-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Resource: azurerm_kusto_database_principal #4414
Comments
After a first look at the Azure SDK for Go implementation, I'm more into an implementation that adds principals in the context of the resource resource "azurerm_kusto_database" "database" {
name = "my-kusto-database"
resource_group_name = "my-kusto-rg"
location = "northeurope"
cluster_name = azurerm_kusto_cluster.cluster.name
soft_delete_period = "P365D" # optional
hot_cache_period = "P31D" # optional
permissions = [{
name = "some_app_principal"
role = "Admin"
type = "App"
app_id = "some_guid_app_id"
fqn = "aadapp=some_guid_app_id"
}]
} @r0bnet Can you maybe give some feedback? |
Hey @jrauschenbusch, |
Ok, which presented option of @tracypholmes do you mean? I already started with the implementation of the dedicated resource based principal approach. A first insight was that it's not an dedicated principal which shall created but more a permission assignment which is applied for an already created/existing principal. Hence i think it should be better called The following 3 API methods must be sufficient to solve all aspects:
But maybe it's easier to solve than i think 🤷♂ |
Sorry, it was a mistake by me. I'm in favor of your first implementation to have a separate resource and not to add it to the database resource itself. Regarding the implementation you're probably right. You probably have to remove and set them new each time you update the resource (if the permissions changed). You might have no choice but to inline it. Forgot about this implementation detail you mentioned unfortunately. |
I've created a ticket on the azure-rest-api-specs repo to clarify the question why the API for permissions is not resource-based. Maybe there will be some feedback which helps to define which approach fits best. If the API stays as it is i would prefer the inlined design, as currently a permission is only uniquely identifiable via multiple properties (subscription, resourceGroup, kusto_cluster, kusto_database, role & fqn). Especially the required combination of |
Hey @r0bnet Although i think the Azure Kusto API for Database Permissions will not change that fast (or if ever) i tried to create an initial resource-based implementation: It's working. I've used the artificial id pattern as described in last post. Not that optimal, but i didn't found another way to solve the unique id problem. Maybe you can give some feedback about the implementation details. Interestingly enough, my API design questions regarding the list of required attributes in the azure-rest-api-specs repo is already implemented in some way, as correct values are only required for the FQN and Role attributes. Although all other values must be present in the HTTP request, they are apparently derived from the FQN in the Azure backend. |
@jrauschenbusch / @r0bnet - Are either of you working on this? I have a use case for this resource and can try implementing it if you haven't already. |
@Brunhil I started with a resource implementation (see my last posted link) But as there is no dedicated Kusto principal resource on the Azure API it’s hard to fit it to the concept of a terraform resource. The way with an artificial namespace is imho a little bit hacky. After having a first draft of a dedicated resource i think it would be better to use an embedded a principal attribute inside the kusto_database resource to be able to use the DB namespace to store the state. Regarding your question: I‘ll proceed on this after my honeymoon. Cheers from Maui 😊 |
As promised here the initial Usage:
As the implementation is based on the database resource, the diff of principalsToAdd and principalsToDelete has to be implemented in the database provider. Using a dedicated kusto principal resource, this would be totally handled by terraform. Maybe @Brunhil and @r0bnet can have a final look over both approaches to vote for the best of both:
or
|
Hey @jrauschenbusch, I'd like to throw my hat into this as well and suggest going with a separate resource even though the sdk/api isn't a perfect match for the Terraform model. We've done this type of setup before with other resources recently (see iothub_route). |
Hey @jrauschenbusch, how're we looking for this resource? I've got some time to work on it if you wanted an extra pair of hands |
Hey @mbfrahry, Thank you for driving this topic, and finally to a mergable state. Unfortunately, I did not have the time to continue. But I'm really glad that maybe it will be released with v1.40.0. |
Fixed via #5242 which will ship as a part of v1.40 in the near future |
This has been released in version 1.40.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 1.40.0"
}
# ... other configuration ... |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
Community Note
Description
Currently there is no out-of-the-box solution to manage Kusto database principals within terraform. I suggest to add a new resource which enables this feature.
New or Affected Resource(s)
Potential Terraform Configuration
References
The text was updated successfully, but these errors were encountered: