Additions to azurerm_key_vault

azurerm/data_source_arm_client_config.go

@@ -24,6 +24,10 @@ func dataSourceArmClientConfig() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"service_principal_application_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"service_principal_object_id": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -54,6 +58,7 @@ func dataSourceArmClientConfigRead(d *schema.ResourceData, meta interface{}) err
 	d.Set("client_id", client.clientId)
 	d.Set("tenant_id", client.tenantId)
 	d.Set("subscription_id", client.subscriptionId)
+	d.Set("service_principal_application_id", *servicePrincipal.AppID)
 	d.Set("service_principal_object_id", *servicePrincipal.ObjectID)
 
 	return nil

azurerm/data_source_arm_client_config_test.go

@@ -25,6 +25,7 @@ func TestAccDataSourceAzureRMClientConfig_basic(t *testing.T) {
 					testAzureRMClientConfigAttr(dataSourceName, "client_id", clientId),
 					testAzureRMClientConfigAttr(dataSourceName, "tenant_id", tenantId),
 					testAzureRMClientConfigAttr(dataSourceName, "subscription_id", subscriptionId),
+					testAzureRMClientConfigGUIDAttr(dataSourceName, "service_principal_application_id"),
 					testAzureRMClientConfigGUIDAttr(dataSourceName, "service_principal_object_id"),
 				),
 			},

azurerm/provider.go

@@ -74,8 +74,8 @@ func Provider() terraform.ResourceProvider {
 			"azurerm_app_service":                 resourceArmAppService(),
 			"azurerm_app_service_plan":            resourceArmAppServicePlan(),
 			"azurerm_automation_account":          resourceArmAutomationAccount(),
-			"azurerm_automation_runbook":          resourceArmAutomationRunbook(),
 			"azurerm_automation_credential":       resourceArmAutomationCredential(),
+			"azurerm_automation_runbook":          resourceArmAutomationRunbook(),
 			"azurerm_automation_schedule":         resourceArmAutomationSchedule(),
 			"azurerm_availability_set":            resourceArmAvailabilitySet(),
 			"azurerm_cdn_endpoint":                resourceArmCdnEndpoint(),

azurerm/resource_arm_key_vault.go

@@ -84,6 +84,34 @@ func resourceArmKeyVault() *schema.Resource {
 							Required:     true,
 							ValidateFunc: validateUUID,
 						},
+						"application_id": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validateUUID,
+						},
+						"certificate_permissions": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+								ValidateFunc: validation.StringInSlice([]string{
+									string(keyvault.All),
+									string(keyvault.Create),
+									string(keyvault.Delete),
+									string(keyvault.Deleteissuers),
+									string(keyvault.Get),
+									string(keyvault.Getissuers),
+									string(keyvault.Import),
+									string(keyvault.List),
+									string(keyvault.Listissuers),
+									string(keyvault.Managecontacts),
+									string(keyvault.Manageissuers),
+									string(keyvault.Setissuers),
+									string(keyvault.Update),
+								}, true),
+								DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
+							},
+						},
 						"key_permissions": {
 							Type:     schema.TypeList,
 							Required: true,
@@ -105,7 +133,8 @@ func resourceArmKeyVault() *schema.Resource {
 									string(keyvault.KeyPermissionsUpdate),
 									string(keyvault.KeyPermissionsVerify),
 									string(keyvault.KeyPermissionsWrapKey),
-								}, false),
+								}, true),
+								DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
 							},
 						},
 						"secret_permissions": {
@@ -119,7 +148,8 @@ func resourceArmKeyVault() *schema.Resource {
 									string(keyvault.SecretPermissionsGet),
 									string(keyvault.SecretPermissionsList),
 									string(keyvault.SecretPermissionsSet),
-								}, false),
+								}, true),
+								DiffSuppressFunc: ignoreCaseDiffSuppressFunc,
 							},
 						},
 					},
@@ -257,6 +287,12 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli
 	for _, policySet := range policies {
 		policyRaw := policySet.(map[string]interface{})
 
+		certificatePermissionsRaw := policyRaw["certificate_permissions"].([]interface{})
+		certificatePermissions := []keyvault.CertificatePermissions{}
+		for _, permission := range certificatePermissionsRaw {
+			certificatePermissions = append(certificatePermissions, keyvault.CertificatePermissions(permission.(string)))
+		}
+
 		keyPermissionsRaw := policyRaw["key_permissions"].([]interface{})
 		keyPermissions := []keyvault.KeyPermissions{}
 		for _, permission := range keyPermissionsRaw {
@@ -271,8 +307,9 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli
 
 		policy := keyvault.AccessPolicyEntry{
 			Permissions: &keyvault.Permissions{
-				Keys:    &keyPermissions,
-				Secrets: &secretPermissions,
+				Certificates: &certificatePermissions,
+				Keys:         &keyPermissions,
+				Secrets:      &secretPermissions,
 			},
 		}
 
@@ -281,6 +318,11 @@ func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPoli
 		objectUUID := policyRaw["object_id"].(string)
 		policy.ObjectID = &objectUUID
 
+		if v := policyRaw["application_id"]; v != "" {
+			applicationUUID := uuid.FromStringOrNil(v.(string))
+			policy.ApplicationID = &applicationUUID
+		}
+
 		result = append(result, policy)
 	}
 
@@ -301,6 +343,11 @@ func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []int
 	for _, policy := range *policies {
 		policyRaw := make(map[string]interface{})
 
+		certificatePermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys))
+		for _, certificatePermission := range *policy.Permissions.Certificates {
+			certificatePermissionsRaw = append(certificatePermissionsRaw, string(certificatePermission))
+		}
+
 		keyPermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys))
 		for _, keyPermission := range *policy.Permissions.Keys {
 			keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission))
@@ -313,6 +360,10 @@ func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []int
 
 		policyRaw["tenant_id"] = policy.TenantID.String()
 		policyRaw["object_id"] = *policy.ObjectID
+		if policy.ApplicationID != nil {
+			policyRaw["application_id"] = policy.ApplicationID.String()
+		}
+		policyRaw["certificate_permissions"] = certificatePermissionsRaw
 		policyRaw["key_permissions"] = keyPermissionsRaw
 		policyRaw["secret_permissions"] = secretPermissionsRaw
 

azurerm/resource_arm_key_vault_test.go

@@ -87,6 +87,27 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVault_complete(t *testing.T) {
+	resourceName := "azurerm_key_vault.test"
+	ri := acctest.RandInt()
+	config := testAccAzureRMKeyVault_complete(ri, testLocation())
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(resourceName),
+					resource.TestCheckResourceAttrSet(resourceName, "access_policy.0.application_id"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAzureRMKeyVault_update(t *testing.T) {
 	ri := acctest.RandInt()
 	resourceName := "azurerm_key_vault.test"
@@ -257,3 +278,47 @@ resource "azurerm_key_vault" "test" {
 }
 `, rInt, location, rInt)
 }
+
+func testAccAzureRMKeyVault_complete(rInt int, location string) string {
+	return fmt.Sprintf(`
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_key_vault" "test" {
+  name                = "vault%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"
+
+  sku {
+    name = "premium"
+  }
+
+  access_policy {
+    tenant_id      = "${data.azurerm_client_config.current.tenant_id}"
+    object_id      = "${data.azurerm_client_config.current.client_id}"
+    application_id = "${data.azurerm_client_config.current.service_principal_application_id}"
+
+    certificate_permissions = [
+      "get",
+    ]
+
+    key_permissions = [
+      "get",
+    ]
+
+    secret_permissions = [
+      "get",
+    ]
+  }
+
+  tags {
+    environment = "Production"
+  }
+}
+`, rInt, location, rInt)
+}

website/docs/d/client_config.html.markdown

@@ -30,7 +30,8 @@ There are no arguments available for this data source.
 * `client_id` is set to the Azure Client ID (Application Object ID).
 * `tenant_id` is set to the Azure Tenant ID.
 * `subscription_id` is set to the Azure Subscription ID.
+* `service_principal_application_id` is the Service Principal Application ID.
 * `service_principal_object_id` is the Service Principal Object ID.
 
-~> **Note:** To better understand "application" and "service principal", please read 
+~> **Note:** To better understand "application" and "service principal", please read
 [Application and service principal objects in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects).

website/docs/r/key_vault.html.markdown

@@ -100,6 +100,11 @@ The following arguments are supported:
     group in the Azure Active Directory tenant for the vault. The object ID must
     be unique for the list of access policies.
 
+* `application_id` - (Optional) The object ID of an Application in Azure Active Directory.
+
+* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from
+    the following: `All`, `Create`, `Delete`, `Deleteissuers`, `Get`, `Getissuers`, `Import`, `List`, `Listissuers`, `Managecontacts`, `Manageissuers`, `Setissuers` and `Update`.
+
 * `key_permissions` - (Required) List of key permissions, must be one or more from
     the following: `all`, `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`,
     `import`, `list`, `restore`, `sign`, `unwrapKey`, `update`, `verify`, `wrapKey`.