Enhancement: azurerm_key_vault: Add support for soft delete, purge protection, and purge on destroy
#5344
Conversation
There was a problem hiding this comment.
hey @WodansSon
Thanks for porting this PR over to the new structure.
Taking a look though this mostly LGTM - if we can fix up the comments then this should otherwise be good to go out in 2.0 👍
Thanks!
| Optional: true, | ||
| Default: false, | ||
| ConflictsWith: []string{"enabled_for_purge_protection"}, | ||
| }, |
There was a problem hiding this comment.
this can't go in the resource unfortunately, since the config isn't necessarily available during a destroy (e.g. if the users removed the code, this property won't be accessible) - instead it'll need to be in the provider block (which wants a little design work) - probably something like this:
provider "azurerm" {
# ...
purge_on_delete {
key_vault = true
}
}
the reason for doing this as a nested block is this also applies to some other resources (recovery services) so we may as well use the same (design) approach for both
There was a problem hiding this comment.
Fixed, moved it into the features section of the provider block.
| "enabled_for_purge_protection": { | ||
| Type: schema.TypeBool, | ||
| Optional: true, | ||
| ValidateFunc: validate.BoolIsTrue(), |
There was a problem hiding this comment.
(same here)
| ValidateFunc: validate.BoolIsTrue(), |
| parameters.Properties.EnableSoftDelete = &enabledForSoftDelete | ||
| } | ||
|
|
||
| // This setting can only be set if it is true, if set when value is false API returns errors |
There was a problem hiding this comment.
there's an issue tracking disabling purge protection: Azure/azure-rest-api-specs#8075
There was a problem hiding this comment.
...it still throws an error, maybe in future they will fix this and we can re-address the behavior.
| @@ -277,6 +298,16 @@ func resourceArmKeyVaultCreateUpdate(d *schema.ResourceData, meta interface{}) e | |||
| Tags: tags.Expand(t), | |||
| } | |||
|
|
|||
| // This setting can only be set if it is true, if set when value is false API returns errors | |||
There was a problem hiding this comment.
I believe this is no longer true - soft delete can be enabled/disabled?
There was a problem hiding this comment.
Nope... it still throws an error, maybe in future they will fix this and we can re-address the behavior.
| @@ -461,6 +494,22 @@ func resourceArmKeyVaultDelete(d *schema.ResourceData, meta interface{}) error { | |||
| } | |||
| } | |||
|
|
|||
| if d.Get("purge_on_delete").(bool) && d.Get("enabled_for_soft_delete").(bool) && err == nil { | |||
There was a problem hiding this comment.
(as above) we'll need to pull this from the provider block instead unfortunately
| @@ -84,6 +84,12 @@ The following arguments are supported: | |||
|
|
|||
| * `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`. | |||
|
|
|||
| * `enabled_for_soft_delete` - (Optional) Boolean flag to specify whether the key vault is enabled for soft delete. Once enabled you can not disable this setting. | |||
|
|
|||
| * `purge_on_delete` - (Optional) Boolean flag to specify if the KeyVault should be purged on delete. This purges KeyVaults enabled for soft delete on resource deletition. | |||
There was a problem hiding this comment.
(as above) we'll need to move this into the provider block
Co-Authored-By: Tom Harvey <[email protected]>
Co-Authored-By: Tom Harvey <[email protected]>
Co-Authored-By: Tom Harvey <[email protected]>
…form-provider-azurerm into e_keyvault_puge_softdelete
…form-provider-azurerm into e_keyvault_puge_softdelete
WodansSon
changed the title
azurerm_key_vault: Add support for soft delete, purge protection, and purge on destroy
There was a problem hiding this comment.
hey @WodansSon
Thanks for porting this PR over to the refactored structure - I've taken a look through and left some comments inline but this otherwise LGTM; as discussed offline I'm going to push a few commits to resolve the issues highlighted below, but this otherwise looks good to me 👍
Thanks!
azurerm/internal/services/keyvault/tests/resource_arm_key_vault_test.go
Outdated
Show resolved
Hide resolved
azurerm/internal/services/keyvault/tests/resource_arm_key_vault_test.go
Outdated
Show resolved
Hide resolved
|
I'm not sure what to do for the test cases where soft delete is enabled, when the test finishes and it destroys the test resources, the key vault will still be there just soft deleted. My workaround for this was to add an extra test step pointing the config to the I also think we need to update the
WDYT? |
…viders/terraform-provider-azurerm into e_keyvault_puge_softdelete
|
Tests pass:
|
|
This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.0.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
Porting features from closed #1805 to new code base
Original: #1517
Dependent PR: #4366 #5668
(fixes #1329)