azurerm_stream_analytics_reference_input_blob: Make `storage_accoun…

…t_key` optional when MSI auth is used (#19676) Co-authored-by: Alexander Guth <[email protected]>
hashicorp · Jan 5, 2023 · 625686c · 625686c
1 parent 1fc4094
commit 625686c
Show file tree

Hide file tree

Showing 9 changed files with 122 additions and 28 deletions.
diff --git a/examples/stream-analytics/README.md → ...es/stream-analytics/basic-usage/README.md b/examples/stream-analytics/README.md → ...es/stream-analytics/basic-usage/README.md
@@ -1,3 +1,3 @@
-## Example: Azure Stream Analytics
+# Azure Stream Analytics: Basic usage
 
 This example provisions an Azure Storage Account and a Stream Analytics job, that uses it as a reference input.
diff --git a/examples/stream-analytics/main.tf → ...ples/stream-analytics/basic-usage/main.tf b/examples/stream-analytics/main.tf → ...ples/stream-analytics/basic-usage/main.tf
@@ -4,27 +4,27 @@ provider "azurerm" {
 
 resource "azurerm_resource_group" "example" {
   name     = "${var.prefix}-example-resources"
-  location = "${var.location}"
+  location = var.location
 }
 
 resource "azurerm_storage_account" "example" {
-  name                     = "${var.prefix}-examplestoracc"
-  resource_group_name      = "${azurerm_resource_group.example.name}"
-  location                 = "${azurerm_resource_group.example.location}"
+  name                     = "${var.prefix}examplestoracc"
+  resource_group_name      = azurerm_resource_group.example.name
+  location                 = azurerm_resource_group.example.location
   account_tier             = "Standard"
   account_replication_type = "LRS"
 }
 
 resource "azurerm_storage_container" "example" {
   name                  = "${var.prefix}example"
-  storage_account_name  = "${azurerm_storage_account.example.name}"
+  storage_account_name  = azurerm_storage_account.example.name
   container_access_type = "private"
 }
 
 resource "azurerm_stream_analytics_job" "example" {
   name                                     = "${var.prefix}-example-job"
-  resource_group_name                      = "${azurerm_resource_group.example.name}"
-  location                                 = "${azurerm_resource_group.example.location}"
+  resource_group_name                      = azurerm_resource_group.example.name
+  location                                 = azurerm_resource_group.example.location
   compatibility_level                      = "1.1"
   data_locale                              = "en-US"
   events_late_arrival_max_delay_in_seconds = 60
@@ -45,15 +45,15 @@ QUERY
 }
 
 resource "azurerm_stream_analytics_reference_input_blob" "test" {
-  name                         = "${var.prefix}-blob-reference-input"
-  stream_analytics_job_name    = "${azurerm_stream_analytics_job.example.name}"
-  resource_group_name          = "${azurerm_stream_analytics_job.example.resource_group_name}"
-  storage_account_name         = "${azurerm_storage_account.example.name}"
-  storage_account_key          = "${azurerm_storage_account.example.primary_access_key}"
-  storage_container_name       = "${azurerm_storage_container.example.name}"
-  path_pattern                 = "some-random-pattern"
-  date_format                  = "yyyy/MM/dd"
-  time_format                  = "HH"
+  name                      = "${var.prefix}-blob-reference-input"
+  stream_analytics_job_name = azurerm_stream_analytics_job.example.name
+  resource_group_name       = azurerm_stream_analytics_job.example.resource_group_name
+  storage_account_name      = azurerm_storage_account.example.name
+  storage_account_key       = azurerm_storage_account.example.primary_access_key
+  storage_container_name    = azurerm_storage_container.example.name
+  path_pattern              = "some-random-pattern"
+  date_format               = "yyyy/MM/dd"
+  time_format               = "HH"
 
   serialization {
     type     = "Json"

diff --git a/examples/stream-analytics/variables.tf → ...stream-analytics/basic-usage/variables.tf b/examples/stream-analytics/variables.tf → ...stream-analytics/basic-usage/variables.tf
diff --git a/examples/stream-analytics/msi-auth/README.md b/examples/stream-analytics/msi-auth/README.md
@@ -0,0 +1,7 @@
+# Azure Stream Analytics: MSI authentication
+
+This example provisions a Stream Analytics job that uses [MSI authentication](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) for the Stream Analytics inputs and outputs.
+
+## Inputs
+
+- `azurerm_stream_analytics_reference_input_blob`
diff --git a/examples/stream-analytics/msi-auth/main.tf b/examples/stream-analytics/msi-auth/main.tf
@@ -0,0 +1,72 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-example-resources"
+  location = var.location
+}
+
+resource "azurerm_storage_account" "example" {
+  name                     = "${var.prefix}examplestoracc"
+  resource_group_name      = azurerm_resource_group.example.name
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_role_assignment" "example" {
+  scope                = azurerm_storage_account.example.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_stream_analytics_job.example.identity[0].principal_id
+}
+
+resource "azurerm_storage_container" "example" {
+  name                  = "${var.prefix}example"
+  storage_account_name  = azurerm_storage_account.example.name
+  container_access_type = "private"
+}
+
+resource "azurerm_stream_analytics_job" "example" {
+  name                                     = "${var.prefix}-example-job"
+  resource_group_name                      = azurerm_resource_group.example.name
+  location                                 = azurerm_resource_group.example.location
+  compatibility_level                      = "1.1"
+  data_locale                              = "en-US"
+  events_late_arrival_max_delay_in_seconds = 60
+  events_out_of_order_max_delay_in_seconds = 50
+  events_out_of_order_policy               = "Adjust"
+  output_error_policy                      = "Drop"
+  streaming_units                          = 3
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = {
+    environment = "Example"
+  }
+
+  transformation_query = <<QUERY
+    SELECT *
+    INTO [YourOutputAlias]
+    FROM [YourInputAlias]
+QUERY
+}
+
+resource "azurerm_stream_analytics_reference_input_blob" "test" {
+  name                      = "${var.prefix}-blob-reference-input"
+  stream_analytics_job_name = azurerm_stream_analytics_job.example.name
+  resource_group_name       = azurerm_stream_analytics_job.example.resource_group_name
+  storage_account_name      = azurerm_storage_account.example.name
+  storage_container_name    = azurerm_storage_container.example.name
+  authentication_mode       = "Msi"
+  path_pattern              = "some-random-pattern"
+  date_format               = "yyyy/MM/dd"
+  time_format               = "HH"
+
+  serialization {
+    type     = "Json"
+    encoding = "UTF8"
+  }
+}
diff --git a/examples/stream-analytics/msi-auth/variables.tf b/examples/stream-analytics/msi-auth/variables.tf
@@ -0,0 +1,7 @@
+variable "prefix" {
+  description = "The prefix which should be used for all resources in this example"
+}
+
+variable "location" {
+  description = "The Azure Region in which all resources in this example should be created."
+}
diff --git a/internal/services/streamanalytics/stream_analytics_reference_input_blob_resource.go b/internal/services/streamanalytics/stream_analytics_reference_input_blob_resource.go
@@ -72,7 +72,7 @@ func resourceStreamAnalyticsReferenceInputBlob() *pluginsdk.Resource {
 
