Adds CMK for CosmosDB Account

[petems]

• Closes Support for CosmosDB encryption with CMK #7798

[jackofallops]

Hi @petems - Thanks for this PR, looks off to a good start.

My understanding is that the key_vault_key_id property can be changed / updated, so I think we'd need to remove the ForceNew and include it in the update. As it stands, I believe it will remove the key from the account was otherwise updated? Could you add a test that covers the new property also?

Thanks!

[katbyte]

Adding to @jackofallops's comment, could we also add a test that updates the key_vault_key_id

[petems]

My understanding is that the key_vault_key_id property can be changed / updated, so I think we'd need to remove the ForceNew and include it in the update. As it stands, I believe it will remove the key from the account was otherwise updated? Could you add a test that covers the new property also?

Currently the key_vault_key_uri cannot be changed in the API, its only possible on new resources, which is why I set it to ForceNew:

Code="BadRequest" Message="Updating KeyVaultKeyUri is not supported\r\nActivityId: 5f367e7d-92ee-42a7-966b-fb12e53ab69a, Microsoft.Azure.Documents.Common/2.11.0"

See Azure/azure-rest-api-specs#10323

But I will add a test for it overall

[petems]

@katbyte @jackofallops I've created a test using a key vault example from a different test, can I get some 👀 on it? And run it as an acc-test if it looks correct?

[petems]

Just did a manual test, and this config works for me now:

provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "test" {
  name     = "acctestRG-cosmos-123456"
  location = "West US 2"
}

data "azurerm_client_config" "current" {}

data "azuread_service_principal" "cosmosdb" {
  display_name = "Azure Cosmos DB"
}

resource "azurerm_key_vault" "test" {
  name                = "acctestkeyvault123456789"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  purge_protection_enabled = true
  soft_delete_enabled      = true

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "list",
      "create",
      "delete",
      "get",
      "update",
    ]

    secret_permissions = [
      "get",
      "delete",
      "set",
    ]
  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azuread_service_principal.cosmosdb.id

    key_permissions = [
      "list",
      "create",
      "delete",
      "get",
      "update",
      "unwrapKey",
      "wrapKey",
    ]

    secret_permissions = [
      "get",
      "delete",
      "set",
    ]
  }
}

resource "azurerm_key_vault_key" "test" {
  name         = "examplekey123456"
  key_vault_id = azurerm_key_vault.test.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_cosmosdb_account" "test" {
  name                = "acctest-ca-123456"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  offer_type          = "Standard"
  kind                = "MongoDB"
  key_vault_key_uri   = "${azurerm_key_vault.test.vault_uri}keys/${azurerm_key_vault_key.test.name}/"
  consistency_policy {
    consistency_level = "Strong"
  }
  geo_location {
    location          = azurerm_resource_group.test.location
    failover_priority = 0
  }
}

Will fix the test to use this

[katbyte]

Thanks @petems - aside from a couple comments this LGTM

[petems]

@katbyte All good to merge? I dont have button rights 😄

Outdated

[katbyte]

LGTM 👍

[jackofallops]

Tests passing (1 fail transient, unrelated)

[ghost]

This has been released in version 2.36.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.36.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!