diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go
index dfe926798e39..864360b29613 100644
--- a/azurerm/resource_arm_key_vault.go
+++ b/azurerm/resource_arm_key_vault.go
@@ -157,6 +157,7 @@ func resourceArmKeyVault() *schema.Resource {
 "network_acls": {
 Type: schema.TypeList,
 Optional: true,
+ Computed: true,
 MaxItems: 1,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
@@ -471,7 +472,14 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} {
 func flattenKeyVaultNetworkAcls(input *keyvault.NetworkRuleSet) []interface{} {
 if input == nil {
- return []interface{}{}
+ return []interface{}{
+ map[string]interface{}{
+ "bypass": string(keyvault.AzureServices),
+ "default_action": string(keyvault.Allow),
+ "ip_rules": schema.NewSet(schema.HashString, []interface{}{}),
+ "virtual_network_subnet_ids": schema.NewSet(schema.HashString, []interface{}{}),
+ },
+ }
 }
 output := make(map[string]interface{})
diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go
index 6e39f1cb8ae0..5d2b220e935b 100644
--- a/azurerm/resource_arm_key_vault_test.go
+++ b/azurerm/resource_arm_key_vault_test.go
@@ -86,7 +86,6 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) {
 Config: config,
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 resource.TestCheckResourceAttr(resourceName, "sku_name", "premium"),
 ),
 },
@@ -132,7 +131,6 @@ func TestAccAzureRMKeyVault_basicClassic(t *testing.T) {
 Config: config,
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 resource.TestCheckResourceAttr(resourceName, "sku.0.name", "premium"),
 ),
 },
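Review bot: `Computed: true` on `network_acls` needs a comment, because it changes what omitting the block means: as far as the schema shows, Terraform will no longer plan a diff when the block is absent from configuration, so the vault keeps whatever rule set it already has, including one changed outside Terraform. For a Key Vault firewall that means an out-of-band switch of `default_action` to `Allow` would not surface in a plan for any configuration that omits the block. I would add `// Computed: an omitted block keeps the vault's current rule set; drift is only planned when the block is declared.` above the field and state the same in the resource documentation. The schema map continues outside this hunk.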
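Review bot: The nil branch of `flattenKeyVaultNetworkAcls` now writes `default_action = "Allow"` and `bypass = "AzureServices"` into state without having read them from the API, and nothing says why these two values are the right stand-in. Presumably they mirror what the service applies when it returns no rule set; if so, say that in the branch, e.g. `// The API returned no rule set; record the service defaults (allow all, Azure services bypass) so state matches a vault with no firewall configured.` Someone auditing firewall posture from state should be able to tell a synthesized default from a value the service returned. The rest of the function, from `output := make(...)` on, lies outside the hunk.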
@@ -164,7 +162,6 @@ func TestAccAzureRMKeyVault_requiresImport(t *testing.T) {
 Config: testAccAzureRMKeyVault_basic(ri, location),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 ),
 },
 {
@@ -189,24 +186,49 @@ func TestAccAzureRMKeyVault_networkAcls(t *testing.T) {
 Config: testAccAzureRMKeyVault_networkAcls(ri, location),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.bypass", "None"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Deny"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.ip_rules.#", "0"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.virtual_network_subnet_ids.#", "2"),
 ),
 },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
 {
 Config: testAccAzureRMKeyVault_networkAclsUpdated(ri, location),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.bypass", "AzureServices"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Allow"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.ip_rules.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.virtual_network_subnet_ids.#", "1"),
 ),
 },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAzureRMKeyVault_networkAclsAllowed(t *testing.T) {
+ resourceName := "azurerm_key_vault.test"
+ ri := tf.AccRandTimeInt()
+ location := testLocation()
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMKeyVault_networkAclsAllowed(ri, location),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMKeyVaultExists(resourceName),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
 },
 })
 }
@@ -673,13 +695,47 @@ resource "azurerm_key_vault" "test" {
 network_acls {
 default_action = "Allow"
 bypass = "AzureServices"
- ip_rules = ["10.0.0.102/32"]
+ ip_rules = ["123.0.0.102/32"]
 virtual_network_subnet_ids = ["${azurerm_subnet.test_a.id}"]
 }
 }
 `, template, rInt)
 }
+func testAccAzureRMKeyVault_networkAclsAllowed(rInt int, location string) string {
+ template := testAccAzureRMKeyVault_networkAclsTemplate(rInt, location)
+ return fmt.Sprintf(`
+%s
+
+resource "azurerm_key_vault" "test" {
+ name = "vault%d"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+
+ sku_name = "premium"
+
+ access_policy {
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+ object_id = "${data.azurerm_client_config.current.client_id}"
+
+ key_permissions = [
+ "create",
+ ]
+
+ secret_permissions = [
+ "set",
+ ]
+ }
+
+ network_acls {
+ default_action = "Allow"
+ bypass = "AzureServices"
+ }
+}
+`, template, rInt)
+}
+
 func testAccAzureRMKeyVault_update(rInt int, location string) string {
 return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}
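Review bot: The `ImportStateVerify` steps that stand in for the removed `TestCheckResourceAttr` calls only compare imported state with applied state, and both come from the same flatten code, so a wrong `default_action` or `bypass` written there would match on both sides and pass. The removed checks were the only ones pinning the restrictive values. I would keep at least `resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Deny"),` in the first step of `TestAccAzureRMKeyVault_networkAcls`, and add `resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Allow"),` to the first step of the new `TestAccAzureRMKeyVault_networkAclsAllowed`.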
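Review bot: The `ip_rules` fixture moves from `10.0.0.102/32` to `123.0.0.102/32` with no comment on why, and the new value is publicly routable address space that the test does not own. Presumably the service rejects private ranges in vault firewall rules; if so, record that next to the value, e.g. `# must be a public address; private ranges are not accepted here (confirm)`. If the service accepts it, an address from a documentation range such as `203.0.113.0/24` would avoid naming a third party's address in an allow rule. The enclosing config function starts outside the hunk.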