Run Azure functional tests locally against OS-process Radius

[sylvainsf]

Description

Adds a workflow for running the corerp/cloud Azure functional tests against a local OS-process Radius stack (make debug-start) using the host's az login credentials, with no service-principal/workload-identity registration required.

Highlights

• New build/scripts/azure-local-testenv.sh orchestrator with setup, run, teardown, all sub-commands. run and all accept passthrough go test flags (e.g. -run, -v).
• Auto-recovery: run rebuilds state from the newest radlocal-${USER}-* resource group when the state file is missing (e.g. after make debug-stop), and re-applies the Azure scope on the default rad environment that debug-start wipes.
• Orphan GC: teardown --all-orphans deletes every radlocal-${USER}-* RG and stops the tf-module-server port-forward.
• tf-module-server bootstrap: deploys the in-cluster nginx test module server and port-forwards it to localhost:8999 automatically when not already reachable.
• Terraform Azure provider falls back to use_cli = true when no Azure credential is registered with UCP (404), letting the host RP's az login session authenticate. CI workload-identity path is unchanged. See pkg/recipes/terraform/config/providers/azure.go.
• build/scripts/start-radius.sh exports TERRAFORM_TEST_GLOBAL_DIR so the RP no longer tries to write to read-only /terraform.
• AWS-required tests skip cleanly via t.Skip when AWS env vars are unset; private-git redis test skips when GH_TOKEN is unset.
• recipe_terraform_test.go now derives the resource ID from the active workspace scope so it works against any RG (CI's kind-radius and local debug's default).

Type of change

• This pull request fixes a bug in Radius and has an approved issue (issue link required).
• This pull request adds or changes features of Radius and has an approved issue (issue link required).
• This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Auto-generated summary

How tested

Full corerp/cloud/... suite green locally with the new orchestrator:

Test	Status
Test_AzureConnections	PASS
Test_ACI	PASS
Test_TerraformRecipe_AzureResourceGroup	PASS
AWS-only tests (Test_AWS_*, Test_Extender_RecipeAWS_LogGroup, Test_AWSRedeploy*)	SKIP (no AWS creds)
Test_TerraformPrivateGitModule_KubernetesRedis	SKIP (no GH_TOKEN)
Test_Storage, Test_PersistentVolume	SKIP (issue #7853, pre-existing)

./build/scripts/azure-local-testenv.sh run -v
# EXIT=0

Unit tests for the changed terraform provider package also pass:

go test ./pkg/recipes/terraform/config/providers/... -count=1

Documentation

Updated docs/contributing/contributing-code/contributing-code-debugging/radius-os-processes-debugging.md with new sections on:

• Re-running individual tests via azure-local-testenv.sh run -run …
• Cleaning up orphaned resource groups with teardown --all-orphans
• tf-module-server bootstrap behavior
• Terraform recipes falling back to Azure CLI credentials

Backwards compatibility

• CI path unchanged: workload-identity / service-principal credentials registered with rad credential register azure … continue to work exactly as before.
• The use_cli = true fallback only activates when UCP returns 404 for the credential lookup (i.e. no credential ever registered).

---

Background notes

The two local working-notes documents below (kept in .copilot-tracking/,
which is gitignored) drove the changes in this PR. Highlights inlined here
since the files don't ship with the repo.

From noncloud-debug-learnings.md (noncloud session that uncovered the validation race & TF dir bug)

Big-impact items also landing in this PR:

• Validation read-after-write race — test/validation/shared.go now uses
  direct GetEnvironment/GetApplication instead of paginated ListByScope
  • linear search. CI doesn't hit it because each job uses a fresh env; local
    long-lived debug-start env exposes the UCP list-lag race and turns the
    cloud suite flaky on retries.
• TERRAFORM_TEST_GLOBAL_DIR export in start-radius.sh — RP otherwise
  tries to write to read-only /terraform on the host and every terraform
  recipe fails locally.
• gotestsum --jsonfile overwrite in build/test.mk — recursive =
  with $@ so each target gets its own JSONL instead of clobbering a shared
  file (essential for triaging multi-package cloud runs).

Other fixes from that session shipped in the noncloud PR (engine panic loop
in pkg/recipes/engine/engine.go, HTTP body re-read in
pkg/azure/clientv2/unfold.go, cleanup descending-index in
test/rp/rptest.go, debug-install-flux automation) and are not in this PR.