 			"storage_account_key": {
 				Type:         pluginsdk.TypeString,
-				Required:     true,
+				Optional:     true,
 				Sensitive:    true,
 				ValidateFunc: validation.StringIsNotEmpty,
 			},
@@ -149,7 +149,7 @@ func resourceStreamAnalyticsReferenceInputBlobCreate(d *pluginsdk.ResourceData,
 					StorageAccounts: &[]inputs.StorageAccount{
 						{
 							AccountName: utils.String(d.Get("storage_account_name").(string)),
-							AccountKey:  utils.String(d.Get("storage_account_key").(string)),
+							AccountKey:  normalizeAccountKey(d.Get("storage_account_key").(string)),
 						},
 					},
 					AuthenticationMode: utils.ToPtr(inputs.AuthenticationMode(d.Get("authentication_mode").(string))),
@@ -198,7 +198,7 @@ func resourceStreamAnalyticsReferenceInputBlobUpdate(d *pluginsdk.ResourceData,
 					StorageAccounts: &[]inputs.StorageAccount{
 						{
 							AccountName: utils.String(d.Get("storage_account_name").(string)),
-							AccountKey:  utils.String(d.Get("storage_account_key").(string)),
+							AccountKey:  normalizeAccountKey(d.Get("storage_account_key").(string)),
 						},
 					},
 					AuthenticationMode: utils.ToPtr(inputs.AuthenticationMode(d.Get("authentication_mode").(string))),
@@ -321,3 +321,11 @@ func resourceStreamAnalyticsReferenceInputBlobDelete(d *pluginsdk.ResourceData,
 
 	return nil
 }
+
+func normalizeAccountKey(accountKey string) *string {
+	if accountKey != "" {
+		return utils.String(accountKey)
+	}
+
+	return nil
+}
diff --git a/internal/services/streamanalytics/stream_analytics_reference_input_blob_resource_test.go b/internal/services/streamanalytics/stream_analytics_reference_input_blob_resource_test.go
@@ -247,7 +247,6 @@ resource "azurerm_stream_analytics_reference_input_blob" "test" {
   stream_analytics_job_name = azurerm_stream_analytics_job.test.name
   resource_group_name       = azurerm_stream_analytics_job.test.resource_group_name
   storage_account_name      = azurerm_storage_account.test.name
-  storage_account_key       = azurerm_storage_account.test.primary_access_key
   storage_container_name    = azurerm_storage_container.test.name
   path_pattern              = "some-random-pattern"
   date_format               = "yyyy/MM/dd"
@@ -300,11 +299,12 @@ resource "azurerm_resource_group" "test" {
 }
 
 resource "azurerm_storage_account" "test" {
-  name                     = "acctestsa%s"
-  resource_group_name      = azurerm_resource_group.test.name
-  location                 = azurerm_resource_group.test.location
-  account_tier             = "Standard"
-  account_replication_type = "LRS"
+  name                            = "acctestsa%s"
+  resource_group_name             = azurerm_resource_group.test.name
+  location                        = azurerm_resource_group.test.location
+  account_tier                    = "Standard"
+  account_replication_type        = "LRS"
+  allow_nested_items_to_be_public = false
 }
 
 resource "azurerm_storage_container" "test" {
@@ -317,7 +317,7 @@ resource "azurerm_stream_analytics_job" "test" {
   name                                     = "acctestjob-%d"
   resource_group_name                      = azurerm_resource_group.test.name
   location                                 = azurerm_resource_group.test.location
-  compatibility_level                      = "1.0"
+  compatibility_level                      = "1.1"
   data_locale                              = "en-GB"
   events_late_arrival_max_delay_in_seconds = 60
   events_out_of_order_max_delay_in_seconds = 50

diff --git a/website/docs/r/stream_analytics_reference_input_blob.html.markdown b/website/docs/r/stream_analytics_reference_input_blob.html.markdown
@@ -71,7 +71,7 @@ The following arguments are supported:
 
 * `storage_account_name` - (Required) The name of the Storage Account that has the blob container with reference data.
 
-* `storage_account_key` - (Required) The Access Key which should be used to connect to this Storage Account.
+* `storage_account_key` - (Optional) The Access Key which should be used to connect to this Storage Account. Required if `authentication_mode` is `ConnectionString`.
 
 * `storage_container_name` - (Required) The name of the Container within the Storage Account.