New Resource: azurerm_key_vault_managed_hardware_security_module_key
#25069
Conversation
github-actions
bot
added
documentation
service/managed-hsm
size/XL
waiting-response
labels
| // NestedItemObjectType enumerates the type of the "NestedItemType" value (e.g."keys", "secrets" or "certificates"). | ||
| type NestedItemObjectType string | ||
|
|
||
| const ( | ||
| // KeyVaultObjectType Keys... | ||
| NestedItemTypeKey NestedItemObjectType = "keys" | ||
| ) |
There was a problem hiding this comment.
We're intending to move away from the NestedItemId in favour of Resource ID types specific to the type of Nested Item (e.g. a ManagedHSMKey etc) - as such can we update this Resource ID type to be one for each type?
There was a problem hiding this comment.
This is still pending FWIW
There was a problem hiding this comment.
this ID is replaced with ManagedHSMKeyID in ./parse/managed_hsm_key_id.go. is there other updates needed to ressolve this comment?
There was a problem hiding this comment.
Should we use the KeyID of internal/services/managedhsm/parse/key.go as the resource ID instead of the NestedItemID format?
|
|
||
| * `key_opts` - (Required) A list of JSON web key operations. Possible values are `decrypt`, `encrypt`, `import`, `export`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. | ||
|
|
||
| * `not_before_date` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z'). |
There was a problem hiding this comment.
would this be better as
| * `not_before_date` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z'). | |
| * `not_usable_before_date` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z'). |
|
|
||
| * `curve` - (Optional) Specifies the curve to use when creating an `EC` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field will be required in a future release if `key_type` is `EC-HSM`. The API will default to `P-256` if nothing is specified. Changing this forces a new resource to be created. | ||
|
|
||
| * `key_opts` - (Required) A list of JSON web key operations. Possible values are `decrypt`, `encrypt`, `import`, `export`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. |
There was a problem hiding this comment.
| * `key_opts` - (Required) A list of JSON web key operations. Possible values are `decrypt`, `encrypt`, `import`, `export`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. | |
| * `key_options` - (Required) A list of JSON web key operations. Possible values are `decrypt`, `encrypt`, `import`, `export`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. |
|
|
||
| * `key_type` - (Required) Specifies the Key Type to use for this Managed Hardware Security Module Key. Possible values are `EC-HSM`, `RSA-HSM` and `oct-HSM`. Changing this forces a new resource to be created. | ||
|
|
||
| * `key_size` - (Optional) Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. *Note*: This field is required if `key_type` is `RSA-HSM`. Changing this forces a new resource to be created. |
There was a problem hiding this comment.
| * `key_size` - (Optional) Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. *Note*: This field is required if `key_type` is `RSA-HSM`. Changing this forces a new resource to be created. | |
| * `key_size` - (Optional) Specifies the Size of the RSA key to create in bytes. For example, `1024` or `2048`. *Note*: This field is required if `key_type` is `RSA-HSM`. Changing this forces a new resource to be created. |
|
|
||
| An `automatic` block supports the following: | ||
|
|
||
| * `time_after_creation` - (Optional) Rotate automatically at a duration after create as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). |
There was a problem hiding this comment.
it seems like these should be called durations not times? ie
| * `time_after_creation` - (Optional) Rotate automatically at a duration after create as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). | |
| * `duration_after_creation` - (Optional) Rotate automatically at a duration after create as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). |
|
|
||
| * `duration_after_creation` - (Optional) Rotate automatically at a duration after create as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). | ||
|
|
||
| * `time_before_expiry` - (Optional) Rotate automatically at a duration before expiry as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). |
There was a problem hiding this comment.
this is also a duration? and hsould be duration_before_expiry
|
|
||
| A `rotation_policy` block supports the following: | ||
|
|
||
| * `expire_after` - (Optional) Expire a Managed Hardware Security Module Key after given duration as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). |
There was a problem hiding this comment.
