Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Resource: Key Vault Access Policy #1149

Merged
merged 28 commits into from
Jul 9, 2018

Conversation

monkey-jeff
Copy link

@monkey-jeff monkey-jeff commented Apr 23, 2018

Hello everyone.

This is to address #754 which allows for separating our Key Vault Policies from the Key Vault Resource. This is also a feature I wanted as it allows me to pass in N number of policies for a Key Vault where N is not a constant. I can now add 'count' to the policy resource to create multiple at once.

The resource looks like below allowing you to update the policy of an existing policy.

resource "azurerm_key_vault_policy" "test" {
  vault_name                   = "NAME_OF_VAULT"
  vault_resource_group  = "RESOURCE_GROUP_OF_VAULT"

  object_id 		= "OBJECT_ID of service principal"
  tenant_id		= "TENANT_ID of service principal"
  application_id 	= "APPLICATION_ID if granting access to an application"

  key_permissions = [
    "create",
    "get"
  ]

  secret_permissions = [
    "get",
    "delete"
  ]
  certificate_permissions = [
    "create", 
    "delete"
  ]
}

This PR changes some behavior of the existing resrouce

  • Minimum Access Policy blocks in a key vault resource has been reduced to 0
  • Checking the access policies has been removed from the refresh of the Key Vault Resource (this is to prevent it from removing policies added by a policy resource object)

The way the new Key Vault resource interacts with these is as follows

  • If the object id / tenant id pair already exists in the access policy there will be no failure and in effect that resource will be imported into the terraform state (Hence the lacking of the ability to import since it already works seamlessly) //Question. Should I add something similar to this to the doc section explaining why there isn't an import?
  • If the access policy is removed outside of the terraform plan the refresh will want to add it back on a plan

I also moved the access policy definitions into its own file so there is a single place to update this.

Let me know what changes if any you guys would like me to make here. I do apologize if my go code is sloppy, this is my first time contributing to terraform and my first time writing in go, so I am sure there will be some issues to resolve.

-Jeff

@day-jeff
Copy link
Contributor

Reviewed and tested this code. The implementation is solid, and everything worked perfectly in my real-world test. Thanks for this!

@tombuildsstuff tombuildsstuff self-assigned this Apr 24, 2018
@@ -364,50 +298,11 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} {
return []interface{}{result}
}

func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []interface{} {
Copy link
Author

@monkey-jeff monkey-jeff Apr 25, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was removed due to it only being used in a refresh. Refresh the access policies on the key vault resource causes a fight between key vault and key vault policy over ownership of the resource (basically doing this during a keyvault refresh it wants to remove resources created by a key vault policy

I note this because the merge conflict is now due to content that has been changes in the function that I had removed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's intentional - we can instead make the field access_policy Optional + Computed - which means that the value will be used from the API unless it's set locally (in which case diff's will be detected)

@tiwood
Copy link
Contributor

tiwood commented May 2, 2018

Any updates on this? I have some use cases for this new resource type.

Thanks for your contribution.

@pixelicous
Copy link

This is cool! Looking forward to seeing it implemented as well

@metacpp metacpp added this to the Future milestone May 4, 2018
sophos-jeff and others added 2 commits May 4, 2018 14:40
WodansSon
WodansSon previously approved these changes May 4, 2018
@@ -76,7 +76,7 @@ func resourceArmKeyVault() *schema.Resource {
"access_policy": {
Type: schema.TypeList,
Optional: true,
MinItems: 1,
MinItems: 0,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since it is optional, you might just remove this line (MinItems: 0).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

log.Printf("[INFO] preparing arguments for Azure ARM Policy: %s.", action)

name := d.Get("vault_name").(string)
//location := azureRMNormalizeLocation(d.Get("vault_location").(string))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it is not used, remove this line.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed


d.SetId(*read.ID)

return resourceArmKeyVaultRead(d, meta)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typically we don't read terraform resources after it is deleted, and we don't set its ID either.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a check that we aren't deleting it.

