feat(secret-manager): correct automatic/assume roles behavior, add information on deletion helper, copy updates

Author: TheoGrandin74

apps/console-v5/src/routes/_authenticated/organization/$organizationId/cluster/$clusterId/settings/addons.tsx

@@ -1,3 +1,4 @@
+import { type CheckedState } from '@radix-ui/react-checkbox'
 import { createFileRoute, useParams } from '@tanstack/react-router'
 import { type CloudProvider, type ClusterRegion, ServiceTypeEnum } from 'qovery-typescript-axios'
 import { useEffect, useMemo, useState } from 'react'
@@ -15,6 +16,7 @@ import { useUserRole } from '@qovery/shared/iam/feature'
 import {
   Badge,
   Button,
+  Checkbox,
   DropdownMenu,
   Icon,
   IconFlag,
@@ -189,6 +191,7 @@ function SecretManagerDeletionHelperModal({
 }) {
   const [selectedAction, setSelectedAction] = useState<DeletionAction | null>(null)
   const [targetId, setTargetId] = useState('')
+  const [autoDeployImpactedServices, setAutoDeployImpactedServices] = useState<CheckedState>(false)
 
   const hasOtherManagers = otherManagers.length > 0
   const hasMultipleManagers = otherManagers.length > 1
@@ -208,19 +211,19 @@ function SecretManagerDeletionHelperModal({
     Boolean(selectedAction) && (!hasMultipleManagers || selectedAction !== 'migrate' || Boolean(targetId))
 
   const cardBase =
-    'flex w-full items-center gap-3 rounded-lg bg-background p-3 text-left outline outline-1 focus:outline focus:outline-1 shadow-[0_0_4px_0_rgba(0,0,0,0.01),0_2px_3px_0_rgba(0,0,0,0.02)]'
+    'flex w-full items-center gap-3 rounded-lg bg-surface-neutral p-3 text-left outline outline-1 focus:outline focus:outline-1 shadow-[0_0_4px_0_rgba(0,0,0,0.01),0_2px_3px_0_rgba(0,0,0,0.02)]'
   const iconBase = 'flex h-10 w-10 items-center justify-center rounded-md'
 
   return (
     <div className="relative flex flex-col">
       <div className="px-5 pt-5">
-        <h2 className="text-lg font-medium text-neutral">Deletion helper</h2>
+        <h2 className="text-lg font-medium text-neutral">Choose how to handle existing secrets</h2>
         <p className="mt-1 text-sm text-neutral-subtle">
-          "{integration.name}" is currently used by {integration.usedByServices ?? 0} services. Choose what you want to
-          do with the linked external secrets before before deleting it.
+          "{integration.name}" is currently used by {integration.usedByServices ?? 0} services. To finalize the
+          deletion, you'll need to redeploy all impacted services before deploying your cluster.
         </p>
       </div>
-      <div className="flex flex-col gap-2 px-5 py-5">
+      <div className="flex flex-col gap-3 px-5 py-5">
         {hasOtherManagers && hasMultipleManagers ? (
           <div className="flex flex-col gap-0 rounded-lg border border-neutral bg-surface-neutral-subtle">
             <button
@@ -241,7 +244,7 @@ function SecretManagerDeletionHelperModal({
               >
                 <Icon iconName="right-left" className={selectedAction === 'migrate' ? 'text-brand' : undefined} />
               </div>
-              <div className="flex flex-col gap-1">
+              <div className="flex flex-col gap-0.5">
                 <span className="text-sm font-medium text-neutral">Migrate to another secret manager</span>
                 <span className="text-xs text-neutral-subtle">
                   Migration to one of your other secret manager detected
@@ -281,7 +284,7 @@ function SecretManagerDeletionHelperModal({
               >
                 <Icon iconName="right-left" className={selectedAction === 'migrate' ? 'text-brand' : undefined} />
               </div>
-              <div className="flex flex-col gap-1">
+              <div className="flex flex-col gap-0.5">
                 <span className="text-sm font-medium text-neutral">Migrate to detected secret manager</span>
                 <span className="text-xs text-neutral-subtle">References will point to "{otherManagers[0]?.name}"</span>
               </div>
@@ -305,7 +308,7 @@ function SecretManagerDeletionHelperModal({
           >
             <Icon iconName="link-broken" className={selectedAction === 'detach' ? 'text-brand' : undefined} />
           </div>
-          <div className="flex flex-col gap-1">
+          <div className="flex flex-col gap-0.5">
             <span className="text-sm font-medium text-neutral">Detach all references</span>
             <span className="text-xs text-neutral-subtle">Empty external secrets to be remapped later</span>
           </div>
@@ -327,11 +330,24 @@ function SecretManagerDeletionHelperModal({
           >
             <Icon iconName="lock-keyhole" className={selectedAction === 'convert' ? 'text-brand' : undefined} />
           </div>
-          <div className="flex flex-col gap-1">
+          <div className="flex flex-col gap-0.5">
             <span className="text-sm font-medium text-neutral">Convert to empty Qovery secrets</span>
             <span className="text-xs text-neutral-subtle">Conversion to empty qovery secrets for manual migration</span>
           </div>
         </button>
+
+        <div className="mt-1 flex items-start gap-2">
+          <Checkbox
+            id="auto-deploy-impacted-services"
+            name="auto-deploy-impacted-services"
+            checked={autoDeployImpactedServices}
+            onCheckedChange={setAutoDeployImpactedServices}
+            className="mt-0.5 shrink-0"
+          />
+          <label htmlFor="auto-deploy-impacted-services" className="text-sm text-neutral">
+            Automatically deploy impacted services
+          </label>
+        </div>
       </div>
       <div className="flex items-center justify-end gap-3 border-t border-neutral px-5 py-4">
         <Button type="button" variant="plain" color="neutral" size="lg" onClick={onClose}>

