Ability to use ESC environments with tests

[rshade]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I would love the ability to use esc environments with pulumitest. This would allow me to use the current environments I have for AWS/Azure/Google and not manage env-vars.

Affected area/feature

[danielrbradley]

This would be great to flesh out with some example use-cases, perhaps with some ideal example code.

Currently, I'd assume that any cloud configuration would be set up external to the test execution rather than depending on access to a specific environment within the test itself. For example you might run the pulumitest via the command:

esc run myorg/myproject/test go test ...

[rshade]

Tested @danielrbradley's solution and it worked great. Feel free to close, I can't add the labels that pulumi-bot wants.

[danielrbradley]

I’ve reopened this because I think this should be two easy pieces to use together.

The behaviour we’d like to achieve is:

• Just use ENV vars for a service if they’re already configured
• If no configuration present, try to fetch a named environment from ESC if we’re authenticated

This would enable the use cases of:

• CI leverages ESC instead of GHA secrets
• Pulumi employees running tests without local setup requirements - with exactly the same configuration as CI for reliable repros - just by being logged in to the Pulumi service org.
• Anyone else running the test by specifying their own env vars to the testing process or by mirroring the required environment in their own Pulumi org

A dumb version of the code that could be written in a test helper to do this could look like:

	// Prefer local env, but fallback to pulumi env if accessible.
	azureDevopsToken, found := os.LookupEnv("AZDO_PERSONAL_ACCESS_TOKEN")
	if !found {
		t.Log("AZDO_PERSONAL_ACCESS_TOKEN not found, attempting to load from pulumi env")
		client := esc.NewClient() // Use the default config like the CLI - using any available credentials.
		if client.IsAuthenticated() {
			env, _, err := client.GetEnvironment(context.Background(), "pulumi", "providers", "azuredevops")
			require.NoError(t, err)
			values := env.GetValues()
			if values.EnvironmentVariables != nil {
				pulumiEnv := *env.GetValues().EnvironmentVariables
				azureDevopsToken = pulumiEnv["AZDO_PERSONAL_ACCESS_TOKEN"]
			}
		}
	}

Things that are missing for this right now:

• The ESC SDK doesn’t make it easy to configure the auth. It doesn’t have any integration with local ~/.pulumi/credentials.json or our standard PULUMI_ACCESS_TOKEN - we’d have to write that ourselves
• Checking if we’re authenticated or if an environment is accessible is not easy
• The concept of a “current org” doesn’t seem to exist in ESC, but does in the ~/.pulumi/config.json so would need more plumbing to make it use the “local default org” to allow other people to mirror the required project/environment

There’s definitely parts of this that should be done in the main SDK - like having sensible defaults for loading credentials. But I think it’s possibly doable within or adjacent to the pulumitest library. Something like this perhaps where the first argument is the project/env-name followed by the required variables for this provider:

pt := pulumitest.NewPulumiTest(t, path.Join("test-programs", "my-test"),
		opttest.RequireEnv("providers/azuredevops", "AZDO_PERSONAL_ACCESS_TOKEN", "AZDO_ORG_SERVICE_URL"))