Update variable replacement during deserialization to use replacement settings class and add AKV replacement logic. (#2882)

## Why make this change?

Adds AKV variable replacement and expands our design for doing variable
replacements to be more extensible when new variable replacement logic
is added.

Closes #2708
Closes #2748
Related to #2863


## What is this change?

Change the way that variable replacement is handled to instead of simply
using a `bool` to indicate that we want env variable replacement, we add
a class which holds all of the replacement settings. This will hold
whether or not we will do replacement for each kind of variable that we
will handle replacement for during deserialization. We also include the
replacement failure mode, and put the logic for handling the
replacements into a strategy dictionary which pairs the replacement
variable type with the strategy for doing that replacement.

Because Azure Key Vault secret replacement requires having the retry and
connection settings in order to do the AKV replacement, we must do a
first pass where we only do non-AKV replacement and get the required
settings so that if AKV replacement is used we have the required
settings to do that replacement.

We also have to keep in mind that the legacy of the `Configuration
Controller` will ignore all variable replacement, so we construct the
replacement settings for this code path to not use any variable
replacement at all.


## How was this tested?

We have updated the logic for the tests to use the new system, however
manual testing using an actual AKV is still required.

## Sample Request(s)

- Example REST and/or GraphQL request to demonstrate modifications
- Example of CLI usage to demonstrate modifications

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: Aniruddh Munde <[email protected]>

Author: 3 people

src/Cli.Tests/EndToEndTests.cs

@@ -116,10 +116,11 @@ public void TestInitializingRestAndGraphQLGlobalSettings()
         string[] args = { "init", "-c", TEST_RUNTIME_CONFIG_FILE, "--connection-string", SAMPLE_TEST_CONN_STRING, "--database-type", "mssql", "--rest.path", "/rest-api", "--rest.enabled", "false", "--graphql.path", "/graphql-api" };
         Program.Execute(args, _cliLogger!, _fileSystem!, _runtimeConfigLoader!);
 
+        DeserializationVariableReplacementSettings replacementSettings = new(azureKeyVaultOptions: null, doReplaceEnvVar: true, doReplaceAkvVar: true);
         Assert.IsTrue(_runtimeConfigLoader!.TryLoadConfig(
             TEST_RUNTIME_CONFIG_FILE,
             out RuntimeConfig? runtimeConfig,
-            replaceEnvVar: true));
+            replacementSettings: replacementSettings));
 
         SqlConnectionStringBuilder builder = new(runtimeConfig.DataSource.ConnectionString);
         Assert.AreEqual(ProductInfo.GetDataApiBuilderUserAgent(), builder.ApplicationName);
@@ -195,10 +196,11 @@ public void TestEnablingMultipleCreateOperation(CliBool isMultipleCreateEnabled,
 
         Program.Execute(args.ToArray(), _cliLogger!, _fileSystem!, _runtimeConfigLoader!);
 
+        DeserializationVariableReplacementSettings replacementSettings = new(azureKeyVaultOptions: null, doReplaceEnvVar: true, doReplaceAkvVar: true);
         Assert.IsTrue(_runtimeConfigLoader!.TryLoadConfig(
             TEST_RUNTIME_CONFIG_FILE,
             out RuntimeConfig? runtimeConfig,
-            replaceEnvVar: true));
+            replacementSettings: replacementSettings));
 
         Assert.IsNotNull(runtimeConfig);
         Assert.AreEqual(expectedDbType, runtimeConfig.DataSource.DatabaseType);

src/Cli.Tests/EnvironmentTests.cs

@@ -19,7 +19,13 @@ public class EnvironmentTests
     [TestInitialize]
     public void TestInitialize()
     {
-        StringJsonConverterFactory converterFactory = new(EnvironmentVariableReplacementFailureMode.Throw);
+        DeserializationVariableReplacementSettings replacementSettings = new(
+            azureKeyVaultOptions: null,
+            doReplaceEnvVar: true,
+            doReplaceAkvVar: false,
+            envFailureMode: EnvironmentVariableReplacementFailureMode.Throw);
+
+        StringJsonConverterFactory converterFactory = new(replacementSettings);
         _options = new()
         {
             PropertyNameCaseInsensitive = true

