hashicorp · katbyte · Oct 27, 2023 · Oct 19, 2023 · Aug 8, 2023 · Oct 19, 2023
@@ -10,6 +10,8 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-azure-helpers/lang/response"
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/identity"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/eventhub/2022-01-01-preview/namespaces"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
@@ -84,6 +86,8 @@ func resourceEventHubNamespaceCustomerManagedKey() *pluginsdk.Resource {
 				Default:  false,
 				ForceNew: true,
 			},
+
+			"identity": commonschema.SystemOrUserAssignedIdentityOptional(),
 		},
 	}
 }
@@ -116,7 +120,6 @@ func resourceEventHubNamespaceCustomerManagedKeyCreateUpdate(d *pluginsdk.Resour
 	}
 
 	namespace := resp.Model
-
 	keySource := namespaces.KeySourceMicrosoftPointKeyVault
 	namespace.Properties.Encryption = &namespaces.Encryption{
 		KeySource: &keySource,
@@ -126,6 +129,29 @@ func resourceEventHubNamespaceCustomerManagedKeyCreateUpdate(d *pluginsdk.Resour
 	if err != nil {
 		return err
 	}
+
+	assignedIdentities, err := identity.ExpandSystemOrUserAssignedMap(d.Get("identity").([]interface{}))
+	if err != nil {
+		return fmt.Errorf("expanding `identity`: %+v", err)
+	}
+
+	if assignedIdentities.Type == identity.TypeUserAssigned {
+		if len(assignedIdentities.IdentityIds) != 1 {
+			return fmt.Errorf("exactly one identity_ids is required if identity type is UserAssigned")
+		}
+
+		userAssignedIdentity, err := checkUserManagedIdentityIsAssignedToParentEventHub(assignedIdentities.IdentityIds, namespace.Identity.IdentityIds)
+		if err != nil {
+			return err
+		}
+
+		for i := 0; i < len(*keyVaultProps); i++ {
+			(*keyVaultProps)[i].Identity = &namespaces.UserAssignedIdentityProperties{
+				UserAssignedIdentity: userAssignedIdentity,
+			}
+		}
+	}
+
 	namespace.Properties.Encryption.KeyVaultProperties = keyVaultProps
 	namespace.Properties.Encryption.RequireInfrastructureEncryption = utils.Bool(d.Get("infrastructure_encryption_enabled").(bool))
 
@@ -174,14 +200,17 @@ func resourceEventHubNamespaceCustomerManagedKeyRead(d *pluginsdk.ResourceData,
 
 		d.Set("key_vault_key_ids", keyVaultKeyIds)
 		d.Set("infrastructure_encryption_enabled", props.Encryption.RequireInfrastructureEncryption)
+
+		if err := d.Set("identity", getUserManagedIdentity(props.Encryption)); err != nil {
+			return fmt.Errorf("setting `identity`: %+v", err)
+		}
 	}
 
 	return nil
 }
 
 func resourceEventHubNamespaceCustomerManagedKeyDelete(d *pluginsdk.ResourceData, meta interface{}) error {
-	log.Printf(`[INFO] Customer Managed Keys cannot be removed from EventHub Namespaces once added. To remove the Customer Managed Key delete and recreate the parent EventHub Namespace")
-`)
+	log.Printf(`[INFO] Customer Managed Keys cannot be removed from EventHub Namespaces once added. To remove the Customer Managed Key delete and recreate the parent EventHub Namespace`)
 	return nil
 }
 
@@ -208,8 +237,31 @@ func expandEventHubNamespaceKeyVaultKeyIds(input []interface{}) (*[]namespaces.K
 	return &results, nil
 }
 
-func flattenEventHubNamespaceKeyVaultKeyIds(input *namespaces.Encryption) ([]interface{}, error) {
-	results := make([]interface{}, 0)
+// Get the user managed id for the custom key if one exists
+func getUserManagedIdentity(input *namespaces.Encryption) *[]interface{} {
+	if input == nil || input.KeyVaultProperties == nil {
+		return nil
+	}
+
+	// we can only have a single managed id, so just take the first one and call it a day
+	for _, item := range *input.KeyVaultProperties {
+		if item.Identity != nil {
+			return &[]interface{}{
+				map[string]interface{}{
+					"type":         "UserAssigned",
+					"identity_ids": []string{*item.Identity.UserAssignedIdentity},
+					"principal_id": "",
+					"tenant_id":    "",
+				},
+			}
+		}
+	}
+
+	return nil
+}
+
+func flattenEventHubNamespaceKeyVaultKeyIds(input *namespaces.Encryption) ([]string, error) {
+	results := make([]string, 0)
 	if input == nil || input.KeyVaultProperties == nil {
 		return results, nil
 	}
@@ -240,3 +292,21 @@ func flattenEventHubNamespaceKeyVaultKeyIds(input *namespaces.Encryption) ([]int
 
