update automation account encryption logic
wuxu92 committed Mar 8, 2023
1 parent 7049d4b commit f8a26a5
Showing 3 changed files with 53 additions and 26 deletions.
36 changes: 19 additions & 17 deletions internal/services/automation/automation_account_resource.go
Expand Up @@ -76,8 +76,10 @@ func resourceAutomationAccount() *pluginsdk.Resource {
},

"key_source": {
Type: pluginsdk.TypeString,
Optional: true,
Type: pluginsdk.TypeString,
Optional: true,
Computed: true,
Deprecated: "`key_source` can inferred from if `key_vault_key_id` set",
ValidateFunc: validation.StringInSlice(
automationaccount.PossibleValuesForEncryptionKeySourceType(),
false,
Expand Down Expand Up @@ -366,33 +368,33 @@ func resourceAutomationAccountDelete(d *pluginsdk.ResourceData, meta interface{}
}

func expandEncryption(encMap map[string]interface{}) (*automationaccount.EncryptionProperties, error) {
var id interface{}
id, ok := encMap["user_assigned_identity_id"].(string)
if !ok {
return nil, fmt.Errorf("read encryption user identity id error")
}
prop := &automationaccount.EncryptionProperties{
Identity: &automationaccount.EncryptionPropertiesIdentity{
UserAssignedIdentity: &id,
},
}
prop.KeySource = pointer.To(automationaccount.EncryptionKeySourceTypeMicrosoftPointAutomation)
if val, ok := encMap["key_source"].(string); ok && val != "" {
prop.KeySource = (*automationaccount.EncryptionKeySourceType)(&val)
Identity: &automationaccount.EncryptionPropertiesIdentity{},
}
idObject, ok := encMap["user_assigned_identity_id"]
if ok {
if idStr, ok := idObject.(string); !ok {
return nil, fmt.Errorf("read encryption user identity id error")
} else if idStr != "" {
var id interface{} = idStr
prop.Identity.UserAssignedIdentity = &id
}
}

if keyIdStr := encMap["key_vault_key_id"].(string); keyIdStr != "" {
keyId, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(keyIdStr)
if err != nil {
return nil, err
}
if prop.KeySource == nil {
prop.KeySource = pointer.To(automationaccount.EncryptionKeySourceTypeMicrosoftPointKeyvault)
}

prop.KeySource = pointer.To(automationaccount.EncryptionKeySourceTypeMicrosoftPointKeyvault)
prop.KeyVaultProperties = &automationaccount.KeyVaultProperties{
KeyName: utils.String(keyId.Name),
KeyVersion: utils.String(keyId.Version),
KeyvaultUri: utils.String(keyId.KeyVaultBaseUrl),
}
} else {
prop.KeySource = pointer.To(automationaccount.EncryptionKeySourceTypeMicrosoftPointAutomation)
}
return prop, nil
}
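Review bot: The user-supplied `key_source` is no longer read anywhere in `expandEncryption` (the `encMap["key_source"]` branch on the old side is gone and nothing replaces it), so a configuration that sets `key_source = "Microsoft.Keyvault"` without `key_vault_key_id` is now silently provisioned with `Microsoft.Automation` platform-managed keys instead of failing — a quiet downgrade of a customer-managed-key intent that the schema does not catch either, since the attribute is only marked Computed and Deprecated and still accepts that value. The `else` branch is the natural place to reject the combination, because `keyIdStr` from the `if` initializer is still in scope there: `if ks, _ := encMap["key_source"].(string); ks == string(automationaccount.EncryptionKeySourceTypeMicrosoftPointKeyvault) { return nil, fmt.Errorf("key_source is Microsoft.Keyvault but key_vault_key_id is not set") }` placed before the assignment of the Automation key source. Separately, `encMap["key_vault_key_id"].(string)` in the `if` initializer is a single-value assertion that panics if the key is absent from the map, whereas the `user_assigned_identity_id` read just above now uses the checked two-value form; `keyIdStr, _ := encMap["key_vault_key_id"].(string)` as its own statement would make the two reads consistent (presumably the map always comes from the schema, so this is a robustness point rather than a live crash).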
37 changes: 31 additions & 6 deletions internal/services/automation/automation_account_resource_test.go
Expand Up @@ -76,14 +76,26 @@ func TestAccAutomationAccount_encryption(t *testing.T) {

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.encryption(data),
Config: r.encryptionBasic(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Automation"),
),
},
{
Config: r.encryptionKeyVault(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("sku_name").HasValue("Basic"),
check.That(data.ResourceName).Key("local_authentication_enabled").HasValue("false"),
check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Keyvault"),
),
},
{
Config: r.encryptionBasic(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Automation"),
),
},
data.ImportStep(),
})
}
Expand Down Expand Up @@ -275,7 +287,7 @@ resource "azurerm_automation_account" "test" {
`, data.RandomInteger, data.Locations.Primary)
}

func (AutomationAccountResource) encryption(data acceptance.TestData) string {
func (AutomationAccountResource) encryptionTemplate(data acceptance.TestData, encrypt string) string {
return fmt.Sprintf(`
provider "azurerm" {
features {
Expand Down Expand Up @@ -383,13 +395,26 @@ resource "azurerm_automation_account" "test" {
local_authentication_enabled = false
%[3]s
}
`, data.RandomInteger, data.Locations.Primary, encrypt)
}

func (a AutomationAccountResource) encryptionBasic(data acceptance.TestData) string {
return a.encryptionTemplate(data, `
encryption {
}
`)
}

func (a AutomationAccountResource) encryptionKeyVault(data acceptance.TestData) string {
return a.encryptionTemplate(data, `
encryption {
key_source = "Microsoft.Keyvault"
user_assigned_identity_id = azurerm_user_assigned_identity.test.id
key_vault_key_id = azurerm_key_vault_key.test.id
}
}
`, data.RandomInteger, data.Locations.Primary)
`)
}

func (AutomationAccountResource) userAssignedIdentity(data acceptance.TestData) string {
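Review bot: `encryptionKeyVault` still sets `key_source = "Microsoft.Keyvault"` explicitly in its HCL, so the new step asserting `encryption.0.key_source` equals `Microsoft.Keyvault` never exercises the inference from `key_vault_key_id` that this commit introduces; the step would pass just as well under the old explicit-source logic. Dropping the `key_source = "Microsoft.Keyvault"` line from the `encryptionKeyVault` config makes that step test the inferred value, and if the deprecated explicit form is meant to keep working it deserves its own template variant rather than being folded into the only Key Vault step. The `encryptionTemplate` body that the last hunk edits begins outside that hunk.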
6 changes: 3 additions & 3 deletions website/docs/r/automation_account.html.markdown
Expand Up @@ -52,7 +52,7 @@ The following arguments are supported:

* `tags` - (Optional) A mapping of tags to assign to the resource.

* `encryption` - (Optional) An `encryption` block as defined below.
* `encryption` - (Optional) An `encryption` block as defined below. set as an empty block for `Microsoft.Automation` kind of encryption.

---

Expand All @@ -70,9 +70,9 @@ An `encryption` block supports the following:

* `user_assigned_identity_id` - (Optional) The User Assigned Managed Identity ID to be used for accessing the Customer Managed Key for encryption.

* `key_source` - (Optional) The source of the encryption key. Possible values are `Microsoft.Automation` and `Microsoft.Keyvault`.
* `key_source` - (Optional **Deprecated**) The source of the encryption key. Possible values are `Microsoft.Automation` and `Microsoft.Keyvault`. This field will be set to `Microsoft.Keyvault` when `key_vault_key_id` is set. otherwise it will be `Microsoft.Automation`.

* `key_vault_key_id` - (Optional) The ID of the Key Vault Key which should be used to Encrypt the data in this Automation Account. Required when `key_source` is set to `Microsoft.Keyvault`.
* `key_vault_key_id` - (Optional) The ID of the Key Vault Key which should be used to Encrypt the data in this Automation Account.

---