src/Cli/ConfigGenerator.cs

@@ -2701,9 +2701,10 @@ private static bool TryUpdateConfiguredAzureKeyVaultOptions(
                 // Azure Key Vault Endpoint
                 if (options.AzureKeyVaultEndpoint is not null)
                 {
+                    // Ensure endpoint flag is marked user provided so converter writes it.
                     updatedAzureKeyVaultOptions = updatedAzureKeyVaultOptions is not null
-                        ? updatedAzureKeyVaultOptions with { Endpoint = options.AzureKeyVaultEndpoint }
-                        : new AzureKeyVaultOptions { Endpoint = options.AzureKeyVaultEndpoint };
+                        ? updatedAzureKeyVaultOptions with { Endpoint = options.AzureKeyVaultEndpoint, UserProvidedEndpoint = true }
+                        : new AzureKeyVaultOptions(endpoint: options.AzureKeyVaultEndpoint);
                     _logger.LogInformation("Updated RuntimeConfig with azure-key-vault.endpoint as '{endpoint}'", options.AzureKeyVaultEndpoint);
                 }
 
@@ -2712,7 +2713,7 @@ private static bool TryUpdateConfiguredAzureKeyVaultOptions(
                 {
                     updatedRetryPolicyOptions = updatedRetryPolicyOptions is not null
                         ? updatedRetryPolicyOptions with { Mode = options.AzureKeyVaultRetryPolicyMode.Value, UserProvidedMode = true }
-                        : new AKVRetryPolicyOptions { Mode = options.AzureKeyVaultRetryPolicyMode.Value, UserProvidedMode = true };
+                        : new AKVRetryPolicyOptions(mode: options.AzureKeyVaultRetryPolicyMode.Value);
                     _logger.LogInformation("Updated RuntimeConfig with azure-key-vault.retry-policy.mode as '{mode}'", options.AzureKeyVaultRetryPolicyMode.Value);
                 }
 
@@ -2727,7 +2728,7 @@ private static bool TryUpdateConfiguredAzureKeyVaultOptions(
 
                     updatedRetryPolicyOptions = updatedRetryPolicyOptions is not null
                         ? updatedRetryPolicyOptions with { MaxCount = options.AzureKeyVaultRetryPolicyMaxCount.Value, UserProvidedMaxCount = true }
-                        : new AKVRetryPolicyOptions { MaxCount = options.AzureKeyVaultRetryPolicyMaxCount.Value, UserProvidedMaxCount = true };
+                        : new AKVRetryPolicyOptions(maxCount: options.AzureKeyVaultRetryPolicyMaxCount.Value);
                     _logger.LogInformation("Updated RuntimeConfig with azure-key-vault.retry-policy.max-count as '{maxCount}'", options.AzureKeyVaultRetryPolicyMaxCount.Value);
                 }
 
@@ -2742,7 +2743,7 @@ private static bool TryUpdateConfiguredAzureKeyVaultOptions(
 
                     updatedRetryPolicyOptions = updatedRetryPolicyOptions is not null
                         ? updatedRetryPolicyOptions with { DelaySeconds = options.AzureKeyVaultRetryPolicyDelaySeconds.Value, UserProvidedDelaySeconds = true }
-                        : new AKVRetryPolicyOptions { DelaySeconds = options.AzureKeyVaultRetryPolicyDelaySeconds.Value, UserProvidedDelaySeconds = true };
+                        : new AKVRetryPolicyOptions(delaySeconds: options.AzureKeyVaultRetryPolicyDelaySeconds.Value);
                     _logger.LogInformation("Updated RuntimeConfig with azure-key-vault.retry-policy.delay-seconds as '{delaySeconds}'", options.AzureKeyVaultRetryPolicyDelaySeconds.Value);
                 }
 
