azurerm_storage_account{,_customer_managed_key}: use environment-sp…

…ecific HSM suffix
hashicorp · Mar 1, 2024 · e993524 · e993524
1 parent 6378089
commit e993524
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 6 deletions.
diff --git a/internal/services/managedhsm/parse/mhsm_nested_item.go b/internal/services/managedhsm/parse/mhsm_nested_item.go
@@ -9,6 +9,8 @@ import (
 	"strings"
 
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/resourceids"
+	"github.com/hashicorp/go-azure-sdk/sdk/environments"
+	"github.com/hashicorp/terraform-provider-azurerm/utils"
 )
 
 var _ resourceids.Id = RoleNestedItemId{}
@@ -29,8 +31,18 @@ type RoleNestedItemId struct {
 	Name         string
 }
 
-func IsManagedHSMURI(uri string) bool {
-	return strings.Contains(uri, ".managedhsm.")
+func IsManagedHSMURI(uri string, env *environments.Environment) (bool, error) {
+	domainSuffix, found := env.ManagedHSM.DomainSuffix()
+	if !found {
+		domainSuffix = utils.String(".managedhsm.azure.net")
+	}
+
+	url, err := url.Parse(uri)
+	if err != nil {
+		return false, err
+	}
+
+	return strings.HasSuffix(url.Host, *domainSuffix), nil
 }
 
 func NewRoleNestedItemID(hsmBaseUrl, scope string, typ MHSMResourceType, name string) (*RoleNestedItemId, error) {

diff --git a/internal/services/storage/storage_account_customer_managed_key_resource.go b/internal/services/storage/storage_account_customer_managed_key_resource.go
@@ -218,6 +218,7 @@ func resourceStorageAccountCustomerManagedKeyCreateUpdate(d *pluginsdk.ResourceD
 func resourceStorageAccountCustomerManagedKeyRead(d *pluginsdk.ResourceData, meta interface{}) error {
 	storageClient := meta.(*clients.Client).Storage.AccountsClient
 	keyVaultsClient := meta.(*clients.Client).KeyVault
+	env := meta.(*clients.Client).Account.Environment
 	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
@@ -281,8 +282,12 @@ func resourceStorageAccountCustomerManagedKeyRead(d *pluginsdk.ResourceData, met
 
 	// we can't look up the ID when using federated identity as the key will be under different tenant
 	if federatedIdentityClientID == "" {
-		isHSMURI := managedHsmParse.IsManagedHSMURI(keyVaultURI)
+		isHSMURI, err := managedHsmParse.IsManagedHSMURI(keyVaultURI, &env)
 		switch {
+		case err != nil:
+			{
+				return fmt.Errorf("parsing Base Key Vault URI %q: %+v", keyVaultURI, err)
+			}
 		case isHSMURI:
 			{
 				d.Set("managed_hsm_uri", keyVaultURI)

diff --git a/internal/services/storage/storage_account_resource.go b/internal/services/storage/storage_account_resource.go
@@ -2039,6 +2039,7 @@ func resourceStorageAccountUpdate(d *pluginsdk.ResourceData, meta interface{}) e
 
 func resourceStorageAccountRead(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).Storage.AccountsClient
+	env := meta.(*clients.Client).Account.Environment
 	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
@@ -2244,7 +2245,7 @@ func resourceStorageAccountRead(d *pluginsdk.ResourceData, meta interface{}) err
 		d.Set("table_encryption_key_type", tableEncryptionKeyType)
 		d.Set("queue_encryption_key_type", queueEncryptionKeyType)
 
-		customerManagedKey, err := flattenStorageAccountCustomerManagedKey(id, props.Encryption)
+		customerManagedKey, err := flattenStorageAccountCustomerManagedKey(id, props.Encryption, &env)
 		if err != nil {
 			return err
 		}
@@ -2576,7 +2577,7 @@ func flattenStorageAccountImmutabilityPolicy(policy *storage.ImmutableStorageAcc
 	}
 }
 
-func flattenStorageAccountCustomerManagedKey(storageAccountId *commonids.StorageAccountId, input *storage.Encryption) ([]interface{}, error) {
+func flattenStorageAccountCustomerManagedKey(storageAccountId *commonids.StorageAccountId, input *storage.Encryption, env *environments.Environment) ([]interface{}, error) {
 	if input == nil || input.KeySource == storage.KeySourceMicrosoftStorage {
 		return make([]interface{}, 0), nil
 	}
@@ -2612,8 +2613,12 @@ func flattenStorageAccountCustomerManagedKey(storageAccountId *commonids.Storage
 		"user_assigned_identity_id": userAssignedIdentityId,
 	}
 
-	isHSMURI := managedHsmParse.IsManagedHSMURI(keyVaultURI)
+	isHSMURI, err := managedHsmParse.IsManagedHSMURI(keyVaultURI, env)
 	switch {
+	case err != nil:
+		{
+			return nil, fmt.Errorf("parsing Base Key Vault URI %q: %+v", keyVaultURI, err)
+		}
 	case isHSMURI:
 		{
 			keyId, err := managedHsmParse.NewManagedHSMKeyID(keyVaultURI, keyName, keyVersion)