Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Locks in AzureRM #23

Closed
hashibot opened this issue Jun 13, 2017 · 9 comments · Fixed by #575
Closed

Locks in AzureRM #23

hashibot opened this issue Jun 13, 2017 · 9 comments · Fixed by #575
Assignees

Comments

@hashibot
Copy link

This issue was originally opened by @AMMullan as hashicorp/terraform#9768. It was migrated here as part of the provider split. The original body of the issue is below.


Hi,

I can't see any option for setting Locks on resources, i.e. we want to have a Resource Group in Azure for networking components and have it Locked so only Owners can manage it but Terraform doesn't seem to have this feature?

REST API documentation is here: https://azure.microsoft.com/en-gb/documentation/articles/resource-group-lock-resources/

Terraform Version

Terraform v0.7.7

Affected Resource(s)

  • azurerm_resource_group
  • any other resource that has the Locks options

Expected Behavior

Create locks for whichever resources need them.

@marsher
Copy link

marsher commented Jun 20, 2017

Is there any update on this resource?
Looks like Azure/azure-sdk-for-go#440 fixed issues preventing this, as mentioned in hashicorp/terraform#9768

@satishmohan
Copy link

Hi,
It would be good to have support for this - wondering if we can this fixed?

Thanks
Satish

@aarondav
Copy link

+1

@whytoe
Copy link
Contributor

whytoe commented Oct 16, 2017

@tombuildsstuff Can you take a peek at this, it appears to be in a stale state? You have been greatly helpful in the past 🥇

@thepaddon
Copy link

Us too; I would like the option to lock the RG and public IPs as our supplier needs to whitelist if they change. Locking would prevent accidental destruction

@retheshnair
Copy link

We will like have this feature soon .

@tombuildsstuff tombuildsstuff self-assigned this Nov 18, 2017
tombuildsstuff added a commit that referenced this issue Nov 18, 2017
Note: As the Subscription specific Locks will break other tests; these tests need to be run individually.
As such I've introduced the `TF_ACC_SUBSCRIPTION_PARALLEL_LOCK`  environment variable for this purpose.

Tests pass:

```
$ TF_ACC_SUBSCRIPTION_PARALLEL_LOCK=1 acctests azurerm TestAccAzureRMManagementLock_
=== RUN   TestAccAzureRMManagementLock_importResourceGroupReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_importResourceGroupReadOnlyBasic (61.52s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupReadOnlyComplete
--- PASS: TestAccAzureRMManagementLock_importResourceGroupReadOnlyComplete (58.75s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteBasic (53.38s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteComplete
--- PASS: TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteComplete (46.87s)
=== RUN   TestAccAzureRMManagementLock_importPublicIPCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_importPublicIPCanNotDeleteBasic (80.46s)
=== RUN   TestAccAzureRMManagementLock_importPublicIPReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_importPublicIPReadOnlyBasic (68.53s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_resourceGroupReadOnlyBasic (61.24s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupReadOnlyComplete
--- PASS: TestAccAzureRMManagementLock_resourceGroupReadOnlyComplete (64.10s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_resourceGroupCanNotDeleteBasic (72.49s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupCanNotDeleteComplete
--- PASS: TestAccAzureRMManagementLock_resourceGroupCanNotDeleteComplete (113.71s)
=== RUN   TestAccAzureRMManagementLock_publicIPReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_publicIPReadOnlyBasic (64.05s)
=== RUN   TestAccAzureRMManagementLock_publicIPCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_publicIPCanNotDeleteBasic (94.53s)
=== RUN   TestAccAzureRMManagementLock_subscriptionReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_subscriptionReadOnlyBasic (17.98s)
=== RUN   TestAccAzureRMManagementLock_subscriptionCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_subscriptionCanNotDeleteBasic (15.20s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    872.839s
```

Fixes #23
@tombuildsstuff
Copy link
Contributor

👋 everybody

I had a couple of hours to spare this morning - so I've added support for Management Locks in PR #575 - which supports Locks at the Subscription, Resource Group and Resource levels.

Thanks!

@retheshnair
Copy link

Great @tombuildsstuff . you are always there to help. wonderful ..

sebastus added a commit to sebastus/terraform-provider-azurerm that referenced this issue Dec 8, 2017
* Provision sample for ASP.NET on azure_rm_app_service

* Added vnet datasource

* add identity property to vm

* refactor, tests and docs

* added vnet_peering

* changing to TypeMap

* Updating the Provider block

* Variable consistency and removing unused variables

* Changed to azure_virtual_network, added crash control and added documentation.

