From 96e198f377cb36942deed2a6766e290099db3ebe Mon Sep 17 00:00:00 2001
From: tombuildsstuff <git@ibuildstuff.co.uk>
Date: Wed, 11 Jul 2018 09:01:38 +0200
Subject: [PATCH 1/2] Ensuring Key Vault Key's detect when the parent Key
 Vault's have been deleted

Also adds tests for the other resources
---
 ...resource_arm_key_vault_certificate_test.go | 69 ++++++++++++++++++
 azurerm/resource_arm_key_vault_key.go         |  5 ++
 azurerm/resource_arm_key_vault_key_test.go    | 70 +++++++++++++++++++
 azurerm/resource_arm_key_vault_secret_test.go | 69 ++++++++++++++++++
 azurerm/resource_arm_key_vault_test.go        | 53 ++++++++++++++
 5 files changed, 266 insertions(+)

diff --git a/azurerm/resource_arm_key_vault_certificate_test.go b/azurerm/resource_arm_key_vault_certificate_test.go
index bc5d31e43935..86cf2954d9e1 100644
--- a/azurerm/resource_arm_key_vault_certificate_test.go
+++ b/azurerm/resource_arm_key_vault_certificate_test.go
@@ -31,6 +31,49 @@ func TestAccAzureRMKeyVaultCertificate_basicImportPFX(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVaultCertificate_disappears(t *testing.T) {
+	resourceName := "azurerm_key_vault_certificate.test"
+	rs := acctest.RandString(6)
+	config := testAccAzureRMKeyVaultCertificate_basicGenerate(rs, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultCertificateDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultCertificateExists(resourceName),
+					testCheckAzureRMKeyVaultCertificateDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMKeyVaultCertificate_disappearsWhenParentKeyVaultDeleted(t *testing.T) {
+	rs := acctest.RandString(6)
+	config := testAccAzureRMKeyVaultCertificate_basicGenerate(rs, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultCertificateDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultCertificateExists("azurerm_key_vault_certificate.test"),
+					testCheckAzureRMKeyVaultDisappears("azurerm_key_vault.test"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func TestAccAzureRMKeyVaultCertificate_basicGenerate(t *testing.T) {
 	resourceName := "azurerm_key_vault_certificate.test"
 	rs := acctest.RandString(6)
@@ -129,6 +172,32 @@ func testCheckAzureRMKeyVaultCertificateExists(name string) resource.TestCheckFu
 	}
 }
 
+func testCheckAzureRMKeyVaultCertificateDisappears(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+		name := rs.Primary.Attributes["name"]
+		vaultBaseUrl := rs.Primary.Attributes["vault_uri"]
+
+		client := testAccProvider.Meta().(*ArmClient).keyVaultManagementClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+
+		resp, err := client.DeleteCertificate(ctx, vaultBaseUrl, name)
+		if err != nil {
+			if utils.ResponseWasNotFound(resp.Response) {
+				return nil
+			}
+
+			return fmt.Errorf("Bad: Delete on keyVaultManagementClient: %+v", err)
+		}
+
+		return nil
+	}
+}
+
 func testAccAzureRMKeyVaultCertificate_basicImportPFX(rString string, location string) string {
 	return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}
diff --git a/azurerm/resource_arm_key_vault_key.go b/azurerm/resource_arm_key_vault_key.go
index ccaf78a7ae1e..9e2c66abfe8b 100644
--- a/azurerm/resource_arm_key_vault_key.go
+++ b/azurerm/resource_arm_key_vault_key.go
@@ -174,6 +174,11 @@ func resourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error
 
 	resp, err := client.GetKey(ctx, id.KeyVaultBaseUrl, id.Name, "")
 	if err != nil {
+		if utils.ResponseWasNotFound(resp.Response) {
+			d.SetId("")
+			return nil
+		}
+
 		return err
 	}
 
