radius-project · lakshmimsft · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -159,3 +159,49 @@ func TestSecretStoreConvertFromValidation(t *testing.T) {
 		require.ErrorAs(t, tc.err, &err)
 	}
 }
+
+func TestSecretStorefromSecretStoreDataTypeDataModel(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    datamodel.SecretType
+		expected *SecretStoreDataType
+	}{
+		{
+			name:     "Generic Secret Type",
+			input:    datamodel.SecretTypeGeneric,
+			expected: to.Ptr(SecretStoreDataTypeGeneric),
+		},
+		{
+			name:     "Certificate Secret Type",
+			input:    datamodel.SecretTypeCert,
+			expected: to.Ptr(SecretStoreDataTypeCertificate),
+		},
+		{
+			name:     "Basic Authentication Secret Type",
+			input:    datamodel.SecretTypeBasicAuthentication,
+			expected: to.Ptr(SecretStoreDataTypeBasicAuthentication),
+		},
+		{
+			name:     "Azure Workload Identity Secret Type",
+			input:    datamodel.SecretTypeAzureWorkloadIdentity,
+			expected: to.Ptr(SecretStoreDataTypeAzureWorkloadIdentity),
+		},
+		{
+			name:     "AWS IRSA Secret Type",
+			input:    datamodel.SecretTypeAWSIRSA,
+			expected: to.Ptr(SecretStoreDataTypeAwsIRSA),
+		},
+		{
+			name:     "None Secret Type",
+			input:    datamodel.SecretTypeNone,
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := fromSecretStoreDataTypeDataModel(tt.input)
+			require.Equal(t, tt.expected, result)
+		})
+	}
+}
@@ -78,17 +78,17 @@ func getOrDefaultEncoding(t datamodel.SecretType, e datamodel.SecretValueEncodin
 	return e, err
 }
 
-// Define a map of required keys for each SecretType
-var requiredKeys = map[datamodel.SecretType][]string{
-	datamodel.SecretTypeBasicAuthentication:   {RequiredUsername, RequiredPassword},
-	datamodel.SecretTypeAzureWorkloadIdentity: {RequiredClientId, RequiredTenantId},
-	datamodel.SecretTypeAWSIRSA:               {RequiredRoleARN},
-}
-
 // ValidateAndMutateRequest checks the type and encoding of the secret store, and ensures that the secret store data is
 // valid and required keys are present for the secret type. If any of these checks fail, a BadRequestResponse is returned.
 func ValidateAndMutateRequest(ctx context.Context, newResource *datamodel.SecretStore, oldResource *datamodel.SecretStore, options *controller.Options) (rest.Response, error) {
+	// Define a map of required keys for each SecretType
+	var requiredKeys = map[datamodel.SecretType][]string{
+		datamodel.SecretTypeBasicAuthentication:   {UsernameKey, PasswordKey},
+		datamodel.SecretTypeAzureWorkloadIdentity: {ClientIdKey, TenantIdKey},
+		datamodel.SecretTypeAWSIRSA:               {RoleARNKey},
+	}
 	var err error
+
 	newResource.Properties.Type, err = getOrDefaultType(newResource.Properties.Type)
 	if err != nil {
 		return rest.NewBadRequestResponse(err.Error()), nil

@@ -20,10 +20,18 @@ const (
 	// ResourceTypeName is the resource type name for secret stores.
 	ResourceTypeName = "Applications.Core/secretStores"
 
-	// The following are possible required keys in a SecretStore depending on it's SecretType
-	RequiredUsername = "username"
-	RequiredPassword = "password"
-	RequiredClientId = "clientId"
-	RequiredTenantId = "tenantId"
-	RequiredRoleARN  = "roleARN"
+	// UsernameKey is a required key in a secret store when SecretType is Basic Authentication.
+	UsernameKey = "username"
+
+	// PasswordKey is a required key in a secret store when SecretType is Basic Authentication.
+	PasswordKey = "password"
+
+	// ClientIdKey is a required key in a secret store when SecretType is Azure Workload Identity.
+	ClientIdKey = "clientId"
+
+	// TenantIdKey is a required key in a secret store when SecretType is Azure workload Identity.
+	TenantIdKey = "tenantId"
+
+	// RoleARNKey is a required key in a  secret store when SecretType is AWS IRSA.
+	RoleARNKey = "roleARN"
 )
@@ -4356,7 +4356,7 @@
         },
         "env": {
           "$ref": "#/definitions/EnvironmentVariables",
-          "description": "Environment variables injected during recipe execution for the recipes in the environment."
+          "description": "Environment variables injected during recipe execution for the recipes in the environment, currently supported for Terraform recipes."
         },
         "envSecrets": {
           "type": "object",
@@ -4692,7 +4692,7 @@
           {
             "name": "awsIRSA",
             "value": "awsIRSA",
-            "description": "awsIRSA type is used to represent registry authentication using AWS IRSA(IAM Roles for Service accounts) and the secretstore resource is expected to have the keys 'roleARN'."
+            "description": "awsIRSA type is used to represent registry authentication using AWS IRSA (IAM Roles for Service accounts) and the secretstore resource is expected to have the key 'roleARN'."
           }
         ]
       }

@@ -79,7 +79,7 @@ model RecipeConfigProperties {
   @doc("Configuration for Terraform Recipes. Controls how Terraform plans and applies templates as part of Recipe deployment.")
   terraform?: TerraformConfigProperties;
 
-  @doc("Environment variables injected during recipe execution for the recipes in the environment.")
+  @doc("Environment variables injected during recipe execution for the recipes in the environment, currently supported for Terraform recipes.")
   env?: EnvironmentVariables;
 
   @doc("Environment variables containing sensitive information can be stored as secrets. The secrets are stored in Applications.Core/SecretStores resource.")

@@ -75,7 +75,7 @@ enum SecretStoreDataType {
   @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.")
   azureWorkloadIdentity,
 
-  @doc("awsIRSA type is used to represent registry authentication using AWS IRSA(IAM Roles for Service accounts) and the secretstore resource is expected to have the keys 'roleARN'.")
+  @doc("awsIRSA type is used to represent registry authentication using AWS IRSA (IAM Roles for Service accounts) and the secretstore resource is expected to have the key 'roleARN'.")
   awsIRSA,
 }