#24087 : Return error when use_system_assigned_identity and user_assi…

…gned_identity_id are set in azurerm_recovery_services_vault resource (#24091)
hashicorp · Feb 26, 2024 · 6bc7eb0 · 6bc7eb0
1 parent 5db1ef3
commit 6bc7eb0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/internal/services/recoveryservices/recovery_services_vault_resource.go b/internal/services/recoveryservices/recovery_services_vault_resource.go
@@ -277,8 +277,12 @@ func resourceRecoveryServicesVaultCreate(d *pluginsdk.ResourceData, meta interfa
 	// `encryption` needs to be set before `cross_region_restore_enabled` is set. Or the service will return an error. "If CRR is enabled for the Vault, the storage state will be locked and it will interfere with further operations"
 	// recovery vault's encryption config cannot be set while creation, so a standalone update is required.
 	if _, ok := d.GetOk("encryption"); ok {
+		encryption, err := expandEncryption(d)
+		if err != nil {
+			return err
+		}
 		requireAdditionalUpdate = true
-		updatePatch.Properties.Encryption = expandEncryption(d)
+		updatePatch.Properties.Encryption = encryption
 	}
 
 	if requireAdditionalUpdate {
@@ -414,7 +418,10 @@ func resourceRecoveryServicesVaultUpdate(d *pluginsdk.ResourceData, meta interfa
 		VaultName:         id.VaultName,
 	}
 
-	encryption := expandEncryption(d)
+	encryption, err := expandEncryption(d)
+	if err != nil {
+		return err
+	}
 	existing, err := client.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("checking for presence of existing Recovery Service %s: %+v", id.String(), err)
@@ -800,14 +807,14 @@ func validateIdentityUpdate(origin identity.SystemAndUserAssignedMap, target ide
 	return true
 }
 
-func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncryption {
+func expandEncryption(d *pluginsdk.ResourceData) (*vaults.VaultPropertiesEncryption, error) {
 	encryptionRaw := d.Get("encryption")
 	if encryptionRaw == nil {
-		return nil
+		return nil, nil
 	}
 	settings := encryptionRaw.([]interface{})
 	if len(settings) == 0 {
-		return nil
+		return nil, nil
 	}
 	encryptionMap := settings[0].(map[string]interface{})
 	keyUri := encryptionMap["key_id"].(string)
@@ -826,9 +833,12 @@ func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncrypti
 		InfrastructureEncryption: &infraEncryptionState,
 	}
 	if v, ok := encryptionMap["user_assigned_identity_id"].(string); ok && v != "" {
+		if *encryption.KekIdentity.UseSystemAssignedIdentity {
+			return nil, fmt.Errorf(" `use_system_assigned_identity` must be disabled when `user_assigned_identity_id` is set.")
+		}
 		encryption.KekIdentity.UserAssignedIdentity = utils.String(v)
 	}
-	return encryption
+	return encryption, nil
 }
 
 func flattenVaultEncryption(model vaults.Vault) interface{} {

diff --git a/website/docs/r/recovery_services_vault.html.markdown b/website/docs/r/recovery_services_vault.html.markdown
@@ -86,7 +86,7 @@ An `encryption` block supports the following:
 
 * `user_assigned_identity_id` - (Optional) Specifies the user assigned identity ID to be used.
 
-* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`.
+* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`. Must be set to `false` when `user_assigned_identity_id` is set.
 
 !> **Note:** `use_system_assigned_identity` only be able to set to `false` for **new** vaults. Any vaults containing existing items registered or attempted to be registered to it are not supported. Details can be found in [the document](https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk?tabs=portal#before-you-start)