azurerm_batch_account - allow versionless keys for CMK

internal/services/batch/batch_account_data_source.go

@@ -81,7 +81,7 @@ func dataSourceBatchAccount() *pluginsdk.Resource {
 						"key_vault_key_id": {
 							Type:         pluginsdk.TypeString,
 							Required:     true,
-							ValidateFunc: keyVaultValidate.NestedItemId,
+							ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion,
 						},
 					},
 				},

internal/services/batch/batch_account_data_source_test.go

@@ -63,15 +63,32 @@ func TestAccBatchAccountDataSource_userSubscription(t *testing.T) {
 	})
 }
 
-func TestAccBatchAccountDataSource_cmk(t *testing.T) {
+func TestAccBatchAccountDataSource_cmkVersionedKey(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azurerm_batch_account", "test")
 	r := BatchAccountDataSource{}
 
 	tenantID := os.Getenv("ARM_TENANT_ID")
 
 	data.DataSourceTest(t, []acceptance.TestStep{
 		{
-			Config: r.cmkData(data, tenantID),
+			Config: r.cmkVersionedKeyData(data, tenantID),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("location").HasValue(azure.NormalizeLocation(data.Locations.Primary)),
+				check.That(data.ResourceName).Key("encryption.0.key_vault_key_id").IsSet(),
+			),
+		},
+	})
+}
+
+func TestAccBatchAccountDataSource_cmkVersionlessKey(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_batch_account", "test")
+	r := BatchAccountDataSource{}
+
+	tenantID := os.Getenv("ARM_TENANT_ID")
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: r.cmkVersionlessKeyData(data, tenantID),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).Key("location").HasValue(azure.NormalizeLocation(data.Locations.Primary)),
 				check.That(data.ResourceName).Key("encryption.0.key_vault_key_id").IsSet(),
@@ -213,7 +230,7 @@ data "azurerm_batch_account" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomString, tenantID, tenantID, subscriptionID, data.RandomString)
 }
 
-func (BatchAccountDataSource) cmkData(data acceptance.TestData, tenantID string) string {
+func (BatchAccountDataSource) cmkVersionedKeyData(data acceptance.TestData, tenantID string) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {
@@ -228,26 +245,26 @@ data "azurerm_client_config" "current" {
 }
 
 resource "azurerm_resource_group" "test" {
-  name     = "testaccRG-batch-%d"
-  location = "%s"
+  name     = "testaccRG-batch-%[1]d"
+  location = "%[2]s"
 }
 
 resource "azurerm_storage_account" "test" {
-  name                     = "testaccsa%s"
+  name                     = "testaccsa%[3]s"
   resource_group_name      = azurerm_resource_group.test.name
   location                 = azurerm_resource_group.test.location
   account_tier             = "Standard"
   account_replication_type = "LRS"
 }
 
 resource "azurerm_user_assigned_identity" "test" {
-  name                = "acctest%s"
+  name                = "acctest%[3]s"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
 }
 
 resource "azurerm_batch_account" "test" {
-  name                                = "testaccbatch%s"
+  name                                = "testaccbatch%[3]s"
   resource_group_name                 = azurerm_resource_group.test.name
   location                            = azurerm_resource_group.test.location
   pool_allocation_mode                = "BatchService"
@@ -264,20 +281,20 @@ resource "azurerm_batch_account" "test" {
 }
 
 resource "azurerm_key_vault" "test" {
-  name                            = "batchkv%s"
-  location                        = "${azurerm_resource_group.test.location}"
-  resource_group_name             = "${azurerm_resource_group.test.name}"
+  name                            = "batchkv%[3]s"
+  location                        = azurerm_resource_group.test.location
+  resource_group_name             = azurerm_resource_group.test.name
   enabled_for_disk_encryption     = true
   enabled_for_deployment          = true
   enabled_for_template_deployment = true
   purge_protection_enabled        = true
-  tenant_id                       = "%s"
+  tenant_id                       = "%[4]s"
 
   sku_name = "standard"
 
   access_policy {
-    tenant_id = "%s"
-    object_id = "${data.azurerm_client_config.current.object_id}"
+    tenant_id = "%[4]s"
+    object_id = data.azurerm_client_config.current.object_id
 
     key_permissions = [
       "Get",
@@ -291,8 +308,8 @@ resource "azurerm_key_vault" "test" {
   }
 
