Throw error explicitly

hashicorp · Nov 12, 2022 · b149c02 · b149c02
1 parent 0aaff13
commit b149c02
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 9 deletions.
diff --git a/internal/services/keyvault/key_vault_key_resource.go b/internal/services/keyvault/key_vault_key_resource.go
@@ -357,8 +357,11 @@ func resourceKeyVaultKeyCreate(d *pluginsdk.ResourceData, meta interface{}) erro
 	}
 
 	if v, ok := d.GetOk("rotation_policy"); ok {
-		if _, err := client.UpdateKeyRotationPolicy(ctx, *keyVaultBaseUri, name, expandKeyVaultKeyRotationPolicy(v)); err != nil {
-			return fmt.Errorf("Creating Key Rotation Policy: %+v", err)
+		if respPolicy, err := client.UpdateKeyRotationPolicy(ctx, *keyVaultBaseUri, name, expandKeyVaultKeyRotationPolicy(v)); err != nil {
+			if utils.ResponseWasForbidden(respPolicy.Response) {
+				return fmt.Errorf("current client lacks permissions to create Key Rotation Policy, please update this as described here: %s (Key %q of Key Vault %q in Vault at url %q): %v", "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#example-usage", name, *keyVaultId, *keyVaultBaseUri, err)
+			}
+			return fmt.Errorf("creating Key Rotation Policy: %+v", err)
 		}
 	}
 
@@ -436,7 +439,10 @@ func resourceKeyVaultKeyUpdate(d *pluginsdk.ResourceData, meta interface{}) erro
 	}
 
 	if v, ok := d.GetOk("rotation_policy"); ok {
-		if _, err := client.UpdateKeyRotationPolicy(ctx, id.KeyVaultBaseUrl, id.Name, expandKeyVaultKeyRotationPolicy(v)); err != nil {
+		if respPolicy, err := client.UpdateKeyRotationPolicy(ctx, id.KeyVaultBaseUrl, id.Name, expandKeyVaultKeyRotationPolicy(v)); err != nil {
+			if utils.ResponseWasForbidden(respPolicy.Response) {
+				return fmt.Errorf("current client lacks permissions to update Key Rotation Policy, please update this as described here: %s (Key %q of Key Vault %q in Vault at url %q): %v", "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#example-usage", id.Name, *keyVaultId, id.KeyVaultBaseUrl, err)
+			}
 			return fmt.Errorf("Creating Key Rotation Policy: %+v", err)
 		}
 	}
@@ -583,12 +589,12 @@ func resourceKeyVaultKeyRead(d *pluginsdk.ResourceData, meta interface{}) error
 
 	respPolicy, err := client.GetKeyRotationPolicy(ctx, id.KeyVaultBaseUrl, id.Name)
 	if err != nil {
-		// If client is not authorized the policy or it was not found:
-		// - we don't try to set it, just ignore it
-		if utils.ResponseWasForbidden(respPolicy.Response) || utils.ResponseWasNotFound(respPolicy.Response) {
+		// If client is not authorized the policy:
+		if utils.ResponseWasForbidden(respPolicy.Response) {
+			return fmt.Errorf("current client lacks permissions to read Key Rotation Policy, please update this as described here: %s (Key %q of Key Vault %q in Vault at url %q): %v", "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#example-usage", id.Name, *keyVaultId, id.KeyVaultBaseUrl, err)
+		} else if utils.ResponseWasNotFound(respPolicy.Response) {
 			return tags.FlattenAndSet(d, resp.Tags)
-		}
-		if !utils.ResponseWasNotFound(respPolicy.Response) {
+		} else {
 			return err
 		}
 	}

diff --git a/internal/services/keyvault/key_vault_key_resource_test.go b/internal/services/keyvault/key_vault_key_resource_test.go
@@ -726,6 +726,7 @@ resource "azurerm_key_vault_access_policy" "test" {
     "Purge",
     "Recover",
     "Update",
+    "GetRotationPolicy",
   ]
 
   secret_permissions = [
@@ -791,6 +792,7 @@ resource "azurerm_key_vault_access_policy" "test" {
     "Purge",
     "Recover",
     "Update",
+    "GetRotationPolicy",
   ]
 
   secret_permissions = [

diff --git a/website/docs/r/key_vault_key.html.markdown b/website/docs/r/key_vault_key.html.markdown
@@ -13,6 +13,8 @@ Manages a Key Vault Key.
 
 ## Example Usage
 
+~> **Note:** To use this resource, your client should have RBAC roles with permissions like `Key Vault Crypto Officer` or `Key Vault Administrator` or an assigned Key Vault Access Policy with permissions `Create`,`Delete`,`Get`,`Purge`,`Recover`,`Update` and `GetRotationPolicy` for keys without Rotation Policy. Include `SetRotationPolicy` for keys with Rotation Policy.
+
 ~> **Note:** the Azure Provider includes a Feature Toggle which will purge a Key Vault Key resource on destroy, rather than the default soft-delete. See [`purge_soft_deleted_keys_on_destroy`](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block#purge_soft_deleted_keys_on_destroy) for more information.
 
 ```hcl
@@ -37,9 +39,13 @@ resource "azurerm_key_vault" "example" {
 
     key_permissions = [
       "Create",
+      "Delete",
       "Get",
       "Purge",
-      "Recover"
+      "Recover",
+      "Update",
+      "GetRotationPolicy",
+      "SetRotationPolicy"
     ]
 
     secret_permissions = [
@@ -62,6 +68,15 @@ resource "azurerm_key_vault_key" "generated" {
     "verify",
     "wrapKey",
   ]
+
+  rotation_policy {
+    automatic {
+      time_before_expiry = "P30D"
+    }
+
+    expire_after         = "P90D"
+    notify_before_expiry = "P29D"
+  }
 }
 ```