Add a custom resource for blob container legal holds (#3079)

Azure Storage supports [Legal holds for immutable blob data](https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-legal-hold-overview). The Azure Native provider didn't include this functionality because it's based on a POST API. Due to the heterogenous design of POST APIs, we cannot include them automatically. This PR adds a custom resource adding legal holds. It makes use of the new `AzureClient` from #3062 to make POST requests directly using the built-in provider functionality, without using yet another Azure SDK. An e2e test is also added. Resolves #2840
pulumi · Feb 18, 2024 · e9e5694 · e9e5694
1 parent bf5537c
commit e9e5694
Show file tree

Hide file tree

Showing 26 changed files with 1,790 additions and 40 deletions.
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -221,6 +221,7 @@ jobs:
       # This is essentially just copying files from bin to the provider folder
       - name: Prebuild provider prerequisites
         run: |
+          make prebuild
           make --touch codegen schema
           make provider_prebuild
 
@@ -255,12 +256,12 @@ jobs:
       - name: Prerequisites artifact restore
         uses: ./.github/actions/prerequisites-artifact-restore
 
-      - name: Mark prerequisites as up-to-date
-        # Don't include provider as that's the bit we're going to rebuild
-        run: make --touch codegen schema
-
-      - name: Ensure provider build prerequisites
-        run: make provider_prebuild
+      - name: Prerequisites
+        run: |
+          make prebuild
+          # Don't include provider as that's the bit we're going to rebuild
+          make --touch codegen schema
+          make provider_prebuild
 
       - name: Build dist packages
         run: make dist --jobs=2

diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,7 @@ provider/cmd/**/schema-full.json
 provider/cmd/**/metadata-compact.json
 provider/cmd/**/*.gz
 provider/**/testdata/rapid
+provider/pkg/versionLookup/v*-lock.json
 **/version.txt
 **/nuget
 **/dist

diff --git a/Makefile b/Makefile
@@ -58,6 +58,9 @@ install_provider: .make/install_provider
 .PHONY: provider_prebuild
 provider_prebuild: .make/provider_prebuild
 
+.PHONY: prebuild
+prebuild: .make/prebuild
+
 # We don't include v2 here yet as this is executed on the nightly updates
 .PHONY: schema generate_schema generate_docs
 schema: bin/schema-full.json
@@ -224,7 +227,7 @@ dist/docs-schema.json: bin/schema-full.json
 	mkdir -p dist
 	yarn schema implode --cwd bin/schema --outFile dist/docs-schema.json
 
-bin/$(CODEGEN): bin/pulumictl .make/provider_mod_download provider/cmd/$(CODEGEN)/* $(PROVIDER_PKG)
+bin/$(CODEGEN): bin/pulumictl .make/prebuild .make/provider_mod_download provider/cmd/$(CODEGEN)/* $(PROVIDER_PKG)
 	cd provider && go build -o $(WORKING_DIR)/bin/$(CODEGEN) $(VERSION_FLAGS) $(PROJECT)/v2/provider/cmd/$(CODEGEN)
 
 # Writes schema-full.json and metadata-compact.json to bin/
@@ -236,7 +239,7 @@ bin/schema-full.json bin/metadata-compact.json &: bin/$(CODEGEN) $(SPECS) azure-
 provider/cmd/pulumi-resource-azure-native/schema.json: bin/$(CODEGEN) $(SPECS) versions/v1-lock.json versions/v2-config.yaml versions/v2-removed-resources.json
 	bin/$(CODEGEN) docs $(VERSION_GENERIC)
 
-bin/$(LOCAL_PROVIDER_FILENAME): bin/pulumictl .make/provider_mod_download provider/cmd/$(PROVIDER)/*.go .make/provider_prebuild $(PROVIDER_PKG)
+bin/$(LOCAL_PROVIDER_FILENAME): bin/pulumictl .make/prebuild .make/provider_mod_download provider/cmd/$(PROVIDER)/*.go .make/provider_prebuild $(PROVIDER_PKG)
 	cd provider && \
 		CGO_ENABLED=0 go build -o $(WORKING_DIR)/bin/$(LOCAL_PROVIDER_FILENAME) $(VERSION_FLAGS) $(PROJECT)/v2/provider/cmd/$(PROVIDER)
 
@@ -245,7 +248,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64
 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64
 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64
 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64
-bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/pulumictl .make/provider_mod_download provider/cmd/$(PROVIDER)/*.go .make/provider_prebuild $(PROVIDER_PKG)
+bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/pulumictl .make/provider_mod_download .make/prebuild provider/cmd/$(PROVIDER)/*.go .make/provider_prebuild $(PROVIDER_PKG)
 	@# check the TARGET is set
 	test $(TARGET)
 	cd provider && \
@@ -276,7 +279,11 @@ dist/pulumi-azure-native_$(VERSION_GENERIC)_checksums.txt: dist/$(PROVIDER)-v$(P
 	cd provider && go mod download
 	@touch $@
 
