

#24087: Throw an error rather a silent update as per review
harshavmb committed Feb 21, 2024
1 parent d0d5848 commit 822daeb
Showing 2 changed files with 17 additions and 8 deletions.
Expand Up @@ -261,9 +261,13 @@ func resourceRecoveryServicesVaultCreate(d *pluginsdk.ResourceData, meta interfa
// `encryption` needs to be set before `cross_region_restore_enabled` is set. Or the service will return an error. "If CRR is enabled for the Vault, the storage state will be locked and it will interfere with further operations"
// recovery vault's encryption config cannot be set while creation, so a standalone update is required.
if _, ok := d.GetOk("encryption"); ok {
encryption, err := expandEncryption(d)
if err != nil {
return err
}
err = client.UpdateThenPoll(ctx, id, vaults.PatchVault{
Properties: &vaults.VaultProperties{
Encryption: expandEncryption(d),
Encryption: encryption,
},
})
if err != nil {
Expand Down Expand Up @@ -396,7 +400,10 @@ func resourceRecoveryServicesVaultUpdate(d *pluginsdk.ResourceData, meta interfa
VaultName: id.VaultName,
}

encryption := expandEncryption(d)
encryption, err := expandEncryption(d)
if err != nil {
return err
}
existing, err := client.Get(ctx, id)
if err != nil {
return fmt.Errorf("checking for presence of existing Recovery Service %s: %+v", id.String(), err)
Expand Down Expand Up @@ -760,14 +767,14 @@ func validateIdentityUpdate(origin identity.SystemAndUserAssignedMap, target ide
return true
}

func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncryption {
func expandEncryption(d *pluginsdk.ResourceData) (*vaults.VaultPropertiesEncryption, error) {
encryptionRaw := d.Get("encryption")
if encryptionRaw == nil {
return nil
return nil, nil
}
settings := encryptionRaw.([]interface{})
if len(settings) == 0 {
return nil
return nil, nil
}
encryptionMap := settings[0].(map[string]interface{})
keyUri := encryptionMap["key_id"].(string)
Expand All @@ -787,9 +794,11 @@ func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncrypti
}
if v, ok := encryptionMap["user_assigned_identity_id"].(string); ok && v != "" {
encryption.KekIdentity.UserAssignedIdentity = utils.String(v)
encryption.KekIdentity.UseSystemAssignedIdentity = utils.Bool(false)
if *encryption.KekIdentity.UseSystemAssignedIdentity {
return nil, fmt.Errorf("`use_system_assigned_identity` must not be set to `true` when `user_assigned_identity_id` is passed")
}
}
return encryption
return encryption, nil
}

func flattenVaultEncryption(model vaults.Vault) interface{} {
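Review bot: The new `use_system_assigned_identity` / `user_assigned_identity_id` conflict check in the last hunk only fires inside expandEncryption, i.e. at apply time, and in resourceRecoveryServicesVaultCreate that call sits after the vault has already been created (the comment above the first hunk notes encryption can only be applied by a standalone update), so a plan that sets both now fails after a vault exists without the intended customer-managed key rather than before anything is provisioned. Consider surfacing the conflict at plan time instead, e.g. `ConflictsWith` on the `use_system_assigned_identity` schema attribute or a `CustomizeDiff` check, and keep the expand-time error as a backstop. The check also dereferences `encryption.KekIdentity.UseSystemAssignedIdentity` unconditionally; the lines that populate that field are collapsed between the hunks, so if it can be nil there this is a panic rather than an error, and `if v := encryption.KekIdentity.UseSystemAssignedIdentity; v != nil && *v {` would be safe either way. expandEncryption begins in the previous hunk and its middle is not shown, so whether the pointer is always set cannot be confirmed from this page.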
2 changes: 1 addition & 1 deletion website/docs/r/recovery_services_vault.html.markdown
Expand Up @@ -84,7 +84,7 @@ An `encryption` block supports the following:

* `user_assigned_identity_id` - (Optional) Specifies the user assigned identity ID to be used.

* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`. When `user_assigned_identity_id` is set, this flag is set to `false`.
* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`. When `user_assigned_identity_id` is set, this flag is set must be set to `false`.

!> **Note:** `use_system_assigned_identity` only be able to set to `false` for **new** vaults. Any vaults containing existing items registered or attempted to be registered to it are not supported. Details can be found in [the document](https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk?tabs=portal#before-you-start)


