[HPR-1606] Add support specifying disk encryption set keys across replicated regions #371
Conversation
nywilken
changed the title
nywilken
force-pushed
the
nywilken/target-regions-for-sig
branch
3 times, most recently
from
1e4d28b to
89dcd8b
Compare
nywilken
changed the title
builder/azure/arm/builder.go
Outdated
| } | ||
|
|
||
| // TODO It would be better if validation could be handled in a central location |
There was a problem hiding this comment.
This code looks good but I wonder if we should add this validation to its own function or its own step, that way we could more easily unit test this logic in isolation, feel free to take that feedback or leave it, but I think it'd be good to add some sort of unit test coverage to ensure that we don't break the backwards compatibility you've established here in future updates to this code
There was a problem hiding this comment.
I moved this into config.go and added a few tests for it. Let me know what you think.
builder/azure/arm/builder.go
Outdated
| if foundMandatoryReplicationRegion == false { | ||
| b.config.SharedGalleryDestination.SigDestinationReplicationRegions = append(normalizedReplicationRegions, buildLocation) | ||
| // Validate target region settings; it can be the deprecated replicated_regsions attribute or multiple target_region blocks | ||
| if (len(b.config.SharedGalleryDestination.SigDestinationReplicationRegions) > 0) && (len(b.config.SharedGalleryDestination.SigDestinationTargetRegions) > 0) { |
There was a problem hiding this comment.
Could we check for this before we compute the regions? Like in the config validation we could just check if target_regions and replicated_regions are set together, that way we fail a bit earlier when the config is invalid, what do you think?
There was a problem hiding this comment.
Yeah we can do that. This checks seems like it is bit late!
There was a problem hiding this comment.
This largely LGTM, nice work on this issue Wilken, I left a thought about a block in builder.go I think we could break off into a function and unit test in isolation, but I'm happy to do that refactoring in a follow up PR if you'd prefer, lemme know what you think!
| @@ -1362,6 +1362,116 @@ func TestConfigShouldAcceptShallowReplicationWithWithUnsetReplicaCount(t *testin | |||
| t.Fatalf("expected config to accept shallow replication with unset replica count build: %v", err) | |||
| } | |||
| } | |||
|
|
|||
| func TestConfigValidateShallowReplicationRegion(t *testing.T) { | |||
There was a problem hiding this comment.
Awesome! thanks for adding these
| return nil, fmt.Errorf("when `use_shallow_replication` is enabled the value of `replicated_regions` must match the build region specified by `location` or match the region of `build_resource_group_name`.") | ||
|
|
||
| // Convert deprecated replication_regions to []TargetRegion | ||
| if len(b.config.SharedGalleryDestination.SigDestinationReplicationRegions) > 0 { |
There was a problem hiding this comment.
Not blocking and I think this could be done in a follow up PR but I think we should move this block as well, into a new function called ConvertReplicatedRegions in can still exist in the builder but that way we can unit test it in isolation so that we don't break backwards compatibility in the future with this unintentionally.
There was a problem hiding this comment.
FWIW I started down this path, as I agree this could help with testing but there is a bunch of nuance logic happening there that I wouldn't want to hide in a function. Breaking out the for loop is straight forward but we would run it after normalization. There are a few tests already that if given replication_regions asserts that the the correct number of target_regions are crated. If that helps.
There was a problem hiding this comment.
That makes sense, thanks for clarifying!
There was a problem hiding this comment.
I thought about how to move this stuff into a step_* but 😵 - maybe after a day something comes up. Thanks for this suggestion.
nywilken
force-pushed
the
nywilken/target-regions-for-sig
branch
from
78a0b7f to
1a207d9
Compare
nywilken
force-pushed
the
nywilken/target-regions-for-sig
branch
from
1a207d9 to
baf7527
Compare
As an alternative to specifying replication_regions for a Shared Image Gallery Destination, users can not use one or more `target_region` block attributes to define the target regions for a shared image version. The target_region block attribute supports the setting of individual disk encryption key id for multi-region replication of encrypted disks using CMKs. The `target_region` attribute is meant to replace the now deprecated `replication_regions` attribute. Internally, any values set for replication_regions will be transferred into a set of target_region blocks to provide the same level of functionality. The one difference being that Packer will no longer add a default entry for the SIG build location when using target_region blocks.
nywilken
force-pushed
the
nywilken/target-regions-for-sig
branch
from
baf7527 to
e7dc560
Compare
…licated regions (hashicorp#371) * Add support for target_region block in SharedImageGalleryDestination As an alternative to specifying replication_regions for a Shared Image Gallery Destination, users can not use one or more `target_region` block attributes to define the target regions for a shared image version. The target_region block supports attributes for setting individual disk encryption key id to support multi-region replication of encrypted disks using CMKs. The `target_region` block attribute is meant to replace the now deprecated `replication_regions` attributed. Internally, any values set for replication_regions will be transferred into a set of target_regions to provide the same level of functionality. The one difference being that Packer will no longer add a default entry for the SIG build location when using target_region blocks.
…licated regions (hashicorp#371) * Add support for target_region block in SharedImageGalleryDestination As an alternative to specifying replication_regions for a Shared Image Gallery Destination, users can not use one or more `target_region` block attributes to define the target regions for a shared image version. The target_region block supports attributes for setting individual disk encryption key id to support multi-region replication of encrypted disks using CMKs. The `target_region` block attribute is meant to replace the now deprecated `replication_regions` attributed. Internally, any values set for replication_regions will be transferred into a set of target_regions to provide the same level of functionality. The one difference being that Packer will no longer add a default entry for the SIG build location when using target_region blocks.
As an alternative to specifying replication_regions for a Shared Image
Gallery Destination, users can not use one or more
target_regionblockattributes to define the target regions for a shared image version. The
target_region block attribute supports the setting of individual disk
encryption key id for multi-region replication of encrypted
disks using CMKs.
The
target_regionattribute is meant to replace the now deprecatedreplication_regionsattribute. Internally, any values set forreplication_regions will be transferred into a set of target_region
blocks to provide the same level of functionality. The one difference being that
Packer will no longer add a default entry for the SIG build location
when using target_region blocks.
Closes: #264
Example Config