From 3d4dba706b1d1a80be850081bcfbd10837eaf1a8 Mon Sep 17 00:00:00 2001 From: Alex Mabry Date: Wed, 18 Sep 2019 15:34:03 -0500 Subject: [PATCH 01/12] add key_vault_secret_id --- azurerm/resource_arm_application_gateway.go | 54 ++++-- .../resource_arm_application_gateway_test.go | 181 ++++++++++++++++++ azurerm/resource_arm_key_vault.go | 10 + azurerm/resource_arm_key_vault_test.go | 4 + 4 files changed, 237 insertions(+), 12 deletions(-) diff --git a/azurerm/resource_arm_application_gateway.go b/azurerm/resource_arm_application_gateway.go index f1da9c22f071..c3d874aa239f 100644 --- a/azurerm/resource_arm_application_gateway.go +++ b/azurerm/resource_arm_application_gateway.go @@ -1019,17 +1019,22 @@ func resourceArmApplicationGateway() *schema.Resource { "data": { Type: schema.TypeString, - Required: true, + Optional: true, Sensitive: true, StateFunc: base64EncodedStateFunc, }, "password": { Type: schema.TypeString, - Required: true, + Optional: true, Sensitive: true, }, + "key_vault_secret_id": { + Type: schema.TypeString, + Optional: true, + }, + "id": { Type: schema.TypeString, Computed: true, @@ -1389,6 +1394,11 @@ func resourceArmApplicationGatewayCreateUpdate(d *schema.ResourceData, meta inte return fmt.Errorf("Error expanding `redirect_configuration`: %+v", err) } + sslCertificates, err := expandApplicationGatewaySslCertificates(d) + if err != nil { + return fmt.Errorf("Error expanding `ssl_certificate`: %+v", err) + } + gatewayIPConfigurations, stopApplicationGateway := expandApplicationGatewayIPConfigurations(d) gateway := network.ApplicationGateway{ 
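Review bot: `key_vault_secret_id` is added with no `ValidateFunc`, and with `data` and `password` now Optional the schema no longer guarantees a usable `ssl_certificate` block at plan time — a malformed secret id, or a block with neither source set, is only rejected inside `expandApplicationGatewaySslCertificates` during apply, after the rest of the gateway request has been built. A plan-time format check on the id (the follow-up commit in this series adds `ValidateFunc: azure.ValidateKeyVaultChildId`) surfaces the common mistake before any Azure call is made. Because the exclusivity rules between `data`/`password` and `key_vault_secret_id` are enforced in Go rather than in the schema, please record that next to the attribute: `// Mutually exclusive with data/password; enforced in expandApplicationGatewaySslCertificates because ConflictsWith is not practical inside a list block.` The schema body continues outside this hunk.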
@@ -1412,7 +1422,7 @@ func resourceArmApplicationGatewayCreateUpdate(d *schema.ResourceData, meta inte
 RequestRoutingRules: requestRoutingRules,
 RedirectConfigurations: redirectConfigurations,
 Sku: expandApplicationGatewaySku(d),
- SslCertificates: expandApplicationGatewaySslCertificates(d),
+ SslCertificates: sslCertificates,
 SslPolicy: expandApplicationGatewaySslPolicy(d),
 RewriteRuleSets: expandApplicationGatewayRewriteRuleSets(d),
@@ -3228,7 +3238,7 @@ func flattenApplicationGatewaySku(input *network.ApplicationGatewaySku) []interf
 return []interface{}{result}
 }
-func expandApplicationGatewaySslCertificates(d *schema.ResourceData) *[]network.ApplicationGatewaySslCertificate {
+func expandApplicationGatewaySslCertificates(d *schema.ResourceData) (*[]network.ApplicationGatewaySslCertificate, error) {
 vs := d.Get("ssl_certificate").([]interface{})
 results := make([]network.ApplicationGatewaySslCertificate, 0)
@@ -3238,22 +3248,38 @@ func expandApplicationGatewaySslCertificates(d *schema.ResourceData) *[]network. name := v["name"].(string) data := v["data"].(string) password := v["password"].(string) - - // data must be base64 encoded - data = utils.Base64EncodeIfNot(data) + kvsid := v["key_vault_secret_id"].(string) output := network.ApplicationGatewaySslCertificate{ Name: utils.String(name), - ApplicationGatewaySslCertificatePropertiesFormat: &network.ApplicationGatewaySslCertificatePropertiesFormat{ - Data: utils.String(data), - Password: utils.String(password), - }, + ApplicationGatewaySslCertificatePropertiesFormat: &network.ApplicationGatewaySslCertificatePropertiesFormat{}, + } + + if data != "" && kvsid != "" { + return nil, fmt.Errorf("Error: only one of `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name) + } else if data != "" { + // data must be base64 encoded + output.ApplicationGatewaySslCertificatePropertiesFormat.Data = utils.String(utils.Base64EncodeIfNot(data)) + + if password == "" { + return nil, fmt.Errorf("Error: 'password' is required if `data` is specified for the `ssl_certificate` block %q", name) + } + + output.ApplicationGatewaySslCertificatePropertiesFormat.Password = utils.String(password) + } else if kvsid != "" { + if password != "" { + return nil, fmt.Errorf("Error: only one of `key_vault_secret_id` or `password` must be specified for the `ssl_certificate` block %q", name) + } + + output.ApplicationGatewaySslCertificatePropertiesFormat.KeyVaultSecretID = utils.String(kvsid) + } else { + return nil, fmt.Errorf("Error: either `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name) } results = append(results, output) } - return &results + return &results, nil } func flattenApplicationGatewaySslCertificates(input *[]network.ApplicationGatewaySslCertificate, d *schema.ResourceData) []interface{} { 
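Review bot: In the new validation chain the certificate `Data` is written into `output` before the `password == ""` check runs, and the `else if`/`else` branches follow `return` statements, which Go style flags; a `switch` that validates each combination first and assigns afterwards keeps the happy path flat and shows the three error cases in one place. A local for the properties pointer also removes the repeated `output.ApplicationGatewaySslCertificatePropertiesFormat.` selectors. The function's signature and loop header are above this hunk; only the loop body and the return are inside it.

```go
		// … unchanged: name/data/password/kvsid reads and the output literal …
		props := output.ApplicationGatewaySslCertificatePropertiesFormat
		switch {
		case data != "" && kvsid != "":
			return nil, fmt.Errorf("Error: only one of `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name)
		case data != "":
			if password == "" {
				return nil, fmt.Errorf("Error: 'password' is required if `data` is specified for the `ssl_certificate` block %q", name)
			}
			// data must be base64 encoded
			props.Data = utils.String(utils.Base64EncodeIfNot(data))
			props.Password = utils.String(password)
		case kvsid != "":
			if password != "" {
				return nil, fmt.Errorf("Error: only one of `key_vault_secret_id` or `password` must be specified for the `ssl_certificate` block %q", name)
			}
			props.KeyVaultSecretID = utils.String(kvsid)
		default:
			return nil, fmt.Errorf("Error: either `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name)
		}
		// … unchanged: results = append(results, output) …
```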
@@ -3280,6 +3306,10 @@ func flattenApplicationGatewaySslCertificates(input *[]network.ApplicationGatewa
 if data := props.PublicCertData; data != nil {
 output["public_cert_data"] = *data
 }
+
+ if kvsid := props.KeyVaultSecretID; kvsid != nil {
+ output["key_vault_secret_id"] = *kvsid
+ }
 }
 // since the certificate data isn't returned we have to load it from the same index
diff --git a/azurerm/resource_arm_application_gateway_test.go b/azurerm/resource_arm_application_gateway_test.go
index e7dfd9528404..72f44418920e 100644
--- a/azurerm/resource_arm_application_gateway_test.go
+++ b/azurerm/resource_arm_application_gateway_test.go
@@ -631,6 +631,33 @@ func TestAccAzureRMApplicationGateway_settingsPickHostNameFromBackendAddress(t *
 })
 }
+func TestAccAzureRMApplicationGateway_sslCertificate_keyvault(t *testing.T) {
+ t.Skip()
+
+ resourceName := "azurerm_application_gateway.test"
+ ri := tf.AccRandTimeInt()
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMApplicationGatewayDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMApplicationGateway_sslCertificate_keyvault(ri, testLocation()),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMApplicationGatewayExists(resourceName),
+ resource.TestCheckResourceAttrSet(resourceName, "ssl_certificate.0.key_vault_secret_id"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func TestAccAzureRMApplicationGateway_sslCertificate(t *testing.T) {
 resourceName := "azurerm_application_gateway.test"
 ri := tf.AccRandTimeInt()
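Review bot: `t.Skip()` at the top of `TestAccAzureRMApplicationGateway_sslCertificate_keyvault` carries no message, so the only coverage of the new key-vault path is disabled with no record of why or of what has to change before it can run; `go test -v` will print an empty skip reason. Use `t.Skip("<reason the key vault path cannot run yet>")`, or drop the skip if the configuration is expected to work. The whole test function is inside this hunk.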
@@ -2941,6 +2968,160 @@ resource "azurerm_application_gateway" "test" { `, template, rInt) } +func testAccAzureRMApplicationGateway_sslCertificate_keyvault(rInt int, location string) string { + template := testAccAzureRMApplicationGateway_template(rInt, location) + return fmt.Sprintf(` +%s + +# since these variables are re-used - a locals block makes this more maintainable +locals { + auth_cert_name = "${azurerm_virtual_network.test.name}-auth" + backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" + frontend_port_name = "${azurerm_virtual_network.test.name}-feport" + frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" + http_setting_name = "${azurerm_virtual_network.test.name}-be-htst" + listener_name = "${azurerm_virtual_network.test.name}-httplstn" + request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" +} + +data "azurerm_client_config" "test" {} + +data "azuread_service_principal" "test" { + display_name = "Microsoft Azure App Service" +} + +resource "azurerm_user_assigned_identity" "test" { + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + + name = "acctest%[2]d" +} + +resource "azurerm_public_ip" "testStd" { + name = "acctest-PubIpStd-%[2]d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_key_vault" "test" { + name = "acct%[2]d" + location = "${azurerm_resource_group.test.location}" + resource_group_name = "${azurerm_resource_group.test.name}" + tenant_id = "${data.azurerm_client_config.test.tenant_id}" + sku_name = "standard" + + access_policy { + tenant_id = "${data.azurerm_client_config.test.tenant_id}" + object_id = "${data.azurerm_client_config.test.service_principal_object_id }" + secret_permissions = ["delete", "get", "set"] + certificate_permissions = ["create", "delete", "get", 
"import"] + } + + access_policy { + tenant_id = "${data.azurerm_client_config.test.tenant_id}" + object_id = "${azurerm_user_assigned_identity.test.principal_id}" + secret_permissions = ["get"] + certificate_permissions = ["get"] + } + + enable_soft_delete = true +} + +resource "azurerm_key_vault_certificate" "test" { + name = "acctest%[2]d" + key_vault_id = "${azurerm_key_vault.test.id}" + + certificate { + contents = filebase64("testdata/app_service_certificate.pfx") + password = "terraform" + } + + certificate_policy { + issuer_parameters { + name = "Self" + } + + key_properties { + exportable = true + key_size = 2048 + key_type = "RSA" + reuse_key = false + } + + secret_properties { + content_type = "application/x-pkcs12" + } + } +} + +resource "azurerm_application_gateway" "test" { + name = "acctestag-%[2]d" + resource_group_name = "${azurerm_resource_group.test.name}" + location = "${azurerm_resource_group.test.location}" + + sku { + name = "WAF_v2" + tier = "WAF_v2" + capacity = 2 + } + + gateway_ip_configuration { + name = "my-gateway-ip-configuration" + subnet_id = "${azurerm_subnet.test.id}" + } + + identity { + identity_ids = ["${azurerm_user_assigned_identity.test.id}"] + } + + frontend_port { + name = "${local.frontend_port_name}" + port = 80 + } + + frontend_ip_configuration { + name = "${local.frontend_ip_configuration_name}" + public_ip_address_id = "${azurerm_public_ip.testStd.id}" + } + + backend_address_pool { + name = "${local.backend_address_pool_name}" + } + + backend_http_settings { + name = "${local.http_setting_name}" + cookie_based_affinity = "Disabled" + port = 80 + protocol = "Http" + request_timeout = 1 + } + + http_listener { + name = "${local.listener_name}" + frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" + frontend_port_name = "${local.frontend_port_name}" + protocol = "Https" + ssl_certificate_name = "${local.ssl_certificate_name}" + } + + request_routing_rule { + name = 
"${local.request_routing_rule_name}" + rule_type = "Basic" + http_listener_name = "${local.listener_name}" + backend_address_pool_name = "${local.backend_address_pool_name}" + backend_http_settings_name = "${local.http_setting_name}" + } + + ssl_certificate { + name = "${local.ssl_certificate_name}" + key_vault_secret_id = "${azurerm_key_vault_certificate.test.secret_id}" + } +} +`, template, rInt) +} + func testAccAzureRMApplicationGateway_sslCertificate(rInt int, location string) string { template := testAccAzureRMApplicationGateway_template(rInt, location) return fmt.Sprintf(` diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go index af3479dd39e5..1c6ff5e5f86e 100644 --- a/azurerm/resource_arm_key_vault.go +++ b/azurerm/resource_arm_key_vault.go @@ -145,6 +145,12 @@ func resourceArmKeyVault() *schema.Resource { Optional: true, }, + "enable_soft_delete": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + }, + "network_acls": { Type: schema.TypeList, Optional: true, @@ -238,6 +244,8 @@ func resourceArmKeyVaultCreateUpdate(d *schema.ResourceData, meta interface{}) e enabledForDeployment := d.Get("enabled_for_deployment").(bool) enabledForDiskEncryption := d.Get("enabled_for_disk_encryption").(bool) enabledForTemplateDeployment := d.Get("enabled_for_template_deployment").(bool) + enableSoftDelete := d.Get("enable_soft_delete").(bool) + t := d.Get("tags").(map[string]interface{}) networkAclsRaw := d.Get("network_acls").([]interface{}) @@ -258,6 +266,7 @@ func resourceArmKeyVaultCreateUpdate(d *schema.ResourceData, meta interface{}) e EnabledForDeployment: &enabledForDeployment, EnabledForDiskEncryption: &enabledForDiskEncryption, EnabledForTemplateDeployment: &enabledForTemplateDeployment, + EnableSoftDelete: &enableSoftDelete, NetworkAcls: networkAcls, }, Tags: tags.Expand(t), 
@@ -355,6 +364,7 @@ func resourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error { d.Set("enabled_for_deployment", props.EnabledForDeployment) d.Set("enabled_for_disk_encryption", props.EnabledForDiskEncryption) d.Set("enabled_for_template_deployment", props.EnabledForTemplateDeployment) + d.Set("enable_soft_delete", props.EnableSoftDelete) d.Set("vault_uri", props.VaultURI) if sku := props.Sku; sku != nil { diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go index 1a30d261b35b..16e284d01432 100644 --- a/azurerm/resource_arm_key_vault_test.go +++ b/azurerm/resource_arm_key_vault_test.go @@ -312,6 +312,7 @@ func TestAccAzureRMKeyVault_update(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "enabled_for_deployment", "true"), resource.TestCheckResourceAttr(resourceName, "enabled_for_disk_encryption", "true"), resource.TestCheckResourceAttr(resourceName, "enabled_for_template_deployment", "true"), + resource.TestCheckResourceAttr(resourceName, "enable_soft_delete", "true"), resource.TestCheckResourceAttr(resourceName, "tags.environment", "Staging"), ), }, @@ -713,6 +714,7 @@ resource "azurerm_key_vault" "test" { enabled_for_deployment = true enabled_for_disk_encryption = true enabled_for_template_deployment = true + enable_soft_delete = true tags = { environment = "Staging" @@ -743,6 +745,7 @@ resource "azurerm_key_vault" "test" { enabled_for_deployment = true enabled_for_disk_encryption = true enabled_for_template_deployment = true + enable_soft_delete = true tags = { environment = "Staging" @@ -775,6 +778,7 @@ resource "azurerm_key_vault" "test" { enabled_for_deployment = true enabled_for_disk_encryption = true enabled_for_template_deployment = true + enable_soft_delete = true tags = { environment = "Staging" From f1f364847ef37bd9fab9382e074f9b0f29f8997f Mon Sep 17 00:00:00 2001 
From: Alex Mabry Date: Wed, 18 Sep 2019 15:34:23 -0500 Subject: [PATCH 02/12] add enable_soft_delete --- website/docs/d/key_vault.html.markdown | 2 ++ website/docs/r/application_gateway.html.markdown | 6 ++++-- website/docs/r/key_vault.html.markdown | 2 ++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/website/docs/d/key_vault.html.markdown b/website/docs/d/key_vault.html.markdown index fc447511634a..63073bc95b9f 100644 --- a/website/docs/d/key_vault.html.markdown +++ b/website/docs/d/key_vault.html.markdown @@ -53,6 +53,8 @@ The following attributes are exported: * `enabled_for_template_deployment` - Can Azure Resource Manager retrieve secrets from the Key Vault? +* `enable_soft_delete` - Will Azure Resource Manager use the 'soft delete' functionality for this key vault? + * `tags` - A mapping of tags assigned to the Key Vault. A `sku` block exports the following: diff --git a/website/docs/r/application_gateway.html.markdown b/website/docs/r/application_gateway.html.markdown index ed3b0cb14ff0..0f6cd057fbbc 100644 --- a/website/docs/r/application_gateway.html.markdown +++ b/website/docs/r/application_gateway.html.markdown @@ -393,9 +393,11 @@ A `ssl_certificate` block supports the following: * `name` - (Required) The Name of the SSL certificate that is unique within this Application Gateway -* `data` - (Required) PFX certificate. +* `data` - (Optional) PFX certificate. Required if `key_vault_secret_id` is not set. -* `password` - (Required) Password for the pfx file specified in data. +* `password` - (Optional) Password for the pfx file specified in data. Required if `data` is set. + +* `key_vault_secret_id` - (Optional) Secret Id of (base-64 encoded unencrypted pfx) `Secret` or `Certificate` object stored in Azure KeyVault. You need enable soft delete for keyvault to use this feature. Required if `data` is not set. --- 
diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown index 1133ddab59e8..4cef41b9e6bf 100644 --- a/website/docs/r/key_vault.html.markdown +++ b/website/docs/r/key_vault.html.markdown @@ -83,6 +83,8 @@ The following arguments are supported: * `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`. +* `enable_soft_delete` - (Optional) Boolean flag to specify whether Azure Resource Manager uses the 'soft delete' functionality. Can only be changed to `true` once Key Valut is created. Defaults to `false`. + * `network_acls` - (Optional) A `network_acls` block as defined below. * `tags` - (Optional) A mapping of tags to assign to the resource. From 2029e6fab37ab6a597b6397a9d55c08e34d941e2 Mon Sep 17 00:00:00 2001 From: Alex Mabry Date: Wed, 18 Sep 2019 15:43:19 -0500 Subject: [PATCH 03/12] update changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1158af45932..5f9b941dbc9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## 1.35.0 (Unreleased) +IMPROVEMENTS: + +* `azurerm_application_gateway` - support for key vault secret in `ssl_certificate` blocks ([#3935](https://github.com/terraform-providers/terraform-provider-azurerm/issues/3935)) + BUG FIXES: * `azurerm_key_vault_certificate` - storing the certificate data as hex [GH-4335] From 961d98beddf246e450bba8061323c9172f04dccc Mon Sep 17 00:00:00 2001 From: Alex Mabry Date: Wed, 18 Sep 2019 15:46:34 -0500 Subject: [PATCH 04/12] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f9b941dbc9c..1f1cc8418d56 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ IMPROVEMENTS: * `azurerm_application_gateway` - support for key vault secret in `ssl_certificate` blocks ([#3935](https://github.com/terraform-providers/terraform-provider-azurerm/issues/3935)) +* `azurerm_key_vault` - support for safe delete mode in key vaults BUG FIXES: From 1ad4d973903dece626448e4df1414c539c7e6f29 Mon Sep 17 00:00:00 2001 From: Alex Mabry Date: Wed, 18 Sep 2019 15:51:12 -0500 Subject: [PATCH 05/12] remove ForceNew tag --- azurerm/resource_arm_key_vault.go | 1 - 1 file changed, 1 deletion(-) diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go index 1c6ff5e5f86e..00c49e7e6cfa 100644 --- a/azurerm/resource_arm_key_vault.go +++ b/azurerm/resource_arm_key_vault.go @@ -148,7 +148,6 @@ func resourceArmKeyVault() *schema.Resource { "enable_soft_delete": { Type: schema.TypeBool, Optional: true, - ForceNew: true, }, "network_acls": { From c9c7f3e50d7fb293b48b0b2d4cdb01cf83149ecb Mon Sep 17 00:00:00 2001 From: kt Date: Tue, 17 Mar 2020 14:51:13 -0700 Subject: [PATCH 06/12] post merge pr fixup --- .../resource_arm_application_gateway.go | 16 ++- .../resource_arm_application_gateway_test.go | 113 ++++++++---------- website/docs/r/key_vault.html.markdown | 4 +- 3 files changed, 64 insertions(+), 69 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_application_gateway.go b/azurerm/internal/services/network/resource_arm_application_gateway.go index 6dbe456f3f3d..79172f205183 100644 --- a/azurerm/internal/services/network/resource_arm_application_gateway.go +++ b/azurerm/internal/services/network/resource_arm_application_gateway.go @@ -1001,8 +1001,9 @@ func resourceArmApplicationGateway() *schema.Resource { }, "key_vault_secret_id": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Optional: true, + ValidateFunc: azure.ValidateKeyVaultChildId, }, "id": { 
@@ -3207,30 +3208,33 @@ func expandApplicationGatewaySslCertificates(d *schema.ResourceData) (*[]network
 password := v["password"].(string)
 kvsid := v["key_vault_secret_id"].(string)
+ // data must be base64 encoded
+ data = utils.Base64EncodeIfNot(data)
+
 output := network.ApplicationGatewaySslCertificate{
 Name: utils.String(name),
 ApplicationGatewaySslCertificatePropertiesFormat: &network.ApplicationGatewaySslCertificatePropertiesFormat{},
 }
 if data != "" && kvsid != "" {
- return nil, fmt.Errorf("Error: only one of `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name)
+ return nil, fmt.Errorf("only one of `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name)
 } else if data != "" {
 // data must be base64 encoded
 output.ApplicationGatewaySslCertificatePropertiesFormat.Data = utils.String(utils.Base64EncodeIfNot(data))
 if password == "" {
- return nil, fmt.Errorf("Error: 'password' is required if `data` is specified for the `ssl_certificate` block %q", name)
+ return nil, fmt.Errorf("'password' is required if `data` is specified for the `ssl_certificate` block %q", name)
 }
 output.ApplicationGatewaySslCertificatePropertiesFormat.Password = utils.String(password)
 } else if kvsid != "" {
 if password != "" {
- return nil, fmt.Errorf("Error: only one of `key_vault_secret_id` or `password` must be specified for the `ssl_certificate` block %q", name)
+ return nil, fmt.Errorf("only one of `key_vault_secret_id` or `password` must be specified for the `ssl_certificate` block %q", name)
 }
 output.ApplicationGatewaySslCertificatePropertiesFormat.KeyVaultSecretID = utils.String(kvsid)
 } else {
- return nil, fmt.Errorf("Error: either `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name)
+ return nil, fmt.Errorf("either `key_vault_secret_id` or `data` must be specified for the `ssl_certificate` block %q", name)
 }
 results = append(results, output)
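Review bot: The second rewritten message still quotes the attribute as `'password'` while every other message in this chain names attributes in backticks, so the user-facing errors from one function are inconsistent; switch the single quotes around password to backticks to match the others. The function's signature and loop header are above this hunk and the closing return is below it.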
diff --git a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
index 3f86666872bc..832e421d0d18 100644
--- a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
+++ b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
@@ -541,28 +541,21 @@ func TestAccAzureRMApplicationGateway_settingsPickHostNameFromBackendAddress(t *
 }
 func TestAccAzureRMApplicationGateway_sslCertificate_keyvault(t *testing.T) {
- t.Skip()
-
- resourceName := "azurerm_application_gateway.test"
- ri := tf.AccRandTimeInt()
+ data := acceptance.BuildTestData(t, "azurerm_application_gateway", "test")
 resource.ParallelTest(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- Providers: testAccProviders,
+ PreCheck: func() { acceptance.PreCheck(t) },
+ Providers: acceptance.SupportedProviders,
 CheckDestroy: testCheckAzureRMApplicationGatewayDestroy,
 Steps: []resource.TestStep{
 {
- Config: testAccAzureRMApplicationGateway_sslCertificate_keyvault(ri, testLocation()),
+ Config: testAccAzureRMApplicationGateway_sslCertificate_keyvault(data),
 Check: resource.ComposeTestCheckFunc(
- testCheckAzureRMApplicationGatewayExists(resourceName),
- resource.TestCheckResourceAttrSet(resourceName, "ssl_certificate.0.key_vault_secret_id"),
+ testCheckAzureRMApplicationGatewayExists(data.ResourceName),
+ resource.TestCheckResourceAttrSet(data.ResourceName, "ssl_certificate.0.key_vault_secret_id"),
 ),
 },
- {
- ResourceName: resourceName,
- ImportState: true,
- ImportStateVerify: true,
- },
+ data.ImportStep(),
 },
 })
 }
@@ -2945,20 +2938,20 @@ resource "azurerm_application_gateway" "test" { `, template, data.RandomInteger) } -func testAccAzureRMApplicationGateway_sslCertificate_keyvault(rInt int, location string) string { - template := testAccAzureRMApplicationGateway_template(rInt, location) +func testAccAzureRMApplicationGateway_sslCertificate_keyvault(data acceptance.TestData) string { + template := testAccAzureRMApplicationGateway_template(data) return fmt.Sprintf(` %s # since these variables are re-used - a locals block makes this more maintainable locals { - auth_cert_name = "${azurerm_virtual_network.test.name}-auth" - backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap" - frontend_port_name = "${azurerm_virtual_network.test.name}-feport" - frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" - http_setting_name = "${azurerm_virtual_network.test.name}-be-htst" - listener_name = "${azurerm_virtual_network.test.name}-httplstn" - request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt" + auth_cert_name = azurerm_virtual_network.test.name-auth + backend_address_pool_name = azurerm_virtual_network.test.name-beap + frontend_port_name = azurerm_virtual_network.test.name-feport + frontend_ip_configuration_name = azurerm_virtual_network.test.name-feip + http_setting_name = azurerm_virtual_network.test.name-be-htst + listener_name = azurerm_virtual_network.test.name-httplstn + request_routing_rule_name = azurerm_virtual_network.test.name-rqrt } data "azurerm_client_config" "test" {} 
@@ -2968,47 +2961,47 @@ data "azuread_service_principal" "test" { } resource "azurerm_user_assigned_identity" "test" { - resource_group_name = "${azurerm_resource_group.test.name}" - location = "${azurerm_resource_group.test.location}" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location name = "acctest%[2]d" } resource "azurerm_public_ip" "testStd" { name = "acctest-PubIpStd-%[2]d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name allocation_method = "Static" - sku = "Standard" + sku = "Standard" } resource "azurerm_key_vault" "test" { name = "acct%[2]d" - location = "${azurerm_resource_group.test.location}" - resource_group_name = "${azurerm_resource_group.test.name}" - tenant_id = "${data.azurerm_client_config.test.tenant_id}" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tenant_id = data.azurerm_client_config.test.tenant_id sku_name = "standard" access_policy { - tenant_id = "${data.azurerm_client_config.test.tenant_id}" - object_id = "${data.azurerm_client_config.test.service_principal_object_id }" + tenant_id = data.azurerm_client_config.test.tenant_id + object_id = data.azurerm_client_config.test.service_principal_object_id secret_permissions = ["delete", "get", "set"] certificate_permissions = ["create", "delete", "get", "import"] } access_policy { - tenant_id = "${data.azurerm_client_config.test.tenant_id}" - object_id = "${azurerm_user_assigned_identity.test.principal_id}" + tenant_id = data.azurerm_client_config.test.tenant_id + object_id = azurerm_user_assigned_identity.test.principal_id secret_permissions = ["get"] certificate_permissions = ["get"] } - enable_soft_delete = true + soft_delete_enabled = true } resource "azurerm_key_vault_certificate" "test" { name = 
"acctest%[2]d" - key_vault_id = "${azurerm_key_vault.test.id}" + key_vault_id = azurerm_key_vault.test.id certificate { contents = filebase64("testdata/app_service_certificate.pfx") @@ -3035,8 +3028,8 @@ resource "azurerm_key_vault_certificate" "test" { resource "azurerm_application_gateway" "test" { name = "acctestag-%[2]d" - resource_group_name = "${azurerm_resource_group.test.name}" - location = "${azurerm_resource_group.test.location}" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location sku { name = "WAF_v2" @@ -3046,29 +3039,29 @@ resource "azurerm_application_gateway" "test" { gateway_ip_configuration { name = "my-gateway-ip-configuration" - subnet_id = "${azurerm_subnet.test.id}" + subnet_id = azurerm_subnet.test.id } identity { - identity_ids = ["${azurerm_user_assigned_identity.test.id}"] + identity_ids = [azurerm_user_assigned_identity.test.id] } frontend_port { - name = "${local.frontend_port_name}" + name = local.frontend_port_name port = 80 } frontend_ip_configuration { - name = "${local.frontend_ip_configuration_name}" - public_ip_address_id = "${azurerm_public_ip.testStd.id}" + name = local.frontend_ip_configuration_name + public_ip_address_id = azurerm_public_ip.testStd.id } backend_address_pool { - name = "${local.backend_address_pool_name}" + name = local.backend_address_pool_name } backend_http_settings { - name = "${local.http_setting_name}" + name = local.http_setting_name cookie_based_affinity = "Disabled" port = 80 protocol = "Http" 
@@ -3076,31 +3069,31 @@ resource "azurerm_application_gateway" "test" { } http_listener { - name = "${local.listener_name}" - frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}" - frontend_port_name = "${local.frontend_port_name}" + name = local.listener_name + frontend_ip_configuration_name = local.frontend_ip_configuration_name + frontend_port_name = local.frontend_port_name protocol = "Https" - ssl_certificate_name = "${local.ssl_certificate_name}" + ssl_certificate_name = local.ssl_certificate_name } request_routing_rule { - name = "${local.request_routing_rule_name}" + name = local.request_routing_rule_name rule_type = "Basic" - http_listener_name = "${local.listener_name}" - backend_address_pool_name = "${local.backend_address_pool_name}" - backend_http_settings_name = "${local.http_setting_name}" + http_listener_name = local.listener_name + backend_address_pool_name = local.backend_address_pool_name + backend_http_settings_name = local.http_setting_name } ssl_certificate { - name = "${local.ssl_certificate_name}" - key_vault_secret_id = "${azurerm_key_vault_certificate.test.secret_id}" - } + name = local.ssl_certificate_name + key_vault_secret_id = azurerm_key_vault_certificate.test.secret_id + } } -`, template, rInt) +`, template, data.RandomInteger) } -func testAccAzureRMApplicationGateway_sslCertificate(rInt int, location string) string { - template := testAccAzureRMApplicationGateway_template(rInt, location) +func testAccAzureRMApplicationGateway_sslCertificate(data acceptance.TestData) string { + template := testAccAzureRMApplicationGateway_template(data) return fmt.Sprintf(` %s diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown index f77f44e7f5e7..3c5abe0c0342 100644 --- a/website/docs/r/key_vault.html.markdown +++ b/website/docs/r/key_vault.html.markdown 
@@ -97,9 +97,7 @@ The following arguments are supported: * `enabled_for_disk_encryption` - (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to `false`. -* `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`. - -* `enable_soft_delete` - (Optional) Boolean flag to specify whether Azure Resource Manager uses the 'soft delete' functionality. Can only be changed to `true` once Key Valut is created. Defaults to `false`. +* `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`. * `network_acls` - (Optional) A `network_acls` block as defined below. From 1d791f56eaad4984c6b80b1f0b358b41a53407f3 Mon Sep 17 00:00:00 2001 From: kt Date: Tue, 17 Mar 2020 14:56:37 -0700 Subject: [PATCH 07/12] fix test tf --- .../network/resource_arm_application_gateway.go | 3 --- .../tests/resource_arm_application_gateway_test.go | 14 +++++++------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/azurerm/internal/services/network/resource_arm_application_gateway.go b/azurerm/internal/services/network/resource_arm_application_gateway.go index 79172f205183..023253cf8583 100644 --- a/azurerm/internal/services/network/resource_arm_application_gateway.go +++ b/azurerm/internal/services/network/resource_arm_application_gateway.go 
@@ -3208,9 +3208,6 @@ func expandApplicationGatewaySslCertificates(d *schema.ResourceData) (*[]network
 password := v["password"].(string)
 kvsid := v["key_vault_secret_id"].(string)
- // data must be base64 encoded
- data = utils.Base64EncodeIfNot(data)
-
 output := network.ApplicationGatewaySslCertificate{
 Name: utils.String(name),
 ApplicationGatewaySslCertificatePropertiesFormat: &network.ApplicationGatewaySslCertificatePropertiesFormat{},
diff --git a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
index 832e421d0d18..9b5a82cc4605 100644
--- a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
+++ b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
@@ -2945,13 +2945,13 @@ func testAccAzureRMApplicationGateway_sslCertificate_keyvault(data acceptance.Te
 # since these variables are re-used - a locals block makes this more maintainable
 locals {
- auth_cert_name = azurerm_virtual_network.test.name-auth
- backend_address_pool_name = azurerm_virtual_network.test.name-beap
- frontend_port_name = azurerm_virtual_network.test.name-feport
- frontend_ip_configuration_name = azurerm_virtual_network.test.name-feip
- http_setting_name = azurerm_virtual_network.test.name-be-htst
- listener_name = azurerm_virtual_network.test.name-httplstn
- request_routing_rule_name = azurerm_virtual_network.test.name-rqrt
+ auth_cert_name = "${azurerm_virtual_network.test.name}-auth""
+ backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap""
+ frontend_port_name = "${azurerm_virtual_network.test.name}-feport""
+ frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip""
+ http_setting_name = "${azurerm_virtual_network.test.name}-be-htst""
+ listener_name = "${azurerm_virtual_network.test.name}-httplstn""
+ request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt""
 }
 data "azurerm_client_config" "test" {}
From 6208c1b7021389f09cb0ebced586a7ca9b799559 Mon Sep 17 00:00:00 2001
From: kt
Date: Tue, 17 Mar 2020 15:35:08 -0700
Subject: [PATCH 08/12] fix tet tf
---
 .../tests/resource_arm_application_gateway_test.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
index 9b5a82cc4605..85374b6aaf9b 100644
--- a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
+++ b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
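Review bot: Every one of the seven added locals ends with a doubled closing quote, e.g. `auth_cert_name = "${azurerm_virtual_network.test.name}-auth""`, which is not valid HCL, so the test configuration this Go raw string produces would fail to parse before any resource is created. PATCH 08/12 below corrects each line to the single-quoted form `"${azurerm_virtual_network.test.name}-auth"`; squashing that fix into this commit would keep the series bisectable. The enclosing test function `testAccAzureRMApplicationGateway_sslCertificate_keyvault` begins and ends outside this hunk.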
@@ -2945,13 +2945,13 @@ func testAccAzureRMApplicationGateway_sslCertificate_keyvault(data acceptance.Te
 # since these variables are re-used - a locals block makes this more maintainable
 locals {
- auth_cert_name = "${azurerm_virtual_network.test.name}-auth""
- backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap""
- frontend_port_name = "${azurerm_virtual_network.test.name}-feport""
- frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip""
- http_setting_name = "${azurerm_virtual_network.test.name}-be-htst""
- listener_name = "${azurerm_virtual_network.test.name}-httplstn""
- request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt""
+ auth_cert_name = "${azurerm_virtual_network.test.name}-auth"
+ backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
+ frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
+ frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+ http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
+ listener_name = "${azurerm_virtual_network.test.name}-httplstn"
+ request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
 }
 data "azurerm_client_config" "test" {}
From d850d98b74f479da6ae70cece9cb861c6a1acecd Mon Sep 17 00:00:00 2001
From: kt
Date: Wed, 18 Mar 2020 08:17:32 -0700
Subject: [PATCH 09/12] Update website/docs/r/application_gateway.html.markdown
Co-Authored-By: Steve <11830746+jackofallops@users.noreply.github.com>
---
 website/docs/r/application_gateway.html.markdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/r/application_gateway.html.markdown b/website/docs/r/application_gateway.html.markdown
index a1b303211866..2c0b894f5754 100644
--- a/website/docs/r/application_gateway.html.markdown
+++ b/website/docs/r/application_gateway.html.markdown
@@ -392,7 +392,7 @@ A `ssl_certificate` block supports the following:
 * `password` - (Optional) Password for the pfx file specified in data. Required if `data` is set.
-* `key_vault_secret_id` - (Optional) Secret Id of (base-64 encoded unencrypted pfx) `Secret` or `Certificate` object stored in Azure KeyVault. You need enable soft delete for keyvault to use this feature. Required if `data` is not set.
+* `key_vault_secret_id` - (Optional) Secret Id of (base-64 encoded unencrypted pfx) `Secret` or `Certificate` object stored in Azure KeyVault. You need to enable soft delete for keyvault to use this feature. Required if `data` is not set.
 ---
From 0d67903f5066053779457665fc9bfbe44b1f327a Mon Sep 17 00:00:00 2001
From: kt
Date: Wed, 18 Mar 2020 08:19:08 -0700
Subject: [PATCH 10/12] move off deprecated propety
---
 .../network/tests/resource_arm_application_gateway_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
index 85374b6aaf9b..e39b59cde8ef 100644
--- a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
+++ b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
@@ -2984,7 +2984,7 @@ resource "azurerm_key_vault" "test" {
 access_policy {
 tenant_id = data.azurerm_client_config.test.tenant_id
- object_id = data.azurerm_client_config.test.service_principal_object_id
+ object_id = data.azurerm_client_config.test.object_id
 secret_permissions = ["delete", "get", "set"]
 certificate_permissions = ["create", "delete", "get", "import"]
 }
From 45fe25aa4fe6b0f752ff001a702141fcba90b637 Mon Sep 17 00:00:00 2001
From: kt
Date: Wed, 18 Mar 2020 09:32:13 -0700
Subject: [PATCH 11/12] make test pass
---
 .../network/tests/resource_arm_application_gateway_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
index e39b59cde8ef..d815599f908e 100644
--- a/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
+++ b/azurerm/internal/services/network/tests/resource_arm_application_gateway_test.go
@@ -2952,6 +2952,7 @@ locals {
 http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
 listener_name = "${azurerm_virtual_network.test.name}-httplstn"
 request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
+ ssl_certificate_name = "${azurerm_virtual_network.test.name}-sslcert"
 }
 data "azurerm_client_config" "test" {}
@@ -3048,7 +3049,7 @@ resource "azurerm_application_gateway" "test" {
 frontend_port {
 name = local.frontend_port_name
- port = 80
+ port = 443
 }
 frontend_ip_configuration {
From b8ff55e42941c53ef3d53a6150806c2cd981b6f1 Mon Sep 17 00:00:00 2001
From: kt
Date: Wed, 18 Mar 2020 10:27:21 -0700
Subject: [PATCH 12/12] Update key_vault.html.markdown
---
 website/docs/r/key_vault.html.markdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown
index 3c5abe0c0342..c682c021e4af 100644
--- a/website/docs/r/key_vault.html.markdown
+++ b/website/docs/r/key_vault.html.markdown
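Review bot: Switching `frontend_port` to `port = 443` only changes the port number; whether the listener terminates TLS depends on the `http_listener` block carrying `protocol = "Https"` and `ssl_certificate_name = local.ssl_certificate_name`, and on an `ssl_certificate` block whose `name` is the `ssl_certificate_name` local added in the first hunk — none of which is visible in these two hunks. Worth confirming those blocks reference the new local; if they do not, `local.ssl_certificate_name` is defined but unused and the test would exercise plain HTTP on 443 rather than the Key Vault certificate path this series adds. Both hunks sit inside the HCL raw string of `testAccAzureRMApplicationGateway_sslCertificate_keyvault`, whose start and end are outside the hunk.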
@@ -97,7 +97,7 @@ The following arguments are supported:
 * `enabled_for_disk_encryption` - (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to `false`.
-* `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`.
+* `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`.
 * `network_acls` - (Optional) A `network_acls` block as defined below.