add back queue least priveledge and hook back into azure membrane.

nitrictech · Feb 5, 2024 · fb44a90 · fb44a90
1 parent 86aa686
commit fb44a90
Show file tree

Hide file tree

Showing 5 changed files with 159 additions and 2 deletions.
diff --git a/cloud/azure/cmd/runtime/main.go b/cloud/azure/cmd/runtime/main.go
@@ -26,6 +26,7 @@ import (
 
 	http_service "github.com/nitrictech/nitric/cloud/azure/runtime/gateway"
 	aztables_service "github.com/nitrictech/nitric/cloud/azure/runtime/keyvalue"
+	azqueue_service "github.com/nitrictech/nitric/cloud/azure/runtime/queue"
 	key_vault "github.com/nitrictech/nitric/cloud/azure/runtime/secret"
 	azblob_service "github.com/nitrictech/nitric/cloud/azure/runtime/storage"
 	event_grid "github.com/nitrictech/nitric/cloud/azure/runtime/topic"
@@ -67,6 +68,11 @@ func main() {
 		log.Default().Println("Failed to load storage plugin:", err.Error())
 	}
 
+	membraneOpts.QueuesPlugin, err = azqueue_service.New()
+	if err != nil {
+		log.Default().Println("Failed to load queue plugin:", err.Error())
+	}
+
 	membraneOpts.SecretManagerPlugin, err = key_vault.New()
 	if err != nil {
 		log.Default().Println("Failed to load secret plugin:", err.Error())

diff --git a/cloud/azure/deploy/deploy.go b/cloud/azure/deploy/deploy.go
@@ -64,6 +64,8 @@ type NitricAzurePulumiProvider struct {
 
 	buckets map[string]*storage.BlobContainer
 
+	queues map[string]*storage.Queue
+
 	principals map[resourcespb.ResourceType]map[string]*ServicePrincipal
 
 	containerApps map[string]*ContainerApp

diff --git a/cloud/azure/deploy/policy.go b/cloud/azure/deploy/policy.go
@@ -108,6 +108,21 @@ func (p *NitricAzurePulumiProvider) scopeFromResource(resource *deploymentspb.Re
 				bucket.Name,
 			),
 		}, nil
+	case resourcespb.ResourceType_Queue:
+		queue, ok := p.queues[resource.Id.Name]
+		if !ok {
+			return nil, fmt.Errorf("queue %s not found", resource.Id.Name)
+		}
+
+		return &resourceScope{
+			scope: pulumi.Sprintf(
+				"subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/queueServices/default/queues/%s",
+				p.clientConfig.SubscriptionId,
+				p.resourceGroup.Name,
+				p.storageAccount.Name,
+				queue.Name,
+			),
+		}, nil
 	case resourcespb.ResourceType_Secret:
 		if p.keyVault == nil {
 			return nil, fmt.Errorf("secret %s not found", resource.Id.Name)

diff --git a/cloud/azure/deploy/queue.go b/cloud/azure/deploy/queue.go
@@ -1,11 +1,81 @@
 package deploy
 
