hashicorp · manicminer · Sep 21, 2023 · Feb 7, 2023 · Feb 14, 2023 · Feb 17, 2023
@@ -8,6 +8,9 @@ class ClientConfiguration(var clientId: String,
                           val clientSecretAlt: String,
                           val subscriptionIdAlt : String,
                           val subscriptionIdDevTest : String,
+                          val tenantIdAlt : String,
+                          val subscriptionIdAltTenant : String,
+                          val principalIdAltTenant : String,
                           val vcsRootId : String,
                           val enableTestTriggersGlobally : Boolean) {
 }
@@ -16,10 +19,10 @@ class LocationConfiguration(var primary : String, var secondary : String, var te
 }
 
 fun ParametrizedWithType.ConfigureAzureSpecificTestParameters(environment: String, config: ClientConfiguration, locationsForEnv: LocationConfiguration, useAltSubscription: Boolean = false, useDevTestSubscription: Boolean = false) {
-    hiddenPasswordVariable("env.ARM_CLIENT_ID", config.clientId, "The ID of the Service Principal used for Testing")
-    hiddenPasswordVariable("env.ARM_CLIENT_ID_ALT", config.clientIdAlt, "The ID of the Alternate Service Principal used for Testing")
-    hiddenPasswordVariable("env.ARM_CLIENT_SECRET", config.clientSecret, "The Client Secret of the Service Principal used for Testing")
-    hiddenPasswordVariable("env.ARM_CLIENT_SECRET_ALT", config.clientSecretAlt, "The Client Secret of the Alternate Service Principal used for Testing")
+    hiddenPasswordVariable("env.ARM_CLIENT_ID", config.clientId, "The Client ID of the Application used for Testing")
+    hiddenPasswordVariable("env.ARM_CLIENT_ID_ALT", config.clientIdAlt, "The Client ID of the Alternate Application used for Testing")
+    hiddenPasswordVariable("env.ARM_CLIENT_SECRET", config.clientSecret, "The Client Secret of the Application used for Testing")
+    hiddenPasswordVariable("env.ARM_CLIENT_SECRET_ALT", config.clientSecretAlt, "The Client Secret of the Alternate Application used for Testing")
     hiddenVariable("env.ARM_ENVIRONMENT", environment, "The Azure Environment in which the tests are running")
     hiddenVariable("env.ARM_PROVIDER_DYNAMIC_TEST", "%b".format(locationsForEnv.rotate), "Should tests rotate between the supported regions?")
     if (useAltSubscription) {
@@ -33,6 +36,9 @@ fun ParametrizedWithType.ConfigureAzureSpecificTestParameters(environment: Strin
         hiddenPasswordVariable("env.ARM_SUBSCRIPTION_ID_ALT", config.subscriptionIdAlt, "The ID of the Alternate Azure Subscription used for Testing")
     }
     hiddenPasswordVariable("env.ARM_TENANT_ID", config.tenantId, "The ID of the Azure Tenant used for Testing")
+    hiddenPasswordVariable("env.ARM_TENANT_ID_ALT", config.tenantIdAlt, "The ID of the Secondary Azure Tenant used for Testing")
+    hiddenPasswordVariable("env.ARM_SUBSCRIPTION_ID_ALT_TENANT", config.subscriptionIdAltTenant, "The ID of the Azure Subscription attached to the Secondary Azure Tenant used for Testing")
+    hiddenPasswordVariable("env.ARM_PRINCIPAL_ID_ALT_TENANT", config.principalIdAltTenant, "The Object ID of the Service Principal in the Secondary Azure Tenant representing the Application used for Testing")
     hiddenVariable("env.ARM_TEST_LOCATION", locationsForEnv.primary, "The Primary region which should be used for testing")
     hiddenVariable("env.ARM_TEST_LOCATION_ALT", locationsForEnv.secondary, "The Secondary region which should be used for testing")
     hiddenVariable("env.ARM_TEST_LOCATION_ALT2", locationsForEnv.tertiary, "The Tertiary region which should be used for testing")

@@ -11,9 +11,12 @@ var tenantId = DslContext.getParameter("tenantId", "")
 var environment = DslContext.getParameter("environment", "public")
 var clientIdAlt = DslContext.getParameter("clientIdAlt", "")
 var clientSecretAlt = DslContext.getParameter("clientSecretAlt", "")
+var tenantIdAlt = DslContext.getParameter("tenantIdAlt", "")
+var subscriptionIdAltTenant = DslContext.getParameter("subscriptionIdAltTenant", "")
+var principalIdAltTenant = DslContext.getParameter("principalIdAltTenant", "")
 var vcsRootId = DslContext.getParameter("vcsRootId", "TF_HashiCorp_AzureRM_Repository")
 var enableTestTriggersGlobally = DslContext.getParameter("enableTestTriggersGlobally", "true").equals("true", ignoreCase = true)
 
