Comments (3)
cuu508
commented on June 8, 2024
Hello Thomas, can you describe a little more what issue you are hitting with the read-only/full API key schema differences?
The idea with the read-only keys is to not return any data that would allow altering the state of the checks. It is meant to be used in low-trust and no-trust environments, for example, for building status dashboards for unauthenticated users. The read-only responses must not contain check UUIDs, because with the knowledge of the UUID anybody could construct the full ping URL and mess with your monitoring.
from healthchecks.
ThomasKwan-shopline
commented on June 8, 2024
Sure,
As I mention before, we are using terraform with kristofferahl/healthchecksio for healthchecks.io iac which is suggest by healthchecks.io
In our use case, my company will run some custom pipeline for plan and apply terraform. Now only approved engineer can trigger those pipeline since it involve productoin env read-write api key and we dont want other engineer can use this key. However, it make approved engineer always need support other engineer to run the terraform plan.
To solve this problem, we hope to allow other engineer use the read-only api key for terraform plan, because they cannot modify any healthchecks.io resource by using read-only api key. By studying the terraform provider and healthchecks.io doc, I found it is impossible. because It missing two information, uuid and channels.
So we hope to have a new type of api key, that is read-only but have the same schema with read-write api key, so we can just easily to apply the new type api key to terraform and the problem solve.
some poc by using this terraform provider
Before test
Create a healthcheck by using terraform
Run terraform plan with read-write api key
TF_VAR_healthchecksio_api_key="<read-wirte api key>" TF_LOG="" terraform plan
healthchecksio_check.testing_healthcheck: Refreshing state... [id=<healthcheck id>]
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
Run terraform plan with read-only api key
TF_VAR_healthchecksio_api_key="<read-only api key>" terraform plan
healthchecksio_check.testing_healthcheck: Refreshing state... [id=<healthcheck id>]
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:
# healthchecksio_check.testing_healthcheck has been deleted
- resource "healthchecksio_check" "testing_healthcheck" {
- id = "<healthcheck id>" -> null
name = "testing-check"
# (6 unchanged attributes hidden)
}
Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following
plan may include actions to undo or respond to these changes.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
+ create
Terraform will perform the following actions:
# healthchecksio_check.testing_healthcheck will be created
+ resource "healthchecksio_check" "testing_healthcheck" {
+ grace = 3600
+ id = (known after apply)
+ name = "testing-check"
+ pause_url = (known after apply)
+ ping_url = (known after apply)
+ schedule = "0 0 1 * *"
+ timezone = "UTC"
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
~ testing_healthcheck_id = "<healthcheck id>" -> (known after apply)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform
apply" now.
---
from healthchecks.
cuu508
commented on June 8, 2024
Thanks for the explanation, I think I understand the issue you are facing now. And indeed it looks like a new type of API key would be required here. It's not just a matter of making the schemas of read-write and read-only API responses match. terraform plan needs to know check and channel UUIDs, but the read-only keys are specifically designed to not return them.
I'm currently not planning to work on this. I will reconsider if I see ongoing interest from multiple paying or would-be-paying users.
from healthchecks.
Related Issues (20)
- RP_ID can't be changed after initial deployment? HOT 2
- Unable to use different domains for web GUI and pings? HOT 2
- [Docker] replace pip with apt HOT 1
- Feature request: High-Availability HOT 2
- Alert gets sent even though check is OK HOT 2
- SITE_ROOT in local_settings.py HOT 2
- gotify integration should allow to set priorities
- Slack legacy webhook integration HOT 2
- Mute all checks while updating HOT 3
- Get informed if job run time is too short HOT 2
- Hi, how to fix this error ,please help me, whenever user register it gives: SMTPAuthenticationError at /accounts/register/ (535, b'Incorrect authentication data')
- [docker] .env includes DEBUG=False yet banner still states "Running in debug mode, do not use in production." HOT 2
- Slack integration - default integration name to channel name HOT 1
- Unexpected "down" after sending ping HOT 2
- Read only user can create project, can we have "true" read only users ? HOT 2
- Discord Webhook integration HOT 6
- Return UUID in "List Existing Checks" response
- check display
- Allow use of slugs for E-Mail pings
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from healthchecks.