azurerm_search_service - add support for local_authentication_enabled, authentication_failure_mode, authentication_options and hosting_mode
#21323
Conversation
WodansSon
changed the title
azurerm_search_service - add support for authentication_options, cmk_encryption and hosting_modeazurerm_search_service - add support for api_access_control, cmk_encryption and hosting_mode
WodansSon
changed the title
azurerm_search_service - add support for api_access_control, cmk_encryption and hosting_modeazurerm_search_service - add support for api_access_control, cmk_enforcement_enabled and hosting_mode
|
Progress! 🙂 |
|
|
There was a problem hiding this comment.
hey @WodansSon
Thanks for this PR - I've taken a look through and left some design comments inline, but if we can fix those up then we should be able to take another look here.
Thanks!
| // fix for issue #10151, if the identity type is TypeNone do not include it | ||
| // in the create call, only in the update call when 'identity' is removed from the | ||
| // configuration file... | ||
| if expandedIdentity.Type != identity.TypeNone { |
There was a problem hiding this comment.
there's a Swagger issue for this if memory serves?
There was a problem hiding this comment.
I don't know... I looked but was not able to locate it... 🤷♂️
| return fmt.Errorf("expanding `identity`: %+v", err) | ||
| } | ||
|
|
||
| // NOTE: Passing type 'None' on update will remove all identities from the service. |
There was a problem hiding this comment.
that's the standard behaviour in ARM, so I think we can remove this comment?
| // NOTE: Passing type 'None' on update will remove all identities from the service. |
| var cmkCompliance string | ||
| if props.EncryptionWithCmk != nil { | ||
| cmkEnforcement = strings.EqualFold(string(pointer.From(props.EncryptionWithCmk.Enforcement)), string(services.SearchEncryptionWithCmkEnabled)) | ||
| cmkCompliance = string(pointer.From(props.EncryptionWithCmk.EncryptionComplianceStatus)) | ||
| } |
There was a problem hiding this comment.
Given the compliance status is checking data within the search service, it's a reasonable expectation that this would be as async value, therefore the value returned from the API is likely to be outdated on the initial run, so I'm curious as to the value of exposing these field(s)? Whilst the enabled toggle may make sense, the status isn't going to be something users are likely to action upon in Terraform (and would instead be triggered via a report/interactively via the CLI/Portal etc) - so I have a feeling we shouldn't expose status here?
There was a problem hiding this comment.
I am not sure, but I would lean toward exposing it rather than hide it as we don't know how the end-users would use this field. On a side note, what is the harm in having it exposed even if no one uses it?
There was a problem hiding this comment.
On a side note, what is the harm in having it exposed even if no one uses it?
The challenge in doing so is where doing so can have unintended consequences - for example in this case since the status field is likely to be updated asynchronously, the value being returned by Terraform here likely doesn't make sense for us to expose. Whilst we could expose the enabled field - since the status field is both:
a) possible out of date since it's likely this is updated OOB
b) likely run interactively (e.g. via the Azure CLI, or alerted on via a monitor etc)
I think we should remove the status field for now until we have a valid use-case for that
|
|
||
| func TestAccSearchService_replicaCountInvalid(t *testing.T) { | ||
| data := acceptance.BuildTestData(t, "azurerm_search_service", "test") | ||
| // NOTE: The default qouta for the 'free' sku is 1 |
There was a problem hiding this comment.
| // NOTE: The default qouta for the 'free' sku is 1 | |
| // NOTE: The default quota for the 'free' sku is 1 |
| sku string | ||
| count int | ||
| enforceCmk bool | ||
| apiAccessControlType string | ||
| apiAccessControlAuthenticationFailureMode string |
There was a problem hiding this comment.
nit: elsewhere in the provider we pass these arguments in where required - but typically use pre-templated Terraform configurations as tests - could we update this to match the convention used in the rest of the provider?
| sku string | |
| count int | |
| enforceCmk bool | |
| apiAccessControlType string | |
| apiAccessControlAuthenticationFailureMode string |
| rbac := SearchServiceResource{sku: "standard", apiAccessControlType: "role_based_access_control"} | ||
| rbacApiFourZeroOne := SearchServiceResource{sku: "standard", apiAccessControlType: "role_based_access_control_and_api_keys", apiAccessControlAuthenticationFailureMode: "http401WithBearerChallenge"} | ||
| rbacApiFourZeroThree := SearchServiceResource{sku: "standard", apiAccessControlType: "role_based_access_control_and_api_keys", apiAccessControlAuthenticationFailureMode: "http403"} |
There was a problem hiding this comment.
