From 1a05434127e9df7a0e8dd12b5423e07965faf3ff Mon Sep 17 00:00:00 2001
From: Thomas Kappler
Date: Tue, 6 Aug 2024 21:29:59 +0200
Subject: [PATCH] Run the KV test with client cert auth
---
 .github/workflows/build-test.yml | 8 ++++++++
 examples/examples_nodejs_keyvault_test.go | 17 +++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 25aa9079b1a1..05cf0a2402eb 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -35,6 +35,7 @@ env:
 PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
 ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e # "Travis CI"
 ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+ ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST: ${{ secrets.ARM_CLIENT_CERTIFICATE_PASSWORD }}
 ARM_ENVIRONMENT: public
 ARM_LOCATION: westus2
 ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
@@ -190,11 +191,18 @@ jobs:
 with:
 language: ${{ matrix.language }}
+ - name: Write client certificate
+ # The provider wants the cert as a path to a cert file but GH secrets can only be strings.
+ # We store the base64-encoded cert as a secret, decode it here, and write it out to a file.
+ run: |
+ echo "${{ secrets.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx"
+
 - name: Run tests
 if: ${{ ! inputs.short_test }}
 env:
 # specifying this id will cause the OIDC test(s) to run against this AD application
 OIDC_ARM_CLIENT_ID: ${{ inputs.oidc_arm_client_id }}
+ ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST: "${{ runner.temp }}/azure-client-certificate.pfx"
 run: |
 set -euo pipefail
 cd examples && go test -v -json -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 16 . 2>&1 | tee /tmp/gotest.log | gotestfmt
diff --git a/examples/examples_nodejs_keyvault_test.go b/examples/examples_nodejs_keyvault_test.go
index c7809187d99d..e63c99f21ea8 100644
--- a/examples/examples_nodejs_keyvault_test.go
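Review bot: `ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST` is added to what appears to be the workflow-level `env:` map, so every job and step in this workflow, including any third-party actions, gets the certificate password in its environment. As far as this patch shows, only the Go test started by `Run tests` reads it. Declaring it in that step's `env:` next to `ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST` would limit the exposure: `ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST: ${{ secrets.ARM_CLIENT_CERTIFICATE_PASSWORD }}`. The neighbouring `ARM_CLIENT_SECRET` has the same scope, but that is existing code.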
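Review bot: The `Write client certificate` step expands `${{ secrets.ARM_CLIENT_CERTIFICATE }}` straight into the script text and writes the PFX with the default umask. Passing the secret through the step's `env:` keeps it out of the generated script and away from shell quoting, and a restrictive umask keeps the key material unreadable to other users on a shared or self-hosted runner: add `env:` with `CERT_B64: ${{ secrets.ARM_CLIENT_CERTIFICATE }}` and run `umask 077; printf '%s' "$CERT_B64" | base64 -d > "$RUNNER_TEMP/azure-client-certificate.pfx"`. The step also has no `if:`, so it runs for short-test invocations too and, when the secret is unavailable (for example on pull requests from forks), it silently writes an empty file. Consider giving it the same `if: ${{ ! inputs.short_test }}` guard as `Run tests`.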
+++ b/examples/examples_nodejs_keyvault_test.go
@@ -69,3 +69,20 @@ func TestAccKeyVaultTs_OICDExplicit(t *testing.T) {
 integration.ProgramTest(t, &test)
 }
+
+func TestAccKeyVaultTs_ClientCert(t *testing.T) {
+ skipIfShort(t)
+
+ test := getJSBaseOptions(t).
+ With(integration.ProgramTestOptions{
+ Dir: filepath.Join(getCwd(t), "keyvault"),
+ Env: []string{
+ "ARM_CLIENT_CERTIFICATE_PATH=" + os.Getenv("ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST"),
+ "ARM_CLIENT_CERTIFICATE_PASSWORD=" + os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST"),
+ // Make sure we test the client cert path
+ "ARM_CLIENT_SECRET=",
+ },
+ })
+
+ integration.ProgramTest(t, &test)
+}
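Review bot: `TestAccKeyVaultTs_ClientCert` forwards whatever `os.Getenv` returns, so when `ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST` is unset (local runs, or CI without the secret) the program runs with `ARM_CLIENT_CERTIFICATE_PATH=` and `ARM_CLIENT_SECRET=` both empty. Depending on how the provider orders its credential sources, which is not visible here, that either fails with an unrelated authentication error or may fall back to another method and pass without testing certificate auth. A guard after `skipIfShort(t)` makes the precondition explicit: `certPath := os.Getenv("ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST")` followed by `if certPath == "" { t.Skip("ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST not set") }`. A one-line doc comment naming the two `_FOR_TEST` variables the test depends on would also help anyone running it outside CI.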