Query mode: Supports --arg-table and `--arg-authorization-scope-fil…
…ter` (#565)

* Query mode: Supports `--arg-table` and `--arg-authorization-scope-filter`

* tidy

* CI: gosec

* Revert "CI: gosec"

This reverts commit c997280.
magodo authored Sep 27, 2024
1 parent 6220065 commit 1c6fc07
Showing 7 changed files with 97 additions and 43 deletions.
8 changes: 8 additions & 0 deletions command_before_func.go
Expand Up @@ -3,9 +3,11 @@ package main
import (
"fmt"
"os"
"slices"
"strings"

"github.com/Azure/aztfexport/internal/utils"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph"
"github.com/hashicorp/terraform-config-inspect/tfconfig"
"github.com/urfave/cli/v2"
)
Expand Down Expand Up @@ -113,6 +115,12 @@ func commandBeforeFunc(fset *FlagSet, mode Mode) func(ctx *cli.Context) error {
return fmt.Errorf("`--name` can't be specified for multi-resource mode")
}
}
case ModeQuery:
if fset.flagARGAuthorizationScopeFilter != "" {
if !slices.Contains(armresourcegraph.PossibleAuthorizationScopeFilterValues(), armresourcegraph.AuthorizationScopeFilter(fset.flagARGAuthorizationScopeFilter)) {
return fmt.Errorf("invalid value of `--arg-authorization-scope-filter`")
}
}
}

// Initialize output directory
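Review bot: The error returned for a bad `--arg-authorization-scope-filter` in the new `case ModeQuery` branch names neither the rejected value nor the accepted ones, and the `slices.Contains` comparison is case-sensitive, so a user who mistypes the enum has to go back to the help text. The check already calls `armresourcegraph.PossibleAuthorizationScopeFilterValues()`, so the message can carry both: ``return fmt.Errorf("invalid value %q of `--arg-authorization-scope-filter`, possible values are %v", fset.flagARGAuthorizationScopeFilter, armresourcegraph.PossibleAuthorizationScopeFilterValues())``. The companion `--arg-table` value gets no check in this branch and appears to be forwarded as-is; if azlist places it into the query text, an identifier check here would fail early rather than at the service. commandBeforeFunc starts and ends outside the hunk.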
22 changes: 16 additions & 6 deletions flag.go
Expand Up @@ -87,12 +87,16 @@ type FlagSet struct {
// flagRecursive
// flagIncludeRoleAssignment
// flagIncludeResourceGroup
flagPattern string
flagRecursive bool
flagResName string
flagResType string
flagIncludeRoleAssignment bool
flagIncludeResourceGroup bool
// flagARGTable
// flagARGAuthorizationScopeFilter
flagPattern string
flagRecursive bool
flagResName string
flagResType string
flagIncludeRoleAssignment bool
flagIncludeResourceGroup bool
flagARGTable string
flagARGAuthorizationScopeFilter string
}

type Mode string
Expand Down Expand Up @@ -251,6 +255,12 @@ func (flag FlagSet) DescribeCLI(mode Mode) string {
if flag.flagIncludeResourceGroup {
args = append(args, "--include-resource-group=true")
}
if flag.flagARGTable != "" {
args = append(args, "--arg-table="+flag.flagARGTable)
}
if flag.flagARGAuthorizationScopeFilter != "" {
args = append(args, "--arg-authorization-scope-filter="+flag.flagARGAuthorizationScopeFilter)
}
}
return "aztfexport " + strings.Join(args, " ")
}
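Review bot: In `DescribeCLI` the two new values are concatenated into the argument list unquoted (`"--arg-table="+flag.flagARGTable`), so a value containing whitespace or shell metacharacters makes the described command line differ from the one that was actually run. If that string is recorded or meant to be pasted back into a shell, quoting the free-form value keeps it faithful, for example `args = append(args, fmt.Sprintf("--arg-table=%q", flag.flagARGTable))`; this is Go quoting rather than a shell escape, and `fmt` may need importing in this file. The scope filter is less of a concern because it is checked against a fixed enum before use. Whether the other string flags in this function are quoted is not visible, since the function body starts outside the hunk.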
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -6,6 +6,7 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.6.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1
github.com/charmbracelet/bubbles v0.14.0
github.com/charmbracelet/bubbletea v0.22.1
Expand All @@ -21,7 +22,7 @@ require (
github.com/hashicorp/terraform-json v0.22.1
github.com/hexops/gotextdiff v1.0.3
github.com/magodo/armid v0.0.0-20240524082432-7ce06ae46c33
github.com/magodo/azlist v0.0.0-20240903084323-b329fe33ce23
github.com/magodo/azlist v0.0.0-20240926110356-8798310310af
github.com/magodo/aztft v0.3.1-0.20240823092950-b8a7f3cdf3ae
github.com/magodo/slog2hclog v0.0.0-20240614031327-090ebd72a033
github.com/magodo/spinner v0.0.0-20240524082745-3a2305db1bdc
Expand Down Expand Up @@ -78,7 +79,6 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/paloaltonetworksngfw/armpanngfw v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/recoveryservices/armrecoveryservicesbackup v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/recoveryservices/armrecoveryservicessiterecovery v1.1.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.6.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeploymentscripts v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/securityinsights/armsecurityinsights/v2 v2.0.0-beta.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.0.0 // indirect
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -231,8 +231,8 @@ github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69
github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
github.com/magodo/armid v0.0.0-20240524082432-7ce06ae46c33 h1:KmQ16pNsI7DaELU+CbqZKXVdvkE/YXqMH6LLkp6rw/Y=
github.com/magodo/armid v0.0.0-20240524082432-7ce06ae46c33/go.mod h1:rR8E7zfGMbmfnSQvrkFiWYdhrfTqsVSltelnZB09BwA=
github.com/magodo/azlist v0.0.0-20240903084323-b329fe33ce23 h1:99U0TtE+gi7EjXi3Lo6sKFReU2ID2f2wK2gCJSz8/Ow=
github.com/magodo/azlist v0.0.0-20240903084323-b329fe33ce23/go.mod h1:xefFDOxzRssOEjGoxvrO8jeTWlzHXbY6sCJYOt+Jh5k=
github.com/magodo/azlist v0.0.0-20240926110356-8798310310af h1:r55nPAyFztYNdXNVmZgNtDU6AbKbfdy/Cbg6xnOnidM=
github.com/magodo/azlist v0.0.0-20240926110356-8798310310af/go.mod h1:xefFDOxzRssOEjGoxvrO8jeTWlzHXbY6sCJYOt+Jh5k=
github.com/magodo/aztft v0.3.1-0.20240823092950-b8a7f3cdf3ae h1:+2PWj5sHws1EsOmStkdiMA5vjgchGGyasSfcNZ6Cbj4=
github.com/magodo/aztft v0.3.1-0.20240823092950-b8a7f3cdf3ae/go.mod h1:swhCPmbwehJXrVgu8SCr/XFb2e9tkgEp+Wnnv3K0ZsQ=
github.com/magodo/slog2hclog v0.0.0-20240614031327-090ebd72a033 h1:K2seYsMAzoICCLdDe7uU2WyaACLW+tvdTWG3QB+pyec=
45 changes: 26 additions & 19 deletions internal/meta/meta_query.go
Expand Up @@ -7,17 +7,20 @@ import (
"github.com/Azure/aztfexport/internal/resourceset"
"github.com/Azure/aztfexport/internal/tfaddr"
"github.com/Azure/aztfexport/pkg/config"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph"
"github.com/magodo/azlist/azlist"
)

type MetaQuery struct {
baseMeta
argPredicate string
recursiveQuery bool
resourceNamePrefix string
resourceNameSuffix string
includeRoleAssignment bool
includeResourceGroup bool
argPredicate string
recursiveQuery bool
resourceNamePrefix string
resourceNameSuffix string
includeRoleAssignment bool
includeResourceGroup bool
argTable string
argAuthenticationScopeFilter armresourcegraph.AuthorizationScopeFilter
}

func NewMetaQuery(cfg config.Config) (*MetaQuery, error) {
Expand All @@ -28,11 +31,13 @@ func NewMetaQuery(cfg config.Config) (*MetaQuery, error) {
}

meta := &MetaQuery{
baseMeta: *baseMeta,
argPredicate: cfg.ARGPredicate,
recursiveQuery: cfg.RecursiveQuery,
includeRoleAssignment: cfg.IncludeRoleAssignment,
includeResourceGroup: cfg.IncludeResourceGroup,
baseMeta: *baseMeta,
argPredicate: cfg.ARGPredicate,
recursiveQuery: cfg.RecursiveQuery,
includeRoleAssignment: cfg.IncludeRoleAssignment,
includeResourceGroup: cfg.IncludeResourceGroup,
argTable: cfg.ARGTable,
argAuthenticationScopeFilter: armresourcegraph.AuthorizationScopeFilter(cfg.ARGAuthorizationScopeFilter),
}
meta.resourceNamePrefix, meta.resourceNameSuffix = resourceNamePattern(cfg.ResourceNamePattern)

Expand Down Expand Up @@ -99,14 +104,16 @@ func (meta *MetaQuery) ListResource(ctx context.Context) (ImportList, error) {

func (meta MetaQuery) queryResourceSet(ctx context.Context, predicate string, recursive bool) (*resourceset.AzureResourceSet, error) {
opt := azlist.Option{
Logger: meta.logger.WithGroup("azlist"),
SubscriptionId: meta.subscriptionId,
Cred: meta.azureSDKCred,
ClientOpt: meta.azureSDKClientOpt,
Parallelism: meta.parallelism,
Recursive: recursive,
ExtensionResourceTypes: extBuilder{includeRoleAssignment: meta.includeRoleAssignment}.Build(),
IncludeResourceGroup: meta.includeResourceGroup,
Logger: meta.logger.WithGroup("azlist"),
SubscriptionId: meta.subscriptionId,
Cred: meta.azureSDKCred,
ClientOpt: meta.azureSDKClientOpt,
Parallelism: meta.parallelism,
Recursive: recursive,
IncludeResourceGroup: meta.includeResourceGroup,
ExtensionResourceTypes: extBuilder{includeRoleAssignment: meta.includeRoleAssignment}.Build(),
ARGTable: meta.argTable,
ARGAuthorizationScopeFilter: meta.argAuthenticationScopeFilter,
}
lister, err := azlist.NewLister(opt)
if err != nil {
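Review bot: `NewMetaQuery` converts `cfg.ARGAuthorizationScopeFilter` straight to `armresourcegraph.AuthorizationScopeFilter` without checking it, and the only validation visible in this commit lives in the CLI's `commandBeforeFunc`, so a caller that builds `config.Config` directly can pass any string through to `azlist.Option`. Repeating the check at this boundary closes that gap: ``if f := armresourcegraph.AuthorizationScopeFilter(cfg.ARGAuthorizationScopeFilter); f != "" && !slices.Contains(armresourcegraph.PossibleAuthorizationScopeFilterValues(), f) { return nil, fmt.Errorf("invalid ARGAuthorizationScopeFilter %q", f) }`` (needs `slices`, and `fmt` if it is not already imported). The new field is also spelled `argAuthenticationScopeFilter` although it carries an authorization scope filter; renaming it to `argAuthorizationScopeFilter` avoids confusing authentication with authorization. `NewMetaQuery` and `queryResourceSet` both continue outside the hunks shown.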
26 changes: 20 additions & 6 deletions main.go
Expand Up @@ -421,6 +421,18 @@ func main() {
Usage: "Include the resource groups that the exported resources belong to",
Destination: &flagset.flagIncludeResourceGroup,
},
&cli.StringFlag{
Name: "arg-table",
EnvVars: []string{"AZTFEXPORT_ARG_TABLE"},
Usage: `The Azure Resource Graph table name. Defaults to "Resources".`,
Destination: &flagset.flagARGTable,
},
&cli.StringFlag{
Name: "arg-authorization-scope-filter",
EnvVars: []string{"AZTFEXPORT_ARG_AUTHORIZATION_SCOPE_FILTER"},
Usage: `The Azure Resource Graph Authorization Scope Filter parameter. Possible values are: "AtScopeAndBelow", "AtScopeAndAbove", "AtScopeAboveAndBelow" and "AtScopeExact"`,
Destination: &flagset.flagARGAuthorizationScopeFilter,
},
}, resourceGroupFlags...)

mappingFileFlags := append([]cli.Flag{}, commonFlags...)
Expand Down Expand Up @@ -608,12 +620,14 @@ func main() {

// Initialize the config
cfg := config.Config{
CommonConfig: commonConfig,
ARGPredicate: predicate,
ResourceNamePattern: flagset.flagPattern,
RecursiveQuery: flagset.flagRecursive,
IncludeRoleAssignment: flagset.flagIncludeRoleAssignment,
IncludeResourceGroup: flagset.flagIncludeResourceGroup,
CommonConfig: commonConfig,
ARGPredicate: predicate,
ResourceNamePattern: flagset.flagPattern,
RecursiveQuery: flagset.flagRecursive,
IncludeRoleAssignment: flagset.flagIncludeRoleAssignment,
IncludeResourceGroup: flagset.flagIncludeResourceGroup,
ARGTable: flagset.flagARGTable,
ARGAuthorizationScopeFilter: flagset.flagARGAuthorizationScopeFilter,
}

return realMain(c.Context, cfg, flagset.flagNonInteractive, flagset.hflagMockClient, flagset.flagPlainUI, flagset.flagGenerateMappingFile, flagset.hflagProfile, flagset.DescribeCLI(ModeQuery), flagset.hflagTFClientPluginPath)
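Review bot: The `Usage` text of `--arg-authorization-scope-filter` hard-codes the four accepted values, while the validator in command_before_func.go takes them from `armresourcegraph.PossibleAuthorizationScopeFilterValues()`, so the help text can drift from what is actually accepted if the SDK enum changes; the doc comment on `ARGAuthorizationScopeFilter` in pkg/config/config.go repeats the same list. The text also does not say what happens when the flag is omitted, unlike `--arg-table`, which documents its default. Building the usage string from the SDK list and adding a sentence such as `If unset, the service default applies.` (to be confirmed against azlist) keeps the three places consistent. `main` continues outside both hunks.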
31 changes: 23 additions & 8 deletions pkg/config/config.go
Expand Up @@ -112,20 +112,35 @@ type Config struct {
// MappingFile specifies the path of mapping file, this indicates the map file mode.
MappingFile string

// ResourceNamePattern specifies the resource name pattern, this only applies to resource group mode, query mode and multi-resource mode.
/////////////////////////
// Scope: rg, res (multi), query

// ResourceNamePattern specifies the resource name pattern
ResourceNamePattern string

// RecursiveQuery specifies whether to recursively list the child/proxy resources of the ARG resulted resource list, this only applies to query mode.
RecursiveQuery bool
/////////////////////////
// Scope: rg, query

// IncludeRoleAssignment specifies whether to include the role assginments assigned to the exported resources
IncludeRoleAssignment bool

// TFResourceName specifies the TF resource name, this only applies to resource mode.
/////////////////////////
// Scope: res (single)

// TFResourceName specifies the TF resource name
TFResourceName string
// TFResourceName specifies the TF resource type (if empty, will try to deduce the type), this only applies to resource mode.
// TFResourceName specifies the TF resource type (if empty, will try to deduce the type)
TFResourceType string

// IncludeRoleAssignment specifies whether to include the role assginments assigned to the exported resources, this only applies to rg and query mode
IncludeRoleAssignment bool
/////////////////////////
// Scope: query

// IncludeResourceGroup specifies whether to include the resource groups that the exported resources belong to, this only applies to query mode
// RecursiveQuery specifies whether to recursively list the child/proxy resources of the ARG resulted resource list
RecursiveQuery bool
// IncludeResourceGroup specifies whether to include the resource groups that the exported resources belong to
IncludeResourceGroup bool
// ARGTable specifies the ARG table name, which defaults to the "Resources" table
ARGTable string
// ARGAuthorizationScopeFilter specifies the AuthorizationScopeFilter parameter. Possible values are: "AtScopeAndBelow", "AtScopeAndAbove", "AtScopeAboveAndBelow" and "AtScopeExact"
ARGAuthorizationScopeFilter string
}
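Review bot: The doc comment above `TFResourceType` still begins with `TFResourceName`, and this commit rewrites that line without correcting it; it should read `// TFResourceType specifies the TF resource type (if empty, will try to deduce the type)`. The rewritten `IncludeRoleAssignment` comment likewise keeps the typo `assginments`, which should be `assignments`. The `Config` struct starts outside the hunk.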