@@ -2757,7 +2758,7 @@ private static bool TryUpdateConfiguredAzureKeyVaultOptions(
 
                     updatedRetryPolicyOptions = updatedRetryPolicyOptions is not null
                         ? updatedRetryPolicyOptions with { MaxDelaySeconds = options.AzureKeyVaultRetryPolicyMaxDelaySeconds.Value, UserProvidedMaxDelaySeconds = true }
-                        : new AKVRetryPolicyOptions { MaxDelaySeconds = options.AzureKeyVaultRetryPolicyMaxDelaySeconds.Value, UserProvidedMaxDelaySeconds = true };
+                        : new AKVRetryPolicyOptions(maxDelaySeconds: options.AzureKeyVaultRetryPolicyMaxDelaySeconds.Value);
                     _logger.LogInformation("Updated RuntimeConfig with azure-key-vault.retry-policy.max-delay-seconds as '{maxDelaySeconds}'", options.AzureKeyVaultRetryPolicyMaxDelaySeconds.Value);
                 }
 
@@ -2772,16 +2773,17 @@ private static bool TryUpdateConfiguredAzureKeyVaultOptions(
 
                     updatedRetryPolicyOptions = updatedRetryPolicyOptions is not null
                         ? updatedRetryPolicyOptions with { NetworkTimeoutSeconds = options.AzureKeyVaultRetryPolicyNetworkTimeoutSeconds.Value, UserProvidedNetworkTimeoutSeconds = true }
-                        : new AKVRetryPolicyOptions { NetworkTimeoutSeconds = options.AzureKeyVaultRetryPolicyNetworkTimeoutSeconds.Value, UserProvidedNetworkTimeoutSeconds = true };
+                        : new AKVRetryPolicyOptions(networkTimeoutSeconds: options.AzureKeyVaultRetryPolicyNetworkTimeoutSeconds.Value);
                     _logger.LogInformation("Updated RuntimeConfig with azure-key-vault.retry-policy.network-timeout-seconds as '{networkTimeoutSeconds}'", options.AzureKeyVaultRetryPolicyNetworkTimeoutSeconds.Value);
                 }
 
-                // Update Azure Key Vault options with retry policy if retry policy was modified
+                // Update Azure Key Vault options with retry policy if modified
                 if (updatedRetryPolicyOptions is not null)
                 {
+                    // Ensure outer AKV object marks retry policy as user provided so it serializes.
                     updatedAzureKeyVaultOptions = updatedAzureKeyVaultOptions is not null
-                        ? updatedAzureKeyVaultOptions with { RetryPolicy = updatedRetryPolicyOptions }
-                        : new AzureKeyVaultOptions { RetryPolicy = updatedRetryPolicyOptions };
+                        ? updatedAzureKeyVaultOptions with { RetryPolicy = updatedRetryPolicyOptions, UserProvidedRetryPolicy = true }
+                        : new AzureKeyVaultOptions(retryPolicy: updatedRetryPolicyOptions);
                 }
 
                 // Update runtime config if Azure Key Vault options were modified

src/Cli/Exporter.cs

@@ -44,7 +44,8 @@ public static bool Export(ExportOptions options, ILogger logger, FileSystemRunti
             }
 
             // Load the runtime configuration from the file
-            if (!loader.TryLoadConfig(runtimeConfigFile, out RuntimeConfig? runtimeConfig, replaceEnvVar: true))
+            DeserializationVariableReplacementSettings replacementSettings = new(azureKeyVaultOptions: null, doReplaceEnvVar: true, doReplaceAkvVar: true);
+            if (!loader.TryLoadConfig(runtimeConfigFile, out RuntimeConfig? runtimeConfig, replacementSettings: replacementSettings))
             {
                 logger.LogError("Failed to read the config file: {0}.", runtimeConfigFile);
                 return false;

src/Config/Azure.DataApiBuilder.Config.csproj

@@ -15,6 +15,7 @@
 
   <ItemGroup>
       <PackageReference Include="Azure.Identity" />
+      <PackageReference Include="Azure.Security.KeyVault.Secrets" />
       <PackageReference Include="Microsoft.AspNetCore.Authorization" />
       <PackageReference Include="Microsoft.IdentityModel.Protocols" />
       <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />

