azurerm_api_management - support key_vault_id's without a version

[sirlatrom]

Fixes #4408.

[sirlatrom]

@katbyte As with previous PRs, I've not been able to run acceptance tests but have verified functionality within my org's tenant.

[tombuildsstuff]

Hey @sirlatrom

Thanks for this PR - taking a look through this mostly LGTM, however can we add an acceptance test covering provisioning with a versionless secret to confirm that this works?

Thanks!

[sirlatrom]

Hey @sirlatrom

Thanks for this PR - taking a look through this mostly LGTM, however can we add an acceptance test covering provisioning with a versionless secret to confirm that this works?

Thanks!

I'd like to, but there's a catch 22: Currently, only System Assigned Identity is used against the Key Vault, and you can of course use an azurerm_key_vault_access_policy to grant the API Management service's System Assigned Identity access to the Key Vault.

But if you create the API Management service with the Key Vault references, versioned or not, they are evaluated during creation of the API Management service, preventing us from creating the access policy ahead of time.

I've tried with User Assigned Identity and confirmed it is not used for Key Vault access. I've got the impression that User Assigned Identity is currently only used to access API backends.

Is there a way that I can have two phases in the acceptance test? In our pipeline we're currently working around the issue by using a variable to conditionally set the key_vault_idhostname_configurations field the first time, conditional on the existence of the relevant azurerm_key_vault_access_policy resource.

[sirlatrom]

@tombuildsstuff In 31e4993, I've added acceptance tests setting the key_vault_uri to either a versioned or a versionless URI.

[sirlatrom]

@tombuildsstuff @katbyte Rebased this on master after other tests were merged, should apply cleanly now.

[katbyte]

Thanks @sirlatrom! LGLTM 👍

[ghost]

This has been released in version 2.10.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.10.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!