Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_mysql_flexible_server - support geo_backup_key_vault_key_id and geo_backup_user_assigned_identity_id #20796

Merged
merged 6 commits into from
Mar 21, 2023
Merged

azurerm_mysql_flexible_server - support geo_backup_key_vault_key_id and geo_backup_user_assigned_identity_id #20796

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
160b42b
fix mysql
neil-yechenwei Mar 6, 2023
236a2a4
update code
neil-yechenwei Mar 6, 2023
34c6740
update code
neil-yechenwei Mar 8, 2023
75b65e6
update code
neil-yechenwei Mar 10, 2023
08e28a7
update code
neil-yechenwei Mar 10, 2023
97b9cfd
Update internal/services/mysql/mysql_flexible_server_resource_test.go
katbyte Mar 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .teamcity/components/settings.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ var serviceTestConfigurationOverrides = mapOf(
"mssql" to testConfiguration(locationOverride = LocationConfiguration("westeurope", "francecentral", "eastus2", false), useDevTestSubscription = true),

// MySQL has quota available in certain locations
"mysql" to testConfiguration(locationOverride = LocationConfiguration("westeurope", "francecentral", "eastus2", false), useDevTestSubscription = true),
"mysql" to testConfiguration(locationOverride = LocationConfiguration("westeurope", "northeurope", "eastus2", false), useDevTestSubscription = true),

// netapp has a max of 10 accounts and the max capacity of pool is 25 TiB per subscription so lets limit it to 1 to account for broken ones, run Monday, Wednesday, Friday
"netapp" to testConfiguration(parallelism = 1, daysOfWeek = "2,4,6", locationOverride = LocationConfiguration("westeurope", "eastus2", "westus2", false), useDevTestSubscription = true),
Expand Down
45 changes: 42 additions & 3 deletions internal/services/mysql/mysql_flexible_server_resource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,20 @@ func resourceMysqlFlexibleServer() *pluginsdk.Resource {
Optional: true,
ValidateFunc: commonids.ValidateUserAssignedIdentityID,
},
"geo_backup_key_vault_key_id": {
Type: pluginsdk.TypeString,
Optional: true,
ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion,
RequiredWith: []string{
"identity",
"customer_managed_key.0.geo_backup_user_assigned_identity_id",
},
},
"geo_backup_user_assigned_identity_id": {
Type: pluginsdk.TypeString,
Optional: true,
ValidateFunc: commonids.ValidateUserAssignedIdentityID,
},
},
},
},
Expand Down Expand Up @@ -930,9 +944,23 @@ func expandFlexibleServerDataEncryption(input []interface{}) *servers.DataEncryp

det := servers.DataEncryptionTypeAzureKeyVault
dataEncryption := servers.DataEncryption{
Type: &det,
PrimaryKeyURI: utils.String(v["key_vault_key_id"].(string)),
PrimaryUserAssignedIdentityId: utils.String(v["primary_user_assigned_identity_id"].(string)),
Type: &det,
}

if keyVaultKeyId := v["key_vault_key_id"].(string); keyVaultKeyId != "" {
dataEncryption.PrimaryKeyURI = utils.String(keyVaultKeyId)
}

if primaryUserAssignedIdentityId := v["primary_user_assigned_identity_id"].(string); primaryUserAssignedIdentityId != "" {
dataEncryption.PrimaryUserAssignedIdentityId = utils.String(primaryUserAssignedIdentityId)
}

if geoBackupKeyVaultKeyId := v["geo_backup_key_vault_key_id"].(string); geoBackupKeyVaultKeyId != "" {
dataEncryption.GeoBackupKeyURI = utils.String(geoBackupKeyVaultKeyId)
}

if geoBackupUserAssignedIdentityId := v["geo_backup_user_assigned_identity_id"].(string); geoBackupUserAssignedIdentityId != "" {
dataEncryption.GeoBackupUserAssignedIdentityId = utils.String(geoBackupUserAssignedIdentityId)
}

return &dataEncryption
Expand All @@ -955,6 +983,17 @@ func flattenFlexibleServerDataEncryption(de *servers.DataEncryption) ([]interfac
item["primary_user_assigned_identity_id"] = parsed.ID()
}

if de.GeoBackupKeyURI != nil {
item["geo_backup_key_vault_key_id"] = *de.GeoBackupKeyURI
}
if identity := de.GeoBackupUserAssignedIdentityId; identity != nil {
parsed, err := commonids.ParseUserAssignedIdentityIDInsensitively(*identity)
if err != nil {
return nil, fmt.Errorf("parsing %q: %+v", *identity, err)
}
item["geo_backup_user_assigned_identity_id"] = parsed.ID()
}

