Storage Account: Add identity property #1323
Conversation
lstolyarov
changed the title
| @@ -495,6 +500,11 @@ func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) err | |||
| } | |||
| d.Set("account_kind", resp.Kind) | |||
|
|
|||
| log.Printf("[INFO] Identity is %q", resp.Identity) | |||
| if identity := resp.Identity; identity != nil { | |||
There was a problem hiding this comment.
@lstolyarov you'll want to use resp.[XX]Properties.Identity here - since the top level fields resp.Identity isn't guaranteed to have a value, unfortunately. These fields exist primarily for the older API's where the responses aren't guaranteed in the properties block in the JSON
There was a problem hiding this comment.
@tombuildsstuff what do you mean by [XX]Properties? There is an AccountProperties filed in resp but that does not have an Identity field
There was a problem hiding this comment.
@tombuildsstuff what do you mean by
[XX]Properties? There is anAccountPropertiesfiled inrespbut that does not have anIdentityfield
The properties field is prefixed with the name of the struct, so it's different (hence [XX]Properties, sorry I should have looked this up).
I don't see any option to enable this in the Portal - is this feature in Preview?
There was a problem hiding this comment.
Well it is not really a feature. This PR is to be able to extract the Object ID (or Principal ID as it is referred to in the SDK). I don't think there is any anyway to get this information out in the portal - it could be extracted with powershell.
There was a problem hiding this comment.
sorry, I was referring to pulling this out via the API/SDK - I'm not sure if you've seen it but the Azure Resources Explorer can be really helpful here.
In other API's (e.g. App Service) the identity block won't be returned from the API until it's enabled, which can be done by sending the following Request (in the Create/Update):
Identity: &storage.Identity{
Type: utils.String("SystemAssigned"),
},
Once the Identity's assigned, the identity block returned from the API SDK as Principal ID/Object ID. That said, given this isn't available in the Portal yet - and I can't see any reference to it online; I have a feeling this may be in Preview?
There was a problem hiding this comment.
Ok, that makes more sense now.
Thanks for the Azure Resources Explorer - its really useful.
I am not sure if it would technically count as a preview feature or not. My understanding that behind the scenes all resources have object ids and this is required as input for key vault. It is not really useful in the portal as when you enable storage account encryption and select the key vault you want to use that object id gets populated automatically.
|
Related issue: #658 |
lstolyarov
changed the title
There was a problem hiding this comment.
Hello @lstolyarov,
Thank you for opening this PR. It mostly LGTM and I've let a couple of comments inline. Once those are sorted I look forward to merging this for you 🙂
| } | ||
|
|
||
| result := make(map[string]interface{}) | ||
| result["type"] = *identity.Type |
There was a problem hiding this comment.
Could we also check identity.Type for nil?
|
|
||
| * `tenant_id` - The Tenant ID for the Service Principal associated with the Identity of this Storage Account. | ||
|
|
||
| -> You can access the Principal ID via `${azurerm_storage_account.test.identity.0.principal_id}` and the Tenant ID via `${azurerm_storage_account.test.identity.0.tenant_id}` |
There was a problem hiding this comment.
I don't think we need this? There is nothing special required to access these properties
There was a problem hiding this comment.
I think it is still useful for the user to be able to see an example on how to access the property. However, if you still think it's not required - I can remove it.
There was a problem hiding this comment.
Personally I think it should be removed but its very minor and not a blocker
|
|
||
| * `type` - (Required) Specifies the identity type of the Storage Account. At this time the only allowed value is `SystemAssigned`. | ||
|
|
||
| ~> The assigned `principal_id` and `tenant_id` can be retrieved after the Storage Account has been created. More details are available below. |
There was a problem hiding this comment.
Might it be worth explaining these properties won't be assigned until the identity type value is set to SystemAssigned ?
|
Any idea on when this will be released? |
There was a problem hiding this comment.
Hi @lstolyarov,
Thank you for the updates, this LGTM now however running the tests I am consistently getting this failure:
------- Stdout: -------
=== RUN TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity
--- FAIL: TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity (93.41s)
testing.go:513: Step 1 error: Check failed: Check 3/4 error: azurerm_storage_account.testsa: Attribute 'identity.0.principal_id' didn't match "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-4[a-fA-F0-9]{3}-[8|9|aA|bB][a-fA-F0-9]{3}-[a-fA-F0-9]{12}$", got ""
FAIL
Additionally, could you please merge/rebase to resolve the merge conflicts?
katbyte
changed the title
|
Hey @katbyte, This should be ready for another review now. Tests are passing & merge conflicts are resolved. |
Removed some lines that were accidentally merged back in.
fix go fmt issues
|
tests pass (failing ones are encryption and too many networks) |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
Hey @tombuildsstuff,
This PR adds the object id as an output of a storage account. At the moment
resp.Identityis returningnil. Any ideas why?