-var clientConfig = ClientConfiguration(clientId, clientSecret, subscriptionId, tenantId, clientIdAlt, clientSecretAlt, subscriptionIdAlt, subscriptionIdDevTest, vcsRootId, enableTestTriggersGlobally)
+var clientConfig = ClientConfiguration(clientId, clientSecret, subscriptionId, tenantId, clientIdAlt, clientSecretAlt, subscriptionIdAlt, subscriptionIdDevTest, tenantIdAlt, subscriptionIdAltTenant, principalIdAltTenant, vcsRootId, enableTestTriggersGlobally)
 
 project(AzureRM(environment, clientConfig))
@@ -8,5 +8,5 @@ package tests
 import ClientConfiguration
 
 fun TestConfiguration() : ClientConfiguration {
-    return ClientConfiguration("clientId", "clientSecret", "subscriptionId", "tenantId", "clientIdAlt", "clientSecretAlt", "subscriptionIdAlt", "subscriptionIdDevTest", "vcsRootId", true)
+    return ClientConfiguration("clientId", "clientSecret", "subscriptionId", "tenantId", "clientIdAlt", "clientSecretAlt", "subscriptionIdAlt", "subscriptionIdDevTest", "tenantIdAlt", "subscriptionIdAltTenant", "principalIdAltTenant", "vcsRootId", true)
 }
@@ -136,7 +136,7 @@ func (td TestData) providers() map[string]func() (*schema.Provider, error) {
 func (td TestData) externalProviders() map[string]resource.ExternalProvider {
 	return map[string]resource.ExternalProvider{
 		"azuread": {
-			VersionConstraint: "=2.8.0",
+			VersionConstraint: "=2.38.0",
 			Source:            "registry.terraform.io/hashicorp/azuread",
 		},
 		"time": {

@@ -50,13 +50,22 @@ func resourceStorageAccountCustomerManagedKey() *pluginsdk.Resource {
 			"key_vault_id": {
 				// TODO: should this be split into two resources, since Key Vault and Managed HSM behave subtly differently in places already
 				Type:     pluginsdk.TypeString,
-				Required: true,
+				Optional: true,
 				ValidateFunc: validation.Any(
 					// Storage Account Customer Managed Keys support both Key Vault and Key Vault Managed HSM keys:
 					// https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
 					commonids.ValidateKeyVaultID,
 					managedhsms.ValidateManagedHSMID,
 				),
+				ExactlyOneOf: []string{"key_vault_id", "key_vault_uri"},
+			},
+
+			"key_vault_uri": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.IsURLWithHTTPS,
+				ExactlyOneOf: []string{"key_vault_id", "key_vault_uri"},
+				Computed:     true,
 			},
 
 			"key_name": {
@@ -76,6 +85,13 @@ func resourceStorageAccountCustomerManagedKey() *pluginsdk.Resource {
 				Optional:     true,
 				ValidateFunc: commonids.ValidateUserAssignedIdentityID,
 			},
+
+			"federated_identity_client_id": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.IsUUID,
+				RequiredWith: []string{"user_assigned_identity_id"},
+			},
 		},
 	}
 }
@@ -113,37 +129,46 @@ func resourceStorageAccountCustomerManagedKeyCreateUpdate(d *pluginsdk.ResourceD
 		}
 	}
 
-	keyVaultID, err := commonids.ParseKeyVaultID(d.Get("key_vault_id").(string))
-	if err != nil {
-		return err
-	}
-	keyVault, err := vaultsClient.Get(ctx, *keyVaultID)
-	if err != nil {
-		return fmt.Errorf("retrieving Key Vault %q (Resource Group %q): %+v", keyVaultID.VaultName, keyVaultID.ResourceGroupName, err)
-	}
+	keyVaultURI := ""
+	if keyVaultURIRaw := d.Get("key_vault_uri").(string); keyVaultURIRaw != "" {
+		keyVaultURI = keyVaultURIRaw
+	} else {
+		keyVaultID, err := commonids.ParseKeyVaultID(d.Get("key_vault_id").(string))
+		if err != nil {
+			return err
+		}
+
+		keyVault, err := vaultsClient.Get(ctx, *keyVaultID)
+		if err != nil {
+			return fmt.Errorf("retrieving Key Vault %q (Resource Group %q): %+v", keyVaultID.VaultName, keyVaultID.ResourceGroupName, err)
+		}
 
