diff --git a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go
index eba7fd15de3a..715127d2cb69 100644
--- a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go
+++ b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go
@@ -172,7 +172,7 @@ func resourceKeyVaultManagedHardwareSecurityModule() *pluginsdk.Resource {
 },
 // https://github.com/Azure/azure-rest-api-specs/issues/13365
- "tags": commonschema.TagsForceNew(),
+ "tags": commonschema.Tags(),
 },
 }
 }
@@ -260,6 +260,22 @@ func resourceArmKeyVaultManagedHardwareSecurityModuleUpdate(d *pluginsdk.Resourc
 return fmt.Errorf("retrieving %s: %+v", id, err)
 }
+ model := resp.Model
+ hasUpdate := false
+ if d.HasChange("tags") {
+ hasUpdate = true
+ model.Tags = tags.Expand(d.Get("tags").(map[string]interface{}))
+ }
+ if d.HasChange("network_acls") {
+ hasUpdate = true
+ model.Properties.NetworkAcls = expandMHSMNetworkAcls(d.Get("network_acls").([]interface{}))
+ }
+ if hasUpdate {
+ if err := hsmClient.CreateOrUpdateThenPoll(ctx, *id, *model); err != nil {
+ return fmt.Errorf("updating %s tags: %+v", id, err)
+ }
+ }
+
 // security domain download to activate this module
 if ok := d.HasChange("security_domain_key_vault_certificate_ids"); ok {
 // get hsm uri
diff --git a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go
index 78310440881d..244482098fd4 100644
--- a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go
+++ b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go
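Review bot: The link comment left directly above `"tags"` in the schema of resourceKeyVaultManagedHardwareSecurityModule looks stale next to `commonschema.Tags()`, since it presumably documented why tags forced replacement. Either drop it or replace it with a line stating what the schema now relies on, for example `// tags are updated in place via CreateOrUpdate in the Update function`. The issue text is not visible here, so confirm the service limitation it tracked is resolved before relying on in-place updates. The schema map starts outside this hunk.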
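Review bot: In resourceArmKeyVaultManagedHardwareSecurityModuleUpdate, `model := resp.Model` is used without a nil check, so `model.Tags = …` (and `model.Properties.NetworkAcls = …`, if Properties is a pointer in this SDK) can panic on an empty response instead of returning an error. Guard it before the first use, e.g. `if model == nil || model.Properties == nil { return fmt.Errorf("retrieving %s: model or properties was nil", id) }`, dropping the second clause if Properties is a value type. The error string `"updating %s tags: %+v"` is also returned when only `network_acls` changed; `"updating %s: %+v"` fits both cases and avoids mislabelling a failed firewall change on an HSM. What expandMHSMNetworkAcls returns for an empty list is not visible in this hunk, so confirm that removing the `network_acls` block does not send a more permissive default than the configuration states. The function starts and continues outside the hunk.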
@@ -25,7 +25,7 @@ func TestAccKeyVaultManagedHardwareSecurityModule(t *testing.T) {
 "resource": {
 "data_source": testAccDataSourceKeyVaultManagedHardwareSecurityModule_basic,
 "basic": testAccKeyVaultManagedHardwareSecurityModule_basic,
- "update": testAccKeyVaultManagedHardwareSecurityModule_requiresImport,
+ "update": testAccKeyVaultManagedHardwareSecurityModule_updateAndRequiresImport,
 "complete": testAccKeyVaultManagedHardwareSecurityModule_complete,
 "download": testAccKeyVaultManagedHardwareSecurityModule_download,
 "role_define": testAccKeyVaultManagedHardwareSecurityModule_roleDefinition,
@@ -122,7 +122,7 @@ func testAccKeyVaultManagedHardwareSecurityModule_roleAssignment(t *testing.T) {
 })
 }
-func testAccKeyVaultManagedHardwareSecurityModule_requiresImport(t *testing.T) {
+func testAccKeyVaultManagedHardwareSecurityModule_updateAndRequiresImport(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_key_vault_managed_hardware_security_module", "test")
 r := KeyVaultManagedHardwareSecurityModuleResource{}
@@ -133,6 +133,14 @@ func testAccKeyVaultManagedHardwareSecurityModule_requiresImport(t *testing.T) {
 check.That(data.ResourceName).ExistsInAzure(r),
 ),
 },
+ data.ImportStep(),
+ {
+ Config: r.basicUpdate(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
 data.RequiresImportErrorStep(r.requiresImport),
 })
 }
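Review bot: The added step in testAccKeyVaultManagedHardwareSecurityModule_updateAndRequiresImport only covers adding `network_acls` and `tags` through `r.basicUpdate`, and its check is `ExistsInAzure` alone. Consider one more step that returns to `r.basic(data)` followed by `data.ImportStep()`, so that removing the `network_acls` block and the tags is exercised too; that is the path where an HSM could end up with ACLs that differ from the configuration. Asserting the updated value directly, e.g. `check.That(data.ResourceName).Key("network_acls.0.default_action").HasValue("Deny")`, would make the intent of the step explicit. The contents of `basic` are not visible here, so this assumes it omits both blocks.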
@@ -187,6 +195,37 @@ resource "azurerm_key_vault_managed_hardware_security_module" "test" {
 `, template, data.RandomInteger)
 }
+func (r KeyVaultManagedHardwareSecurityModuleResource) basicUpdate(data acceptance.TestData) string {
+ template := r.template(data)
+ return fmt.Sprintf(`
+provider "azurerm" {
+ features {}
+}
+
+%s
+
+resource "azurerm_key_vault_managed_hardware_security_module" "test" {
+ name = "kvHsm%d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ sku_name = "Standard_B1"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ admin_object_ids = [data.azurerm_client_config.current.object_id]
+ purge_protection_enabled = false
+
+ network_acls {
+ default_action = "Deny"
+ bypass = "AzureServices"
+ }
+
+ tags = {
+ Env = "Test"
+ App = "TF"
+ }
+}
+`, template, data.RandomInteger)
+}
+
 func (r KeyVaultManagedHardwareSecurityModuleResource) requiresImport(data acceptance.TestData) string {
 template := r.basic(data)
 return fmt.Sprintf(`