* vmss: Support for updating the customData field

Fixes hashicorp#61
Fixes hashicorp#490

* Updating to include hashicorp#559

* Support for Auto Inflating

```
$ acctests azurerm TestAccAzureRMEventHubNamespace_maximumThroughputUnits
=== RUN   TestAccAzureRMEventHubNamespace_maximumThroughputUnits
--- PASS: TestAccAzureRMEventHubNamespace_maximumThroughputUnits (202.41s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    202.432s
```

* New Resource: `azurerm_network_watcher`

```
$ acctests azurerm TestAccAzureRMNetworkWatcher_
=== RUN   TestAccAzureRMNetworkWatcher_importBasic
--- PASS: TestAccAzureRMNetworkWatcher_importBasic (75.79s)
=== RUN   TestAccAzureRMNetworkWatcher_importComplete
--- PASS: TestAccAzureRMNetworkWatcher_importComplete (69.85s)
=== RUN   TestAccAzureRMNetworkWatcher_basic
--- PASS: TestAccAzureRMNetworkWatcher_basic (69.62s)
=== RUN   TestAccAzureRMNetworkWatcher_complete
--- PASS: TestAccAzureRMNetworkWatcher_complete (72.16s)
=== RUN   TestAccAzureRMNetworkWatcher_update
--- PASS: TestAccAzureRMNetworkWatcher_update (81.75s)
=== RUN   TestAccAzureRMNetworkWatcher_disappears
--- PASS: TestAccAzureRMNetworkWatcher_disappears (94.38s)
PASS
ok
```

* Updating to include hashicorp#569

* Hotfix: upgrade packages under go-autorest to be v9.4.1.

Intergrate with latest version of go-autorest to read access tokens through new way
customized through environment variable. The old behavior on local shell will be kept.

Notice: for Azure Cloud Shell user, please make sure that they're using latest patched
provider.

* Vendoring the Locks SDK

* New Resource: `azurerm_management_lock`

Note: As the Subscription specific Locks will break other tests; these tests need to be run individually.
As such I've introduced the `TF_ACC_SUBSCRIPTION_PARALLEL_LOCK`  environment variable for this purpose.

Tests pass:

```
$ TF_ACC_SUBSCRIPTION_PARALLEL_LOCK=1 acctests azurerm TestAccAzureRMManagementLock_
=== RUN   TestAccAzureRMManagementLock_importResourceGroupReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_importResourceGroupReadOnlyBasic (61.52s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupReadOnlyComplete
--- PASS: TestAccAzureRMManagementLock_importResourceGroupReadOnlyComplete (58.75s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteBasic (53.38s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteComplete
--- PASS: TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteComplete (46.87s)
=== RUN   TestAccAzureRMManagementLock_importPublicIPCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_importPublicIPCanNotDeleteBasic (80.46s)
=== RUN   TestAccAzureRMManagementLock_importPublicIPReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_importPublicIPReadOnlyBasic (68.53s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_resourceGroupReadOnlyBasic (61.24s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupReadOnlyComplete
--- PASS: TestAccAzureRMManagementLock_resourceGroupReadOnlyComplete (64.10s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_resourceGroupCanNotDeleteBasic (72.49s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupCanNotDeleteComplete
--- PASS: TestAccAzureRMManagementLock_resourceGroupCanNotDeleteComplete (113.71s)
=== RUN   TestAccAzureRMManagementLock_publicIPReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_publicIPReadOnlyBasic (64.05s)
=== RUN   TestAccAzureRMManagementLock_publicIPCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_publicIPCanNotDeleteBasic (94.53s)
=== RUN   TestAccAzureRMManagementLock_subscriptionReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_subscriptionReadOnlyBasic (17.98s)
=== RUN   TestAccAzureRMManagementLock_subscriptionCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_subscriptionCanNotDeleteBasic (15.20s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    872.839s
```

Fixes hashicorp#23

* Updating to include hashicorp#573

* Updating to include hashicorp#571

* Adding validation for the locks name

Tests:
```
$ acctests azurerm TestValidateManagementLockName
=== RUN   TestValidateManagementLockName
--- PASS: TestValidateManagementLockName (0.00s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    0.020s
```

* Linting

* Updating to include hashicorp#575

* Updating the changelog for consistency

* removed tabs, used spaces

* add test for issue hashicorp#450

* Updated the way user agent string gets assigned.

* Changed code to make it more readable.

* pr tweaks

* Avoid out of index errors when flattening image data disks.

