diff --git a/internal/services/web/app_service_certificate_resource.go b/internal/services/web/app_service_certificate_resource.go
index 6c9da2616f11..dcc3fa815758 100644
--- a/internal/services/web/app_service_certificate_resource.go
+++ b/internal/services/web/app_service_certificate_resource.go
@@ -100,7 +100,7 @@ func resourceAppServiceCertificateCreateUpdate(d *pluginsdk.ResourceData, meta i
 }
 if keyVaultSecretId != "" {
- parsedSecretId, err := keyVaultParse.ParseNestedItemID(keyVaultSecretId)
+ parsedSecretId, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(keyVaultSecretId)
 if err != nil {
 return err
 }
@@ -253,7 +253,7 @@ func resourceAppServiceCertificateSchema() map[string]*pluginsdk.Schema {
 Optional: true,
 ForceNew: true,
 DiffSuppressFunc: keyVaultSuppress.DiffSuppressIgnoreKeyVaultKeyVersion,
- ValidateFunc: keyVaultValidate.NestedItemId,
+ ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion,
 ConflictsWith: []string{"pfx_blob", "password"},
 ExactlyOneOf: []string{"key_vault_secret_id", "pfx_blob"},
 },
diff --git a/internal/services/web/app_service_certificate_resource_test.go b/internal/services/web/app_service_certificate_resource_test.go
index fdb6d7fc08f1..72bda668af3f 100644
--- a/internal/services/web/app_service_certificate_resource_test.go
+++ b/internal/services/web/app_service_certificate_resource_test.go
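Review bot: With `ParseOptionallyVersionedNestedItemID` in resourceAppServiceCertificateCreateUpdate, `parsedSecretId` can now carry an empty version, and the code that consumes it lies after this hunk and is not visible here. If that code only needs the vault and the secret name, a comment at the call such as `// Version may be empty here; only the secret name and vault are used below.` would record why the looser parser is safe. If the version is read anywhere further down, that path needs an explicit guard for the empty case rather than passing an empty string on to the API.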
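Review bot: Accepting a versionless ID for `key_vault_secret_id` (the `ValidateFunc` change in resourceAppServiceCertificateSchema) means the configuration no longer pins which certificate version is bound, and the existing `DiffSuppressIgnoreKeyVaultKeyVersion` on the same field presumably keeps version changes out of the plan as well. A principal that can write a new secret version to the vault may therefore change the certificate material served by the app without any Terraform diff, which operators should know when choosing between the two forms. No documentation change is visible in this diff; I would add a comment above the field such as `// A versionless ID is accepted; the certificate version is then not pinned by configuration.` and mirror it in the resource docs. The schema map starts and ends outside the hunk.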
@@ -79,6 +79,21 @@ func TestAccAppServiceCertificate_KeyVaultId(t *testing.T) {
 })
 }
+func TestAccAppServiceCertificate_KeyVaultIdVersionless(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_app_service_certificate", "test")
+ r := AppServiceCertificateResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.keyVaultIdVersionless(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).Key("thumbprint").HasValue("7B985BF42467791F23E52B364A3E8DEBAB9C606E"),
+ ),
+ },
+ data.ImportStep("key_vault_secret_id", "key_vault_id"),
+ })
+}
+
 func (r AppServiceCertificateResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 id, err := parse.CertificateID(state.ID)
 if err != nil {
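Review bot: TestAccAppServiceCertificate_KeyVaultIdVersionless asserts only the `thumbprint`, and its `data.ImportStep("key_vault_secret_id", "key_vault_id")` excludes the very attribute this change is about from import verification, so nothing checks that the versionless ID is what ends up in state. Adding `check.That(data.ResourceName).ExistsInAzure(r),` and `check.That(data.ResourceName).Key("key_vault_secret_id").Exists(),` to the `ComposeTestCheckFunc` would cover that. A second step that switches between the versioned and versionless forms would also show whether the diff suppression on the field produces an empty plan, though that may belong in a follow-up.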
@@ -332,3 +347,102 @@ resource "azurerm_app_service_certificate" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
+
+func (r AppServiceCertificateResource) keyVaultIdVersionless(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+provider "azurerm" {
+ features {}
+}
+
+provider "azuread" {}
+
+data "azurerm_client_config" "test" {}
+
+data "azuread_service_principal" "test" {
+ display_name = "Microsoft Azure App Service"
+}
+
+resource "azurerm_resource_group" "test" {
+ name = "acctestwebcert%d"
+ location = "%s"
+}
+
+resource "azurerm_key_vault" "test" {
+ name = "acct%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+
+ tenant_id = data.azurerm_client_config.test.tenant_id
+
+ sku_name = "standard"
+
+ access_policy {
+ tenant_id = data.azurerm_client_config.test.tenant_id
+ object_id = data.azurerm_client_config.test.object_id
+
+ secret_permissions = [
+ "Delete",
+ "Get",
+ "Purge",
+ "Set",
+ ]
+
+ certificate_permissions = [
+ "Create",
+ "Delete",
+ "Get",
+ "Purge",
+ "Import",
+ ]
+ }
+
+ access_policy {
+ tenant_id = data.azurerm_client_config.test.tenant_id
+ object_id = data.azuread_service_principal.test.object_id
+
+ secret_permissions = [
+ "Get",
+ ]
+
+ certificate_permissions = [
+ "Get",
+ ]
+ }
+}
+
+resource "azurerm_key_vault_certificate" "test" {
+ name = "acctest%d"
+ key_vault_id = azurerm_key_vault.test.id
+
+ certificate {
+ contents = filebase64("testdata/app_service_certificate.pfx")
+ password = "terraform"
+ }
+
+ certificate_policy {
+ issuer_parameters {
+ name = "Self"
+ }
+
+ key_properties {
+ exportable = true
+ key_size = 2048
+ key_type = "RSA"
+ reuse_key = false
+ }
+
+ secret_properties {
+ content_type = "application/x-pkcs12"
+ }
+ }
+}
+
+resource "azurerm_app_service_certificate" "test" {
+ name = "acctest%d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ key_vault_id = azurerm_key_vault.test.id
+ key_vault_secret_id = azurerm_key_vault_certificate.test.versionless_secret_id
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger)
+}
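Review bot: The second `access_policy` in keyVaultIdVersionless grants vault read access to a principal found by `display_name = "Microsoft Azure App Service"`, and display names are not guaranteed unique within a tenant, so the lookup may fail or resolve to an unintended object. Test configs like this tend to be copied into real deployments, so resolving the service principal by its application (client) ID would be the safer pattern; at minimum a comment such as `# looked up by display name; prefer the application ID outside tests` would flag it. The config also appears to repeat the existing versioned fixture apart from `versionless_secret_id`, so a shared template taking the secret reference as a parameter would keep the two from drifting; the existing fixture is outside this hunk, so that part is an inference.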