From local-functional-tests-design.md (cloud-test design — this PR)

Design that this PR implements, with one notable deviation:

• Go control plane (UCP, ARP, dynamic-rp, controller) already falls back
  to azidentity.NewAzureCLICredential when ARM_AUTH_METHOD is unset — no
  changes needed there, confirmed by this PR.
• Deployment engine — the design proposed swapping to a -debug DE image
  with az CLI pre-installed and bind-mounting ~/.azure into the
  container. This PR takes a simpler path: terraform recipes fall back to
  use_cli = true in pkg/recipes/terraform/config/providers/azure.go, and
  the host RP's az login session authenticates ARM calls directly. No DE
  image swap, no k3d volume mount, no hostPath.
• Credential feature-gate — design called out
  validation.AssertCredentialExists skipping cloud tests when no UCP
  credential is registered. azure-local-testenv.sh setup registers a
  placeholder WI credential to satisfy this; actual auth still flows through
  the host's az login.
• Open questions from the design resolved: macOS Docker Desktop
  bind-mount semantics for ~/.azure are now moot (no mount needed); the
  -debug DE image dependency on azure-octo/deployment-engine#519 is
  dropped.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

View full job summary

[Copilot]

Pull request overview

Adds a local-dev workflow to run the corerp/cloud Azure functional tests against an OS-process Radius debug stack using ambient az login credentials (no UCP-registered Azure credential required), plus supporting tweaks to tests, tooling, and docs.

Changes:

• Introduces build/scripts/azure-local-testenv.sh + new make test-functional-azure-local* targets to provision/execute/cleanup an ephemeral Azure test environment.
• Updates Terraform Azure provider config generation to fall back to Azure CLI auth (use_cli = true) when no Radius-managed credential exists (incl. 404 lookup).
• Improves local/CI test ergonomics (scope-derived resource IDs, skip behavior when secrets/creds are absent) and documents the workflow.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
test/validation/shared.go	Adds a local-dev escape hatch env var to bypass UCP credential presence checks in tests.
test/functional-portable/corerp/cloud/resources/recipe_terraform_test.go	Uses active workspace scope for resource IDs; skips private-git test when GH_TOKEN is unset.
test/functional-portable/corerp/cloud/resources/extender_test.go	Switches AWS env-var precheck from failing to skipping.
test/createAzureTestResources.bicep	Parameterizes Cosmos account name to avoid global-name collisions in parallel/local runs.
pkg/recipes/terraform/config/providers/azure.go	Treats 404/missing creds as “no creds” and explicitly enables Azure CLI auth fallback.
docs/contributing/contributing-code/contributing-code-debugging/radius-os-processes-debugging.md	Documents running DE locally and the new local Azure functional test workflow.
build/test.mk	Adds test-functional-azure-local* make targets that wrap the new orchestrator script.
build/scripts/start-radius.sh	Sets a writable Terraform global cache dir for OS-process runs.
build/scripts/ensure-encryption-key.sh	Ensures the encryption key Secret exists for the k3d debug stack (Helm-less path).
build/scripts/azure-local-testenv.sh	New orchestrator for setup/run/teardown of local Azure functional test environment + tf-module-server bootstrap.
build/debug.mk	Improves k3d cluster handling; supports reusing an external local Deployment Engine on port 5017; ensures encryption key secret exists.

[github-actions]

Unit Tests

    2 files  ±  0    435 suites  +12   7m 22s ⏱️ -1s
5 252 tests +115  5 249 ✅ +114  3 💤 +1  0 ❌ ±0 
6 374 runs  +199  6 371 ✅ +198  3 💤 +1  0 ❌ ±0 

Results for commit 605e862. ± Comparison against base commit 9017ff2.

