Add support for HDInsight Cluster with Enterprise Security Package #12866
Conversation
neil-yechenwei
changed the title
|
Thanks for this PR @neil-yechenwei! Since this is a pretty complicated scenario, can you add your tests to the examples folder so that customers can have a starting point for how to be successfully with these new properties? |
|
@grayzu , thanks for your comment. The example has been added. Thanks. |
There was a problem hiding this comment.
Hi @neil-yechenwei, thanks for this PR. This is mostly looking good. I've made some comments inline - there's also another PR #13011 which (if merged) will make for simpler configurations.
If you can look at the below, and the tests pass, this should be good to merge. Thanks!
internal/services/hdinsight/hdinsight_hadoop_cluster_resource.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_hbase_cluster_resource.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_interactive_query_cluster_resource.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_kafka_cluster_resource.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_spark_cluster_resource.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_hadoop_cluster_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_hbase_cluster_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_interactive_query_cluster_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_kafka_cluster_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/hdinsight/hdinsight_spark_cluster_resource_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
@neil-yechenwei Thanks for the changes. There are still some crash opportunities, noted below, but the main thing on further thought is that azurerm_active_directory_domain_service has a quota of 1 per tenant or per subscription, so we'll need a way of handling that when parallelizing tests, else it'll conflict with the test in the domainservices package.
internal/services/hdinsight/hdinsight_hadoop_cluster_resource_test.go
Outdated
Show resolved
Hide resolved
| principal_id = azurerm_user_assigned_identity.test.principal_id | ||
| } | ||
|
|
||
| resource "azurerm_active_directory_domain_service" "test" { |
There was a problem hiding this comment.
Whilst it should be fine to include an azurerm_active_directory_domain_service in this test, we'll probably have to think about scheduling and parallelization between this test and the test in the domainservices package - it's only possible to have a single domain service at any one time and they take quite a while to stand up and tear down.
There was a problem hiding this comment.
If it's possible, could you provide some suggestion on it? Thanks in advance.
There was a problem hiding this comment.
I've updated code for your concern. Hopes it's what you expect.
There was a problem hiding this comment.
Ah i see. Unfortunately I don't think we can consolidate the tests into one package - the tests really need to live with their respective resources.
I'm looking at the logistics of having a long-running domain service to try and compensate for the concurrency issue, but still working out how to make that work nicely with the domainservices tests themselves.
There was a problem hiding this comment.
OK. I separated them into their respective resources and updated TCs related with HDInsight Cluster ESP as parallel TCs. Maybe you have to update your test script in Teamcity to run DomainService's TCs and HDInsight Cluster ESP's TCs in parallel.
internal/services/hdinsight/hdinsight_interactive_query_cluster_resource.go
Show resolved
Hide resolved
internal/services/hdinsight/validate/hdinsight_cluster_ldaps_urls.go
Outdated
Show resolved
Hide resolved
neil-yechenwei
force-pushed
the
hdinsightwithaad
branch
from
ec8f8ef to
7ea70e2
Compare
|
@manicminer , kindly ping. May I ask is there any update for above issue? |
|
@manicminer, For this test issue, is it possible that we can skip these TCs and merge this PR first? Once you figure out this kind of test issue, then enable and update the TCs. |
|
@neil-yechenwei This is challenging because having a persistent AADDS resource will break the tests for that resource. We'll leave this as-is for now, and we'll resolve separately when it becomes a problem - but can we change the AADDS SKU in this tests to |
|
@manicminer , Sure. I've changed the AADDS SKU in TCs to Standard. Please have an another look. |
|
@neil-yechenwei I've refactored the tests a little with a template for the common AADDS configuration. Running the tests again now (expecting them to take around 5-6 hrs), if all goes well this should be good to merge 👍 |
|
This is a challenging one to test - a single AADDS test is flaky but 5 successive ones are very prone to failure. |
|
@manicminer , after checked test log you triggered, seems only one tc "testAccHDInsightInteractiveQueryCluster_securityProfile" is failed in teamcity. Per my understanding, I think it's not TF code issue. Hence I just now reran this test case and it can pass on my local. Below is the test result. Test Result: |
neil-yechenwei
force-pushed
the
hdinsightwithaad
branch
2 times, most recently
from
866c877 to
1ba88cf
Compare
|
@manicminer , after rerun the TCs in TeamCity, the failed test case "testAccHDInsightInteractiveQueryCluster_securityProfile" you encountered can pass now in TeamCity. So I think it's not TF code problem.
|
|
@manicminer , all TCs passed now in TeamCity after rerun. According to my observation, seems the test script in TeamCity would clean up the existing resources at some time every day. And as you can see, these test cases keep running around 11 hours. The execution duration is long. Probably you encountered the situation that the test script is deleting the existing resources regularly when one of these test cases is running. So one of them fail. Hence these test cases can pass after adjusting the execution time to avoid that time period of data cleaning.
|
There was a problem hiding this comment.
Hi @neil-yechenwei, thanks for re-running in TC. I agree this is likely to clash with the cleanup jobs due to the extended test duration. We'll likely have to revisit this to improve the stability whilst complying with the singular quota for AADDS, but in the meantime this should be good to merge 👍
|
This functionality has been released in v2.75.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Currently, TF HDInsight Cluster doesn't support to integrate with Enterprise Security Package (ESP). So I submitted this PR to implement it.
--- PASS: TestAccHDInsightHadoopCluster_securityProfile (1995.55s)
--- PASS: TestAccHDInsightSparkCluster_securityProfile (2476.50s)
--- PASS: TestAccHDInsightKafkaCluster_securityProfile (2082.18s)
--- PASS: TestAccHDInsightInteractiveQueryCluster_securityProfile (1806.02s)
--- PASS: TestAccHDInsightHBaseCluster_securityProfile (3006.68s)
API Reference:
https://github.com/Azure/azure-rest-api-specs/blob/a331a455fd31e022f8df07105058ae586a02ab03/specification/hdinsight/resource-manager/Microsoft.HDInsight/stable/2018-06-01-preview/cluster.json#L801
Overview:
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds