From dd551e901123181df9f957b7254cac146e7289d3 Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Mon, 1 Feb 2021 14:18:50 +1100 Subject: [PATCH 01/12] Continue tests if a case successfully fails --- .../services/keyvault/parse/nested_item_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/azurerm/internal/services/keyvault/parse/nested_item_test.go b/azurerm/internal/services/keyvault/parse/nested_item_test.go index db8d5b6287ab..eb289942c85b 100644 --- a/azurerm/internal/services/keyvault/parse/nested_item_test.go +++ b/azurerm/internal/services/keyvault/parse/nested_item_test.go @@ -100,11 +100,11 @@ func TestParseNestedItemID(t *testing.T) { for _, tc := range cases { secretId, err := ParseNestedItemID(tc.Input) if err != nil { - if !tc.ExpectError { - t.Fatalf("Got error for ID '%s': %+v", tc.Input, err) + if tc.ExpectError { + continue } - return + t.Fatalf("Got error for ID '%s': %+v", tc.Input, err) } if secretId == nil { @@ -184,11 +184,11 @@ func TestParseOptionallyVersionedNestedItemID(t *testing.T) { for _, tc := range cases { secretId, err := ParseOptionallyVersionedNestedItemID(tc.Input) if err != nil { - if !tc.ExpectError { - t.Fatalf("Got error for ID '%s': %+v", tc.Input, err) + if tc.ExpectError { + continue } - return + t.Fatalf("Got error for ID '%s': %+v", tc.Input, err) } if secretId == nil { From 1cf5738d683dd443a6131778eca5de5ca3746373 Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Mon, 1 Feb 2021 14:24:48 +1100 Subject: [PATCH 02/12] Ensure parsing NestedItemIds round trip to ID() --- azurerm/internal/services/keyvault/parse/nested_item.go | 4 +++- .../internal/services/keyvault/parse/nested_item_test.go | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/azurerm/internal/services/keyvault/parse/nested_item.go b/azurerm/internal/services/keyvault/parse/nested_item.go index 3b3b1106751b..a0cc38e4e5f5 100644 --- a/azurerm/internal/services/keyvault/parse/nested_item.go 
+++ b/azurerm/internal/services/keyvault/parse/nested_item.go @@ -6,6 +6,7 @@ import ( "strings" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/resourceid" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" ) var _ resourceid.Formatter = NestedItemId{} @@ -37,7 +38,8 @@ func NewNestedItemID(keyVaultBaseUrl, nestedItemType, name, version string) (*Ne func (n NestedItemId) ID() string { // example: https://tharvey-keyvault.vault.azure.net/type/bird/fdf067c93bbb4b22bff4d8b7a9a56217 - return fmt.Sprintf("%s/%s/%s/%s", n.KeyVaultBaseUrl, n.NestedItemType, n.Name, n.Version) + elements := []string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name, n.Version} + return strings.Join(utils.RemoveFromStringArray(elements, ""), "/") } // ParseNestedItemID parses a Key Vault Nested Item ID (such as a Certificate, Key or Secret) diff --git a/azurerm/internal/services/keyvault/parse/nested_item_test.go b/azurerm/internal/services/keyvault/parse/nested_item_test.go index eb289942c85b..41dfc87936ea 100644 --- a/azurerm/internal/services/keyvault/parse/nested_item_test.go +++ b/azurerm/internal/services/keyvault/parse/nested_item_test.go @@ -122,6 +122,10 @@ func TestParseNestedItemID(t *testing.T) { if tc.Expected.Version != secretId.Version { t.Fatalf("Expected 'Version' to be '%s', got '%s' for ID '%s'", tc.Expected.Version, secretId.Version, tc.Input) } + + if tc.Input != secretId.ID() { + t.Fatalf("Expected 'ID()' to be '%s', got '%s'", tc.Input, secretId.ID()) + } } } @@ -206,5 +210,9 @@ func TestParseOptionallyVersionedNestedItemID(t *testing.T) { if tc.Expected.Version != secretId.Version { t.Fatalf("Expected 'Version' to be '%s', got '%s' for ID '%s'", tc.Expected.Version, secretId.Version, tc.Input) } + + if tc.Input != secretId.ID() { + t.Fatalf("Expected 'ID()' to be '%s', got '%s'", tc.Input, secretId.ID()) + } } } From 363ad7a82c0720edd4aa479d87bb0927c41b3a5e Mon Sep 17 00:00:00 2001 
From: Lucas Maxwell Date: Mon, 1 Feb 2021 17:58:48 +1100 Subject: [PATCH 03/12] Fix note formatting --- website/docs/r/cosmosdb_account.html.markdown | 1 + 1 file changed, 1 insertion(+) diff --git a/website/docs/r/cosmosdb_account.html.markdown b/website/docs/r/cosmosdb_account.html.markdown index 769c25a954be..c657bfbd03b1 100644 --- a/website/docs/r/cosmosdb_account.html.markdown +++ b/website/docs/r/cosmosdb_account.html.markdown @@ -99,6 +99,7 @@ The following arguments are supported: * `key_vault_key_id` - (Optional) A Key Vault Key ID for CMK encryption. Changing this forces a new resource to be created. ~> **NOTE:** The CosmosDB service always uses the latest version of the specified key, so terraform ignores the version specified in the Key Vault Key ID. + ~> **NOTE:** In order to use a `Custom Key` from Key Vault for encryption you must grant Azure Cosmos DB Service access to your key vault. For instuctions on how to configure your Key Vault correctly please refer to the [product documentation](https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk#add-an-access-policy-to-your-azure-key-vault-instance) * `virtual_network_rule` - (Optional) Specifies a `virtual_network_rules` resource, used to define which subnets are allowed to access this CosmosDB account. From 964f4e873ea4bcb694b8789826f4b4960fd11586 Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Tue, 2 Feb 2021 12:07:06 +1100 Subject: [PATCH 04/12] Use latest version ID for cosmos db key vault keys --- .../services/cosmos/cosmosdb_account_resource.go | 4 ++-- .../internal/services/keyvault/parse/nested_item.go | 12 ++++++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource.go index 7f8327bad37d..e05fc58339d1 100644 --- a/azurerm/internal/services/cosmos/cosmosdb_account_resource.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource.go 
@@ -443,7 +443,7 @@ func resourceCosmosDbAccountCreate(d *schema.ResourceData, meta interface{}) err if err != nil { return fmt.Errorf("could not parse Key Vault Key ID: %+v", err) } - account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.ID()) + account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.LatestVersionID()) } // additional validation on MaxStalenessPrefix as it varies depending on if the DB is multi region or not @@ -551,7 +551,7 @@ func resourceCosmosDbAccountUpdate(d *schema.ResourceData, meta interface{}) err if err != nil { return fmt.Errorf("could not parse Key Vault Key ID: %+v", err) } - account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.ID()) + account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.LatestVersionID()) } if _, err = resourceCosmosDbAccountApiUpsert(client, ctx, resourceGroup, name, account, d); err != nil { diff --git a/azurerm/internal/services/keyvault/parse/nested_item.go b/azurerm/internal/services/keyvault/parse/nested_item.go index a0cc38e4e5f5..51a5639dae5b 100644 --- a/azurerm/internal/services/keyvault/parse/nested_item.go +++ b/azurerm/internal/services/keyvault/parse/nested_item.go 
@@ -38,8 +38,16 @@ func NewNestedItemID(keyVaultBaseUrl, nestedItemType, name, version string) (*Ne func (n NestedItemId) ID() string { // example: https://tharvey-keyvault.vault.azure.net/type/bird/fdf067c93bbb4b22bff4d8b7a9a56217 - elements := []string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name, n.Version} - return strings.Join(utils.RemoveFromStringArray(elements, ""), "/") + return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name, n.Version}) +} + +func (n NestedItemId) LatestVersionID() string { + // example: https://tharvey-keyvault.vault.azure.net/type/bird + return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name}) +} + +func formatID(idElements []string) string { + return strings.Join(utils.RemoveFromStringArray(idElements, ""), "/") } // ParseNestedItemID parses a Key Vault Nested Item ID (such as a Certificate, Key or Secret) From 3c9cf78491ed819981f8d30b98dac2029a76a84a Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Thu, 4 Feb 2021 14:31:44 +1100 Subject: [PATCH 05/12] Add `versionless_id` to azurerm_key_vault_key --- .../internal/services/keyvault/key_vault_key_resource.go | 7 +++++++ .../services/keyvault/key_vault_key_resource_test.go | 1 + website/docs/d/key_vault_key.html.markdown | 2 ++ website/docs/r/key_vault_key.html.markdown | 1 + 4 files changed, 11 insertions(+) diff --git a/azurerm/internal/services/keyvault/key_vault_key_resource.go b/azurerm/internal/services/keyvault/key_vault_key_resource.go index caa0e623d1fa..0abd73bec0eb 100644 --- a/azurerm/internal/services/keyvault/key_vault_key_resource.go +++ b/azurerm/internal/services/keyvault/key_vault_key_resource.go @@ -5,6 +5,7 @@ import ( "encoding/base64" "fmt" "log" + "strings" "time" "github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault" 
@@ -130,6 +131,11 @@ func resourceKeyVaultKey() *schema.Resource { Computed: true, }, + "versionless_id": { + Type: schema.TypeString, + Computed: true, + }, + "n": { Type: schema.TypeString, Computed: true, @@ -413,6 +419,7 @@ func resourceKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error { // Computed d.Set("version", id.Version) + d.Set("versionless_id", fmt.Sprintf("%s/%s/%s", strings.TrimSuffix(id.KeyVaultBaseUrl, "/"), id.NestedItemType, id.Name)) return tags.FlattenAndSet(d, resp.Tags) } diff --git a/azurerm/internal/services/keyvault/key_vault_key_resource_test.go b/azurerm/internal/services/keyvault/key_vault_key_resource_test.go index d777cdcb8a80..e3f72040fc45 100644 --- a/azurerm/internal/services/keyvault/key_vault_key_resource_test.go +++ b/azurerm/internal/services/keyvault/key_vault_key_resource_test.go @@ -125,6 +125,7 @@ func TestAccKeyVaultKey_complete(t *testing.T) { check.That(data.ResourceName).Key("expiration_date").HasValue("2021-01-01T01:02:03Z"), check.That(data.ResourceName).Key("tags.%").HasValue("1"), check.That(data.ResourceName).Key("tags.hello").HasValue("world"), + check.That(data.ResourceName).Key("versionless_id").HasValue(fmt.Sprintf("https://acctestkv-%s.vault.azure.net/keys/key-%s", data.RandomString, data.RandomString)), ), }, data.ImportStep("key_size"), diff --git a/website/docs/d/key_vault_key.html.markdown b/website/docs/d/key_vault_key.html.markdown index d02dcc30b050..ff74c661f215 100644 --- a/website/docs/d/key_vault_key.html.markdown +++ b/website/docs/d/key_vault_key.html.markdown @@ -57,6 +57,8 @@ The following attributes are exported: * `version` - The current version of the Key Vault Key. +* `versionless_id` - The Base ID of the Key Vault Key. + ## Timeouts diff --git a/website/docs/r/key_vault_key.html.markdown b/website/docs/r/key_vault_key.html.markdown index 15a944c16b1f..54f089a9d0b8 100644 --- a/website/docs/r/key_vault_key.html.markdown +++ b/website/docs/r/key_vault_key.html.markdown 
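Review bot: The `versionless_id` value set in resourceKeyVaultKeyRead is assembled by hand with fmt.Sprintf and strings.TrimSuffix, which duplicates the segment layout that NestedItemId.ID() in parse/nested_item.go owns; if that layout changes the two will drift apart without any test catching it. Exposing the versionless form from the parse package (a method on NestedItemId next to ID(), to be added there) and calling it here keeps one definition, along the lines of `d.Set("versionless_id", id.VersionlessID())`. The new schema entry also deserves a comment saying why it exists, e.g. `// versionless_id omits the version segment so consumers that must follow the key's current version (CMK settings) have a stable reference`. resourceKeyVaultKeyRead's body continues outside the hunk.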
@@ -91,6 +91,7 @@ The following attributes are exported: * `id` - The Key Vault Key ID. * `version` - The current version of the Key Vault Key. +* `versionless_id` - The Base ID of the Key Vault Key. * `n` - The RSA modulus of this Key Vault Key. * `e` - The RSA public exponent of this Key Vault Key. * `x` - The EC X component of this Key Vault Key. From 145f6a4e4da92031c156019e0cce4a5bef2c7217 Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Thu, 4 Feb 2021 14:33:26 +1100 Subject: [PATCH 06/12] Revert cosmosdb to use the nested item's ID --- .../cosmos/cosmosdb_account_resource.go | 4 ++-- .../services/keyvault/parse/nested_item.go | 20 +++++++++---------- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource.go index e05fc58339d1..7f8327bad37d 100644 --- a/azurerm/internal/services/cosmos/cosmosdb_account_resource.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource.go @@ -443,7 +443,7 @@ func resourceCosmosDbAccountCreate(d *schema.ResourceData, meta interface{}) err if err != nil { return fmt.Errorf("could not parse Key Vault Key ID: %+v", err) } - account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.LatestVersionID()) + account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.ID()) } // additional validation on MaxStalenessPrefix as it varies depending on if the DB is multi region or not 
@@ -551,7 +551,7 @@ func resourceCosmosDbAccountUpdate(d *schema.ResourceData, meta interface{}) err if err != nil { return fmt.Errorf("could not parse Key Vault Key ID: %+v", err) } - account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.LatestVersionID()) + account.DatabaseAccountCreateUpdateProperties.KeyVaultKeyURI = utils.String(keyVaultKey.ID()) } if _, err = resourceCosmosDbAccountApiUpsert(client, ctx, resourceGroup, name, account, d); err != nil { diff --git a/azurerm/internal/services/keyvault/parse/nested_item.go b/azurerm/internal/services/keyvault/parse/nested_item.go index 51a5639dae5b..85519f571b17 100644 --- a/azurerm/internal/services/keyvault/parse/nested_item.go +++ b/azurerm/internal/services/keyvault/parse/nested_item.go @@ -6,7 +6,6 @@ import ( "strings" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/resourceid" - "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" ) var _ resourceid.Formatter = NestedItemId{} 
@@ -38,16 +37,15 @@ func NewNestedItemID(keyVaultBaseUrl, nestedItemType, name, version string) (*Ne
 
 func (n NestedItemId) ID() string {
 // example: https://tharvey-keyvault.vault.azure.net/type/bird/fdf067c93bbb4b22bff4d8b7a9a56217
- return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name, n.Version})
-}
-
-func (n NestedItemId) LatestVersionID() string {
- // example: https://tharvey-keyvault.vault.azure.net/type/bird
- return formatID([]string{strings.TrimSuffix(n.KeyVaultBaseUrl, "/"), n.NestedItemType, n.Name})
-}
-
-func formatID(idElements []string) string {
- return strings.Join(utils.RemoveFromStringArray(idElements, ""), "/")
+ segments := []string{
+ strings.TrimSuffix(n.KeyVaultBaseUrl, "/"),
+ n.NestedItemType,
+ n.Name,
+ }
+ if n.Version != "" {
+ segments = append(segments, n.Version)
+ }
+ return strings.TrimSuffix(strings.Join(segments, "/"), "/")
 }
 
 // ParseNestedItemID parses a Key Vault Nested Item ID (such as a Certificate, Key or Secret)
From 1edfd543f22c46546414d545f64b638ec1534d9c Mon Sep 17 00:00:00 2001
From: Lucas Maxwell
Date: Thu, 4 Feb 2021 14:33:55 +1100
Subject: [PATCH 07/12] Add versionless nested item id validator
---
 .../keyvault/validate/nested_item_id.go | 24 +++++++++
 .../keyvault/validate/nested_item_id_test.go | 53 +++++++++++++++++++
 2 files changed, 77 insertions(+)
diff --git a/azurerm/internal/services/keyvault/validate/nested_item_id.go b/azurerm/internal/services/keyvault/validate/nested_item_id.go
index 9ce3bc230337..b8474e34739e 100644
--- a/azurerm/internal/services/keyvault/validate/nested_item_id.go
+++ b/azurerm/internal/services/keyvault/validate/nested_item_id.go
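Review bot: The closing `strings.TrimSuffix(strings.Join(segments, "/"), "/")` in ID() hides a missing segment instead of surfacing it: a NestedItemId whose Name is empty formats as `<base>/<type>` rather than `<base>/<type>/`, and because the cosmos resource in this series sends ID() straight into KeyVaultKeyURI, a truncated value would reach the service looking like a well-formed key reference. Only the Version segment is meant to be optional here, so `return strings.Join(segments, "/")` keeps a malformed value visibly malformed; if an empty Name or NestedItemType is deliberately tolerated, a comment on the trim saying so is needed. NewNestedItemID, whose signature appears in the hunk header, is the natural place to refuse an empty name if it does not already — its body is outside the hunk.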
@@ -26,6 +26,30 @@ func NestedItemId(i interface{}, k string) (warnings []string, errors []error) {
 return warnings, errors
 }
 
+func VersionlessNestedItemId(i interface{}, k string) (warnings []string, errors []error) {
+ if warnings, errors = validation.StringIsNotEmpty(i, k); len(errors) > 0 {
+ return warnings, errors
+ }
+
+ v, ok := i.(string)
+ if !ok {
+ errors = append(errors, fmt.Errorf("Expected %s to be a string!", k))
+ return warnings, errors
+ }
+
+ id, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(v)
+ if err != nil {
+ errors = append(errors, fmt.Errorf("parsing %q: %s", v, err))
+ return warnings, errors
+ }
+
+ if id.Version != "" {
+ errors = append(errors, fmt.Errorf("expected %s to not have a version", k))
+ }
+
+ return warnings, errors
+}
+
 func NestedItemIdWithOptionalVersion(i interface{}, k string) (warnings []string, errors []error) {
 if warnings, errors = validation.StringIsNotEmpty(i, k); len(errors) > 0 {
 return warnings, errors
diff --git a/azurerm/internal/services/keyvault/validate/nested_item_id_test.go b/azurerm/internal/services/keyvault/validate/nested_item_id_test.go
index cc204df29370..74f2cb1e2ffe 100644
--- a/azurerm/internal/services/keyvault/validate/nested_item_id_test.go
+++ b/azurerm/internal/services/keyvault/validate/nested_item_id_test.go
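Review bot: VersionlessNestedItemId is exported with no doc comment, and its contract is the non-obvious part — it accepts an unversioned nested item ID and rejects one that carries a version — so it should be stated: `// VersionlessNestedItemId validates that the value is a Key Vault nested item ID (key, secret or certificate) that does not carry a version segment.` The rejection in the `id.Version != ""` branch would be far more actionable if it quoted the offending value, e.g. `fmt.Errorf("expected %s to not have a version, got %q", k, v)`, since the typical mistake is passing `azurerm_key_vault_key.x.id` and the user otherwise has to guess which segment is the version. The type-assertion message `Expected %s to be a string!` breaks the lowercase, no-punctuation convention for Go errors, though it may be copied from the neighbouring validators.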
@@ -57,6 +57,59 @@ func TestNestedItemId(t *testing.T) { } } +func TestVersionlessNestedItemId(t *testing.T) { + cases := []struct { + Input string + ExpectError bool + }{ + { + Input: "", + ExpectError: true, + }, + { + Input: "https://my-keyvault.vault.azure.net/secrets", + ExpectError: true, + }, + { + Input: "https://my-keyvault.vault.azure.net/secrets/bird", + ExpectError: false, + }, + { + Input: "https://my-keyvault.vault.azure.net/secrets/bird/fdf067c93bbb4b22bff4d8b7a9a56217", + ExpectError: true, + }, + { + Input: "https://my-keyvault.vault.azure.net/certificates/hello/world", + ExpectError: true, + }, + { + Input: "https://my-keyvault.vault.azure.net/keys/castle/1492", + ExpectError: true, + }, + { + Input: "https://my-keyvault.vault.azure.net/secrets/bird/fdf067c93bbb4b22bff4d8b7a9a56217/XXX", + ExpectError: true, + }, + } + + for _, tc := range cases { + warnings, err := VersionlessNestedItemId(tc.Input, "example") + if err != nil { + if tc.ExpectError { + continue + } + + t.Fatalf("Got error for input %q: %+v", tc.Input, err) + } + + if tc.ExpectError && len(warnings) == 0 { + t.Fatalf("Got no errors for input %q but expected some", tc.Input) + } else if !tc.ExpectError && len(warnings) > 0 { + t.Fatalf("Got %d errors for input %q when didn't expect any", len(warnings), tc.Input) + } + } +} + func TestNestedItemIdWithOptionalVersion(t *testing.T) { cases := []struct { Input string From 835c6c9360478426a662d2d9f3ec594c3fdcec7e Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Thu, 4 Feb 2021 14:34:07 +1100 Subject: [PATCH 08/12] Validate key_vault_key_id is explicitly versionless --- azurerm/internal/services/cosmos/cosmosdb_account_resource.go | 2 +- .../internal/services/cosmos/cosmosdb_account_resource_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource.go index 7f8327bad37d..2f1a51c8533e 100644 
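Review bot: TestVersionlessNestedItemId binds the validator's second return value (the `[]error`) as `err` and then counts the first one, `warnings`, as if it were the error list: the two t.Fatalf calls after the `if err != nil` block say "errors" but test `len(warnings)`, so an ExpectError case that gets no error passes silently whenever no warning is returned (every case in the table), and a valid input that produced a warning would fail. `err != nil` on a `[]error` is also true for an empty non-nil slice, so the branch should key on length. The loop should check the error slice directly and fail outright when an expected error did not arrive; if the sibling tests in this file use the same loop, they share the issue.
```go
for _, tc := range cases {
	_, errs := VersionlessNestedItemId(tc.Input, "example")
	if len(errs) > 0 {
		if tc.ExpectError {
			continue
		}
		t.Fatalf("Got errors for input %q: %+v", tc.Input, errs)
	}
	if tc.ExpectError {
		t.Fatalf("Got no errors for input %q but expected some", tc.Input)
	}
}
```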
--- a/azurerm/internal/services/cosmos/cosmosdb_account_resource.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource.go @@ -136,7 +136,7 @@ func resourceCosmosDbAccount() *schema.Resource { Optional: true, ForceNew: true, DiffSuppressFunc: diffSuppressIgnoreKeyVaultKeyVersion, - ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion, + ValidateFunc: keyVaultValidate.VersionlessNestedItemId, }, "consistency_policy": { diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go index 0ef89a1d6fa6..c034309426f6 100644 --- a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go @@ -1221,7 +1221,7 @@ resource "azurerm_cosmosdb_account" "test" { resource_group_name = azurerm_resource_group.test.name offer_type = "Standard" kind = "%s" - key_vault_key_id = azurerm_key_vault_key.test.id + key_vault_key_id = azurerm_key_vault_key.test.versionless_id consistency_policy { consistency_level = "%s" From 1eb6f9f57841f9eb9542cee5e08809f11650ea92 Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Thu, 4 Feb 2021 14:34:37 +1100 Subject: [PATCH 09/12] Update key_vault_key_id description to specify versionless --- website/docs/r/cosmosdb_account.html.markdown | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/r/cosmosdb_account.html.markdown b/website/docs/r/cosmosdb_account.html.markdown index c657bfbd03b1..2fab940be465 100644 --- a/website/docs/r/cosmosdb_account.html.markdown +++ b/website/docs/r/cosmosdb_account.html.markdown 
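Review bot: Switching `ValidateFunc` to `keyVaultValidate.VersionlessNestedItemId` turns every existing configuration that passes a versioned ID — which `NestedItemIdWithOptionalVersion` accepted and which `diffSuppressIgnoreKeyVaultKeyVersion` was there to tolerate — into a plan-time error with no deprecation period. A ValidateFunc can return warnings, so a gentler path is to warn on a versioned ID for a release before rejecting it; failing that, the change needs to be called out as breaking in the changelog and in the `key_vault_key_id` docs. With versioned input now rejected, the retained `DiffSuppressFunc` is presumably only needed for the value read back from the API — a one-line comment stating that would stop the next reader from removing it. resourceCosmosDbAccount's schema continues outside the hunk.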
@@ -96,9 +96,9 @@ The following arguments are supported: * `is_virtual_network_filter_enabled` - (Optional) Enables virtual network filtering for this Cosmos DB account. -* `key_vault_key_id` - (Optional) A Key Vault Key ID for CMK encryption. Changing this forces a new resource to be created. +* `key_vault_key_id` - (Optional) A versionless Key Vault Key ID for CMK encryption. Changing this forces a new resource to be created. -~> **NOTE:** The CosmosDB service always uses the latest version of the specified key, so terraform ignores the version specified in the Key Vault Key ID. +~> **NOTE:** When referencing an `azurerm_key_vault_key` resource, use `versionless_id` instead of `id` ~> **NOTE:** In order to use a `Custom Key` from Key Vault for encryption you must grant Azure Cosmos DB Service access to your key vault. For instuctions on how to configure your Key Vault correctly please refer to the [product documentation](https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk#add-an-access-policy-to-your-azure-key-vault-instance) From 6d86e3915749411bad15de1614215def3dd7f50a Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Thu, 4 Feb 2021 15:18:07 +1100 Subject: [PATCH 10/12] Add capabilities to test cosmosdb_account --- .../services/cosmos/cosmosdb_account_resource_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go index c034309426f6..1cf462f2b34f 100644 --- a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go @@ -1223,6 +1223,10 @@ resource "azurerm_cosmosdb_account" "test" { kind = "%s" key_vault_key_id = azurerm_key_vault_key.test.versionless_id + capabilities { + name = "EnableMongo" + } + consistency_policy { consistency_level = "%s" } From c4e1541f9cecceb0e1ab05e246ee9996824b308b Mon Sep 17 00:00:00 2001 
From: Lucas Maxwell Date: Thu, 4 Feb 2021 15:40:56 +1100 Subject: [PATCH 11/12] Set soft delete days to minimum --- .../services/cosmos/cosmosdb_account_resource_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go index 1cf462f2b34f..741a2ffa5391 100644 --- a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go @@ -1154,8 +1154,9 @@ resource "azurerm_key_vault" "test" { tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "standard" - purge_protection_enabled = true - soft_delete_enabled = true + purge_protection_enabled = true + soft_delete_enabled = true + soft_delete_retention_days = 7 access_policy { tenant_id = data.azurerm_client_config.current.tenant_id From 9e99f301f41ce4cc17dae3a1be4158a6c74e634e Mon Sep 17 00:00:00 2001 From: Lucas Maxwell Date: Thu, 4 Feb 2021 16:01:47 +1100 Subject: [PATCH 12/12] Don't purge soft deleted keys --- .../services/cosmos/cosmosdb_account_resource_test.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go index 741a2ffa5391..12ff2fcf283d 100644 --- a/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go +++ b/azurerm/internal/services/cosmos/cosmosdb_account_resource_test.go @@ -1133,7 +1133,11 @@ resource "azurerm_cosmosdb_account" "test" { func (CosmosDBAccountResource) key_vault_uri(data acceptance.TestData, kind documentdb.DatabaseAccountKind, consistency documentdb.DefaultConsistencyLevel) string { return fmt.Sprintf(` provider "azurerm" { - features {} + features { + key_vault { + purge_soft_delete_on_destroy = false + } + } } resource "azurerm_resource_group" "test" {