 	return results, nil
 }
+
+// Check if the same identity has been assigned to the parent EventHub. Returns the first ID if valid, else return a nice error if it isn't.
+//
+// This resource can only utilize a single Managed Identity
+func checkUserManagedIdentityIsAssignedToParentEventHub(userAssignedIdentities map[string]identity.UserAssignedIdentityDetails, eventHubIdentities map[string]identity.UserAssignedIdentityDetails) (*string, error) {
+	userAssignedIdentity := ""
+	for k := range userAssignedIdentities {
+		userAssignedIdentity = k
+	}
+
+	for item := range eventHubIdentities {
+		if item == userAssignedIdentity {
+			return &userAssignedIdentity, nil
+		}
+	}
+
+	return nil, fmt.Errorf("user managed identity '%s' must also be assigned to the parent event hub", userAssignedIdentity)
+}
@@ -33,6 +33,21 @@ func TestAccEventHubNamespaceCustomerManagedKey_basic(t *testing.T) {
 	})
 }
 
+func TestAccEventHubNamespaceCustomerManagedKey_withUserAssignedIdentity(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_eventhub_namespace_customer_managed_key", "test")
+	r := EventHubNamespaceCustomerManagedKeyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withUserAssignedIdentity(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccEventHubNamespaceCustomerManagedKey_requiresImport(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_eventhub_namespace_customer_managed_key", "test")
 	r := EventHubNamespaceCustomerManagedKeyResource{}
@@ -129,6 +144,22 @@ resource "azurerm_eventhub_namespace_customer_managed_key" "test" {
 `, r.template(data))
 }
 
+func (r EventHubNamespaceCustomerManagedKeyResource) withUserAssignedIdentity(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_eventhub_namespace_customer_managed_key" "test" {
+  eventhub_namespace_id = azurerm_eventhub_namespace.test.id
+  key_vault_key_ids     = [azurerm_key_vault_key.test.id]
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id]
+  }
+}
+`, r.templateWithUserAssignedIdentity(data))
+}
+
 func (r EventHubNamespaceCustomerManagedKeyResource) update(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
@@ -262,3 +293,95 @@ resource "azurerm_key_vault_key" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomString, data.RandomString)
 }
+
+func (r EventHubNamespaceCustomerManagedKeyResource) templateWithUserAssignedIdentity(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy       = false
+      purge_soft_deleted_keys_on_destroy = false
+    }
+  }
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-namespacecmk-%d"
+  location = "%s"
+}
+
+resource "azurerm_eventhub_cluster" "test" {
+  name                = "acctest-cluster-%d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  sku_name            = "Dedicated_1"
+}
+
+resource "azurerm_user_assigned_identity" "test" {
+  location            = azurerm_resource_group.test.location
+  name                = "acctest-identity-%s"
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_eventhub_namespace" "test" {
+  name                 = "acctest-namespace-%d"
+  location             = azurerm_resource_group.test.location
+  resource_group_name  = azurerm_resource_group.test.name
+  sku                  = "Standard"
+  dedicated_cluster_id = azurerm_eventhub_cluster.test.id
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id]
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "test" {
+  name                     = "acctestkv%s"
+  location                 = azurerm_resource_group.test.location
+  resource_group_name      = azurerm_resource_group.test.name
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  sku_name                 = "standard"
+  purge_protection_enabled = true
+}
+
+resource "azurerm_key_vault_access_policy" "test" {
+  key_vault_id = azurerm_key_vault.test.id
+  tenant_id    = azurerm_user_assigned_identity.test.tenant_id
+  object_id    = azurerm_user_assigned_identity.test.principal_id
+
+  key_permissions = ["Get", "UnwrapKey", "WrapKey", "GetRotationPolicy"]
+}
+
+resource "azurerm_key_vault_access_policy" "test2" {
+  key_vault_id = azurerm_key_vault.test.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Create",
+    "Delete",
+    "Get",
+    "List",
+    "Purge",
+    "Recover",
+    "GetRotationPolicy"
+  ]
+}
+
+resource "azurerm_key_vault_key" "test" {
+  name         = "acctestkvkey%s"
+  key_vault_id = azurerm_key_vault.test.id
+  key_type     = "RSA"
+  key_size     = 2048
+  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
+
+  depends_on = [
+    azurerm_key_vault_access_policy.test,
+    azurerm_key_vault_access_policy.test2,
+  ]
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomString, data.RandomInteger, data.RandomString, data.RandomString)
+}