whilst there's some readability benefits on a per-test basis here - it's more likely we'll introduce bugs with this approach since the configs are harder to reason with, can we update this to use distinct Terraform configurations (as above)?
| partitionCount := v.(int) | ||
|
|
||
| switch partitionCount { | ||
| case 5, 7, 8, 9, 10, 11: | ||
| errors = append(errors, fmt.Errorf("%q must be 1, 2, 3, 4, 6, or 12, got %d", k, partitionCount)) | ||
| } | ||
|
|
||
| if partitionCount > 12 { | ||
| errors = append(errors, fmt.Errorf("%q must be 1, 2, 3, 4, 6, or 12, got %d", k, partitionCount)) | ||
| } | ||
|
|
||
| return warnings, errors |
There was a problem hiding this comment.
we can reuse an existing validation function here:
| partitionCount := v.(int) | |
| switch partitionCount { | |
| case 5, 7, 8, 9, 10, 11: | |
| errors = append(errors, fmt.Errorf("%q must be 1, 2, 3, 4, 6, or 12, got %d", k, partitionCount)) | |
| } | |
| if partitionCount > 12 { | |
| errors = append(errors, fmt.Errorf("%q must be 1, 2, 3, 4, 6, or 12, got %d", k, partitionCount)) | |
| } | |
| return warnings, errors | |
| return validation.IntInSlice([]int{ | |
| 1, | |
| 2, | |
| 3, | |
| 4, | |
| 6, | |
| 12, | |
| }) |
|
|
WodansSon
changed the title
azurerm_search_service - add support for api_access_control, cmk_enforcement_enabled and hosting_modeazurerm_search_service - add support for local_authentication_disabled, authentication_failure_mode and hosting_mode
WodansSon
changed the title
azurerm_search_service - add support for local_authentication_disabled, authentication_failure_mode and hosting_modeazurerm_search_service - add support for local_authentication_disabled, authentication_failure_mode, authentication_options and hosting_mode
There was a problem hiding this comment.
hey @WodansSon
Thanks for pushing those changes, I've taken a look through and left some comments inline - so that we can get this PR merged I hope you don't mind but I'm going to push a commit to fix those, so that we can get this shipped.
Thanks!
|
|
||
| // NOTE: hosting mode is only valid if the SKU is 'standard3' | ||
| if skuName != services.SkuNameStandardThree && hostingMode == services.HostingModeHighDensity { | ||
| return fmt.Errorf("'hosting_mode' can only be defined if the 'sku' field is set to the 'standard3' SKU, got %q", skuName) |
There was a problem hiding this comment.
Can you link the other PR? Where a constant value is used in an error message, we should be referencing the constant value, since this ensures we avoid typos etc
| var cmkCompliance string | ||
| if props.EncryptionWithCmk != nil { | ||
| cmkEnforcement = strings.EqualFold(string(pointer.From(props.EncryptionWithCmk.Enforcement)), string(services.SearchEncryptionWithCmkEnabled)) | ||
| cmkCompliance = string(pointer.From(props.EncryptionWithCmk.EncryptionComplianceStatus)) | ||
| } |
There was a problem hiding this comment.
On a side note, what is the harm in having it exposed even if no one uses it?
The challenge in doing so is where doing so can have unintended consequences - for example in this case since the status field is likely to be updated asynchronously, the value being returned by Terraform here likely doesn't make sense for us to expose. Whilst we could expose the enabled field - since the status field is both:
a) possible out of date since it's likely this is updated OOB
b) likely run interactively (e.g. via the Azure CLI, or alerted on via a monitor etc)
I think we should remove the status field for now until we have a valid use-case for that
tombuildsstuff
force-pushed
the
e_search_fix
branch
from
6e9e741 to
859433a
Compare
tombuildsstuff
changed the title
azurerm_search_service - add support for local_authentication_disabled, authentication_failure_mode, authentication_options and hosting_modeazurerm_search_service - add support for local_authentication_enabled, authentication_failure_mode, authentication_options and hosting_mode
|
Tests pass:
|
|
This functionality has been released in v3.54.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
There seems to be an issue with the new argument: "hosting_mode" with azurerm 3.54. It is forcing a replacement of the search service due to the API returning 'Default' with a capital and azurerm trying change this to 'default' without a capital: hosting_mode = "Default" -> "default" # forces replacement I've checked the terraform state: resource "azurerm_search_service" "example" { Removing the resource from state and re-importing does not help to resolve the issue. Setting the argument in the Terraform code to: Trying to use I've had to lock the azurerm provider to 3.53 to allow the run to complete without forcing the replacement. Here is the original Terrafrom code: resource "azurerm_search_service" "example" { |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
(fixes #10151)