From 94f88b1822b5f7d7de379d2dfd2d858707d9720b Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Fri, 24 Jun 2022 15:33:58 +0800 Subject: [PATCH 1/6] add encryption in automation account --- .../automation/automation_account_resource.go | 132 +++++++++++++++++ .../automation_account_resource_test.go | 139 ++++++++++++++++++ .../docs/r/automation_account.html.markdown | 18 +++ 3 files changed, 289 insertions(+) diff --git a/internal/services/automation/automation_account_resource.go b/internal/services/automation/automation_account_resource.go index 7f300f2f5a4e..9bf0255e676f 100644 --- a/internal/services/automation/automation_account_resource.go +++ b/internal/services/automation/automation_account_resource.go @@ -6,10 +6,12 @@ import ( "time" "github.com/hashicorp/go-azure-helpers/lang/response" + "github.com/hashicorp/go-azure-helpers/resourcemanager/commonids" "github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema" "github.com/hashicorp/go-azure-helpers/resourcemanager/identity" "github.com/hashicorp/go-azure-helpers/resourcemanager/location" "github.com/hashicorp/go-azure-sdk/resource-manager/automation/2021-06-22/automationaccount" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" "github.com/hashicorp/terraform-provider-azurerm/internal/services/automation/validate" 
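Review bot: The hunk adds a direct import of `github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema` while every other schema type in this file goes through the `pluginsdk` wrapper imported a few lines below, and its only use is the `map[string]*schema.Schema` element map of the new `encryption` block. If `pluginsdk` exposes the same `Schema` alias, as its other uses here suggest, writing that map as `map[string]*pluginsdk.Schema` keeps the file on one abstraction and lets this import go. This is a style point only; patch 3 later in the series still carries the `*schema.Schema` form as context.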
@@ -58,6 +60,50 @@ func resourceAutomationAccount() *pluginsdk.Resource { "identity": commonschema.SystemAssignedUserAssignedIdentityOptional(), + "encryption": { + Type: pluginsdk.TypeList, + Optional: true, + Computed: true, + Elem: &pluginsdk.Resource{ + Schema: map[string]*schema.Schema{ + "user_identity_id": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: commonids.ValidateUserAssignedIdentityID, + }, + "key_source": { + Type: pluginsdk.TypeString, + Optional: true, + Computed: true, + ValidateFunc: validation.StringInSlice( + automationaccount.PossibleValuesForEncryptionKeySourceType(), + false, + ), + }, + "key_name": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + "key_version": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + "key_vault_uri": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, + + "disable_local_auth": { + Type: pluginsdk.TypeBool, + Optional: true, + }, + "tags": tags.Schema(), "dsc_server_endpoint": { @@ -111,9 +157,17 @@ func resourceAutomationAccountCreate(d *pluginsdk.ResourceData, meta interface{} Name: automationaccount.SkuNameEnum(d.Get("sku_name").(string)), }, PublicNetworkAccess: utils.Bool(d.Get("public_network_access_enabled").(bool)), + DisableLocalAuth: utils.Bool(d.Get("disable_local_auth").(bool)), }, Location: utils.String(location.Normalize(d.Get("location").(string))), } + if encryption := d.Get("encryption").([]interface{}); len(encryption) > 0 { + enc, err := expandEncryption(encryption[0].(map[string]interface{})) + if err != nil { + return fmt.Errorf("expanding `encryption`: %v", err) + } + parameters.Properties.Encryption = enc + } // for create account do not set identity property (even TypeNone is not allowed), or api will response error if identityVal.Type != identity.TypeNone { parameters.Identity = identityVal 
@@ -149,11 +203,20 @@ func resourceAutomationAccountUpdate(d *pluginsdk.ResourceData, meta interface{} Name: automationaccount.SkuNameEnum(d.Get("sku_name").(string)), }, PublicNetworkAccess: utils.Bool(d.Get("public_network_access_enabled").(bool)), + DisableLocalAuth: utils.Bool(d.Get("disable_local_auth").(bool)), }, Location: utils.String(location.Normalize(d.Get("location").(string))), Identity: identity, } + if encryption := d.Get("encryption").([]interface{}); len(encryption) > 0 { + enc, err := expandEncryption(encryption[0].(map[string]interface{})) + if err != nil { + return fmt.Errorf("expanding `encryption`: %v", err) + } + parameters.Properties.Encryption = enc + } + if tagsVal := expandTags(d.Get("tags").(map[string]interface{})); tagsVal != nil { parameters.Tags = &tagsVal } @@ -217,6 +280,16 @@ func resourceAutomationAccountRead(d *pluginsdk.ResourceData, meta interface{}) } d.Set("sku_name", skuName) + if prop.DisableLocalAuth != nil { + d.Set("disable_local_auth", *prop.DisableLocalAuth) + } + + if encryption, err := flattenEncryption(prop.Encryption); err != nil { + return fmt.Errorf("flattening `encryption`: %+v", err) + } else if encryption != nil { + d.Set("encryption", encryption) + } + d.Set("dsc_server_endpoint", keysResp.Endpoint) if keys := keysResp.Keys; keys != nil { d.Set("dsc_primary_access_key", keys.Primary) 
@@ -258,3 +331,62 @@ func resourceAutomationAccountDelete(d *pluginsdk.ResourceData, meta interface{} return nil } + +func expandEncryption(encMap map[string]interface{}) (*automationaccount.EncryptionProperties, error) { + var id interface{} + id, ok := encMap["user_identity_id"].(string) + if !ok { + return nil, fmt.Errorf("read encryption user identity id error") + } + prop := &automationaccount.EncryptionProperties{ + Identity: &automationaccount.EncryptionPropertiesIdentity{ + UserAssignedIdentity: &id, + }, + } + if val, ok := encMap["key_source"].(string); ok && val != "" { + prop.KeySource = (*automationaccount.EncryptionKeySourceType)(&val) + } + var keyProp automationaccount.KeyVaultProperties + var hasKeyProp bool + if val, ok := encMap["key_name"].(string); ok && val != "" { + keyProp.KeyName = &val + hasKeyProp = true + } + if val, ok := encMap["key_version"].(string); ok && val != "" { + keyProp.KeyVersion = &val + hasKeyProp = true + } + if val, ok := encMap["key_vault_uri"].(string); ok && val != "" { + keyProp.KeyvaultUri = &val + hasKeyProp = true + } + if hasKeyProp { + prop.KeyVaultProperties = &keyProp + } + return prop, nil +} + +func flattenEncryption(encryption *automationaccount.EncryptionProperties) (res []interface{}, err error) { + if encryption == nil { + return + } + item := map[string]interface{}{} + if encryption.KeySource != nil { + item["key_source"] = (string)(*encryption.KeySource) + } + if encryption.Identity != nil && encryption.Identity.UserAssignedIdentity != nil { + item["user_identity_id"] = (*encryption.Identity.UserAssignedIdentity).(string) + } + if keyProp := encryption.KeyVaultProperties; keyProp != nil { + if keyProp.KeyName != nil { + item["key_name"] = *keyProp.KeyName + } + if keyProp.KeyVersion != nil { + item["key_version"] = *keyProp.KeyVersion + } + if keyProp.KeyName != nil { + item["key_vault_uri"] = *keyProp.KeyvaultUri + } + } + return []interface{}{item}, nil +} 
diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index 7a71212ace81..f8f6d22b819a 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go @@ -70,6 +70,23 @@ func TestAccAutomationAccount_complete(t *testing.T) { }) } +func TestAccAutomationAccount_encryption(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_automation_account", "test") + r := AutomationAccountResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.encryption(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + check.That(data.ResourceName).Key("sku_name").HasValue("Basic"), + check.That(data.ResourceName).Key("disable_local_auth").HasValue("true"), + ), + }, + data.ImportStep(), + }) +} + func TestAccAutomationAccount_identityUpdate(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_automation_account", "test") r := AutomationAccountResource{} 
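Review bot: `TestAccAutomationAccount_encryption` runs a single create step plus import, so neither update path this series introduces — turning `disable_local_auth` (renamed `local_authentication_enabled` later in the series) back off, or changing or removing the `encryption` block — is ever exercised, and those are exactly the paths where a PUT that omits or re-sends a property can diverge from configuration without an error. A second `acceptance.TestStep` using a config variant with the opposite `disable_local_auth` value, each followed by `data.ImportStep()`, would cover the toggle; a variant without the `encryption` block would show whether the account can be returned to platform-managed keys at all. The test function is complete within the hunk.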
@@ -257,6 +274,128 @@ resource "azurerm_automation_account" "test" { `, data.RandomInteger, data.Locations.Primary) } +func (AutomationAccountResource) encryption(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features { + key_vault { + purge_soft_delete_on_destroy = false + purge_soft_deleted_keys_on_destroy = false + } + } +} + +data "azurerm_client_config" "current" { +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-auto-%[1]d" + location = "%[2]s" +} + +resource "azurerm_user_assigned_identity" "test" { + name = "acctestUAI-%[1]d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name +} + +resource "azurerm_key_vault" "test" { + name = "vault%[1]d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "standard" + soft_delete_retention_days = 7 + purge_protection_enabled = true + + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + + certificate_permissions = [ + "ManageContacts", + ] + + key_permissions = [ + "Create", + "Get", + "List", + "Delete", + "Purge", + ] + + secret_permissions = [ + "Set", + ] + } + + access_policy { + tenant_id = azurerm_user_assigned_identity.test.tenant_id + object_id = azurerm_user_assigned_identity.test.principal_id + + certificate_permissions = [] + + key_permissions = [ + "Get", + "Recover", + "WrapKey", + "UnwrapKey", + ] + + secret_permissions = [] + } +} + +data "azurerm_key_vault" "test" { + name = azurerm_key_vault.test.name + resource_group_name = azurerm_key_vault.test.resource_group_name +} + +data "azurerm_key_vault_key" "test" { + name = azurerm_key_vault_key.test.name + key_vault_id = azurerm_key_vault.test.id +} + +resource "azurerm_key_vault_key" "test" { + name = "key-%[1]d" + key_vault_id = 
azurerm_key_vault.test.id + key_type = "RSA" + key_size = 2048 + + key_opts = [ + "decrypt", + "encrypt", + "sign", + "unwrapKey", + "verify", + "wrapKey", + ] +} + +resource "azurerm_automation_account" "test" { + name = "acctest-%[1]d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + sku_name = "Basic" + + identity { + type = "UserAssigned" + identity_ids = [ + azurerm_user_assigned_identity.test.id + ] + } + disable_local_auth = true + encryption { + key_source = "Microsoft.Keyvault" + user_identity_id = azurerm_user_assigned_identity.test.id + key_vault_uri = azurerm_key_vault.test.vault_uri + key_name = azurerm_key_vault_key.test.name + key_version = azurerm_key_vault_key.test.version + } +} +`, data.RandomInteger, data.Locations.Primary) +} + func (AutomationAccountResource) userAssignedIdentity(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { diff --git a/website/docs/r/automation_account.html.markdown b/website/docs/r/automation_account.html.markdown index b4443cd50a53..fbca3cd0b3f0 100644 --- a/website/docs/r/automation_account.html.markdown +++ b/website/docs/r/automation_account.html.markdown @@ -44,12 +44,16 @@ The following arguments are supported: * `sku_name` - (Required) The SKU of the account - only `Basic` is supported at this time. +* `disable_local_auth` - (Optional) Whether requests using non-AAD authentication are blocked. + --- * `identity` - (Optional) An `identity` block as defined below. * `tags` - (Optional) A mapping of tags to assign to the resource. +* `encryption` - (Optional) An `encryption` block as defined below. + --- An `identity` block supports the following: 
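Review bot: `data "azurerm_key_vault" "test"` and `data "azurerm_key_vault_key" "test"` are declared but never referenced — the automation account reads `vault_uri`, `name` and `version` from the managed resources directly — so they only add API reads and dependency edges to every test run (patch 3 in this series removes the key data source but keeps the vault one). The access-policy split is the right shape for a CMK test: the identity the account encrypts with gets only `Get`/`Recover`/`WrapKey`/`UnwrapKey`, while `Create`/`Delete`/`Purge` stay on the test principal. I would delete the two unused `data` blocks; the hunk starts on the previous line.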
@@ -60,6 +64,20 @@ An `identity` block supports the following: -> **Note:** `identity_ids` is required when `type` is set to `UserAssigned` or `SystemAssigned, UserAssigned`. +-- + +An `encryption` block supports the following: + +* `user_identity_id` - (Optional) The user identity used for CMK. It will be an ARM resource id. + +* `key_source` - (Optional) The source of the encryption key. Possible values are `Microsoft.Keyvault` and `Microsoft.Storage`. + +* `key_name` - (Optional) The name of the key used to encrypt data. + +* `key_version` - (Optional) The version of the key used to encrypt data. + +* `key_vault_uri` - (Optional) The URI of the Key Vault key used to encrypt data. + --- ## Attributes Reference From 851ad0474beff616b6f981f262e5711eef65d221 Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 3 Aug 2022 14:17:19 +0800 Subject: [PATCH 2/6] fix pr --- .../automation/automation_account_resource.go | 31 ++++++++++++------- .../automation_account_resource_test.go | 4 +-- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/internal/services/automation/automation_account_resource.go b/internal/services/automation/automation_account_resource.go index 9bf0255e676f..3e4170983e06 100644 --- a/internal/services/automation/automation_account_resource.go +++ b/internal/services/automation/automation_account_resource.go @@ -71,6 +71,11 @@ func resourceAutomationAccount() *pluginsdk.Resource { Optional: true, ValidateFunc: commonids.ValidateUserAssignedIdentityID, }, + "key_name": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringIsNotEmpty, + }, "key_source": { Type: pluginsdk.TypeString, Optional: true, @@ -80,7 +85,7 @@ func resourceAutomationAccount() *pluginsdk.Resource { false, ), }, - "key_name": { + "key_vault_uri": { Type: pluginsdk.TypeString, Optional: true, ValidateFunc: validation.StringIsNotEmpty, 
@@ -90,18 +95,14 @@ func resourceAutomationAccount() *pluginsdk.Resource { Optional: true, ValidateFunc: validation.StringIsNotEmpty, }, - "key_vault_uri": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - }, }, }, }, - "disable_local_auth": { + "local_auth_enabled": { Type: pluginsdk.TypeBool, Optional: true, + Default: true, }, "tags": tags.Schema(), @@ -157,10 +158,13 @@ func resourceAutomationAccountCreate(d *pluginsdk.ResourceData, meta interface{} Name: automationaccount.SkuNameEnum(d.Get("sku_name").(string)), }, PublicNetworkAccess: utils.Bool(d.Get("public_network_access_enabled").(bool)), - DisableLocalAuth: utils.Bool(d.Get("disable_local_auth").(bool)), }, Location: utils.String(location.Normalize(d.Get("location").(string))), } + + if localAuth := d.Get("local_auth_enabled").(bool); localAuth == false { + parameters.Properties.DisableLocalAuth = utils.Bool(true) + } if encryption := d.Get("encryption").([]interface{}); len(encryption) > 0 { enc, err := expandEncryption(encryption[0].(map[string]interface{})) if err != nil { @@ -203,12 +207,15 @@ func resourceAutomationAccountUpdate(d *pluginsdk.ResourceData, meta interface{} Name: automationaccount.SkuNameEnum(d.Get("sku_name").(string)), }, PublicNetworkAccess: utils.Bool(d.Get("public_network_access_enabled").(bool)), - DisableLocalAuth: utils.Bool(d.Get("disable_local_auth").(bool)), }, Location: utils.String(location.Normalize(d.Get("location").(string))), Identity: identity, } + if localAuth := d.Get("local_auth_enabled").(bool); localAuth == false { + parameters.Properties.DisableLocalAuth = utils.Bool(true) + } + if encryption := d.Get("encryption").([]interface{}); len(encryption) > 0 { enc, err := expandEncryption(encryption[0].(map[string]interface{})) if err != nil { 
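Review bot: In both the create and the update hunk `DisableLocalAuth` is only populated when `local_auth_enabled` is false, so a configuration that turns local authentication back on never sends `disableLocalAuth: false`; whether the field omitted from this PUT resets the property or leaves it disabled depends on the service, and in the latter case the change silently does not apply and Read reports drift on every run. Sending the value unconditionally removes the ambiguity: `parameters.Properties.DisableLocalAuth = utils.Bool(!d.Get("local_auth_enabled").(bool))` in place of the three-line `if`, in both functions. The attribute is renamed `local_authentication_enabled` later in the series, but the conditional is carried over unchanged. Both enclosing functions continue outside the hunk.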
@@ -280,9 +287,11 @@ func resourceAutomationAccountRead(d *pluginsdk.ResourceData, meta interface{}) } d.Set("sku_name", skuName) - if prop.DisableLocalAuth != nil { - d.Set("disable_local_auth", *prop.DisableLocalAuth) + var localAuthEnabled bool = true + if val := prop.DisableLocalAuth; val != nil { + localAuthEnabled = *val } + d.Set("local_auth_enabled", localAuthEnabled) if encryption, err := flattenEncryption(prop.Encryption); err != nil { return fmt.Errorf("flattening `encryption`: %+v", err) diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index f8f6d22b819a..ec7896591600 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go @@ -80,7 +80,7 @@ func TestAccAutomationAccount_encryption(t *testing.T) { Check: acceptance.ComposeTestCheckFunc( check.That(data.ResourceName).ExistsInAzure(r), check.That(data.ResourceName).Key("sku_name").HasValue("Basic"), - check.That(data.ResourceName).Key("disable_local_auth").HasValue("true"), + check.That(data.ResourceName).Key("local_auth_enabled").HasValue("false"), ), }, data.ImportStep(), @@ -384,7 +384,7 @@ resource "azurerm_automation_account" "test" { azurerm_user_assigned_identity.test.id ] } - disable_local_auth = true + local_auth_enabled = false encryption { key_source = "Microsoft.Keyvault" user_identity_id = azurerm_user_assigned_identity.test.id From 112b1b3c418397c26edcd1f03f93d537749bbe3b Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 3 Aug 2022 17:59:53 +0800 Subject: [PATCH 3/6] use key vault key id and fix pr other issues --- .../automation/automation_account_resource.go | 77 +++++++------------ .../automation_account_resource_test.go | 15 +--- .../docs/r/automation_account.html.markdown | 8 +- 3 files changed, 34 insertions(+), 66 deletions(-) 
diff --git a/internal/services/automation/automation_account_resource.go b/internal/services/automation/automation_account_resource.go index 3e4170983e06..19ecf8127304 100644 --- a/internal/services/automation/automation_account_resource.go +++ b/internal/services/automation/automation_account_resource.go @@ -15,6 +15,8 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/helpers/tf" "github.com/hashicorp/terraform-provider-azurerm/internal/clients" "github.com/hashicorp/terraform-provider-azurerm/internal/services/automation/validate" + keyVaultParse "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/parse" + keyVaultValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/tags" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation" @@ -66,16 +68,11 @@ func resourceAutomationAccount() *pluginsdk.Resource { Computed: true, Elem: &pluginsdk.Resource{ Schema: map[string]*schema.Schema{ - "user_identity_id": { + "user_assigned_identity_id": { Type: pluginsdk.TypeString, Optional: true, ValidateFunc: commonids.ValidateUserAssignedIdentityID, }, - "key_name": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - }, "key_source": { Type: pluginsdk.TypeString, Optional: true, @@ -85,15 +82,10 @@ func resourceAutomationAccount() *pluginsdk.Resource { false, ), }, - "key_vault_uri": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, - }, - "key_version": { + "key_vault_key_id": { Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: validation.StringIsNotEmpty, + Required: true, + ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion, }, }, }, 
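Review bot: `key_vault_key_id` becomes `Required` inside a block whose `key_source` still accepts `Microsoft.Storage`, so a user declaring platform-managed encryption is forced to supply a Key Vault key that the expand function then sends as `keyVaultProperties` regardless of source. The block also stays `Optional: true, Computed: true` (and, as far as patch 1 shows, has no `MaxItems: 1`), which means removing `encryption` from the configuration produces no plan diff, the stored values are re-sent on update, there is no Terraform path back to platform-managed keys, and an out-of-band change to the CMK settings is never surfaced as drift. I would add `MaxItems: 1`, drop `Computed` from the block (keeping it on `key_source` if the API defaults that field), and either default `key_source` to `Microsoft.Keyvault` or make `key_vault_key_id` `Optional` with a check in expand that rejects `Microsoft.Keyvault` without a key. The block's opening lines sit before this hunk.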
@@ -287,16 +279,14 @@ func resourceAutomationAccountRead(d *pluginsdk.ResourceData, meta interface{}) } d.Set("sku_name", skuName) - var localAuthEnabled bool = true - if val := prop.DisableLocalAuth; val != nil { - localAuthEnabled = *val + localAuthEnabled := true + if val := prop.DisableLocalAuth; val != nil && *val == true { + localAuthEnabled = false } d.Set("local_auth_enabled", localAuthEnabled) - if encryption, err := flattenEncryption(prop.Encryption); err != nil { - return fmt.Errorf("flattening `encryption`: %+v", err) - } else if encryption != nil { - d.Set("encryption", encryption) + if err := d.Set("encryption", flattenEncryption(prop.Encryption)); err != nil { + return fmt.Errorf("setting `encryption`: %+v", err) } d.Set("dsc_server_endpoint", keysResp.Endpoint) @@ -343,7 +333,7 @@ func resourceAutomationAccountDelete(d *pluginsdk.ResourceData, meta interface{} func expandEncryption(encMap map[string]interface{}) (*automationaccount.EncryptionProperties, error) { var id interface{} - id, ok := encMap["user_identity_id"].(string) + id, ok := encMap["user_assigned_identity_id"].(string) if !ok { return nil, fmt.Errorf("read encryption user identity id error") } 
@@ -355,27 +345,21 @@ func expandEncryption(encMap map[string]interface{}) (*automationaccount.Encrypt if val, ok := encMap["key_source"].(string); ok && val != "" { prop.KeySource = (*automationaccount.EncryptionKeySourceType)(&val) } - var keyProp automationaccount.KeyVaultProperties - var hasKeyProp bool - if val, ok := encMap["key_name"].(string); ok && val != "" { - keyProp.KeyName = &val - hasKeyProp = true - } - if val, ok := encMap["key_version"].(string); ok && val != "" { - keyProp.KeyVersion = &val - hasKeyProp = true - } - if val, ok := encMap["key_vault_uri"].(string); ok && val != "" { - keyProp.KeyvaultUri = &val - hasKeyProp = true - } - if hasKeyProp { - prop.KeyVaultProperties = &keyProp + if keyIdStr := encMap["key_vault_key_id"].(string); keyIdStr != "" { + keyId, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(keyIdStr) + if err != nil { + return nil, err + } + prop.KeyVaultProperties = &automationaccount.KeyVaultProperties{ + KeyName: utils.String(keyId.Name), + KeyVersion: utils.String(keyId.Version), + KeyvaultUri: utils.String(keyId.KeyVaultBaseUrl), + } } return prop, nil } -func flattenEncryption(encryption *automationaccount.EncryptionProperties) (res []interface{}, err error) { +func flattenEncryption(encryption *automationaccount.EncryptionProperties) (res []interface{}) { if encryption == nil { return } 
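Review bot: `user_assigned_identity_id` is `Optional` in the schema, but the identity struct built from it (introduced in patch 1, just above this hunk) is sent unconditionally, so a block without an identity reaches the API with `userAssignedIdentity: ""` rather than with the field omitted. The same applies to the key: `NestedItemIdWithOptionalVersion` accepts a versionless ID, and for that case `keyId.Version` is `""` and is sent as `keyVersion`; whether the service reads an empty version as "latest" or rejects it is not visible here, so not sending the field is the safer choice. Guarding both — `if id != "" { prop.Identity = &automationaccount.EncryptionPropertiesIdentity{UserAssignedIdentity: &id} }` and only assigning `KeyVersion` when `keyId.Version != ""` — keeps the request honest and lets the API error, if any, name a real value. The function's opening lines are in the previous hunk.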
@@ -384,18 +368,13 @@ func flattenEncryption(encryption *automationaccount.EncryptionProperties) (res item["key_source"] = (string)(*encryption.KeySource) } if encryption.Identity != nil && encryption.Identity.UserAssignedIdentity != nil { - item["user_identity_id"] = (*encryption.Identity.UserAssignedIdentity).(string) + item["user_assigned_identity_id"] = (*encryption.Identity.UserAssignedIdentity).(string) } if keyProp := encryption.KeyVaultProperties; keyProp != nil { - if keyProp.KeyName != nil { - item["key_name"] = *keyProp.KeyName - } - if keyProp.KeyVersion != nil { - item["key_version"] = *keyProp.KeyVersion - } - if keyProp.KeyName != nil { - item["key_vault_uri"] = *keyProp.KeyvaultUri + keyVaultKeyId, err := keyVaultParse.NewNestedItemID(*keyProp.KeyvaultUri, "keys", *keyProp.KeyName, *keyProp.KeyVersion) + if err == nil { + item["key_vault_key_id"] = keyVaultKeyId.ID() } } - return []interface{}{item}, nil + return []interface{}{item} } diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index ec7896591600..ba72946a889b 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go @@ -351,13 +351,8 @@ data "azurerm_key_vault" "test" { resource_group_name = azurerm_key_vault.test.resource_group_name } -data "azurerm_key_vault_key" "test" { - name = azurerm_key_vault_key.test.name - key_vault_id = azurerm_key_vault.test.id -} - resource "azurerm_key_vault_key" "test" { - name = "key-%[1]d" + name = "acckvkey-%[1]d" key_vault_id = azurerm_key_vault.test.id key_type = "RSA" key_size = 2048 
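Review bot: The new `flattenEncryption` dereferences `keyProp.KeyvaultUri`, `keyProp.KeyName` and `keyProp.KeyVersion` without nil checks and applies an unchecked `.(string)` assertion to `UserAssignedIdentity`; the SDK models all of these as pointers or `interface{}`, so a response that omits one (a versionless key, or an identity returned in a non-string form) panics the provider instead of returning an error. The `NewNestedItemID` error is also swallowed by `if err == nil`, which silently drops `key_vault_key_id` from state while leaving the rest of the block populated, so the operator sees a perpetual diff with no hint that the CMK reference could not be read. Since the read path already checks `d.Set("encryption", ...)`, restoring the `([]interface{}, error)` signature and propagating the parse error is the cleaner fix; the signature line and the `nil` guard are in the preceding hunk, and the caller in the read hunk would need to handle the returned error. I am assuming `NewNestedItemID` accepts an empty version, as the versionless validator suggests.
```go
	// … unchanged: item := map[string]interface{}{} and key_source …
	if encryption.Identity != nil && encryption.Identity.UserAssignedIdentity != nil {
		if id, ok := (*encryption.Identity.UserAssignedIdentity).(string); ok {
			item["user_assigned_identity_id"] = id
		}
	}
	if keyProp := encryption.KeyVaultProperties; keyProp != nil && keyProp.KeyvaultUri != nil && keyProp.KeyName != nil {
		version := ""
		if keyProp.KeyVersion != nil {
			version = *keyProp.KeyVersion
		}
		keyVaultKeyId, err := keyVaultParse.NewNestedItemID(*keyProp.KeyvaultUri, "keys", *keyProp.KeyName, version)
		if err != nil {
			return nil, fmt.Errorf("parsing key vault key id: %+v", err)
		}
		item["key_vault_key_id"] = keyVaultKeyId.ID()
	}
	return []interface{}{item}, nil
```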
@@ -386,11 +381,9 @@ resource "azurerm_automation_account" "test" { } local_auth_enabled = false encryption { - key_source = "Microsoft.Keyvault" - user_identity_id = azurerm_user_assigned_identity.test.id - key_vault_uri = azurerm_key_vault.test.vault_uri - key_name = azurerm_key_vault_key.test.name - key_version = azurerm_key_vault_key.test.version + key_source = "Microsoft.Keyvault" + user_assigned_identity_id = azurerm_user_assigned_identity.test.id + key_vault_key_id = azurerm_key_vault_key.test.id } } `, data.RandomInteger, data.Locations.Primary) diff --git a/website/docs/r/automation_account.html.markdown b/website/docs/r/automation_account.html.markdown index fbca3cd0b3f0..0b0f70220db5 100644 --- a/website/docs/r/automation_account.html.markdown +++ b/website/docs/r/automation_account.html.markdown @@ -68,15 +68,11 @@ An `identity` block supports the following: An `encryption` block supports the following: -* `user_identity_id` - (Optional) The user identity used for CMK. It will be an ARM resource id. +* `user_assigned_identity_id` - (Optional) The User Assigned Managed Identity ID to be used for accessing the Customer Managed Key for encryption. * `key_source` - (Optional) The source of the encryption key. Possible values are `Microsoft.Keyvault` and `Microsoft.Storage`. -* `key_name` - (Optional) The name of the key used to encrypt data. - -* `key_version` - (Optional) The version of the key used to encrypt data. - -* `key_vault_uri` - (Optional) The URI of the Key Vault key used to encrypt data. +* `key_vault_key_id` - (Required) The ID of the Key Vault Key which should be used to Encrypt the data in this Automation Account. --- From 162737fa777724f574a3717dabe6ab2ef5f47af7 Mon Sep 17 00:00:00 2001 
From: xuwu1 Date: Wed, 10 Aug 2022 10:42:30 +0800 Subject: [PATCH 4/6] update code format for pr --- .../services/automation/automation_account_resource.go | 10 ++++++---- .../automation/automation_account_resource_test.go | 4 +++- website/docs/r/automation_account.html.markdown | 2 +- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/internal/services/automation/automation_account_resource.go b/internal/services/automation/automation_account_resource.go index 19ecf8127304..4ed67afa2db9 100644 --- a/internal/services/automation/automation_account_resource.go +++ b/internal/services/automation/automation_account_resource.go @@ -73,6 +73,7 @@ func resourceAutomationAccount() *pluginsdk.Resource { Optional: true, ValidateFunc: commonids.ValidateUserAssignedIdentityID, }, + "key_source": { Type: pluginsdk.TypeString, Optional: true, @@ -82,6 +83,7 @@ func resourceAutomationAccount() *pluginsdk.Resource { false, ), }, + "key_vault_key_id": { Type: pluginsdk.TypeString, Required: true, @@ -91,7 +93,7 @@ func resourceAutomationAccount() *pluginsdk.Resource { }, }, - "local_auth_enabled": { + "local_authentication_enabled": { Type: pluginsdk.TypeBool, Optional: true, Default: true, @@ -154,7 +156,7 @@ func resourceAutomationAccountCreate(d *pluginsdk.ResourceData, meta interface{} Location: utils.String(location.Normalize(d.Get("location").(string))), } - if localAuth := d.Get("local_auth_enabled").(bool); localAuth == false { + if localAuth := d.Get("local_authentication_enabled").(bool); localAuth == false { parameters.Properties.DisableLocalAuth = utils.Bool(true) } if encryption := d.Get("encryption").([]interface{}); len(encryption) > 0 { 
@@ -204,7 +206,7 @@ func resourceAutomationAccountUpdate(d *pluginsdk.ResourceData, meta interface{} Identity: identity, } - if localAuth := d.Get("local_auth_enabled").(bool); localAuth == false { + if localAuth := d.Get("local_authentication_enabled").(bool); localAuth == false { parameters.Properties.DisableLocalAuth = utils.Bool(true) } @@ -283,7 +285,7 @@ func resourceAutomationAccountRead(d *pluginsdk.ResourceData, meta interface{}) if val := prop.DisableLocalAuth; val != nil && *val == true { localAuthEnabled = false } - d.Set("local_auth_enabled", localAuthEnabled) + d.Set("local_authentication_enabled", localAuthEnabled) if err := d.Set("encryption", flattenEncryption(prop.Encryption)); err != nil { return fmt.Errorf("setting `encryption`: %+v", err) diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index ba72946a889b..3a753f5ea122 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go @@ -379,7 +379,9 @@ resource "azurerm_automation_account" "test" { azurerm_user_assigned_identity.test.id ] } - local_auth_enabled = false + + local_authentication_enabled = false + encryption { key_source = "Microsoft.Keyvault" user_assigned_identity_id = azurerm_user_assigned_identity.test.id diff --git a/website/docs/r/automation_account.html.markdown b/website/docs/r/automation_account.html.markdown index 0b0f70220db5..33e99f95f572 100644 --- a/website/docs/r/automation_account.html.markdown +++ b/website/docs/r/automation_account.html.markdown 
@@ -44,7 +44,7 @@ The following arguments are supported: * `sku_name` - (Required) The SKU of the account - only `Basic` is supported at this time. -* `disable_local_auth` - (Optional) Whether requests using non-AAD authentication are blocked. +* `local_authentication_enabled` - (Optional) Whether requests using non-AAD authentication are blocked. --- From 78e2596cdb3054c2850ed24063fb0fd9ff5fb917 Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 10 Aug 2022 11:08:59 +0800 Subject: [PATCH 5/6] fix acc test --- .../services/automation/automation_account_resource_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index 3a753f5ea122..0bff9c3fe8ae 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go @@ -80,7 +80,7 @@ func TestAccAutomationAccount_encryption(t *testing.T) { Check: acceptance.ComposeTestCheckFunc( check.That(data.ResourceName).ExistsInAzure(r), check.That(data.ResourceName).Key("sku_name").HasValue("Basic"), - check.That(data.ResourceName).Key("local_auth_enabled").HasValue("false"), + check.That(data.ResourceName).Key("local_authentication_enabled").HasValue("false"), ), }, data.ImportStep(), From 06c9699a869408bc3df51e3acc01ea39d6295f1d Mon Sep 17 00:00:00 2001 From: xuwu1 Date: Wed, 10 Aug 2022 12:41:02 +0800 Subject: [PATCH 6/6] add acc check to rerun pr --- internal/services/automation/automation_account_resource_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index 0bff9c3fe8ae..bbf395aefceb 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go 
@@ -81,6 +81,7 @@ func TestAccAutomationAccount_encryption(t *testing.T) {
 check.That(data.ResourceName).ExistsInAzure(r),
 check.That(data.ResourceName).Key("sku_name").HasValue("Basic"),
 check.That(data.ResourceName).Key("local_authentication_enabled").HasValue("false"),
+ check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Keyvault"),
 ),
 },
 data.ImportStep(),