Add Azure Key Vault settings source #272

AndreuCodina · 2024-04-21T09:49:45Z

Add Azure Key Vault settings source.

Doubt: Where should I add the required Python packages (azure-keyvault-secrets==4.8.0 and azure-identity==1.16.0) to use AzureKeyVaultSettingsSource?

This is the infrastructure:

resource "azurerm_resource_group" "pydantic" {
  name     = "pydantic"
  location = "northeurope"
}

resource "azurerm_key_vault" "pydantic" {
  name                          = "kv-pydantic"
  resource_group_name           = "pydantic"
  location                      = "northeurope"
  tenant_id                     = data.azuread_client_config.current.tenant_id
  sku_name                      = "standard"
  soft_delete_retention_days    = 7
  purge_protection_enabled      = false
  enable_rbac_authorization     = true
  public_network_access_enabled = true
}

resource "azurerm_key_vault_secret" "sql_server__password_pydantic" {
  name         = "SQL-SERVER--PASSWORD"
  value        = "SqlServerPassword"
  key_vault_id = azurerm_key_vault.pydantic.id
}

resource "azurerm_key_vault_secret" "my_password_pydantic" {
  name         = "MY-PASSWORD"
  value        = "MyPassword"
  key_vault_id = azurerm_key_vault.pydantic.id
}

Closes #143

hramezani · 2024-04-21T13:10:33Z

Thanks @AndreuCodina for this PR.

Doubt: Where should I add the required Python packages (azure-keyvault-secrets==4.8.0 and azure-identity==1.16.0) to use AzureKeyVaultSettingsSource?

It has to be added to optional dependencies section

Also, I can't see any test added here. You need to add some tests

AndreuCodina · 2024-04-21T14:49:08Z

Thanks @AndreuCodina for this PR.

Doubt: Where should I add the required Python packages (azure-keyvault-secrets==4.8.0 and azure-identity==1.16.0) to use AzureKeyVaultSettingsSource?

It has to be added to optional dependencies section

Also, I can't see any test added here. You need to add some tests

How do I make the imports in code? I've created the function import_azure_key_vault, but I'm getting mypy pydantic_settings pydantic_settings/sources.py:14: error: Cannot find implementation or library stub for module named "azure.core.credentials" [import-not-found]

hramezani · 2024-04-24T08:48:26Z

You need to update the requirements by running make refresh-lockfiles command

AndreuCodina · 2024-04-24T18:09:20Z

You need to update the requirements by running make refresh-lockfiles command

$ make refresh-lockfiles
`make: *** No rule to make target 'refresh-lockfiles'.  Stop.`

hramezani · 2024-04-25T07:34:01Z

Please refresh your fork. this command was added recently

requirements/linting.txt

hramezani · 2024-04-28T15:23:46Z

pydantic_settings/sources.py

+        field_value: Any | None = None
+
+        # It's not possible to use underscores in Azure Key Vault
+        secret_name = field_name.replace('_', '-')


I think you need to use _extract_field_info to respect the field alias if defined.

This is complex and I don't see the point in aliasing secret names. Can we iterate in the next version?

This is the basic functionality that we already have in all of the source classes.

You need to move the _extract_field_info to PydanticBaseSettingsSource class and then call it here. it returns a list of tuples that contain field_key, env_name and value_is_complex. you can use the env_name to fetch the value from key vault . there are some use-cases of _extract_field_info in the code, you can check them as well.

pydantic_settings/sources.py

requirements/pyproject.txt

requirements/testing.txt

hramezani · 2024-04-28T15:31:19Z

tests/test_sources.py

+            AzureKeyVaultSettings, 'https://my-resource.vault.azure.net/', DefaultAzureCredential()
+        )
+
+        obj.get_field_value(field=FieldInfo(), field_name='sqlserverpassword')


Don't we need any assertion here?

The method is just a mocked HTTP call to an API. I think I can't test anything more. The reliable test is the Jupyter notebook I'm executing against my Azure infrastructure.

You can test the returned value from the mocked method.

I think it would be good to have a complete test like other tests. I mean having a settings model that uses the AzureKeyVaultSettingsSource.

def test_azure_key_vault_settings_source(): class AzureKeyVaultSettings(BaseSettings): my_password: str sql_server__password: str @classmethod def settings_customise_sources( cls, settings_cls: type[BaseSettings], init_settings: PydanticBaseSettingsSource, env_settings: PydanticBaseSettingsSource, dotenv_settings: PydanticBaseSettingsSource, file_secret_settings: PydanticBaseSettingsSource, ) -> tuple[PydanticBaseSettingsSource, ...]: return ( AzureKeyVaultSettingsSource( settings_cls, os.environ['KEY_VAULT__URL'], DefaultAzureCredential() ), ) with mocker.patch(f'{MODULE}.SecretClient.get_secret', return_value=<return value>): settings = AzureKeyVaultSettings() assert settings.my_password == ... assert settings.sql_server__password == ...```

hramezani · 2024-04-30T21:22:21Z

tests/test_sources.py

+            AzureKeyVaultSettings, 'https://my-resource.vault.azure.net/', DefaultAzureCredential()
+        )
+
+        obj()


Here as well, you can test the mocked function return value

…ings-source

AndreuCodina added 3 commits April 21, 2024 09:37

Add Azure Key Vault settings source

8cab66d

Add Azure Key Vault settings source

ab2c17f

Add Azure Key Vault settings source

192da43

AndreuCodina added 6 commits April 21, 2024 14:08

Add optional dependencies

8202ebe

Fix lint errors

357df2b

Fix lint error

30681de

Fix mypy errors

468a55b

Imports inside a function

221731f

Fix lint errors

92b6c34

AndreuCodina added 6 commits April 27, 2024 11:16

Merge branch 'main' into feature/azure-key-vault-source-settings-source

3e74b93

make refresh-lockfiles

574debf

make refresh-lockfiles

9452ba3

Add unit tests

df7e900

Fix lint errors

be0e201

Merge branch 'main' into feature/azure-key-vault-source-settings-source

9d08fa1