
Fix - azurerm_api_management_named_value would not enforce secret=true when using value_from_key_vault #26150

Merged
merged 7 commits into from
Jun 4, 2024
Merged
Expand Up @@ -73,6 +73,7 @@ func resourceApiManagementNamedValue() *pluginsdk.Resource {
},
},
},
RequiredWith: []string{"secret"},
},

"value": {
Expand Down Expand Up @@ -129,6 +130,10 @@ func resourceApiManagementNamedValueCreateUpdate(d *pluginsdk.ResourceData, meta
},
}

if parameters.Properties.KeyVault != nil && (parameters.Properties.Secret == nil || !*parameters.Properties.Secret) {
return fmt.Errorf("`secret` must be true when `value_from_key_vault` is set")
}

if v, ok := d.GetOk("value"); ok {
parameters.Properties.Value = pointer.To(v.(string))
}
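Review bot: The `secret`/`value_from_key_vault` rule is enforced only inside resourceApiManagementNamedValueCreateUpdate, so a configuration with `secret = false` still passes `terraform plan` and fails at apply time. The schema-level `RequiredWith: []string{"secret"}` checks only that `secret` is present in the configuration, not that it is true. Consider expressing the comparison as a CustomizeDiff on the resource so the misconfiguration is rejected during plan, which is where a pipeline policy gate or reviewer would see it. If the check stays where it is, a one-line comment above it such as `// a Key Vault-backed named value must always be marked secret` would record the intent. The function body begins and ends outside the hunk, so what runs before this check cannot be confirmed from here.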
Expand Up @@ -6,6 +6,7 @@ package apimanagement_test
import (
"context"
"fmt"
"regexp"
"testing"

"github.com/hashicorp/go-azure-helpers/lang/pointer"
Expand Down Expand Up @@ -63,6 +64,18 @@ func TestAccApiManagementNamedValue_keyVaultSystemAssigned(t *testing.T) {
})
}

func TestAccApiManagementNamedValue_keyVaultInvalidSecretValue(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_api_management_named_value", "test")
r := ApiManagementNamedValueResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.keyVaultWithInvalidSecretValue(data),
ExpectError: regexp.MustCompile("`secret` must be true when `value_from_key_vault` is set"),
},
})
}

func TestAccApiManagementNamedValue_keyVaultUpdate(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_api_management_named_value", "test")
r := ApiManagementNamedValueResource{}
Expand Down Expand Up @@ -346,6 +359,28 @@ resource "azurerm_api_management_named_value" "test" {
`, r.keyVaultTemplate(data), data.RandomInteger)
}

func (r ApiManagementNamedValueResource) keyVaultWithInvalidSecretValue(data acceptance.TestData) string {
return fmt.Sprintf(`
%[1]s

resource "azurerm_api_management_named_value" "test" {
name = "acctestAMProperty-%[2]d"
resource_group_name = azurerm_resource_group.test.name
api_management_name = azurerm_api_management.test.name
display_name = "TestKeyVault%[2]d"
secret = false
value_from_key_vault {
secret_id = azurerm_key_vault_secret.test.id
identity_client_id = azurerm_user_assigned_identity.test.client_id
}

tags = ["tag1", "tag2"]

depends_on = [azurerm_key_vault_access_policy.test2]
}
`, r.keyVaultTemplate(data), data.RandomInteger)
}

func (r ApiManagementNamedValueResource) keyVaultSystemAssigned(data acceptance.TestData) string {
return fmt.Sprintf(`
provider "azurerm" {
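Review bot: TestAccApiManagementNamedValue_keyVaultInvalidSecretValue exercises only an explicit `secret = false`. The other guard added on this page, `RequiredWith: []string{"secret"}`, applies when `secret` is omitted and has no test step. A second config that drops the `secret` line from keyVaultWithInvalidSecretValue, with its own `ExpectError`, would keep both rejection paths from regressing unnoticed. The `ExpectError` pattern is the literal error message passed straight to `regexp.MustCompile`; it has no metacharacters today, but wrapping it in `regexp.QuoteMeta` would keep the match exact if the message later gains punctuation such as parentheses.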
2 changes: 1 addition & 1 deletion website/docs/r/api_management_named_value.html.markdown
Expand Up @@ -51,7 +51,7 @@ The following arguments are supported:

* `value` - (Optional) The value of this API Management Named Value.

* `value_from_key_vault` - (Optional) A `value_from_key_vault` block as defined below.
* `value_from_key_vault` - (Optional) A `value_from_key_vault` block as defined below. If specified, `secret` must also be set to `true`.

* `secret` - (Optional) Specifies whether the API Management Named Value is secret. Valid values are `true` or `false`. The default value is `false`.
