New resource: azurerm_user_assigned_identity + enabled UserAssigned identity for VM and VMSS

[logachev]

Implementing feature mentioned in the feature request: #1377

[tombuildsstuff]

Hey @logachev

Thanks for this PR - apologies for the delayed review here!

I've taken a look through and left some comments inline, but this is off to a good start; if we can fix up the comments we should be able to run the tests and get this merged :)

Thanks!

[tombuildsstuff]

given this is a new Resource Provider, can we also ensure this is registered when the AzureRM Provider is initialized? This can be done by adding Microsoft.ManagedIdentity (which is case sensitive) to this list

[tombuildsstuff]

can we remove name, resource_group_name and location here? these outputs can be implied as they're arguments

[logachev]

Removed. Seems like there are two styles in .markdown files: some list arguments as attributes and some don't.

[tombuildsstuff]

rather than using a variable, can we add an example name here? e.g. search-api

[tombuildsstuff]

can we make this acctest%d rather than test - this'll help to prevent conflicts between acceptance test runs by appending the unique ID to the end

[tombuildsstuff]

minor we can remove the word Template from the end of this method name

[logachev]

I removed it from new functions, but there are a lot of functions in this file following this pattern..

[tombuildsstuff]

can we remove this?

[logachev]

(see above reply)

[tombuildsstuff]

can we remove this check? if the ID doesn't match we'll get an error in the CRUD methods

[tombuildsstuff]

we need to ensure result["identity_ids"] is set all the time? this ensures we can still detect empty changes; the simplest way to do this is to make this:

identity_ids := make([]string, 0)
if identity.IdentityIds != nil {
  for _, id := range *identity.IdentityIds {
    identity_ids = append(identity_ids, id)
  }
}
result["identity_ids"] = identity_ids

[tombuildsstuff]

we can make this:

identityType = compute.ResourceIdentityType(identity["type"].(string))

[logachev]

I had what you advice in the first version. The problem with this was the fact that ResourceIdentityType is just a string. So, compute.ResourceIdentityType(identity["type"].(string) persists letters case.

As a result, identityType might be equal to userIdentity and it doesn't match compute.ResourceIdentityTypeUserAssigned string UserIdentity. So, you have to remember about this when you compare it later in code.

I think it's better to converge them during initialization, but I'd like to hear your recommendation.

[tombuildsstuff]

That's fine - in this case we can ensure the case matches the Constants/Enum's by updating the validation function / removing the Diff Suppress function, which will allow us to parse this directly:

ValidateFunc: validation.StringInSlice([]string{
 # ..
}, false)

[tombuildsstuff]

(as above)

[logachev]

See above reply..

[logachev]

@tombuildsstuff thank you for the review!
I left a few replies to your comments to figure out the best way to address them and addressed remaining feedback.

[tombuildsstuff]

hey @logachev

Thanks for pushing those changes - I've left a couple of comments (which I'm going to push a commit for, I hope you don't mind!) - but this otherwise LGTM 👍

Thanks!

[tombuildsstuff]

🤦‍♂️ sorry I was thinking one thing and wrote another - can we name this variable name, to match the other resources? The name of the resource itself is fine :)

[tombuildsstuff]

that makes sense in some scenarios, but would cause an error when running terraform plan (when this is outside of the users control, for instance if Azure returns a different schema than is defined, it shouldn't break Terraform) - as such we need to not return an error here, can update this using the code sample you posted?

[tombuildsstuff]

I'd missed there wasn't an Import test for this (these are tracked in a separate file) - I've included this in the commit (but here's an example); these verify the state set via d.Set matches the configuration used to create it (by creating the resource, then removing it from the state, then running terraform import and ensuring the config matches the state)

[tombuildsstuff]

rather than using the VMSS CheckDestroy function - I'm going to push a commit to use one specific for User Assigned Identities (this ensures that when the resource is destroyed by Terraform, it's not lingering around)

[tombuildsstuff]

User Assigned Identities tests pass:

acctests azurerm TestAccAzureRMUserAssignedIdentity_
=== RUN   TestAccAzureRMUserAssignedIdentity_importBasic
--- PASS: TestAccAzureRMUserAssignedIdentity_importBasic (80.67s)
=== RUN   TestAccAzureRMUserAssignedIdentity_basic
--- PASS: TestAccAzureRMUserAssignedIdentity_basic (78.45s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	159.156s

[tombuildsstuff]

VM tests pass:

VM Scale Set tests pass:

[logachev]

@tombuildsstuff Your changes look good.
Sorry, I missed import tests and didn't notice destroy function is not some generic function.
Thank you for your assistance!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!