azurerm_cosmosdb_account: Fix submitted key_vault_key_id values #10420
Conversation
There was a problem hiding this comment.
hey @tism
Thanks for this PR - I've taken a look through and left some comments inline. On the whole this looks pretty good, but in retrospect perhaps we're being slightly misleading with the key_vault_key_id field, if we're requiring a versionless ID for the Key Vault Key, it'd be worth updating validation for this field to require this, rather than throwing away the version (and showing it in the plan) - WDYT?
Thanks!
| @@ -37,7 +38,16 @@ func NewNestedItemID(keyVaultBaseUrl, nestedItemType, name, version string) (*Ne | |||
|
|
|||
| func (n NestedItemId) ID() string { | |||
| // example: https://tharvey-keyvault.vault.azure.net/type/bird/fdf067c93bbb4b22bff4d8b7a9a56217 | |||
| return fmt.Sprintf("%s/%s/%s/%s", n.KeyVaultBaseUrl, n.NestedItemType, n.Name, n.Version) | |||
| return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name, n.Version}) | |||
There was a problem hiding this comment.
to be honest we could arguably change this to be:
| return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name, n.Version}) | |
| segments := []string{ | |
| strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), | |
| n.Name, | |
| } | |
| if n.Version != "" { | |
| segments = append(segments, n.Version) | |
| } | |
| return strings.TrimPrefix(strings.Join(segments, "/"), "/") |
There was a problem hiding this comment.
👍 That'll also highlight if the struct was somehow populated incorrectly with missing values like name
| func (n NestedItemId) LatestVersionID() string { | ||
| // example: https://tharvey-keyvault.vault.azure.net/type/bird | ||
| return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name}) | ||
| } |
There was a problem hiding this comment.
whilst there's some use-cases for this, Terraform shouldn't be using this directly (unless a users specifying it) - since this means the apply value for this could drift from the plan value - as such consolidating this into ID above should handle this.
This means we could update the key_vault_key_id field within the CosmosDB Account resource to take a versionless ID, by adding a Versionless validation function in azurerm/internal/services/keyvault/validate/nested_item_id.go - meaning what users pass in (the Versionless ID is what gets sent, ensuring the Plan matches the Apply).
This'd also need the versionless_id added to the azurerm_key_vault_key resource to be fair, but would make this more consistent in general - WDYT?
There was a problem hiding this comment.
I like that, it makes the interface a lot clearer and the resource isn't making changes to the value under the covers.
|
While running the key vault acceptance tests I couldn't get it to stop trying to purge the soft deleted keys, so anything that uses I thought |
This'll be due to a bug in the Plugin SDK where at this time the test framework doesn't honour the |
|
This has been released in version 2.47.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.47.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked as resolved and limited conversation to collaborators
Fixes #10379 by removing the doubled
//(left the trailing/onKeyVaultBaseUrl) and using a versionless ID forazurerm_cosmosdb_account.key_vault_key_id. Not sure how wellLatestVersionIDfits into theNewxxID()/ID()parse package pattern.