Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additions to azurerm_key_vault #348

Merged
merged 3 commits into from
Sep 25, 2017
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions azurerm/data_source_arm_client_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ func dataSourceArmClientConfig() *schema.Resource {
Type: schema.TypeString,
Computed: true,
},
"service_principal_application_id": {
Type: schema.TypeString,
Computed: true,
},
"service_principal_object_id": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -54,6 +58,7 @@ func dataSourceArmClientConfigRead(d *schema.ResourceData, meta interface{}) err
d.Set("client_id", client.clientId)
d.Set("tenant_id", client.tenantId)
d.Set("subscription_id", client.subscriptionId)
d.Set("service_principal_application_id", *servicePrincipal.AppID)
d.Set("service_principal_object_id", *servicePrincipal.ObjectID)

return nil
Expand Down
1 change: 1 addition & 0 deletions azurerm/data_source_arm_client_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ func TestAccDataSourceAzureRMClientConfig_basic(t *testing.T) {
testAzureRMClientConfigAttr(dataSourceName, "client_id", clientId),
testAzureRMClientConfigAttr(dataSourceName, "tenant_id", tenantId),
testAzureRMClientConfigAttr(dataSourceName, "subscription_id", subscriptionId),
testAzureRMClientConfigGUIDAttr(dataSourceName, "service_principal_application_id"),
testAzureRMClientConfigGUIDAttr(dataSourceName, "service_principal_object_id"),
),
},
Expand Down
2 changes: 1 addition & 1 deletion azurerm/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,8 @@ func Provider() terraform.ResourceProvider {
"azurerm_app_service": resourceArmAppService(),
"azurerm_app_service_plan": resourceArmAppServicePlan(),
"azurerm_automation_account": resourceArmAutomationAccount(),
"azurerm_automation_runbook": resourceArmAutomationRunbook(),
"azurerm_automation_credential": resourceArmAutomationCredential(),
"azurerm_automation_runbook": resourceArmAutomationRunbook(),
"azurerm_automation_schedule": resourceArmAutomationSchedule(),
"azurerm_availability_set": resourceArmAvailabilitySet(),
"azurerm_cdn_endpoint": resourceArmCdnEndpoint(),
Expand Down
59 changes: 55 additions & 4 deletions azurerm/resource_arm_key_vault.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,34 @@ func resourceArmKeyVault() *schema.Resource {
Required: true,
ValidateFunc: validateUUID,
},
"application_id": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validateUUID,
},
"certificate_permissions": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.All),
string(keyvault.Create),
string(keyvault.Delete),
string(keyvault.Deleteissuers),
string(keyvault.Get),
string(keyvault.Getissuers),
string(keyvault.Import),
string(keyvault.List),
string(keyvault.Listissuers),
string(keyvault.Managecontacts),
string(keyvault.Manageissuers),
string(keyvault.Setissuers),
string(keyvault.Update),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if there's an array/slice of all permissions, so that we don't need to update this list after Azure introduces new ones. 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's exposed as a collection of Constants, so it might be hard in the short term - however we could ask the SDK team to expose that as a function?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Up to you, it's no big deal - I just thought it may save us some pain/work in the future.
Feel free to 🚢 it as is.

}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
},
},
"key_permissions": {
Type: schema.TypeList,
Required: true,
Expand All @@ -105,7 +133,8 @@ func resourceArmKeyVault() *schema.Resource {
string(keyvault.KeyPermissionsUpdate),
string(keyvault.KeyPermissionsVerify),
string(keyvault.KeyPermissionsWrapKey),
}, false),
}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
},
},
"secret_permissions": {
Expand All @@ -119,7 +148,8 @@ func resourceArmKeyVault() *schema.Resource {
string(keyvault.SecretPermissionsGet),
string(keyvault.SecretPermissionsList),
string(keyvault.SecretPermissionsSet),
}, false),
}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
},
},
},
Expand Down Expand Up @@ -257,6 +287,12 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli
for _, policySet := range policies {
policyRaw := policySet.(map[string]interface{})

certificatePermissionsRaw := policyRaw["certificate_permissions"].([]interface{})
certificatePermissions := []keyvault.CertificatePermissions{}
for _, permission := range certificatePermissionsRaw {
certificatePermissions = append(certificatePermissions, keyvault.CertificatePermissions(permission.(string)))
}

keyPermissionsRaw := policyRaw["key_permissions"].([]interface{})
keyPermissions := []keyvault.KeyPermissions{}
for _, permission := range keyPermissionsRaw {
Expand All @@ -271,8 +307,9 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli

policy := keyvault.AccessPolicyEntry{
Permissions: &keyvault.Permissions{
Keys: &keyPermissions,
Secrets: &secretPermissions,
Certificates: &certificatePermissions,
Keys: &keyPermissions,
Secrets: &secretPermissions,
},
}

