Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New resource: azurerm_key_vault_managed_hardware_security_module_key_rotation_policy #27306

Merged
merged 13 commits into from
Sep 19, 2024

Conversation

wuxu92
Copy link
Contributor

@wuxu92 wuxu92 commented Sep 6, 2024

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

Add key rotation policy support for Managed HSM Keys. Since this based on a Data plane API, I created a New resource for it instead of integrating into the Managed HSM Key resource. Based on my test, notification is not supported in MHSM Key. There is only one rotate policy for each key and there is no separation resource/id for it, so the new resource just resuse the managed hsm key id as its resource id.

https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/key-rotation

Given that creating a Managed HSM resource is a heavy operation, I created only one AccTest with both basic and update included. The creation/update of the rotation policy is fast.

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevent documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)
--- PASS: TestAccMHSMKeyRotationPolicy_all (2749.04s)
PASS

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

  • azurerm_key_vault_managed_hardware_security_module_key_rotation_policy - New resource for Managed HSM Key rotation policy

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

@wuxu92 wuxu92 marked this pull request as draft September 9, 2024 01:50
@wuxu92 wuxu92 marked this pull request as ready for review September 9, 2024 04:32

The following arguments are supported:

* `expire_after` - (Required) Specify the expiration time of the key.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this a date? a duration? what format?

Suggested change
* `expire_after` - (Required) Specify the expiration time of the key.
* `expire_after_date` - (Required) Specify the expiration time of the key.
Suggested change
* `expire_after` - (Required) Specify the expiration time of the key.
* `expire_after_duration` - (Required) Specify the expiration time of the key.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please detail what this actually means, is it related to the lifecycle actions/trigger not the key?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the description and kept the name unchanged to align with the key vault rotation policy schema.

Comment on lines 38 to 40

---

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this sperator here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed

Comment on lines 111 to 112
_, err = client.GetKey(ctx, keyID.BaseUri(), keyID.KeyName, "")
if err != nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these lines can be merged

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

func flattenKeyRotationPolicy(p keyvault.KeyRotationPolicy) MHSMKeyRotationPolicyResourceSchema {
var res MHSMKeyRotationPolicyResourceSchema
if p.Attributes != nil {
res.ExipreAfter = pointer.From(p.Attributes.ExpiryTime)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what does this expire? what happens ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as documentation specified this is to set the key expiry after create/rotation.

Copy link
Member

@jackofallops jackofallops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @wuxu92 - Just a couple of additional comments to @katbyte 's review to take a look at.


var expiryTime *string // = nil // needs to be set to nil if not set
if policy.ExipreAfter != "" {
expiryTime = utils.String(policy.ExipreAfter)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we not use the utils package here as we're deprecating these functions, and instead use the pointer package as you have done in the flatten below?

Suggested change
expiryTime = utils.String(policy.ExipreAfter)
expiryTime = pointer.To(policy.ExipreAfter)

type MHSMKeyRotationPolicyTestResource struct{}

func testAccMHSMKeyRotationPolicy_all(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_key_vault_managed_hardware_security_module_key", "test")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the wrong resource here?

Suggested change
data := acceptance.BuildTestData(t, "azurerm_key_vault_managed_hardware_security_module_key", "test")
data := acceptance.BuildTestData(t, "azurerm_key_vault_managed_hardware_security_module_key_rotation_policy", "test")

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

udpated.

Copy link
Member

@jackofallops jackofallops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @wuxu92 - Spotted a couple typos and whitespace items if you can take a look, then I think we should be good to run the test.

return err
}

// settign a blank policy to delete the existing policy
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// settign a blank policy to delete the existing policy
// setting a blank policy to delete the existing policy

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed


type MHSMKeyRotationPolicyResourceSchema struct {
ManagedHSMKeyID string `tfschema:"managed_hsm_key_id"`
ExipreAfter string `tfschema:"expire_after"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo here

Suggested change
ExipreAfter string `tfschema:"expire_after"`
ExpireAfter string `tfschema:"expire_after"`

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

Comment on lines 102 to 105




Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unnecessary whitespace here?

Suggested change

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

format issues of acc test fixed. can we add this to the terrafmt linter?

Comment on lines 195 to 196
}
resource "azurerm_key_vault_managed_hardware_security_module" "test" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
resource "azurerm_key_vault_managed_hardware_security_module" "test" {
}
resource "azurerm_key_vault_managed_hardware_security_module" "test" {

Comment on lines 84 to 85


Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unnecessary whitespace here?

Suggested change

Comment on lines 155 to 156
}
resource "azurerm_key_vault_certificate" "cert" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
resource "azurerm_key_vault_certificate" "cert" {
}
resource "azurerm_key_vault_certificate" "cert" {

@wuxu92
Copy link
Contributor Author

wuxu92 commented Sep 19, 2024

Test passed:

--- PASS: TestAccMHSMKeyRotationPolicy_all (2591.03s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm 2591.069s

Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @wuxu92 - LGTM 🛋️

@katbyte katbyte merged commit 2fc6631 into hashicorp:main Sep 19, 2024
32 checks passed
@github-actions github-actions bot added this to the v4.3.0 milestone Sep 19, 2024
katbyte added a commit that referenced this pull request Sep 19, 2024
@wuxu92 wuxu92 deleted the mhsm/key-rotate branch September 19, 2024 03:57
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants