From b1ea360d2e1af5b4eaacee0d118997ca19a98e27 Mon Sep 17 00:00:00 2001
From: kt
Date: Mon, 19 Nov 2018 17:40:54 -0800
Subject: [PATCH] add new certificate permissions to azurerm_key_vault & make key_permissions/secret_permissions optional

---
 .../helpers/azure/key_vault_access_policy.go | 6 +-
 azurerm/resource_arm_key_vault.go | 2 +
 azurerm/resource_arm_key_vault_test.go | 56 +++++++++++++++++++
 3 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/azurerm/helpers/azure/key_vault_access_policy.go b/azurerm/helpers/azure/key_vault_access_policy.go
index 5f1ff0fa7550..bb14984191e1 100644
--- a/azurerm/helpers/azure/key_vault_access_policy.go
+++ b/azurerm/helpers/azure/key_vault_access_policy.go
@@ -15,6 +15,7 @@ func SchemaKeyVaultCertificatePermissions() *schema.Schema {
 Elem: &schema.Schema{
 Type: schema.TypeString,
 ValidateFunc: validation.StringInSlice([]string{
+ string(keyvault.Backup),
 string(keyvault.Create),
 string(keyvault.Delete),
 string(keyvault.Deleteissuers),
@@ -27,6 +28,7 @@ func SchemaKeyVaultCertificatePermissions() *schema.Schema {
 string(keyvault.Manageissuers),
 string(keyvault.Purge),
 string(keyvault.Recover),
+ string(keyvault.Restore),
 string(keyvault.Setissuers),
 string(keyvault.Update),
 }, true),
@@ -38,7 +40,7 @@ func SchemaKeyVaultCertificatePermissions() *schema.Schema {
 func SchemaKeyVaultKeyPermissions() *schema.Schema {
 return &schema.Schema{
 Type: schema.TypeList,
- Required: true,
+ Optional: true,
 Elem: &schema.Schema{
 Type: schema.TypeString,
 ValidateFunc: validation.StringInSlice([]string{
@@ -67,7 +69,7 @@ func SchemaKeyVaultKeyPermissions() *schema.Schema {
 func SchemaKeyVaultSecretPermissions() *schema.Schema {
 return &schema.Schema{
 Type: schema.TypeList,
- Required: true,
+ Optional: true,
 Elem: &schema.Schema{
 Type: schema.TypeString,
 ValidateFunc: validation.StringInSlice([]string{
diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go
index 39507f17111f..2208c5e4f365 100644
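Review bot: The new keyvault.Backup entry in SchemaKeyVaultCertificatePermissions (and keyvault.Restore in the next hunk) widens the accepted certificate_permissions values, but nothing in this commit updates the resource documentation that enumerates the allowed values, so users cannot discover `backup` and `restore` without reading the schema. Add the two values to the documented list for certificate_permissions; if the docs group permissions by sensitivity, these belong with the operations that export or re-import the certificate object, since a backup is a restorable copy of it.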
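Review bot: With key_permissions (this hunk) and secret_permissions (the next hunk) both Optional alongside the already-optional certificate_permissions, an access_policy block that declares no permission list at all now passes plan-time validation and is only rejected, if at all, by the service; consider a check in the create/update path that at least one of the three lists is non-empty so the failure is reported before an API call is made. The function that turns these lists into keyvault.Permissions is outside this diff; confirm it handles an absent list (nil or an empty []interface{}) rather than indexing into it. A configuration that previously declared key_permissions and now omits it will plan as an update removing those permissions, which is the safe direction but should be stated in the resource docs next to the Optional change.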
--- a/azurerm/resource_arm_key_vault.go
+++ b/azurerm/resource_arm_key_vault.go
@@ -31,9 +31,11 @@ func resourceArmKeyVault() *schema.Resource {
 Read: resourceArmKeyVaultRead,
 Update: resourceArmKeyVaultCreateUpdate,
 Delete: resourceArmKeyVaultDelete,
+
 Importer: &schema.ResourceImporter{
 State: schema.ImportStatePassthrough,
 },
+
 MigrateState: resourceAzureRMKeyVaultMigrateState,
 SchemaVersion: 1,
 
diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go
index 45bd8b5396c0..f3ab5528dd39 100644
--- a/azurerm/resource_arm_key_vault_test.go
+++ b/azurerm/resource_arm_key_vault_test.go
@@ -214,6 +214,31 @@ func TestAccAzureRMKeyVault_update(t *testing.T) {
 })
 }
 
+func TestAccAzureRMKeyVault_justCert(t *testing.T) {
+ resourceName := "azurerm_key_vault.test"
+ ri := acctest.RandInt()
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMKeyVault_justCert(ri, testLocation()),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMKeyVaultExists(resourceName),
+ resource.TestCheckResourceAttr(resourceName, "access_policy.0.certificate_permissions.0", "get"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func testCheckAzureRMKeyVaultDestroy(s *terraform.State) error {
 client := testAccProvider.Meta().(*ArmClient).keyVaultClient
 ctx := testAccProvider.Meta().(*ArmClient).StopContext
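Review bot: TestAccAzureRMKeyVault_justCert asserts only that certificate_permissions.0 is "get" and never checks that the access policy carries no key or secret permissions, which is exactly the behaviour the Required-to-Optional change in key_vault_access_policy.go is meant to enable; the ImportStateVerify step would also pass if the provider quietly filled in defaults for the omitted lists. Add `resource.TestCheckResourceAttr(resourceName, "access_policy.0.key_permissions.#", "0"),` and `resource.TestCheckResourceAttr(resourceName, "access_policy.0.secret_permissions.#", "0"),` to the ComposeTestCheckFunc list so the test pins the intended empty state.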
@@ -522,3 +547,34 @@ resource "azurerm_key_vault" "test" {
 }
 `, rInt, location, rInt)
 }
+
+func testAccAzureRMKeyVault_justCert(rInt int, location string) string {
+ return fmt.Sprintf(`
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-%d"
+ location = "%s"
+}
+
+resource "azurerm_key_vault" "test" {
+ name = "vault%d"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+
+ sku {
+ name = "premium"
+ }
+
+ access_policy {
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+ object_id = "${data.azurerm_client_config.current.client_id}"
+
+ certificate_permissions = [
+ "get",
+ ]
+ }
+}
+`, rInt, location, rInt)
+}