diff --git a/azurerm/data_source_key_vault.go b/azurerm/data_source_key_vault.go
index 5bbcae0df4e1..cdf7f5f98a16 100644
--- a/azurerm/data_source_key_vault.go
+++ b/azurerm/data_source_key_vault.go
@@ -87,6 +87,13 @@ func dataSourceArmKeyVault() *schema.Resource {
 Type: schema.TypeString,
 },
 },
+"storage_permissions": {
+Type: schema.TypeList,
+Computed: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+},
+},
 },
 },
 },
diff --git a/azurerm/helpers/azure/key_vault_access_policy.go b/azurerm/helpers/azure/key_vault_access_policy.go
index 270b72773910..1720d252cecb 100644
--- a/azurerm/helpers/azure/key_vault_access_policy.go
+++ b/azurerm/helpers/azure/key_vault_access_policy.go
@@ -87,6 +87,32 @@ func SchemaKeyVaultSecretPermissions() *schema.Schema {
 }
 }
 
+func SchemaKeyVaultStoragePermissions() *schema.Schema {
+return &schema.Schema{
+Type: schema.TypeList,
+Optional: true,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice([]string{
+string(keyvault.StoragePermissionsBackup),
+string(keyvault.StoragePermissionsDelete),
+string(keyvault.StoragePermissionsDeletesas),
+string(keyvault.StoragePermissionsGet),
+string(keyvault.StoragePermissionsGetsas),
+string(keyvault.StoragePermissionsList),
+string(keyvault.StoragePermissionsListsas),
+string(keyvault.StoragePermissionsPurge),
+string(keyvault.StoragePermissionsRecover),
+string(keyvault.StoragePermissionsRegeneratekey),
+string(keyvault.StoragePermissionsRestore),
+string(keyvault.StoragePermissionsSet),
+string(keyvault.StoragePermissionsSetsas),
+string(keyvault.StoragePermissionsUpdate),
+}, false),
+},
+}
+}
+
 func ExpandKeyVaultAccessPolicies(input []interface{}) (*[]keyvault.AccessPolicyEntry, error) {
 output := make([]keyvault.AccessPolicyEntry, 0)
 
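Review bot: `SchemaKeyVaultStoragePermissions` is a new exported function with no doc comment, and the one thing a caller needs to know is not obvious from the code: `validation.StringInSlice(..., false)` matches case-sensitively, so only the exact lowercase SDK spellings (`deletesas`, `regeneratekey`, `setsas`, …) are accepted, unlike the mixed-case `unwrapKey`/`wrapKey` values the key permission list documents. I would add `// SchemaKeyVaultStoragePermissions returns the schema for an access_policy's storage_permissions list; values are validated case-sensitively against the SDK's StoragePermissions constants, which are all lowercase (e.g. "regeneratekey", "setsas").` above the function. Since several of these names appear to grant key-rotation and SAS-issuance rights on the managed storage account, the resource docs should also point at the Azure reference for each permission so users can scope policies to least privilege deliberately rather than copying the test fixtures. The sibling Schema* functions presumably have the same doc gap, but only the new one is visible in this hunk.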
@@ -96,12 +122,14 @@ func ExpandKeyVaultAccessPolicies(input []interface{}) (*[]keyvault.AccessPolicy
 certificatePermissionsRaw := policyRaw["certificate_permissions"].([]interface{})
 keyPermissionsRaw := policyRaw["key_permissions"].([]interface{})
 secretPermissionsRaw := policyRaw["secret_permissions"].([]interface{})
+storagePermissionsRaw := policyRaw["storage_permissions"].([]interface{})
 
 policy := keyvault.AccessPolicyEntry{
 Permissions: &keyvault.Permissions{
 Certificates: ExpandCertificatePermissions(certificatePermissionsRaw),
 Keys: ExpandKeyPermissions(keyPermissionsRaw),
 Secrets: ExpandSecretPermissions(secretPermissionsRaw),
+Storage: ExpandStoragePermissions(storagePermissionsRaw),
 },
 }
 
@@ -152,6 +180,9 @@ func FlattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []map
 secrets := FlattenSecretPermissions(permissions.Secrets)
 policyRaw["secret_permissions"] = secrets
+
+storage := FlattenStoragePermissions(permissions.Storage)
+policyRaw["storage_permissions"] = storage
 }
 
 result = append(result, policyRaw)
 
@@ -224,3 +255,25 @@ func FlattenSecretPermissions(input *[]keyvault.SecretPermissions) []interface{}
 
 return output
 }
+
+func ExpandStoragePermissions(input []interface{}) *[]keyvault.StoragePermissions {
+output := make([]keyvault.StoragePermissions, 0)
+
+for _, permission := range input {
+output = append(output, keyvault.StoragePermissions(permission.(string)))
+}
+
+return &output
+}
+
+func FlattenStoragePermissions(input *[]keyvault.StoragePermissions) []interface{} {
+output := make([]interface{}, 0)
+
+if input != nil {
+for _, storagePermission := range *input {
+output = append(output, string(storagePermission))
+}
+}
+
+return output
+}
diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go
index e02881b42292..f67dd065e559 100644
--- a/azurerm/resource_arm_key_vault.go
+++ b/azurerm/resource_arm_key_vault.go
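Review bot: The new `storagePermissionsRaw := policyRaw["storage_permissions"].([]interface{})` is an unchecked type assertion on a map key that, before this commit, no caller of the exported `ExpandKeyVaultAccessPolicies` had to supply; if any other code path builds `policyRaw` without a `storage_permissions` entry, the lookup yields nil and the assertion panics the provider. It is safe for `azurerm_key_vault` itself, where the schema guarantees the key, but the helper cannot know who calls it, and `storagePermissionsRaw, _ := policyRaw["storage_permissions"].([]interface{})` degrades to an empty list that `ExpandStoragePermissions` already handles. Worth documenting on the resource as well: because `ExpandStoragePermissions` always returns a non-nil (possibly empty) slice, a policy that omits `storage_permissions` sends an empty list, which presumably clears any storage permissions granted to that principal outside Terraform on the next apply. The enclosing function starts outside this hunk.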
@@ -105,6 +105,7 @@ func resourceArmKeyVault() *schema.Resource {
 "certificate_permissions": azure.SchemaKeyVaultCertificatePermissions(),
 "key_permissions": azure.SchemaKeyVaultKeyPermissions(),
 "secret_permissions": azure.SchemaKeyVaultSecretPermissions(),
+"storage_permissions": azure.SchemaKeyVaultStoragePermissions(),
 },
 },
 },
diff --git a/azurerm/resource_arm_key_vault_certificate_test.go b/azurerm/resource_arm_key_vault_certificate_test.go
index f52ef5c45b9a..b89f7769f414 100644
--- a/azurerm/resource_arm_key_vault_certificate_test.go
+++ b/azurerm/resource_arm_key_vault_certificate_test.go
@@ -458,6 +458,10 @@ resource "azurerm_key_vault" "test" {
 secret_permissions = [
 "set",
 ]
+
+storage_permissions = [
+"set",
+]
 }
 }
 
@@ -560,6 +564,10 @@ resource "azurerm_key_vault" "test" {
 secret_permissions = [
 "set",
 ]
+
+storage_permissions = [
+"set",
+]
 }
 }
 
@@ -648,6 +656,10 @@ resource "azurerm_key_vault" "test" {
 secret_permissions = [
 "set",
 ]
+
+storage_permissions = [
+"set",
+]
 }
 }
 
@@ -835,6 +847,10 @@ resource "azurerm_key_vault" "test" {
 secret_permissions = [
 "set",
 ]
+
+storage_permissions = [
+"set",
+]
 }
 }
 
diff --git a/azurerm/resource_arm_key_vault_migration_test.go b/azurerm/resource_arm_key_vault_migration_test.go
index b8ede42dba76..46be91a85535 100644
--- a/azurerm/resource_arm_key_vault_migration_test.go
+++ b/azurerm/resource_arm_key_vault_migration_test.go
@@ -35,6 +35,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "Get",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -47,6 +48,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "Get",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_certificates": {
@@ -63,6 +65,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "Get",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -86,6 +89,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "Get",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_certificates_multiple": {
@@ -104,6 +108,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "Get",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -127,6 +132,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "Get",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_keys": {
@@ -142,6 +148,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "All",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
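Review bot: In the hunks that sit just before an `Expected:` line (`@@ -63`, `@@ -104`, `@@ -142` here), the added `"access_policy.0.storage_permissions.#": "0"` lands in the pre-migration attribute map, so the fixtures now describe a state the previous provider version could not have written, since it had no `storage_permissions` attribute. If the purpose of `TestAzureRMKeyVaultMigrateState` is to exercise the real upgrade path, the key should appear only in the `Expected` maps (assuming the migration function emits it), or the input should stay without it and the test should assert that such a state still migrates cleanly; as written, the absent-key case is no longer covered. The migration function is not in this diff, so whether it needs a change to populate the `#` entry is inferred, not confirmed. The enclosing test function starts outside this hunk.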
@@ -168,6 +175,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.15": "wrapKey",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_keys_multiple": {
@@ -185,6 +193,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.1": "create",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -211,6 +220,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.15": "wrapKey",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "Get",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_secrets": {
@@ -226,6 +236,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "create",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "All",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -244,6 +255,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.secret_permissions.5": "recover",
 "access_policy.0.secret_permissions.6": "restore",
 "access_policy.0.secret_permissions.7": "set",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_secrets_multiple": {
@@ -261,6 +273,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.secret_permissions.#": "2",
 "access_policy.0.secret_permissions.0": "backup",
 "access_policy.0.secret_permissions.1": "all",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -279,6 +292,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.secret_permissions.5": "recover",
 "access_policy.0.secret_permissions.6": "restore",
 "access_policy.0.secret_permissions.7": "set",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 "v0_1_all": {
@@ -295,6 +309,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.key_permissions.0": "all",
 "access_policy.0.secret_permissions.#": "1",
 "access_policy.0.secret_permissions.0": "all",
+"access_policy.0.storage_permissions.#": "0",
 },
 Expected: map[string]string{
 "access_policy.#": "1",
@@ -340,6 +355,7 @@ func TestAzureRMKeyVaultMigrateState(t *testing.T) {
 "access_policy.0.secret_permissions.5": "recover",
 "access_policy.0.secret_permissions.6": "restore",
 "access_policy.0.secret_permissions.7": "set",
+"access_policy.0.storage_permissions.#": "0",
 },
 },
 }
diff --git a/website/docs/d/key_vault.html.markdown b/website/docs/d/key_vault.html.markdown
index badfb50756ea..fc447511634a 100644
--- a/website/docs/d/key_vault.html.markdown
+++ b/website/docs/d/key_vault.html.markdown
@@ -72,3 +72,5 @@ A `sku` block exports the following:
 * `key_permissions` - A list of key permissions applicable to this Access Policy.
 
 * `secret_permissions` - A list of secret permissions applicable to this Access Policy.
+
+* `storage_permissions` - A list of storage permissions applicable to this Access Policy.
diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown
index b2b95b635fac..b3134d015d3f 100644
--- a/website/docs/r/key_vault.html.markdown
+++ b/website/docs/r/key_vault.html.markdown
@@ -42,6 +42,10 @@ resource "azurerm_key_vault" "test" {
 secret_permissions = [
 "get",
 ]
+
+storage_permissions = [
+"get",
+]
 }
 
 network_acls {
@@ -95,10 +99,11 @@ A `access_policy` block supports the following:
 * `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `backup`, `create`, `delete`, `deleteissuers`, `get`, `getissuers`, `import`, `list`, `listissuers`, `managecontacts`, `manageissuers`, `purge`, `recover`, `restore`, `setissuers` and `update`.
-* `key_permissions` - (Required) List of key permissions, must be one or more from the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`.
+* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`.
-* `secret_permissions` - (Required) List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`.
+* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`.
+* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`.
 ---