New resource azurerm_managed_disk_sas_token to manage disk exports

internal/services/compute/disk_export_resource.go

@@ -0,0 +1,137 @@
+package compute
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2021-07-01/compute"
+	"github.com/hashicorp/terraform-provider-azurerm/helpers/azure"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/services/compute/parse"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/suppress"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/timeouts"
+)
+
+func resourceDiskExport() *pluginsdk.Resource {
+
+	return &pluginsdk.Resource{
+		Create: resourceDiskExportCreateUpdate,
+		Read:   resourceDiskExportRead,
+		Update: resourceDiskExportCreateUpdate,
+		Delete: resourceDiskExportDelete,
+
+		Timeouts: &pluginsdk.ResourceTimeout{
+			Create: pluginsdk.DefaultTimeout(30 * time.Minute),
+			Read:   pluginsdk.DefaultTimeout(5 * time.Minute),
+			Update: pluginsdk.DefaultTimeout(30 * time.Minute),
+			Delete: pluginsdk.DefaultTimeout(30 * time.Minute),
+		},
+
+		Schema: map[string]*pluginsdk.Schema{
+			"managed_disk_id": {
+				Type:             pluginsdk.TypeString,
+				Required:         true,
+				DiffSuppressFunc: suppress.CaseDifference,
+				ValidateFunc:     azure.ValidateResourceID,
+			},
+
+			"duration_in_seconds": {
+				Type:     pluginsdk.TypeInt,
+				Required: true,
+			},
+
+			"access": {
+				Type:     pluginsdk.TypeString,
+				Optional: true,
+				Default:  "Read",
+			},
+
+			"sas_url": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ForceNew:     true,
+				Sensitive:    true,
+				ValidateFunc: validation.IsURLWithScheme([]string{"http", "https"}),
+			},
+		},
+	}
+
+}
+
+func resourceDiskExportCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+	client := meta.(*clients.Client).Compute.DisksClient
+	ctx, cancel := timeouts.ForCreateUpdate(meta.(*clients.Client).StopContext, d)
+	defer cancel()
+
+	log.Printf("[INFO] preparing arguments for AzureRM Disk Export.")
+	managedDiskId := d.Get("managed_disk_id").(string)
+	durationInSeconds := int32(d.Get("duration_in_seconds").(int))
+	access := d.Get("access").(string)
+
+	parsedManagedDiskId, err := parse.ManagedDiskID(managedDiskId)
+	if err != nil {
+		return fmt.Errorf("parsing Managed Disk ID %q: %+v", parsedManagedDiskId.ID(), err)
+	}
+
+	diskName := parsedManagedDiskId.DiskName
+	resourceGroupName := parsedManagedDiskId.ResourceGroup
+
+	grantAccessData := compute.GrantAccessData{
+		Access:            compute.AccessLevel(access),
+		DurationInSeconds: &durationInSeconds,
+	}
+
+	// Request to Grant Access for Disk
+	diskGrantFuture, err := client.GrantAccess(ctx, resourceGroupName, diskName, grantAccessData)
+	if err != nil {
+		return fmt.Errorf("Error while granting access for disk export %q: %+v", parsedManagedDiskId.ID(), err)
+	}
+
+	// Wait until the Grant Request is complete
+	err = diskGrantFuture.WaitForCompletionRef(ctx, client.Client)
+	if err != nil {
+		return fmt.Errorf("Grant access operation failed %q (Resource Group %q): %+v", diskName, resourceGroupName, err)
+	}
+
+	// Fetch the SAS token from the response
+	diskGrantResponse, err := diskGrantFuture.Result(*client)
+	if err != nil {
+		return fmt.Errorf("Error while fetching the response %q: %+v", parsedManagedDiskId.ID(), err)
+	}
+
+	sasToken := *diskGrantResponse.AccessSAS
+	d.Set("sas_url", sasToken)
+	tokenHash := sha256.Sum256([]byte(sasToken))
+	d.SetId(hex.EncodeToString(tokenHash[:]))
+
+	return resourceDiskExportRead(d, meta)
+
+}
+
+func resourceDiskExportRead(d *pluginsdk.ResourceData, meta interface{}) error {
+	return nil
+}
+
+func resourceDiskExportDelete(d *pluginsdk.ResourceData, meta interface{}) error {
+	client := meta.(*clients.Client).Compute.DisksClient
+	ctx, cancel := timeouts.ForDelete(meta.(*clients.Client).StopContext, d)
+	defer cancel()
+
+	id, err := parse.ManagedDiskID(d.Get("managed_disk_id").(string))
+	if err != nil {
+		return err
+	}
+
+	future, err := client.RevokeAccess(ctx, id.ResourceGroup, id.DiskName)
+	if err != nil {
+		return err
+	}
+
+	return future.WaitForCompletionRef(ctx, client.Client)
+}

