From ad07dd06ace9cf282f4ff1d94fc2ddb68ec7eb4a Mon Sep 17 00:00:00 2001 From: Matthew Date: Tue, 25 Jun 2024 15:58:57 -0700 Subject: [PATCH 1/6] Start of adding key support --- ...er_transparent_data_encryption_resource.go | 66 +++++++++++++++++-- 1 file changed, 59 insertions(+), 7 deletions(-) diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go index 42e38c1c825d..52ab49a6086a 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go @@ -14,10 +14,13 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/clients" keyVaultParser "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/parse" keyVaultValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/validate" + mhsmParser "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/parse" + "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/migration" "github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/parse" mssqlValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" + "github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation" "github.com/hashicorp/terraform-provider-azurerm/internal/timeouts" "github.com/hashicorp/terraform-provider-azurerm/utils" ) 
@@ -56,9 +59,17 @@ func resourceMsSqlTransparentDataEncryption() *pluginsdk.Resource { }, "key_vault_key_id": { - Type: pluginsdk.TypeString, - Optional: true, - ValidateFunc: keyVaultValidate.NestedItemId, + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: keyVaultValidate.NestedItemId, + ConflictsWith: []string{"managed_hsm_key_id"}, + }, + + "managed_hsm_key_id": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.Any(validate.ManagedHSMDataPlaneVersionedKeyID, validate.ManagedHSMDataPlaneVersionlessKeyID), + ConflictsWith: []string{"key_vault_id"}, }, "auto_rotation_enabled": { @@ -94,10 +105,8 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat serverKeyName := "" serverKeyType := sql.ServerKeyTypeServiceManaged - keyVaultKeyId := strings.TrimSpace(d.Get("key_vault_key_id").(string)) - - // If it has content, then we assume it's a key vault key id - if keyVaultKeyId != "" { + if v, ok := d.GetOk("key_vault_id"); ok { + keyVaultKeyId := strings.TrimSpace(v.(string)) // Update the server key type to AKV serverKeyType = sql.ServerKeyTypeAzureKeyVault 
@@ -136,6 +145,49 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat } } + if v, ok := d.GetOk("managed_hsm_key_id"); ok { + mhsmKeyId := strings.TrimSpace(v.(string)) + // Update the server key type to AKV + serverKeyType = sql.ServerKeyTypeAzureKeyVault + + // Set the SQL Server Key properties z + serverKeyProperties := sql.ServerKeyProperties{ + ServerKeyType: serverKeyType, + URI: &mhsmKeyId, + AutoRotationEnabled: utils.Bool(d.Get("auto_rotation_enabled").(bool)), + } + serverKey.ServerKeyProperties = &serverKeyProperties + + keyName := "" + keyVersion := "" + keyVaultURI := "" + + // Make sure it's a key, if not, throw an error + if keyId, err := mhsmParser.ManagedHSMDataPlaneVersionedKeyID(mhsmKeyId, nil); err != nil { + keyName = keyId.KeyName + keyVersion = keyId.KeyVersion + keyVaultURI = keyId.BaseUri() + } else if keyId, err := mhsmParser.ManagedHSMDataPlaneVersionlessKeyID(mhsmKeyId, nil); err != nil { + keyName = keyId.KeyName + keyVersion = "" + keyVaultURI = keyId.BaseUri() + } else { + return fmt.Errorf("failed to parse '%s' as HSM key ID", mhsmKeyId) + } + + // Extract the vault name from the keyvault base url + idURL, err := url.ParseRequestURI(keyVaultURI) + if err != nil { + return fmt.Errorf("unable to parse key vault hostname: %s", keyVaultURI) + } + + hostParts := strings.Split(idURL.Host, ".") + vaultName := hostParts[0] + + // Create the key path for the Encryption Protector. Format is: {vaultname}_{key}_{key_version} + serverKeyName = fmt.Sprintf("%s_%s_%s", vaultName, keyName, keyVersion) + } + // Service managed doesn't require a key name encryptionProtectorProperties := sql.EncryptionProtectorProperties{ ServerKeyType: serverKeyType, From 19e071fad1b15697270e2602483cd730ef4cd7b3 Mon Sep 17 00:00:00 2001 
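Review bot: The two parse branches in the added Managed HSM block are inverted: `if keyId, err := mhsmParser.ManagedHSMDataPlaneVersionedKeyID(mhsmKeyId, nil); err != nil { keyName = keyId.KeyName ...` only runs when parsing failed (where `keyId` is presumably nil and will be dereferenced), while a valid ID falls through both branches to the final `else` and is rejected with "failed to parse". Both conditions should be `err == nil`, or the code should parse once and return early on error. Two comments in the block also need attention: `// Set the SQL Server Key properties z` has a stray `z`, and `// Update the server key type to AKV` should say why an HSM key is sent under that type, e.g. `// Managed HSM keys are registered with SQL under the AzureKeyVault server key type`. The enclosing CreateUpdate function starts and ends outside this hunk.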
From: Matthew Date: Tue, 25 Jun 2024 16:43:08 -0700 Subject: [PATCH 2/6] Finish support keys --- .../mssql/mssql_server_transparent_data_encryption_resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go index 52ab49a6086a..fdf7f85e9bbd 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go @@ -69,7 +69,7 @@ func resourceMsSqlTransparentDataEncryption() *pluginsdk.Resource { Type: pluginsdk.TypeString, Optional: true, ValidateFunc: validation.Any(validate.ManagedHSMDataPlaneVersionedKeyID, validate.ManagedHSMDataPlaneVersionlessKeyID), - ConflictsWith: []string{"key_vault_id"}, + ConflictsWith: []string{"key_vault_key_id"}, }, "auto_rotation_enabled": { From c58b94d82db806de4fdaf148f8710631f5f22737 Mon Sep 17 00:00:00 2001 From: Matthew Date: Wed, 26 Jun 2024 17:42:43 -0700 Subject: [PATCH 3/6] add a test and docs --- ...er_transparent_data_encryption_resource.go | 47 +++-- ...ansparent_data_encryption_resource_test.go | 188 ++++++++++++++++++ 2 files changed, 213 insertions(+), 22 deletions(-) diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go index fdf7f85e9bbd..7e590ae9516b 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go @@ -5,6 +5,7 @@ package mssql import ( "fmt" + managedHsmHelpers "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/helpers" "log" "net/url" "strings" 
@@ -20,7 +21,6 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/parse" mssqlValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" - "github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation" "github.com/hashicorp/terraform-provider-azurerm/internal/timeouts" "github.com/hashicorp/terraform-provider-azurerm/utils" ) @@ -68,7 +68,7 @@ func resourceMsSqlTransparentDataEncryption() *pluginsdk.Resource { "managed_hsm_key_id": { Type: pluginsdk.TypeString, Optional: true, - ValidateFunc: validation.Any(validate.ManagedHSMDataPlaneVersionedKeyID, validate.ManagedHSMDataPlaneVersionlessKeyID), + ValidateFunc: validate.ManagedHSMDataPlaneVersionedKeyID, ConflictsWith: []string{"key_vault_key_id"}, }, 
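Review bot: Tightening `ValidateFunc` to `validate.ManagedHSMDataPlaneVersionedKeyID` means a versionless Managed HSM key ID is now rejected at plan time, but nothing in this series tells the user that: the schema field has no `Description` and the website text added later only says "provide the Managed HSM Key ID". Since `auto_rotation_enabled` sits right below and users may expect to pair rotation with a versionless ID, the documentation should state the requirement explicitly, e.g. `* managed_hsm_key_id - (Optional) The versioned ID of a Managed HSM key to use as the TDE protector. Versionless IDs are not accepted.` The schema block continues outside this hunk.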
@@ -158,34 +158,23 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat } serverKey.ServerKeyProperties = &serverKeyProperties - keyName := "" - keyVersion := "" - keyVaultURI := "" - // Make sure it's a key, if not, throw an error - if keyId, err := mhsmParser.ManagedHSMDataPlaneVersionedKeyID(mhsmKeyId, nil); err != nil { - keyName = keyId.KeyName - keyVersion = keyId.KeyVersion - keyVaultURI = keyId.BaseUri() - } else if keyId, err := mhsmParser.ManagedHSMDataPlaneVersionlessKeyID(mhsmKeyId, nil); err != nil { - keyName = keyId.KeyName - keyVersion = "" - keyVaultURI = keyId.BaseUri() - } else { + keyId, err := mhsmParser.ManagedHSMDataPlaneVersionedKeyID(mhsmKeyId, nil) + if err != nil { return fmt.Errorf("failed to parse '%s' as HSM key ID", mhsmKeyId) } // Extract the vault name from the keyvault base url - idURL, err := url.ParseRequestURI(keyVaultURI) + idURL, err := url.ParseRequestURI(keyId.BaseUri()) if err != nil { - return fmt.Errorf("unable to parse key vault hostname: %s", keyVaultURI) + return fmt.Errorf("unable to parse key vault hostname: %s", keyId.BaseUri()) } hostParts := strings.Split(idURL.Host, ".") vaultName := hostParts[0] // Create the key path for the Encryption Protector. Format is: {vaultname}_{key}_{key_version} - serverKeyName = fmt.Sprintf("%s_%s_%s", vaultName, keyName, keyVersion) + serverKeyName = fmt.Sprintf("%s_%s_%s", vaultName, keyId.KeyName, keyId.KeyVersion) } // Service managed doesn't require a key name @@ -231,6 +220,7 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat func resourceMsSqlTransparentDataEncryptionRead(d *pluginsdk.ResourceData, meta interface{}) error { encryptionProtectorClient := meta.(*clients.Client).MSSQL.EncryptionProtectorClient + env := meta.(*clients.Client).Account.Environment ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d) defer cancel() 
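Review bot: The error path after the rewritten parse call discards the underlying error: `return fmt.Errorf("failed to parse '%s' as HSM key ID", mhsmKeyId)` should be `return fmt.Errorf("parsing %q as a Managed HSM key ID: %w", mhsmKeyId, err)` so the parser's reason reaches the user. The parser is also called with a nil second argument here, whereas the Read side (later in this patch) classifies the URI against `env`; if a nil suffix disables host-suffix checking in the parser (I cannot tell from this hunk), a URI on an arbitrary host would pass validation and be handed to SQL as the encryption protector, so passing the environment-derived Managed HSM suffix on both paths would keep Create and Read consistent. A short comment on the `vaultName := hostParts[0]` line, e.g. `// SQL names the server key {hsmName}_{key}_{version}; the HSM name is the first DNS label of the key URI`, would make the naming contract visible. The enclosing CreateUpdate function starts and ends outside this hunk.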
@@ -254,13 +244,13 @@ func resourceMsSqlTransparentDataEncryptionRead(d *pluginsdk.ResourceData, meta log.Printf("[INFO] Encryption protector key type is %s", resp.EncryptionProtectorProperties.ServerKeyType) - keyVaultKeyId := "" + keyId := "" autoRotationEnabled := false // Only set the key type if it's an AKV key. For service managed, we can omit the setting the key_vault_key_id if resp.EncryptionProtectorProperties != nil && resp.EncryptionProtectorProperties.ServerKeyType == sql.ServerKeyTypeAzureKeyVault { log.Printf("[INFO] Setting Key Vault URI to %s", *resp.EncryptionProtectorProperties.URI) - keyVaultKeyId = *resp.EncryptionProtectorProperties.URI + keyId = *resp.EncryptionProtectorProperties.URI // autoRotation is only for AKV keys if resp.EncryptionProtectorProperties.AutoRotationEnabled != nil { @@ -268,8 +258,21 @@ func resourceMsSqlTransparentDataEncryptionRead(d *pluginsdk.ResourceData, meta } } - if err := d.Set("key_vault_key_id", keyVaultKeyId); err != nil { - return fmt.Errorf("setting `key_vault_key_id`: %+v", err) + if keyId != "" { + isHSMURI, err, _, _ := managedHsmHelpers.IsManagedHSMURI(env, keyId) + if err != nil { + return err + } + + if isHSMURI { + if err := d.Set("managed_hsm_key_id", keyId); err != nil { + return fmt.Errorf("setting `managed_hsm_key_id`: %+v", err) + } + } else { + if err := d.Set("key_vault_key_id", keyId); err != nil { + return fmt.Errorf("setting `key_vault_key_id`: %+v", err) + } + } } if err := d.Set("auto_rotation_enabled", autoRotationEnabled); err != nil { diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go index a8d10d3ded59..e10fe9af1352 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go 
@@ -33,6 +33,21 @@ func TestAccMsSqlServerTransparentDataEncryption_keyVault(t *testing.T) { }) } +func TestAccMsSqlServerTransparentDataEncryption_managedHSM(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_mssql_server_transparent_data_encryption", "test") + r := MsSqlServerTransparentDataEncryptionResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.managedHSM(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccMsSqlServerTransparentDataEncryption_autoRotate(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_mssql_server_transparent_data_encryption", "test") r := MsSqlServerTransparentDataEncryptionResource{} @@ -180,6 +195,17 @@ resource "azurerm_mssql_server_transparent_data_encryption" "test" { `, r.baseKeyVault(data)) } +func (r MsSqlServerTransparentDataEncryptionResource) managedHSM(data acceptance.TestData) string { + return fmt.Sprintf(` +%s + +resource "managed_hsm_key_id" "test" { + server_id = azurerm_mssql_server.test.id + managed_hsm_key_id = azurerm_key_vault_managed_hardware_security_module_key.test.versioned_id +} +`, r.withManagedHSM(data)) +} + func (r MsSqlServerTransparentDataEncryptionResource) autoRotate(data acceptance.TestData) string { return fmt.Sprintf(` %s 
@@ -233,3 +259,165 @@ resource "azurerm_mssql_server" "test" { } `, data.RandomInteger, data.Locations.Primary) } + +func (r MsSqlServerTransparentDataEncryptionResource) withManagedHSM(data acceptance.TestData) string { + return fmt.Sprintf(` +%s + +resource "azurerm_key_vault" "test" { + name = "acc%[2]s" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "standard" + soft_delete_retention_days = 7 + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + key_permissions = [ + "Create", + "Delete", + "Get", + "Purge", + "Recover", + "Update", + "GetRotationPolicy", + ] + secret_permissions = [ + "Delete", + "Get", + "Set", + ] + certificate_permissions = [ + "Create", + "Delete", + "DeleteIssuers", + "Get", + "Purge", + "Update" + ] + } + tags = { + environment = "Production" + } +} +resource "azurerm_key_vault_certificate" "cert" { + count = 3 + name = "acchsmcert${count.index}" + key_vault_id = azurerm_key_vault.test.id + certificate_policy { + issuer_parameters { + name = "Self" + } + key_properties { + exportable = true + key_size = 2048 + key_type = "RSA" + reuse_key = true + } + lifetime_action { + action { + action_type = "AutoRenew" + } + trigger { + days_before_expiry = 30 + } + } + secret_properties { + content_type = "application/x-pkcs12" + } + x509_certificate_properties { + extended_key_usage = [] + key_usage = [ + "cRLSign", + "dataEncipherment", + "digitalSignature", + "keyAgreement", + "keyCertSign", + "keyEncipherment", + ] + subject = "CN=hello-world" + validity_in_months = 12 + } + } +} + +resource "azurerm_key_vault_managed_hardware_security_module" "test" { + name = "kvHsm%[2]s" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + sku_name = "Standard_B1" + tenant_id = 
data.azurerm_client_config.current.tenant_id + admin_object_ids = [data.azurerm_client_config.current.object_id] + purge_protection_enabled = false + + security_domain_key_vault_certificate_ids = [for cert in azurerm_key_vault_certificate.cert : cert.id] + security_domain_quorum = 3 +} + +resource "azurerm_user_assigned_identity" "test" { + name = "acctestmi%[2]s" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name +} + +resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test" { + vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad22" + scope = "/keys" + role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" + principal_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test1" { + vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23" + scope = "/keys" + role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778" + principal_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "user" { + vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad20" + scope = "/keys" + role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" + principal_id = azurerm_user_assigned_identity.test.principal_id +} + +resource "azurerm_key_vault_managed_hardware_security_module_key" "test" { + name = "acctestHSMK-%[2]s" + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id + key_type = "RSA-HSM" + 
key_size = 2048 + key_opts = ["unwrapKey", "wrapKey"] + + depends_on = [ + azurerm_key_vault_managed_hardware_security_module_role_assignment.test, + azurerm_key_vault_managed_hardware_security_module_role_assignment.test1 + ] +} + +resource "azurerm_mssql_server" "test" { + name = "acctestsqlserver-%[2]s" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + identity { + type = "SystemAssigned, UserAssigned" + identity_ids = [ + azurerm_user_assigned_identity.test.id, + ] + } + + primary_user_assigned_identity_id = azurerm_user_assigned_identity.test.id + + lifecycle { + ignore_changes = [transparent_data_encryption_key_vault_key_id] + } +} +`, r.server(data), data.RandomStringOfLength(5)) +} From 4ed3067308c442be705f2b5030e415bd67f40856 Mon Sep 17 00:00:00 2001 From: Matthew Date: Thu, 27 Jun 2024 09:59:12 -0700 Subject: [PATCH 4/6] lint --- ...l_server_transparent_data_encryption_resource.go | 2 +- ...ver_transparent_data_encryption_resource_test.go | 13 +++++++++++-- ...stance_transparent_data_encryption.html.markdown | 2 ++ 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go index 7e590ae9516b..66cee509741f 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go @@ -5,7 +5,6 @@ package mssql import ( "fmt" - managedHsmHelpers "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/helpers" "log" "net/url" "strings" 
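Review bot: The fixture orders the HSM key after the `test` and `test1` role assignments (`depends_on`), but nothing orders the TDE resource after `azurerm_key_vault_managed_hardware_security_module_role_assignment.user`, which is the assignment that gives the SQL server's user-assigned identity access to the key; unless the provider sequences this implicitly, the encryption protector can be set before the identity is allowed to wrap/unwrap and the test becomes timing-dependent. Adding `azurerm_key_vault_managed_hardware_security_module_role_assignment.user` to the key's `depends_on` list closes that gap. Separately, all three assignments use `scope = "/keys"`, which covers every key in the HSM; that is tolerable for a fixture, but since this config doubles as the reference for how to wire Managed HSM TDE, a comment such as `# /keys grants access to all keys in the HSM; production should scope to /keys/<key-name>` would steer users toward least privilege.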
@@ -15,6 +14,7 @@ import ( "github.com/hashicorp/terraform-provider-azurerm/internal/clients" keyVaultParser "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/parse" keyVaultValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault/validate" + managedHsmHelpers "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/helpers" mhsmParser "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/parse" "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/validate" "github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/migration" diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go index e10fe9af1352..fb743741fdc0 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go @@ -262,7 +262,16 @@ resource "azurerm_mssql_server" "test" { func (r MsSqlServerTransparentDataEncryptionResource) withManagedHSM(data acceptance.TestData) string { return fmt.Sprintf(` -%s +provider "azurerm" { + features {} +} + +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-mssql-%[2]s" + location = "%[1]s" +} resource "azurerm_key_vault" "test" { name = "acc%[2]s" @@ -419,5 +428,5 @@ resource "azurerm_mssql_server" "test" { ignore_changes = [transparent_data_encryption_key_vault_key_id] } } -`, r.server(data), data.RandomStringOfLength(5)) +`, data.Locations.Primary, data.RandomStringOfLength(5)) } diff --git a/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown b/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown index 2e6803e8b40e..3beb2b207c7c 100644 
--- a/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown +++ b/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown @@ -187,6 +187,8 @@ The following arguments are supported: * `key_vault_key_id` - (Optional) To use customer managed keys from Azure Key Vault, provide the AKV Key ID. To use service managed keys, omit this field. +* `managed_hsm_key_id` - (Optional) To use customer managed keys from a managed HSM, provide the Managed HSM Key ID. To use service managed keys, omit this field. + ~> **NOTE:** In order to use customer managed keys, the identity of the MSSQL Managed Instance must have the following permissions on the key vault: 'get', 'wrapKey' and 'unwrapKey' ~> **NOTE:** If `managed_instance_id` denotes a secondary instance deployed for disaster recovery purposes, then the `key_vault_key_id` should be the same key used for the primary instance's transparent data encryption. Both primary and secondary instances should be encrypted with same key material. From a308fa02efed27df2673a7272c33feab4b9e090c Mon Sep 17 00:00:00 2001 From: Matthew Date: Thu, 27 Jun 2024 11:08:20 -0700 Subject: [PATCH 5/6] Fix tests --- .../mssql/mssql_server_transparent_data_encryption_resource.go | 2 +- .../mssql_server_transparent_data_encryption_resource_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go index 66cee509741f..5fa71825c01a 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go 
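Review bot: The new `managed_hsm_key_id` argument is documented in `mssql_managed_instance_transparent_data_encryption.html.markdown`, but every code hunk in this series changes `azurerm_mssql_server_transparent_data_encryption`, and no hunk touches that resource's documentation page; unless the managed-instance resource also gained this argument elsewhere, the line is on the wrong page and the server resource page is left undocumented. The existing NOTE below it also describes Key Vault access-policy permissions (`get`, `wrapKey`, `unwrapKey`), which do not apply to a Managed HSM, where access is granted through HSM local RBAC role assignments as the acceptance test does. A companion note along the lines of `~> **NOTE:** When using managed_hsm_key_id, the server's identity must hold a Managed HSM local RBAC role that permits get, wrapKey and unwrapKey on the key; a versioned key ID is required.` would prevent the most common setup failure.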
@@ -105,7 +105,7 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat serverKeyName := "" serverKeyType := sql.ServerKeyTypeServiceManaged - if v, ok := d.GetOk("key_vault_id"); ok { + if v, ok := d.GetOk("key_vault_key_id"); ok { keyVaultKeyId := strings.TrimSpace(v.(string)) // Update the server key type to AKV serverKeyType = sql.ServerKeyTypeAzureKeyVault diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go index fb743741fdc0..f0df04775ab0 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource_test.go @@ -199,7 +199,7 @@ func (r MsSqlServerTransparentDataEncryptionResource) managedHSM(data acceptance return fmt.Sprintf(` %s -resource "managed_hsm_key_id" "test" { +resource "azurerm_mssql_server_transparent_data_encryption" "test" { server_id = azurerm_mssql_server.test.id managed_hsm_key_id = azurerm_key_vault_managed_hardware_security_module_key.test.versioned_id } From 8a2513424df1d9d7428e84954efadb03c66f309a Mon Sep 17 00:00:00 2001 From: Matthew Date: Thu, 27 Jun 2024 14:07:25 -0700 Subject: [PATCH 6/6] Fix TestAccMsSqlServerTransparentDataEncryption_update --- ...er_transparent_data_encryption_resource.go | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go index 5fa71825c01a..eb458f612501 100644 --- a/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go +++ b/internal/services/mssql/mssql_server_transparent_data_encryption_resource.go 
@@ -258,6 +258,8 @@ func resourceMsSqlTransparentDataEncryptionRead(d *pluginsdk.ResourceData, meta } } + hsmKey := "" + keyVaultKeyId := "" if keyId != "" { isHSMURI, err, _, _ := managedHsmHelpers.IsManagedHSMURI(env, keyId) if err != nil { @@ -265,16 +267,21 @@ func resourceMsSqlTransparentDataEncryptionRead(d *pluginsdk.ResourceData, meta } if isHSMURI { - if err := d.Set("managed_hsm_key_id", keyId); err != nil { - return fmt.Errorf("setting `managed_hsm_key_id`: %+v", err) - } + hsmKey = keyId } else { - if err := d.Set("key_vault_key_id", keyId); err != nil { - return fmt.Errorf("setting `key_vault_key_id`: %+v", err) - } + keyVaultKeyId = keyId + } } + if err := d.Set("managed_hsm_key_id", hsmKey); err != nil { + return fmt.Errorf("setting `managed_hsm_key_id`: %+v", err) + } + + if err := d.Set("key_vault_key_id", keyVaultKeyId); err != nil { + return fmt.Errorf("setting `key_vault_key_id`: %+v", err) + } + if err := d.Set("auto_rotation_enabled", autoRotationEnabled); err != nil { return fmt.Errorf("setting `auto_rotation_enabled`: %+v", err) }
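Review bot: The `if err != nil { return err }` after `managedHsmHelpers.IsManagedHSMURI(env, keyId)` returns the helper's error with no indication that Read was classifying the encryption-protector URI, so a user would see an opaque failure on every refresh; `return fmt.Errorf("determining whether encryption protector URI %q is a Managed HSM key: %w", keyId, err)` keeps the context. The value written into `managed_hsm_key_id` is taken verbatim from the API response, while the schema validator (changed earlier in this series) accepts only versioned IDs; if the service ever returns the URI in a different form than the one configured (I cannot tell from here whether it normalizes), the stored value would fail validation on the next plan, which is worth a comment or a normalization step. The enclosing Read function starts outside this hunk.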