apps/console-v5/src/routes/_authenticated/organization/$organizationId/project/$projectId/environment/$environmentId/service/$serviceId/variables.tsx

@@ -32,6 +32,10 @@ function RouteComponent() {
     options: EXTERNAL_SECRETS_USE_CASES,
     defaultCaseId: 'filled',
   })
+  const hasClusterSecretManagerConfigured =
+    selectedCaseId === 'filled' ||
+    selectedCaseId === 'empty' ||
+    selectedCaseId === 'secret-manager-addon-not-redeployed'
 
   const { data: service } = useService({
     environmentId,
@@ -113,6 +117,7 @@ function RouteComponent() {
                     environmentId={environmentId}
                     serviceId={serviceId}
                     toasterCallback={toasterCallback}
+                    hasClusterSecretManagerConfigured={hasClusterSecretManagerConfigured}
                   />
                 )}
                 {activeTab === 'external-secrets' && (

libs/domains/clusters/feature/src/lib/secret-manager-modals/secret-manager-integration-modal.spec.tsx

@@ -0,0 +1,74 @@
+import { renderWithProviders, screen } from '@qovery/shared/util-tests'
+import {
+  SecretManagerIntegrationModal,
+  type SecretManagerIntegrationModalProps,
+} from './secret-manager-integration-modal'
+
+const defaultProps: SecretManagerIntegrationModalProps = {
+  option: {
+    value: 'aws-manager',
+    label: 'AWS Secret manager',
+    icon: 'AWS',
+    typeLabel: 'AWS Secret manager',
+  },
+  regionOptions: [{ label: 'Paris (eu-west-3)', value: 'eu-west-3' }],
+  clusterProvider: 'AWS',
+  onClose: jest.fn(),
+  onSubmit: jest.fn(),
+}
+
+const getAutomaticTab = () => {
+  const automaticIntegrationLabel = screen.getByText('Automatic integration')
+  return (automaticIntegrationLabel.closest('[aria-disabled="true"]') ??
+    automaticIntegrationLabel.closest('[aria-disabled]')) as HTMLElement
+}
+
+describe('SecretManagerIntegrationModal', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('should force static credentials when an automatic integration already exists', async () => {
+    const { userEvent } = renderWithProviders(
+      <SecretManagerIntegrationModal {...defaultProps} hasAwsAutomaticIntegrationConfigured />
+    )
+
+    expect(screen.getByLabelText('Authentication type')).toBeDisabled()
+    expect(screen.getByText('Static credentials')).toBeInTheDocument()
+
+    const automaticTab = getAutomaticTab()
+    expect(automaticTab).toHaveAttribute('aria-disabled')
+
+    await userEvent.hover(automaticTab)
+
+    expect(
+      (
+        await screen.findAllByText(
+          'Static credentials are the only available option while Automatic integration is configured'
+        )
+      ).length
+    ).toBeGreaterThan(0)
+  })
+
+  it('should force static credentials when an STS integration already exists', async () => {
+    const { userEvent } = renderWithProviders(
+      <SecretManagerIntegrationModal {...defaultProps} hasAwsManualStsIntegrationConfigured />
+    )
+
+    expect(screen.getByLabelText('Authentication type')).toBeDisabled()
+    expect(screen.getByText('Static credentials')).toBeInTheDocument()
+
+    const automaticTab = getAutomaticTab()
+    expect(automaticTab).toHaveAttribute('aria-disabled')
+
+    await userEvent.hover(automaticTab)
+
+    expect(
+      (
+        await screen.findAllByText(
+          'Static credentials are the only available option while Assume role integration is configured'
+        )
+      ).length
+    ).toBeGreaterThan(0)
+  })
+})

libs/domains/clusters/feature/src/lib/secret-manager-modals/secret-manager-integration-modal.tsx

@@ -37,9 +37,6 @@ type SecretManagerIntegrationFormValues = {
 const AUTOMATIC_INTEGRATION_DISABLED_TOOLTIP =
   'Automatic integration is unavailable because an STS manual integration is already configured.'
 