* Updating to include hashicorp#587

* Updating to include hashicorp#589

* Conditional loading of the Subscription ID / Tenant ID / Environment

* Refactoring the provider block to support determining the TenantID/Environment from the SubscriptionID

Splitting out the authentication logic into a helpers folder
Also adding unit tests for these - which pass:

```
$ go test . -v
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidDate
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidDate (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_Expired
2017/11/30 15:02:01 [DEBUG] Token "7cabcf30-8dca-43f9-91e6-fd56dfb8632f" has expired
--- PASS: TestAzureFindValidAccessTokenForTenant_Expired (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ExpiringIn
--- PASS: TestAzureFindValidAccessTokenForTenant_ExpiringIn (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain
2017/11/30 15:02:01 [DEBUG] Resource "https://portal.azure.com/" isn't a management domain
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_DifferentTenant
2017/11/30 15:02:01 [DEBUG] Resource "https://management.core.windows.net/" isn't for the correct Tenant
--- PASS: TestAzureFindValidAccessTokenForTenant_DifferentTenant (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_NoTokens
--- PASS: TestAzureFindValidAccessTokenForTenant_NoTokens (0.00s)
=== RUN   TestAzureCLIProfileFindDefaultSubscription
--- PASS: TestAzureCLIProfileFindDefaultSubscription (0.00s)
=== RUN   TestAzureCLIProfileFindSubscription
--- PASS: TestAzureCLIProfileFindSubscription (0.00s)
=== RUN   TestAzurePopulateSubscriptionFromCLIProfile_Missing
--- PASS: TestAzurePopulateSubscriptionFromCLIProfile_Missing (0.00s)
=== RUN   TestAzurePopulateSubscriptionFromCLIProfile_NoDefault
--- PASS: TestAzurePopulateSubscriptionFromCLIProfile_NoDefault (0.00s)
=== RUN   TestAzurePopulateSubscriptionFromCLIProfile_Default
--- PASS: TestAzurePopulateSubscriptionFromCLIProfile_Default (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Empty
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Empty (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_MissingSubscription
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_MissingSubscription (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateEnvironment
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateEnvironment (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_NormaliseAndPopulateEnvironment
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_NormaliseAndPopulateEnvironment (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateTenantId
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateTenantId (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Complete
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Complete (0.00s)
=== RUN   TestAzurePopulateFromAccessToken_Missing
--- PASS: TestAzurePopulateFromAccessToken_Missing (0.00s)
=== RUN   TestAzurePopulateFromAccessToken_Exists
--- PASS: TestAzurePopulateFromAccessToken_Exists (0.00s)
=== RUN   TestAzureEnvironmentNames
--- PASS: TestAzureEnvironmentNames (0.00s)
=== RUN   TestAzureValidateBearerAuth
--- PASS: TestAzureValidateBearerAuth (0.00s)
=== RUN   TestAzureValidateServicePrincipal
--- PASS: TestAzureValidateServicePrincipal (0.00s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/authentication    0.012s
```

* Fixing the build

* Remove the field marked as "Removed" according to hashicorp#572.

* Upgrading to v11.2.2-beta of the Azure SDK for Go

* Updating to include hashicorp#593

* Fixing the Management Lock validation

* Adding a default value for the identity field

* Updating to include hashicorp#482

* Updating to include hashicorp#574

* Adding settings to the hash

Test passes:

```
$ acctests azurerm TestAccAzureRMVirtualMachineScaleSet_extensionUpdate
=== RUN   TestAccAzureRMVirtualMachineScaleSet_extensionUpdate
--- PASS: TestAccAzureRMVirtualMachineScaleSet_extensionUpdate (593.13s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    593.153s
```

* Updating to include hashicorp#609

* Local Network Gateways: support for BGP Settings

```
$ acctests azurerm TestAccAzureRMLocalNetworkGateway_
=== RUN   TestAccAzureRMLocalNetworkGateway_importBasic
--- PASS: TestAccAzureRMLocalNetworkGateway_importBasic (82.23s)
=== RUN   TestAccAzureRMLocalNetworkGateway_basic
--- PASS: TestAccAzureRMLocalNetworkGateway_basic (81.29s)
=== RUN   TestAccAzureRMLocalNetworkGateway_disappears
--- PASS: TestAccAzureRMLocalNetworkGateway_disappears (79.17s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettings
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettings (78.70s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettingsDisable
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettingsDisable (96.18s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettingsEnable
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettingsEnable (97.39s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettingsComplete
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettingsComplete (79.68s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    594.680s
```

* Refactoring

* Adding an import test for BGP Settings:

```
$ acctests azurerm TestAccAzureRMLocalNetworkGateway_importBGPSettingsComplete
=== RUN   TestAccAzureRMLocalNetworkGateway_importBGPSettingsComplete
--- PASS: TestAccAzureRMLocalNetworkGateway_importBGPSettingsComplete (80.96s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    80.987s
```

* Splitting the data source out into it's own step

* Minor refactoring

* Updating to include hashicorp#533

* Exporting the Default Hostname field

* Updating the App Service example to be complete

This removes support for Publishing, since the SCM URL's aren't consistent across Sovereign Clouds (China/Germany/Govt etc)
Switches to using the new `default_site_hostname` field introduced in hashicorp#612 rather than assuming what it is

* Updating to include hashicorp#594

* Updating to include hashicorp#611

* Updating to include hashicorp#612

* Remove leading line break from key_vault_key docs

Leading line break causes page metadata to be ignored.
@ghost
Copy link

ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants