From e392e6af27ef56681a8d56967cc560b35b640f77 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Fri, 4 May 2018 11:18:09 +0100 Subject: [PATCH 1/8] New Data Source: `azurerm_key_vault_secret` Fixes #606 --- azurerm/data_source_key_vault_secret.go | 81 +++++++++++++++++++ azurerm/data_source_key_vault_secret_test.go | 78 ++++++++++++++++++ azurerm/provider.go | 1 + website/azurerm.erb | 4 + website/docs/d/key_vault_secret.html.markdown | 44 ++++++++++ website/docs/r/key_vault_secret.html.markdown | 2 +- 6 files changed, 209 insertions(+), 1 deletion(-) create mode 100644 azurerm/data_source_key_vault_secret.go create mode 100644 azurerm/data_source_key_vault_secret_test.go create mode 100644 website/docs/d/key_vault_secret.html.markdown diff --git a/azurerm/data_source_key_vault_secret.go b/azurerm/data_source_key_vault_secret.go new file mode 100644 index 000000000000..8874d6ed2e89 --- /dev/null +++ b/azurerm/data_source_key_vault_secret.go 
@@ -0,0 +1,81 @@
+package azurerm
+
+import (
+ "fmt"
+
+ "github.com/hashicorp/terraform/helper/schema"
+ "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func dataSourceArmKeyVaultSecret() *schema.Resource {
+ return &schema.Resource{
+ Read: dataSourceArmKeyVaultSecretRead,
+
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+
+ "vault_uri": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+
+ "value": {
+ Type: schema.TypeString,
+ Computed: true,
+ Sensitive: true,
+ },
+
+ "content_type": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "version": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "tags": tagsForDataSourceSchema(),
+ },
+ }
+}
+
+func dataSourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) error {
+ client := meta.(*ArmClient).keyVaultManagementClient
+ ctx := meta.(*ArmClient).StopContext
+
+ id, err := parseKeyVaultChildID(d.Id())
+ if err != nil {
+ return err
+ }
+
+ // we always want to get the latest version
+ resp, err := client.GetSecret(ctx, id.KeyVaultBaseUrl, id.Name, "")
+ if err != nil {
+ if utils.ResponseWasNotFound(resp.Response) {
+ d.SetId("")
+ return nil
+ }
+ return fmt.Errorf("Error making Read request on Azure KeyVault Secret %s: %+v", id.Name, err)
+ }
+
+ // the version may have changed, so parse the updated id
+ respID, err := parseKeyVaultChildID(*resp.ID)
+ if err != nil {
+ return err
+ }
+
+ d.Set("name", respID.Name)
+ d.Set("vault_uri", respID.KeyVaultBaseUrl)
+ d.Set("value", resp.Value)
+ d.Set("version", respID.Version)
+ d.Set("content_type", resp.ContentType)
+
+ flattenAndSetTags(d, resp.Tags)
+ return nil
+}
diff --git a/azurerm/data_source_key_vault_secret_test.go b/azurerm/data_source_key_vault_secret_test.go
new file mode 100644
index 000000000000..ecd84aed825a
--- /dev/null
+++ b/azurerm/data_source_key_vault_secret_test.go
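Review bot: `parseKeyVaultChildID(*resp.ID)` in `dataSourceArmKeyVaultSecretRead` dereferences `resp.ID` with no nil check, so a response that carries no ID panics the provider instead of surfacing an error; add `if resp.ID == nil { return fmt.Errorf("KeyVault Secret %q returned no ID", id.Name) }` ahead of it. The same unguarded `*resp.ID` appears again in the `d.SetId(*resp.ID)` lines patch 5 of this series adds to this function and to `dataSourceArmKeyVaultRead`. Separately, `ForceNew: true` on `name` and `vault_uri` appears to have no effect on a data source, which has no update lifecycle, and reads as carried over from the resource schema; dropping it keeps the schema honest about what it does.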
@@ -0,0 +1,78 @@
+package azurerm
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform-website/ext/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceAzureRMKeyVaultSecret_basic(t *testing.T) {
+ dataSourceName := "data.azurerm_key_vault_secret.test"
+
+ rString := acctest.RandString(8)
+ location := testLocation()
+ config := testAccDataSourceKeyVaultSecret_basic(rString, location)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(dataSourceName, "value", "rick-and-morty"),
+ resource.TestCheckResourceAttr(dataSourceName, "tags.%", "0"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccDataSourceAzureRMKeyVaultSecret_complete(t *testing.T) {
+ dataSourceName := "data.azurerm_key_vault_secret.test"
+
+ rString := acctest.RandString(8)
+ location := testLocation()
+ config := testAccDataSourceKeyVaultSecret_complete(rString, location)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(dataSourceName, "value", ""),
+ resource.TestCheckResourceAttr(dataSourceName, "tags.%", "1"),
+ resource.TestCheckResourceAttr(dataSourceName, "tags.hello", "world"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccDataSourceKeyVaultSecret_basic(rString string, location string) string {
+ resource := testAccAzureRMKeyVaultSecret_basic(rString, location)
+ return fmt.Sprintf(`
+%s
+
+data "azurerm_key_vault_secret" "test" {
+ name = "${azurerm_key_vault_secret.test.name}"
+ vault_uri = "${azurerm_key_vault_secret.test.vault_uri}"
+}
+`, resource)
+}
+
+func testAccDataSourceKeyVaultSecret_complete(rString string, location string) string {
+ resource := 
testAccAzureRMKeyVaultSecret_complete(rString, location) + return fmt.Sprintf(` +%s + +data "azurerm_key_vault_secret" "test" { + name = "${azurerm_key_vault_secret.test.name}" + vault_uri = "${azurerm_key_vault_secret.test.vault_uri}" +} +`, resource) +} diff --git a/azurerm/provider.go b/azurerm/provider.go index 13388cb2e9a4..ca403dbd3efc 100644 --- a/azurerm/provider.go +++ b/azurerm/provider.go @@ -87,6 +87,7 @@ func Provider() terraform.ResourceProvider { "azurerm_eventhub_namespace": dataSourceEventHubNamespace(), "azurerm_image": dataSourceArmImage(), "azurerm_key_vault_access_policy": dataSourceArmKeyVaultAccessPolicy(), + "azurerm_key_vault_secret": dataSourceArmKeyVaultSecret(), "azurerm_managed_disk": dataSourceArmManagedDisk(), "azurerm_network_interface": dataSourceArmNetworkInterface(), "azurerm_network_security_group": dataSourceArmNetworkSecurityGroup(), diff --git a/website/azurerm.erb b/website/azurerm.erb index f52739eeb4cf..7ee9c3f247bc 100644 --- a/website/azurerm.erb +++ b/website/azurerm.erb @@ -67,6 +67,10 @@ azurerm_key_vault_access_policy + > + azurerm_key_vault_secret + + > azurerm_managed_disk diff --git a/website/docs/d/key_vault_secret.html.markdown b/website/docs/d/key_vault_secret.html.markdown new file mode 100644 index 000000000000..d19ff5a29665 --- /dev/null +++ b/website/docs/d/key_vault_secret.html.markdown 
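Review bot: In `testAccDataSourceKeyVaultSecret_basic` the local `resource := testAccAzureRMKeyVaultSecret_basic(rString, location)` shadows the imported `resource` package for the rest of that function; it builds only because nothing after that line calls into the package, and the next `resource.` call added there will fail to compile. Rename the local, e.g. `template := testAccAzureRMKeyVaultSecret_basic(rString, location)` and `` `, template) ``. The same shadowing is in `testAccDataSourceKeyVaultSecret_complete` in this hunk and in both config helpers of `data_source_key_vault_test.go` in patch 3 of this series.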
@@ -0,0 +1,44 @@
+---
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_key_vault_secret"
+sidebar_current: "docs-azurerm-data-source-key-vault-secret"
+description: |-
+ Returns information about the specified Key Vault Secret.
+
+---
+
+# azurerm_key_vault_secret
+
+Returns information about the specified Key Vault Secret.
+
+## Example Usage
+
+```hcl
+data "azurerm_key_vault_secret" "test" {
+ name = "secret-sauce"
+ vault_uri = "${azurerm_key_vault.test.vault_uri}"
+}
+
+output "secret_value" {
+ value = "${data.azurerm_key_vault_secret.test.value}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) Specifies the name of the Key Vault Secret.
+
+* `vault_uri` - (Required) Specifies the URI used to access the Key Vault instance, available on the `azurerm_key_vault` Data Source / Resource.
+
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The Key Vault Secret ID.
+* `value` - The value of the Key Vault Secret
+* `version` - The current version of the Key Vault Secret.
+* `content_type` - The content type for the Key Vault Secret.
+* `tags` - Any tags assigned to this resource.
diff --git a/website/docs/r/key_vault_secret.html.markdown b/website/docs/r/key_vault_secret.html.markdown
index 1de6e5a2477c..ea8557b63635 100644
--- a/website/docs/r/key_vault_secret.html.markdown
+++ b/website/docs/r/key_vault_secret.html.markdown
@@ -7,7 +7,7 @@ description: |- --- -# azurerm\_key\_vault\_secret +# azurerm_key_vault_secret Manages a Key Vault Secret. From ce1ecee3434d5dcc434feee6c98d4f8ebef5979d Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Fri, 4 May 2018 11:20:04 +0100 Subject: [PATCH 2/8] Adding disclaimers about sensitive values in the state --- website/docs/d/key_vault_secret.html.markdown | 5 ++++- website/docs/r/key_vault_secret.html.markdown | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) 
diff --git a/website/docs/d/key_vault_secret.html.markdown b/website/docs/d/key_vault_secret.html.markdown index d19ff5a29665..0cc4685e48ba 100644 --- a/website/docs/d/key_vault_secret.html.markdown +++ b/website/docs/d/key_vault_secret.html.markdown @@ -11,12 +11,15 @@ description: |- Returns information about the specified Key Vault Secret. +~> **Note:** All arguments including the secret value will be stored in the raw state as plain-text. +[Read more about sensitive data in state](/docs/state/sensitive-data.html). + ## Example Usage ```hcl data "azurerm_key_vault_secret" "test" { name = "secret-sauce" - vault_uri = "${azurerm_key_vault.test.vault_uri}" + vault_uri = "https://rickslab.vault.azure.net/" } output "secret_value" { diff --git a/website/docs/r/key_vault_secret.html.markdown b/website/docs/r/key_vault_secret.html.markdown index ea8557b63635..54df8eb22a24 100644 --- a/website/docs/r/key_vault_secret.html.markdown +++ b/website/docs/r/key_vault_secret.html.markdown @@ -11,6 +11,9 @@ description: |- Manages a Key Vault Secret. +~> **Note:** All arguments including the secret value will be stored in the raw state as plain-text. +[Read more about sensitive data in state](/docs/state/sensitive-data.html). + ## Example Usage ```hcl From 2da35ab81cfb07f09478ff9513bfc6c52b47ab89 Mon Sep 17 00:00:00 2001 
From: tombuildsstuff Date: Fri, 4 May 2018 11:50:06 +0100 Subject: [PATCH 3/8] New Data Source: `azurerm_key_vault --- azurerm/data_source_key_vault.go | 213 +++++++++++++++++++++++++ azurerm/data_source_key_vault_test.go | 90 +++++++++++ azurerm/import_arm_key_vault_test.go | 23 +++ azurerm/provider.go | 1 + azurerm/resource_arm_key_vault.go | 22 ++- azurerm/resource_arm_key_vault_test.go | 4 - website/azurerm.erb | 4 + website/docs/d/key_vault.html.markdown | 70 ++++++++ website/docs/r/key_vault.html.markdown | 10 +- 9 files changed, 420 insertions(+), 17 deletions(-) create mode 100644 azurerm/data_source_key_vault.go create mode 100644 azurerm/data_source_key_vault_test.go create mode 100644 website/docs/d/key_vault.html.markdown diff --git a/azurerm/data_source_key_vault.go b/azurerm/data_source_key_vault.go new file mode 100644 index 000000000000..46f868e72e79 --- /dev/null +++ b/azurerm/data_source_key_vault.go 
@@ -0,0 +1,213 @@
+package azurerm
+
+import (
+ "fmt"
+
+ "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2016-10-01/keyvault"
+ "github.com/hashicorp/terraform/helper/schema"
+ "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func dataSourceArmKeyVault() *schema.Resource {
+ return &schema.Resource{
+ Read: dataSourceArmKeyVaultRead,
+
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: validateKeyVaultName,
+ },
+
+ "resource_group_name": resourceGroupNameForDataSourceSchema(),
+
+ "location": locationForDataSourceSchema(),
+
+ "sku": {
+ Type: schema.TypeList,
+ Computed: true,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ },
+ },
+
+ "vault_uri": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "tenant_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "access_policy": {
+ Type: schema.TypeList,
+ Computed: true,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "tenant_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "object_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "application_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "certificate_permissions": {
+ Type: schema.TypeList,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "key_permissions": {
+ Type: schema.TypeList,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ "secret_permissions": {
+ Type: schema.TypeList,
+ Computed: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ },
+ },
+
+ "enabled_for_deployment": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
+
+ "enabled_for_disk_encryption": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
+
+ "enabled_for_template_deployment": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
+
+ "tags": 
tagsForDataSourceSchema(),
+ },
+ }
+}
+
+func dataSourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
+ client := meta.(*ArmClient).keyVaultClient
+ ctx := meta.(*ArmClient).StopContext
+
+ id, err := parseAzureResourceID(d.Id())
+ if err != nil {
+ return err
+ }
+ resGroup := id.ResourceGroup
+ name := id.Path["vaults"]
+
+ resp, err := client.Get(ctx, resGroup, name)
+ if err != nil {
+ if utils.ResponseWasNotFound(resp.Response) {
+ d.SetId("")
+ return nil
+ }
+ return fmt.Errorf("Error making Read request on KeyVault %q: %+v", name, err)
+ }
+
+ d.Set("name", resp.Name)
+ d.Set("resource_group_name", resGroup)
+ if location := resp.Location; location != nil {
+ d.Set("location", azureRMNormalizeLocation(*location))
+ }
+
+ if props := resp.Properties; props != nil {
+ d.Set("tenant_id", props.TenantID.String())
+ d.Set("enabled_for_deployment", props.EnabledForDeployment)
+ d.Set("enabled_for_disk_encryption", props.EnabledForDiskEncryption)
+ d.Set("enabled_for_template_deployment", props.EnabledForTemplateDeployment)
+ if err := d.Set("sku", flattenKeyVaultDataSourceSku(props.Sku)); err != nil {
+ return fmt.Errorf("Error flattening `sku` for KeyVault %q: %+v", resp.Name, err)
+ }
+ if err := d.Set("access_policy", flattenKeyVaultDataSourceAccessPolicies(props.AccessPolicies)); err != nil {
+ return fmt.Errorf("Error flattening `access_policy` for KeyVault %q: %+v", resp.Name, err)
+ }
+ d.Set("vault_uri", props.VaultURI)
+ }
+
+ flattenAndSetTags(d, resp.Tags)
+
+ return nil
+}
+
+func flattenKeyVaultDataSourceSku(sku *keyvault.Sku) []interface{} {
+ result := map[string]interface{}{
+ "name": string(sku.Name),
+ }
+
+ return []interface{}{result}
+}
+
+func flattenKeyVaultDataSourceAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []interface{} {
+ result := make([]interface{}, 0, len(*policies))
+
+ if policies == nil {
+ return result
+ }
+
+ for _, policy := range *policies {
+ policyRaw := make(map[string]interface{})
+
+ 
keyPermissionsRaw := make([]interface{}, 0)
+ secretPermissionsRaw := make([]interface{}, 0)
+ certificatePermissionsRaw := make([]interface{}, 0)
+
+ if permissions := policy.Permissions; permissions != nil {
+ if keys := permissions.Keys; keys != nil {
+ for _, keyPermission := range *keys {
+ keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission))
+ }
+ }
+ if secrets := permissions.Secrets; secrets != nil {
+ for _, secretPermission := range *secrets {
+ secretPermissionsRaw = append(secretPermissionsRaw, string(secretPermission))
+ }
+ }
+
+ if certificates := permissions.Certificates; certificates != nil {
+ for _, certificatePermission := range *certificates {
+ certificatePermissionsRaw = append(certificatePermissionsRaw, string(certificatePermission))
+ }
+ }
+ }
+
+ policyRaw["tenant_id"] = policy.TenantID.String()
+ if policy.ObjectID != nil {
+ policyRaw["object_id"] = *policy.ObjectID
+ }
+ if policy.ApplicationID != nil {
+ policyRaw["application_id"] = policy.ApplicationID.String()
+ }
+ policyRaw["key_permissions"] = keyPermissionsRaw
+ policyRaw["secret_permissions"] = secretPermissionsRaw
+ policyRaw["certificate_permissions"] = certificatePermissionsRaw
+
+ result = append(result, policyRaw)
+ }
+
+ return result
+}
diff --git a/azurerm/data_source_key_vault_test.go b/azurerm/data_source_key_vault_test.go
new file mode 100644
index 000000000000..c200c66cf8b2
--- /dev/null
+++ b/azurerm/data_source_key_vault_test.go
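Review bot: `flattenKeyVaultDataSourceAccessPolicies` evaluates `len(*policies)` in the `make` call before the `policies == nil` guard, so the guard can never fire and a vault whose response carries no access-policy list panics; move the allocation below the guard and return an empty slice from it, i.e. `if policies == nil { return []interface{}{} }` followed by `result := make([]interface{}, 0, len(*policies))`. `flattenKeyVaultDataSourceSku` likewise reads `sku.Name` without checking `sku` for nil, which the `props.Sku` caller does not guarantee. `props.TenantID.String()` in `dataSourceArmKeyVaultRead` and `policy.TenantID.String()` in the policy loop are called on the SDK's pointer-typed `TenantID` (the neighbouring `*policy.ObjectID` and `policy.ApplicationID.String()` checks show the same pointer handling), so a nil value panics there too; the identical pattern is in the `resourceArmKeyVaultRead` hunk of `resource_arm_key_vault.go` in this patch, and a `if props.TenantID != nil` guard is the fix in each place.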
@@ -0,0 +1,90 @@
+package azurerm
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceAzureRMKeyVault_basic(t *testing.T) {
+ dataSourceName := "data.azurerm_key_vault.test"
+ ri := acctest.RandInt()
+ location := testLocation()
+ config := testAccDataSourceAzureRMKeyVault_basic(ri, location)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMKeyVaultExists(dataSourceName),
+ resource.TestCheckResourceAttrSet(dataSourceName, "tenant_id"),
+ resource.TestCheckResourceAttrSet(dataSourceName, "sku.0.name"),
+ resource.TestCheckResourceAttrSet(dataSourceName, "access_policy.0.tenant_id"),
+ resource.TestCheckResourceAttrSet(dataSourceName, "access_policy.0.object_id"),
+ resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.key_permissions.0", "create"),
+ resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.secret_permissions.0", "set"),
+ resource.TestCheckResourceAttr(dataSourceName, "tags.%", "0"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccDataSourceAzureRMKeyVault_complete(t *testing.T) {
+ dataSourceName := "data.azurerm_key_vault.test"
+ ri := acctest.RandInt()
+ location := testLocation()
+ config := testAccDataSourceAzureRMKeyVault_complete(ri, location)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMKeyVaultExists(dataSourceName),
+ resource.TestCheckResourceAttrSet(dataSourceName, "tenant_id"),
+ resource.TestCheckResourceAttrSet(dataSourceName, "sku.0.name"),
+ 
resource.TestCheckResourceAttrSet(dataSourceName, "access_policy.0.tenant_id"),
+ resource.TestCheckResourceAttrSet(dataSourceName, "access_policy.0.object_id"),
+ resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.key_permissions.0", "create"),
+ resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.secret_permissions.0", "set"),
+ resource.TestCheckResourceAttr(dataSourceName, "tags.%", "1"),
+ resource.TestCheckResourceAttr(dataSourceName, "tags.environment", "Production"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccDataSourceAzureRMKeyVault_basic(rInt int, location string) string {
+ resource := testAccAzureRMKeyVault_basic(rInt, location)
+ return fmt.Sprintf(`
+%s
+
+data "azurerm_key_vault" "test" {
+ name = "${azurerm_key_vault.test.name}"
+ resource_group_name = "${azurerm_key_vault.test.resource_group_name}"
+}
+`, resource)
+}
+
+func testAccDataSourceAzureRMKeyVault_complete(rInt int, location string) string {
+ resource := testAccAzureRMKeyVault_complete(rInt, location)
+ return fmt.Sprintf(`
+%s
+
+data "azurerm_key_vault" "test" {
+ name = "${azurerm_key_vault.test.name}"
+ resource_group_name = "${azurerm_key_vault.test.resource_group_name}"
+}
+`, resource)
+}
diff --git a/azurerm/import_arm_key_vault_test.go b/azurerm/import_arm_key_vault_test.go
index dd0fe04d39b3..5612b8a07a70 100644
--- a/azurerm/import_arm_key_vault_test.go
+++ b/azurerm/import_arm_key_vault_test.go
@@ -29,3 +29,26 @@ func TestAccAzureRMKeyVault_importBasic(t *testing.T) { }, }) } + +func TestAccAzureRMKeyVault_importComplete(t *testing.T) { + resourceName := "azurerm_key_vault.test" + + ri := acctest.RandInt() + config := testAccAzureRMKeyVault_complete(ri, testLocation()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMKeyVaultDestroy, + Steps: []resource.TestStep{ + { + Config: config, + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} diff --git a/azurerm/provider.go b/azurerm/provider.go index ca403dbd3efc..28261b451d96 100644 --- a/azurerm/provider.go +++ b/azurerm/provider.go @@ -86,6 +86,7 @@ func Provider() terraform.ResourceProvider { "azurerm_dns_zone": dataSourceArmDnsZone(), "azurerm_eventhub_namespace": dataSourceEventHubNamespace(), "azurerm_image": dataSourceArmImage(), + "azurerm_key_vault": dataSourceArmKeyVault(), "azurerm_key_vault_access_policy": dataSourceArmKeyVaultAccessPolicy(), "azurerm_key_vault_secret": dataSourceArmKeyVaultSecret(), "azurerm_managed_disk": dataSourceArmManagedDisk(), diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go index 7691ee6abd52..2a30b0b92069 100644 --- a/azurerm/resource_arm_key_vault.go +++ b/azurerm/resource_arm_key_vault.go 
@@ -278,16 +278,22 @@ func resourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error { if location := resp.Location; location != nil { d.Set("location", azureRMNormalizeLocation(*location)) } - d.Set("tenant_id", resp.Properties.TenantID.String()) - d.Set("enabled_for_deployment", resp.Properties.EnabledForDeployment) - d.Set("enabled_for_disk_encryption", resp.Properties.EnabledForDiskEncryption) - d.Set("enabled_for_template_deployment", resp.Properties.EnabledForTemplateDeployment) - d.Set("sku", flattenKeyVaultSku(resp.Properties.Sku)) - d.Set("access_policy", flattenKeyVaultAccessPolicies(resp.Properties.AccessPolicies)) - d.Set("vault_uri", resp.Properties.VaultURI) - flattenAndSetTags(d, resp.Tags) + if props := resp.Properties; props != nil { + d.Set("tenant_id", props.TenantID.String()) + d.Set("enabled_for_deployment", props.EnabledForDeployment) + d.Set("enabled_for_disk_encryption", props.EnabledForDiskEncryption) + d.Set("enabled_for_template_deployment", props.EnabledForTemplateDeployment) + if err := d.Set("sku", flattenKeyVaultSku(props.Sku)); err != nil { + return fmt.Errorf("Error flattening `sku` for KeyVault %q: %+v", resp.Name, err) + } + if err := d.Set("access_policy", flattenKeyVaultAccessPolicies(props.AccessPolicies)); err != nil { + return fmt.Errorf("Error flattening `access_policy` for KeyVault %q: %+v", resp.Name, err) + } + d.Set("vault_uri", props.VaultURI) + } + flattenAndSetTags(d, resp.Tags) return nil } diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go index 15950a8cbbb1..e8f79974d29c 100644 --- a/azurerm/resource_arm_key_vault_test.go +++ b/azurerm/resource_arm_key_vault_test.go @@ -230,10 +230,6 @@ resource "azurerm_key_vault" "test" { "set", ] } - - tags { - environment = "Production" - } } `, rInt, location, rInt) } diff --git a/website/azurerm.erb b/website/azurerm.erb index 7ee9c3f247bc..c64b7cb41e93 100644 --- a/website/azurerm.erb +++ b/website/azurerm.erb 
@@ -63,6 +63,10 @@ azurerm_image + > + azurerm_key_vault + + > azurerm_key_vault_access_policy diff --git a/website/docs/d/key_vault.html.markdown b/website/docs/d/key_vault.html.markdown new file mode 100644 index 000000000000..57d529daee1e --- /dev/null +++ b/website/docs/d/key_vault.html.markdown 
@@ -0,0 +1,70 @@
+---
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_key_vault"
+sidebar_current: "docs-azurerm-data-source-key-vault-x"
+description: |-
+ Gets information about a Key Vault.
+---
+
+# azurerm_key_vault
+
+Gets information about a Key Vault.
+
+## Example Usage
+
+```hcl
+resource "azurerm_key_vault" "test" {
+ name = "mykeyvault"
+ resource_group_name = "some-resource-group"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) Specifies the name of the Key Vault.
+
+* `resource_group_name` - The name of the Resource Group in which the Key Vault exists.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The Vault ID.
+
+* `vault_uri` - The URI of the vault for performing operations on keys and secrets.
+
+* `location` - The Azure Region in which the Key Vault exists
+
+* `sku` - A `sku` block as described below.
+
+* `tenant_id` - The Azure Active Directory Tenant ID used for authenticating requests to the Key Vault.
+
+* `access_policy` - One or more `access_policy` blocks as defined below.
+
+* `enabled_for_deployment` - Can Azure Virtual Machines retrieve certificates stored as secrets from the Key Vault?
+
+* `enabled_for_disk_encryption` - Can Azure Disk Encryption retrieve secrets from the Key Vault?
+
+* `enabled_for_template_deployment` - Can Azure Resource Manager retrieve secrets from the Key Vault?
+
+* `tags` - A mapping of tags assigned to the Key Vault.
+
+A `sku` block exports the following:
+
+* `name` - The name of the SKU used for this Key Vault.
+
+`access_policy` supports the following:
+
+* `tenant_id` - The Azure Active Directory Tenant ID used to authenticate requests for this Key Vault.
+
+* `object_id` - An Object ID of a User, Service Principal or Security Group.
+
+* `application_id` - The Object ID of a Azure Active Directory Application. 
+ +* `certificate_permissions` - A list of certificate permissions applicable to this Access Policy. + +* `key_permissions` - A list of key permissions applicable to this Access Policy. + +* `secret_permissions` - A list of secret permissions applicable to this Access Policy.`set`. \ No newline at end of file diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown index 1a139de54abb..8075ec52c174 100644 --- a/website/docs/r/key_vault.html.markdown +++ b/website/docs/r/key_vault.html.markdown @@ -3,12 +3,12 @@ layout: "azurerm" page_title: "Azure Resource Manager: azurerm_key_vault" sidebar_current: "docs-azurerm-resource-key-vault-x" description: |- - Create a Key Vault. + Manages a Key Vault. --- -# azurerm\_key\_vault +# azurerm_key_vault -Create a Key Vault. +Manages a Key Vault. ## Example Usage @@ -54,14 +54,14 @@ resource "azurerm_key_vault" "test" { The following arguments are supported: -* `name` - (Required) Specifies the name of the Key Vault resource. Changing this +* `name` - (Required) Specifies the name of the Key Vault. Changing this forces a new resource to be created. * `location` - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. * `resource_group_name` - (Required) The name of the resource group in which to - create the namespace. Changing this forces a new resource to be created. + create the Key Vault. Changing this forces a new resource to be created. * `sku` - (Required) An SKU block as described below. From f303b2a64b3cca1955ccbbba73422fc18bbdd238 Mon Sep 17 00:00:00 2001 
From: tombuildsstuff Date: Fri, 4 May 2018 12:38:00 +0100 Subject: [PATCH 4/8] Prefixing the Data Source names with "Data Source" --- website/docs/d/key_vault.html.markdown | 2 +- website/docs/d/key_vault_secret.html.markdown | 2 +- website/docs/d/public_ips.html.markdown | 2 +- website/docs/d/recovery_services_vault.markdown | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/website/docs/d/key_vault.html.markdown b/website/docs/d/key_vault.html.markdown index 57d529daee1e..812b0faa2d64 100644 --- a/website/docs/d/key_vault.html.markdown +++ b/website/docs/d/key_vault.html.markdown @@ -6,7 +6,7 @@ description: |- Gets information about a Key Vault. --- -# azurerm_key_vault +# Data Source: azurerm_key_vault Gets information about a Key Vault. diff --git a/website/docs/d/key_vault_secret.html.markdown b/website/docs/d/key_vault_secret.html.markdown index 0cc4685e48ba..30b9670df968 100644 --- a/website/docs/d/key_vault_secret.html.markdown +++ b/website/docs/d/key_vault_secret.html.markdown @@ -7,7 +7,7 @@ description: |- --- -# azurerm_key_vault_secret +# Data Source: azurerm_key_vault_secret Returns information about the specified Key Vault Secret. diff --git a/website/docs/d/public_ips.html.markdown b/website/docs/d/public_ips.html.markdown index 09051f11cc99..d2fbeb9c1aca 100644 --- a/website/docs/d/public_ips.html.markdown +++ b/website/docs/d/public_ips.html.markdown @@ -6,7 +6,7 @@ description: |- Provides a list of public IP addresses. --- -# azurerm_public_ips +# Data Source: azurerm_public_ips Use this data source to access a filtered list of Public IP Addresses diff --git a/website/docs/d/recovery_services_vault.markdown b/website/docs/d/recovery_services_vault.markdown index 3a29a6824ccb..96c5267d7d9b 100644 --- a/website/docs/d/recovery_services_vault.markdown +++ b/website/docs/d/recovery_services_vault.markdown 
@@ -6,7 +6,7 @@ description: |- Get information about the specified Recovery Services Vault. --- -# azurerm_recovery_services_vault +# Data Source: azurerm_recovery_services_vault Use this data source to access the properties of an Recovery Services Vault. From a7c1b74664ed63600216de92c02362a3c527b8e2 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Sun, 6 May 2018 05:50:07 -0700 Subject: [PATCH 5/8] Setting the ID's for the Data Sources --- azurerm/data_source_key_vault.go | 14 ++++++-------- azurerm/data_source_key_vault_secret.go | 12 ++++++------ 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/azurerm/data_source_key_vault.go b/azurerm/data_source_key_vault.go index 46f868e72e79..8687e7eb78ad 100644 --- a/azurerm/data_source_key_vault.go +++ b/azurerm/data_source_key_vault.go @@ -113,14 +113,10 @@ func dataSourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error { client := meta.(*ArmClient).keyVaultClient ctx := meta.(*ArmClient).StopContext - id, err := parseAzureResourceID(d.Id()) - if err != nil { - return err - } - resGroup := id.ResourceGroup - name := id.Path["vaults"] + name := d.Get("name").(string) + resourceGroup := d.Get("resource_group_name").(string) - resp, err := client.Get(ctx, resGroup, name) + resp, err := client.Get(ctx, resourceGroup, name) if err != nil { if utils.ResponseWasNotFound(resp.Response) { d.SetId("") @@ -129,8 +125,10 @@ func dataSourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error making Read request on KeyVault %q: %+v", name, err) } + d.SetId(*resp.ID) + d.Set("name", resp.Name) - d.Set("resource_group_name", resGroup) + d.Set("resource_group_name", resourceGroup) if location := resp.Location; location != nil { d.Set("location", azureRMNormalizeLocation(*location)) } diff --git a/azurerm/data_source_key_vault_secret.go b/azurerm/data_source_key_vault_secret.go index 8874d6ed2e89..569266942b62 100644 --- a/azurerm/data_source_key_vault_secret.go 
+++ b/azurerm/data_source_key_vault_secret.go @@ -49,19 +49,17 @@ func dataSourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) e client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - id, err := parseKeyVaultChildID(d.Id()) - if err != nil { - return err - } + name := d.Get("name").(string) + vaultUri := d.Get("vault_uri").(string) // we always want to get the latest version - resp, err := client.GetSecret(ctx, id.KeyVaultBaseUrl, id.Name, "") + resp, err := client.GetSecret(ctx, vaultUri, name, "") if err != nil { if utils.ResponseWasNotFound(resp.Response) { d.SetId("") return nil } - return fmt.Errorf("Error making Read request on Azure KeyVault Secret %s: %+v", id.Name, err) + return fmt.Errorf("Error making Read request on Azure KeyVault Secret %s: %+v", name, err) } // the version may have changed, so parse the updated id @@ -70,6 +68,8 @@ func dataSourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) e return err } + d.SetId(*resp.ID) + d.Set("name", respID.Name) d.Set("vault_uri", respID.KeyVaultBaseUrl) d.Set("value", resp.Value) From 29a4aeef317ff2515363e586c810501eea07d7e8 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Sun, 6 May 2018 06:28:12 -0700 Subject: [PATCH 6/8] Fixing the test expectation --- azurerm/data_source_key_vault_secret_test.go | 2 +- azurerm/data_source_key_vault_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/azurerm/data_source_key_vault_secret_test.go b/azurerm/data_source_key_vault_secret_test.go index ecd84aed825a..29d7204b85e4 100644 --- a/azurerm/data_source_key_vault_secret_test.go +++ b/azurerm/data_source_key_vault_secret_test.go @@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/hashicorp/terraform-website/ext/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" ) 
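Review bot: `vaultUri := d.Get("vault_uri").(string)` departs from the Go initialism convention (`respID` a few lines down follows it); `vaultURI` is the conventional spelling. More importantly, that value is now the base URL the authenticated data-plane client calls in `client.GetSecret(ctx, vaultUri, name, "")`, yet the `vault_uri` schema entry accepts any string; a `ValidateFunc` on `vault_uri` that accepts only an `https://` URL would reject typos and plaintext endpoints at plan time rather than at request time, before any credential-bearing request is made. `dataSourceArmKeyVaultSecretRead` begins and ends outside this hunk.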
diff --git a/azurerm/data_source_key_vault_test.go b/azurerm/data_source_key_vault_test.go index c200c66cf8b2..d2881e3e799c 100644 --- a/azurerm/data_source_key_vault_test.go +++ b/azurerm/data_source_key_vault_test.go @@ -55,8 +55,8 @@ func TestAccDataSourceAzureRMKeyVault_complete(t *testing.T) { resource.TestCheckResourceAttrSet(dataSourceName, "sku.0.name"), resource.TestCheckResourceAttrSet(dataSourceName, "access_policy.0.tenant_id"), resource.TestCheckResourceAttrSet(dataSourceName, "access_policy.0.object_id"), - resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.key_permissions.0", "create"), - resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.secret_permissions.0", "set"), + resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.key_permissions.0", "get"), + resource.TestCheckResourceAttr(dataSourceName, "access_policy.0.secret_permissions.0", "get"), resource.TestCheckResourceAttr(dataSourceName, "tags.%", "1"), resource.TestCheckResourceAttr(dataSourceName, "tags.environment", "Production"), ), From 04c98459f9848224cf9ca8005011835104c2ac59 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Thu, 10 May 2018 13:56:35 -0700 Subject: [PATCH 7/8] Returning an error message when the Key Vault / Key Vault Secret don't exist --- azurerm/data_source_key_vault.go | 3 +-- azurerm/data_source_key_vault_secret.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/azurerm/data_source_key_vault.go b/azurerm/data_source_key_vault.go index 8687e7eb78ad..3107545aba0e 100644 --- a/azurerm/data_source_key_vault.go +++ b/azurerm/data_source_key_vault.go 
@@ -119,8 +119,7 @@ func dataSourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
 resp, err := client.Get(ctx, resourceGroup, name)
 if err != nil {
 if utils.ResponseWasNotFound(resp.Response) {
- d.SetId("")
- return nil
+ return fmt.Errorf("KeyVault %q (Resource Group %q) does not exist", name, resourceGroup)
 }
 return fmt.Errorf("Error making Read request on KeyVault %q: %+v", name, err)
 }
diff --git a/azurerm/data_source_key_vault_secret.go b/azurerm/data_source_key_vault_secret.go
index 569266942b62..63962141d532 100644
--- a/azurerm/data_source_key_vault_secret.go
+++ b/azurerm/data_source_key_vault_secret.go
@@ -56,8 +56,7 @@ func dataSourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) e
 resp, err := client.GetSecret(ctx, vaultUri, name, "")
 if err != nil {
 if utils.ResponseWasNotFound(resp.Response) {
- d.SetId("")
- return nil
+ return fmt.Errorf("KeyVault Secret %q (KeyVault URI %q) does not exist", name, vaultUri)
 }
 return fmt.Errorf("Error making Read request on Azure KeyVault Secret %s: %+v", name, err)
 }
From 681109010e5e11eb6f25e44a2705c9b337053364 Mon Sep 17 00:00:00 2001
From: tombuildsstuff
Date: Thu, 10 May 2018 13:58:59 -0700
Subject: [PATCH 8/8] Making the documentation consistent

---
 website/docs/d/key_vault.html.markdown | 12 ++++++++----
 website/docs/d/key_vault_secret.html.markdown | 2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/website/docs/d/key_vault.html.markdown b/website/docs/d/key_vault.html.markdown
index 812b0faa2d64..0c9a73e88b47 100644
--- a/website/docs/d/key_vault.html.markdown
+++ b/website/docs/d/key_vault.html.markdown
@@ -13,10 +13,14 @@ Gets information about a Key Vault.
 ## Example Usage
 
 ```hcl
-resource "azurerm_key_vault" "test" {
+data "azurerm_key_vault" "test" {
 name = "mykeyvault"
 resource_group_name = "some-resource-group"
 }
+
+output "vault_uri" {
+ value = "${data.azurerm_key_vault.test.vault_uri}"
+}
 ```
 
 ## Argument Reference
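Review bot: The new `return fmt.Errorf("KeyVault Secret %q (KeyVault URI %q) does not exist", name, vaultUri)` quotes its arguments with `%q`, while the context line directly below still formats the same name with `%s` in `Error making Read request on Azure KeyVault Secret %s: %+v`; the two messages from one function should agree, and `%q` is the better choice because it makes an empty or whitespace-padded name visible: `return fmt.Errorf("Error making Read request on Azure KeyVault Secret %q: %+v", name, err)`. The key_vault.go hunk above already uses `%q` on both lines, so only this file is inconsistent. Failing hard on a 404 is the right behaviour for a data source; the enclosing function continues beyond this hunk.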
@@ -25,7 +29,7 @@ The following arguments are supported:
 
 * `name` - (Required) Specifies the name of the Key Vault.
 
-* `resource_group_name` - The name of the Resource Group in which the Key Vault exists.
+* `resource_group_name` - (Required) The name of the Resource Group in which the Key Vault exists.
 
 ## Attributes Reference
 
@@ -35,7 +39,7 @@ The following attributes are exported:
 
 * `vault_uri` - The URI of the vault for performing operations on keys and secrets.
 
-* `location` - The Azure Region in which the Key Vault exists
+* `location` - The Azure Region in which the Key Vault exists.
 
 * `sku` - A `sku` block as described below.
 
@@ -67,4 +71,4 @@ A `sku` block exports the following:
 
 * `key_permissions` - A list of key permissions applicable to this Access Policy.
 
-* `secret_permissions` - A list of secret permissions applicable to this Access Policy.`set`.
\ No newline at end of file
+* `secret_permissions` - A list of secret permissions applicable to this Access Policy.
\ No newline at end of file
diff --git a/website/docs/d/key_vault_secret.html.markdown b/website/docs/d/key_vault_secret.html.markdown
index 30b9670df968..2274b34ca7fa 100644
--- a/website/docs/d/key_vault_secret.html.markdown
+++ b/website/docs/d/key_vault_secret.html.markdown
@@ -41,7 +41,7 @@ The following arguments are supported:
 The following attributes are exported:
 
 * `id` - The Key Vault Secret ID.
-* `value` - The value of the Key Vault Secret
+* `value` - The value of the Key Vault Secret.
 * `version` - The current version of the Key Vault Secret.
 * `content_type` - The content type for the Key Vault Secret.
 * `tags` - Any tags assigned to this resource.