-const STATIC_CREDENTIALS_DISABLED_TOOLTIP =
-  'Static credentials are the only available option while automatic integration is configured'
-
 export interface SecretManagerIntegrationModalProps {
   option: SecretManagerOption
   regionOptions: Array<{ label: string; value: string; icon?: JSX.Element }>
@@ -65,15 +62,25 @@ export function SecretManagerIntegrationModal({
 }: SecretManagerIntegrationModalProps) {
   const isAwsCluster = clusterProvider === 'AWS'
   const isAwsIntegration = option.icon === 'AWS'
-  const isAwsAutomaticIntegrationBlockedByExistingRoleArn =
-    isAwsCluster && isAwsIntegration && hasAwsManualStsIntegrationConfigured
-  const isAwsStaticCredentialsBlockedByExistingAutomatic =
-    isAwsCluster && isAwsIntegration && hasAwsAutomaticIntegrationConfigured
+  const hasConfiguredAwsAutomaticIntegration = isAwsCluster && isAwsIntegration && hasAwsAutomaticIntegrationConfigured
+  const hasConfiguredAwsManualStsIntegration = isAwsCluster && isAwsIntegration && hasAwsManualStsIntegrationConfigured
+  const blockedAwsIntegrationLabel = hasConfiguredAwsAutomaticIntegration
+    ? 'Automatic'
+    : hasConfiguredAwsManualStsIntegration
+      ? 'Assume role'
+      : undefined
+  const isEditingAwsManualStsIntegration =
+    mode === 'edit' && initialValues?.authentication === 'Manual' && initialValues?.authType === 'sts'
+  const shouldForceStaticCredentials = Boolean(blockedAwsIntegrationLabel) && !isEditingAwsManualStsIntegration
+  const shouldForceStsCredentials = isEditingAwsManualStsIntegration
+  const showAutomaticTabFirst = !blockedAwsIntegrationLabel
+  const disabledIntegrationTooltip =
+    shouldForceStaticCredentials && blockedAwsIntegrationLabel
+      ? `Static credentials are the only available option while ${blockedAwsIntegrationLabel} integration is configured`
+      : AUTOMATIC_INTEGRATION_DISABLED_TOOLTIP
 
   const [activeTab, setActiveTab] = useState<IntegrationTab>(() =>
-    initialValues?.authentication === 'Manual' || isAwsAutomaticIntegrationBlockedByExistingRoleArn
-      ? 'manual'
-      : 'automatic'
+    initialValues?.authentication === 'Manual' || Boolean(blockedAwsIntegrationLabel) ? 'manual' : 'automatic'
   )
   const methods = useForm<SecretManagerIntegrationFormValues>({
     mode: 'onChange',
@@ -90,13 +97,13 @@ export function SecretManagerIntegrationModal({
 
   const authenticationOptions = useMemo(
     () =>
-      isAwsStaticCredentialsBlockedByExistingAutomatic
+      shouldForceStaticCredentials
         ? [{ label: 'Static credentials', value: 'static' }]
         : [
             { label: 'Assume role via STS', value: 'sts' },
             { label: 'Static credentials', value: 'static' },
           ],
-    [isAwsStaticCredentialsBlockedByExistingAutomatic]
+    [shouldForceStaticCredentials]
   )
 
   const authenticationType = methods.watch('authenticationType')
@@ -107,9 +114,6 @@ export function SecretManagerIntegrationModal({
   const isManualOnlyGcpIntegration = isGcpSecretManagerOnAws
   const isManualOnlyAwsIntegration = isAwsSecretManagerOnGcp
   const isGcpManualTabOnGcpSecretManager = option.value === 'gcp-secret' && isGcpCluster && activeTab === 'manual'
-  const shouldForceStaticCredentials = isAwsStaticCredentialsBlockedByExistingAutomatic
-  const shouldForceStsCredentials = isAwsAutomaticIntegrationBlockedByExistingRoleArn
-  const showAutomaticTabFirst = !isAwsAutomaticIntegrationBlockedByExistingRoleArn
   const { getRootProps, getInputProps, isDragActive } = useDropzone({
     multiple: false,
     accept: { 'application/json': ['.json'] },
@@ -331,7 +335,7 @@ bash -s -- $GOOGLE_CLOUD_PROJECT qovery_role qovery-service-account"
 
