@howbazaar howbazaar commented Jul 4, 2025

ENG-5229

### what

Tightens up security access requirements.
Deploys the function directly using a zip file and terraform rather than shelling out.
Upgrades to python 3.12.

### why

Why is this change being made?

### testing

How was this change tested?

### docs

Could this change benefit from a documentation update (either user-facing or internal)? If so, provide link to new docs or ticket to create them.

```python
source = body["data"]["operationName"].split("/")[0]

try:
    logging.info("Forwarding event to Stacklet")
```
howbazaar (Contributor, author) commented on these lines:

I originally only changed these quotes to change the hash, but it became clear that the entire file had DOS line endings, so fixed that.

@howbazaar howbazaar changed the title from "fix: address some security concerns" to "fix: address some security concerns (ENG-5229)" Jul 11, 2025
@wgrant wgrant force-pushed the thumper/fix/some-security-concerns branch from 77c4776 to 07df4ae July 23, 2025 09:58
@wgrant wgrant changed the base branch from main to wgrant/fix/cleanup July 23, 2025 09:59
wgrant added a commit that referenced this pull request Jul 23, 2025
### what

Various cleanups and usability improvements made while iterating on #11:

* Allow hyphens in the prefix.
* Allow customising the resource group name.
* Provide a default resource group location.
* Allow Terraform to force-delete a non-empty resource group, since Application Insights creates other resources automatically.
* Allow configuration of the subscription ID without setting ARM_SUBSCRIPTION_ID.
* Create the app role assignment using an actual Terraform resource, not a subprocess call.
* Fix Application Insights plan noise.
* Fix DOS line endings.

Upgrades will need to run:

```
terraform import azuread_app_role_assignment.stacklet_app_role_assignment \
  /servicePrincipals/<SERVICE-PRINCIPAL-ID>/appRoleAssignedTo/<APP-ROLE-ASSIGNMENT-ID>
```

The service principal ID is the `object_id` field of `azuread_service_principal.stacklet_sp[0]`, and you can find the role assignment ID with:

```
az rest --method GET --uri "https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE-PRINCIPAL-ID>/appRoleAssignedTo"
```

### why

Iterating on changes was annoying. These changes were mostly originally
from #11.

### testing

On my test deployment.

---------

Co-authored-by: Tim Penhey <[email protected]>
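The import step in the commit message above leaves one manual task to the upgrader: picking the right assignment `id` out of the Graph `appRoleAssignedTo` response and splicing it, together with the service principal ID, into the `terraform import` ID. The following is an added example, not code from this pull request or from the project, that does that selection defensively: it checks the service principal ID is a GUID, refuses to guess when zero or several assignments match, checks the assignment ID is the URL-safe base64 form Graph uses, and shell-quotes the resulting command. The resource address `azuread_app_role_assignment.stacklet_app_role_assignment` is the one from the commit message; the response shape (`value` list of `appRoleAssignment` objects with `id`, `appRoleId`, `principalId`, `resourceId`) is Microsoft Graph's, and the sample JSON and every GUID in it are constructed.

```python
import json
import re
import shlex

# Resource address taken from the commit message; everything else here is an
# added example, not the project's code.
RESOURCE_ADDRESS = "azuread_app_role_assignment.stacklet_app_role_assignment"

# Service principal object IDs are GUIDs; appRoleAssignment IDs are URL-safe
# base64 strings. Both patterns are deliberately strict because the values end
# up on a command line.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
ASSIGNMENT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# Constructed sample of what `az rest ... /appRoleAssignedTo` returns for the
# resource service principal SAMPLE_SP_ID (all IDs made up).
SAMPLE_SP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_PRINCIPAL_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxXXyYZZabcdE",
            "appRoleId": "66666666-7777-8888-9999-000000000000",
            "principalId": SAMPLE_PRINCIPAL_ID,
            "principalDisplayName": "stacklet-collector",
            "resourceId": SAMPLE_SP_ID,
        },
        {
            "id": "zzYYxxWWvvUUttSSrrQQppOOnnMMllKKjjIIhhGGffE",
            "appRoleId": "66666666-7777-8888-9999-000000000000",
            "principalId": "ffffffff-0000-1111-2222-333333333333",
            "principalDisplayName": "someone-else",
            "resourceId": SAMPLE_SP_ID,
        },
    ]
})


def select_assignment(response_json, sp_id, principal_id=None):
    """Return the single appRoleAssignment id from the Graph response that was
    granted on resource `sp_id`, optionally narrowed to the one granted to
    `principal_id`. Raises ValueError instead of guessing when zero or several
    assignments match."""
    if not GUID_RE.match(sp_id):
        raise ValueError(f"service principal id is not a GUID: {sp_id!r}")
    assignments = json.loads(response_json).get("value", [])
    matches = [
        a for a in assignments
        if a.get("resourceId", "").lower() == sp_id.lower()
        and (principal_id is None
             or a.get("principalId", "").lower() == principal_id.lower())
    ]
    if len(matches) != 1:
        names = [a.get("principalDisplayName", a.get("id")) for a in matches]
        raise ValueError(
            f"expected exactly one assignment, found {len(matches)}: {names}"
        )
    assignment_id = matches[0]["id"]
    if not ASSIGNMENT_ID_RE.match(assignment_id):
        raise ValueError(f"unexpected assignment id format: {assignment_id!r}")
    return assignment_id


def import_id(sp_id, assignment_id):
    """Build the ID string `terraform import` expects for azuread_app_role_assignment."""
    return f"/servicePrincipals/{sp_id}/appRoleAssignedTo/{assignment_id}"


def import_command(sp_id, assignment_id):
    """The full `terraform import` invocation, shell-quoted so it is safe to paste."""
    return "terraform import " + shlex.join(
        [RESOURCE_ADDRESS, import_id(sp_id, assignment_id)]
    )


if __name__ == "__main__":
    chosen = select_assignment(SAMPLE_RESPONSE, SAMPLE_SP_ID,
                               principal_id=SAMPLE_PRINCIPAL_ID)
    print(import_command(SAMPLE_SP_ID, chosen))
```

Feed it the real `az rest` output and the `object_id` from `terraform state show azuread_service_principal.stacklet_sp[0]`; when the resource service principal has more than one assignment, pass the `principalId` of the Stacklet principal so the helper does not silently import the wrong one.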
Base automatically changed from wgrant/fix/cleanup to main July 23, 2025 21:11
wgrant added a commit that referenced this pull request Jul 24, 2025
[ENG-5440](https://stacklet.atlassian.net/browse/ENG-5440)

### what

Upgrade to Python 3.12, and upgrade other Python dependencies.

Also build and publish the function code using native Terraform
resources instead of execing the Azure CLI.

### why

The dependencies were out of date and holey.

And the Terraform was ugly and didn't no-op properly.

These changes were mostly adapted from #11.

### testing

Extensively on my and thumper's sandboxes.

[ENG-5440]:
https://stacklet.atlassian.net/browse/ENG-5440?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: Tim Penhey <[email protected]>
@wgrant wgrant force-pushed the thumper/fix/some-security-concerns branch from 07df4ae to 199881b July 25, 2025 05:24