diff --git a/azurerm/resource_arm_key_vault_key_test.go b/azurerm/resource_arm_key_vault_key_test.go
index 9ce16f053434..7b4be7cfbc7b 100644
--- a/azurerm/resource_arm_key_vault_key_test.go
+++ b/azurerm/resource_arm_key_vault_key_test.go
@@ -123,6 +123,49 @@ func TestAccAzureRMKeyVaultKey_update(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVaultKey_disappears(t *testing.T) {
+	resourceName := "azurerm_key_vault_key.test"
+	rs := acctest.RandString(6)
+	config := testAccAzureRMKeyVaultKey_basicEC(rs, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultKeyExists(resourceName),
+					testCheckAzureRMKeyVaultKeyDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMKeyVaultKey_disappearsWhenParentKeyVaultDeleted(t *testing.T) {
+	rs := acctest.RandString(6)
+	config := testAccAzureRMKeyVaultKey_basicEC(rs, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultKeyExists("azurerm_key_vault_key.test"),
+					testCheckAzureRMKeyVaultDisappears("azurerm_key_vault.test"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func testCheckAzureRMKeyVaultKeyDestroy(s *terraform.State) error {
 	client := testAccProvider.Meta().(*ArmClient).keyVaultManagementClient
 	ctx := testAccProvider.Meta().(*ArmClient).StopContext
@@ -176,6 +219,33 @@ func testCheckAzureRMKeyVaultKeyExists(name string) resource.TestCheckFunc {
 	}
 }
 
+func testCheckAzureRMKeyVaultKeyDisappears(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		name := rs.Primary.Attributes["name"]
+		vaultBaseUrl := rs.Primary.Attributes["vault_uri"]
+
+		client := testAccProvider.Meta().(*ArmClient).keyVaultManagementClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+
+		resp, err := client.DeleteKey(ctx, vaultBaseUrl, name)
+		if err != nil {
+			if utils.ResponseWasNotFound(resp.Response) {
+				return nil
+			}
+
+			return fmt.Errorf("Bad: Delete on keyVaultManagementClient: %+v", err)
+		}
+
+		return nil
+	}
+}
+
 func testAccAzureRMKeyVaultKey_basicEC(rString string, location string) string {
 	return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}
diff --git a/azurerm/resource_arm_key_vault_secret_test.go b/azurerm/resource_arm_key_vault_secret_test.go
index 7568bdcb93de..5b58b4aadc9d 100644
--- a/azurerm/resource_arm_key_vault_secret_test.go
+++ b/azurerm/resource_arm_key_vault_secret_test.go
@@ -31,6 +31,49 @@ func TestAccAzureRMKeyVaultSecret_basic(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVaultSecret_disappears(t *testing.T) {
+	resourceName := "azurerm_key_vault_secret.test"
+	rs := acctest.RandString(6)
+	config := testAccAzureRMKeyVaultSecret_basic(rs, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultSecretExists(resourceName),
+					testCheckAzureRMKeyVaultSecretDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMKeyVaultSecret_disappearsWhenParentKeyVaultDeleted(t *testing.T) {
+	rs := acctest.RandString(6)
+	config := testAccAzureRMKeyVaultSecret_basic(rs, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultSecretExists("azurerm_key_vault_secret.test"),
+					testCheckAzureRMKeyVaultDisappears("azurerm_key_vault.test"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func TestAccAzureRMKeyVaultSecret_complete(t *testing.T) {
 	resourceName := "azurerm_key_vault_secret.test"
 	rs := acctest.RandString(6)
@@ -135,6 +178,32 @@ func testCheckAzureRMKeyVaultSecretExists(name string) resource.TestCheckFunc {
 	}
 }
 
+func testCheckAzureRMKeyVaultSecretDisappears(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+		name := rs.Primary.Attributes["name"]
+		vaultBaseUrl := rs.Primary.Attributes["vault_uri"]
+
+		client := testAccProvider.Meta().(*ArmClient).keyVaultManagementClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+
+		resp, err := client.DeleteSecret(ctx, vaultBaseUrl, name)
+		if err != nil {
+			if utils.ResponseWasNotFound(resp.Response) {
+				return nil
+			}
+
+			return fmt.Errorf("Bad: Delete on keyVaultManagementClient: %+v", err)
+		}
+
+		return nil
+	}
+}
+
 func testAccAzureRMKeyVaultSecret_basic(rString string, location string) string {
 	return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}
diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go
index e8f79974d29c..105153a2f4e3 100644
--- a/azurerm/resource_arm_key_vault_test.go
+++ b/azurerm/resource_arm_key_vault_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/terraform/helper/acctest"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
 
