Update variable replacement during deserialization to use replacement settings class and add AKV replacement logic. #2882
Conversation
| { | ||
| Assert.IsTrue(RuntimeConfigLoader.TryParseConfig( | ||
| GetModifiedJsonString(repValues, @"""postgresql"""), out expectedConfig, replaceEnvVar: replaceEnvVar), | ||
| GetModifiedJsonString(repValues, @"""postgresql"""), out expectedConfig, replacementSettings: new DeserializationVariableReplacementSettings(azureKeyVaultOptions: null, doReplaceEnvVar: replaceEnvVar, doReplaceAKVVar: true)), |
There was a problem hiding this comment.
We should add similar tests for AKV replacement checks
src/Service.Tests/UnitTests/PostgreSqlQueryExecutorUnitTests.cs
Outdated
Show resolved
Hide resolved
aaronburtle
requested review from
Alekhya-Polavarapu,
neeraj-sharma2592,
rusamant,
sourabh1007 and
vadeveka
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR refactors the configuration deserialization system to introduce Azure Key Vault (AKV) variable replacement support alongside environment variable replacement. The key change is replacing individual boolean parameters (replaceEnvVar, replacementFailureMode) with a unified DeserializationVariableReplacementSettings object that encapsulates all variable replacement configuration, including the new AKV functionality.
- Introduces
DeserializationVariableReplacementSettingsclass to centralize variable replacement configuration - Adds Azure Key Vault secret resolution support with configurable retry policies
- Updates all JSON converters and configuration loading methods to use the new settings object
Reviewed Changes
Copilot reviewed 33 out of 33 changed files in this pull request and generated 15 comments.
Show a summary per file
| File | Description |
|---|---|
src/Config/DeserializationVariableReplacementSettings.cs |
New class that encapsulates variable replacement logic for both environment variables and Azure Key Vault secrets |
src/Config/RuntimeConfigLoader.cs |
Updated to use new settings object and extract AKV options with two-pass parsing |
src/Config/Converters/StringJsonConverterFactory.cs |
Refactored to use pluggable replacement strategies from settings object |
src/Config/Converters/*ConverterFactory.cs |
Updated multiple converter factories to accept DeserializationVariableReplacementSettings instead of boolean parameters |
src/Config/ObjectModel/AzureKeyVaultOptions.cs |
Added constructor and flags to track user-provided properties |
src/Directory.Packages.props |
Added Azure.Security.KeyVault.Secrets package dependency |
src/Service/Controllers/ConfigurationController.cs |
Updated Initialize call with new settings object |
| Test files | Updated test code to use new settings object instead of boolean parameters |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/Config/Converters/DatasourceHealthOptionsConvertorFactory.cs
Outdated
Show resolved
Hide resolved
src/Config/Converters/DatasourceHealthOptionsConvertorFactory.cs
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| ExportGraphQL(options, runtimeConfig, fileSystem, loader, logger).Wait(); | ||
| isSuccess = true; | ||
| break; | ||
| if (runtimeConfig is not null) |
There was a problem hiding this comment.
Why this change? The fact that TryLoadConfig returned true means runtimeConfig is going to be not null. Why do we need to check again here?
|
|
||
| SqlConnectionStringBuilder builder = new(runtimeConfig.DataSource.ConnectionString); | ||
| Assert.AreEqual(ProductInfo.GetDataApiBuilderUserAgent(), builder.ApplicationName); | ||
| if (runtimeConfig is not null) |
There was a problem hiding this comment.
Same here, we are already Assert for true above. If the assert fails, it will error out. so runtimeConfig can never be null here.
|
|
||
| using System.Text.Json; | ||
| using System.Text.Json.Serialization; | ||
| using Azure.DataApiBuilder.Config.ObjectModel; |
There was a problem hiding this comment.
