flowey_lib_common/
ado_task_azure_key_vault.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

//! ADO Task Wrapper: `AzureKeyVault@2`

use flowey::node::prelude::*;
use std::collections::BTreeMap;

flowey_request! {
    pub struct Request {
        /// Select the service connection for the Azure subscription containing the Azure Key Vault instance, or create a new connection.
        pub subscription: String,
        /// The name of the Azure Key Vault that contains the secrets to download.
        pub key_vault_name: String,
        /// Downloads the specified secret
        pub secret: String,
        /// Handle to the resolved secret
        pub resolved_secret: WriteVar<String>,
    }
}

new_flow_node!(struct Node);

impl FlowNode for Node {
    type Request = Request;

    fn imports(_ctx: &mut ImportCtx<'_>) {
        // no deps
    }

    fn emit(requests: Vec<Self::Request>, ctx: &mut NodeCtx<'_>) -> anyhow::Result<()> {
        let mut vaults_with_secrets: BTreeMap<_, BTreeMap<_, Vec<_>>> = BTreeMap::new();
        for Request {
            subscription,
            key_vault_name,
            secret,
            resolved_secret,
        } in requests
        {
            vaults_with_secrets
                .entry((subscription, key_vault_name))
                .or_default()
                .entry(secret)
                .or_default()
                .push(resolved_secret);
        }

        let vaults_with_secrets = vaults_with_secrets;

        // -- end of req processing -- //

        for ((subscription, key_vault_name), secrets_and_vars) in vaults_with_secrets {
            let secrets = secrets_and_vars
                .keys()
                .cloned()
                .collect::<Vec<_>>()
                .join(",");

            ctx.emit_ado_step(
                format!(
                    "Downloading secrets from key vault {}/{}",
                    subscription, key_vault_name
                ),
                move |ctx| {
                    let secrets_and_vars = secrets_and_vars.claim(ctx);

                    move |rt| {
                        for (secret, out_vars) in secrets_and_vars {
                            for var in out_vars {
                                rt.set_var(
                                    var,
                                    AdoRuntimeVar::dangerous_from_global(secret.clone(), true),
                                )
                            }
                        }

                        format!(
                            r#"
                                - task: AzureKeyVault@2
                                  inputs:
                                    azureSubscription: '{subscription}'
                                    KeyVaultName: '{key_vault_name}'
                                    SecretsFilter: '{secrets}'
                            "#
                        )
                    }
                },
            );
        }

        Ok(())
    }
}