mirror of
https://github.com/bartvdbraak/keyweave.git
synced 2025-04-28 15:21:21 +00:00
feat: e2e test for firewalled kv
This commit is contained in:
parent
c885abd540
commit
cde1d2207c
2 changed files with 65 additions and 12 deletions
25
.github/workflows/e2e.yml
vendored
25
.github/workflows/e2e.yml
vendored
|
|
@ -5,7 +5,7 @@ permissions:
|
|||
contents: read
|
||||
|
||||
env:
|
||||
VAULT_NAME: bvdbkeyweavetweukvt1
|
||||
VAULT_NAME: bvdbkeyweavetweukvt{0}
|
||||
|
||||
on:
|
||||
push:
|
||||
|
|
@ -63,7 +63,7 @@ jobs:
|
|||
- name: Use Keyweave with No Access Policies
|
||||
run: |
|
||||
chmod +x ./artifact/keyweave
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
||||
|
||||
get-test:
|
||||
name: Tests with Get access
|
||||
|
|
@ -80,7 +80,7 @@ jobs:
|
|||
- name: Use Keyweave with Only Get Access Policy
|
||||
run: |
|
||||
chmod +x ./artifact/keyweave
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
||||
|
||||
list-test:
|
||||
name: Tests with List access
|
||||
|
|
@ -97,7 +97,7 @@ jobs:
|
|||
- name: Use Keyweave with Only List Access Policy
|
||||
run: |
|
||||
chmod +x ./artifact/keyweave
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
||||
|
||||
get-list-test:
|
||||
name: Tests with Get and List access
|
||||
|
|
@ -114,24 +114,27 @@ jobs:
|
|||
- name: Use Keyweave with both Get and List Access Policies
|
||||
run: |
|
||||
chmod +x ./artifact/keyweave
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
||||
|
||||
- name: Use Keyweave with a filter
|
||||
run: |
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --filter "filter"
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --filter "filter"
|
||||
|
||||
- name: Use Keyweave with a complex file path
|
||||
run: |
|
||||
mkdir -p "user/projects/project 1/src/lib"
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --output "user/projects/project 1/src/lib/.env"
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "user/projects/project 1/src/lib/.env"
|
||||
|
||||
- name: Use Keyweave with a non-existent Key Vault
|
||||
run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}1234
|
||||
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}1234
|
||||
|
||||
- name: Use Keyweave with a firewalled Key Vault
|
||||
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }}
|
||||
|
||||
- name: Use Keyweave with a no permissions
|
||||
run: |
|
||||
mkdir -p "user/projects/project 1/src/lib"
|
||||
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --output "/.env"
|
||||
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "/.env"
|
||||
|
||||
- uses: azure/login@v1
|
||||
with:
|
||||
|
|
@ -139,7 +142,7 @@ jobs:
|
|||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.OTHER_SUBSCRIPTION_ID }}
|
||||
- name: Use Keyweave while logged into other Subscription
|
||||
run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}
|
||||
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
||||
|
||||
# - uses: azure/login@v1
|
||||
# with:
|
||||
|
|
@ -147,4 +150,4 @@ jobs:
|
|||
# tenant-id: ${{ secrets.OTHER_TENANT_ID }}
|
||||
# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
# - name: Use Keyweave while logged into other Azure Tenant
|
||||
# run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}
|
||||
# run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
||||
|
|
@ -53,7 +53,43 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
|
|||
}
|
||||
|
||||
/*
|
||||
Diagnostic Settings for Key Vault
|
||||
Key Vault
|
||||
*/
|
||||
|
||||
resource keyVaultWithFirewall 'Microsoft.KeyVault/vaults@2023-02-01' = {
|
||||
name: replace(toLower(format(nameFormat, 'KVT', 2)), '-', '')
|
||||
location: location
|
||||
tags: tags
|
||||
properties: {
|
||||
sku: {
|
||||
family: 'A'
|
||||
name: 'standard'
|
||||
}
|
||||
tenantId: tenant().tenantId
|
||||
enableSoftDelete: true
|
||||
enablePurgeProtection: true
|
||||
accessPolicies: accessPolicies
|
||||
networkAcls: {
|
||||
defaultAction: 'Deny'
|
||||
ipRules: []
|
||||
}
|
||||
}
|
||||
resource testSecret 'secrets' = {
|
||||
name: 'testSecret'
|
||||
properties: {
|
||||
value: 'testSecretValue'
|
||||
}
|
||||
}
|
||||
resource filterTestSecret 'secrets' = {
|
||||
name: 'filterTestSecret'
|
||||
properties: {
|
||||
value: 'filterTestSecretValue'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
Diagnostic Settings for Key Vaults
|
||||
*/
|
||||
|
||||
resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
|
||||
|
|
@ -69,3 +105,17 @@ resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-
|
|||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource keyVaultWithFirewallDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
|
||||
name: 'keyVaultLogging'
|
||||
scope: keyVaultWithFirewall
|
||||
properties: {
|
||||
workspaceId: _logAnalyticsWorkspace.id
|
||||
logs: [
|
||||
{
|
||||
category: 'AuditEvent'
|
||||
enabled: true
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue