Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Resource: azurerm_key_vault_managed_hardware_security_module_key #25935

Merged
merged 9 commits into from
May 16, 2024

Conversation

mbfrahry
Copy link
Member

@mbfrahry mbfrahry commented May 10, 2024

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

This PR adds support for HSM Keys.

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevent documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

  • New Resource: azurerm_key_vault_managed_hardware_security_module_key [GH-00000]

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Fixes #0000

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

@mbfrahry mbfrahry changed the title [WIP] New Resource: azurerm_key_vault_managed_hardware_security_module_key New Resource: azurerm_key_vault_managed_hardware_security_module_key May 14, 2024
@mbfrahry mbfrahry marked this pull request as ready for review May 14, 2024 23:36
Copy link
Member

@catriona-m catriona-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a couple of minor comments, but otherwise LGTM!

Timeout: 30 * time.Minute,
Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
client := metadata.Client.ManagedHSMs.DataPlaneKeysClient
// client := metadata.Client.ManagedHSMs.ManagedHsmKeyClient
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be removed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good shout! Ty ty

}

if resp, err := client.CreateKey(ctx, endpoint.BaseURI(), config.Name, parameters); err != nil {
if metadata.Client.Features.KeyVault.RecoverSoftDeletedKeys && utils.ResponseWasConflict(resp.Response) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be checking for HSM keys?

Suggested change
if metadata.Client.Features.KeyVault.RecoverSoftDeletedKeys && utils.ResponseWasConflict(resp.Response) {
if metadata.Client.Features.KeyVault.RecoverSoftDeletedHSMKeys && utils.ResponseWasConflict(resp.Response) {

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohhhh that coulda been a big bug. Ty ty

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments inline but this otherwise LGTM 👍

Comment on lines 29 to 34
PurgeSoftDeletedHSMKeysOnDestroy: true,
RecoverSoftDeletedKeyVaults: true,
RecoverSoftDeletedKeys: true,
RecoverSoftDeletedCerts: true,
RecoverSoftDeletedSecrets: true,
RecoverSoftDeletedHSMKeys: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're supporting Key Vault Keys and Managed HSM Keys in the Provider - it'd probably be worth putting the Managed HSM stuff within managed_hsm - so whilst I realise we have the existing feature-flag here - can we add a TODO to fix this in 4.0?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!


conn, err := client.Get(secretUri)
if err != nil {
log.Printf("[DEBUG] Didn't find KeyVault secret at %q", secretUri)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
log.Printf("[DEBUG] Didn't find KeyVault secret at %q", secretUri)
log.Printf("[DEBUG] Didn't find Managed HSM Key at %q", secretUri)

Comment on lines 110 to 114
func keyVaultChildItemRefreshFunc(secretUri string) pluginsdk.StateRefreshFunc {
return func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking to see if KeyVault Secret %q is available..", secretUri)

PTransport := &http.Transport{Proxy: http.ProxyFromEnvironment}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func keyVaultChildItemRefreshFunc(secretUri string) pluginsdk.StateRefreshFunc {
return func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking to see if KeyVault Secret %q is available..", secretUri)
PTransport := &http.Transport{Proxy: http.ProxyFromEnvironment}
func keyVaultChildItemRefreshFunc(keyUri string) pluginsdk.StateRefreshFunc {
return func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking to see if Managed HSM Key %q is available..", keyUri)
PTransport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
}


defer conn.Body.Close()

log.Printf("[DEBUG] Found KeyVault Secret %q", secretUri)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
log.Printf("[DEBUG] Found KeyVault Secret %q", secretUri)
log.Printf("[DEBUG] Found Managed HSM Key %q", keyUri)

Comment on lines 210 to 211
locks.ByName(managedHsmId.ID(), "azurerm_key_vault_managed_hardware_security_module")
defer locks.UnlockByName(managedHsmId.ID(), "azurerm_key_vault_managed_hardware_security_module")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should do this above the RequiresImport check, else we're potentially provisioning 2 of these

return fmt.Errorf("determining Resource Manager ID for %q: %+v", id, err)
}
if resourceManagerId == nil {
return fmt.Errorf("unable to determine the Resource Manager ID for %s", id)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could also mean it's gone:

Suggested change
return fmt.Errorf("unable to determine the Resource Manager ID for %s", id)
return metadata.MarkAsGone(*id)

return fmt.Errorf("determining Resource Manager ID for %q: %+v", id, err)
}
if resourceManagerId == nil {
return fmt.Errorf("unable to determine the Resource Manager ID for %s", id)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(note: this should stay as it is, and not become return nil, since we'd have passed by the Read prior to calling Delete, so this'd be an inconsistency error)

