Fix - azurerm_api_management_named_value would not enforce secret=true when using value_from_key_vault

[CSymes]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

When creating a azurerm_api_management_named_value and linking it to a value sourced from a Key Vault via the value_from_key_vault block, if the secret attribute is not set to true, you receive an unexpected 400 error, ala:

│ Error: creating or updating Named Value
│ Named Value: "http-function-key"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: ValidationError: One or more fields contain incorrect values:
│ 
│   with azurerm_api_management_named_value.http-function-key,
│   on def_apim.tf line 187, in resource "azurerm_api_management_named_value" "http-function-key":
│  187: resource "azurerm_api_management_named_value" "http-function-key" {

This is pretty un-helpful, so this PR adds validation to ensure that these two attributes are defined compatibly.
Unfortunately I couldn't see a way to validate an attribute value based on the state of another attribute, so this is necessarily performed at apply-time, rather than during validation.

This constraint is not well documented, however MS' examples do display the correct form.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass.

Change Log

• azurerm_api_management_named_value - enforce secret = true when a value_from_key_vault block is defined

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

No existing issue that I could see.

[stephybun]

Thanks for adding some validation for this @CSymes! There's one minor comment for the error message for consistency but otherwise this looks good.

[CSymes]

Sounds good!

[CSymes]

Looks like I've managed to brick the check suite somehow — it was failing on one unit test, so re-ran them since that test is fine locally.
I now note that it's likely a main issue as other PRs are failing on the same test, so not sure what's going on there.

[stephybun]

@CSymes this should be fixed now. Another rebase on top of main should fix the CI.

[CSymes]

@stephybun thanks, all green again.

[katbyte]

Thanks @CSymes - LGTM now 🚜

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.