return []interface{}{item}, nil
}

Expand Down
95 changes: 94 additions & 1 deletion internal/services/mysql/mysql_flexible_server_resource_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -463,6 +463,21 @@ func TestAccMySqlFlexibleServer_updateToCustomerManagedKey(t *testing.T) {
})
}

func TestAccMySqlFlexibleServer_enableGeoRedundantBackup(t *testing.T) {
katbyte marked this conversation as resolved.
Show resolved Hide resolved
data := acceptance.BuildTestData(t, "azurerm_mysql_flexible_server", "test")
r := MySqlFlexibleServerResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.enableGeoRedundantBackup(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep("administrator_password"),
})
}

func (MySqlFlexibleServerResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
id, err := servers.ParseFlexibleServerID(state.ID)
if err != nil {
Expand Down Expand Up @@ -1021,7 +1036,7 @@ resource "azurerm_key_vault_access_policy" "client" {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id

key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy"]
}

resource "azurerm_key_vault_key" "test" {
Expand Down Expand Up @@ -1080,3 +1095,81 @@ resource "azurerm_mysql_flexible_server" "test" {
}
`, r.cmkTemplate(data), data.RandomInteger)
}

func (r MySqlFlexibleServerResource) enableGeoRedundantBackup(data acceptance.TestData) string {
return fmt.Sprintf(`
%s

resource "azurerm_resource_group" "test2" {
name = "acctestRG-mysql2-%d"
location = "%s"
}

resource "azurerm_user_assigned_identity" "test2" {
name = "acctestmi%s"
location = azurerm_resource_group.test2.location
resource_group_name = azurerm_resource_group.test2.name
}

resource "azurerm_key_vault" "test2" {
name = "acctestkv2%s"
location = azurerm_resource_group.test2.location
resource_group_name = azurerm_resource_group.test2.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "server2" {
key_vault_id = azurerm_key_vault.test2.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_user_assigned_identity.test2.principal_id

key_permissions = ["Get", "List", "WrapKey", "UnwrapKey"]
}

resource "azurerm_key_vault_access_policy" "client2" {
key_vault_id = azurerm_key_vault.test2.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id

key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy"]
}

resource "azurerm_key_vault_key" "test2" {
name = "test2"
key_vault_id = azurerm_key_vault.test2.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

depends_on = [
azurerm_key_vault_access_policy.client2,
azurerm_key_vault_access_policy.server2,
]
}

resource "azurerm_mysql_flexible_server" "test" {
name = "acctest-fs-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
administrator_login = "_admin_Terraform_892123456789312"
administrator_password = "QAZwsx123"
sku_name = "B_Standard_B1s"
zone = "2"
geo_redundant_backup_enabled = true

identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.test.id, azurerm_user_assigned_identity.test2.id]
}

customer_managed_key {
key_vault_key_id = azurerm_key_vault_key.test.id
primary_user_assigned_identity_id = azurerm_user_assigned_identity.test.id
geo_backup_key_vault_key_id = azurerm_key_vault_key.test2.id
geo_backup_user_assigned_identity_id = azurerm_user_assigned_identity.test2.id
}
}
`, r.cmkTemplate(data), data.RandomInteger, data.Locations.Secondary, data.RandomString, data.RandomString, data.RandomInteger)
}
6 changes: 5 additions & 1 deletion website/docs/r/mysql_flexible_server.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,11 @@ A `customer_managed_key` block supports the following:

* `primary_user_assigned_identity_id` - (Optional) Specifies the primary user managed identity id for a Customer Managed Key. Should be added with `identity_ids`.

~> **NOTE:** This is required when `type` is set to `UserAssigned` or `SystemAssigned, UserAssigned`.
* `geo_backup_key_vault_key_id` - (Optional) The ID of the geo backup Key Vault Key. It can't cross region and need Customer Managed Key in same region as geo backup.

* `geo_backup_user_assigned_identity_id` - (Optional) The geo backup user managed identity id for a Customer Managed Key. Should be added with `identity_ids`. It can't cross region and need identity in same region as geo backup.

~> **NOTE:** `primary_user_assigned_identity_id` or `geo_backup_user_assigned_identity_id` is required when `type` is set to `UserAssigned` or `SystemAssigned, UserAssigned`.

---

Expand Down