Expand All @@ -281,6 +318,11 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli
objectUUID := policyRaw["object_id"].(string)
policy.ObjectID = &objectUUID

if v := policyRaw["application_id"]; v != "" {
applicationUUID := uuid.FromStringOrNil(v.(string))
policy.ApplicationID = &applicationUUID
}

result = append(result, policy)
}

Expand All @@ -301,6 +343,11 @@ func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []int
for _, policy := range *policies {
policyRaw := make(map[string]interface{})

certificatePermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys))
for _, certificatePermission := range *policy.Permissions.Certificates {
certificatePermissionsRaw = append(certificatePermissionsRaw, string(certificatePermission))
}

keyPermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys))
for _, keyPermission := range *policy.Permissions.Keys {
keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission))
Expand All @@ -313,6 +360,10 @@ func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []int

policyRaw["tenant_id"] = policy.TenantID.String()
policyRaw["object_id"] = *policy.ObjectID
if policy.ApplicationID != nil {
policyRaw["application_id"] = policy.ApplicationID.String()
}
policyRaw["certificate_permissions"] = certificatePermissionsRaw
policyRaw["key_permissions"] = keyPermissionsRaw
policyRaw["secret_permissions"] = secretPermissionsRaw

Expand Down
65 changes: 65 additions & 0 deletions azurerm/resource_arm_key_vault_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,27 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) {
})
}

func TestAccAzureRMKeyVault_complete(t *testing.T) {
resourceName := "azurerm_key_vault.test"
ri := acctest.RandInt()
config := testAccAzureRMKeyVault_complete(ri, testLocation())

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testCheckAzureRMKeyVaultDestroy,
Steps: []resource.TestStep{
{
Config: config,
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMKeyVaultExists(resourceName),
resource.TestCheckResourceAttrSet(resourceName, "access_policy.0.application_id"),
),
},
},
})
}

func TestAccAzureRMKeyVault_update(t *testing.T) {
ri := acctest.RandInt()
resourceName := "azurerm_key_vault.test"
Expand Down Expand Up @@ -257,3 +278,47 @@ resource "azurerm_key_vault" "test" {
}
`, rInt, location, rInt)
}

func testAccAzureRMKeyVault_complete(rInt int, location string) string {
return fmt.Sprintf(`
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "test" {
name = "acctestRG-%d"
location = "%s"
}
resource "azurerm_key_vault" "test" {
name = "vault%d"
location = "${azurerm_resource_group.test.location}"
resource_group_name = "${azurerm_resource_group.test.name}"
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
sku {
name = "premium"
}
access_policy {
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${data.azurerm_client_config.current.client_id}"
application_id = "${data.azurerm_client_config.current.service_principal_application_id}"
certificate_permissions = [
"get",
]
key_permissions = [
"get",
]
secret_permissions = [
"get",
]
}
tags {
environment = "Production"
}
}
`, rInt, location, rInt)
}
3 changes: 2 additions & 1 deletion website/docs/d/client_config.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@ There are no arguments available for this data source.
* `client_id` is set to the Azure Client ID (Application Object ID).
* `tenant_id` is set to the Azure Tenant ID.
* `subscription_id` is set to the Azure Subscription ID.
* `service_principal_application_id` is the Service Principal Application ID.
* `service_principal_object_id` is the Service Principal Object ID.

~> **Note:** To better understand "application" and "service principal", please read
~> **Note:** To better understand "application" and "service principal", please read
[Application and service principal objects in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects).
5 changes: 5 additions & 0 deletions website/docs/r/key_vault.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,11 @@ The following arguments are supported:
group in the Azure Active Directory tenant for the vault. The object ID must
be unique for the list of access policies.

* `application_id` - (Optional) The object ID of an Application in Azure Active Directory.

* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from
the following: `All`, `Create`, `Delete`, `Deleteissuers`, `Get`, `Getissuers`, `Import`, `List`, `Listissuers`, `Managecontacts`, `Manageissuers`, `Setissuers` and `Update`.

* `key_permissions` - (Required) List of key permissions, must be one or more from
the following: `all`, `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`,
`import`, `list`, `restore`, `sign`, `unwrapKey`, `update`, `verify`, `wrapKey`.
Expand Down