From 13be0dcf75769dcfa05c33f62944419b8503f574 Mon Sep 17 00:00:00 2001 From: kt Date: Fri, 20 Jul 2018 00:20:04 -0700 Subject: [PATCH 1/5] initial commit of datalake store encryption settings --- azurerm/resource_arm_data_lake_store.go | 161 ++++++++++++++- azurerm/resource_arm_data_lake_store_test.go | 194 +++++++++++++++++++ 2 files changed, 348 insertions(+), 7 deletions(-) diff --git a/azurerm/resource_arm_data_lake_store.go b/azurerm/resource_arm_data_lake_store.go index 523f2cc39247..be73e8c1ccd1 100644 --- a/azurerm/resource_arm_data_lake_store.go +++ b/azurerm/resource_arm_data_lake_store.go @@ -6,10 +6,15 @@ import ( "regexp" "github.com/Azure/azure-sdk-for-go/services/datalake/store/mgmt/2016-11-01/account" - "github.com/hashicorp/terraform/helper/schema" - "github.com/hashicorp/terraform/helper/validation" + + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response" + "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/suppress" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" + + "github.com/hashicorp/terraform/helper/schema" + "github.com/hashicorp/terraform/helper/validation" + "strings" ) func resourceArmDataLakeStore() *schema.Resource { @@ -18,6 +23,7 @@ func resourceArmDataLakeStore() *schema.Resource { Read: resourceArmDateLakeStoreRead, Update: resourceArmDateLakeStoreUpdate, Delete: resourceArmDateLakeStoreDelete, + Importer: &schema.ResourceImporter{ State: schema.ImportStatePassthrough, }, @@ -41,7 +47,7 @@ func resourceArmDataLakeStore() *schema.Resource { Type: schema.TypeString, Optional: true, Default: string(account.Consumption), - DiffSuppressFunc: ignoreCaseDiffSuppressFunc, + DiffSuppressFunc: suppress.CaseDifference, ValidateFunc: validation.StringInSlice([]string{ string(account.Consumption), string(account.Commitment1TB), @@ -53,8 +59,72 @@ func resourceArmDataLakeStore() *schema.Resource { }, true), }, + "encryption": { + Type: schema.TypeList, + Optional: true, + Computed: true, //true by default, so allow read to set this + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enabled": { + Type: schema.TypeBool, + Optional: true, + Default: true, + ForceNew: true, + }, + + "type": { + Type: schema.TypeString, + Optional: true, + Default: string(account.ServiceManaged), + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + string(account.ServiceManaged), + string(account.UserManaged), + }, true), + DiffSuppressFunc: suppress.CaseDifference, + }, + + //the follow are required if UserManaged is selected + "key_vault_id": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: azure.ValidateResourceID, + }, + + "key_name": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.NoZeroValues, + }, + + "key_version": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.NoZeroValues, + }, + }, + }, + }, + "tags": tagsSchema(), }, + + CustomizeDiff: func(d *schema.ResourceDiff, v interface{}) error { + + encryptionType, hasEncryptionType := d.GetOk("encryption.0.type") + + if hasEncryptionType && strings.EqualFold(encryptionType.(string), string(account.UserManaged)) { + if _, hasKeyValueId := d.GetOk("encryption.0.key_vault_id"); !hasKeyValueId { + //return fmt.Errorf("encryption key_vault_id must be specified if encryption type is UserManaged") + } + if _, hasKeyName := d.GetOk("encryption.0.key_name"); !hasKeyName { + return fmt.Errorf("encryption key_name must be specified if encryption type is UserManaged") + } + } + + return nil + }, } } @@ -74,10 +144,19 @@ func resourceArmDateLakeStoreCreate(d *schema.ResourceData, meta interface{}) er Location: &location, Tags: expandTags(tags), CreateDataLakeStoreAccountProperties: &account.CreateDataLakeStoreAccountProperties{ - NewTier: account.TierType(tier), + NewTier: account.TierType(tier), + EncryptionConfig: expandAzureRmDataLakeStoreEncryptionConfig(d), }, } + if encryptionEnabled, ok := d.GetOk("encryption.0.enabled"); ok { + if encryptionEnabled.(bool) { + dateLakeStore.CreateDataLakeStoreAccountProperties.EncryptionState = account.Enabled + } else { + dateLakeStore.CreateDataLakeStoreAccountProperties.EncryptionState = account.Disabled + } + } + future, err := client.Create(ctx, resourceGroup, name, dateLakeStore) if err != nil { return fmt.Errorf("Error issuing create request for Data Lake Store %q (Resource Group %q): %+v", name, resourceGroup, err) @@ -113,7 +192,8 @@ func resourceArmDateLakeStoreUpdate(d *schema.ResourceData, meta interface{}) er props := account.UpdateDataLakeStoreAccountParameters{ Tags: expandTags(newTags), UpdateDataLakeStoreAccountProperties: &account.UpdateDataLakeStoreAccountProperties{ - NewTier: account.TierType(newTier), + NewTier: account.TierType(newTier), + EncryptionConfig: expandAzureRmDataLakeStoreUpdateEncryptionConfig(d), }, } @@ -157,8 +237,10 @@ func resourceArmDateLakeStoreRead(d *schema.ResourceData, meta interface{}) erro d.Set("location", azureRMNormalizeLocation(*location)) } - if tier := resp.DataLakeStoreAccountProperties; tier != nil { - d.Set("tier", string(tier.CurrentTier)) + if properties := resp.DataLakeStoreAccountProperties; properties != nil { + d.Set("tier", string(properties.CurrentTier)) + d.Set("encryption", flattenAzureRmDataLakeStoreEncryption(properties)) + } flattenAndSetTags(d, resp.Tags) @@ -195,3 +277,68 @@ func resourceArmDateLakeStoreDelete(d *schema.ResourceData, meta interface{}) er return nil } + +func expandAzureRmDataLakeStoreEncryptionConfig(d *schema.ResourceData) *account.EncryptionConfig { + blocks, ok := d.GetOk("encryption") + if !ok { + return nil + } + + block := blocks.([]interface{})[0].(map[string]interface{}) + config := account.EncryptionConfig{ + Type: account.EncryptionConfigType(block["type"].(string)), + } + + if config.Type == account.UserManaged { + config.KeyVaultMetaInfo = &account.KeyVaultMetaInfo{ + KeyVaultResourceID: utils.String(block["key_vault_id"].(string)), + EncryptionKeyName: utils.String(block["key_name"].(string)), + } + + if v, ok := block["key_version"]; ok { + config.KeyVaultMetaInfo.EncryptionKeyVersion = utils.String(v.(string)) + } + } + + return &config +} + +func expandAzureRmDataLakeStoreUpdateEncryptionConfig(d *schema.ResourceData) *account.UpdateEncryptionConfig { + blocks, ok := d.GetOk("encryption") + if !ok { + return nil + } + + block := blocks.([]interface{})[0].(map[string]interface{}) + config := account.UpdateEncryptionConfig{} + if itemType, ok := block["type"]; ok && strings.EqualFold(itemType.(string), string(account.UserManaged)) { + if v, ok := block["key_version"]; ok { + config.KeyVaultMetaInfo.EncryptionKeyVersion = utils.String(v.(string)) + } + } + + return &config +} + +func flattenAzureRmDataLakeStoreEncryption(properties *account.DataLakeStoreAccountProperties) interface{} { + block := map[string]interface{}{ + "enabled": bool(properties.EncryptionState == account.Enabled), + } + + if config := properties.EncryptionConfig; config != nil { + block["type"] = string(config.Type) + if keyVault := config.KeyVaultMetaInfo; keyVault != nil { + if v := keyVault.KeyVaultResourceID; v != nil { + block["key_vault_id"] = *v + } + if v := keyVault.EncryptionKeyName; v != nil { + block["key_name"] = *v + } + if v := keyVault.EncryptionKeyName; v != nil { + block["key_version"] = *v + } + } + } + + return []interface{}{block} +} diff --git a/azurerm/resource_arm_data_lake_store_test.go b/azurerm/resource_arm_data_lake_store_test.go index c0dc71fc5fc3..baba5abb310b 100644 --- a/azurerm/resource_arm_data_lake_store_test.go +++ b/azurerm/resource_arm_data_lake_store_test.go @@ -26,6 +26,8 @@ func TestAccAzureRMDataLakeStore_basic(t *testing.T) { Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), resource.TestCheckResourceAttr(resourceName, "tier", "Consumption"), + resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "encryption.0.type", "ServiceManaged"), ), }, { @@ -64,6 +66,92 @@ func TestAccAzureRMDataLakeStore_tier(t *testing.T) { }) } +func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { + resourceName := "azurerm_data_lake_store.test" + ri := acctest.RandInt() + rs := acctest.RandString(4) + config := testAccAzureRMDataLakeStore_encryptionDefault(ri, rs, testLocation()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMDataLakeStoreExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "encryption.0.type", "ServiceManaged"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { + resourceName := "azurerm_data_lake_store.test" + ri := acctest.RandInt() + rs := acctest.RandString(4) + config := testAccAzureRMDataLakeStore_encryptionDisabled(ri, rs, testLocation()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMDataLakeStoreExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "false"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAzureRMDataLakeStore_encryptionUserManaged(t *testing.T) { + resourceName := "azurerm_data_lake_store.test" + ri := acctest.RandInt() + rs := acctest.RandString(4) + config := testAccAzureRMDataLakeStore_encryptionUserManaged(ri, rs, testLocation()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMDataLakeStoreExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "encryption.0.type", "ServiceManaged"), + resource.TestCheckResourceAttrSet(resourceName, "encryption.0.key_vault_id"), + resource.TestCheckResourceAttrSet(resourceName, "encryption.0.key_name"), + resource.TestCheckResourceAttrSet(resourceName, "encryption.0.key_version"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAzureRMDataLakeStore_withTags(t *testing.T) { resourceName := "azurerm_data_lake_store.test" ri := acctest.RandInt() @@ -188,6 +276,112 @@ resource "azurerm_data_lake_store" "test" { `, rInt, location, rs, location) } +func testAccAzureRMDataLakeStore_encryptionDefault(rInt int, rs string, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_data_lake_store" "test" { + name = "unlikely23exst2acct%s" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "%s" + + encryption { + type = "ServiceManaged" + } +} +`, rInt, location, rs, location) +} + +func testAccAzureRMDataLakeStore_encryptionDisabled(rInt int, rs string, location string) string { + return fmt.Sprintf(` +resource "azurerm_resource_group" "test" { + name = "acctestRG-%d" + location = "%s" +} + +resource "azurerm_data_lake_store" "test" { + name = "unlikely23exst2acct%s" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "%s" + + encryption { + enabled = false + } +} +`, rInt, location, rs, location) +} + +func testAccAzureRMDataLakeStore_encryptionUserManaged(rInt int, rs string, location string) string { + return fmt.Sprintf(` +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%[1]d" + location = "%[2]s" +} + +resource "azurerm_key_vault" "test" { + name = "acctestkv-%[3]s" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + + sku { + name = "premium" + } + + access_policy { + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + + key_permissions = [ + "create", + "delete", + "get", + ] + + secret_permissions = [ + "get", + "delete", + "set", + ] + } + + tags { + environment = "Production" + } +} + +resource "azurerm_key_vault_key" "test" { + name = "datastorekey" + vault_uri = "${azurerm_key_vault.test.vault_uri}" + key_type = "EC" + key_size = 2048 + + key_opts = [ + "sign", + "verify", + ] +} + +resource "azurerm_data_lake_store" "test" { + name = "unlikely23exst2acct%[3]s" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "%[2]s" + + encryption { + type = "UserManaged" + key_vault_id = "${azurerm_key_vault.test.id}" + key_name = "${azurerm_key_vault_key.test.name}" + key_version = "${azurerm_key_vault_key.test.version}" + } +} +`, rInt, location, rs) +} + func testAccAzureRMDataLakeStore_withTags(rInt int, rs string, location string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { From 53b8bc3cf1b6e34786b1d46b28fc0f7a702bd445 Mon Sep 17 