src/Config/Converters/AKVRetryPolicyOptionsConverterFactory.cs

@@ -12,9 +12,9 @@ namespace Azure.DataApiBuilder.Config.Converters;
 /// </summary>
 internal class AKVRetryPolicyOptionsConverterFactory : JsonConverterFactory
 {
-    // Determines whether to replace environment variable with its
-    // value or not while deserializing.
-    private bool _replaceEnvVar;
+    // Settings for variable replacement during deserialization.
+    // Currently allows for Azure Key Vault (via @akv('secret-name')) and Environment Variable replacement.
+    private readonly DeserializationVariableReplacementSettings? _replacementSettings;
 
     /// <inheritdoc/>
     public override bool CanConvert(Type typeToConvert)
@@ -25,34 +25,34 @@ public override bool CanConvert(Type typeToConvert)
     /// <inheritdoc/>
     public override JsonConverter? CreateConverter(Type typeToConvert, JsonSerializerOptions options)
     {
-        return new AKVRetryPolicyOptionsConverter(_replaceEnvVar);
+        return new AKVRetryPolicyOptionsConverter(_replacementSettings);
     }
 
-    /// <param name="replaceEnvVar">Whether to replace environment variable with its
-    /// value or not while deserializing.</param>
-    internal AKVRetryPolicyOptionsConverterFactory(bool replaceEnvVar)
+    /// <param name="replacementSettings">Settings for variable replacement during deserialization.
+    /// If null, no variable replacement will be performed.</param>
+    internal AKVRetryPolicyOptionsConverterFactory(DeserializationVariableReplacementSettings? replacementSettings = null)
     {
-        _replaceEnvVar = replaceEnvVar;
+        _replacementSettings = replacementSettings;
     }
 
     private class AKVRetryPolicyOptionsConverter : JsonConverter<AKVRetryPolicyOptions>
     {
-        // Determines whether to replace environment variable with its
-        // value or not while deserializing.
-        private bool _replaceEnvVar;
+        // Settings for variable replacement during deserialization.
+        // Currently allows for Azure Key Vault (via @akv('<secret>')) and Environment Variable replacement.
+        private readonly DeserializationVariableReplacementSettings? _replacementSettings;
 
-        /// <param name="replaceEnvVar">Whether to replace environment variable with its
-        /// value or not while deserializing.</param>
-        public AKVRetryPolicyOptionsConverter(bool replaceEnvVar)
+        /// <param name="replacementSettings">Settings for variable replacement during deserialization.
+        /// If null, no variable replacement will be performed.</param>
+        public AKVRetryPolicyOptionsConverter(DeserializationVariableReplacementSettings? replacementSettings)
         {
-            _replaceEnvVar = replaceEnvVar;
+            _replacementSettings = replacementSettings;
         }
 
         /// <summary>
         /// Defines how DAB reads AKV Retry Policy options and defines which values are
         /// used to instantiate those options.
         /// </summary>
-        /// <exception cref="JsonException">Thrown when improperly formatted cache options are provided.</exception>
+        /// <exception cref="JsonException">Thrown when improperly formatted retry policy options are provided.</exception>
         public override AKVRetryPolicyOptions? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
         {
             if (reader.TokenType is JsonTokenType.StartObject)
@@ -82,7 +82,7 @@ public AKVRetryPolicyOptionsConverter(bool replaceEnvVar)
                             }
                             else
                             {
-                                mode = EnumExtensions.Deserialize<AKVRetryPolicyMode>(reader.DeserializeString(_replaceEnvVar)!);
+                                mode = EnumExtensions.Deserialize<AKVRetryPolicyMode>(reader.DeserializeString(_replacementSettings)!);
                             }
 
