Support more than 16 access policies (#2866)
* Support more than 16 access policies

Key Vault supports up to 1024 access policy entries for a key vault.

* updating document for #2866

* Update resource_arm_key_vault_key_test.go

Added test case for multiple access policies

* Re-added the access policy test

* Re-basic test cases from Master

* Reset to master updated wrong file

* Updating the correct key vault test file

* Updated test to add access policies directly to the key vault

* Added random string to reduce risk of name collision

* Removed depends on string from test

* Fixed function to call test

* Changed format of storage account name

* Update CHANGELOG.md to include #2866
pratik141 authored and WodansSon committed Mar 1, 2019
1 parent a14c978 commit f10474d
Showing 4 changed files with 93 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -25,6 +25,7 @@ IMPROVEMENTS:
* `azurerm_application_gateway` - support for setting `path` within the `backend_http_settings` block [GH-2879]
* `azurerm_application_gateway` - support for setting `connection_draining` to the `backend_http_settings` [GH-2778]
* `azurerm_iothub` - support for the `fallback_route` property [GH-2764]
* `azurerm_key_vault` - support for 1024 `access policies` [GH-2866]
* `azurerm_redis_cache` - support for configuring the `maxfragmentationmemory_reserved` in the `redis_configuration` block [GH-2887]
* `azurerm_service_fabric_cluster` - support for setting `capacities` and `placement_properties` [GH-2936]
* `azurerm_storage_account` - exposing primary/secondary `_host` attributes [GH-2792]
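Review bot: the backticked `access policies` in the new entry is not an identifier; the schema attribute whose `MaxItems` this commit raises is `access_policy`, so the line reads more precisely as `azurerm_key_vault` - support for up to 1024 `access_policy` blocks [GH-2866].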
2 changes: 1 addition & 1 deletion azurerm/resource_arm_key_vault.go
@@ -84,7 +84,7 @@ func resourceArmKeyVault() *schema.Resource {
Type: schema.TypeList,
Optional: true,
Computed: true,
MaxItems: 16,
MaxItems: 1024,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"tenant_id": {
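Review bot: `MaxItems: 1024` is a plan-time, client-side limit that only mirrors the service quota, and nothing on the line records where the number comes from; a one-line comment above it stating that Key Vault accepts at most 1024 access policy entries per vault (as the commit message says) would stop the schema value and the service limit from drifting apart unnoticed.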
90 changes: 90 additions & 0 deletions azurerm/resource_arm_key_vault_test.go
@@ -4,6 +4,7 @@ import (
"fmt"
"testing"

"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response"
@@ -161,6 +162,29 @@ func TestAccAzureRMKeyVault_networkAcls(t *testing.T) {
})
}

func TestAccAzureRMKeyVault_accessPolicyUpperLimit(t *testing.T) {
resourceName := "azurerm_key_vault.test"
ri := tf.AccRandTimeInt()
rs := acctest.RandString(10)
config := testAccAzureRMKeyVault_accessPolicyUpperLimit(ri, testLocation(), rs)

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testCheckAzureRMKeyVaultDestroy,
Steps: []resource.TestStep{
{
Config: config,
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMKeyVaultExists(resourceName),
testCheckAzureRMKeyVaultDisappears(resourceName),
),
ExpectNonEmptyPlan: true,
},
},
})
}

func TestAccAzureRMKeyVault_disappears(t *testing.T) {
resourceName := "azurerm_key_vault.test"
ri := tf.AccRandTimeInt()
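Review bot: the `Check` block never verifies that the configured policies reached the vault; it calls `testCheckAzureRMKeyVaultDisappears` with `ExpectNonEmptyPlan: true`, which is the pattern of the `_disappears` test below and deletes the vault out-of-band instead of asserting on state. Replacing the disappears check with `resource.TestCheckResourceAttr(resourceName, "access_policy.#", "20")` (the helper generates 20 policies) and dropping `ExpectNonEmptyPlan` makes the test fail if fewer policies than configured are applied. The name `accessPolicyUpperLimit` also overstates what is exercised: 20 policies exceed the previous `MaxItems` of 16 but are nowhere near the new 1024 limit, so either rename it (for example `accessPolicyAboveOldLimit`) or say so in a comment.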
@@ -648,3 +672,69 @@ resource "azurerm_key_vault" "test" {
}
`, rInt, location, rInt)
}

func testAccAzureRMKeyVault_accessPolicyUpperLimit(rInt int, location string, rs string) string {

var storageAccountConfigs string
var accessPoliciesConfigs string

for i := 1; i <= 20; i++ {
storageAccountConfigs += testAccAzureRMKeyVault_generateStorageAccountConfigs(i, rs)
accessPoliciesConfigs += testAccAzureRMKeyVault_generateAccessPolicyConfigs(i)
}

return fmt.Sprintf(`
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "test" {
name = "acctestRG-%d"
location = "%s"
}
resource "azurerm_key_vault" "test" {
name = "vault%d"
location = "${azurerm_resource_group.test.location}"
resource_group_name = "${azurerm_resource_group.test.name}"
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
sku {
name = "premium"
}
%s
}
%s
`, rInt, location, rInt, accessPoliciesConfigs, storageAccountConfigs)
}

func testAccAzureRMKeyVault_generateStorageAccountConfigs(accountNum int, rs string) string {
return fmt.Sprintf(`
resource "azurerm_storage_account" "testsa%d" {
name = "testsa%s%d"
resource_group_name = "${azurerm_resource_group.test.name}"
location = "${azurerm_resource_group.test.location}"
account_tier = "Standard"
account_replication_type = "GRS"
identity {
type = "SystemAssigned"
}
tags {
environment = "testing"
}
}
`, accountNum, rs, accountNum)
}

func testAccAzureRMKeyVault_generateAccessPolicyConfigs(accountNum int) string {
return fmt.Sprintf(`
access_policy {
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${azurerm_storage_account.testsa%d.identity.0.principal_id}"
key_permissions = ["get","create","delete","list","restore","recover","unwrapkey","wrapkey","purge","encrypt","decrypt","sign","verify"]
secret_permissions = ["get"]
}
`, accountNum)
}
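Review bot: `testAccAzureRMKeyVault_generateAccessPolicyConfigs` grants each of the 20 storage-account identities the full key permission set, including `purge`, `delete`, `decrypt` and `sign`, although the test only exercises the number of policies; `key_permissions = ["get"]`, matching the `secret_permissions` line, keeps the acceptance test's principals at the least privilege the test needs. The `i <= 20` loop in `testAccAzureRMKeyVault_accessPolicyUpperLimit` deserves a comment explaining the choice of 20 (above the old limit of 16 without creating hundreds of storage accounts), and the blank line after that function's opening brace can go.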
2 changes: 1 addition & 1 deletion website/docs/r/key_vault_access_policy.html.markdown
@@ -12,7 +12,7 @@ Manages a Key Vault Access Policy.

~> **NOTE:** It's possible to define Key Vault Access Policies both within [the `azurerm_key_vault` resource](key_vault.html) via the `access_policy` block and by using [the `azurerm_key_vault_access_policy` resource](key_vault_access_policy.html). However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.

-> **NOTE:** Azure permits a maximum of 16 Access Policies per Key Vault - [more information can be found in this document](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#data-plane-access-control).
-> **NOTE:** Azure permits a maximum of 1024 Access Policies per Key Vault - [more information can be found in this document](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#data-plane-access-control).

## Example Usage
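Review bot: this hunk corrects the limit on the `azurerm_key_vault_access_policy` page only, while the `azurerm_key_vault` resource page that the NOTE above links to (`key_vault.html`) is not among the four changed files; if that page states the same 16-policy maximum for the `access_policy` block, it needs the identical 1024 correction in this commit so the two documents do not contradict each other.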