internal/services/compute/disk_export_resource_test.go

@@ -0,0 +1,49 @@
+package compute_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check"
+)
+
+type DiskExportResource struct{}
+
+func TestAccDiskExport_basic(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_disk_export", "test")
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: DiskExportResource{}.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("id").Exists(),
+			),
+		},
+	})
+}
+
+func (t DiskExportResource) basic(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-revokedisk-%d"
+  location = "%s"
+}
+resource "azurerm_managed_disk" "test" {
+  name                 = "acctestsads%s"
+  location             = azurerm_resource_group.test.location
+  resource_group_name  = azurerm_resource_group.test.name
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = "1"
+}
+resource "azurerm_disk_export" "test" {
+  managed_disk_id     = azurerm_managed_disk.test.id
+  duration_in_seconds = 300
+  access              = "Read"
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomString)
+}

internal/services/compute/registration.go

@@ -67,6 +67,7 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 		"azurerm_windows_virtual_machine":                resourceWindowsVirtualMachine(),
 		"azurerm_windows_virtual_machine_scale_set":      resourceWindowsVirtualMachineScaleSet(),
 		"azurerm_ssh_public_key":                         resourceSshPublicKey(),
+		"azurerm_disk_export":                            resourceDiskExport(),
 	}
 
 	return resources

website/docs/r/disk_export.html.markdown

@@ -0,0 +1,69 @@
+---
+subcategory: "Compute"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_disk_export"
+description: |-
+  Manages a Disk Export.
+---
+
+# azurerm_disk_export
+
+Manages a Disk Export.
+
+Use this resource to obtain a Shared Access Signature (SAS Token) for an existing Managed Disk.
+
+Shared access signatures allow fine-grained, ephemeral access control to various aspects of Managed Disk similar to blob/storage account container.
+
+With the help of this resource, data from the disk can be copied from managed disk to a storage blob or to some other system without the need of azcopy.
+
+## Example Usage
+
+```hcl
+resource "azurerm_resource_group" "test" {
+  name     = "testrg"
+  location = "West Europe"
+}
+resource "azurerm_managed_disk" "test" {
+  name                 = "tst-disk-export"
+  location             = azurerm_resource_group.test.location
+  resource_group_name  = azurerm_resource_group.test.name
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = "1"
+}
+resource "azurerm_disk_export" "test" {
+  managed_disk_id     = azurerm_managed_disk.test.id
+  duration_in_seconds = 300
+  access              = "Read"
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+* `managed_disk_id` - (Required) The ID of an existing Managed Disk which should be exported. Changing this forces a new resource to be created.
+
+* `duration_in_seconds` - (Required) The duration for which the export should be allowed. Should be greater than 30 seconds.
+
+* `access` - (Optional) The level of access required on the disk. Supported are Read, Write. Defaults to Read. 
+
+Refer to the [SAS creation reference from Azure](https://docs.microsoft.com/en-us/rest/api/compute/disks/grant-access)
+for additional details on the fields above.
+
+## Attributes Reference
+
+In addition to the Arguments listed above - the following Attributes are exported: 
+
+* `id` - The ID of the Disk Export resource.
+
+* `sas_url` - The computed Shared Access Signature (SAS) of the Managed Disk.
+
+## Timeouts
+
+The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:
+
+* `create` - (Defaults to 30 minutes) Used when creating the Disk.
+* `read` - (Defaults to 5 minutes) Used when retrieving the Disk.
+* `update` - (Defaults to 30 minutes) Used when updating the Disk.
+* `delete` - (Defaults to 30 minutes) Used when deleting the Disk.