                             break;

src/Config/Converters/AzureKeyVaultOptionsConverterFactory.cs

@@ -0,0 +1,128 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Azure.DataApiBuilder.Config.ObjectModel;
+
+namespace Azure.DataApiBuilder.Config.Converters;
+
+/// <summary>
+/// Converter factory for AzureKeyVaultOptions that can optionally perform variable replacement.
+/// </summary>
+internal class AzureKeyVaultOptionsConverterFactory : JsonConverterFactory
+{
+    // Determines whether to replace environment variable with its
+    // value or not while deserializing.
+    private readonly DeserializationVariableReplacementSettings? _replacementSettings;
+
+    /// <param name="replacementSettings">How to handle variable replacement during deserialization.</param>
+    internal AzureKeyVaultOptionsConverterFactory(DeserializationVariableReplacementSettings? replacementSettings = null)
+    {
+        _replacementSettings = replacementSettings;
+    }
+
+    /// <inheritdoc/>
+    public override bool CanConvert(Type typeToConvert)
+    {
+        return typeToConvert.IsAssignableTo(typeof(AzureKeyVaultOptions));
+    }
+
+    /// <inheritdoc/>
+    public override JsonConverter? CreateConverter(Type typeToConvert, JsonSerializerOptions options)
+    {
+        return new AzureKeyVaultOptionsConverter(_replacementSettings);
+    }
+
+    private class AzureKeyVaultOptionsConverter : JsonConverter<AzureKeyVaultOptions>
+    {
+        // Determines whether to replace environment variable with its
+        // value or not while deserializing.
+        private readonly DeserializationVariableReplacementSettings? _replacementSettings;
+
+        /// <param name="replaceEnvVar">Whether to replace environment variable with its
+        /// value or not while deserializing.</param>
+        public AzureKeyVaultOptionsConverter(DeserializationVariableReplacementSettings? replacementSettings)
+        {
+            _replacementSettings = replacementSettings;
+        }
+
+        /// <summary>
+        /// Reads AzureKeyVaultOptions with optional variable replacement.
+        /// </summary>
+        public override AzureKeyVaultOptions? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        {
+            if (reader.TokenType is JsonTokenType.Null)
+            {
+                return null;
+            }
+
+            if (reader.TokenType is JsonTokenType.StartObject)
+            {
+                string? endpoint = null;
+                AKVRetryPolicyOptions? retryPolicy = null;
+
+                while (reader.Read())
+                {
+                    if (reader.TokenType is JsonTokenType.EndObject)
+                    {
+                        return new AzureKeyVaultOptions(endpoint, retryPolicy);
+                    }
+
+                    string? property = reader.GetString();
+                    reader.Read();
+
+                    switch (property)
+                    {
+                        case "endpoint":
+                            if (reader.TokenType is JsonTokenType.String)
+                            {
+                                endpoint = reader.DeserializeString(_replacementSettings);
+                            }
+
+                            break;
+
+                        case "retry-policy":
+                            if (reader.TokenType is JsonTokenType.StartObject)
+                            {
+                                // Uses the AKVRetryPolicyOptionsConverter to read the retry-policy object.
+                                retryPolicy = JsonSerializer.Deserialize<AKVRetryPolicyOptions>(ref reader, options);
+                            }
+
+                            break;
+
+                        default:
+                            throw new JsonException($"Unexpected property {property}");
+                    }
+                }
+            }
+
+            throw new JsonException("Invalid AzureKeyVaultOptions format");
+        }
+
+        /// <summary>
+        /// When writing the AzureKeyVaultOptions back to a JSON file, only write the properties
+        /// if they are user provided. This avoids polluting the written JSON file with properties
+        /// the user most likely omitted when writing the original DAB runtime config file.
+        /// This Write operation is only used when a RuntimeConfig object is serialized to JSON.
+        /// </summary>
+        public override void Write(Utf8JsonWriter writer, AzureKeyVaultOptions value, JsonSerializerOptions options)
+        {
+            writer.WriteStartObject();
+
+            if (value?.UserProvidedEndpoint is true)
+            {
+                writer.WritePropertyName("endpoint");
+                JsonSerializer.Serialize(writer, value.Endpoint, options);
+            }
+
+            if (value?.UserProvidedRetryPolicy is true)
+            {
+                writer.WritePropertyName("retry-policy");
+                JsonSerializer.Serialize(writer, value.RetryPolicy, options);
+            }
+
+            writer.WriteEndObject();
+        }
+    }
+}