}

if action != keyvault.Remove {
d.SetId(*read.ID)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if action != keyvault.Remove {
  d.SetId(*read.ID)
  return resourceArmKeyVaultRead(d, meta)
} else {
  return nil
}

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, fixed

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can actually make this:

if d.IsNewResource() {
  d.SetID(*read.ID)
}

since the ID won't change post-creation

JunyiYi
JunyiYi previously approved these changes May 10, 2018
@monkey-jeff
Copy link
Author

monkey-jeff commented May 16, 2018

Is there anything I need to do here right now? Have 2 approvals and a couple of pending. Sorry this is my first PR against terraform. Just curious as to what the normal process is from here as the CONTRIBUTING.md is a bit vague around this point of the process.

Also thanks for looking this over as well as the great platform/product that is terraform!

-Jeff

@achandmsft
Copy link
Contributor

@tombuildsstuff could you please merge?

@tiwood
Copy link
Contributor

tiwood commented Jul 4, 2018

I'm really desperate to get this functionality, is there a way to help or do we just need to wait for the reviews?

@monkey-jeff
Copy link
Author

I think at this point it is waiting for reviews. It is not a small PR so it would take a little bit longer...hopefully tom and kat can get to it soon, but they are both very busy and have a lot to review....best think you can do is upvote this PR in my opinion.

@day-jeff
Copy link
Contributor

day-jeff commented Jul 5, 2018

@tiwood: Another option is to clone and build Jeff's branch: sophos-jeff:feature/key_vault_policy

@tombuildsstuff
Copy link
Contributor

@sophos-jeff apologies for the delayed re-review here; I'm still trying to catch up from a few weeks AFK - I'll be taking another look through this shortly :)

@tombuildsstuff tombuildsstuff removed the request for review from metacpp July 6, 2018 11:38
@tombuildsstuff tombuildsstuff modified the milestones: Future, Soon Jul 6, 2018
Ensuring we only lock on the Key Vault name, since the access policy doesn't matter for locking purposes if we lock on the entire KeyVault

```
$ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_

=== RUN   TestAccAzureRMKeyVaultAccessPolicy_basic
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_basic (222.29s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_multiple
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_multiple (228.28s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_update
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_update (238.59s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	689.209s
```
Tests pass:

```
$ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_import

=== RUN   TestAccAzureRMKeyVaultAccessPolicy_importBasic
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_importBasic (225.81s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_importMultiple
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_importMultiple (218.71s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	444.557s
```
@tombuildsstuff
Copy link
Contributor

@sophos-jeff I've been spending some time on this resource this afternoon testing this/working out what's needed to get this merged and have made a few commits (mostly fixing the locking/refactoring/tests) - I hope you don't mind but I'm going to push these so that we can run the tests.

Once the tests pass (which the Access Policy tests have locally) - we'll do some edge case testing (probably Monday) and then we should be good to merge this :)

@tombuildsstuff tombuildsstuff dismissed stale reviews from katbyte and themself July 6, 2018 16:28

changes have been pushed

@tombuildsstuff
Copy link
Contributor

Key Vault Access Policy Tests pass:

$ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_

=== RUN   TestAccAzureRMKeyVaultAccessPolicy_basic
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_basic (222.29s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_multiple
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_multiple (228.28s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_update
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_update (238.59s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	689.209s
$ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_import

=== RUN   TestAccAzureRMKeyVaultAccessPolicy_importBasic
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_importBasic (225.81s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_importMultiple
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_importMultiple (218.71s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	444.557s

@tombuildsstuff tombuildsstuff modified the milestones: Soon, 1.9.0 Jul 9, 2018
@tombuildsstuff
Copy link
Contributor

Ignoring an existing failing test in Key Vault - the tests pass:

screenshot 2018-07-09 at 09 57 54

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This now LGTM / seems fine with some edge-case testing 👍🏻

Thanks for this @sophos-jeff (hope you don't mind me pushing a few commits to finish this off!) :)

@monkey-jeff
Copy link
Author

Not at all Tom. Thanks for getting this merged :D Glad to see this feature available soon :D

@jmeisner3
Copy link

@sophos-jeff thanks a lot for working on this!

@pixelicous
Copy link

@tombuildsstuff Great work! This would be very useful to us and anyone else using azure, finally this is merged!! 😋 👍 🥇

@hashicorp hashicorp locked and limited conversation to collaborators Jul 29, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.