-	softDeleteEnabled := false
-	purgeProtectionEnabled := false
-	if model := keyVault.Model; model != nil {
-		if esd := model.Properties.EnableSoftDelete; esd != nil {
-			softDeleteEnabled = *esd
+		softDeleteEnabled := false
+		purgeProtectionEnabled := false
+		if model := keyVault.Model; model != nil {
+			if esd := model.Properties.EnableSoftDelete; esd != nil {
+				softDeleteEnabled = *esd
+			}
+			if epp := model.Properties.EnablePurgeProtection; epp != nil {
+				purgeProtectionEnabled = *epp
+			}
 		}
-		if epp := model.Properties.EnablePurgeProtection; epp != nil {
-			purgeProtectionEnabled = *epp
+		if !softDeleteEnabled || !purgeProtectionEnabled {
+			return fmt.Errorf("Key Vault %q (Resource Group %q) must be configured for both Purge Protection and Soft Delete", keyVaultID.VaultName, keyVaultID.ResourceGroupName)
 		}
-	}
-	if !softDeleteEnabled || !purgeProtectionEnabled {
-		return fmt.Errorf("Key Vault %q (Resource Group %q) must be configured for both Purge Protection and Soft Delete", keyVaultID.VaultName, keyVaultID.ResourceGroupName)
-	}
 
-	keyVaultBaseURL, err := keyVaultsClient.BaseUriForKeyVault(ctx, *keyVaultID)
-	if err != nil {
-		return fmt.Errorf("looking up Key Vault URI from %s: %+v", *keyVaultID, err)
+		keyVaultBaseURL, err := keyVaultsClient.BaseUriForKeyVault(ctx, *keyVaultID)
+		if err != nil {
+			return fmt.Errorf("looking up Key Vault URI from %s: %+v", *keyVaultID, err)
+		}
+
+		keyVaultURI = *keyVaultBaseURL
 	}
 
 	keyName := d.Get("key_name").(string)
 	keyVersion := d.Get("key_version").(string)
 	userAssignedIdentity := d.Get("user_assigned_identity_id").(string)
+	federatedIdentityClientID := d.Get("federated_identity_client_id").(string)
 
 	props := storage.AccountUpdateParameters{
 		AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{
@@ -163,12 +188,16 @@ func resourceStorageAccountCustomerManagedKeyCreateUpdate(d *pluginsdk.ResourceD
 				KeyVaultProperties: &storage.KeyVaultProperties{
 					KeyName:     utils.String(keyName),
 					KeyVersion:  utils.String(keyVersion),
-					KeyVaultURI: utils.String(*keyVaultBaseURL),
+					KeyVaultURI: utils.String(keyVaultURI),
 				},
 			},
 		},
 	}
 
+	if federatedIdentityClientID != "" {
+		props.Encryption.EncryptionIdentity.EncryptionFederatedIdentityClientID = utils.String(federatedIdentityClientID)
+	}
+
 	if _, err = storageClient.Update(ctx, id.ResourceGroupName, id.StorageAccountName, props); err != nil {
 		return fmt.Errorf("updating Customer Managed Key for %s: %+v", id, err)
 	}
@@ -226,28 +255,39 @@ func resourceStorageAccountCustomerManagedKeyRead(d *pluginsdk.ResourceData, met
 	}
 
 	userAssignedIdentity := ""
+	federatedIdentityClientID := ""
 	if props := encryption.EncryptionIdentity; props != nil {
 		if props.EncryptionUserAssignedIdentity != nil {
 			userAssignedIdentity = *props.EncryptionUserAssignedIdentity
 		}
+		if props.EncryptionFederatedIdentityClientID != nil {
+			federatedIdentityClientID = *props.EncryptionFederatedIdentityClientID
+		}
 	}
 
 	if keyVaultURI == "" {
 		return fmt.Errorf("retrieving %s: `properties.encryption.keyVaultProperties.keyVaultURI` was nil", id)
 	}
 
-	keyVaultID, err := keyVaultsClient.KeyVaultIDFromBaseUrl(ctx, resourcesClient, keyVaultURI)
-	if err != nil {
-		return fmt.Errorf("retrieving Key Vault ID from the Base URI %q: %+v", keyVaultURI, err)
-	}
-
 	// now we have the key vault uri we can look up the ID
 
+	// we can't look up the ID when using federated identity as the key will be under different tenant
+	keyVaultID := ""
+	if federatedIdentityClientID == "" {
+		tmpKeyVaultID, err := keyVaultsClient.KeyVaultIDFromBaseUrl(ctx, resourcesClient, keyVaultURI)
+		if err != nil {
+			return fmt.Errorf("retrieving Key Vault ID from the Base URI %q: %+v", keyVaultURI, err)
+		}
+		keyVaultID = *tmpKeyVaultID
+	}
+
 	d.Set("storage_account_id", id.ID())
 	d.Set("key_vault_id", keyVaultID)
+	d.Set("key_vault_uri", keyVaultURI)
 	d.Set("key_name", keyName)
 	d.Set("key_version", keyVersion)
 	d.Set("user_assigned_identity_id", userAssignedIdentity)
+	d.Set("federated_identity_client_id", federatedIdentityClientID)
 
 	return nil
 }