00:00:00 2001 From: kt Date: Fri, 20 Jul 2018 17:02:10 -0700 Subject: [PATCH 2/5] Cleanup after merge and got disabling encryption to work --- azurerm/resource_arm_data_lake_store.go | 4 +- azurerm/resource_arm_data_lake_store_test.go | 44 +++++++++----------- website/docs/r/data_lake_store.html.markdown | 21 ++++++++++ 3 files changed, 42 insertions(+), 27 deletions(-) diff --git a/azurerm/resource_arm_data_lake_store.go b/azurerm/resource_arm_data_lake_store.go index 674cd1d6ed59..7b23952330fc 100644 --- a/azurerm/resource_arm_data_lake_store.go +++ b/azurerm/resource_arm_data_lake_store.go @@ -72,7 +72,7 @@ func resourceArmDataLakeStore() *schema.Resource { "type": { Type: schema.TypeString, Optional: true, - Default: string(account.ServiceManaged), + Computed: true, //so the user can leave it blank ForceNew: true, ValidateFunc: validation.StringInSlice([]string{ string(account.ServiceManaged), @@ -145,7 +145,7 @@ func resourceArmDateLakeStoreCreate(d *schema.ResourceData, meta interface{}) er }, } - if encryptionEnabled, ok := d.GetOk("encryption.0.enabled"); ok { + if encryptionEnabled, ok := d.GetOkExists("encryption.0.enabled"); ok { if encryptionEnabled.(bool) { dateLakeStore.CreateDataLakeStoreAccountProperties.EncryptionState = account.Enabled } else { diff --git a/azurerm/resource_arm_data_lake_store_test.go b/azurerm/resource_arm_data_lake_store_test.go index 90590cb49a29..dc9ad8dd6824 100644 --- a/azurerm/resource_arm_data_lake_store_test.go +++ b/azurerm/resource_arm_data_lake_store_test.go @@ -66,8 +66,6 @@ func TestAccAzureRMDataLakeStore_tier(t *testing.T) { func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { resourceName := "azurerm_data_lake_store.test" ri := acctest.RandInt() - rs := acctest.RandString(4) - config := testAccAzureRMDataLakeStore_encryptionDefault(ri, rs, testLocation()) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -75,7 +73,7 @@ func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, Steps: []resource.TestStep{ { - Config: config, + Config: testAccAzureRMDataLakeStore_encryptionDefault(ri, testLocation()), Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), @@ -94,8 +92,6 @@ func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { resourceName := "azurerm_data_lake_store.test" ri := acctest.RandInt() - rs := acctest.RandString(4) - config := testAccAzureRMDataLakeStore_encryptionDisabled(ri, rs, testLocation()) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -103,7 +99,7 @@ func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, Steps: []resource.TestStep{ { - Config: config, + Config: testAccAzureRMDataLakeStore_encryptionDisabled(ri, testLocation()), Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "false"), @@ -121,8 +117,6 @@ func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { func TestAccAzureRMDataLakeStore_encryptionUserManaged(t *testing.T) { resourceName := "azurerm_data_lake_store.test" ri := acctest.RandInt() - rs := acctest.RandString(4) - config := testAccAzureRMDataLakeStore_encryptionUserManaged(ri, rs, testLocation()) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -130,7 +124,7 @@ func TestAccAzureRMDataLakeStore_encryptionUserManaged(t *testing.T) { CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, Steps: []resource.TestStep{ { - Config: config, + Config: testAccAzureRMDataLakeStore_encryptionUserManaged(ri, testLocation()), Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), @@ -256,7 +250,7 @@ resource "azurerm_data_lake_store" "test" { func testAccAzureRMDataLakeStore_tier(rInt int, location string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { -name = "acctestRG-%d" + name = "acctestRG-%d" location = "%s" } @@ -270,7 +264,7 @@ resource "azurerm_data_lake_store" "test" { `, rInt, location, strconv.Itoa(rInt)[0:15]) } -func testAccAzureRMDataLakeStore_encryptionDefault(rInt int, rs string, location string) string { +func testAccAzureRMDataLakeStore_encryptionDefault(rInt int, location string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { name = "acctestRG-%d" @@ -278,18 +272,18 @@ resource "azurerm_resource_group" "test" { } resource "azurerm_data_lake_store" "test" { - name = "unlikely23exst2acct%s" + name = "acctest%s" resource_group_name = "${azurerm_resource_group.test.name}" - location = "%s" - + location = "${azurerm_resource_group.test.location}" + encryption { type = "ServiceManaged" } } -`, rInt, location, rs, location) +`, rInt, location, strconv.Itoa(rInt)[0:15]) } -func testAccAzureRMDataLakeStore_encryptionDisabled(rInt int, rs string, location string) string { +func testAccAzureRMDataLakeStore_encryptionDisabled(rInt int, location string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { name = "acctestRG-%d" @@ -297,18 +291,18 @@ resource "azurerm_resource_group" "test" { } resource "azurerm_data_lake_store" "test" { - name = "unlikely23exst2acct%s" + name = "acctest%s" resource_group_name = "${azurerm_resource_group.test.name}" - location = "%s" + location = "${azurerm_resource_group.test.location}" encryption { enabled = false } } -`, rInt, location, rs, location) +`, rInt, location, strconv.Itoa(rInt)[0:15]) } -func testAccAzureRMDataLakeStore_encryptionUserManaged(rInt int, rs string, location string) string { +func testAccAzureRMDataLakeStore_encryptionUserManaged(rInt int, location string) string { return fmt.Sprintf(` data "azurerm_client_config" "current" {} @@ -318,7 +312,7 @@ resource "azurerm_resource_group" "test" { } resource "azurerm_key_vault" "test" { - name = "acctestkv-%[3]s" + name = "acctestkv%[3]s" location = "${azurerm_resource_group.test.location}" resource_group_name = "${azurerm_resource_group.test.name}" tenant_id = "${data.azurerm_client_config.current.tenant_id}" @@ -362,9 +356,9 @@ resource "azurerm_key_vault_key" "test" { } resource "azurerm_data_lake_store" "test" { - name = "unlikely23exst2acct%[3]s" + name = "acctest%[3]s" resource_group_name = "${azurerm_resource_group.test.name}" - location = "%[2]s" + location = "${azurerm_resource_group.test.location}" encryption { type = "UserManaged" @@ -373,10 +367,10 @@ resource "azurerm_data_lake_store" "test" { key_version = "${azurerm_key_vault_key.test.version}" } } -`, rInt, location, rs) +`, rInt, location, strconv.Itoa(rInt)[0:15]) } -func testAccAzureRMDataLakeStore_withTags(rInt int, rs string, location string) string { +func testAccAzureRMDataLakeStore_withTags(rInt int, location string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { name = "acctestRG-%d" diff --git a/website/docs/r/data_lake_store.html.markdown b/website/docs/r/data_lake_store.html.markdown index 3a421467c774..f2de020b7c62 100644 --- a/website/docs/r/data_lake_store.html.markdown +++ b/website/docs/r/data_lake_store.html.markdown @@ -22,6 +22,13 @@ resource "azurerm_data_lake_store" "example" { name = "consumptiondatalake" resource_group_name = "${azurerm_resource_group.example.name}" location = "${azurerm_resource_group.example.location}" + + encrytpion { + type = "UserManaged" + key_vault_id = "${azurerm_key_vault.example.id}" + key_name = "${azurerm_key_vault_key.example.name}" + key_version = "${azurerm_key_vault_key.example.version}" + } } ``` @@ -37,8 +44,22 @@ The following arguments are supported: * `tier` - (Optional) The monthly commitment tier for Data Lake Store. Accepted values are `Consumption`, `Commitment_1TB`, `Commitment_10TB`, `Commitment_100TB`, `Commitment_500TB`, `Commitment_1PB` or `Commitment_5PB`. +* `encryption` - (Optional/Computed) A block detailing the current encryption settings. + * `tags` - (Optional) A mapping of tags to assign to the resource. +`encryption` block supports the following: + +* `enabled` - (Optional) Sets if encryption is enabled or disabled for this store. Defaults to `false` + +* `type` - (Optional) This property determins the source of the encryption keys used, can be one of `ServiceManaged` or `UserManaged`. Defaults to `ServiceManaged`. + +* `key_vault_id` - (Optional) The id of a key vault to get an encryption key from. This must be specified when the encryption type is `UserManaged` + +* `key_name` - (Optional) The name of a key in the key vault to use for encryption. This must be specified when the encryption type is `UserManaged` + +* `key_version` - (Optional) The version of the key to use. This must be specified when the encryption type is `UserManaged` + ## Attributes Reference The following attributes are exported: From b6e9888166dcad73bef7237ab7389212c61f3c06 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Mon, 23 Jul 2018 07:57:46 +0200 Subject: [PATCH 3/5] r/DataLakeStore: Support for Firewall/Encryption Tests pass: ``` $ acctests azurerm TestAccAzureRMDataLakeStore_ === RUN TestAccAzureRMDataLakeStore_basic --- PASS: TestAccAzureRMDataLakeStore_basic (147.99s) === RUN TestAccAzureRMDataLakeStore_tier --- PASS: TestAccAzureRMDataLakeStore_tier (140.91s) === RUN TestAccAzureRMDataLakeStore_encryptionDisabled --- PASS: TestAccAzureRMDataLakeStore_encryptionDisabled (126.77s) === RUN TestAccAzureRMDataLakeStore_firewallUpdate --- PASS: TestAccAzureRMDataLakeStore_firewallUpdate (253.79s) === RUN TestAccAzureRMDataLakeStore_withTags --- PASS: TestAccAzureRMDataLakeStore_withTags (161.95s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 831.835s ``` --- azurerm/resource_arm_data_lake_store.go | 223 ++++++------------- azurerm/resource_arm_data_lake_store_test.go | 156 +++---------- website/docs/r/data_lake_store.html.markdown | 16 +- 3 files changed, 117 insertions(+), 278 deletions(-) diff --git a/azurerm/resource_arm_data_lake_store.go b/azurerm/resource_arm_data_lake_store.go index 7b23952330fc..c07a21664773 100644 --- a/azurerm/resource_arm_data_lake_store.go +++ b/azurerm/resource_arm_data_lake_store.go @@ -5,15 +5,12 @@ import ( "log" "github.com/Azure/azure-sdk-for-go/services/datalake/store/mgmt/2016-11-01/account" - + "github.com/hashicorp/terraform/helper/schema" + "github.com/hashicorp/terraform/helper/validation" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/suppress" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" - - "github.com/hashicorp/terraform/helper/schema" - "github.com/hashicorp/terraform/helper/validation" - "strings" ) func resourceArmDataLakeStore() *schema.Resource { @@ -55,71 +52,52 @@ func resourceArmDataLakeStore() *schema.Resource { }, true), }, - "encryption": { - Type: schema.TypeList, + "encryption_state": { + Type: schema.TypeString, Optional: true, - Computed: true, //true by default, so allow read to set this - MaxItems: 1, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "enabled": { - Type: schema.TypeBool, - Optional: true, - Default: true, - ForceNew: true, - }, - - "type": { - Type: schema.TypeString, - Optional: true, - Computed: true, //so the user can leave it blank - ForceNew: true, - ValidateFunc: validation.StringInSlice([]string{ - string(account.ServiceManaged), - string(account.UserManaged), - }, true), - DiffSuppressFunc: suppress.CaseDifference, - }, - - //the follow are required if UserManaged is selected - "key_vault_id": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: azure.ValidateResourceID, - }, - - "key_name": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: validation.NoZeroValues, - }, - - "key_version": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: validation.NoZeroValues, - }, - }, - }, + Default: string(account.Enabled), + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + string(account.Enabled), + string(account.Disabled), + }, true), + DiffSuppressFunc: suppress.CaseDifference, }, - "tags": tagsSchema(), - }, - - CustomizeDiff: func(d *schema.ResourceDiff, v interface{}) error { + "encryption_type": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + string(account.ServiceManaged), + }, true), + DiffSuppressFunc: suppress.CaseDifference, + }, - encryptionType, hasEncryptionType := d.GetOk("encryption.0.type") + "firewall_state": { + Type: schema.TypeString, + Optional: true, + Default: string(account.FirewallStateEnabled), + ValidateFunc: validation.StringInSlice([]string{ + string(account.FirewallStateEnabled), + string(account.FirewallStateDisabled), + }, true), + DiffSuppressFunc: suppress.CaseDifference, + }, - if hasEncryptionType && strings.EqualFold(encryptionType.