-.make/provider_prebuild: bin/schema-full.json bin/metadata-compact.json
+.make/prebuild:
+	@# For API version lookups at run time
+	cp versions/v2-lock.json provider/pkg/versionLookup/
+
+.make/provider_prebuild: .make/prebuild bin/schema-full.json bin/metadata-compact.json versions/v2-lock.json
 	cp bin/schema-full.json provider/cmd/$(PROVIDER)
 	cp bin/metadata-compact.json provider/cmd/$(PROVIDER)
 	@touch $@

diff --git a/examples/blobcontainer-legalhold/2-update-legalhold/index.ts b/examples/blobcontainer-legalhold/2-update-legalhold/index.ts
@@ -0,0 +1,33 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as resources from "@pulumi/azure-native/resources";
+import * as storage from "@pulumi/azure-native/storage";
+
+// Create an Azure Resource Group
+const resourceGroup = new resources.ResourceGroup("resourceGroup");
+
+// Create an Azure resource (Storage Account)
+const storageAccount = new storage.StorageAccount("sa", {
+    resourceGroupName: resourceGroup.name,
+    sku: {
+        name: storage.SkuName.Standard_LRS,
+    },
+    kind: storage.Kind.StorageV2,
+});
+
+const container = new storage.BlobContainer("container", {
+    resourceGroupName: resourceGroup.name,
+    accountName: storageAccount.name,
+    containerName: "lhcontainer",
+});
+
+const legalHold = new storage.BlobContainerLegalHold("legalHold", {
+    resourceGroupName: resourceGroup.name,
+    accountName: storageAccount.name,
+    containerName: container.name,
+    tags: ["tag1", "different"],
+    allowProtectedAppendWritesAll: true,
+});
+
+export const containerName = container.name;
+export const accountName = storageAccount.name;
+export const resourceGroupName = resourceGroup.name;
diff --git a/examples/blobcontainer-legalhold/Pulumi.yaml b/examples/blobcontainer-legalhold/Pulumi.yaml
@@ -0,0 +1,2 @@
+name: legalhold
+runtime: nodejs
diff --git a/examples/blobcontainer-legalhold/index.ts b/examples/blobcontainer-legalhold/index.ts
@@ -0,0 +1,33 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as resources from "@pulumi/azure-native/resources";
+import * as storage from "@pulumi/azure-native/storage";
+
+// Create an Azure Resource Group
+const resourceGroup = new resources.ResourceGroup("resourceGroup");
+
+// Create an Azure resource (Storage Account)
+const storageAccount = new storage.StorageAccount("sa", {
+    resourceGroupName: resourceGroup.name,
+    sku: {
+        name: storage.SkuName.Standard_LRS,
+    },
+    kind: storage.Kind.StorageV2,
+});
+
+const container = new storage.BlobContainer("container", {
+    resourceGroupName: resourceGroup.name,
+    accountName: storageAccount.name,
+    containerName: "lhcontainer",
+});
+
+const legalHold = new storage.BlobContainerLegalHold("legalHold", {
+    resourceGroupName: resourceGroup.name,
+    accountName: storageAccount.name,
+    containerName: container.name,
+    tags: ["tag1", "tag2"],
+    allowProtectedAppendWritesAll: false,
+});
+
+export const containerName = container.name;
+export const accountName = storageAccount.name;
+export const resourceGroupName = resourceGroup.name;
diff --git a/examples/blobcontainer-legalhold/package.json b/examples/blobcontainer-legalhold/package.json
@@ -0,0 +1,11 @@
+{
+    "name": "azure-native-keyvault",
+    "version": "0.1.0",
+    "devDependencies": {
+        "@types/node": "latest"
+    },
+    "dependencies": {
+        "@pulumi/pulumi": "^3.0.0",
+        "@pulumi/azure-native": "^2.0.0"
+    }
+}
diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go
@@ -275,6 +275,23 @@ func TestAccKeyVaultAccessPoliciesTs(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestAccBlobContainerLegalHold(t *testing.T) {
+	skipIfShort(t)
+	test := getJSBaseOptions(t).
+		With(integration.ProgramTestOptions{
+			Dir:                  filepath.Join(getCwd(t), "blobcontainer-legalhold"),
+			ExpectRefreshChanges: false,
+			EditDirs: []integration.EditDir{
+				{
+					Dir:      filepath.Join("blobcontainer-legalhold", "2-update-legalhold"),
+					Additive: true,
+				},
+			},
+		})
+
+	integration.ProgramTest(t, &test)
+}
+
 func getJSBaseOptions(t *testing.T) integration.ProgramTestOptions {
 	base := getBaseOptions(t)
 	baseJS := base.With(integration.ProgramTestOptions{

diff --git a/provider/cmd/pulumi-resource-azure-native/schema.json b/provider/cmd/pulumi-resource-azure-native/schema.json