This seems to be an unnecessary using statement
| // value or not while deserializing. | ||
| private readonly DeserializationVariableReplacementSettings? _replacementSettings; | ||
|
|
||
| /// <param name="replaceEnvVar">Whether to replace environment variable with its |
There was a problem hiding this comment.
| /// <param name="replaceEnvVar">Whether to replace environment variable with its | |
| /// <param name="replacementSettings">Whether to replace environment variable with its |
| case "retry-policy": | ||
| if (reader.TokenType is JsonTokenType.StartObject) | ||
| { | ||
| // Pass the replaceEnvVar setting to the retry policy converter |
There was a problem hiding this comment.
how is this setting passed to the retry policy converter?
| // .* : any char except newline any number of times | ||
| // (?=\)) : look ahead for end char of ) | ||
| // This pattern greedy matches all characters that are not a part of @env() | ||
| // ie: @env('hello@env('goodbye')world') match: 'hello@env('goodbye')world' |
| { | ||
| // Need to remove the dependencies in startup on the RuntimeConfigProvider | ||
| // before we can have an ILogger here. | ||
| // before we can have anILogger here. |
There was a problem hiding this comment.
nit:
| // before we can have anILogger here. | |
| // before we can have an ILogger here. |
|
|
||
| if (!string.IsNullOrEmpty(json) && TryParseConfig(json, out RuntimeConfig, connectionString: _connectionString, replaceEnvVar: replaceEnvVar)) | ||
| // Use default replacement settings if none provided | ||
| replacementSettings ??= new DeserializationVariableReplacementSettings(azureKeyVaultOptions: null, doReplaceEnvVar: true, doReplaceAkvVar: true); |
There was a problem hiding this comment.
Default for this function was to keep replaceEnvVar to false. But, here I see it is true, why is this change needed and if needed, did we ensure all the callers are updated accordingly?
| _dataSourceNameToDataSource = _dataSourceNameToDataSource.Concat(config._dataSourceNameToDataSource).ToDictionary(kvp => kvp.Key, kvp => kvp.Value); | ||
| _entityNameToDataSourceName = _entityNameToDataSourceName.Concat(config._entityNameToDataSourceName).ToDictionary(kvp => kvp.Key, kvp => kvp.Value); | ||
| allEntities = allEntities.Concat(config.Entities.AsEnumerable()); | ||
| if (config is not null) |
There was a problem hiding this comment.
why do we need to check for config is not null when TryLoadConfig is true?
| { | ||
| string configJson = TestHelper.AddPropertiesToJson(TestHelper.BASE_CONFIG, entityJson); | ||
| RuntimeConfigLoader.TryParseConfig(configJson, out RuntimeConfig deserializedConfig, logger: null, GetConnectionStringFromEnvironmentConfig(environment: TestCategory.MSSQL)); | ||
| RuntimeConfigLoader.TryParseConfig( |
There was a problem hiding this comment.
for TryParseConfig, the default value of replaceEnvVar was false. But with the addition of the replacementSettings, the default value for this call ends up being true. This will break the previous assumptions. In case of refactors, the best idea is to maintain previous behavior to avoid regressions.
|
/azp run |
|
Azure Pipelines successfully started running 6 pipeline(s). |
Why make this change?
Adds AKV variable replacement and expands our design for doing variable replacements to be more extensible when new variable replacement logic is added.
Closes #2708
Closes #2748
Related to #2863
What is this change?
Change the way that variable replacement is handled to instead of simply using a
boolto indicate that we want env variable replacement, we add a class which holds all of the replacement settings. This will hold whether or not we will do replacement for each kind of variable that we will handle replacement for during deserialization. We also include the replacement failure mode, and put the logic for handling the replacements into a strategy dictionary which pairs the replacement variable type with the strategy for doing that replacement.Because Azure Key Vault secret replacement requires having the retry and connection settings in order to do the AKV replacement, we must do a first pass where we only do non-AKV replacement and get the required settings so that if AKV replacement is used we have the required settings to do that replacement.
We also have to keep in mind that the legacy of the
Configuration Controllerwill ignore all variable replacement, so we construct the replacement settings for this code path to not use any variable replacement at all.How was this tested?
We have updated the logic for the tests to use the new system, however manual testing using an actual AKV is still required.
Sample Request(s)