New Resource: Key Vault Access Policy #1149

Merged
merged 28 commits into from
Jul 9, 2018
223a5d8
Initial support for Azure Key Vault Policy resource
Apr 23, 2018
f8b19a5
Merge branch 'master' into feature/key_vault_policy
May 4, 2018
aae8844
Updated to fix the test broken from updating the source code. We don…
May 4, 2018
24df15d
Addressed PR comments
May 8, 2018
000963e
Return nil on a delete for the shared delete/update function
May 9, 2018
981dff0
Merge branch 'master' into feature/key_vault_policy
May 13, 2018
6490dad
Removed reference to old code
May 14, 2018
56dadaa
Starting to address PR comments
May 23, 2018
2422a1f
Starting to address PR comments
May 23, 2018
4638772
Working my way through the PR comments
May 25, 2018
2c81721
Fixed some of the tests
May 29, 2018
2813a05
Ran make fmt
May 29, 2018
e9d1989
Fixed website links
May 29, 2018
2e83293
Updated route test to fail
Jun 5, 2018
0484bcf
Updated to support importing an access policy
Jun 7, 2018
bc13b6d
Updated to support importing of the resource and some enhanced tests
Jun 8, 2018
cea6c60
Reverted route_test to not fail for this pr
Jun 8, 2018
ee1dcac
Working through pr comments
Jun 9, 2018
e3d2c3d
Merge branch 'master' into feature/key_vault_policy
Jun 9, 2018
4c618a2
Updated for PR comments as well as added several unittests for the ke…
Jun 22, 2018
7ac2e22
Merge branch 'master' into feature/key_vault_policy
Jun 29, 2018
17f46df
Ran make fmt
Jun 29, 2018
f500bab
Merge branch 'master' into feature/key_vault_policy
tombuildsstuff Jul 6, 2018
44b64a0
Refactoring the helpers into the `helpers/schema` folder
tombuildsstuff Jul 6, 2018
50e2837
Adding import tests / clarifying the import docs
tombuildsstuff Jul 6, 2018
0ea420a
Handling the case of an AppID and no AppID being specified / refactor…
tombuildsstuff Jul 9, 2018
56ae66b
Fixing the error message
tombuildsstuff Jul 9, 2018
aa2d2b0
Documentation fixes
tombuildsstuff Jul 9, 2018
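--- a/azurerm/key_vault_policy.go
+++ b/azurerm/key_vault_policy.go
@@ -0,0 +1,84 @@
+package azurerm
+
+import (
+"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2016-10-01/keyvault"
+"github.com/hashicorp/terraform/helper/schema"
+"github.com/hashicorp/terraform/helper/validation"
+)
+
+func keyPermissionsSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Required: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.KeyPermissionsBackup),
+string(keyvault.KeyPermissionsCreate),
+string(keyvault.KeyPermissionsDecrypt),
+string(keyvault.KeyPermissionsDelete),
+string(keyvault.KeyPermissionsEncrypt),
+string(keyvault.KeyPermissionsGet),
+string(keyvault.KeyPermissionsImport),
+string(keyvault.KeyPermissionsList),
+string(keyvault.KeyPermissionsPurge),
+string(keyvault.KeyPermissionsRecover),
+string(keyvault.KeyPermissionsRestore),
+string(keyvault.KeyPermissionsSign),
+string(keyvault.KeyPermissionsUnwrapKey),
+string(keyvault.KeyPermissionsUpdate),
+string(keyvault.KeyPermissionsVerify),
+string(keyvault.KeyPermissionsWrapKey),
+}, true),
+DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+},
+}
+}
+
+func secretPermissionsSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Required: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.SecretPermissionsBackup),
+string(keyvault.SecretPermissionsDelete),
+string(keyvault.SecretPermissionsGet),
+string(keyvault.SecretPermissionsList),
+string(keyvault.SecretPermissionsPurge),
+string(keyvault.SecretPermissionsRecover),
+string(keyvault.SecretPermissionsRestore),
+string(keyvault.SecretPermissionsSet),
+}, true),
+DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+},
+}
+}
+
+func certificatePermissionsSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.Create),
+string(keyvault.Delete),
+string(keyvault.Deleteissuers),
+string(keyvault.Get),
+string(keyvault.Getissuers),
+string(keyvault.Import),
+string(keyvault.List),
+string(keyvault.Listissuers),
+string(keyvault.Managecontacts),
+string(keyvault.Manageissuers),
+string(keyvault.Purge),
+string(keyvault.Recover),
+string(keyvault.Setissuers),
+string(keyvault.Update),
+}, true),
+DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+},
+}
+}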
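Review bot: keyPermissionsSchema, secretPermissionsSchema and certificatePermissionsSchema carry no doc comments, and their three bodies differ only in the Required/Optional flag and the allowed-value list, so the list/element/ValidateFunc/DiffSuppressFunc boilerplate is written out three times. One private helper taking the flag and the allowed values would reduce each of them to a single call and give one documented place for the fact that values are validated case-insensitively (the `true` argument to StringInSlice) and diffed case-insensitively. Separately, key_permissions and secret_permissions are Required while certificate_permissions is Optional; if these helpers also back the standalone access-policy resource, a policy meant to grant only certificate access presumably has to declare key and secret permissions it does not need, which works against the least-privilege grants a per-principal policy is for — worth confirming that an empty list is accepted there, or making the three consistent.
```go
// permissionsSchema returns the schema for one permission list: a list of
// strings restricted to allowed (matched case-insensitively, and diffed
// case-insensitively via ignoreCaseDiffSuppressFunc), required when
// required is set and optional otherwise.
func permissionsSchema(required bool, allowed []string) *schema.Schema {
	return &schema.Schema{
		Type:     schema.TypeList,
		Required: required,
		Optional: !required,
		Elem: &schema.Schema{
			Type:             schema.TypeString,
			ValidateFunc:     validation.StringInSlice(allowed, true),
			DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
		},
	}
}

// keyPermissionsSchema is the required list of key permissions an access policy grants.
func keyPermissionsSchema() *schema.Schema {
	return permissionsSchema(true, []string{
		// … unchanged: the keyvault.KeyPermissions* values …
	})
}
// … unchanged: secretPermissionsSchema / certificatePermissionsSchema follow the same shape …
```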
1 change: 1 addition & 0 deletions azurerm/provider.go
Expand Up @@ -151,6 +151,7 @@ func Provider() terraform.ResourceProvider {
"azurerm_key_vault_certificate": resourceArmKeyVaultCertificate(),
"azurerm_key_vault_key": resourceArmKeyVaultKey(),
"azurerm_key_vault_secret": resourceArmKeyVaultSecret(),
"azurerm_key_vault_policy": resourceArmKeyVaultPolicy(),
can we rename this from azurerm_key_vault_policy -> azurerm_key_vault_access_policy? "Policy" is pretty generic, so I'm concerned this could conflict in the future

I actually was expecting this one and told my team I didn't want to build support for this resource into anything until the review since I thought we would need to rename it. I really should have named this azurerm_key_vault_access_policy from the start. I apologize for not doing this.

"azurerm_kubernetes_cluster": resourceArmKubernetesCluster(),
"azurerm_lb": resourceArmLoadBalancer(),
"azurerm_lb_backend_address_pool": resourceArmLoadBalancerBackendAddressPool(),
124 changes: 3 additions & 121 deletions azurerm/resource_arm_key_vault.go
Expand Up @@ -76,7 +76,6 @@ func resourceArmKeyVault() *schema.Resource {
"access_policy": {
Type: schema.TypeList,
Optional: true,
MinItems: 1,
MaxItems: 16,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
Expand All @@ -95,74 +94,9 @@ func resourceArmKeyVault() *schema.Resource {
Optional: true,
ValidateFunc: validateUUID,
},
"certificate_permissions": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.Create),
string(keyvault.Delete),
string(keyvault.Deleteissuers),
string(keyvault.Get),
string(keyvault.Getissuers),
string(keyvault.Import),
string(keyvault.List),
string(keyvault.Listissuers),
string(keyvault.Managecontacts),
string(keyvault.Manageissuers),
string(keyvault.Purge),
string(keyvault.Recover),
string(keyvault.Setissuers),
string(keyvault.Update),
}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
},
},
"key_permissions": {
Type: schema.TypeList,
Required: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.KeyPermissionsBackup),
string(keyvault.KeyPermissionsCreate),
string(keyvault.KeyPermissionsDecrypt),
string(keyvault.KeyPermissionsDelete),
string(keyvault.KeyPermissionsEncrypt),
string(keyvault.KeyPermissionsGet),
string(keyvault.KeyPermissionsImport),
string(keyvault.KeyPermissionsList),
string(keyvault.KeyPermissionsPurge),
string(keyvault.KeyPermissionsRecover),
string(keyvault.KeyPermissionsRestore),
string(keyvault.KeyPermissionsSign),
string(keyvault.KeyPermissionsUnwrapKey),
string(keyvault.KeyPermissionsUpdate),
string(keyvault.KeyPermissionsVerify),
string(keyvault.KeyPermissionsWrapKey),
}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
},
},
"secret_permissions": {
Type: schema.TypeList,
Required: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.SecretPermissionsBackup),
string(keyvault.SecretPermissionsDelete),
string(keyvault.SecretPermissionsGet),
string(keyvault.SecretPermissionsList),
string(keyvault.SecretPermissionsPurge),
string(keyvault.SecretPermissionsRecover),
string(keyvault.SecretPermissionsRestore),
string(keyvault.SecretPermissionsSet),
}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
},
},
"certificate_permissions": certificatePermissionsSchema(),
"key_permissions": keyPermissionsSchema(),
"secret_permissions": secretPermissionsSchema(),
},
},
},
Expand Down Expand Up @@ -283,7 +217,6 @@ func resourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
d.Set("enabled_for_disk_encryption", resp.Properties.EnabledForDiskEncryption)
d.Set("enabled_for_template_deployment", resp.Properties.EnabledForTemplateDeployment)
d.Set("sku", flattenKeyVaultSku(resp.Properties.Sku))
d.Set("access_policy", flattenKeyVaultAccessPolicies(resp.Properties.AccessPolicies))
d.Set("vault_uri", resp.Properties.VaultURI)

flattenAndSetTags(d, resp.Tags)
Expand Down Expand Up @@ -377,62 +310,11 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} {
return []interface{}{result}
}

func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []interface{} {
@monkey-jeff monkey-jeff Apr 25, 2018
This was removed because it was only being used in a refresh. Refreshing the access policies on the key vault resource causes a fight between key vault and key vault policy over ownership of the resource (basically, doing this during a key vault refresh makes it want to remove resources created by a key vault policy).

I note this because the merge conflict is now due to content that has been changed in the function I had removed.

that's intentional - we can instead make the field access_policy Optional + Computed - which means that the value will be used from the API unless it's set locally (in which case diffs will be detected)

result := make([]interface{}, 0, len(*policies))

if policies == nil {
return result
}

for _, policy := range *policies {
policyRaw := make(map[string]interface{})

keyPermissionsRaw := make([]interface{}, 0)
secretPermissionsRaw := make([]interface{}, 0)
certificatePermissionsRaw := make([]interface{}, 0)

if permissions := policy.Permissions; permissions != nil {
if keys := permissions.Keys; keys != nil {
for _, keyPermission := range *keys {
keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission))
}
}
if secrets := permissions.Secrets; secrets != nil {
for _, secretPermission := range *secrets {
secretPermissionsRaw = append(secretPermissionsRaw, string(secretPermission))
}
}

if certificates := permissions.Certificates; certificates != nil {
for _, certificatePermission := range *certificates {
certificatePermissionsRaw = append(certificatePermissionsRaw, string(certificatePermission))
}
}
}

policyRaw["tenant_id"] = policy.TenantID.String()
if policy.ObjectID != nil {
policyRaw["object_id"] = *policy.ObjectID
}
if policy.ApplicationID != nil {
policyRaw["application_id"] = policy.ApplicationID.String()
}
policyRaw["key_permissions"] = keyPermissionsRaw
policyRaw["secret_permissions"] = secretPermissionsRaw
policyRaw["certificate_permissions"] = certificatePermissionsRaw

result = append(result, policyRaw)
}

return result
}

func validateKeyVaultName(v interface{}, k string) (ws []string, errors []error) {
value := v.(string)
if matched := regexp.MustCompile(`^[a-zA-Z0-9-]{3,24}$`).Match([]byte(value)); !matched {
errors = append(errors, fmt.Errorf("%q may only contain alphanumeric characters and dashes and must be between 3-24 chars", k))
}

return
}
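Review bot: The removal of `d.Set("access_policy", flattenKeyVaultAccessPolicies(resp.Properties.AccessPolicies))` in the hunk at -283,7 +217,6 leaves resourceArmKeyVaultRead with no trace of why the vault's access policies are no longer read back, so a later maintainer is likely to re-add the line; the body of resourceArmKeyVaultRead starts and ends outside the hunk. A short comment at that spot would record the intent, e.g. `// access_policy is intentionally not refreshed from the API: the same policies may be managed by the key vault policy resource, and reading them back here makes the two resources fight over ownership.` It is also worth stating in the resource documentation that, with this change, access policies added or altered outside Terraform are no longer surfaced by a plan of this resource, since the state stops tracking who has been granted access to the vault.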