and here
| * `expire_after` - (Optional) Expire a Managed Hardware Security Module Key after given duration as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). | |
| * `expire_after_duration` - (Optional) Expire a Managed Hardware Security Module Key after given duration as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). |
|
|
||
| // ParseNestedItemID parses a managed HSM Nested Item ID (such as a Certificate, Key or Secret) | ||
| // containing a version into a NestedItemId object | ||
| func ParseNestedItemID(input string) (*ManagedHSMKeyID, error) { |
There was a problem hiding this comment.
this name is wrong and hsould have managed HSM in it?
| @@ -22,14 +22,14 @@ const ( | |||
| RoleAssignmentType MHSMResourceType = "RoleAssignment" | |||
| ) | |||
|
|
|||
| type NestedItemId struct { | |||
| type RoleNestedItemId struct { | |||
There was a problem hiding this comment.
So instead of making a generic tyoe trying to do multiple things can we split this into three specific IDs with specific opininated types with their own set of parsers and validators? id managed hsm nestedKeyId, managed hsm role definition id, managed hsm role assingment? this will make things far more clear as what the intented suppoted types are
There was a problem hiding this comment.
reverted this changed. will create separate PR to move to sepcific IDs for role related IDs.
| type localCache struct { | ||
| mux sync.Locker | ||
| nameToItem map[string]cacheItem | ||
| } | ||
|
|
||
| var defaultCache = &localCache{ | ||
| mux: &sync.Mutex{}, | ||
| nameToItem: map[string]cacheItem{}, | ||
| } | ||
|
|
There was a problem hiding this comment.
why are there two caches??
There was a problem hiding this comment.
I just defined a struct and an instance of the struct to managed the cache, instead of a global map and lock variables which used in keyvault helpers. I think this way is more readable and easy to manage the lock operations.
| @@ -0,0 +1,177 @@ | |||
| // Copyright (c) HashiCorp, Inc. | |||
There was a problem hiding this comment.
actually - why is this so different this https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/keyvault/client/helpers.go ?
There was a problem hiding this comment.
I implemented a new cache logic that differs from keyvault's helper functions. It may appear different, but it should work properly. The locks in the keyvault helpers are complex and may not function as expected actually.
| DeleteNestedItem(ctx context.Context) (autorest.Response, error) | ||
| NestedItemHasBeenDeleted(ctx context.Context) (autorest.Response, error) | ||
| PurgeNestedItem(ctx context.Context) (autorest.Response, error) | ||
| NestedItemHasBeenPurged(ctx context.Context) (autorest.Response, error) |
There was a problem hiding this comment.
we should be removing all references to autorest, so instead can we return at the very least an http response instead?
| @@ -0,0 +1,135 @@ | |||
| // Copyright (c) HashiCorp, Inc. | |||
There was a problem hiding this comment.
to simplify this can we move all the ID parser/id changes into a seperate PR so it can be more easily reviewed & unblock other PRs & work waiting on it?
There was a problem hiding this comment.
the managed hsm key id is a new file which shoud be included in this PR. I'll create another pull request to move the role definitions into specific IDs.
There was a problem hiding this comment.
@wuxu92 can we also include the ManagedHSMNestedKey in the other PR
There was a problem hiding this comment.
@tombuildsstuff do you mean the KeyID or ManagedHSMKeyID? there is no ManagedHSMNestedKey in this PR.
There was a problem hiding this comment.
KeyIdshould becomeManagedHSMNestedKeyIdWithVersionKeyVersionlessIdshould becomeManagedHSMNestedKeyIdVersionlessManagedHSMKeyIDcan be removed
-> Note: whilst this differs from the Key Vault Nested Item parsers - those will change to this approach in the future - since we should not be using these generic Resource ID parser methods going forward.
However as @katbyte has mentioned, can we split this out to a separate PR, since these Resource ID parsers need to be used elsewhere?
|
hey @wuxu92 Thanks for this PR. Since this PR requires some rework based on the changes from #25601 - given the criticality of this resource and the learnings from #25601 - we're wanting to take a deeper look into this resource to ensure the behaviour ships the way it needs to. As such whilst I'd like to thank you for this contribution, unfortunately I'm going to close this PR for the moment - but I've asked @manicminer to take a look into this one next once #25601 has been merged. Thanks! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
fixes: #13654.