 import (
+	"github.com/nitrictech/nitric/cloud/azure/deploy/utils"
 	deploymentspb "github.com/nitrictech/nitric/core/pkg/proto/deployments/v1"
+	"github.com/pulumi/pulumi-azure-native-sdk/storage"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
 func (a *NitricAzurePulumiProvider) Queue(ctx *pulumi.Context, parent pulumi.Resource, name string, config *deploymentspb.Queue) error {
-	// No-op for Azure
-	return nil
+	var err error
+	opts := []pulumi.ResourceOption{pulumi.Parent(parent)}
+
+	a.queues[name], err = storage.NewQueue(ctx, utils.ResourceName(ctx, name, utils.StorageQueueRT), &storage.QueueArgs{
+		AccountName:       a.storageAccount.Name,
+		ResourceGroupName: a.resourceGroup.Name,
+	}, opts...)
+
+	return err
 }
+
+// Copyright 2021 Nitric Technologies Pty Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// package queue
+
+// import (
+// 	"github.com/nitrictech/nitric/cloud/azure/deploy/utils"
+// 	"github.com/pulumi/pulumi-azure-native-sdk/resources"
+// 	"github.com/pulumi/pulumi-azure-native-sdk/storage"
+// 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+// )
+
+// // Topics
+// type AzureStorageQueue struct {
+// 	pulumi.ResourceState
+
+// 	Name          string
+// 	Account       *storage.StorageAccount
+// 	ResourceGroup *resources.ResourceGroup
+// 	Queue         *storage.Queue
+// }
+
+// type AzureStorageQueueArgs struct {
+// 	Account       *storage.StorageAccount
+// 	ResourceGroup *resources.ResourceGroup
+// }
+
+// func NewAzureStorageQueue(ctx *pulumi.Context, name string, args *AzureStorageQueueArgs, opts ...pulumi.ResourceOption) (*AzureStorageQueue, error) {
+// 	res := &AzureStorageQueue{
+// 		Name:          name,
+// 		Account:       args.Account,
+// 		ResourceGroup: args.ResourceGroup,
+// 	}
+
+// 	err := ctx.RegisterComponentResource("nitric:queue:AzureStorageQueue", name, res, opts...)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+
+// 	res.Queue, err = storage.NewQueue(ctx, utils.ResourceName(ctx, name, utils.StorageQueueRT), &storage.QueueArgs{
+// 		AccountName:       args.Account.Name,
+// 		ResourceGroupName: args.ResourceGroup.Name,
+// 	})
+// 	if err != nil {
+// 		return nil, err
+// 	}
+
+// 	return res, nil
+// }
diff --git a/cloud/azure/deploy/roles.go b/cloud/azure/deploy/roles.go
@@ -57,6 +57,70 @@ var roleDefinitions = map[resourcespb.Action]RoleDefinition{
 			"/",
 		}),
 	},
+	resourcespb.Action_QueueList: {
+		Description: pulumi.String("queue list access"),
+		Permissions: authorization.PermissionArray{
+			authorization.PermissionArgs{
+				Actions: pulumi.StringArray{
+					pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/read"),
+				},
+				DataActions: pulumi.StringArray{},
+				NotActions:  pulumi.StringArray{},
+			},
+		},
+		AssignableScopes: pulumi.ToStringArray([]string{
+			"/",
+		}),
+	},
+	resourcespb.Action_QueueDetail: {
+		Description: pulumi.String("queue detail access"),
+		Permissions: authorization.PermissionArray{
+			authorization.PermissionArgs{
+				Actions: pulumi.StringArray{
+					pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/read"),
+				},
+				DataActions: pulumi.StringArray{},
+				NotActions:  pulumi.StringArray{},
+			},
+		},
+		AssignableScopes: pulumi.ToStringArray([]string{
+			"/",
+		}),
+	},
+	resourcespb.Action_QueueSend: {
+		Description: pulumi.String("queue send access"),
+		Permissions: authorization.PermissionArray{
+			authorization.PermissionArgs{
+				Actions: pulumi.StringArray{},
+				DataActions: pulumi.StringArray{
+					pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"),
+				},
+				NotActions: pulumi.StringArray{},
+			},
+		},
+		AssignableScopes: pulumi.ToStringArray([]string{
+			"/",
+		}),
+	},
+	resourcespb.Action_QueueReceive: {
+		Description: pulumi.String("queue receive access"),
+		Permissions: authorization.PermissionArray{
+			authorization.PermissionArgs{
+				Actions: pulumi.StringArray{
+					pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/read"),
+				},
+				DataActions: pulumi.StringArray{
+					pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"),
+					pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"),
+					// pulumi.String("Microsoft.Storage/storageAccounts/queueServices/queues/messages/update"),
+				},
+				NotActions: pulumi.StringArray{},
+			},
+		},
+		AssignableScopes: pulumi.ToStringArray([]string{
+			"/",
+		}),
+	},
 	resourcespb.Action_KeyValueStoreWrite: {
 		Description: pulumi.String("keyvalue write access"),
 		Permissions: authorization.PermissionArray{