|
1 | | -# Microsoft Graph API Function Examples |
| 1 | +# Approval Function Examples |
2 | 2 |
|
3 | | -This directory contains practical examples that demonstrate the function-msgraph capabilities for querying Microsoft Graph API. |
| 3 | +This directory contains examples demonstrating the function-approve capabilities for implementing approval workflows in Crossplane. |
4 | 4 |
|
5 | 5 | ## Prerequisites |
6 | 6 |
|
7 | 7 | To run these examples, you need: |
8 | 8 |
|
9 | 9 | 1. The Crossplane CLI installed |
10 | | -2. Valid Azure credentials with Microsoft Graph API permissions: |
11 | | - - User.Read.All (for user validation) |
12 | | - - Group.Read.All (for group operations) |
13 | | - - Application.Read.All (for service principal details) |
| 10 | +2. function-approve built and available |
14 | 11 |
|
15 | | -## Update Credentials |
| 12 | +## Understanding the Approval Function |
16 | 13 |
|
17 | | -Before running any examples, update `secrets/azure-creds.yaml` with your valid Azure credentials: |
| 14 | +The approval function provides a controlled way to manage changes to Crossplane resources, requiring manual approval before changes are applied. This is useful for scenarios where you want to review changes before they are applied to your infrastructure. |
18 | 15 |
|
19 | | -```yaml |
20 | | -apiVersion: v1 |
21 | | -kind: Secret |
22 | | -metadata: |
23 | | - name: azure-account-creds |
24 | | -type: Opaque |
25 | | -stringData: |
26 | | - credentials: | |
27 | | - { |
28 | | - "clientId": "your-client-id", |
29 | | - "clientSecret": "your-client-secret", |
30 | | - "tenantId": "your-tenant-id", |
31 | | - "subscriptionId": "your-subscription-id" |
32 | | - } |
33 | | -``` |
34 | | -
|
35 | | -## Core Examples |
36 | | -
|
37 | | -### 1. User Validation |
38 | | -
|
39 | | -Validate if specified Azure AD users exist: |
40 | | -
|
41 | | -```shell |
42 | | -crossplane render xr.yaml user-validation-example.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
43 | | -``` |
44 | | - |
45 | | -Dynamic `usersRef` variations: |
46 | | - |
47 | | -```shell |
48 | | -crossplane render xr.yaml user-validation-example-status-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
49 | | -``` |
50 | | - |
51 | | -```shell |
52 | | -crossplane render xr.yaml user-validation-example-context-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc --extra-resources=envconfig.yaml |
53 | | -``` |
54 | | - |
55 | | -```shell |
56 | | -crossplane render xr.yaml user-validation-example-spec-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
57 | | -``` |
58 | | - |
59 | | -### 2. Group Membership |
60 | | - |
61 | | -Get all members of a specified Azure AD group: |
62 | | - |
63 | | -```shell |
64 | | -crossplane render xr.yaml group-membership-example.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
65 | | -``` |
| 16 | +The function works by: |
| 17 | +1. Computing a hash of specified data in your composite resource |
| 18 | +2. Checking if the hash has changed since the last approved version |
| 19 | +3. Pausing reconciliation if changes are detected and approval is needed |
| 20 | +4. Resuming reconciliation once changes are approved |
66 | 21 |
|
67 | | -Dynamic `groupRef` variations: |
| 22 | +## Running the Examples |
68 | 23 |
|
69 | | -```shell |
70 | | -crossplane render xr.yaml group-membership-example-status-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
71 | | -``` |
| 24 | +### Basic Example with Pause Annotation |
72 | 25 |
|
73 | | -```shell |
74 | | -crossplane render xr.yaml group-membership-example-context-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc --extra-resources=envconfig.yaml |
75 | | -``` |
| 26 | +The default behavior uses the `crossplane.io/paused` annotation to pause reconciliation: |
76 | 27 |
|
77 | 28 | ```shell |
78 | | -crossplane render xr.yaml group-membership-example-spec-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
| 29 | +crossplane render xr.yaml composition.yaml functions.yaml |
79 | 30 | ``` |
80 | 31 |
|
81 | | -### 3. Group Object IDs |
