From f39f883ee84e22b269dc3cd4741272b4da9b6f68 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Tue, 12 Feb 2019 17:48:11 +0100 Subject: [PATCH 1/4] key vault children: ensuring we always lookup the key vault resource id --- .../resource_arm_key_vault_access_policy.go | 2 +- azurerm/resource_arm_key_vault_certificate.go | 16 +++++++++++--- azurerm/resource_arm_key_vault_key.go | 14 +++++++++++-- azurerm/resource_arm_key_vault_secret.go | 21 ++++++++++++++++--- 4 files changed, 44 insertions(+), 9 deletions(-) diff --git a/azurerm/resource_arm_key_vault_access_policy.go b/azurerm/resource_arm_key_vault_access_policy.go index efb03addc385..1118d33fa202 100644 --- a/azurerm/resource_arm_key_vault_access_policy.go +++ b/azurerm/resource_arm_key_vault_access_policy.go @@ -217,7 +217,7 @@ func resourceArmKeyVaultAccessPolicyCreateOrDelete(d *schema.ResourceData, meta if applicationIdRaw != "" { applicationId, err2 := uuid.FromString(applicationIdRaw) if err2 != nil { - return fmt.Errorf("Error parsing Appliciation ID %q as a UUID: %+v", applicationIdRaw, err2) + return fmt.Errorf("Error parsing Application ID %q as a UUID: %+v", applicationIdRaw, err2) } accessPolicy.ApplicationID = &applicationId diff --git a/azurerm/resource_arm_key_vault_certificate.go b/azurerm/resource_arm_key_vault_certificate.go index d518fb5f5e5f..3244d2c58166 100644 --- a/azurerm/resource_arm_key_vault_certificate.go +++ b/azurerm/resource_arm_key_vault_certificate.go @@ -435,16 +435,21 @@ func keyVaultCertificateCreationRefreshFunc(ctx context.Context, client keyvault } func resourceArmKeyVaultCertificateRead(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } @@ -495,15 +500,20 @@ func resourceArmKeyVaultCertificateRead(d *schema.ResourceData, meta interface{} } func resourceArmKeyVaultCertificateDelete(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) diff --git a/azurerm/resource_arm_key_vault_key.go b/azurerm/resource_arm_key_vault_key.go index edadc32064f9..65a6f52a691d 100644 --- a/azurerm/resource_arm_key_vault_key.go +++ b/azurerm/resource_arm_key_vault_key.go @@ -223,15 +223,20 @@ func resourceArmKeyVaultKeyUpdate(d *schema.ResourceData, meta interface{}) erro } func resourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) @@ -276,15 +281,20 @@ func resourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error } func resourceArmKeyVaultKeyDelete(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) diff --git a/azurerm/resource_arm_key_vault_secret.go b/azurerm/resource_arm_key_vault_secret.go index a8f324ec5dfc..7c641ddeca72 100644 --- a/azurerm/resource_arm_key_vault_secret.go +++ b/azurerm/resource_arm_key_vault_secret.go @@ -143,16 +143,21 @@ func resourceArmKeyVaultSecretCreate(d *schema.ResourceData, meta interface{}) e } func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext log.Print("[INFO] preparing arguments for AzureRM KeyVault Secret update.") - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) @@ -206,15 +211,20 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e } func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) @@ -253,15 +263,20 @@ func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) err } func resourceArmKeyVaultSecretDelete(d *schema.ResourceData, meta interface{}) error { + keyVaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + } + ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) From 332db337b4b7a56c8b94c2b12d8b2428e9b59745 Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Tue, 12 Feb 2019 18:23:21 +0100 Subject: [PATCH 2/4] Handling resources being deleted/not existing --- azurerm/data_source_key_vault_key.go | 5 +++- azurerm/data_source_key_vault_secret.go | 6 +++- azurerm/helpers/azure/key_vault.go | 17 ++++++----- azurerm/resource_arm_key_vault_certificate.go | 22 +++++++++++---- azurerm/resource_arm_key_vault_key.go | 28 +++++++++++++++---- azurerm/resource_arm_key_vault_secret.go | 23 +++++++++++---- 6 files changed, 73 insertions(+), 28 deletions(-) diff --git a/azurerm/data_source_key_vault_key.go b/azurerm/data_source_key_vault_key.go index 9aba04b6661c..f7b39e9d16be 100644 --- a/azurerm/data_source_key_vault_key.go +++ b/azurerm/data_source_key_vault_key.go @@ -102,7 +102,10 @@ func dataSourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) erro } else { id, err := azure.GetKeyVaultIDFromBaseUrl(ctx, vaultClient, keyVaultBaseUri) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", keyVaultBaseUri, name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", keyVaultBaseUri, err) + } + if id == nil { + return fmt.Errorf("Unable to locate the Resource ID for the Key Vault at URL %q: %s", keyVaultBaseUri, err) } d.Set("key_vault_id", id) } diff --git a/azurerm/data_source_key_vault_secret.go b/azurerm/data_source_key_vault_secret.go index 02cf3a2f63cd..98ab090d01ca 100644 --- a/azurerm/data_source_key_vault_secret.go +++ b/azurerm/data_source_key_vault_secret.go @@ -86,8 +86,12 @@ func dataSourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) e } else { id, err := azure.GetKeyVaultIDFromBaseUrl(ctx, vaultClient, keyVaultBaseUri) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", keyVaultBaseUri, name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", keyVaultBaseUri, err) } + if id == nil { + return fmt.Errorf("Unable to locate the Resource ID for the Key Vault at URL %q: %s", keyVaultBaseUri, err) + } + d.Set("key_vault_id", id) } diff --git a/azurerm/helpers/azure/key_vault.go b/azurerm/helpers/azure/key_vault.go index a054b1c1ed9d..a9d7a89dd02a 100644 --- a/azurerm/helpers/azure/key_vault.go +++ b/azurerm/helpers/azure/key_vault.go @@ -41,17 +41,16 @@ func GetKeyVaultBaseUrlFromID(ctx context.Context, client keyvault.VaultsClient, return *resp.Properties.VaultURI, nil } -func GetKeyVaultIDFromBaseUrl(ctx context.Context, client keyvault.VaultsClient, keyVaultUrl string) (string, error) { - +func GetKeyVaultIDFromBaseUrl(ctx context.Context, client keyvault.VaultsClient, keyVaultUrl string) (*string, error) { list, err := client.ListComplete(ctx, utils.Int32(1000)) if err != nil { - return "", fmt.Errorf("Error GetKeyVaultId unable to list Key Vaults %v", err) + return nil, fmt.Errorf("Error GetKeyVaultId unable to list Key Vaults %v", err) } for list.NotDone() { v := list.Value() if v.ID == nil { - log.Printf("[DEBUG]GetKeyVaultId: v.ID was nil, continuing") + log.Printf("[DEBUG] GetKeyVaultId: v.ID was nil, continuing") continue } @@ -76,16 +75,16 @@ func GetKeyVaultIDFromBaseUrl(ctx context.Context, client keyvault.VaultsClient, } if keyVaultUrl == *get.Properties.VaultURI { - return *get.ID, nil + return get.ID, nil } - e := list.NextWithContext(ctx) - if e != nil { - return "", fmt.Errorf("Error GetKeyVaultId: Error getting next value on KeyVault %q (Resource Group %q): %+v", name, resourceGroup, err) + if e := list.NextWithContext(ctx); e != nil { + return nil, fmt.Errorf("Error GetKeyVaultId: Error getting next value on KeyVault %q (Resource Group %q): %+v", name, resourceGroup, err) } } - return "", fmt.Errorf("Error GetKeyVaultId unable to find Key Vault with url %q", keyVaultUrl) + // we haven't found it, but Data Sources and Resources need to handle this error separately + return nil, nil } func KeyVaultExists(ctx context.Context, client keyvault.VaultsClient, keyVaultId string) (bool, error) { diff --git a/azurerm/resource_arm_key_vault_certificate.go b/azurerm/resource_arm_key_vault_certificate.go index 3244d2c58166..7eb309105188 100644 --- a/azurerm/resource_arm_key_vault_certificate.go +++ b/azurerm/resource_arm_key_vault_certificate.go @@ -31,8 +31,12 @@ func resourceArmKeyVaultChildResourceImporter(d *schema.ResourceData, meta inter kvid, err := azure.GetKeyVaultIDFromBaseUrl(ctx, client, id.KeyVaultBaseUrl) if err != nil { - return []*schema.ResourceData{d}, fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return []*schema.ResourceData{d}, fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) } + if id == nil { + return []*schema.ResourceData{d}, fmt.Errorf("Unable to locate the Resource ID for the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + d.Set("key_vault_id", kvid) return []*schema.ResourceData{d}, nil @@ -446,10 +450,15 @@ func resourceArmKeyVaultCertificateRead(d *schema.ResourceData, meta interface{} keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + log.Printf("[DEBUG] Unable to determine the Resource ID for the Key Vault at URL %q - removing from state!", id.KeyVaultBaseUrl) + d.SetId("") + return nil } - ok, err := azure.KeyVaultExists(ctx, keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } @@ -511,10 +520,13 @@ func resourceArmKeyVaultCertificateDelete(d *schema.ResourceData, meta interface keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + return fmt.Errorf("Unable to determine the Resource ID for the Key Vault at URL %q", id.KeyVaultBaseUrl) } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } diff --git a/azurerm/resource_arm_key_vault_key.go b/azurerm/resource_arm_key_vault_key.go index 65a6f52a691d..3256fdd78ef8 100644 --- a/azurerm/resource_arm_key_vault_key.go +++ b/azurerm/resource_arm_key_vault_key.go @@ -185,16 +185,24 @@ func resourceArmKeyVaultKeyCreate(d *schema.ResourceData, meta interface{}) erro } func resourceArmKeyVaultKeyUpdate(d *schema.ResourceData, meta interface{}) error { + vaultClient := meta.(*ArmClient).keyVaultClient client := meta.(*ArmClient).keyVaultManagementClient ctx := meta.(*ArmClient).StopContext - keyVaultId := d.Get("key_vault_id").(string) id, err := azure.ParseKeyVaultChildID(d.Id()) if err != nil { return err } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, vaultClient, id.KeyVaultBaseUrl) + if err != nil { + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + return fmt.Errorf("Unable to determine the Resource ID for the Key Vault at URL %q", id.KeyVaultBaseUrl) + } + + ok, err := azure.KeyVaultExists(ctx, vaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } @@ -234,10 +242,15 @@ func resourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + log.Printf("[DEBUG] Unable to determine the Resource ID for the Key Vault at URL %q - removing from state!", id.KeyVaultBaseUrl) + d.SetId("") + return nil } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } @@ -292,10 +305,13 @@ func resourceArmKeyVaultKeyDelete(d *schema.ResourceData, meta interface{}) erro keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + return fmt.Errorf("Unable to determine the Resource ID for the Key Vault at URL %q", id.KeyVaultBaseUrl) } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } diff --git a/azurerm/resource_arm_key_vault_secret.go b/azurerm/resource_arm_key_vault_secret.go index 7c641ddeca72..cbe802a352db 100644 --- a/azurerm/resource_arm_key_vault_secret.go +++ b/azurerm/resource_arm_key_vault_secret.go @@ -155,10 +155,13 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + return fmt.Errorf("Unable to determine the Resource ID for the Key Vault at URL %q", id.KeyVaultBaseUrl) } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } @@ -222,10 +225,15 @@ func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) err keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + log.Printf("[DEBUG] Unable to determine the Resource ID for the Key Vault at URL %q - removing from state!", id.KeyVaultBaseUrl) + d.SetId("") + return nil } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } @@ -274,10 +282,13 @@ func resourceArmKeyVaultSecretDelete(d *schema.ResourceData, meta interface{}) e keyVaultId, err := azure.GetKeyVaultIDFromBaseUrl(ctx, keyVaultClient, id.KeyVaultBaseUrl) if err != nil { - return fmt.Errorf("Error unable to find key vault ID from URL %q for certificate %q: %+v", id.KeyVaultBaseUrl, id.Name, err) + return fmt.Errorf("Error retrieving the Resource ID the Key Vault at URL %q: %s", id.KeyVaultBaseUrl, err) + } + if keyVaultId == nil { + return fmt.Errorf("Unable to determine the Resource ID for the Key Vault at URL %q", id.KeyVaultBaseUrl) } - ok, err := azure.KeyVaultExists(ctx, meta.(*ArmClient).keyVaultClient, keyVaultId) + ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } From 0e52c9a334d2f051b6435850ffe7ab020919ccdf Mon Sep 17 00:00:00 2001 From: tombuildsstuff Date: Tue, 12 Feb 2019 18:33:00 +0100 Subject: [PATCH 3/4] Adding acceptance tests for the old codepaths --- ...source_arm_key_vault_access_policy_test.go | 51 ++++++++++ ...resource_arm_key_vault_certificate_test.go | 95 +++++++++++++++++++ azurerm/resource_arm_key_vault_key_test.go | 83 +++++++++++++++- azurerm/resource_arm_key_vault_secret_test.go | 73 ++++++++++++++ 4 files changed, 301 insertions(+), 1 deletion(-) diff --git a/azurerm/resource_arm_key_vault_access_policy_test.go b/azurerm/resource_arm_key_vault_access_policy_test.go index 56f27b177249..eaf01bda0512 100644 --- a/azurerm/resource_arm_key_vault_access_policy_test.go +++ b/azurerm/resource_arm_key_vault_access_policy_test.go @@ -38,6 +38,34 @@ func TestAccAzureRMKeyVaultAccessPolicy_basic(t *testing.T) { }) } +func TestAccAzureRMKeyVaultAccessPolicy_basicClassic(t *testing.T) { + resourceName := "azurerm_key_vault_access_policy.test" + rs := acctest.RandString(6) + config := testAccAzureRMKeyVaultAccessPolicy_basicClassic(rs, testLocation()) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMKeyVaultDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMKeyVaultAccessPolicyExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "key_permissions.0", "get"), + resource.TestCheckResourceAttr(resourceName, "secret_permissions.0", "get"), + resource.TestCheckResourceAttr(resourceName, "secret_permissions.1", "set"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAzureRMKeyVaultAccessPolicy_requiresImport(t *testing.T) { if !requireResourcesToBeImported { t.Skip("Skipping since resources aren't required to be imported") @@ -213,6 +241,29 @@ resource "azurerm_key_vault_access_policy" "test" { `, template) } +func testAccAzureRMKeyVaultAccessPolicy_basicClassic(rString string, location string) string { + template := testAccAzureRMKeyVaultAccessPolicy_template(rString, location) + return fmt.Sprintf(` +%s + +resource "azurerm_key_vault_access_policy" "test" { + vault_uri = "${azurerm_key_vault.test.vault_uri}" + + key_permissions = [ + "get", + ] + + secret_permissions = [ + "get", + "set", + ] + + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" +} +`, template) +} + func testAccAzureRMKeyVaultAccessPolicy_requiresImport(rString string, location string) string { template := testAccAzureRMKeyVaultAccessPolicy_basic(rString, location) return fmt.Sprintf(` diff --git a/azurerm/resource_arm_key_vault_certificate_test.go b/azurerm/resource_arm_key_vault_certificate_test.go index f1f64a025163..7b650ef47fbd 100644 --- a/azurerm/resource_arm_key_vault_certificate_test.go +++ b/azurerm/resource_arm_key_vault_certificate_test.go @@ -40,6 +40,33 @@ func TestAccAzureRMKeyVaultCertificate_basicImportPFX(t *testing.T) { }) } +func TestAccAzureRMKeyVaultCertificate_basicImportPFXClassic(t *testing.T) { + resourceName := "azurerm_key_vault_certificate.test" + rs := acctest.RandString(6) + config := testAccAzureRMKeyVaultCertificate_basicImportPFXClassic(rs, testLocation()) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMKeyVaultCertificateDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMKeyVaultCertificateExists(resourceName), + resource.TestCheckResourceAttrSet(resourceName, "certificate_data"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"certificate"}, + }, + }, + }) +} + func TestAccAzureRMKeyVaultCertificate_requiresImport(t *testing.T) { if !requireResourcesToBeImported { t.Skip("Skipping since resources aren't required to be imported") @@ -395,6 +422,74 @@ resource "azurerm_key_vault_certificate" "test" { `, rString, location, rString, rString) } +func testAccAzureRMKeyVaultCertificate_basicImportPFXClassic(rString string, location string) string { + return fmt.Sprintf(` +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%s" + location = "%s" +} + +resource "azurerm_key_vault" "test" { + name = "acctestkeyvault%s" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + + sku { + name = "standard" + } + + access_policy { + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + + certificate_permissions = [ + "delete", + "import", + "get", + ] + + key_permissions = [ + "create", + ] + + secret_permissions = [ + "set", + ] + } +} + +resource "azurerm_key_vault_certificate" "test" { + name = "acctestcert%s" + vault_uri = "${azurerm_key_vault.test.vault_uri}" + + certificate { + contents = "${base64encode(file("testdata/keyvaultcert.pfx"))}" + password = "" + } + + certificate_policy { + issuer_parameters { + name = "Self" + } + + key_properties { + exportable = true + key_size = 2048 + key_type = "RSA" + reuse_key = false + } + + secret_properties { + content_type = "application/x-pkcs12" + } + } +} +`, rString, location, rString, rString) +} + func testAccAzureRMKeyVaultCertificate_requiresImport(rString string, location string) string { template := testAccAzureRMKeyVaultCertificate_basicImportPFX(rString, location) return fmt.Sprintf(` diff --git