               if (shouldForceStaticCredentials) {
                 return (
-                  <Tooltip content={STATIC_CREDENTIALS_DISABLED_TOOLTIP}>
+                  <Tooltip content={disabledIntegrationTooltip}>
                     <div className="w-full">{authenticationTypeSelect}</div>
                   </Tooltip>
                 )
@@ -552,7 +556,7 @@ bash -s -- $GOOGLE_CLOUD_PROJECT qovery_role qovery-service-account"
                     <Icon iconName="hammer" iconStyle="regular" />
                     Manual integration
                   </Navbar.Item>
-                  <Tooltip content={AUTOMATIC_INTEGRATION_DISABLED_TOOLTIP}>
+                  <Tooltip content={disabledIntegrationTooltip}>
                     <Navbar.Item
                       id="automatic"
                       aria-disabled

libs/domains/environments/feature/src/lib/create-clone-environment-modal/create-clone-environment-modal.tsx

@@ -109,10 +109,10 @@ function CloneMigrationHelperModal({
   return (
     <div className="relative flex flex-col">
       <div className="px-5 pt-5">
-        <h2 className="text-lg font-medium text-neutral">Migration helper</h2>
+        <h2 className="text-lg font-medium text-neutral">Choose how to migrate existing secrets</h2>
         <p className="mt-1 text-sm text-neutral-subtle">
           You’re about to clone a environment that contains external secrets from a secret manager on a new cluster.
-          Please choose you’re preferred options.
+          Please choose your preferred options.
         </p>
       </div>
       <div className="flex flex-col gap-2 px-5 py-5">
@@ -141,7 +141,7 @@ function CloneMigrationHelperModal({
                     className={selectedAction === 'migrate' ? 'text-brand' : undefined}
                   />
                 </div>
-                <div className="flex flex-col gap-1">
+                <div className="flex flex-col gap-0.5">
                   <span className="text-sm font-medium text-neutral">Migrate to another secret manager</span>
                   <span className="text-xs text-neutral-subtle">
                     Migration to one of your other secret manager detected
@@ -168,7 +168,7 @@ function CloneMigrationHelperModal({
               <div className={`${iconBase} bg-surface-neutral-component`}>
                 <Icon iconName="right-left" iconStyle="regular" />
               </div>
-              <div className="flex flex-col gap-1">
+              <div className="flex flex-col gap-0.5">
                 <span className="text-sm font-medium text-neutral">Migrate to another secret manager</span>
                 <span className="text-xs text-neutral-subtle">
                   Migration to one of your other secret manager detected
@@ -197,7 +197,7 @@ function CloneMigrationHelperModal({
                 className={selectedAction === 'migrate' ? 'text-brand' : undefined}
               />
             </div>
-            <div className="flex flex-col gap-1">
+            <div className="flex flex-col gap-0.5">
               <span className="text-sm font-medium text-neutral">Migrate to detected secret manager</span>
               <span className="text-xs text-neutral-subtle">
                 Migration to “
@@ -227,7 +227,7 @@ function CloneMigrationHelperModal({
               className={selectedAction === 'detach' ? 'text-brand' : undefined}
             />
           </div>
-          <div className="flex flex-col gap-1">
+          <div className="flex flex-col gap-0.5">
             <span className="text-sm font-medium text-neutral">Detach all references</span>
             <span className="text-xs text-neutral-subtle">Empty external secrets to be remapped later</span>
           </div>
@@ -253,7 +253,7 @@ function CloneMigrationHelperModal({
               className={selectedAction === 'convert' ? 'text-brand' : undefined}
             />
           </div>
-          <div className="flex flex-col gap-1">
+          <div className="flex flex-col gap-0.5">
             <span className="text-sm font-medium text-neutral">Convert to empty Qovery secrets</span>
             <span className="text-xs text-neutral-subtle">Conversion to empty qovery secrets for manual migration</span>
           </div>
@@ -314,7 +314,7 @@ function CloneMigrationTableModal({
   return (
     <div className="relative flex flex-col">
       <div className="px-5 pt-5">
-        <h2 className="text-lg font-medium text-neutral">Migration helper</h2>
+        <h2 className="text-lg font-medium text-neutral">Choose how to migrate existing secrets</h2>
         <p className="mt-1 text-sm text-neutral-subtle">
           You’re about to clone a environment that contains external secrets from a secret manager on a new cluster. For
           each detected secret manager please choose you’re preferred option.