Key vault add soft delete #1517
Conversation
There was a problem hiding this comment.
hey @janboll
Thanks for this PR :)
I've taken a look through and this mostly LGTM - if we can fix up the merge conflicts / comments then we should be able to run the tests and get this merged :)
Thanks!
| "enabled_for_soft_delete": { | ||
| Type: schema.TypeBool, | ||
| Optional: true, | ||
| ValidateFunc: validate.BoolIsTrue(), |
There was a problem hiding this comment.
given the code below ignores this if it's not set to true - I think we can safely remove this validation function? This allows users to define this variable optionally using a variable e.g.
resource "azurerm_key_vault" "test" {
count = 2
enabled_for_soft_delete = "${count.index == 0 ? true : false}"
}
There was a problem hiding this comment.
given the comment in the docs Once enabled you can not disable this setting anymore! can we add ForceNew: true here?
There was a problem hiding this comment.
I tried to use ForceNew, but changing from soft delete true to soft delete false yields following error:
azurerm_key_vault.test: Error updating Key Vault "vault5353625459524355837" (Resource Group "acctestRG-5353625459524355837"): keyvault.VaultsClient#CreateOrUpdate: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ConflictError" Message="Exist soft deleted vault with the same name. "
On the other hand, switching soft delete on works in place without issue.
I thought about adding the purge to the delete function, but the PurgeDeleted function also has some limitations: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete. So this would potentially break as well.
I suspect that removing the validation function and adding ForceNew: true could not work due to the way soft deleted key vaults are handled on Azure side.
There was a problem hiding this comment.
I thought about adding the purge to the delete function, but the PurgeDeleted function also has some limitations: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete. So this would potentially break as well.
in which case I think we'd want to purge the Key Vault if it exists at deletion time, via an opt-in flag? If users don't opt-into that and delete a soft-deleted KeyVault then they'll get this error, at which point it's up to them to recover the vault and import it into Terraform's Statefile to be able to proceed. What do you think?
We have a similar opt-in property in the VM resource where we optionally delete the OS and Data Disks when the VM is deleted.
There was a problem hiding this comment.
This sounds like a good idea 👍 I added an option to toggle the purge behaviour and also updated the tests support this.
| "enabled_for_purge_protection": { | ||
| Type: schema.TypeBool, | ||
| Optional: true, | ||
| ValidateFunc: validate.BoolIsTrue(), |
There was a problem hiding this comment.
given the code below ignores this if it's not set to true - I think we can safely remove this validation function?
There was a problem hiding this comment.
given the comment in the docs Once enabled you can not disable this setting anymore! can we add ForceNew: true here?
| @@ -216,7 +220,7 @@ resource "azurerm_key_vault" "test" { | |||
|
|
|||
| sku { | |||
| name = "premium" | |||
| } | |||
| } | |||
There was a problem hiding this comment.
minor can we revert this?
| @@ -295,6 +305,9 @@ resource "azurerm_key_vault" "test" { | |||
| sku { | |||
| name = "premium" | |||
| } | |||
|
|
|||
| enabled_for_soft_delete = "True" | |||
| enabled_for_purge_protection = "True" | |||
There was a problem hiding this comment.
minor can we remove the quotes around these values?
| } | ||
| } | ||
|
|
||
| enabled_for_soft_delete = "True" |
There was a problem hiding this comment.
minor can we remove the quotes around this value?
| the key vault is enabled for soft delete. Once enabled you can not disable this setting anymore! | ||
|
|
||
| * `enabled_for_purge_protection` - (Optional) Boolean flag to specify whether | ||
| the key vault is enabled for purge protection. Once enabled you can not disable this setting anymore! |
There was a problem hiding this comment.
can we replace Once enabled you can not disable this setting anymore! with Changing this forces a new resource to be created.
| @@ -136,6 +138,8 @@ func TestAccAzureRMKeyVault_update(t *testing.T) { | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_deployment", "true"), | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_disk_encryption", "true"), | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_template_deployment", "true"), | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_soft_delete", "true"), | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_purge_protection", "false"), | |||
There was a problem hiding this comment.
given changing this value will force a new resource, it'll break this test - can we check for this value in a new test?
| @@ -102,6 +102,8 @@ func TestAccAzureRMKeyVault_complete(t *testing.T) { | |||
| Check: resource.ComposeTestCheckFunc( | |||
| testCheckAzureRMKeyVaultExists(resourceName), | |||
| resource.TestCheckResourceAttrSet(resourceName, "access_policy.0.application_id"), | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_soft_delete", "true"), | |||
| resource.TestCheckResourceAttr(resourceName, "enabled_for_purge_protection", "true"), | |||
There was a problem hiding this comment.
rather than modifying this test - can we check these values in a new test?
There was a problem hiding this comment.
I created a seperate test for this: TestAccAzureRMKeyVault_enable_soft_delete
janboll
force-pushed
the
KeyVault-Add-SoftDelete
branch
from
c31abe7 to
b7c8110
Compare
…_schedule` resource
…e `azurerm_automation_schedule` resource
…roperties of the `azurerm_automation_schedule` resource
…n_schedule` in case of state change to remove
…te of the `azurerm_automation_schedule` resource
Syncing from TF
There's an extra underscore in the header/title, and it doesn't match the actual name of the resource.
docs/kubernetes_cluster: Fix inaccurate kube_config_raw description
…icorp#1706) * tokens invalid when az and terraform run on different timezones * tokens invalid when az and terraform run on different timezones More specifically, - adapt @tombuildsstuff's (thanks, that's better) stylistic requests.
…hicorp#1713) * update VMSS docs to include ip_forwarding (fixes hashicorp#1709) * Updating to include the default value
The options for `require_sni` were not indented/formatted consistently with the rest of the page
…sCaseDiff cleaning up some package tech debt
| * `enabled_for_soft_delete` - Is soft delete enabled on this Key Vault? | ||
|
|
||
| * `enabled_for_purge_protection` - Is purge protection enabled on this Key Vault? | ||
|
|
There was a problem hiding this comment.
You have updated the data source documentation but I did not see the data_source_key_vault.go in the PR, shouldn't also expose these new fields in the data source as well?
Fix some pointer references
Fix: Corrected regexp for eventhub name
* 🐛 (Network profile of AKS.) Remove client side validation for azure network plugin. Non-empty podCidr string validation for azure network plugin should be handled by ASK service. * 📝 (Network profile of AKS.) Add more explainations for network_profile. Add more explainations on default network_profile and `azure` specific validation requirement. * Updating to better match the other docs
…1789) * issues:1743 | Added support for EventHub compatible EndPoints and Paths * issues:1743 | Updated documentation for EventHub compatible EndPoints and Paths * Updating the documentation to list fields explicitly
|
I made a mistake while rebasing and broke the branch, will create a new one with reference to this one |
|
Opened a new PR, I am sorry for the mess :-( |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
Make it possible to enable soft delete via Terraform.
This would fix #1329.