Skip to content

Commit

Permalink
New Resource: azurerm_azuread_service_principal_password
Browse files Browse the repository at this point in the history
Tests pass:

```
$ acctests azurerm TestAccAzureRMActiveDirectoryServicePrincipalPassword_

=== RUN   TestAccAzureRMActiveDirectoryServicePrincipalPassword_basic
--- PASS: TestAccAzureRMActiveDirectoryServicePrincipalPassword_basic (36.08s)
=== RUN   TestAccAzureRMActiveDirectoryServicePrincipalPassword_customKeyId
--- PASS: TestAccAzureRMActiveDirectoryServicePrincipalPassword_customKeyId (26.22s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	62.335s
```
  • Loading branch information
tombuildsstuff committed Jul 16, 2018
1 parent cb94176 commit 0e8c24e
Show file tree
Hide file tree
Showing 11 changed files with 533 additions and 5 deletions.
1 change: 0 additions & 1 deletion azurerm/data_source_azuread_application.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ func dataSourceArmAzureADApplication() *schema.Resource {
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
// TODO: customizeDiff for validation of either name or object_id.

Schema: map[string]*schema.Schema{
"object_id": {
Expand Down
1 change: 0 additions & 1 deletion azurerm/data_source_azuread_service_principal.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ func dataSourceArmActiveDirectoryServicePrincipal() *schema.Resource {
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
// TODO: customiseDiff to ensure either `object_id` or `display_name` or `application_id` is set

Schema: map[string]*schema.Schema{
"object_id": {
Expand Down
21 changes: 21 additions & 0 deletions azurerm/helpers/validate/uuid.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
package validate

import (
"fmt"

"github.com/hashicorp/go-uuid"
)

func UUID(i interface{}, k string) (_ []string, errors []error) {
v, ok := i.(string)
if !ok {
errors = append(errors, fmt.Errorf("expected type of %q to be string", k))
return
}

if _, err := uuid.ParseUUID(v); err != nil {
errors = append(errors, fmt.Errorf("%q isn't a valid UUID (%q): %+v", k, v, err))
}

return
}
37 changes: 37 additions & 0 deletions azurerm/helpers/validate/uuid_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
package validate

import "testing"

func TestUUID(t *testing.T) {
cases := []struct {
Input string
Errors int
}{
{
Input: "",
Errors: 1,
},
{
Input: "hello-world",
Errors: 1,
},
{
Input: "00000000-0000-111-0000-000000000000",
Errors: 1,
},
{
Input: "00000000-0000-0000-0000-000000000000",
Errors: 0,
},
}

for _, tc := range cases {
t.Run(tc.Input, func(t *testing.T) {
_, errors := UUID(tc.Input, "test")

if len(errors) != tc.Errors {
t.Fatalf("Expected UUID to have %d not %d errors for %q", tc.Errors, len(errors), tc.Input)
}
})
}
}
1 change: 1 addition & 0 deletions azurerm/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ func Provider() terraform.ResourceProvider {
ResourcesMap: map[string]*schema.Resource{
"azurerm_azuread_application": resourceArmActiveDirectoryApplication(),
"azurerm_azuread_service_principal": resourceArmActiveDirectoryServicePrincipal(),
"azurerm_azuread_service_principal_password": resourceArmActiveDirectoryServicePrincipalPassword(),
"azurerm_application_gateway": resourceArmApplicationGateway(),
"azurerm_application_insights": resourceArmApplicationInsights(),
"azurerm_application_security_group": resourceArmApplicationSecurityGroup(),
Expand Down
4 changes: 3 additions & 1 deletion azurerm/resource_arm_azuread_service_principal.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package azurerm

import (
"fmt"

"log"

"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
Expand All @@ -11,6 +10,8 @@ import (
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
)

var servicePrincipalResourceName = "azurerm_service_principal"

func resourceArmActiveDirectoryServicePrincipal() *schema.Resource {
return &schema.Resource{
Create: resourceArmActiveDirectoryServicePrincipalCreate,
Expand Down Expand Up @@ -72,6 +73,7 @@ func resourceArmActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta
if err != nil {
if utils.ResponseWasNotFound(app.Response) {
log.Printf("[DEBUG] Service Principal with Object ID %q was not found - removing from state!", objectId)
d.SetId("")
return nil
}
return fmt.Errorf("Error retrieving Service Principal ID %q: %+v", objectId, err)
Expand Down
241 changes: 241 additions & 0 deletions azurerm/resource_arm_azuread_service_principal_password.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,241 @@
package azurerm

import (
"fmt"
"log"
"strings"
"time"

"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
"github.com/Azure/go-autorest/autorest/date"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/terraform/helper/schema"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
)

func resourceArmActiveDirectoryServicePrincipalPassword() *schema.Resource {
return &schema.Resource{
Create: resourceArmActiveDirectoryServicePrincipalPasswordCreate,
Read: resourceArmActiveDirectoryServicePrincipalPasswordRead,
Delete: resourceArmActiveDirectoryServicePrincipalPasswordDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},

Schema: map[string]*schema.Schema{
"service_principal_id": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validate.UUID,
},

"key_id": {
Type: schema.TypeString,
Optional: true,
Computed: true,
ForceNew: true,
ValidateFunc: validate.UUID,
},

"value": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
Sensitive: true,
},

"start_date": {
Type: schema.TypeString,
Optional: true,
Computed: true,
ForceNew: true,
ValidateFunc: validate.RFC3339Time,
},

