Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_container_app add support for key vault secret references as secret #23958

Closed
wants to merge 10 commits into from
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ type ContainerAppEnvironmentDaprComponentModel struct {
Version string `tfschema:"version"`
IgnoreErrors bool `tfschema:"ignore_errors"`
InitTimeout string `tfschema:"init_timeout"`
Secrets []helpers.Secret `tfschema:"secret"`
Secrets []helpers.DaprSecret `tfschema:"secret"`
Scopes []string `tfschema:"scopes"`
Metadata []helpers.DaprMetadata `tfschema:"metadata"`
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,18 @@ resource "azurerm_container_app_environment" "test" {
`, r.template(data), data.RandomInteger)
}

func (r ContainerAppEnvironmentResource) basicNoProvider(data acceptance.TestData) string {
return fmt.Sprintf(`
%[1]s

resource "azurerm_container_app_environment" "test" {
name = "acctest-CAEnv%[2]d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
}
`, r.template(data), data.RandomInteger)
}

func (r ContainerAppEnvironmentResource) requiresImport(data acceptance.TestData) string {
return fmt.Sprintf(`

Expand Down
17 changes: 12 additions & 5 deletions internal/services/containerapps/container_app_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ import (
"github.com/hashicorp/go-azure-helpers/resourcemanager/tags"
"github.com/hashicorp/go-azure-sdk/resource-manager/containerapps/2023-05-01/containerapps"
"github.com/hashicorp/go-azure-sdk/resource-manager/containerapps/2023-05-01/managedenvironments"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-provider-azurerm/internal/sdk"
"github.com/hashicorp/terraform-provider-azurerm/internal/services/containerapps/helpers"
"github.com/hashicorp/terraform-provider-azurerm/internal/services/containerapps/validate"
Expand Down Expand Up @@ -185,13 +184,18 @@ func (r ContainerAppResource) Create() sdk.ResourceFunc {
return fmt.Errorf("invalid registry config for %s: %+v", id, err)
}

secrets, err := helpers.ExpandContainerSecrets(app.Secrets)
if err != nil {
return fmt.Errorf("invalid secrets config for %s: %+v", id, err)
}

containerApp := containerapps.ContainerApp{
Location: location.Normalize(env.Model.Location),
Properties: &containerapps.ContainerAppProperties{
Configuration: &containerapps.Configuration{
Ingress: helpers.ExpandContainerAppIngress(app.Ingress, id.ContainerAppName),
Dapr: helpers.ExpandContainerAppDapr(app.Dapr),
Secrets: helpers.ExpandContainerSecrets(app.Secrets),
Secrets: secrets,
Registries: registries,
},
ManagedEnvironmentId: pointer.To(app.ManagedEnvironmentId),
Expand Down Expand Up @@ -379,7 +383,10 @@ func (r ContainerAppResource) Update() sdk.ResourceFunc {
}

if metadata.ResourceData.HasChange("secret") {
model.Properties.Configuration.Secrets = helpers.ExpandContainerSecrets(state.Secrets)
model.Properties.Configuration.Secrets, err = helpers.ExpandContainerSecrets(state.Secrets)
if err != nil {
return fmt.Errorf("invalid secrets config for %s: %+v", id, err)
}
}

if metadata.ResourceData.HasChange("identity") {
Expand Down Expand Up @@ -411,8 +418,8 @@ func (r ContainerAppResource) CustomizeDiff() sdk.ResourceFunc {
Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
if metadata.ResourceDiff != nil && metadata.ResourceDiff.HasChange("secret") {
stateSecretsRaw, configSecretsRaw := metadata.ResourceDiff.GetChange("secret")
stateSecrets := stateSecretsRaw.(*schema.Set).List()
configSecrets := configSecretsRaw.(*schema.Set).List()
stateSecrets := stateSecretsRaw.([]interface{})
configSecrets := configSecretsRaw.([]interface{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See below, this needs to remain a TypeSet unfortunately.

// Check there's not less
if len(configSecrets) < len(stateSecrets) {
return fmt.Errorf("cannot remove secrets from Container Apps at this time due to a limitation in the Container Apps Service. Please see `https://github.com/microsoft/azure-container-apps/issues/395` for more details")
Expand Down
114 changes: 114 additions & 0 deletions internal/services/containerapps/container_app_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,21 @@ func TestAccContainerAppResource_withUserAssignedIdentity(t *testing.T) {
})
}

func TestAccContainerAppResource_withKeyVaultSecret(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_container_app", "test")
r := ContainerAppResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.withKeyVaultSecret(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
})
}

func TestAccContainerAppResource_withSystemAndUserAssignedIdentity(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_container_app", "test")
r := ContainerAppResource{}
Expand Down Expand Up @@ -548,6 +563,101 @@ resource "azurerm_container_app" "test" {
`, r.template(data), data.RandomInteger)
}

func (r ContainerAppResource) withKeyVaultSecret(data acceptance.TestData) string {
return fmt.Sprintf(`
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
recover_soft_deleted_key_vaults = true
}
magodo marked this conversation as resolved.
Show resolved Hide resolved
}
}

%[1]s

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "test" {
name = "acctest-kv-%[3]s"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
tenant_id = data.azurerm_client_config.current.tenant_id
enable_rbac_authorization = true
sku_name = "standard"
}

resource "azurerm_key_vault_secret" "test" {
name = "secret-%[3]s"
value = "test-secret"
key_vault_id = azurerm_key_vault.test.id

depends_on = [
azurerm_role_assignment.self_key_vault_admin
]
}

resource "azurerm_role_assignment" "self_key_vault_admin" {
scope = azurerm_key_vault.test.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "mi_key_vault_secrets" {
scope = azurerm_key_vault.test.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.test.principal_id
}

resource "azurerm_user_assigned_identity" "test" {
name = "acct-%[2]d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
}

resource "azurerm_container_app" "test" {
name = "acctest-capp-%[2]d"
resource_group_name = azurerm_resource_group.test.name
container_app_environment_id = azurerm_container_app_environment.test.id
revision_mode = "Single"

identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.test.id]
}

template {
container {
name = "acctest-cont-%[2]d"
image = "jackofallops/azure-containerapps-python-acctest:v0.0.1"
cpu = 0.25
memory = "0.5Gi"
env {
name = "key-vault-secret"
secret_name = "key-vault-secret"
}
}
}
secret {
name = "key-vault-secret"
identity = azurerm_user_assigned_identity.test.id
key_vault_secret_id = azurerm_key_vault_secret.test.versionless_id
}

depends_on = [
azurerm_role_assignment.mi_key_vault_secrets
]

lifecycle {
ignore_changes = [
secret[0].value
]
}
}
`, r.templateNoProvider(data), data.RandomInteger, data.RandomString)

}

func (r ContainerAppResource) basicUpdate(data acceptance.TestData) string {
return fmt.Sprintf(`
%s
Expand Down Expand Up @@ -1753,6 +1863,10 @@ func (ContainerAppResource) template(data acceptance.TestData) string {
return ContainerAppEnvironmentResource{}.basic(data)
}

func (ContainerAppResource) templateNoProvider(data acceptance.TestData) string {
return ContainerAppEnvironmentResource{}.basicNoProvider(data)
}

func (ContainerAppResource) templateWithVnet(data acceptance.TestData) string {
return fmt.Sprintf(`
%s
Expand Down
Loading
Loading