New Resource: Key Vault Access Policy #1149
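--- /dev/null
+++ b/NEW-FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,84 @@
+package azurerm
+
+import (
+"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2016-10-01/keyvault"
+"github.com/hashicorp/terraform/helper/schema"
+"github.com/hashicorp/terraform/helper/validation"
+)
+
+func keyPermissionsSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Required: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.KeyPermissionsBackup),
+string(keyvault.KeyPermissionsCreate),
+string(keyvault.KeyPermissionsDecrypt),
+string(keyvault.KeyPermissionsDelete),
+string(keyvault.KeyPermissionsEncrypt),
+string(keyvault.KeyPermissionsGet),
+string(keyvault.KeyPermissionsImport),
+string(keyvault.KeyPermissionsList),
+string(keyvault.KeyPermissionsPurge),
+string(keyvault.KeyPermissionsRecover),
+string(keyvault.KeyPermissionsRestore),
+string(keyvault.KeyPermissionsSign),
+string(keyvault.KeyPermissionsUnwrapKey),
+string(keyvault.KeyPermissionsUpdate),
+string(keyvault.KeyPermissionsVerify),
+string(keyvault.KeyPermissionsWrapKey),
+}, true),
+DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+},
+}
+}
+
+func secretPermissionsSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Required: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.SecretPermissionsBackup),
+string(keyvault.SecretPermissionsDelete),
+string(keyvault.SecretPermissionsGet),
+string(keyvault.SecretPermissionsList),
+string(keyvault.SecretPermissionsPurge),
+string(keyvault.SecretPermissionsRecover),
+string(keyvault.SecretPermissionsRestore),
+string(keyvault.SecretPermissionsSet),
+}, true),
+DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+},
+}
+}
+
+func certificatePermissionsSchema() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.Create),
+string(keyvault.Delete),
+string(keyvault.Deleteissuers),
+string(keyvault.Get),
+string(keyvault.Getissuers),
+string(keyvault.Import),
+string(keyvault.List),
+string(keyvault.Listissuers),
+string(keyvault.Managecontacts),
+string(keyvault.Manageissuers),
+string(keyvault.Purge),
+string(keyvault.Recover),
+string(keyvault.Setissuers),
+string(keyvault.Update),
+}, true),
+DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+},
+}
+}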
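Review bot: keyPermissionsSchema, secretPermissionsSchema and certificatePermissionsSchema spell out the same list-of-strings schema three times and differ only in the accepted values and the Required/Optional flag, so the shared shape (case-insensitive StringInSlice plus ignoreCaseDiffSuppressFunc) can drift between them; a small builder that takes the allowed values and the required flag leaves the three allowlists as the only per-function content. None of the three has a doc comment; each should say what it validates, e.g. `// keyPermissionsSchema returns the schema for a key_permissions list; accepted values are the keyvault.KeyPermissions* constants of the 2016-10-01 SDK, matched case-insensitively.` Because the vocabulary is pinned by the SDK version imported on the second line of the file, a permission the service adds in a later API version is rejected by validation until that import is bumped, which is worth stating in the comment. The lists are TypeList, so if the service returns permissions in a different order than configured a plan may show a spurious diff; TypeSet would avoid that if nothing depends on order, which cannot be confirmed from this page.
```go
// permissionsSchema builds the list-of-strings schema shared by the key, secret
// and certificate permission blocks. allowed is the accepted vocabulary (matched
// case-insensitively); required selects Required over Optional.
func permissionsSchema(allowed []string, required bool) *schema.Schema {
	return &schema.Schema{
		Type:     schema.TypeList,
		Required: required,
		Optional: !required,
		Elem: &schema.Schema{
			Type:             schema.TypeString,
			ValidateFunc:     validation.StringInSlice(allowed, true),
			DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
		},
	}
}

// keyPermissionsSchema returns the schema for a key_permissions list; accepted
// values are the keyvault.KeyPermissions* constants of the 2016-10-01 SDK.
func keyPermissionsSchema() *schema.Schema {
	return permissionsSchema([]string{
		// … unchanged: the sixteen keyvault.KeyPermissions* values …
	}, true)
}

// … secretPermissionsSchema (required) and certificatePermissionsSchema
// (optional) follow the same pattern with their own value lists …
```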
|
@@ -76,7 +76,6 @@ func resourceArmKeyVault() *schema.Resource { | |
"access_policy": { | ||
Type: schema.TypeList, | ||
Optional: true, | ||
||
MinItems: 1, | ||
MaxItems: 16, | ||
Elem: &schema.Resource{ | ||
Schema: map[string]*schema.Schema{ | ||
|
@@ -95,74 +94,9 @@ func resourceArmKeyVault() *schema.Resource { | |
Optional: true, | ||
ValidateFunc: validateUUID, | ||
}, | ||
"certificate_permissions": { | ||
Type: schema.TypeList, | ||
Optional: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
ValidateFunc: validation.StringInSlice([]string{ | ||
string(keyvault.Create), | ||
string(keyvault.Delete), | ||
string(keyvault.Deleteissuers), | ||
string(keyvault.Get), | ||
string(keyvault.Getissuers), | ||
string(keyvault.Import), | ||
string(keyvault.List), | ||
string(keyvault.Listissuers), | ||
string(keyvault.Managecontacts), | ||
string(keyvault.Manageissuers), | ||
string(keyvault.Purge), | ||
string(keyvault.Recover), | ||
string(keyvault.Setissuers), | ||
string(keyvault.Update), | ||
}, true), | ||
DiffSuppressFunc: ignoreCaseDiffSuppressFunc, | ||
}, | ||
}, | ||
"key_permissions": { | ||
Type: schema.TypeList, | ||
Required: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
ValidateFunc: validation.StringInSlice([]string{ | ||
string(keyvault.KeyPermissionsBackup), | ||
string(keyvault.KeyPermissionsCreate), | ||
string(keyvault.KeyPermissionsDecrypt), | ||
string(keyvault.KeyPermissionsDelete), | ||
string(keyvault.KeyPermissionsEncrypt), | ||
string(keyvault.KeyPermissionsGet), | ||
string(keyvault.KeyPermissionsImport), | ||
string(keyvault.KeyPermissionsList), | ||
string(keyvault.KeyPermissionsPurge), | ||
string(keyvault.KeyPermissionsRecover), | ||
string(keyvault.KeyPermissionsRestore), | ||
string(keyvault.KeyPermissionsSign), | ||
string(keyvault.KeyPermissionsUnwrapKey), | ||
string(keyvault.KeyPermissionsUpdate), | ||
string(keyvault.KeyPermissionsVerify), | ||
string(keyvault.KeyPermissionsWrapKey), | ||
}, true), | ||
DiffSuppressFunc: ignoreCaseDiffSuppressFunc, | ||
}, | ||
}, | ||
"secret_permissions": { | ||
Type: schema.TypeList, | ||
Required: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
ValidateFunc: validation.StringInSlice([]string{ | ||
string(keyvault.SecretPermissionsBackup), | ||
string(keyvault.SecretPermissionsDelete), | ||
string(keyvault.SecretPermissionsGet), | ||
string(keyvault.SecretPermissionsList), | ||
string(keyvault.SecretPermissionsPurge), | ||
string(keyvault.SecretPermissionsRecover), | ||
string(keyvault.SecretPermissionsRestore), | ||
string(keyvault.SecretPermissionsSet), | ||
}, true), | ||
DiffSuppressFunc: ignoreCaseDiffSuppressFunc, | ||
}, | ||
}, | ||
"certificate_permissions": certificatePermissionsSchema(), | ||
"key_permissions": keyPermissionsSchema(), | ||
"secret_permissions": secretPermissionsSchema(), | ||
}, | ||
}, | ||
}, | ||
|
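Review bot: The three helper calls added at the end of this hunk carry no comment saying why the inline schemas moved out of resourceArmKeyVault, and a reader of this block can no longer see that key_permissions and secret_permissions are mandatory while certificate_permissions is not, because Required/Optional is now decided inside the helpers. Presumably the new access policy resource reuses the same helpers, in which case an edit to one allowlist now changes validation for both resources; that is worth recording above the calls, e.g. `// Shared with the key vault access policy resource so both validate the same permission vocabulary; key and secret permissions are required, certificate permissions optional.` resourceArmKeyVault starts and ends outside the hunk.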
@@ -283,7 +217,6 @@ func resourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error { | |
d.Set("enabled_for_disk_encryption", resp.Properties.EnabledForDiskEncryption) | ||
d.Set("enabled_for_template_deployment", resp.Properties.EnabledForTemplateDeployment) | ||
d.Set("sku", flattenKeyVaultSku(resp.Properties.Sku)) | ||
d.Set("access_policy", flattenKeyVaultAccessPolicies(resp.Properties.AccessPolicies)) | ||
d.Set("vault_uri", resp.Properties.VaultURI) | ||
|
||
flattenAndSetTags(d, resp.Tags) | ||
|
@@ -377,62 +310,11 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} { | |
return []interface{}{result} | ||
} | ||
|
||
func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []interface{} { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This was removed due to it only being used in a refresh. Refresh the access policies on the key vault resource causes a fight between key vault and key vault policy over ownership of the resource (basically doing this during a keyvault refresh it wants to remove resources created by a key vault policy I note this because the merge conflict is now due to content that has been changes in the function that I had removed. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. that's intentional - we can instead make the field |
||
result := make([]interface{}, 0, len(*policies)) | ||
|
||
if policies == nil { | ||
return result | ||
} | ||
|
||
for _, policy := range *policies { | ||
policyRaw := make(map[string]interface{}) | ||
|
||
keyPermissionsRaw := make([]interface{}, 0) | ||
secretPermissionsRaw := make([]interface{}, 0) | ||
certificatePermissionsRaw := make([]interface{}, 0) | ||
|
||
if permissions := policy.Permissions; permissions != nil { | ||
if keys := permissions.Keys; keys != nil { | ||
for _, keyPermission := range *keys { | ||
keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission)) | ||
} | ||
} | ||
if secrets := permissions.Secrets; secrets != nil { | ||
for _, secretPermission := range *secrets { | ||
secretPermissionsRaw = append(secretPermissionsRaw, string(secretPermission)) | ||
} | ||
} | ||
|
||
if certificates := permissions.Certificates; certificates != nil { | ||
for _, certificatePermission := range *certificates { | ||
certificatePermissionsRaw = append(certificatePermissionsRaw, string(certificatePermission)) | ||
} | ||
} | ||
} | ||
|
||
policyRaw["tenant_id"] = policy.TenantID.String() | ||
if policy.ObjectID != nil { | ||
policyRaw["object_id"] = *policy.ObjectID | ||
} | ||
if policy.ApplicationID != nil { | ||
policyRaw["application_id"] = policy.ApplicationID.String() | ||
} | ||
policyRaw["key_permissions"] = keyPermissionsRaw | ||
policyRaw["secret_permissions"] = secretPermissionsRaw | ||
policyRaw["certificate_permissions"] = certificatePermissionsRaw | ||
|
||
result = append(result, policyRaw) | ||
} | ||
|
||
return result | ||
} | ||
|
||
func validateKeyVaultName(v interface{}, k string) (ws []string, errors []error) { | ||
value := v.(string) | ||
if matched := regexp.MustCompile(`^[a-zA-Z0-9-]{3,24}$`).Match([]byte(value)); !matched { | ||
errors = append(errors, fmt.Errorf("%q may only contain alphanumeric characters and dashes and must be between 3-24 chars", k)) | ||
} | ||
|
||
return | ||
} | ||
|
||
|
can we rename this from `azurerm_key_vault_policy` -> `azurerm_key_vault_access_policy`? Policy is pretty generic, so I'm concerned this could conflict in the future.
I actually was expecting this one and told my team I didn't want to build support for this resource into anything until the review since I thought we would need to rename it. I really should have named this azurerm_key_vault_access_policy from the start. I apologize for not doing this.