   access_policy {
-    tenant_id = "%s"
-    object_id = "${azurerm_user_assigned_identity.test.principal_id}"
+    tenant_id = "%[4]s"
+    object_id = azurerm_user_assigned_identity.test.principal_id
 
     key_permissions = [
       "Get",
@@ -303,8 +320,8 @@ resource "azurerm_key_vault" "test" {
 }
 
 resource "azurerm_key_vault_key" "test" {
-  name         = "enckey%d"
-  key_vault_id = "${azurerm_key_vault.test.id}"
+  name         = "enckey%[1]d"
+  key_vault_id = azurerm_key_vault.test.id
   key_type     = "RSA"
   key_size     = 2048
 
@@ -319,9 +336,122 @@ resource "azurerm_key_vault_key" "test" {
 }
 
 data "azurerm_batch_account" "test" {
-  name                = "${azurerm_batch_account.test.name}"
-  resource_group_name = "${azurerm_resource_group.test.name}"
+  name                = azurerm_batch_account.test.name
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+`, data.RandomInteger, data.Locations.Primary, data.RandomString, tenantID)
+}
+
+func (BatchAccountDataSource) cmkVersionlessKeyData(data acceptance.TestData, tenantID string) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy       = false
+      purge_soft_deleted_keys_on_destroy = false
+    }
+  }
+}
+
+data "azurerm_client_config" "current" {
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "testaccRG-batch-%[1]d"
+  location = "%[2]s"
+}
+
+resource "azurerm_storage_account" "test" {
+  name                     = "testaccsa%[3]s"
+  resource_group_name      = azurerm_resource_group.test.name
+  location                 = azurerm_resource_group.test.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_user_assigned_identity" "test" {
+  name                = "acctest%[3]s"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+}
+
+resource "azurerm_batch_account" "test" {
+  name                                = "testaccbatch%[3]s"
+  resource_group_name                 = azurerm_resource_group.test.name
+  location                            = azurerm_resource_group.test.location
+  pool_allocation_mode                = "BatchService"
+  storage_account_id                  = azurerm_storage_account.test.id
+  storage_account_authentication_mode = "StorageKeys"
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id]
+  }
+
+  encryption {
+    key_vault_key_id = azurerm_key_vault_key.test.versionless_id
+  }
+}
+
+resource "azurerm_key_vault" "test" {
+  name                            = "batchkv%[3]s"
+  location                        = azurerm_resource_group.test.location
+  resource_group_name             = azurerm_resource_group.test.name
+  enabled_for_disk_encryption     = true
+  enabled_for_deployment          = true
+  enabled_for_template_deployment = true
+  purge_protection_enabled        = true
+  tenant_id                       = "%[4]s"
+
+  sku_name = "standard"
+
+  access_policy {
+    tenant_id = "%[4]s"
+    object_id = data.azurerm_client_config.current.object_id
+
+    key_permissions = [
+      "Get",
+      "Create",
+      "Delete",
+      "WrapKey",
+      "UnwrapKey",
+      "GetRotationPolicy",
+      "SetRotationPolicy",
+    ]
+  }
+
+  access_policy {
+    tenant_id = "%[4]s"
+    object_id = azurerm_user_assigned_identity.test.principal_id
+
+    key_permissions = [
+      "Get",
+      "WrapKey",
+      "UnwrapKey"
+    ]
+  }
+}
+
+resource "azurerm_key_vault_key" "test" {
+  name         = "enckey%[1]d"
+  key_vault_id = azurerm_key_vault.test.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+data "azurerm_batch_account" "test" {
+  name                = azurerm_batch_account.test.name
+  resource_group_name = azurerm_resource_group.test.name
 }
 
-`, data.RandomInteger, data.Locations.Primary, data.RandomString, data.RandomString, data.RandomString, data.RandomString, tenantID, tenantID, tenantID, data.RandomInteger)
+`, data.RandomInteger, data.Locations.Primary, data.RandomString, tenantID)
 }

internal/services/batch/batch_account_resource.go

@@ -159,7 +159,7 @@ func resourceBatchAccount() *pluginsdk.Resource {
 						"key_vault_key_id": {
 							Type:         pluginsdk.TypeString,
 							Required:     true,
-							ValidateFunc: keyVaultValidate.NestedItemId,
+							ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion,
 						},
 					},
 				},