[DDO-3870] Azure account provisioning via propagation #minor #661

Merged
merged 45 commits into from
Oct 2, 2024

@jack-r-warren jack-r-warren commented Sep 10, 2024

Ports broadinstitute/terra-privileged-user-sync into Sherlock.

The cronjob is responsible for basically four steps. In Sherlock each one is a separate propagation engine.

  1. Create the account in the non-B2C tenant -- new AzureAccountEngine
  2. Add the account to a permission group in the non-B2C tenant -- existing AzureGroupEngine
    • We've already replaced this by rolling out the break-glass capability
  3. Invite the account to the B2C tenant -- new AzureInvitedAccountEngine
    • Rather than having an account per-tenant, this is how we accomplish account per-environment
  4. Give the account an admin role in the B2C tenant -- new AzureDirectoryRoleEngine
    • Permission groups won't work in B2C so we have to grant the role directly

Splitting this across engines creates a few differences in behavior:

  • The existing cronjob has some logic to handle propagation delay on Azure's end between the steps. Sherlock will run them sequentially to be optimistic (see role_propagation's Init) but it doesn't explicitly handle cloud provider delay. This is okay because each engine instance does independent drift correction, so the state will be eventually consistent even in cases of extreme delay on Azure's end.
  • The existing cronjob uses Google Workspace as the source of truth. Sherlock uses itself.
  • The existing cronjob handles account suspension but not changes to other account fields like display name. Sherlock will manipulate these fields based on itself.

Despite using propagation engines, accounts will not be deleted when a Sherlock RoleAssignment is removed. Instead, the necessary engines will merely suspend the user and tolerate that going forward (so it won't keep trying to remove the same users over and over again).

Propagation also now supports per-propagator-instance dry-run, where mutation operations on the engine will be logged rather than called. This will help us roll out this capability while acceptably matching the existing cronjob's behavior.

Testing

Tests added where possible, but for propagation engines the actual behavior of the client libraries is something we only truly validate when running against the cloud. See below.

Risk

The risk in this PR comes from two places:

  1. The Azure client library's behavior has some unknowns around it. It's possible that propagation could fail (with no impact to other engines, but still)
  2. The behavior changes in Sherlock's implementation could cause some shift in accounts -- since Sherlock will be commandeering something managed by another tool, there may be a noticeable diff

Point 2 is heavily mitigated by the dry-run feature, but point 1 is complicated by the fact that we don't have a destructible set of Azure tenants to let this feature loose on.

If we enable this feature in dev Sherlock pointed just at dev Azure... Sherlock's own source of truth in dev is miles away from what the cronjob is used to using. The diff will be large and unrealistic. It will want to ban a bunch of actual accounts that people use on a day-to-day basis (just because no one uses Sherlock dev). We can dry-run, but there's a last mile that I think we may choose not to enable from Sherlock dev.

I think this may be an instance where it makes sense to rely on Sherlock's error recovery and engine segmentation to just... turn this on in prod. More specifically, my proposal:

  1. Sherlock dev dry-run against Azure dev
  2. Sherlock prod dry-run against Azure dev
  3. Sherlock prod run against Azure dev
  4. Sherlock prod dry-run against Azure prod
  5. Sherlock prod run against Azure prod

In other words, there's an AzureAccountEngine.Remove(user) method that I think we may not want to actually run from Sherlock dev -- because Sherlock dev will want to do it in an unrealistic and destructive way (because it, by nature, doesn't have prod's knowledge of DSPers). I think it's low risk for the first execution of that to be in prod, because even if it fails, none of the rest of Sherlock would be impacted.
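
The three behaviours described above (drift correction on every pass, suspension instead of deletion with already-suspended accounts tolerated, and a per-instance dry-run that logs mutations rather than calling them), as an added Go example that is not Sherlock's code. `Account`, `Engine`, `memEngine`, `dryRun` and `Reconcile` are hypothetical names, and the accounts are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is a hypothetical, simplified view of one account in a remote tenant.
type Account struct {
	Email, DisplayName string
	Suspended          bool
}

// Engine is a hypothetical engine interface; it has no Delete, only Suspend.
type Engine interface {
	List() map[string]Account
	Create(Account) error
	Update(Account) error
	Suspend(email string) error
}

// memEngine is an in-memory stand-in for a cloud tenant (constructed for this example).
type memEngine struct{ accounts map[string]Account }

func (m *memEngine) List() map[string]Account {
	out := make(map[string]Account, len(m.accounts))
	for k, v := range m.accounts {
		out[k] = v
	}
	return out
}
func (m *memEngine) Create(a Account) error { m.accounts[a.Email] = a; return nil }
func (m *memEngine) Update(a Account) error { m.accounts[a.Email] = a; return nil }
func (m *memEngine) Suspend(email string) error {
	a := m.accounts[email]
	a.Suspended = true
	return m.Update(a)
}

// dryRun wraps one engine instance: reads pass through, mutations are logged, not called.
type dryRun struct {
	Engine
	Log []string
}

func (d *dryRun) Create(a Account) error { d.Log = append(d.Log, "create "+a.Email); return nil }
func (d *dryRun) Update(a Account) error { d.Log = append(d.Log, "update "+a.Email); return nil }
func (d *dryRun) Suspend(e string) error { d.Log = append(d.Log, "suspend "+e); return nil }

func sortedKeys(m map[string]Account) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Reconcile runs one drift-correction pass, in a stable order so dry-run logs
// can be diffed between runs, and returns the number of mutations issued.
func Reconcile(e Engine, desired map[string]Account) (n int, err error) {
	current := e.List()
	for _, email := range sortedKeys(desired) {
		want := desired[email]
		if have, exists := current[email]; !exists {
			err = e.Create(want)
		} else if have != want { // drift in any field, e.g. display name
			err = e.Update(want)
		} else {
			continue
		}
		if err != nil {
			return n, err
		}
		n++
	}
	for _, email := range sortedKeys(current) {
		if _, wanted := desired[email]; wanted || current[email].Suspended {
			continue // still granted, or already suspended and tolerated
		}
		if err = e.Suspend(email); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

func main() {
	// Constructed sample data: bob lost his grant, carol was suspended on an earlier pass.
	tenant := &memEngine{accounts: map[string]Account{
		"alice@example.org": {Email: "alice@example.org", DisplayName: "A. Old"},
		"bob@example.org":   {Email: "bob@example.org", DisplayName: "Bob"},
		"carol@example.org": {Email: "carol@example.org", DisplayName: "Carol", Suspended: true},
	}}
	desired := map[string]Account{
		"alice@example.org": {Email: "alice@example.org", DisplayName: "Alice"},
		"dave@example.org":  {Email: "dave@example.org", DisplayName: "Dave"},
	}
	dry := &dryRun{Engine: tenant}
	n, _ := Reconcile(dry, desired)
	fmt.Println(n, "mutations planned:", dry.Log)
}
```

A second real pass over the same data issues no mutations, which is what keeps an engine from retrying the same suspension on every run.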

github-actions bot commented Sep 10, 2024

What's Changed


GET /api/roles/v3
Parameters:

Added: grantsDevAzureAccount in query

Added: grantsDevAzureDirectoryRoles in query

Added: grantsProdAzureAccount in query

Added: grantsProdAzureDirectoryRoles in query

Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Added property grantsDevAzureAccount (boolean)

    • Added property grantsDevAzureDirectoryRoles (boolean)

    • Added property grantsProdAzureAccount (boolean)

    • Added property grantsProdAzureDirectoryRoles (boolean)

POST /api/roles/v3
Request:

Changed content type : application/json

  • Added property grantsDevAzureAccount (boolean)

  • Added property grantsDevAzureDirectoryRoles (boolean)

  • Added property grantsProdAzureAccount (boolean)

  • Added property grantsProdAzureDirectoryRoles (boolean)

Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Added property grantsDevAzureAccount (boolean)

    • Added property grantsDevAzureDirectoryRoles (boolean)

    • Added property grantsProdAzureAccount (boolean)

    • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/roles/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Added property grantsDevAzureAccount (boolean)

    • Added property grantsDevAzureDirectoryRoles (boolean)

    • Added property grantsProdAzureAccount (boolean)

    • Added property grantsProdAzureDirectoryRoles (boolean)

DELETE /api/roles/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Added property grantsDevAzureAccount (boolean)

    • Added property grantsDevAzureDirectoryRoles (boolean)

    • Added property grantsProdAzureAccount (boolean)

    • Added property grantsProdAzureDirectoryRoles (boolean)

PATCH /api/roles/v3/{selector}
Request:

Changed content type : application/json

  • Added property grantsDevAzureAccount (boolean)

  • Added property grantsDevAzureDirectoryRoles (boolean)

  • Added property grantsProdAzureAccount (boolean)

  • Added property grantsProdAzureDirectoryRoles (boolean)

Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Added property grantsDevAzureAccount (boolean)

    • Added property grantsDevAzureDirectoryRoles (boolean)

    • Added property grantsProdAzureAccount (boolean)

    • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/users/v3
Parameters:

Deleted: nameInferredFromGithub in query

Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
Will be set to true if the user account has no name and a GitHub account is linked.

Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Deleted property nameInferredFromGithub (boolean)

      Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
      Will be set to true if the user account has no name and a GitHub account is linked.

PUT /api/users/v3
Request:

Changed content type : application/json

  • Deleted property nameInferredFromGithub (boolean)

    Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
    Will be set to true if the user account has no name and a GitHub account is linked.

Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Deleted property nameInferredFromGithub (boolean)

      Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
      Will be set to true if the user account has no name and a GitHub account is linked.

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Deleted property nameInferredFromGithub (boolean)

      Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
      Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/users/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Deleted property nameInferredFromGithub (boolean)

      Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
      Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/app-versions/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

PUT /api/app-versions/v3
Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/app-versions/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

PATCH /api/app-versions/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/chart-versions/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

PUT /api/chart-versions/v3
Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/chart-versions/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

PATCH /api/chart-versions/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property authoredByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/clusters/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

POST /api/clusters/v3
Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/clusters/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

DELETE /api/clusters/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

PATCH /api/clusters/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/environments/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property ownerInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

POST /api/environments/v3
Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property ownerInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/environments/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property ownerInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

DELETE /api/environments/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property ownerInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

PATCH /api/environments/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property requiredRoleInfo (object)

      • Added property grantsDevAzureAccount (boolean)

      • Added property grantsDevAzureDirectoryRoles (boolean)

      • Added property grantsProdAzureAccount (boolean)

      • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property ownerInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/app-versions/procedures/v3/changelog
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property changelog (array)

      Changed items (object):

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

POST /api/changesets/procedures/v3/apply
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/changesets/procedures/v3/chart-release-history/{chart-release}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

POST /api/changesets/procedures/v3/plan
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

Changed response : 201 Created

Created

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

POST /api/changesets/procedures/v3/plan-and-apply
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

Changed response : 201 Created

Created

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/changesets/procedures/v3/version-history/{version-type}/{chart}/{version}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/changesets/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/changesets/v3/{id}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property appliedByInfo (object)

      • Deleted property nameInferredFromGithub (boolean)

        Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
        Will be set to true if the user account has no name and a GitHub account is linked.

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

GET /api/chart-releases/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property clusterInfo (object)

      • Changed property requiredRoleInfo (object)

        • Added property grantsDevAzureAccount (boolean)

        • Added property grantsDevAzureDirectoryRoles (boolean)

        • Added property grantsProdAzureAccount (boolean)

        • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

POST /api/chart-releases/v3
Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property clusterInfo (object)

      • Changed property requiredRoleInfo (object)

        • Added property grantsDevAzureAccount (boolean)

        • Added property grantsDevAzureDirectoryRoles (boolean)

        • Added property grantsProdAzureAccount (boolean)

        • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/chart-releases/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property clusterInfo (object)

      • Changed property requiredRoleInfo (object)

        • Added property grantsDevAzureAccount (boolean)

        • Added property grantsDevAzureDirectoryRoles (boolean)

        • Added property grantsProdAzureAccount (boolean)

        • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

DELETE /api/chart-releases/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property clusterInfo (object)

      • Changed property requiredRoleInfo (object)

        • Added property grantsDevAzureAccount (boolean)

        • Added property grantsDevAzureDirectoryRoles (boolean)

        • Added property grantsProdAzureAccount (boolean)

        • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

PATCH /api/chart-releases/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property clusterInfo (object)

      • Changed property requiredRoleInfo (object)

        • Added property grantsDevAzureAccount (boolean)

        • Added property grantsDevAzureDirectoryRoles (boolean)

        • Added property grantsProdAzureAccount (boolean)

        • Added property grantsProdAzureDirectoryRoles (boolean)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/chart-versions/procedures/v3/changelog
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property changelog (array)

      Changed items (object):

      • Changed property authoredByInfo (object)

        • Deleted property nameInferredFromGithub (boolean)

          Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
          Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/database-instances/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    Changed items (object):

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

PUT /api/database-instances/v3
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

POST /api/database-instances/v3
Return Type:

Changed response : 201 Created

Created

  • Changed content type : application/json

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

GET /api/database-instances/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

DELETE /api/database-instances/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

PATCH /api/database-instances/v3/{selector}
Return Type:

Changed response : 200 OK

OK

  • Changed content type : application/json

    • Changed property chartReleaseInfo (object)

      • Changed property clusterInfo (object)

        • Changed property requiredRoleInfo (object)

          • Added property grantsDevAzureAccount (boolean)

          • Added property grantsDevAzureDirectoryRoles (boolean)

          • Added property grantsProdAzureAccount (boolean)

          • Added property grantsProdAzureDirectoryRoles (boolean)

      • Changed property appVersionInfo (object)

        • Changed property authoredByInfo (object)

          • Deleted property nameInferredFromGithub (boolean)

            Controls whether Sherlock should automatically update the user's name based on a connected GitHub identity.
            Will be set to true if the user account has no name and a GitHub account is linked.

github-actions bot commented Sep 10, 2024

Published image from 42d9e00 (merge 3c87c00):

us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:v1.5.54-3c87c00
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:v1.5.54-3c87c00

codecov bot commented Sep 10, 2024

Codecov Report

Attention: Patch coverage is 30.74324% with 410 lines in your changes missing coverage. Please review.

Project coverage is 67.72%. Comparing base (07afe85) to head (42d9e00).
Report is 19 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...ation/propagation_engines/azure_invited_account.go | 26.55% | 130 Missing ⚠️ |
| ...e_propagation/propagation_engines/azure_account.go | 24.28% | 106 Missing ⚠️ |
| ...gation/propagation_engines/azure_directory_role.go | 22.33% | 80 Missing ⚠️ |
| ..._mocks/mock_may_be_present_while_removed_fields.go | 34.69% | 30 Missing and 2 partials ⚠️ |
| ...ole_propagation/propagation_engines/azure_group.go | 0.00% | 21 Missing ⚠️ |
| ...on/propagation_engines/google_cloud_folder_role.go | 28.57% | 20 Missing ⚠️ |
| sherlock/internal/role_propagation/boot.go | 0.00% | 11 Missing ⚠️ |
| ...rlock/internal/role_propagation/propagator_init.go | 75.00% | 2 Missing and 1 partial ⚠️ |
| .../internal/role_propagation/propagator_propagate.go | 77.77% | 1 Missing and 1 partial ⚠️ |
| ...suitability_synchronization/load_from_firecloud.go | 33.33% | 2 Missing ⚠️ |

... and 3 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #661      +/-   ##
==========================================
- Coverage   69.05%   67.72%   -1.33%     
==========================================
  Files         287      290       +3     
  Lines       13021    13498     +477     
==========================================
+ Hits         8992     9142     +150     
- Misses       3129     3454     +325     
- Partials      900      902       +2     
| Files with missing lines | Coverage Δ |
|---|---|
| sherlock/internal/api/sherlock/roles_v3.go | 95.55% <100.00%> (+0.43%) ⬆️ |
| sherlock/internal/api/sherlock/users_v3.go | 100.00% <ø> (+13.72%) ⬆️ |
| sherlock/internal/api/sherlock/users_v3_upsert.go | 89.89% <ø> (-0.49%) ⬇️ |
| sherlock/internal/models/role.go | 63.46% <ø> (ø) |
| sherlock/internal/models/test_data.go | 98.21% <100.00%> (+<0.01%) ⬆️ |
| sherlock/internal/role_propagation/propagator.go | 100.00% <ø> (+100.00%) ⬆️ |
| ...ation/propagator_calculate_alignment_operations.go | 100.00% <100.00%> (ø) |
| ...ernal/role_propagation/parallelizing_propagator.go | 92.85% <0.00%> (ø) |
| sherlock/internal/role_propagation/propagate.go | 32.85% <0.00%> (ø) |
| ...ternal/suitability_synchronization/load_into_db.go | 0.00% <0.00%> (ø) |

... and 10 more

... and 2 files with indirect coverage changes

@jack-r-warren jack-r-warren marked this pull request as ready for review September 13, 2024 19:23
@jack-r-warren jack-r-warren requested a review from a team as a code owner September 13, 2024 19:23
Contributor

@jyang-broad jyang-broad left a comment

:stamp:

@jack-r-warren jack-r-warren changed the title [DDO-3870] Azure account provisioning via propagation [DDO-3870] Azure account provisioning via propagation #minor Oct 2, 2024
sonarqubecloud bot commented Oct 2, 2024

@jack-r-warren jack-r-warren merged commit 4895694 into main Oct 2, 2024
20 checks passed
@jack-r-warren jack-r-warren deleted the DDO-3870-azure-account-creation branch October 2, 2024 14:56