Skip to content

Commit

Permalink
Adding a State Migration for Key Vault
Browse files Browse the repository at this point in the history
  • Loading branch information
tombuildsstuff committed Oct 4, 2017
1 parent 531ef1e commit 37c49e6
Show file tree
Hide file tree
Showing 3 changed files with 532 additions and 0 deletions.
2 changes: 2 additions & 0 deletions azurerm/resource_arm_key_vault.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ func resourceArmKeyVault() *schema.Resource {
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
MigrateState: resourceAzureRMKeyVaultMigrateState,
SchemaVersion: 1,

Schema: map[string]*schema.Schema{
"name": {
Expand Down
167 changes: 167 additions & 0 deletions azurerm/resource_arm_key_vault_migration.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,167 @@
package azurerm

import (
"fmt"
"log"
"strings"

"github.com/Azure/azure-sdk-for-go/arm/keyvault"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/terraform/terraform"
)

func resourceAzureRMKeyVaultMigrateState(v int, is *terraform.InstanceState, meta interface{}) (*terraform.InstanceState, error) {
switch v {
case 0:
log.Println("[INFO] Found AzureRM Key Vault State v0; migrating to v1")
return migrateAzureRMKeyVaultStateV0toV1(is)
default:
return is, fmt.Errorf("Unexpected schema version: %d", v)
}
}

func migrateAzureRMKeyVaultStateV0toV1(is *terraform.InstanceState) (*terraform.InstanceState, error) {
if is.Empty() {
log.Println("[DEBUG] Empty InstanceState; nothing to migrate.")
return is, nil
}

log.Printf("[DEBUG] ARM Key Vault Attributes before Migration: %#v", is.Attributes)

err := migrateAzureRMKeyVaultStateV0toV1AccessPolicies(is)
if err != nil {
return nil, err
}

log.Printf("[DEBUG] ARM Key Vault Attributes after State Migration: %#v", is.Attributes)

return is, nil
}

func migrateAzureRMKeyVaultStateV0toV1AccessPolicies(is *terraform.InstanceState) error {
keyVaultSchema := resourceArmKeyVault().Schema
reader := &schema.MapFieldReader{
Schema: keyVaultSchema,
Map: schema.BasicMapReader(is.Attributes),
}

// parse and update the existing data
result, err := reader.ReadField([]string{"access_policy"})
if err != nil {
return err
}

inputAccessPolicies := result.Value.([]interface{})

if len(inputAccessPolicies) == 0 {
return nil
}

outputAccessPolicies := make([]interface{}, 0)
for _, accessPolicy := range inputAccessPolicies {
policy := accessPolicy.(map[string]interface{})

if v, ok := policy["certificate_permissions"]; ok {
inputCertificatePermissions := v.([]interface{})
outputCertificatePermissions := make([]string, 0)
for _, p := range inputCertificatePermissions {
permission := p.(string)
if strings.ToLower(permission) == "all" {
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Create))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Delete))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Deleteissuers))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Get))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Getissuers))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Import))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.List))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Listissuers))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Managecontacts))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Manageissuers))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Setissuers))
outputCertificatePermissions = append(outputCertificatePermissions, string(keyvault.Update))
break
}
}

if len(outputCertificatePermissions) > 0 {
policy["certificate_permissions"] = outputCertificatePermissions
}
}

if v, ok := policy["key_permissions"]; ok {
inputKeyPermissions := v.([]interface{})
outputKeyPermissions := make([]string, 0)
for _, p := range inputKeyPermissions {
permission := p.(string)
if strings.ToLower(permission) == "all" {
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsBackup))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsCreate))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsDecrypt))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsDelete))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsEncrypt))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsGet))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsImport))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsList))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsPurge))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsRecover))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsRestore))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsSign))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsUnwrapKey))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsUpdate))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsVerify))
outputKeyPermissions = append(outputKeyPermissions, string(keyvault.KeyPermissionsWrapKey))
break
}
}

if len(outputKeyPermissions) > 0 {
policy["key_permissions"] = outputKeyPermissions
}
}

if v, ok := policy["secret_permissions"]; ok {
inputSecretPermissions := v.([]interface{})
outputSecretPermissions := make([]string, 0)
for _, p := range inputSecretPermissions {
permission := p.(string)
if strings.ToLower(permission) == "all" {
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsBackup))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsDelete))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsGet))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsList))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsPurge))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsRecover))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsRestore))
outputSecretPermissions = append(outputSecretPermissions, string(keyvault.SecretPermissionsSet))
break
}
}

if len(outputSecretPermissions) > 0 {
policy["secret_permissions"] = outputSecretPermissions
}
}

outputAccessPolicies = append(outputAccessPolicies, policy)
}

// remove the existing fields
for k := range is.Attributes {
if strings.HasPrefix(k, "access_policy.") {
delete(is.Attributes, k)
}
}

// write this out
writer := schema.MapFieldWriter{
Schema: keyVaultSchema,
}
if err := writer.WriteField([]string{"access_policy"}, outputAccessPolicies); err != nil {
return err
}
for k, v := range writer.Map() {
is.Attributes[k] = v
}

return nil
}
Loading

0 comments on commit 37c49e6

Please sign in to comment.