From dcd1319e99accced317a8d91549c38edea21c419 Mon Sep 17 00:00:00 2001 From: Callum Date: Mon, 25 Nov 2024 22:18:27 +1100 Subject: [PATCH 01/11] Add AzureAD OAuth --- .../component/prometheus/remotewrite/types.go | 30 ++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/internal/component/prometheus/remotewrite/types.go b/internal/component/prometheus/remotewrite/types.go index 74dcf835d0..64d45b6902 100644 --- a/internal/component/prometheus/remotewrite/types.go +++ b/internal/component/prometheus/remotewrite/types.go @@ -280,9 +280,27 @@ func (m ManagedIdentityConfig) toPrometheusType() azuread.ManagedIdentityConfig } } +// Azure AD oauth +type AzureOAuthConfig struct { + // AzureADOAuth is the OAuth configuration that is being used to authenticate. + ClientID string `alloy:"client_id,attr"` + ClientSecret string `alloy:"client_secret,attr"` + TenantID string `alloy:"tenant_id,attr"` +} + +func (m AzureOAuthConfig) toPrometheusType() azuread.OAuthConfig { + return azuread.OAuthConfig{ + ClientID: m.ClientID, + ClientSecret: m.ClientSecret, + TenantID: m.TenantID, + } +} + type AzureADConfig struct { // ManagedIdentity is the managed identity that is being used to authenticate. - ManagedIdentity ManagedIdentityConfig `alloy:"managed_identity,block"` + ManagedIdentity ManagedIdentityConfig `alloy:"managed_identity,block,optional"` + // OAuth is the OAuth configuration that is being used to authenticate. + OAuth AzureOAuthConfig `alloy:"oauth,block,optional"` // Cloud is the Azure cloud in which the service is running. Example: AzurePublic/AzureGovernment/AzureChina. Cloud string `alloy:"cloud,attr,optional"` 
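Review bot: `ClientSecret` in the new `AzureOAuthConfig` struct is a plain `string`, so the credential is not marked as sensitive and is shown unredacted wherever the component's arguments are rendered or exported; if this file already declares other credentials with the project's secret string type, use it here too and convert with `string(m.ClientSecret)` in `toPrometheusType`, which is all the Prometheus side needs since it is assigned from a string in this hunk. The comment `// AzureADOAuth is the OAuth configuration that is being used to authenticate.` sits above the `ClientID` field rather than the type; move it up as the doc comment, e.g. `// AzureOAuthConfig is the Azure AD application (client credentials) used to authenticate.`, and give each of the three fields a one-line comment. `AzureADConfig` now carries two optional credential blocks, but nothing in this hunk states that exactly one is expected, and the Validate hunk that follows only guards the managed-identity UUID parse.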
@@ -293,9 +311,11 @@ func (a *AzureADConfig) Validate() error { return fmt.Errorf("must provide a cloud in the Azure AD config") } - _, err := uuid.Parse(a.ManagedIdentity.ClientID) - if err != nil { - return fmt.Errorf("the provided Azure Managed Identity client_id provided is invalid") + if a.ManagedIdentity.ClientID != "" { + _, err := uuid.Parse(a.ManagedIdentity.ClientID) + if err != nil { + return fmt.Errorf("the provided Azure Managed Identity client_id provided is invalid") + } } return nil @@ -314,7 +334,9 @@ func (a *AzureADConfig) toPrometheusType() *azuread.AzureADConfig { } mangedIdentity := a.ManagedIdentity.toPrometheusType() + oauth := a.OAuth.toPrometheusType() return &azuread.AzureADConfig{ + OAuth: &oauth, ManagedIdentity: &mangedIdentity, Cloud: a.Cloud, } From 28fb9ddf0748891c3f647a9a638b8fef50e335c8 Mon Sep 17 00:00:00 2001 From: Callum Date: Mon, 25 Nov 2024 22:33:18 +1100 Subject: [PATCH 02/11] Update changelog and add docs --- CHANGELOG.md | 2 ++ .../prometheus/prometheus.remote_write.md | 8 +++++++- .../reference/components/oauth-block.md | 19 +++++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 docs/sources/shared/reference/components/oauth-block.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c325e6043..f400e9f2ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ Main (unreleased) ### Features +- Add `azuread.oauth` to `prometheus.remote_write` to support Azure AD authentication applicaion. (@callumau) + - Add `add_cloudwatch_timestamp` to `prometheus.exporter.cloudwatch` metrics. (@captncraig) - Add support to `prometheus.operator.servicemonitors` to allow `endpointslice` role. (@yoyosir) diff --git a/docs/sources/reference/components/prometheus/prometheus.remote_write.md b/docs/sources/reference/components/prometheus/prometheus.remote_write.md index d2614a2e52..8da4dccda2 100644 --- a/docs/sources/reference/components/prometheus/prometheus.remote_write.md 
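Review bot: `OAuth: &oauth` is assigned unconditionally, so the Prometheus config carries a non-nil `OAuth` with empty fields even when the `oauth` block was omitted, and the same already holds for `ManagedIdentity`; any consumer that treats a non-nil pointer as "this credential source is configured" now sees both at once. Have each `toPrometheusType` helper return `nil` for an absent block, which a later patch in this series does. The preceding Validate hunk has the mirror-image gap: with `managed_identity` now optional, guarding the UUID parse on `ClientID != ""` means a block with neither credential source passes validation, and nothing rejects both being set.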
+++ b/docs/sources/reference/components/prometheus/prometheus.remote_write.md @@ -54,7 +54,8 @@ endpoint > oauth2 | [oauth2][] | Configure OAuth2 for authenticating to the endp endpoint > oauth2 > tls_config | [tls_config][] | Configure TLS settings for connecting to the endpoint. | no endpoint > sigv4 | [sigv4][] | Configure AWS Signature Verification 4 for authenticating to the endpoint. | no endpoint > azuread | [azuread][] | Configure AzureAD for authenticating to the endpoint. | no -endpoint > azuread > managed_identity | [managed_identity][] | Configure Azure user-assigned managed identity. | yes +endpoint > azuread > managed_identity | [managed_identity][] | Configure Azure user-assigned managed identity. | no +endpoint > azuread > oauth | [oauth][] | Configure Azure application managed identity. | no endpoint > tls_config | [tls_config][] | Configure TLS settings for connecting to the endpoint. | no endpoint > queue_config | [queue_config][] | Configuration for how metrics are batched before sending. | no endpoint > metadata_config | [metadata_config][] | Configuration for how metric metadata is sent. | no @@ -72,6 +73,7 @@ basic_auth` refers to a `basic_auth` block defined inside an [sigv4]: #sigv4-block [azuread]: #azuread-block [managed_identity]: #managed_identity-block +[oauth]: #oauth-block [tls_config]: #tls_config-block [queue_config]: #queue_config-block [metadata_config]: #metadata_config-block @@ -151,6 +153,10 @@ metrics fails. {{< docs/shared lookup="reference/components/managed_identity-block.md" source="alloy" version="" >}} +### oauth block + +{{< docs/shared lookup="reference/components/oauth-block.md" source="alloy" version="" >}} + ### tls_config block {{< docs/shared lookup="reference/components/tls-config-block.md" source="alloy" version="" >}} diff --git a/docs/sources/shared/reference/components/oauth-block.md b/docs/sources/shared/reference/components/oauth-block.md new file mode 100644 index 0000000000..e4d177a369 --- /dev/null 
+++ b/docs/sources/shared/reference/components/oauth-block.md @@ -0,0 +1,19 @@ +--- +canonical: https://grafana.com/docs/alloy/latest/shared/reference/components/oauth-block/ +description: Shared content, oauth block +headless: true +--- + +Name | Type | Description | Default | Required +------------|----------|---------------------------------------------------------|---------|--------- +`client_id` | `string` | Client ID of the managed identity used to authenticate. | | yes +`client_secret` | `string` | Client secret of the managed identity used to authenticate. | | yes +`tenant_id` | `string` | Tenant ID of the managed identity used to authenticate. | | yes + +`client_id` should be a valid [UUID][] in one of the supported formats: +* `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` +* `urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` +* Microsoft encoding: `{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}` +* Raw hex encoding: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` + +[UUID]: https://en.wikipedia.org/wiki/Universally_unique_identifier From cd106a29fccd186dc8d29497f2715d18689641ea Mon Sep 17 00:00:00 2001 From: Callum Date: Tue, 26 Nov 2024 21:08:48 +1100 Subject: [PATCH 03/11] Add validation for azuread oauth and return nil --- .../component/prometheus/remotewrite/types.go | 48 +++++++++++++++---- 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/internal/component/prometheus/remotewrite/types.go b/internal/component/prometheus/remotewrite/types.go index 64d45b6902..49a6f63146 100644 --- a/internal/component/prometheus/remotewrite/types.go +++ b/internal/component/prometheus/remotewrite/types.go 
@@ -274,8 +274,12 @@ type ManagedIdentityConfig struct { ClientID string `alloy:"client_id,attr"` } -func (m ManagedIdentityConfig) toPrometheusType() azuread.ManagedIdentityConfig { - return azuread.ManagedIdentityConfig{ +func (m ManagedIdentityConfig) toPrometheusType() *azuread.ManagedIdentityConfig { + if m.ClientID == "" { + return nil + } + + return &azuread.ManagedIdentityConfig{ ClientID: m.ClientID, } } @@ -283,13 +287,17 @@ func (m ManagedIdentityConfig) toPrometheusType() azuread.ManagedIdentityConfig // Azure AD oauth type AzureOAuthConfig struct { // AzureADOAuth is the OAuth configuration that is being used to authenticate. - ClientID string `alloy:"client_id,attr"` - ClientSecret string `alloy:"client_secret,attr"` - TenantID string `alloy:"tenant_id,attr"` + ClientID string `alloy:"client_id,attr,optional"` + ClientSecret string `alloy:"client_secret,attr,optional"` + TenantID string `alloy:"tenant_id,attr,optional"` } -func (m AzureOAuthConfig) toPrometheusType() azuread.OAuthConfig { - return azuread.OAuthConfig{ +func (m AzureOAuthConfig) toPrometheusType() *azuread.OAuthConfig { + if m.ClientID == "" && m.ClientSecret == "" && m.TenantID == "" { + return nil + } + + return &azuread.OAuthConfig{ ClientID: m.ClientID, ClientSecret: m.ClientSecret, TenantID: m.TenantID, 
@@ -318,6 +326,28 @@ func (a *AzureADConfig) Validate() error { } } + if a.OAuth.ClientID != "" { + _, err := uuid.Parse(a.OAuth.ClientID) + if err != nil { + return fmt.Errorf("the provided Azure App Identity client_id provided is invalid") + } + } + + if a.OAuth.TenantID != "" { + _, err := uuid.Parse(a.OAuth.TenantID) + if err != nil { + return fmt.Errorf("the provided Azure App Identity tenant_id provided is invalid") + } + } + + if a.OAuth.ClientID == "" && a.ManagedIdentity.ClientID == "" { + return fmt.Errorf("either oauth or managed identity must be configured") + } + + if a.OAuth.ClientID != "" && a.ManagedIdentity.ClientID != "" { + return fmt.Errorf("at most oauth or managed identity must be configured for azuread") + } + return nil } @@ -336,8 +366,8 @@ func (a *AzureADConfig) toPrometheusType() *azuread.AzureADConfig { mangedIdentity := a.ManagedIdentity.toPrometheusType() oauth := a.OAuth.toPrometheusType() return &azuread.AzureADConfig{ - OAuth: &oauth, - ManagedIdentity: &mangedIdentity, + OAuth: oauth, + ManagedIdentity: mangedIdentity, Cloud: a.Cloud, } } From 88b461dd867d7f9cee6742013c447a3772cc592e Mon Sep 17 00:00:00 2001 From: Callum Date: Tue, 26 Nov 2024 21:09:08 +1100 Subject: [PATCH 04/11] Add azuread oauth tests --- .../prometheus/remotewrite/types_test.go | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/internal/component/prometheus/remotewrite/types_test.go b/internal/component/prometheus/remotewrite/types_test.go index 839141c38f..ce5e1e011f 100644 --- a/internal/component/prometheus/remotewrite/types_test.go +++ b/internal/component/prometheus/remotewrite/types_test.go 
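Review bot: With the three `oauth` attributes tagged `optional` in the previous hunk, the new checks only key on `client_id`, so `oauth { client_id = "…" }` with no `client_secret` or `tenant_id` passes Validate and `toPrometheusType` still returns a non-nil config with empty fields; require all three once any is set, e.g. `if (a.OAuth != AzureOAuthConfig{}) && (a.OAuth.ClientSecret == "" || a.OAuth.TenantID == "") { return fmt.Errorf("oauth requires client_id, client_secret and tenant_id") }`. The `tenant_id` UUID check is stricter than Azure itself, which also accepts a verified domain name as the tenant in the token endpoint; either document that only GUIDs are accepted here or relax the check. The message `at most oauth or managed identity must be configured for azuread` reads oddly; `at most one of oauth or managed_identity may be configured for azuread` is clearer, though the test added later in this series pins the current wording.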
@@ -161,6 +161,32 @@ func TestAlloyConfig(t *testing.T) { } }), }, + { + testName: "AzureAD_Oauth", + cfg: ` + endpoint { + url = "http://0.0.0.0:11111/api/v1/write" + + azuread { + cloud = "AzureChina" + oauth { + client_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000001" + client_secret = "00000000-0000-0000-0000-000000000002" + } + } + }`, + expectedCfg: expectedCfg(func(c *config.Config) { + c.RemoteWriteConfigs[0].AzureADConfig = &azuread.AzureADConfig{ + Cloud: "AzureChina", + OAuth: &azuread.OAuthConfig{ + ClientID: "00000000-0000-0000-0000-000000000000", + ClientSecret: "00000000-0000-0000-0000-000000000002", + TenantID: "00000000-0000-0000-0000-000000000001", + }, + } + }), + }, { testName: "SigV4_Defaults", cfg: ` @@ -223,6 +249,24 @@ func TestAlloyConfig(t *testing.T) { }`, errorMsg: "at most one of sigv4, azuread, basic_auth, oauth2, bearer_token & bearer_token_file must be configured", }, + { + testName: "TooManyAuthAzureAD", + cfg: ` + endpoint { + url = "http://0.0.0.0:11111/api/v1/write" + + sigv4 {} + azuread { + managed_identity { + client_id = "00000000-0000-0000-0000-000000000000" + } + oauth { + client_id = "00000000-0000-0000-0000-000000000000" + } + } + }`, + errorMsg: "at most oauth or managed identity must be configured for azuread", + }, { testName: "BadAzureClientId", cfg: ` From 1d7f39bdc58d62be4e408f1998f9dd73559bf37d Mon Sep 17 00:00:00 2001 From: Callum Date: Tue, 26 Nov 2024 21:09:14 +1100 Subject: [PATCH 05/11] update docs --- .../components/prometheus/prometheus.remote_write.md | 2 +- .../shared/reference/components/oauth-block.md | 12 +++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/sources/reference/components/prometheus/prometheus.remote_write.md b/docs/sources/reference/components/prometheus/prometheus.remote_write.md index 8da4dccda2..cf0ab0e86e 100644 --- a/docs/sources/reference/components/prometheus/prometheus.remote_write.md 
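Review bot: The `TooManyAuthAzureAD` case configures `sigv4 {}` as well as both azuread sub-blocks, so two different validation failures apply and the expected `errorMsg` depends on which check runs first; that order is not visible here, so drop `sigv4 {}` to make the case exercise only the azuread exclusivity rule (the case just above it already pins the sigv4/azuread conflict message). The `oauth` block in that case sets only `client_id`; once `client_secret` and `tenant_id` become required attributes the decoder rejects it before Validate runs, which a later patch in this series addresses. A positive case with a non-UUID `tenant_id` would also pin whether tenant IDs must be GUIDs, since the validator currently requires it.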
+++ b/docs/sources/reference/components/prometheus/prometheus.remote_write.md @@ -55,7 +55,7 @@ endpoint > oauth2 > tls_config | [tls_config][] | Configure TLS settings for con endpoint > sigv4 | [sigv4][] | Configure AWS Signature Verification 4 for authenticating to the endpoint. | no endpoint > azuread | [azuread][] | Configure AzureAD for authenticating to the endpoint. | no endpoint > azuread > managed_identity | [managed_identity][] | Configure Azure user-assigned managed identity. | no -endpoint > azuread > oauth | [oauth][] | Configure Azure application managed identity. | no +endpoint > azuread > oauth | [oauth][] | Configure Azure application authenication. | no endpoint > tls_config | [tls_config][] | Configure TLS settings for connecting to the endpoint. | no endpoint > queue_config | [queue_config][] | Configuration for how metrics are batched before sending. | no endpoint > metadata_config | [metadata_config][] | Configuration for how metric metadata is sent. | no diff --git a/docs/sources/shared/reference/components/oauth-block.md b/docs/sources/shared/reference/components/oauth-block.md index e4d177a369..20879bed99 100644 --- a/docs/sources/shared/reference/components/oauth-block.md +++ b/docs/sources/shared/reference/components/oauth-block.md 
@@ -6,9 +6,9 @@ headless: true Name | Type | Description | Default | Required ------------|----------|---------------------------------------------------------|---------|--------- -`client_id` | `string` | Client ID of the managed identity used to authenticate. | | yes -`client_secret` | `string` | Client secret of the managed identity used to authenticate. | | yes -`tenant_id` | `string` | Tenant ID of the managed identity used to authenticate. | | yes +`client_id` | `string` | Client ID of the Microsoft authenication application used to authenticate. | | yes +`client_secret` | `string` | Client secret of the Microsoft authenication application used to authenticate. | | yes +`tenant_id` | `string` | Tenant ID of the Microsoft authenication application used to authenticate. | | yes `client_id` should be a valid [UUID][] in one of the supported formats: * `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` @@ -16,4 +16,10 @@ Name | Type | Description * Microsoft encoding: `{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}` * Raw hex encoding: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` +`tenant_id` should be a valid [UUID][] in one of the supported formats: +* `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` +* `urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` +* Microsoft encoding: `{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}` +* Raw hex encoding: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` + [UUID]: https://en.wikipedia.org/wiki/Universally_unique_identifier From b1101bc53e23df86a0c0006eecd0e9a652981b44 Mon Sep 17 00:00:00 2001 From: Callum Date: Tue, 26 Nov 2024 21:30:07 +1100 Subject: [PATCH 06/11] Add conversion --- .../internal/prometheusconvert/component/remote_write.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/internal/converter/internal/prometheusconvert/component/remote_write.go b/internal/converter/internal/prometheusconvert/component/remote_write.go index ca634423cd..e00543a79e 100644 --- a/internal/converter/internal/prometheusconvert/component/remote_write.go 
+++ b/internal/converter/internal/prometheusconvert/component/remote_write.go @@ -134,5 +134,10 @@ func toAzureAD(azureADConfig *azuread.AzureADConfig) *remotewrite.AzureADConfig ManagedIdentity: remotewrite.ManagedIdentityConfig{ ClientID: azureADConfig.ManagedIdentity.ClientID, }, + OAuth: remotewrite.AzureOAuthConfig{ + ClientID: azureADConfig.OAuth.ClientID, + ClientSecret: azureADConfig.OAuth.ClientSecret, + TenantID: azureADConfig.OAuth.TenantID, + }, } } From 85bf9f736304a7b35935c870af419f73f749a528 Mon Sep 17 00:00:00 2001 From: Callum Date: Wed, 27 Nov 2024 22:48:40 +1100 Subject: [PATCH 07/11] fix remote write converter --- .../component/prometheus/remotewrite/types.go | 68 ++++++++++--------- .../component/remote_write.go | 25 +++++-- 2 files changed, 55 insertions(+), 38 deletions(-) diff --git a/internal/component/prometheus/remotewrite/types.go b/internal/component/prometheus/remotewrite/types.go index 49a6f63146..a546e2cb1b 100644 --- a/internal/component/prometheus/remotewrite/types.go +++ b/internal/component/prometheus/remotewrite/types.go @@ -287,9 +287,9 @@ func (m ManagedIdentityConfig) toPrometheusType() *azuread.ManagedIdentityConfig // Azure AD oauth type AzureOAuthConfig struct { // AzureADOAuth is the OAuth configuration that is being used to authenticate. - ClientID string `alloy:"client_id,attr,optional"` - ClientSecret string `alloy:"client_secret,attr,optional"` - TenantID string `alloy:"tenant_id,attr,optional"` + ClientID string `alloy:"client_id,attr"` + ClientSecret string `alloy:"client_secret,attr"` + TenantID string `alloy:"tenant_id,attr"` } func (m AzureOAuthConfig) toPrometheusType() *azuread.OAuthConfig { 
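Review bot: `azureADConfig.OAuth.ClientID` reads through `OAuth` without a nil check, and on the Prometheus type that field is a pointer (the remotewrite side takes its address with `&oauth` in the first patch), so converting a config that uses only `managed_identity` panics here; the pre-existing `azureADConfig.ManagedIdentity.ClientID` line has the same exposure for oauth-only input. Guard both pointers before reading their fields, as the next patch in this series does when it restructures this function. `toAzureAD` starts outside the hunk.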
@@ -319,34 +319,40 @@ func (a *AzureADConfig) Validate() error { return fmt.Errorf("must provide a cloud in the Azure AD config") } - if a.ManagedIdentity.ClientID != "" { - _, err := uuid.Parse(a.ManagedIdentity.ClientID) - if err != nil { - return fmt.Errorf("the provided Azure Managed Identity client_id provided is invalid") - } - } - - if a.OAuth.ClientID != "" { - _, err := uuid.Parse(a.OAuth.ClientID) - if err != nil { - return fmt.Errorf("the provided Azure App Identity client_id provided is invalid") - } - } - - if a.OAuth.TenantID != "" { - _, err := uuid.Parse(a.OAuth.TenantID) - if err != nil { - return fmt.Errorf("the provided Azure App Identity tenant_id provided is invalid") - } - } - - if a.OAuth.ClientID == "" && a.ManagedIdentity.ClientID == "" { - return fmt.Errorf("either oauth or managed identity must be configured") - } - - if a.OAuth.ClientID != "" && a.ManagedIdentity.ClientID != "" { - return fmt.Errorf("at most oauth or managed identity must be configured for azuread") - } + _, err := uuid.Parse(a.ManagedIdentity.ClientID) + if err != nil { + return fmt.Errorf("the provided Azure Managed Identity client_id provided is invalid") + } + + // Validate OAuth if it is provided + // if a.OAuth != "" { + // if a.OAuth.TenantID == "" { + // return fmt.Errorf("OAuth TenantID must not be empty") + // } + // if a.OAuth.ClientSecret == "" { + // return fmt.Errorf("OAuth ClientSecret must not be empty") + // } + // } + + // // Validate ManagedIdentity if it is provided + // if a.ManagedIdentity != nil { + // if a.ManagedIdentity.ClientID == "" { + // return fmt.Errorf("ManagedIdentity ClientID must not be empty") + // } + // } + + // // Validate OAuth if it is provided + // if a.OAuth != nil { + // if a.OAuth.ClientID == "" { + // return fmt.Errorf("OAuth ClientID must not be empty") + // } + // if a.OAuth.TenantID == "" { + // return fmt.Errorf("OAuth TenantID must not be empty") + // } + // if a.OAuth.ClientSecret == "" { + // return fmt.Errorf("OAuth 
ClientSecret must not be empty") + // } + // } return nil } diff --git a/internal/converter/internal/prometheusconvert/component/remote_write.go b/internal/converter/internal/prometheusconvert/component/remote_write.go index e00543a79e..691ec70c63 100644 --- a/internal/converter/internal/prometheusconvert/component/remote_write.go +++ b/internal/converter/internal/prometheusconvert/component/remote_write.go @@ -129,15 +129,26 @@ func toAzureAD(azureADConfig *azuread.AzureADConfig) *remotewrite.AzureADConfig return nil } - return &remotewrite.AzureADConfig{ - Cloud: azureADConfig.Cloud, - ManagedIdentity: remotewrite.ManagedIdentityConfig{ - ClientID: azureADConfig.ManagedIdentity.ClientID, - }, - OAuth: remotewrite.AzureOAuthConfig{ + var oauth remotewrite.AzureOAuthConfig + var managedIdentity remotewrite.ManagedIdentityConfig + + if azureADConfig.OAuth != nil { + oauth = remotewrite.AzureOAuthConfig{ ClientID: azureADConfig.OAuth.ClientID, ClientSecret: azureADConfig.OAuth.ClientSecret, TenantID: azureADConfig.OAuth.TenantID, - }, + } + } + + if azureADConfig.ManagedIdentity != nil { + managedIdentity = remotewrite.ManagedIdentityConfig{ + ClientID: azureADConfig.ManagedIdentity.ClientID, + } + } + + return &remotewrite.AzureADConfig{ + Cloud: azureADConfig.Cloud, + ManagedIdentity: managedIdentity, + OAuth: oauth, } } From ba66b2ae1df5967343d99f7e026aa51f2013b2ca Mon Sep 17 00:00:00 2001 From: Callum Date: Wed, 27 Nov 2024 22:48:57 +1100 Subject: [PATCH 08/11] add extra remotewrite test for oauth --- .../testdata/prom_remote_write.alloy | 20 +++++++++++++++++++ .../testdata/prom_remote_write.yaml | 10 ++++++++++ 2 files changed, 30 insertions(+) diff --git a/internal/converter/internal/staticconvert/testdata/prom_remote_write.alloy b/internal/converter/internal/staticconvert/testdata/prom_remote_write.alloy index 2d341fed6a..08f0269909 100644 --- a/internal/converter/internal/staticconvert/testdata/prom_remote_write.alloy 
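Review bot: Restoring the unconditional `uuid.Parse(a.ManagedIdentity.ClientID)` makes every oauth-only `azuread` block fail with the managed-identity error, because `ManagedIdentity.ClientID` is empty in that case; the `AzureAD_Oauth` case added earlier in this series seems unlikely to pass at this commit. The roughly thirty lines of commented-out validation should not be committed; make them live code or leave them out (the final patch replaces them). Note also that the commented code compares `a.OAuth` with `""` and `a.ManagedIdentity` with `nil`, neither of which type-checks for these value-typed fields, so it would not have served as a drop-in draft anyway.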
+++ b/internal/converter/internal/staticconvert/testdata/prom_remote_write.alloy @@ -109,3 +109,23 @@ prometheus.remote_write "metrics_test7_azuread_explicit" { } } } + +prometheus.remote_write "metrics_test8_azuread_appauth" { + endpoint { + name = "test8_azuread_appauth-1654c7" + url = "http://localhost:9012/api/prom/push" + + queue_config { } + + metadata_config { } + + azuread { + oauth { + client_id = "00000000-0000-0000-0000-000000000000" + client_secret = "fake_client_secret" + tenant_id = "00000000-0000-0000-0000-000000000000" + } + cloud = "AzureGovernment" + } + } +} diff --git a/internal/converter/internal/staticconvert/testdata/prom_remote_write.yaml b/internal/converter/internal/staticconvert/testdata/prom_remote_write.yaml index ef548902cc..2e521f31e0 100644 --- a/internal/converter/internal/staticconvert/testdata/prom_remote_write.yaml +++ b/internal/converter/internal/staticconvert/testdata/prom_remote_write.yaml @@ -42,3 +42,13 @@ metrics: cloud: AzureGovernment managed_identity: client_id: 00000000-0000-0000-0000-000000000000 + - name: "test8_azuread_appauth" + remote_write: + - url: http://localhost:9012/api/prom/push + azuread: + cloud: AzureGovernment + oauth: + client_id: 00000000-0000-0000-0000-000000000000 + client_secret: fake_client_secret + tenant_id: 00000000-0000-0000-0000-000000000000 + From 80864f4934c0260a629b29542399dda266e79635 Mon Sep 17 00:00:00 2001 From: Callum <96725140+callumau@users.noreply.github.com> Date: Thu, 28 Nov 2024 18:13:41 +1100 Subject: [PATCH 09/11] Update docs/sources/shared/reference/components/oauth-block.md Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com> --- .../sources/shared/reference/components/oauth-block.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/sources/shared/reference/components/oauth-block.md b/docs/sources/shared/reference/components/oauth-block.md index 20879bed99..3e2e951831 100644 
--- a/docs/sources/shared/reference/components/oauth-block.md +++ b/docs/sources/shared/reference/components/oauth-block.md @@ -4,11 +4,11 @@ description: Shared content, oauth block headless: true --- -Name | Type | Description | Default | Required -------------|----------|---------------------------------------------------------|---------|--------- -`client_id` | `string` | Client ID of the Microsoft authenication application used to authenticate. | | yes -`client_secret` | `string` | Client secret of the Microsoft authenication application used to authenticate. | | yes -`tenant_id` | `string` | Tenant ID of the Microsoft authenication application used to authenticate. | | yes +Name | Type | Description | Default | Required +----------------|----------|---------------------------------------------------------------------------------|---------|--------- +`client_id` | `string` | Client ID of the Microsoft authentication application used to authenticate. | | yes +`client_secret` | `string` | Client secret of the Microsoft authentication application used to authenticate. | | yes +`tenant_id` | `string` | Tenant ID of the Microsoft authentication application used to authenticate. | | yes `client_id` should be a valid [UUID][] in one of the supported formats: * `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` From 5eb8a0774cca90c0391f355a1a5b97638593744c Mon Sep 17 00:00:00 2001 From: Callum Date: Thu, 28 Nov 2024 19:09:55 +1100 Subject: [PATCH 10/11] add new tests --- .../prometheus/remotewrite/types_test.go | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/internal/component/prometheus/remotewrite/types_test.go b/internal/component/prometheus/remotewrite/types_test.go index ce5e1e011f..5f2885067e 100644 --- a/internal/component/prometheus/remotewrite/types_test.go +++ b/internal/component/prometheus/remotewrite/types_test.go 
@@ -262,6 +262,8 @@ func TestAlloyConfig(t *testing.T) { } oauth { client_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000001" + client_secret = "00000000-0000-0000-0000-000000000002" } } }`, @@ -281,6 +283,37 @@ func TestAlloyConfig(t *testing.T) { }`, errorMsg: "the provided Azure Managed Identity client_id provided is invalid", }, + { + testName: "BadAzureOAuthClientId", + cfg: ` + endpoint { + url = "http://0.0.0.0:11111/api/v1/write" + + azuread { + oauth { + client_id = "bad_client_id" + tenant_id = "00000000-0000-0000-0000-000000000001" + client_secret = "00000000-0000-0000-0000-000000000002" + } + } + }`, + errorMsg: "the provided Azure Application Identity client_id provided is invalid", + }, + { + testName: "MissingAzureOAuthTenantId", + cfg: ` + endpoint { + url = "http://0.0.0.0:11111/api/v1/write" + + azuread { + oauth { + client_id = "bad_client_id" + client_secret = "00000000-0000-0000-0000-000000000002" + } + } + }`, + errorMsg: "missing required attribute \"tenant_id\"", + }, { // Make sure the squashed HTTPClientConfig Validate function is being utilized correctly testName: "BadBearerConfig", From 8824f740a7537955899b171b5acd174d89234990 Mon Sep 17 00:00:00 2001 From: Callum Date: Thu, 28 Nov 2024 19:10:15 +1100 Subject: [PATCH 11/11] fix validation on remotewrite --- .../component/prometheus/remotewrite/types.go | 48 +++++++------------ 1 file changed, 17 insertions(+), 31 deletions(-) diff --git a/internal/component/prometheus/remotewrite/types.go b/internal/component/prometheus/remotewrite/types.go index a546e2cb1b..aac4313617 100644 --- a/internal/component/prometheus/remotewrite/types.go +++ b/internal/component/prometheus/remotewrite/types.go 
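Review bot: `MissingAzureOAuthTenantId` sets `client_id = "bad_client_id"` as well as omitting `tenant_id`, so the case has two defects and the expected `missing required attribute "tenant_id"` only holds while the decoder's required-attribute check runs before `Validate`; use a well-formed ID such as `client_id = "00000000-0000-0000-0000-000000000000"` so the case isolates the missing attribute. `BadAzureOAuthClientId` omits `cloud`; if that attribute has no default, the `must provide a cloud` check fires first, so setting it explicitly keeps the expected message stable. The asserted message `the provided Azure Application Identity client_id provided is invalid` repeats "provided"; the validator and this test could both use `the provided Azure Application Identity client_id is invalid`.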
@@ -319,40 +319,26 @@ func (a *AzureADConfig) Validate() error { return fmt.Errorf("must provide a cloud in the Azure AD config") } - _, err := uuid.Parse(a.ManagedIdentity.ClientID) - if err != nil { - return fmt.Errorf("the provided Azure Managed Identity client_id provided is invalid") + // Ensure both Managed Identity and OAuth are not provided + if a.ManagedIdentity != (ManagedIdentityConfig{}) && a.OAuth != (AzureOAuthConfig{}) { + return fmt.Errorf("at most oauth or managed identity must be configured for azuread") + } + + // Validate Managed Identity if it is provided + if (a.ManagedIdentity != ManagedIdentityConfig{}) { + _, err := uuid.Parse(a.ManagedIdentity.ClientID) + if err != nil { + return fmt.Errorf("the provided Azure Managed Identity client_id provided is invalid") + } } // Validate OAuth if it is provided - // if a.OAuth != "" { - // if a.OAuth.TenantID == "" { - // return fmt.Errorf("OAuth TenantID must not be empty") - // } - // if a.OAuth.ClientSecret == "" { - // return fmt.Errorf("OAuth ClientSecret must not be empty") - // } - // } - - // // Validate ManagedIdentity if it is provided - // if a.ManagedIdentity != nil { - // if a.ManagedIdentity.ClientID == "" { - // return fmt.Errorf("ManagedIdentity ClientID must not be empty") - // } - // } - - // // Validate OAuth if it is provided - // if a.OAuth != nil { - // if a.OAuth.ClientID == "" { - // return fmt.Errorf("OAuth ClientID must not be empty") - // } - // if a.OAuth.TenantID == "" { - // return fmt.Errorf("OAuth TenantID must not be empty") - // } - // if a.OAuth.ClientSecret == "" { - // return fmt.Errorf("OAuth ClientSecret must not be empty") - // } - // } + if (a.OAuth != AzureOAuthConfig{}) { + _, err := uuid.Parse(a.OAuth.ClientID) + if err != nil { + return fmt.Errorf("the provided Azure Application Identity client_id provided is invalid") + } + } return nil }
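Review bot: After this rewrite an `azuread` block with neither `managed_identity` nor `oauth` passes Validate, because both blocks have been optional since the first patch and the presence check introduced in patch 03 (`either oauth or managed identity must be configured`) is not restored here; unless the Prometheus client itself rejects a config with both pointers nil, the failure surfaces on the first remote-write request rather than at load time. Add `if (a.ManagedIdentity == ManagedIdentityConfig{}) && (a.OAuth == AzureOAuthConfig{}) { return fmt.Errorf("either oauth or managed_identity must be configured for azuread") }` after the exclusivity check. `tenant_id` is no longer validated at all, while `oauth-block.md` from patch 05 still tells users it must be a valid UUID; align one with the other. Style: the struct comparisons mix `a.ManagedIdentity != (ManagedIdentityConfig{})` with `(a.OAuth != AzureOAuthConfig{})`, and both error strings repeat "provided".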