a/azurerm/resource_arm_key_vault_key_test.go b/azurerm/resource_arm_key_vault_key_test.go index daa2579cec70..6d8266683ff6 100644 --- a/azurerm/resource_arm_key_vault_key_test.go +++ b/azurerm/resource_arm_key_vault_key_test.go @@ -39,6 +39,32 @@ func TestAccAzureRMKeyVaultKey_basicEC(t *testing.T) { }) } +func TestAccAzureRMKeyVaultKey_basicECClassic(t *testing.T) { + resourceName := "azurerm_key_vault_key.test" + rs := acctest.RandString(6) + config := testAccAzureRMKeyVaultKey_basicECClassic(rs, testLocation()) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMKeyVaultKeyDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMKeyVaultKeyExists(resourceName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"key_size"}, + }, + }, + }) +} + func TestAccAzureRMKeyVaultKey_requiresImport(t *testing.T) { if !requireResourcesToBeImported { t.Skip("Skipping since resources aren't required to be imported") @@ -373,9 +399,64 @@ resource "azurerm_key_vault" "test" { } } +resource "azurerm_key_vault_key" "test" { + name = "key-%s" + key_vault_id = "${azurerm_key_vault.test.id}" + key_type = "EC" + key_size = 2048 + + key_opts = [ + "sign", + "verify", + ] +} +`, rString, location, rString, rString) +} + +func testAccAzureRMKeyVaultKey_basicECClassic(rString string, location string) string { + return fmt.Sprintf(` +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%s" + location = "%s" +} + +resource "azurerm_key_vault" "test" { + name = "acctestkv-%s" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + + sku { + name = "premium" + } + + access_policy { + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + + key_permissions = [ + "create", + "delete", + "get", + ] + + secret_permissions = [ + "get", + "delete", + "set", + ] + } + + tags { + environment = "Production" + } +} + resource "azurerm_key_vault_key" "test" { name = "key-%s" - key_vault_id = "${azurerm_key_vault.test.id}" + vault_uri = "${azurerm_key_vault.test.vault_uri}" key_type = "EC" key_size = 2048 diff --git a/azurerm/resource_arm_key_vault_secret_test.go b/azurerm/resource_arm_key_vault_secret_test.go index f6b33121cceb..519d8bbd5312 100644 --- a/azurerm/resource_arm_key_vault_secret_test.go +++ b/azurerm/resource_arm_key_vault_secret_test.go @@ -39,6 +39,32 @@ func TestAccAzureRMKeyVaultSecret_basic(t *testing.T) { }) } +func TestAccAzureRMKeyVaultSecret_basicClassic(t *testing.T) { + resourceName := "azurerm_key_vault_secret.test" + rs := acctest.RandString(6) + config := testAccAzureRMKeyVaultSecret_basicClasic(rs, testLocation()) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMKeyVaultSecretDestroy, + Steps: []resource.TestStep{ + { + Config: config, + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMKeyVaultSecretExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "value", "rick-and-morty"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAzureRMKeyVaultSecret_requiresImport(t *testing.T) { if !requireResourcesToBeImported { t.Skip("Skipping since resources aren't required to be imported") @@ -324,6 +350,53 @@ resource "azurerm_key_vault_secret" "test" { `, rString, location, rString, rString) } +func testAccAzureRMKeyVaultSecret_basicClassic(rString string, location string) string { + return fmt.Sprintf(` +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%s" + location = "%s" +} + +resource "azurerm_key_vault" "test" { + name = "acctestkv-%s" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + + sku { + name = "premium" + } + + access_policy { + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + + key_permissions = [ + "get", + ] + + secret_permissions = [ + "get", + "delete", + "set", + ] + } + + tags { + environment = "Production" + } +} + +resource "azurerm_key_vault_secret" "test" { + name = "secret-%s" + value = "rick-and-morty" + vault_uri = "${azurerm_key_vault.test.vault_uri}" +} +`, rString, location, rString, rString) +} + func testAccAzureRMKeyVaultSecret_requiresImport(rString string, location string) string { template := testAccAzureRMKeyVaultSecret_basic(rString, location) return fmt.Sprintf(` From ad21e0f48cc16423e31bbe2bffde835e7beace97 Mon Sep 17 00:00:00 2001 From: kt Date: Tue, 12 Feb 2019 12:02:23 -0800 Subject: [PATCH 4/4] fix tests & format strings --- azurerm/resource_arm_key_vault_certificate.go | 8 ++++---- azurerm/resource_arm_key_vault_key.go | 12 ++++++------ azurerm/resource_arm_key_vault_secret.go | 12 ++++++------ azurerm/resource_arm_key_vault_secret_test.go | 2 +- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/azurerm/resource_arm_key_vault_certificate.go b/azurerm/resource_arm_key_vault_certificate.go index 7eb309105188..10f73b1f9ac2 100644 --- a/azurerm/resource_arm_key_vault_certificate.go +++ b/azurerm/resource_arm_key_vault_certificate.go @@ -460,10 +460,10 @@ func resourceArmKeyVaultCertificateRead(d *schema.ResourceData, meta interface{} ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Certificate %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Certificate %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } @@ -528,10 +528,10 @@ func resourceArmKeyVaultCertificateDelete(d *schema.ResourceData, meta interface ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Certificate %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Certificate %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Certificate %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } diff --git a/azurerm/resource_arm_key_vault_key.go b/azurerm/resource_arm_key_vault_key.go index 3256fdd78ef8..df3701fee596 100644 --- a/azurerm/resource_arm_key_vault_key.go +++ b/azurerm/resource_arm_key_vault_key.go @@ -204,10 +204,10 @@ func resourceArmKeyVaultKeyUpdate(d *schema.ResourceData, meta interface{}) erro ok, err := azure.KeyVaultExists(ctx, vaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Key %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Key %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } @@ -252,10 +252,10 @@ func resourceArmKeyVaultKeyRead(d *schema.ResourceData, meta interface{}) error ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Key %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Key %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } @@ -313,10 +313,10 @@ func resourceArmKeyVaultKeyDelete(d *schema.ResourceData, meta interface{}) erro ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Key %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Key %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Key %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } diff --git a/azurerm/resource_arm_key_vault_secret.go b/azurerm/resource_arm_key_vault_secret.go index cbe802a352db..cf54c2b1de74 100644 --- a/azurerm/resource_arm_key_vault_secret.go +++ b/azurerm/resource_arm_key_vault_secret.go @@ -163,10 +163,10 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Secret %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Secret %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } @@ -235,10 +235,10 @@ func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) err ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Secret %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Secret %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } @@ -290,10 +290,10 @@ func resourceArmKeyVaultSecretDelete(d *schema.ResourceData, meta interface{}) e ok, err := azure.KeyVaultExists(ctx, keyVaultClient, *keyVaultId) if err != nil { - return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", keyVaultId, id.Name, id.KeyVaultBaseUrl, err) + return fmt.Errorf("Error checking if key vault %q for Secret %q in Vault at url %q exists: %v", *keyVaultId, id.Name, id.KeyVaultBaseUrl, err) } if !ok { - log.Printf("[DEBUG] Secret %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, keyVaultId, id.KeyVaultBaseUrl) + log.Printf("[DEBUG] Secret %q Key Vault %q was not found in Key Vault at URI %q - removing from state", id.Name, *keyVaultId, id.KeyVaultBaseUrl) d.SetId("") return nil } diff --git a/azurerm/resource_arm_key_vault_secret_test.go b/azurerm/resource_arm_key_vault_secret_test.go index 519d8bbd5312..a088eb8bfe79 100644 --- a/azurerm/resource_arm_key_vault_secret_test.go +++ b/azurerm/resource_arm_key_vault_secret_test.go @@ -350,7 +350,7 @@ resource "azurerm_key_vault_secret" "test" { `, rString, location, rString, rString) } -func testAccAzureRMKeyVaultSecret_basicClassic(rString string, location string) string { +func testAccAzureRMKeyVaultSecret_basicClasic(rString string, location string) string { return fmt.Sprintf(` data "azurerm_client_config" "current" {}