diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go index ef347deed01e..cd813f0940f0 100644 --- a/azurerm/resource_arm_key_vault.go +++ b/azurerm/resource_arm_key_vault.go @@ -84,6 +84,34 @@ func resourceArmKeyVault() *schema.Resource { Required: true, ValidateFunc: validateUUID, }, + "application_id": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validateUUID, + }, + "certificate_permissions": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validation.StringInSlice([]string{ + string(keyvault.All), + string(keyvault.Create), + string(keyvault.Delete), + string(keyvault.Deleteissuers), + string(keyvault.Get), + string(keyvault.Getissuers), + string(keyvault.Import), + string(keyvault.List), + string(keyvault.Listissuers), + string(keyvault.Managecontacts), + string(keyvault.Manageissuers), + string(keyvault.Setissuers), + string(keyvault.Update), + }, true), + DiffSuppressFunc: ignoreCaseDiffSuppressFunc, + }, + }, "key_permissions": { Type: schema.TypeList, Required: true, @@ -105,7 +133,8 @@ func resourceArmKeyVault() *schema.Resource { string(keyvault.KeyPermissionsUpdate), string(keyvault.KeyPermissionsVerify), string(keyvault.KeyPermissionsWrapKey), - }, false), + }, true), + DiffSuppressFunc: ignoreCaseDiffSuppressFunc, }, }, "secret_permissions": { @@ -119,7 +148,8 @@ func resourceArmKeyVault() *schema.Resource { string(keyvault.SecretPermissionsGet), string(keyvault.SecretPermissionsList), string(keyvault.SecretPermissionsSet), - }, false), + }, true), + DiffSuppressFunc: ignoreCaseDiffSuppressFunc, }, }, }, 
@@ -257,6 +287,12 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli for _, policySet := range policies { policyRaw := policySet.(map[string]interface{}) + certificatePermissionsRaw := policyRaw["certificate_permissions"].([]interface{}) + certificatePermissions := []keyvault.CertificatePermissions{} + for _, permission := range certificatePermissionsRaw { + certificatePermissions = append(certificatePermissions, keyvault.CertificatePermissions(permission.(string))) + } + keyPermissionsRaw := policyRaw["key_permissions"].([]interface{}) keyPermissions := []keyvault.KeyPermissions{} for _, permission := range keyPermissionsRaw { @@ -271,8 +307,9 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli policy := keyvault.AccessPolicyEntry{ Permissions: &keyvault.Permissions{ - Keys: &keyPermissions, - Secrets: &secretPermissions, + Certificates: &certificatePermissions, + Keys: &keyPermissions, + Secrets: &secretPermissions, }, } @@ -281,6 +318,11 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli objectUUID := policyRaw["object_id"].(string) policy.ObjectID = &objectUUID + if v := policyRaw["application_id"]; v != "" { + applicationUUID := uuid.FromStringOrNil(v.(string)) + policy.ApplicationID = &applicationUUID + } + result = append(result, policy) } 
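Review bot: The `application_id` branch at the end of the third hunk reads `policyRaw["application_id"]` as a bare `interface{}` and then does `v.(string)` inside the `if`; should the key ever be absent from the map (nil), `v != ""` is true and the assertion panics, so a checked assertion is the safer shape: `if v, ok := policyRaw["application_id"].(string); ok && v != "" {`. In the same branch `uuid.FromStringOrNil` swallows a parse failure and would send the all-zero UUID as the policy's `ApplicationID`, which — as I understand the Key Vault access-policy model, where `applicationId` narrows a grant to a specific client application acting for the principal — silently mis-binds a permission grant instead of failing. Today the schema's `validateUUID` is the only thing preventing that fallback, so a comment such as `// validateUUID on the schema guarantees a well-formed value; FromStringOrNil must never reach its uuid.Nil fallback here` would stop someone relaxing the validator later without noticing. expandKeyVaultAccessPolicies starts before this hunk.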
@@ -301,6 +343,11 @@ func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []int for _, policy := range *policies { policyRaw := make(map[string]interface{}) + certificatePermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys)) + for _, certificatePermission := range *policy.Permissions.Certificates { + certificatePermissionsRaw = append(certificatePermissionsRaw, string(certificatePermission)) + } + keyPermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys)) for _, keyPermission := range *policy.Permissions.Keys { keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission)) @@ -313,6 +360,10 @@ func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []int policyRaw["tenant_id"] = policy.TenantID.String() policyRaw["object_id"] = *policy.ObjectID + if policy.ApplicationID != nil { + policyRaw["application_id"] = policy.ApplicationID.String() + } + policyRaw["certificate_permissions"] = certificatePermissionsRaw policyRaw["key_permissions"] = keyPermissionsRaw policyRaw["secret_permissions"] = secretPermissionsRaw diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go index c03a702bf64f..a9c232a28f24 100644 --- a/azurerm/resource_arm_key_vault_test.go +++ b/azurerm/resource_arm_key_vault_test.go 
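Review bot: In the first hunk `certificatePermissionsRaw` is sized from `len(*policy.Permissions.Keys)` — a copy-paste of the key-permissions line below it — and the loop then dereferences `*policy.Permissions.Certificates` unconditionally, which panics if the service returns a policy without a `certificates` block (plausible for policies created before this field was managed, though I cannot confirm the API's behaviour from here). Guard the loop with `if policy.Permissions.Certificates != nil {` and size the slice with `len(*policy.Permissions.Certificates)` (or 0), so a Read of an existing vault cannot crash the provider; a crash in Read also means any drift in that policy's permissions is never surfaced. flattenKeyVaultAccessPolicies starts before this hunk, and the same nil-guard question applies to the existing `Keys`/`Secrets` loops, which this commit does not touch.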
@@ -87,6 +87,27 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) { }) } +func TestAccAzureRMKeyVault_complete(t *testing.T) { + resourceName := "azurerm_key_vault.test" + ri := acctest.RandInt() + config := testAccAzureRMKeyVault_complete(ri, testLocation()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMKeyVaultDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMKeyVaultExists(resourceName), + resource.TestCheckResourceAttrSet(resourceName, "access_policy.0.application_id"), + ), + }, + }, + }) +} + func TestAccAzureRMKeyVault_update(t *testing.T) { ri := acctest.RandInt() resourceName := "azurerm_key_vault.test" @@ -257,3 +278,47 @@ resource "azurerm_key_vault" "test" { } `, rInt, location, rInt) } + +func testAccAzureRMKeyVault_complete(rInt int, location string) string { + return fmt.Sprintf(` +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_key_vault" "test" { + name = "vault%d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + + sku { + name = "premium" + } + + access_policy { + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.client_id}" + application_id = "${data.azurerm_client_config.current.service_principal_application_id}" + + certificate_permissions = [ + "get", + ] + + key_permissions = [ + "get", + ] + + secret_permissions = [ + "get", + ] + } + + tags { + environment = "Production" + } +} +`, rInt, location, rInt) +} diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown index e3022d23c7b9..a6d852fb395a 100644 
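Review bot: `TestAccAzureRMKeyVault_complete` only asserts that `access_policy.0.application_id` is set; it neither checks that the configured value round-trips nor that the lowercase `"get"` entries in `certificate_permissions`/`key_permissions`/`secret_permissions` survive the new case-insensitive validation and DiffSuppress without a perpetual diff, which is the behaviour this commit is introducing. Add `resource.TestCheckResourceAttr(resourceName, "access_policy.0.certificate_permissions.0", "get")` alongside the existing check, and consider a second step whose config drops `application_id` so the nil branch in flatten is exercised. The config also assigns `client_id` to `object_id`; `client_id` is an application (client) ID rather than an AAD object ID, so if the data source exposes `service_principal_object_id` that is the value the access policy should carry — this mirrors the existing basic config and may be deliberate, but as written the policy is granted to an ID that is unlikely to resolve to the principal running the test.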
--- a/website/docs/r/key_vault.html.markdown +++ b/website/docs/r/key_vault.html.markdown @@ -100,6 +100,11 @@ The following arguments are supported: group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. +* `application_id` - (Optional) The object ID of an Application in Azure Active Directory. + +* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from + the following: `All`, `Create`, `Delete`, `Deleteissuers`, `Get`, `Getissuers`, `Import`, `List`, `Listissuers`, `Managecontacts`, `Manageissuers`, `Setissuers` and `Update`. + * `key_permissions` - (Required) List of key permissions, must be one or more from the following: `all`, `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `restore`, `sign`, `unwrapKey`, `update`, `verify`, `wrapKey`.