@mbfrahry mbfrahry added this to the v3.104.0 milestone May 16, 2024
@mbfrahry mbfrahry merged commit 02b4634 into main May 16, 2024
32 checks passed
@mbfrahry mbfrahry deleted the f-managedhsm-key branch May 16, 2024 18:38
mbfrahry added a commit that referenced this pull request May 16, 2024
dduportal pushed a commit to jenkins-infra/azure that referenced this pull request May 20, 2024
<Actions>
<action
id="f410411e63aff4bb73a81c2aec1d373cf8a903e63b30dee2006b0030d8a94cc8">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>changes detected:&#xA;&#x9;&#34;hashicorp/azurerm&#34; updated from
&#34;3.103.1&#34; to &#34;3.104.0&#34; in file
&#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.104.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.104.0&#xA;FEATURES:&#xA;&#xA;*
New Data Source: `azurerm_elastic_san`
([#25719](https://github.com/hashicorp/terraform-provider-azurerm/issues/25719))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
New Resource - `azurerm_key_vault_managed_hardware_security_module_key`
([#25935](hashicorp/terraform-provider-azurerm#25935
Data Source - `azurerm_kubernetes_service_version` - support for the
`default_version` property
([#25953](hashicorp/terraform-provider-azurerm#25953
`network/applicationgateways` - update to use `hashicorp/go-azure-sdk`
([#25844](hashicorp/terraform-provider-azurerm#25844
`dataprotection` - update API version to `2024-04-01`
([#25882](hashicorp/terraform-provider-azurerm#25882
`databasemigration` - update API version to `2021-06-30`
([#25997](hashicorp/terraform-provider-azurerm#25997
`network/ips` - update to use `hashicorp/go-azure-sdk`
([#25905](hashicorp/terraform-provider-azurerm#25905
`network/localnetworkgateway` - update to use `hashicorp/go-azure-sdk`
([#25905](hashicorp/terraform-provider-azurerm#25905
`network/natgateway` - update to use `hashicorp/go-azure-sdk`
([#25905](hashicorp/terraform-provider-azurerm#25905
`network/networksecuritygroup` - update to use `hashicorp/go-azure-sdk`
([#25971](hashicorp/terraform-provider-azurerm#25971
`network/publicips` - update to use `hashicorp/go-azure-sdk`
([#25971](hashicorp/terraform-provider-azurerm#25971
`network/virtualwan` - update to use `hashicorp/go-azure-sdk`
([#25971](hashicorp/terraform-provider-azurerm#25971
`network/vpn` - update to use `hashicorp/go-azure-sdk`
([#25971](hashicorp/terraform-provider-azurerm#25971
`azurerm_databricks_workspace` - support for the
`default_storage_firewall_enabled` property
([#25919](hashicorp/terraform-provider-azurerm#25919
`azurerm_key_vault` - allow previously existing key vaults to continue
to manage the `contact` field prior to the `v3.93.0` conditional polling
change
([#25777](hashicorp/terraform-provider-azurerm#25777
`azurerm_linux_function_app` - support for the PowerShell `7.4`
([#25980](hashicorp/terraform-provider-azurerm#25980
`azurerm_log_analytics_cluster` - support for the value `UserAssigned`
in the `identity.type` property
([#25940](hashicorp/terraform-provider-azurerm#25940
`azurerm_pim_active_role_assignment` - remove hard dependency on the
`roleAssignmentScheduleRequests` API, so that role assignments will not
become unmanageable over time
([#25956](hashicorp/terraform-provider-azurerm#25956
`azurerm_pim_eligible_role_assignment` - remove hard dependency on the
`roleEligibilityScheduleRequests` API, so that role assignments will not
become unmanageable over time
([#25956](hashicorp/terraform-provider-azurerm#25956
`azurerm_windows_function_app` - support for the PowerShell `7.4`
([#25980](https://github.com/hashicorp/terraform-provider-azurerm/issues/25980))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* `azurerm_container_app_job` - Allow
`event_trigger_config.scale.min_executions` to be `0`
([#25931](hashicorp/terraform-provider-azurerm#25931
`azurerm_container_app_job` - update validation to allow the
`replica_retry_limit` property to be set to `0`
([#25984](hashicorp/terraform-provider-azurerm#25984
`azurerm_data_factory_trigger_custom_event` - one of
`subject_begins_with` and `subject_ends_with` no longer need to be set
([#25932](hashicorp/terraform-provider-azurerm#25932
`azurerm_kubernetes_cluster_node_pool` - prevent race condition by
checking the virtual network status when creating a node pool with a
subnet ID
([#25888](hashicorp/terraform-provider-azurerm#25888
`azurerm_postgresql_flexible_server` - fix for default `storage_tier`
value when `storage_mb` field has been changed
([#25947](hashicorp/terraform-provider-azurerm#25947
`azurerm_pim_active_role_assignment` - resolve a number of potential
crashes
([#25956](hashicorp/terraform-provider-azurerm#25956
`azurerm_pim_eligible_role_assignment` - resolve a number of potential
crashes
([#25956](hashicorp/terraform-provider-azurerm#25956
`azurerm_redis_enterprise_cluster_location_zone_support` - add `Central
India` zones support
([#26000](hashicorp/terraform-provider-azurerm#26000
`azurerm_sentinel_alert_rule_scheduled` - the
`alert_rule_template_version` property is no longer `ForceNew`
([#25688](hashicorp/terraform-provider-azurerm#25688
`azurerm_storage_sync_server_endpoint` - preventing a crashed due to
`initial_upload_policy`
([#25968](https://github.com/hashicorp/terraform-provider-azurerm/issues/25968))&#xA;&#xA;&#xA;</pre>
            </details>
        </details>
<a
href="https://infra.ci.jenkins.io/job/updatecli/job/azure/job/main/185/">Jenkins
pipeline link</a>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

Co-authored-by: Jenkins Infra Bot (updatecli) <[email protected]>
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants