azurerm_api_management: make certificate_password optional (#11139)

Couldn't find an issue for this when looking, but my guess is that a lot (including me) uses a workaround and setting password to empty string when importing certificates that doesn't have a password.

Certificate added for testdata is just a base64 encoded x509 from the pfx that is used.

azurerm/internal/services/apimanagement/api_management_resource.go

@@ -221,7 +221,7 @@ func resourceApiManagementService() *schema.Resource {
 
 						"certificate_password": {
 							Type:      schema.TypeString,
-							Required:  true,
+							Optional:  true,
 							Sensitive: true,
 						},
 
@@ -1111,13 +1111,15 @@ func expandAzureRmApiManagementCertificates(d *schema.ResourceData) *[]apimanage
 		config := v.(map[string]interface{})
 
 		certBase64 := config["encoded_certificate"].(string)
-		certificatePassword := config["certificate_password"].(string)
 		storeName := apimanagement.StoreName(config["store_name"].(string))
 
 		cert := apimanagement.CertificateConfiguration{
-			EncodedCertificate:  utils.String(certBase64),
-			CertificatePassword: utils.String(certificatePassword),
-			StoreName:           storeName,
+			EncodedCertificate: utils.String(certBase64),
+			StoreName:          storeName,
+		}
+
+		if certPassword := config["certificate_password"]; certPassword != nil {
+			cert.CertificatePassword = utils.String(certPassword.(string))
 		}
 
 		results = append(results, cert)

azurerm/internal/services/apimanagement/api_management_resource_test.go

@@ -810,6 +810,16 @@ resource "azurerm_api_management" "test" {
     store_name           = "Root"
   }
 
+  certificate {
+    encoded_certificate = filebase64("testdata/api_management_api_test.cer")
+    store_name          = "Root"
+  }
+
+  certificate {
+    encoded_certificate = filebase64("testdata/api_management_api_test.cer")
+    store_name          = "CertificateAuthority"
+  }
+
   protocols {
     enable_http2 = true
   }

azurerm/internal/services/apimanagement/testdata/api_management_api_test.cer

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZoCCQCMdt7DvygPtDANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBh
+cGkudGVycmFmb3JtLmlvMB4XDTE4MDcwNTEwMzMzMFoXDTI4MDcwMjEwMzMzMFow
+GzEZMBcGA1UEAwwQYXBpLnRlcnJhZm9ybS5pbzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKQW332Ol28CsidAheD1aL9Ul8JWnKLdaVxKZ3ssl5CXjPDO
+mM7IXk0SgbQnUC8lIlPFZiDGbQ1sB6OTMun6ZZ4ipLp80dtl0roCLtCnDQOBGzCN
+ArCYAoXRurjkXEY7tpD0wwtU72+37h3HQ4g0VS6VItJCqJ9QADV+HO2ZWuZTez70
+MhoL6OLfZP7HGYdJDKgfEVNF5XlbVzNAGkDIJFdhjNxyGGu5Nfsm1pfQhAyunkk7
+JVamjUg5IojRdo63IS9wwzMOdeGSAbBcsJfYeCfVg2kupR8q0TmZ+x93RmmOlbSi
+66kEYxRzZ9YCQeHJmn1YfJ92BpCUiy9A6Z1iaKUCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAJ7JhlecP7J48wI2QHTMbAMkkWBv/iWq1/QIF4ugH3Zb5PorOv+NfhQ0L
+lWiw/SzN8Ae95vUixAGYHMSa28oumM5K1OsqKEkVIo1AoBH8nBz+VcTpRD/mHXot
+AHPAZt9j5LqeHX+enR6RbINAf3jn+YU3MdVe0MsADdFASVDfjmQP2R7o9aJb/QqO
+g3bZBWsiBDEISfyaH2+pgUM7wtwEoFWmEMlgjLK1MRBs1cDZXqnHaCd/rs+NmWV9
+naEu7x5fyQOk4HozkpweR+Jx1sBlTRsa49/qSHt/6ULKfO01/cTs4iF71ykXPbh3
+Kj9cI2uo9aYtXkxkhKrGyUpA7FJqWw==
+-----END CERTIFICATE-----

website/docs/r/api_management.html.markdown

@@ -104,12 +104,11 @@ A `additional_location` block supports the following:
 
 A `certificate` block supports the following:
 
-* `encoded_certificate` - (Required) The Base64 Encoded PFX Certificate.
-
-* `certificate_password` - (Required) The password for the certificate.
+* `encoded_certificate` - (Required) The Base64 Encoded PFX or Base64 Encoded X.509 Certificate.
 
 * `store_name` - (Required) The name of the Certificate Store where this certificate should be stored. Possible values are `CertificateAuthority` and `Root`.
 
+* `certificate_password` - (Optional) The password for the certificate.
 
 ---