azurerm_api_management_certificate - allow key vault certificates (#…

…11175) Dependency on #11146 Fixes #10138 Creating this pull request even though dependency is not merged yet since I want feedback on if implementation is OK. Unfortunately Microsoft is not so consistent with which ID of User Assigned Managed Identity they want on resources.
hashicorp · May 1, 2021 · d330b9b · d330b9b
1 parent 01d389f
commit d330b9b
Show file tree

Hide file tree

Showing 4 changed files with 418 additions and 15 deletions.
diff --git a/azurerm/internal/services/apimanagement/api_management_certificate_resource.go b/azurerm/internal/services/apimanagement/api_management_certificate_resource.go
@@ -15,6 +15,8 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
+	keyVaultParse "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/keyvault/parse"
+	keyVaultValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/keyvault/validate"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/timeouts"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
@@ -43,16 +45,34 @@ func resourceApiManagementCertificate() *schema.Resource {
 			"api_management_name": schemaz.SchemaApiManagementName(),
 
 			"data": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Sensitive:     true,
+				ValidateFunc:  validation.StringIsBase64,
+				AtLeastOneOf:  []string{"data", "key_vault_secret_id"},
+				ConflictsWith: []string{"key_vault_secret_id", "key_vault_identity_client_id"},
+			},
+
+			"password": {
 				Type:         schema.TypeString,
-				Required:     true,
+				Optional:     true,
 				Sensitive:    true,
-				ValidateFunc: validation.StringIsBase64,
+				RequiredWith: []string{"data"},
 			},
 
-			"password": {
-				Type:      schema.TypeString,
-				Optional:  true,
-				Sensitive: true,
+			"key_vault_secret_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ValidateFunc:  keyVaultValidate.NestedItemIdWithOptionalVersion,
+				AtLeastOneOf:  []string{"data", "key_vault_secret_id"},
+				ConflictsWith: []string{"data", "password"},
+			},
+
+			"key_vault_identity_client_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.IsUUID,
+				RequiredWith: []string{"key_vault_secret_id"},
 			},
 
 			"expiration": {
@@ -83,6 +103,8 @@ func resourceApiManagementCertificateCreateUpdate(d *schema.ResourceData, meta i
 	serviceName := d.Get("api_management_name").(string)
 	data := d.Get("data").(string)
 	password := d.Get("password").(string)
+	keyVaultSecretId := d.Get("key_vault_secret_id").(string)
+	keyVaultIdentity := d.Get("key_vault_identity_client_id").(string)
 
 	if d.IsNewResource() {
 		existing, err := client.Get(ctx, resourceGroup, serviceName, name)
@@ -98,10 +120,27 @@ func resourceApiManagementCertificateCreateUpdate(d *schema.ResourceData, meta i
 	}
 
 	parameters := apimanagement.CertificateCreateOrUpdateParameters{
-		CertificateCreateOrUpdateProperties: &apimanagement.CertificateCreateOrUpdateProperties{
-			Data:     utils.String(data),
-			Password: utils.String(password),
-		},
+		CertificateCreateOrUpdateProperties: &apimanagement.CertificateCreateOrUpdateProperties{},
+	}
+
+	if keyVaultSecretId != "" {
+		parsedSecretId, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(keyVaultSecretId)
+		if err != nil {
+			return err
+		}
+
+		parameters.KeyVault = &apimanagement.KeyVaultContractCreateProperties{
+			SecretIdentifier: utils.String(parsedSecretId.ID()),
+		}
+
+		if keyVaultIdentity != "" {
+			parameters.KeyVault.IdentityClientID = utils.String(keyVaultIdentity)
+		}
+	}
+
+	if data != "" {
+		parameters.Data = utils.String(data)
+		parameters.Password = utils.String(password)
 	}
 
 	if _, err := client.CreateOrUpdate(ctx, resourceGroup, serviceName, name, parameters, ""); err != nil {
@@ -113,7 +152,7 @@ func resourceApiManagementCertificateCreateUpdate(d *schema.ResourceData, meta i
 		return fmt.Errorf("retrieving Certificate %q (Resource Group %q / API Management Service %q): %+v", name, resourceGroup, serviceName, err)
 	}
 	if resp.ID == nil {
-		return fmt.Errorf("Cannot read ID for Certificate %q (Resource Group %q / API Management Service %q)", name, resourceGroup, serviceName)
+		return fmt.Errorf("cannot read ID for Certificate %q (Resource Group %q / API Management Service %q)", name, resourceGroup, serviceName)
 	}
 	d.SetId(*resp.ID)
 
@@ -153,9 +192,13 @@ func resourceApiManagementCertificateRead(d *schema.ResourceData, meta interface
 			formatted := expiration.Format(time.RFC3339)
 			d.Set("expiration", formatted)
 		}
-
 		d.Set("subject", props.Thumbprint)
 		d.Set("thumbprint", props.Thumbprint)
+
+		if keyvault := props.KeyVault; keyvault != nil {
+			d.Set("key_vault_secret_id", keyvault.SecretIdentifier)
+			d.Set("key_vault_identity_client_id", keyvault.IdentityClientID)
+		}
 	}
 
 	return nil