Fix - azurerm_api_management_named_value would not enforce `secret=…

…true` when using `value_from_key_vault` (#26150)

* fix: APIM named values must be secret when stored in KV

* test: add acceptance test for new validation enforcement

* Update internal/services/apimanagement/api_management_named_value_resource.go

Co-authored-by: stephybun <[email protected]>

* Update internal/services/apimanagement/api_management_named_value_resource_test.go

Co-authored-by: stephybun <[email protected]>

* fix: string syntax

* run tests

---------

Co-authored-by: stephybun <[email protected]>

internal/services/apimanagement/api_management_named_value_resource.go

@@ -73,6 +73,7 @@ func resourceApiManagementNamedValue() *pluginsdk.Resource {
 						},
 					},
 				},
+				RequiredWith: []string{"secret"},
 			},
 
 			"value": {
@@ -129,6 +130,10 @@ func resourceApiManagementNamedValueCreateUpdate(d *pluginsdk.ResourceData, meta
 		},
 	}
 
+	if parameters.Properties.KeyVault != nil && (parameters.Properties.Secret == nil || !*parameters.Properties.Secret) {
+		return fmt.Errorf("`secret` must be true when `value_from_key_vault` is set")
+	}
+
 	if v, ok := d.GetOk("value"); ok {
 		parameters.Properties.Value = pointer.To(v.(string))
 	}

internal/services/apimanagement/api_management_named_value_resource_test.go

@@ -6,6 +6,7 @@ package apimanagement_test
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
@@ -63,6 +64,18 @@ func TestAccApiManagementNamedValue_keyVaultSystemAssigned(t *testing.T) {
 	})
 }
 
+func TestAccApiManagementNamedValue_keyVaultInvalidSecretValue(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management_named_value", "test")
+	r := ApiManagementNamedValueResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config:      r.keyVaultWithInvalidSecretValue(data),
+			ExpectError: regexp.MustCompile("`secret` must be true when `value_from_key_vault` is set"),
+		},
+	})
+}
+
 func TestAccApiManagementNamedValue_keyVaultUpdate(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_api_management_named_value", "test")
 	r := ApiManagementNamedValueResource{}
@@ -346,6 +359,28 @@ resource "azurerm_api_management_named_value" "test" {
 `, r.keyVaultTemplate(data), data.RandomInteger)
 }
 
+func (r ApiManagementNamedValueResource) keyVaultWithInvalidSecretValue(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_api_management_named_value" "test" {
+  name                = "acctestAMProperty-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  api_management_name = azurerm_api_management.test.name
+  display_name        = "TestKeyVault%[2]d"
+  secret              = false
+  value_from_key_vault {
+    secret_id          = azurerm_key_vault_secret.test.id
+    identity_client_id = azurerm_user_assigned_identity.test.client_id
+  }
+
+  tags = ["tag1", "tag2"]
+
+  depends_on = [azurerm_key_vault_access_policy.test2]
+}
+`, r.keyVaultTemplate(data), data.RandomInteger)
+}
+
 func (r ApiManagementNamedValueResource) keyVaultSystemAssigned(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {

website/docs/r/api_management_named_value.html.markdown

@@ -51,7 +51,7 @@ The following arguments are supported:
 
 * `value` - (Optional) The value of this API Management Named Value.
 
-* `value_from_key_vault` - (Optional) A `value_from_key_vault` block as defined below.
+* `value_from_key_vault` - (Optional) A `value_from_key_vault` block as defined below. If specified, `secret` must also be set to `true`.
 
 * `secret` - (Optional) Specifies whether the API Management Named Value is secret. Valid values are `true` or `false`. The default value is `false`.