(string), string(account.UserManaged)) { - if _, hasKeyValueId := d.GetOk("encryption.0.key_vault_id"); !hasKeyValueId { - //return fmt.Errorf("encryption key_vault_id must be specified if encryption type is UserManaged") - } - if _, hasKeyName := d.GetOk("encryption.0.key_name"); !hasKeyName { - return fmt.Errorf("encryption key_name must be specified if encryption type is UserManaged") - } - } + "firewall_allow_azure_ips": { + Type: schema.TypeString, + Optional: true, + Default: string(account.FirewallAllowAzureIpsStateEnabled), + ValidateFunc: validation.StringInSlice([]string{ + string(account.FirewallAllowAzureIpsStateEnabled), + string(account.FirewallAllowAzureIpsStateDisabled), + }, true), + DiffSuppressFunc: suppress.CaseDifference, + }, - return nil + "tags": tagsSchema(), }, } } @@ -132,33 +110,35 @@ func resourceArmDateLakeStoreCreate(d *schema.ResourceData, meta interface{}) er location := azureRMNormalizeLocation(d.Get("location").(string)) resourceGroup := d.Get("resource_group_name").(string) tier := d.Get("tier").(string) + + encryptionState := account.EncryptionState(d.Get("encryption_state").(string)) + encryptionType := account.EncryptionConfigType(d.Get("encryption_type").(string)) + firewallState := account.FirewallState(d.Get("firewall_state").(string)) + firewallAllowAzureIPs := account.FirewallAllowAzureIpsState(d.Get("firewall_allow_azure_ips").(string)) tags := d.Get("tags").(map[string]interface{}) - log.Printf("[INFO] preparing arguments for Azure ARM Date Lake Store creation %q (Resource Group %q)", name, resourceGroup) + log.Printf("[INFO] preparing arguments for Data Lake Store creation %q (Resource Group %q)", name, resourceGroup) dateLakeStore := account.CreateDataLakeStoreAccountParameters{ Location: &location, Tags: expandTags(tags), CreateDataLakeStoreAccountProperties: &account.CreateDataLakeStoreAccountProperties{ - NewTier: account.TierType(tier), - EncryptionConfig: expandAzureRmDataLakeStoreEncryptionConfig(d), + NewTier: account.TierType(tier), + FirewallState: firewallState, + FirewallAllowAzureIps: firewallAllowAzureIPs, + EncryptionState: encryptionState, + EncryptionConfig: &account.EncryptionConfig{ + Type: encryptionType, + }, }, } - if encryptionEnabled, ok := d.GetOkExists("encryption.0.enabled"); ok { - if encryptionEnabled.(bool) { - dateLakeStore.CreateDataLakeStoreAccountProperties.EncryptionState = account.Enabled - } else { - dateLakeStore.CreateDataLakeStoreAccountProperties.EncryptionState = account.Disabled - } - } - future, err := client.Create(ctx, resourceGroup, name, dateLakeStore) if err != nil { return fmt.Errorf("Error issuing create request for Data Lake Store %q (Resource Group %q): %+v", name, resourceGroup, err) } - err = future.WaitForCompletion(ctx, client.Client) + err = future.WaitForCompletionRef(ctx, client.Client) if err != nil { return fmt.Errorf("Error creating Data Lake Store %q (Resource Group %q): %+v", name, resourceGroup, err) } @@ -182,15 +162,18 @@ func resourceArmDateLakeStoreUpdate(d *schema.ResourceData, meta interface{}) er name := d.Get("name").(string) resourceGroup := d.Get("resource_group_name").(string) - newTags := d.Get("tags").(map[string]interface{}) - newTier := d.Get("tier").(string) + tier := d.Get("tier").(string) + firewallState := account.FirewallState(d.Get("firewall_state").(string)) + firewallAllowAzureIPs := account.FirewallAllowAzureIpsState(d.Get("firewall_allow_azure_ips").(string)) + tags := d.Get("tags").(map[string]interface{}) props := account.UpdateDataLakeStoreAccountParameters{ - Tags: expandTags(newTags), UpdateDataLakeStoreAccountProperties: &account.UpdateDataLakeStoreAccountProperties{ - NewTier: account.TierType(newTier), - EncryptionConfig: expandAzureRmDataLakeStoreUpdateEncryptionConfig(d), + NewTier: account.TierType(tier), + FirewallState: firewallState, + FirewallAllowAzureIps: firewallAllowAzureIPs, }, + Tags: expandTags(tags), } future, err := client.Update(ctx, resourceGroup, name, props) @@ -198,7 +181,7 @@ func resourceArmDateLakeStoreUpdate(d *schema.ResourceData, meta interface{}) er return fmt.Errorf("Error issuing update request for Data Lake Store %q (Resource Group %q): %+v", name, resourceGroup, err) } - err = future.WaitForCompletion(ctx, client.Client) + err = future.WaitForCompletionRef(ctx, client.Client) if err != nil { return fmt.Errorf("Error waiting for the update of Data Lake Store %q (Resource Group %q) to commplete: %+v", name, resourceGroup, err) } @@ -220,10 +203,11 @@ func resourceArmDateLakeStoreRead(d *schema.ResourceData, meta interface{}) erro resp, err := client.Get(ctx, resourceGroup, name) if err != nil { if utils.ResponseWasNotFound(resp.Response) { - log.Printf("[WARN] DataLakeStoreAccount '%s' was not found (resource group '%s')", name, resourceGroup) + log.Printf("[WARN] Data Lake Store Account %q was not found (Resource Group %q)", name, resourceGroup) d.SetId("") return nil } + return fmt.Errorf("Error making Read request on Azure Data Lake Store %q (Resource Group %q): %+v", name, resourceGroup, err) } @@ -235,8 +219,14 @@ func resourceArmDateLakeStoreRead(d *schema.ResourceData, meta interface{}) erro if properties := resp.DataLakeStoreAccountProperties; properties != nil { d.Set("tier", string(properties.CurrentTier)) - d.Set("encryption", flattenAzureRmDataLakeStoreEncryption(properties)) + d.Set("encryption_state", string(properties.EncryptionState)) + d.Set("firewall_state", string(properties.FirewallState)) + d.Set("firewall_allow_azure_ips", string(properties.FirewallAllowAzureIps)) + + if config := properties.EncryptionConfig; config != nil { + d.Set("encryption_type", string(config.Type)) + } } flattenAndSetTags(d, resp.Tags) @@ -273,68 +263,3 @@ func resourceArmDateLakeStoreDelete(d *schema.ResourceData, meta interface{}) er return nil } - -func expandAzureRmDataLakeStoreEncryptionConfig(d *schema.ResourceData) *account.EncryptionConfig { - blocks, ok := d.GetOk("encryption") - if !ok { - return nil - } - - block := blocks.