"end_date": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validate.RFC3339Time,
},
},
}
}

func resourceArmActiveDirectoryServicePrincipalPasswordCreate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).servicePrincipalsClient
ctx := meta.(*ArmClient).StopContext

objectId := d.Get("service_principal_id").(string)
value := d.Get("value").(string)
// errors will be handled by the validation
endDate, _ := time.Parse(time.RFC3339, d.Get("end_date").(string))

var keyId string
if v, ok := d.GetOk("key_id"); ok {
keyId = v.(string)
} else {
kid, err := uuid.GenerateUUID()
if err != nil {
return err
}

keyId = kid
}

credential := graphrbac.PasswordCredential{
KeyID: utils.String(keyId),
Value: utils.String(value),
EndDate: &date.Time{Time: endDate},
}

if v, ok := d.GetOk("start_date"); ok {
// errors will be handled by the validation
startDate, _ := time.Parse(time.RFC3339, v.(string))
credential.StartDate = &date.Time{Time: startDate}
}

azureRMLockByName(objectId, servicePrincipalResourceName)
defer azureRMUnlockByName(objectId, servicePrincipalResourceName)

existingCredentials, err := client.ListPasswordCredentials(ctx, objectId)
if err != nil {
return fmt.Errorf("Error Listing Password Credentials for Service Principal %q: %+v", objectId, err)
}

updatedCredentials := make([]graphrbac.PasswordCredential, 0)
if existingCredentials.Value != nil {
updatedCredentials = *existingCredentials.Value
}

updatedCredentials = append(updatedCredentials, credential)

parameters := graphrbac.PasswordCredentialsUpdateParameters{
Value: &updatedCredentials,
}
_, err = client.UpdatePasswordCredentials(ctx, objectId, parameters)
if err != nil {
return fmt.Errorf("Error creating Password Credential %q for Service Principal %q: %+v", keyId, objectId, err)
}

d.SetId(fmt.Sprintf("%s/%s", objectId, keyId))

return resourceArmActiveDirectoryServicePrincipalPasswordRead(d, meta)
}

func resourceArmActiveDirectoryServicePrincipalPasswordRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).servicePrincipalsClient
ctx := meta.(*ArmClient).StopContext

id := strings.Split(d.Id(), "/")
if len(id) != 2 {
return fmt.Errorf("ID should be in the format {objectId}/{keyId} - but got %q", d.Id())
}

objectId := id[0]
keyId := id[1]

// ensure the parent Service Principal exists
servicePrincipal, err := client.Get(ctx, objectId)
if err != nil {
// the parent Service Principal has been removed - skip it
if utils.ResponseWasNotFound(servicePrincipal.Response) {
log.Printf("[DEBUG] Service Principal with Object ID %q was not found - removing from state!", objectId)
d.SetId("")
return nil
}
return fmt.Errorf("Error retrieving Service Principal ID %q: %+v", objectId, err)
}

credentials, err := client.ListPasswordCredentials(ctx, objectId)
if err != nil {
return fmt.Errorf("Error Listing Password Credentials for Service Principal with Object ID %q: %+v", objectId, err)
}

var credential *graphrbac.PasswordCredential
for _, c := range *credentials.Value {
if c.KeyID == nil {
continue
}

if *c.KeyID == keyId {
credential = &c
break
}
}

if credential == nil {
log.Printf("[DEBUG] Service Principal Password %q (Object ID %q) was not found - removing from state!", keyId, objectId)
d.SetId("")
return nil
}

// value is available in the SDK but isn't returned from the API
d.Set("key_id", credential.KeyID)
d.Set("service_principal_id", objectId)

if endDate := credential.EndDate; endDate != nil {
d.Set("end_date", endDate.Format(time.RFC3339))
}

if startDate := credential.StartDate; startDate != nil {
d.Set("start_date", startDate.Format(time.RFC3339))
}

return nil
}

func resourceArmActiveDirectoryServicePrincipalPasswordDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).servicePrincipalsClient
ctx := meta.(*ArmClient).StopContext

id := strings.Split(d.Id(), "/")
if len(id) != 2 {
return fmt.Errorf("ID should be in the format {objectId}/{keyId} - but got %q", d.Id())
}

objectId := id[0]
keyId := id[1]

azureRMLockByName(objectId, servicePrincipalResourceName)
defer azureRMUnlockByName(objectId, servicePrincipalResourceName)

// ensure the parent Service Principal exists
servicePrincipal, err := client.Get(ctx, objectId)
if err != nil {
// the parent Service Principal was removed - skip it
if utils.ResponseWasNotFound(servicePrincipal.Response) {
return nil
}

return fmt.Errorf("Error retrieving Service Principal ID %q: %+v", objectId, err)
}

existing, err := client.ListPasswordCredentials(ctx, objectId)
if err != nil {
return fmt.Errorf("Error Listing Password Credentials for Service Principal with Object ID %q: %+v", objectId, err)
}

updatedCredentials := make([]graphrbac.PasswordCredential, 0)
for _, credential := range *existing.Value {
if credential.KeyID == nil {
continue
}

if *credential.KeyID != keyId {
updatedCredentials = append(updatedCredentials, credential)
}
}

parameters := graphrbac.PasswordCredentialsUpdateParameters{
Value: &updatedCredentials,
}
_, err = client.UpdatePasswordCredentials(ctx, objectId, parameters)
if err != nil {
return fmt.Errorf("Error removing Password %q from Service Principal %q: %+v", keyId, objectId, err)
}

return nil
}
Loading

0 comments on commit 0e8c24e

Please sign in to comment.