resource.SecretScopePermissionLevel in jsonschema
c8b70a0
@anton-107
minor cleanup: remove debug line and fix spelling in the comment
6abed4e
@anton-107
drop the initial_manage_principal field from SecretScope struct
e8491c5
@anton-107
make schema
9668d17
@anton-107
make docs; fix lint
e53d070
@anton-107
add fields descriptions to the annotations.yml
f6cfd0a
@anton-107
make schema
77dd526
@anton-107 @shreyas-goenka
Update bundle/config/resources/secret_scope.go
c8b49be 
Co-authored-by: shreyas-goenka <88374338+shreyas-goenka@users.noreply.github.com>
@anton-107
add secret_scopes to the allow list for run_as
ecc1e07
@anton-107
add fields directly to SecretScope struct without embedding *workspac…
66b9260 
…e.SecretScope
@anton-107
change the annotation for service_principal_name field for the secret…
54fc36f 
… scope resource
@anton-107
add a comment on using list api to check if a scope exists
c920f61
@anton-107
fix NEXT_CHANGELOG.md bullet formatting
ecb90df
@anton-107
add a comment on inlining fields to SecretScope struct
ed2979a
@anton-107
make schema
056a1cf
@anton-107
fix bundle name in bundle/deployment/bind/secret-scope acc test
fe13c7e
@anton-107 anton-107 force-pushed the anton-107/secret-scopes branch from 3b30e52 to fe13c7e Compare May 14, 2025 10:00
@anton-107 anton-107 temporarily deployed to test-trigger-is May 14, 2025 10:00 — with GitHub Actions Inactive
@anton-107 anton-107 added this pull request to the merge queue May 14, 2025
Merged via the queue into main with commit b14d81c May 14, 2025
10 checks passed
@anton-107 anton-107 deleted the anton-107/secret-scopes branch May 14, 2025 10:57
deco-sdk-tagging bot added a commit that referenced this pull request May 14, 2025
@deco-sdk-tagging
[Release] Release v0.252.0
eb427dd 
## Release v0.252.0

### Dependency updates
* Upgraded Go SDK to 0.69.0 ([#2867](#2867))
* Upgraded to TF provider 1.79.0 ([#2869](#2869))

### Bundles
* Remove unused fields from resources.models schema: creation\_timestamp, last\_updated\_timestamp, latest\_versions and user\_id. Using them now raises a warning ([#2828](#2828)).
* Preserve folder structure for app source code in bundle generate ([#2848](#2848))
* Fix normalising requirements file path in dependencies section ([#2861](#2861))
* Fix default-python template not to add environments when serverless=yes and include\_python=no ([#2866](#2866))
* Fix handling of Unicode characters in Python support ([#2873](#2873))
* Add support for secret scopes in DABs ([#2744](#2744))
* Make `artifacts.*.type` optional in bundle JSON schema ([#2881](#2881))
* Fix support for `spot_bid_max_price` field in Python support ([#2883](#2883))
denik
denik reviewed Jun 26, 2025
View reviewed changes
bundle/deploy/terraform/convert.go
}
}
for _, src := range config.Resources.SecretScopes {
if src.ModifiedStatus == "" {
Copy link
Copy Markdown
Contributor

@denik denik Jun 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other resources (except for apps) also check that ID is empty string. If you don't check it, the resource is always incorrectly marked as "created" even though it is not.

@alexlatchford alexlatchford mentioned this pull request Mar 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pietern pietern pietern approved these changes

@denik denik denik left review comments

@shreyas-goenka shreyas-goenka shreyas-goenka left review comments

@andrewnester andrewnester Awaiting requested review from andrewnester andrewnester is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@anton-107 @pietern @denik @shreyas-goenka