([]interface{})[0].(map[string]interface{}) - config := account.EncryptionConfig{ - Type: account.EncryptionConfigType(block["type"].(string)), - } - - if config.Type == account.UserManaged { - config.KeyVaultMetaInfo = &account.KeyVaultMetaInfo{ - KeyVaultResourceID: utils.String(block["key_vault_id"].(string)), - EncryptionKeyName: utils.String(block["key_name"].(string)), - } - - if v, ok := block["key_version"]; ok { - config.KeyVaultMetaInfo.EncryptionKeyVersion = utils.String(v.(string)) - } - } - - return &config -} - -func expandAzureRmDataLakeStoreUpdateEncryptionConfig(d *schema.ResourceData) *account.UpdateEncryptionConfig { - blocks, ok := d.GetOk("encryption") - if !ok { - return nil - } - - block := blocks.([]interface{})[0].(map[string]interface{}) - config := account.UpdateEncryptionConfig{} - if itemType, ok := block["type"]; ok && strings.EqualFold(itemType.(string), string(account.UserManaged)) { - if v, ok := block["key_version"]; ok { - config.KeyVaultMetaInfo.EncryptionKeyVersion = utils.String(v.(string)) - } - } - - return &config -} - -func flattenAzureRmDataLakeStoreEncryption(properties *account.DataLakeStoreAccountProperties) interface{} { - block := map[string]interface{}{ - "enabled": bool(properties.EncryptionState == account.Enabled), - } - - if config := properties.EncryptionConfig; config != nil { - block["type"] = string(config.Type) - if keyVault := config.KeyVaultMetaInfo; keyVault != nil { - if v := keyVault.KeyVaultResourceID; v != nil { - block["key_vault_id"] = *v - } - if v := keyVault.EncryptionKeyName; v != nil { - block["key_name"] = *v - } - if v := keyVault.EncryptionKeyName; v != nil { - block["key_version"] = *v - } - } - } - - return []interface{}{block} -} diff --git a/azurerm/resource_arm_data_lake_store_test.go b/azurerm/resource_arm_data_lake_store_test.go index dc9ad8dd6824..0304cd7c4b92 100644 --- a/azurerm/resource_arm_data_lake_store_test.go +++ b/azurerm/resource_arm_data_lake_store_test.go @@ -25,8 +25,8 @@ func TestAccAzureRMDataLakeStore_basic(t *testing.T) { Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), resource.TestCheckResourceAttr(resourceName, "tier", "Consumption"), - resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "encryption.0.type", "ServiceManaged"), + resource.TestCheckResourceAttr(resourceName, "encryption_state", "Enabled"), + resource.TestCheckResourceAttr(resourceName, "encryption_type", "ServiceManaged"), ), }, { @@ -63,7 +63,7 @@ func TestAccAzureRMDataLakeStore_tier(t *testing.T) { }) } -func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { +func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { resourceName := "azurerm_data_lake_store.test" ri := acctest.RandInt() @@ -73,11 +73,11 @@ func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, Steps: []resource.TestStep{ { - Config: testAccAzureRMDataLakeStore_encryptionDefault(ri, testLocation()), + Config: testAccAzureRMDataLakeStore_encryptionDisabled(ri, testLocation()), Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), - resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "encryption.0.type", "ServiceManaged"), + resource.TestCheckResourceAttr(resourceName, "encryption_state", "Disabled"), + resource.TestCheckResourceAttr(resourceName, "encryption_type", ""), ), }, { @@ -89,9 +89,10 @@ func TestAccAzureRMDataLakeStore_encryptionDefault(t *testing.T) { }) } -func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { +func TestAccAzureRMDataLakeStore_firewallUpdate(t *testing.T) { resourceName := "azurerm_data_lake_store.test" ri := acctest.RandInt() + location := testLocation() resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -99,45 +100,36 @@ func TestAccAzureRMDataLakeStore_encryptionDisabled(t *testing.T) { CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, Steps: []resource.TestStep{ { - Config: testAccAzureRMDataLakeStore_encryptionDisabled(ri, testLocation()), + Config: testAccAzureRMDataLakeStore_firewall(ri, location, "Enabled", "Enabled"), Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), - resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "false"), + resource.TestCheckResourceAttr(resourceName, "firewall_state", "Enabled"), + resource.TestCheckResourceAttr(resourceName, "firewall_allow_azure_ips", "Enabled"), ), }, { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, + Config: testAccAzureRMDataLakeStore_firewall(ri, location, "Enabled", "Disabled"), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMDataLakeStoreExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "firewall_state", "Enabled"), + resource.TestCheckResourceAttr(resourceName, "firewall_allow_azure_ips", "Disabled"), + ), }, - }, - }) -} - -func TestAccAzureRMDataLakeStore_encryptionUserManaged(t *testing.T) { - resourceName := "azurerm_data_lake_store.test" - ri := acctest.RandInt() - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testCheckAzureRMDataLakeStoreDestroy, - Steps: []resource.TestStep{ { - Config: testAccAzureRMDataLakeStore_encryptionUserManaged(ri, testLocation()), + Config: testAccAzureRMDataLakeStore_firewall(ri, location, "Disabled", "Enabled"), Check: resource.ComposeTestCheckFunc( testCheckAzureRMDataLakeStoreExists(resourceName), - resource.TestCheckResourceAttr(resourceName, "encryption.