@@ -87,6 +88,28 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVault_disappears(t *testing.T) {
+	resourceName := "azurerm_key_vault.test"
+	ri := acctest.RandInt()
+	config := testAccAzureRMKeyVault_basic(ri, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(resourceName),
+					testCheckAzureRMKeyVaultDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func TestAccAzureRMKeyVault_complete(t *testing.T) {
 	resourceName := "azurerm_key_vault.test"
 	ri := acctest.RandInt()
@@ -199,6 +222,36 @@ func testCheckAzureRMKeyVaultExists(name string) resource.TestCheckFunc {
 	}
 }
 
+func testCheckAzureRMKeyVaultDisappears(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		vaultName := rs.Primary.Attributes["name"]
+		resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"]
+		if !hasResourceGroup {
+			return fmt.Errorf("Bad: no resource group found in state for vault: %s", vaultName)
+		}
+
+		client := testAccProvider.Meta().(*ArmClient).keyVaultClient
+		ctx := testAccProvider.Meta().(*ArmClient).StopContext
+
+		resp, err := client.Delete(ctx, resourceGroup, vaultName)
+		if err != nil {
+			if response.WasNotFound(resp.Response) {
+				return nil
+			}
+
+			return fmt.Errorf("Bad: Delete on keyVaultClient: %+v", err)
+		}
+
+		return nil
+	}
+}
+
 func testAccAzureRMKeyVault_basic(rInt int, location string) string {
 	return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}

From 7b35b63c7a9a6f2232dae3d956e543520539ca7b Mon Sep 17 00:00:00 2001
From: tombuildsstuff <git@ibuildstuff.co.uk>
Date: Wed, 11 Jul 2018 12:47:44 +0200
Subject: [PATCH 2/2] Adding debug lines

---
 azurerm/resource_arm_key_vault_certificate.go | 1 +
 azurerm/resource_arm_key_vault_key.go         | 1 +
 azurerm/resource_arm_key_vault_secret.go      | 1 +
 3 files changed, 3 insertions(+)

diff --git a/azurerm/resource_arm_key_vault_certificate.go b/azurerm/resource_arm_key_vault_certificate.go
index 5374eae3824e..9b82a13e3b56 100644
--- a/azurerm/resource_arm_key_vault_certificate.go
+++ b/azurerm/resource_arm_key_vault_certificate.go
@@ -326,6 +326,7 @@ func resourceArmKeyVaultCertificateRead(d *schema.ResourceData, meta interface{}
 
 	if err != nil {
 		if utils.ResponseWasNotFound(cert.Response) {
+			log.Printf("[DEBUG] Certificate %q was not found in Key Vault at URI %q - removing from state", id.Name, id.KeyVaultBaseUrl)
 			d.SetId("")
 			return nil
 		}
diff --git a/azurerm/resource_arm_key_vault_key.go b/azurerm/resource_arm_key_vault_key.go
index 9e2c66abfe8b..7f7beeb82970 100644
--- a/azurerm/resource_arm_key_vault_key.go
+++ b/azurerm/resource_arm_key_vault_key.go
@@ -175,6 +175,7 @@ func resourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error
 	resp, err := client.GetKey(ctx, id.KeyVaultBaseUrl, id.Name, "")
 	if err != nil {
 		if utils.ResponseWasNotFound(resp.Response) {
+			log.Printf("[DEBUG] Key %q was not found in Key Vault at URI %q - removing from state", id.Name, id.KeyVaultBaseUrl)
 			d.SetId("")
 			return nil
 		}
diff --git a/azurerm/resource_arm_key_vault_secret.go b/azurerm/resource_arm_key_vault_secret.go
index ce50045b4c59..91e3b283216c 100644
--- a/azurerm/resource_arm_key_vault_secret.go
+++ b/azurerm/resource_arm_key_vault_secret.go
@@ -155,6 +155,7 @@ func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) err
 	resp, err := client.GetSecret(ctx, id.KeyVaultBaseUrl, id.Name, "")
 	if err != nil {
 		if utils.ResponseWasNotFound(resp.Response) {
+			log.Printf("[DEBUG] Secret %q was not found in Key Vault at URI %q - removing from state", id.Name, id.KeyVaultBaseUrl)
 			d.SetId("")
 			return nil
 		}