-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Resource: Key Vault Access Policy #1149
New Resource: Key Vault Access Policy #1149
Conversation
Reviewed and tested this code. The implementation is solid, and everything worked perfectly in my real-world test. Thanks for this! |
@@ -364,50 +298,11 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} { | |||
return []interface{}{result} | |||
} | |||
|
|||
func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []interface{} { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was removed due to it only being used in a refresh. Refresh the access policies on the key vault resource causes a fight between key vault and key vault policy over ownership of the resource (basically doing this during a keyvault refresh it wants to remove resources created by a key vault policy
I note this because the merge conflict is now due to content that has been changes in the function that I had removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's intentional - we can instead make the field access_policy
Optional + Computed - which means that the value will be used from the API unless it's set locally (in which case diff's will be detected)
Any updates on this? I have some use cases for this new resource type. Thanks for your contribution. |
This is cool! Looking forward to seeing it implemented as well |
…t need to wait for keyvaults creationg as we aren't creating keyvaults
azurerm/resource_arm_key_vault.go
Outdated
@@ -76,7 +76,7 @@ func resourceArmKeyVault() *schema.Resource { | |||
"access_policy": { | |||
Type: schema.TypeList, | |||
Optional: true, | |||
MinItems: 1, | |||
MinItems: 0, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since it is optional, you might just remove this line (MinItems: 0
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed.
log.Printf("[INFO] preparing arguments for Azure ARM Policy: %s.", action) | ||
|
||
name := d.Get("vault_name").(string) | ||
//location := azureRMNormalizeLocation(d.Get("vault_location").(string)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is not used, remove this line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed
|
||
d.SetId(*read.ID) | ||
|
||
return resourceArmKeyVaultRead(d, meta) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typically we don't read terraform resources after it is deleted, and we don't set its ID either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a check that we aren't deleting it.
} | ||
|
||
if action != keyvault.Remove { | ||
d.SetId(*read.ID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if action != keyvault.Remove {
d.SetId(*read.ID)
return resourceArmKeyVaultRead(d, meta)
} else {
return nil
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can actually make this:
if d.IsNewResource() {
d.SetID(*read.ID)
}
since the ID won't change post-creation
Is there anything I need to do here right now? Have 2 approvals and a couple of pending. Sorry this is my first PR against terraform. Just curious as to what the normal process is from here as the CONTRIBUTING.md is a bit vague around this point of the process. Also thanks for looking this over as well as the great platform/product that is terraform! -Jeff |
@tombuildsstuff could you please merge? |
I'm really desperate to get this functionality, is there a way to help or do we just need to wait for the reviews? |
I think at this point it is waiting for reviews. It is not a small PR so it would take a little bit longer...hopefully tom and kat can get to it soon, but they are both very busy and have a lot to review....best think you can do is upvote this PR in my opinion. |
@tiwood: Another option is to clone and build Jeff's branch: sophos-jeff:feature/key_vault_policy |
@sophos-jeff apologies for the delayed re-review here; I'm still trying to catch up from a few weeks AFK - I'll be taking another look through this shortly :) |
Ensuring we only lock on the Key Vault name, since the access policy doesn't matter for locking purposes if we lock on the entire KeyVault ``` $ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_ === RUN TestAccAzureRMKeyVaultAccessPolicy_basic --- PASS: TestAccAzureRMKeyVaultAccessPolicy_basic (222.29s) === RUN TestAccAzureRMKeyVaultAccessPolicy_multiple --- PASS: TestAccAzureRMKeyVaultAccessPolicy_multiple (228.28s) === RUN TestAccAzureRMKeyVaultAccessPolicy_update --- PASS: TestAccAzureRMKeyVaultAccessPolicy_update (238.59s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 689.209s ```
Tests pass: ``` $ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_import === RUN TestAccAzureRMKeyVaultAccessPolicy_importBasic --- PASS: TestAccAzureRMKeyVaultAccessPolicy_importBasic (225.81s) === RUN TestAccAzureRMKeyVaultAccessPolicy_importMultiple --- PASS: TestAccAzureRMKeyVaultAccessPolicy_importMultiple (218.71s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 444.557s ```
@sophos-jeff I've been spending some time on this resource this afternoon testing this/working out what's needed to get this merged and have made a few commits (mostly fixing the locking/refactoring/tests) - I hope you don't mind but I'm going to push these so that we can run the tests. Once the tests pass (which the Access Policy tests have locally) - we'll do some edge case testing (probably Monday) and then we should be good to merge this :) |
changes have been pushed
Key Vault Access Policy Tests pass:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This now LGTM / seems fine with some edge-case testing 👍🏻
Thanks for this @sophos-jeff (hope you don't mind me pushing a few commits to finish this off!) :)
Not at all Tom. Thanks for getting this merged :D Glad to see this feature available soon :D |
@sophos-jeff thanks a lot for working on this! |
@tombuildsstuff Great work! This would be very useful to us and anyone else using azure, finally this is merged!! 😋 👍 🥇 |
Hello everyone.
This is to address #754 which allows for separating our Key Vault Policies from the Key Vault Resource. This is also a feature I wanted as it allows me to pass in N number of policies for a Key Vault where N is not a constant. I can now add 'count' to the policy resource to create multiple at once.
The resource looks like below allowing you to update the policy of an existing policy.
This PR changes some behavior of the existing resrouce
The way the new Key Vault resource interacts with these is as follows
I also moved the access policy definitions into its own file so there is a single place to update this.
Let me know what changes if any you guys would like me to make here. I do apologize if my go code is sloppy, this is my first time contributing to terraform and my first time writing in go, so I am sure there will be some issues to resolve.
-Jeff