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "encryption.0.type", "ServiceManaged"), - resource.TestCheckResourceAttrSet(resourceName, "encryption.0.key_vault_id"), - resource.TestCheckResourceAttrSet(resourceName, "encryption.0.key_name"), - resource.TestCheckResourceAttrSet(resourceName, "encryption.0.key_version"), + resource.TestCheckResourceAttr(resourceName, "firewall_state", "Disabled"), + resource.TestCheckResourceAttr(resourceName, "firewall_allow_azure_ips", "Enabled"), ), }, { - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, + Config: testAccAzureRMDataLakeStore_firewall(ri, location, "Disabled", "Disabled"), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMDataLakeStoreExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "firewall_state", "Disabled"), + resource.TestCheckResourceAttr(resourceName, "firewall_allow_azure_ips", "Disabled"), + ), }, }, }) @@ -258,13 +250,12 @@ resource "azurerm_data_lake_store" "test" { name = "acctest%s" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - tier = "Commitment_1TB" } `, rInt, location, strconv.Itoa(rInt)[0:15]) } -func testAccAzureRMDataLakeStore_encryptionDefault(rInt int, location string) string { +func testAccAzureRMDataLakeStore_encryptionDisabled(rInt int, location string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { name = "acctestRG-%d" @@ -275,15 +266,12 @@ resource "azurerm_data_lake_store" "test" { name = "acctest%s" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - - encryption { - type = "ServiceManaged" - } + encryption_state = "Disabled" } `, rInt, location, strconv.Itoa(rInt)[0:15]) } -func testAccAzureRMDataLakeStore_encryptionDisabled(rInt int, location string) string { +func testAccAzureRMDataLakeStore_firewall(rInt int, location string, firewallState string, firewallAllowAzureIPs string) string { return fmt.Sprintf(` resource "azurerm_resource_group" "test" { name = "acctestRG-%d" @@ -291,83 +279,13 @@ resource "azurerm_resource_group" "test" { } resource "azurerm_data_lake_store" "test" { - name = "acctest%s" - resource_group_name = "${azurerm_resource_group.test.name}" - location = "${azurerm_resource_group.test.location}" - - encryption { - enabled = false - } -} -`, rInt, location, strconv.Itoa(rInt)[0:15]) -} - -func testAccAzureRMDataLakeStore_encryptionUserManaged(rInt int, location string) string { - return fmt.Sprintf(` -data "azurerm_client_config" "current" {} - -resource "azurerm_resource_group" "test" { - name = "acctestRG-%[1]d" - location = "%[2]s" -} - -resource "azurerm_key_vault" "test" { - name = "acctestkv%[3]s" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - tenant_id = "${data.azurerm_client_config.current.tenant_id}" - - sku { - name = "premium" - } - - access_policy { - tenant_id = "${data.azurerm_client_config.current.tenant_id}" - object_id = "${data.azurerm_client_config.current.service_principal_object_id}" - - key_permissions = [ - "create", - "delete", - "get", - ] - - secret_permissions = [ - "get", - "delete", - "set", - ] - } - - tags { - environment = "Production" - } -} - -resource "azurerm_key_vault_key" "test" { - name = "datastorekey" - vault_uri = "${azurerm_key_vault.test.vault_uri}" - key_type = "EC" - key_size = 2048 - - key_opts = [ - "sign", - "verify", - ] -} - -resource "azurerm_data_lake_store" "test" { - name = "acctest%[3]s" - resource_group_name = "${azurerm_resource_group.test.name}" - location = "${azurerm_resource_group.test.location}" - - encryption { - type = "UserManaged" - key_vault_id = "${azurerm_key_vault.test.id}" - key_name = "${azurerm_key_vault_key.test.name}" - key_version = "${azurerm_key_vault_key.test.version}" - } + name = "acctest%s" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + firewall_state = "%s" + firewall_allow_azure_ips = "%s" } -`, rInt, location, strconv.Itoa(rInt)[0:15]) +`, rInt, location, strconv.Itoa(rInt)[0:15], firewallState, firewallAllowAzureIPs) } func testAccAzureRMDataLakeStore_withTags(rInt int, location string) string { @@ -381,7 +299,7 @@ resource "azurerm_data_lake_store" "test" { name = "acctest%s" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - + tags { environment = "Production" cost_center = "MSFT" @@ -401,7 +319,7 @@ resource "azurerm_data_lake_store" "test" { name = "acctest%s" resource_group_name = "${azurerm_resource_group.test.name}" location = "${azurerm_resource_group.test.location}" - + tags { environment = "staging" } diff --git a/website/docs/r/data_lake_store.html.markdown b/website/docs/r/data_lake_store.html.markdown index f2de020b7c62..9bd121d7b758 100644 --- a/website/docs/r/data_lake_store.html.markdown +++ b/website/docs/r/data_lake_store.html.markdown @@ -44,22 +44,18 @@ The following arguments are supported: * `tier` - (Optional) The monthly commitment tier for Data Lake Store. Accepted values are `Consumption`, `Commitment_1TB`, `Commitment_10TB`, `Commitment_100TB`, `Commitment_500TB`, `Commitment_1PB` or `Commitment_5PB`. -* `encryption` - (Optional/Computed) A block detailing the current encryption settings. +* `encryption_state` - (Optional) Is Encryption enabled on this Data Lake Store Account? Possible values are `Enabled` or `Disabled`. Defaults to `Enabled`. -* `tags` - (Optional) A mapping of tags to assign to the resource. +* `encryption_type` - (Optional) The Encryption Type used for this Data Lake Store Account. Defaults to `SystemManaged` which is the only supported value at this time. -`encryption` block supports the following: +-> **NOTE:** Support for User Managed encryption will be supported in the future once a bug in the API is fixed. -* `enabled` - (Optional) Sets if encryption is enabled or disabled for this store. Defaults to `false` +* `firewall_allow_azure_ips` - are Azure Service IP's allowed through the firewall? Possible values are `Enabled` and `Disabled`. Defaults to `Enabled.