azurerm_key_vault_managed_hardware_security_module - support for ac…

…tivating an HSM through `security_domain_key_vault_certificate_ids` (#22162) Co-authored-by: xuwu1 <xuwu1@microsoft.com>
hashicorp · Jun 26, 2023 · 397035c · 397035c
1 parent e14001f
commit 397035c
Show file tree

Hide file tree

Showing 9 changed files with 415 additions and 15 deletions.
diff --git a/internal/clients/builder.go b/internal/clients/builder.go
@@ -109,6 +109,11 @@ func Build(ctx context.Context, builder ClientBuilder) (*Client, error) {
 		return nil, fmt.Errorf("building account: %+v", err)
 	}
 
+	managedHSMAuth, err := auth.NewAuthorizerFromCredentials(ctx, *builder.AuthConfig, builder.AuthConfig.Environment.ManagedHSM)
+	if err != nil {
+		return nil, fmt.Errorf("unable to build authorizer for Managed HSM API: %+v", err)
+	}
+
 	client := Client{
 		Account: account,
 	}
@@ -117,6 +122,7 @@ func Build(ctx context.Context, builder ClientBuilder) (*Client, error) {
 		Authorizers: &common.Authorizers{
 			BatchManagement: batchManagementAuth,
 			KeyVault:        keyVaultAuth,
+			ManagedHSM:      managedHSMAuth,
 			ResourceManager: resourceManagerAuth,
 			Storage:         storageAuth,
 			Synapse:         synapseAuth,
@@ -133,6 +139,7 @@ func Build(ctx context.Context, builder ClientBuilder) (*Client, error) {
 
 		BatchManagementAuthorizer: authWrapper.AutorestAuthorizer(batchManagementAuth),
 		KeyVaultAuthorizer:        authWrapper.AutorestAuthorizer(keyVaultAuth).BearerAuthorizerCallback(),
+		ManagedHSMAuthorizer:      authWrapper.AutorestAuthorizer(managedHSMAuth).BearerAuthorizerCallback(),
 		ResourceManagerAuthorizer: authWrapper.AutorestAuthorizer(resourceManagerAuth),
 		StorageAuthorizer:         authWrapper.AutorestAuthorizer(storageAuth),
 		SynapseAuthorizer:         authWrapper.AutorestAuthorizer(synapseAuth),

diff --git a/internal/common/client_options.go b/internal/common/client_options.go
@@ -23,6 +23,7 @@ import (
 type Authorizers struct {
 	BatchManagement auth.Authorizer
 	KeyVault        auth.Authorizer
+	ManagedHSM      auth.Authorizer
 	ResourceManager auth.Authorizer
 	Storage         auth.Authorizer
 	Synapse         auth.Authorizer
@@ -58,6 +59,7 @@ type ClientOptions struct {
 	AttestationAuthorizer     autorest.Authorizer
 	BatchManagementAuthorizer autorest.Authorizer
 	KeyVaultAuthorizer        autorest.Authorizer
+	ManagedHSMAuthorizer      autorest.Authorizer
 	ResourceManagerAuthorizer autorest.Authorizer
 	StorageAuthorizer         autorest.Authorizer
 	SynapseAuthorizer         autorest.Authorizer

diff --git a/internal/services/keyvault/client/client.go b/internal/services/keyvault/client/client.go
@@ -11,6 +11,9 @@ type Client struct {
 	ManagedHsmClient *managedhsms.ManagedHsmsClient
 	ManagementClient *dataplane.BaseClient
 	VaultsClient     *vaults.VaultsClient
+
+	MHSMSDClient   *dataplane.HSMSecurityDomainClient
+	MHSMRoleClient *dataplane.RoleDefinitionsClient
 }
 
 func NewClient(o *common.ClientOptions) *Client {
@@ -21,11 +24,20 @@ func NewClient(o *common.ClientOptions) *Client {
 	o.ConfigureClient(&managementClient.Client, o.KeyVaultAuthorizer)
 
 	vaultsClient := vaults.NewVaultsClientWithBaseURI(o.ResourceManagerEndpoint)
+
+	sdClient := dataplane.NewHSMSecurityDomainClient()
+	o.ConfigureClient(&sdClient.Client, o.ManagedHSMAuthorizer)
+
+	mhsmRoleDefineClient := dataplane.NewRoleDefinitionsClient()
+	o.ConfigureClient(&mhsmRoleDefineClient.Client, o.ManagedHSMAuthorizer)
+
 	o.ConfigureClient(&vaultsClient.Client, o.ResourceManagerAuthorizer)
 
 	return &Client{
 		ManagedHsmClient: &managedHsmClient,
 		ManagementClient: &managementClient,
 		VaultsClient:     &vaultsClient,
+		MHSMSDClient:     &sdClient,
+		MHSMRoleClient:   &mhsmRoleDefineClient,
 	}
 }
diff --git a/internal/services/keyvault/custompollers/hsm_download_poller.go b/internal/services/keyvault/custompollers/hsm_download_poller.go
@@ -0,0 +1,44 @@
+package custompollers
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/hashicorp/go-azure-sdk/sdk/client/pollers"
+	kv74 "github.com/tombuildsstuff/kermit/sdk/keyvault/7.4/keyvault"
+)
+
+var _ pollers.PollerType = &hsmDownloadPoller{}
+
+func NewHSMDownloadPoller(client *kv74.HSMSecurityDomainClient, baseUrl string) *hsmDownloadPoller {
+	return &hsmDownloadPoller{
+		client:  client,
+		baseUrl: baseUrl,
+	}
+}
+
+type hsmDownloadPoller struct {
+	client  *kv74.HSMSecurityDomainClient
+	baseUrl string
+}
+
+func (p *hsmDownloadPoller) Poll(ctx context.Context) (*pollers.PollResult, error) {
+	res, err := p.client.DownloadPending(ctx, p.baseUrl)
+	if err != nil {
+		return nil, fmt.Errorf("waiting for Security Domain to download failed within %s: %+v", p.baseUrl, err)
+	}
+
+	if res.Status == kv74.OperationStatusSuccess {
+		return &pollers.PollResult{
+			Status:       pollers.PollingStatusSucceeded,
+			PollInterval: 10 * time.Second,
+		}, nil
+	}
+
+	// Processing
+	return &pollers.PollResult{
+		Status:       pollers.PollingStatusInProgress,
+		PollInterval: 10 * time.Second,
+	}, nil
+}