Add NSP + Storage + KeyVault deployment E2E test by eerhardt · Pull Request #16027 · microsoft/aspire

eerhardt · 2026-04-10T03:16:58Z

Description

Adds a new deployment end-to-end test that validates the Azure Network Security Perimeter (NSP) feature added in #15711.

The test:

Creates a project using the Starter App (ASP.NET Core/React) template
Adds an Azure Container Apps environment for deployment
Adds Azure Storage (with Blobs) and Azure Key Vault resources
Creates a Network Security Perimeter with an inbound access rule allowing the current Azure subscription
Associates both Storage and Key Vault with the NSP using WithNetworkSecurityPerimeter
Wires the ASP.NET Core backend (ApiService) to connect to both Storage Blobs and Key Vault via WithReference
Deploys to Azure using aspire deploy
Verifies the deployed endpoints respond successfully (proving the NSP allows connectivity)

This provides end-to-end coverage for the NSP feature, verifying that:

The NSP Bicep infrastructure provisions correctly
The subscription-level access rule allows the deployed Container Apps to communicate with the NSP-protected PaaS resources
The application can successfully connect to both Storage and Key Vault through the perimeter

Checklist

Is this feature complete?
- Yes. Ready to ship.
- No. Follow-up changes expected.
Are you including unit tests for the changes and scenario tests if relevant?
- Yes
- No
Did you add public API?
- Yes
- No
Does the change make any security assumptions or guarantees?
- Yes
- No
Does the change require an update in our Aspire docs?
- Yes
- No

Adds a new deployment test that: - Uses the Starter App (ASP.NET Core/React) template - Adds Azure Container Apps environment - Adds Azure Storage (with Blobs) and Azure Key Vault - Creates a Network Security Perimeter (NSP) with a subscription-level inbound access rule for the current Azure subscription - Associates both Storage and Key Vault with the NSP - Wires the ASP.NET Core backend (ApiService) to connect to both Storage Blobs and Key Vault - Deploys to Azure and verifies the endpoints work This tests the end-to-end NSP flow added in PR microsoft#15711. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-10T03:17:09Z

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16027

Or

Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16027"

eerhardt · 2026-04-10T03:17:19Z

/deployment-test

github-actions · 2026-04-10T03:19:04Z

🚀 Deployment tests starting on PR #16027...

This will deploy to real Azure infrastructure. Results will be posted here when complete.

View workflow run

github-actions · 2026-04-10T03:21:18Z

🚀 Deployment tests starting on PR #16027...

This will deploy to real Azure infrastructure. Results will be posted here when complete.

View workflow run

Copilot

Pull request overview

Adds a new Azure deployment end-to-end test to validate Network Security Perimeter (NSP) behavior with Azure Storage (Blobs) and Azure Key Vault when deployed via aspire deploy, using the Starter App (ASP.NET Core/React) template.

Changes:

Introduces a new E2E deployment test that provisions ACA + Storage + Key Vault + NSP and validates external endpoints are reachable post-deploy.
Updates the generated AppHost to associate Storage and Key Vault with an NSP and adds subscription-based inbound access rules.
Updates the generated ApiService to register Blob and Key Vault clients and wires those resources via WithReference.

… prompt The az network perimeter list command can prompt to install an extension, causing the terminal to hang. Remove this non-essential verification step - NSP provisioning is already verified by the PIPELINE SUCCEEDED output. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-10T04:09:04Z

🚀 Deployment tests starting on PR #16027...

This will deploy to real Azure infrastructure. Results will be posted here when complete.

View workflow run

github-actions · 2026-04-10T04:48:42Z

❌ Deployment E2E Tests failed — 20 passed, 10 failed, 0 cancelled

View test results and recordings

View workflow run

Test	Result	Recording
Deployment.EndToEnd-VnetKeyVaultInfraDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-VnetSqlServerConnectivityDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureServiceBusDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureLogAnalyticsDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AcaCompactNamingDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-NspStorageKeyVaultDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureKeyVaultDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureContainerRegistryDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureStorageDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureEventHubsDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AzureAppConfigDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AuthenticationTests	✅ Passed
Deployment.EndToEnd-VnetStorageBlobConnectivityDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AcaCustomRegistryDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AcaDeploymentErrorOutputTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AcaStarterDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AksStarterWithRedisDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AcaExistingRegistryDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AksStarterDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-AppServiceReactDeploymentTests	✅ Passed	▶️ View Recording
Deployment.EndToEnd-VnetSqlServerInfraDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-TypeScriptVnetSqlServerInfraDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-VnetKeyVaultConnectivityDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-TypeScriptExpressDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-PythonFastApiDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-AcaCompactNamingUpgradeDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-VnetStorageBlobInfraDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-AppServicePythonDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-AcrPurgeTaskDeploymentTests	❌ Failed	▶️ View Recording
Deployment.EndToEnd-AcaManagedRedisDeploymentTests	❌ Failed	▶️ View Recording

radical · 2026-04-10T07:03:25Z

/create-issue

github-actions · 2026-04-10T07:04:23Z

Failed tests found on this PR:

/create-issue Aspire.Cli.EndToEnd.Tests.PsCommandTests.PsCommandListsRunningAppHost
/create-issue Aspire.Cli.EndToEnd.Tests.PsCommandTests.PsFormatJsonOutputsOnlyJsonToStdout

📋 /create-issue — Usage

Creates or updates a failing-test issue from CI failures.

/create-issue <test-name>
/create-issue <test-name> <pr|run|job-url>
/create-issue --test "<test-name>"
/create-issue --test "<test-name>" --url <pr|run|job-url>
/create-issue --test "<test-name>" --force-new

radical · 2026-04-10T07:05:11Z

/create-issue Aspire.Cli.EndToEnd.Tests.PsCommandTests.PsCommandListsRunningAppHost

github-actions · 2026-04-10T07:06:02Z

✅ Created failing-test issue #16035: #16035

To disable this test on your PR, comment:

/disable-test Aspire.Cli.EndToEnd.Tests.PsCommandTests.PsCommandListsRunningAppHost https://github.com/microsoft/aspire/issues/16035

Copilot AI review requested due to automatic review settings April 10, 2026 03:16

Copilot started reviewing on behalf of eerhardt April 10, 2026 03:18 View session

Copilot AI reviewed Apr 10, 2026

View reviewed changes

eerhardt had a problem deploying to deployment-testing April 10, 2026 03:27 — with GitHub Actions Error