| 32 | +### Example with Synced=False Condition |
82 | 33 |
|
83 | | -Get object IDs for specified Azure AD groups: |
| 34 | +This alternative approach uses the Synced=False condition instead of the pause annotation: |
84 | 35 |
|
85 | 36 | ```shell |
86 | | -crossplane render xr.yaml group-objectids-example.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
| 37 | +crossplane render xr.yaml composition.yaml functions.yaml |
87 | 38 | ``` |
88 | 39 |
|
89 | | -Dynamic `groupsRef` variations: |
90 | | - |
91 | | -```shell |
92 | | -crossplane render xr.yaml group-objectids-example-status-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
93 | | -``` |
94 | | - |
95 | | -```shell |
96 | | -crossplane render xr.yaml group-objectids-example-context-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc --extra-resources=envconfig.yaml |
97 | | -``` |
| 40 | +The `setSyncedFalse: true` option in the composition enables this behavior. |
98 | 41 |
|
99 | | -```shell |
100 | | -crossplane render xr.yaml group-objectids-example-spec-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
101 | | -``` |
| 42 | +## Configuration Options |
102 | 43 |
|
103 | | -### 4. Service Principal Details |
| 44 | +The function supports these configuration options: |
104 | 45 |
|
105 | | -Get details of specified service principals: |
| 46 | +- `dataField`: Specifies which field to monitor for changes (required) |
| 47 | +- `approvalField`: Status field to check for approval (default: "status.approved") |
| 48 | +- `oldHashField`: Where to store the approved hash (default: "status.oldHash") |
| 49 | +- `newHashField`: Where to store the current hash (default: "status.newHash") |
| 50 | +- `pauseAnnotation`: Annotation used to pause reconciliation (default: "crossplane.io/paused") |
| 51 | +- `detailedCondition`: Whether to include hash details in conditions (default: true) |
| 52 | +- `approvalMessage`: Custom message for approval required condition |
| 53 | +- `setSyncedFalse`: Use Synced=False condition instead of pause annotation (default: false) |
106 | 54 |
|
107 | | -```shell |
108 | | -crossplane render xr.yaml service-principal-example.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
109 | | -``` |
| 55 | +## Approval Workflow |
110 | 56 |
|
111 | | -Dynamic `servicePrinicpalsRef` variations: |
| 57 | +1. Make changes to the resource's spec |
| 58 | +2. The function detects changes and pauses reconciliation |
| 59 | +3. Review the changes through the resource's conditions |
| 60 | +4. Set the approval field (default: `status.approved: true`) |
| 61 | +5. The function detects approval and resumes reconciliation |
112 | 62 |
|
113 | | -```shell |
114 | | -crossplane render xr.yaml service-principal-example-status-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
115 | | -``` |
| 63 | +## Example With setSyncedFalse |
116 | 64 |
|
117 | | -```shell |
118 | | -crossplane render xr.yaml service-principal-example-context-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc --extra-resources=envconfig.yaml |
119 | | -``` |
| 65 | +In some environments, it may be preferable to use Synced=False condition instead of annotations. |
| 66 | +The `setSyncedFalse: true` option enables this alternative approach: |
120 | 67 |
|
121 | | -```shell |
122 | | -crossplane render xr.yaml service-principal-example-spec-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc |
123 | | -``` |
| 68 | +```yaml |
| 69 | +apiVersion: approve.fn.crossplane.io/v1alpha1 |
| 70 | +kind: Input |
| 71 | +dataField: "spec.resources" |
| 72 | +approvalField: "status.approved" |
| 73 | +newHashField: "status.newHash" |
| 74 | +oldHashField: "status.oldHash" |
| 75 | +detailedCondition: true |
| 76 | +approvalMessage: "Changes detected. Administrative approval required." |
| 77 | +setSyncedFalse: true |
| 78 | +``` |
| 79 | +
|
| 80 | +When enabled, this sets the Synced condition to False instead of adding the pause annotation, |
| 81 | +providing the same pause functionality through a different mechanism. |
0 commit comments