` -* `type` - (Optional) This property determins the source of the encryption keys used, can be one of `ServiceManaged` or `UserManaged`. Defaults to `ServiceManaged`. - -* `key_vault_id` - (Optional) The id of a key vault to get an encryption key from. This must be specified when the encryption type is `UserManaged` +* `firewall_state` - the state of the Firewall. Possible values are `Enabled` and `Disabled`. Defaults to `Enabled.` -* `key_name` - (Optional) The name of a key in the key vault to use for encryption. This must be specified when the encryption type is `UserManaged` +* `tags` - (Optional) A mapping of tags to assign to the resource. -* `key_version` - (Optional) The version of the key to use. This must be specified when the encryption type is `UserManaged` - ## Attributes Reference The following attributes are exported: From e54c222382720d45d5316a6e689cb4164724f627 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Mon, 23 Jul 2018 07:58:11 +0200 Subject: [PATCH 4/5] d/DataLakeStore: support for Encryption/Firewall Rules Tests pass: ``` $ acctests azurerm TestAccDataSourceAzureRMDataLakeStore_ === RUN TestAccDataSourceAzureRMDataLakeStore_basic --- PASS: TestAccDataSourceAzureRMDataLakeStore_basic (150.71s) === RUN TestAccDataSourceAzureRMDataLakeStore_tier --- PASS: TestAccDataSourceAzureRMDataLakeStore_tier (143.18s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 294.220s ``` --- azurerm/data_source_data_lake_store.go | 30 +++++++++++++++++++- website/docs/d/data_lake_store.html.markdown | 11 +++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/azurerm/data_source_data_lake_store.go b/azurerm/data_source_data_lake_store.go index e3578b50c967..4c49094ca2a9 100644 --- a/azurerm/data_source_data_lake_store.go +++ b/azurerm/data_source_data_lake_store.go @@ -27,6 +27,26 @@ func dataSourceArmDataLakeStoreAccount() *schema.Resource { Computed: true, }, + "encryption_state": { + Type: schema.TypeString, + Computed: true, + }, + + "encryption_type": { + Type: schema.TypeString, + Computed: true, + }, + + "firewall_state": { + Type: schema.TypeString, + Computed: true, + }, + + "firewall_allow_azure_ips": { + Type: schema.TypeString, + Computed: true, + }, + "tags": tagsForDataSourceSchema(), }, } @@ -42,7 +62,7 @@ func dataSourceArmDateLakeStoreAccountRead(d *schema.ResourceData, meta interfac resp, err := client.Get(ctx, resourceGroup, name) if err != nil { if utils.ResponseWasNotFound(resp.Response) { - log.Printf("[WARN] DataLakeStoreAccount '%s' was not found (resource group '%s')", name, resourceGroup) + log.Printf("[WARN] DataLakeStoreAccount %q was not found (Resource Group %q)", name, resourceGroup) d.SetId("") return nil } @@ -59,6 +79,14 @@ func dataSourceArmDateLakeStoreAccountRead(d *schema.ResourceData, meta interfac if properties := resp.DataLakeStoreAccountProperties; properties != nil { d.Set("tier", string(properties.CurrentTier)) + + d.Set("encryption_state", string(properties.EncryptionState)) + d.Set("firewall_allow_azure_ips", string(properties.FirewallAllowAzureIps)) + d.Set("firewall_state", string(properties.FirewallState)) + + if config := properties.EncryptionConfig; config != nil { + d.Set("encryption_type", string(config.Type)) + } } flattenAndSetTags(d, resp.Tags) diff --git a/website/docs/d/data_lake_store.html.markdown b/website/docs/d/data_lake_store.html.markdown index b13258e105c2..05d6b5999d5b 100644 --- a/website/docs/d/data_lake_store.html.markdown +++ b/website/docs/d/data_lake_store.html.markdown @@ -27,10 +27,21 @@ output "data_lake_store_id" { ## Argument Reference * `name` - (Required) The name of the Data Lake Store. + * `resource_group_name` - (Required) The Name of the Resource Group where the Data Lake Store exists. ## Attributes Reference * `id` - The ID of the Data Lake Store. + +* `encryption_state` - the Encryption State of this Data Lake Store Account, such as `Enabled` or `Disabled`. + +* `encryption_type` - the Encryption Type used for this Data Lake Store Account. + +* `firewall_allow_azure_ips` - are Azure Service IP's allowed through the firewall? + +* `firewall_state` - the state of the firewall, such as `Enabled` or `Disabled`. + * `tier` - Current monthly commitment tier for the account. + * `tags` - A mapping of tags to assign to the Data Lake Store. From 08033bed61dd0a784fef2467904b4977f50c8fcf Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Tue, 24 Jul 2018 12:14:52 +0200 Subject: [PATCH 5/5] Clarfiying the data lake docs --- website/docs/r/data_lake_store.html.markdown | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/website/docs/r/data_lake_store.html.markdown b/website/docs/r/data_lake_store.html.markdown index 9bd121d7b758..fb981e4b8256 100644 --- a/website/docs/r/data_lake_store.html.markdown +++ b/website/docs/r/data_lake_store.html.markdown @@ -1,3 +1,4 @@ + --- layout: "azurerm" page_title: "Azure Resource Manager: azurerm_data_lake_store" @@ -22,7 +23,7 @@ resource "azurerm_data_lake_store" "example" { name = "consumptiondatalake" resource_group_name = "${azurerm_resource_group.example.name}" location = "${azurerm_resource_group.example.location}" - + encrytpion { type = "UserManaged" key_vault_id = "${azurerm_key_vault.example.id}" @@ -46,7 +47,7 @@ The following arguments are supported: * `encryption_state` - (Optional) Is Encryption enabled on this Data Lake Store Account? Possible values are `Enabled` or `Disabled`. Defaults to `Enabled`. -* `encryption_type` - (Optional) The Encryption Type used for this Data Lake Store Account. Defaults to `SystemManaged` which is the only supported value at this time. +* `encryption_type` - (Optional) The Encryption Type used for this Data Lake Store Account. Currently can be set to `SystemManaged` when `encryption_state` is `Enabled` - and must be a blank string when it's Disabled. -> **NOTE:** Support for User Managed encryption will be supported in the future once a bug in the API is fixed.