This pull request removes 3 and adds 118 tests. Note that renamed tests count towards both.

github.com/radius-project/radius/pkg/cli/cmd/app/graph ‑ Test_providerFromID
github.com/radius-project/radius/pkg/cli/cmd/app/graph ‑ Test_providerFromID/parse_invalid_resource_ID
github.com/radius-project/radius/pkg/cli/cmd/app/graph ‑ Test_providerFromID/parse_valid_resource_ID

github.com/radius-project/radius/cmd/rad/cmd ‑ Test_wirePreviewSubcommand
github.com/radius-project/radius/cmd/rad/cmd ‑ Test_wirePreviewSubcommand/routes_to_legacy_runner_when_--preview_is_not_set
github.com/radius-project/radius/cmd/rad/cmd ‑ Test_wirePreviewSubcommand/routes_to_preview_runner_when_--preview_is_set
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_CommandValidation
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_Run
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_Run/Failure:_ListAllResourceTypesNames_failure_surfaces_error
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_Run/Failure:_child_resource_delete_failure_surfaces_error
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_Run/Success:_--force_passes_force=true_to_child_resource_deletes
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_Run/Success:_application_deleted_(no_resources)
github.com/radius-project/radius/pkg/cli/cmd/app/delete/preview ‑ Test_Run/Success:_application_deleted_with_cascade_resource_deletion
…

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

❌ Patch coverage is 62.27898% with 192 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.94%. Comparing base (9017ff2) to head (605e862).
⚠️ Report is 31 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/ucp/initializer/radius_core_openapi.go	55.23%	26 Missing and 21 partials ⚠️
pkg/cli/test_client_factory/radius_core.go	0.00%	40 Missing ⚠️
pkg/cli/cmd/app/delete/preview/delete.go	75.80%	17 Missing and 13 partials ⚠️
pkg/rp/util/registry.go	0.00%	16 Missing ⚠️
pkg/cli/cmd/app/show/preview/show.go	75.47%	8 Missing and 5 partials ⚠️
pkg/controller/reconciler/util.go	64.28%	5 Missing and 5 partials ⚠️
pkg/cli/cmd/app/list/preview/list.go	80.43%	6 Missing and 3 partials ⚠️
pkg/controller/reconciler/deployment_reconciler.go	60.86%	6 Missing and 3 partials ⚠️
pkg/ucp/initializer/service.go	70.00%	3 Missing and 3 partials ⚠️
pkg/cli/config.go	0.00%	3 Missing ⚠️
... and 4 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11904      +/-   ##
==========================================
+ Coverage   51.69%   51.94%   +0.24%     
==========================================
  Files         724      732       +8     
  Lines       45508    46334     +826     
==========================================
+ Hits        23525    24066     +541     
- Misses      19763    19970     +207     
- Partials     2220     2298      +78     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	605e862
Unique ID	func6de7d783f3
Image tag	pr-func6de7d783f3

• gotestsum 1.13.0
• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func6de7d783f3
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func6de7d783f3
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func6de7d783f3
• controller test image location: ghcr.io/radius-project/dev/controller:pr-func6de7d783f3
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func6de7d783f3
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

[lakshmimsft]

this will continue with success mesaage after all 3 retries fail. Should we put a warning message that Flux tests will not work as Flux source-controller failed to install after 3 attempts or we do a hard fail?

[lakshmimsft]

LoadConfiguration makes 2 calls to fetch environment and application. the 404 returned could be from application and this code will misinterpret it as env does not exist and vice versa. Is this change needed since I think ordering was addressed elsewhere in this PR ?

[lakshmimsft]

could we change this to,say, check type of resource instead.. this approach assumes tests have resources listed in a particular order which may/may not be correct now/in the future.

[lakshmimsft]

nit: comment is incorrect. strings.ReplaceAll() is a case-sensitive replacement...but since current is derived from resourceID, we should not have a case mismatch.

[lakshmimsft]

running this i hit an error with port already in use. should we consider updating this to get next available port if this is in use?

[lakshmimsft]

debug-publish-bicep-types is the last step of debug-start, and it hard-requires a standalone bicep on PATH. But bicep is not listed in the doc's "Required Tools" and not checked by debug-check-prereqs (which does check yq). Result: a fresh setup builds the entirestack, then fails at the very end.
Consider either we add bicep to debug-check-prereqs (fail fast, with the other tools) and to the doc prerequisites or have this step auto-install via az bicep install / rad bicep download.

[lakshmimsft]

Running the doc end-to-end requires three tools/conditions not in this list:

• yq — required and enforced by make debug-check-prereqs (debug.mk:174), but missing here.
• bicep — required by debug-publish-bicep-types (debug.mk:527), but missing here.
• PostgreSQL must be running (not just installed) before debug-start; the container/service has to be up or prereqs fail.

Please add these.