From 8562bc6fbde647fd049d3f0e428f9f839f90d630 Mon Sep 17 00:00:00 2001
From: tombuildsstuff
Date: Wed, 18 Dec 2019 11:19:51 +0100
Subject: [PATCH 1/2] r/key_vault: defaulting the `network_acl` block to `allowed` to match the API behaviour
```
$ acctests azurerm TestAccAzureRMKeyVault_networkAclsAllowed
=== RUN TestAccAzureRMKeyVault_networkAclsAllowed
=== PAUSE TestAccAzureRMKeyVault_networkAclsAllowed
=== CONT TestAccAzureRMKeyVault_networkAclsAllowed
--- PASS: TestAccAzureRMKeyVault_networkAclsAllowed (246.39s)
PASS
ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 246.448s
```
---
 azurerm/resource_arm_key_vault.go | 10 +++-
 azurerm/resource_arm_key_vault_test.go | 82 ++++++++++++++++++++++----
 2 files changed, 78 insertions(+), 14 deletions(-)
diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go
index dfe926798e39..864360b29613 100644
--- a/azurerm/resource_arm_key_vault.go
+++ b/azurerm/resource_arm_key_vault.go
@@ -157,6 +157,7 @@ func resourceArmKeyVault() *schema.Resource {
 "network_acls": {
 Type: schema.TypeList,
 Optional: true,
+ Computed: true,
 MaxItems: 1,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
@@ -471,7 +472,14 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} {
 func flattenKeyVaultNetworkAcls(input *keyvault.NetworkRuleSet) []interface{} {
 if input == nil {
- return []interface{}{}
+ return []interface{}{
+ map[string]interface{}{
+ "bypass": string(keyvault.AzureServices),
+ "default_action": string(keyvault.Allow),
+ "ip_rules": schema.NewSet(schema.HashString, []interface{}{}),
+ "virtual_network_subnet_ids": schema.NewSet(schema.HashString, []interface{}{}),
+ },
+ }
 }
 output := make(map[string]interface{})
diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go
index 6e39f1cb8ae0..bca901de2150 100644
--- a/azurerm/resource_arm_key_vault_test.go
+++ b/azurerm/resource_arm_key_vault_test.go
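Review bot: Adding `Computed: true` to `network_acls` in the schema hunk means, as far as the SDK's Optional+Computed semantics go, that a configuration omitting the block adopts whatever the vault currently has and reports no diff. An out-of-band change of `default_action` from Deny to Allow would therefore not show up in plan for those configurations. That trade-off deserves a comment next to the field, for example `// Computed: when the block is omitted the API-side ACL is adopted as-is and drift is not reported; declare the block to enforce it`. The schema map starts and ends outside the hunk.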
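Review bot: The nil branch of `flattenKeyVaultNetworkAcls` now records a permissive rule set (`default_action` Allow, `bypass` AzureServices) in state without saying where those values come from. A comment above the `return` would make the intent reviewable, e.g. `// API returned no NetworkAcls: the service then allows all networks, so record that explicitly`. Only the commit message states that this mirrors the API; if the service default ever differs, state would claim Allow for a vault that behaves otherwise, so the comment should name the API behaviour it relies on. The function body continues outside the hunk.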
@@ -86,7 +86,6 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) {
 Config: config,
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 resource.TestCheckResourceAttr(resourceName, "sku_name", "premium"),
 ),
 },
@@ -132,7 +131,6 @@ func TestAccAzureRMKeyVault_basicClassic(t *testing.T) {
 Config: config,
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 resource.TestCheckResourceAttr(resourceName, "sku.0.name", "premium"),
 ),
 },
@@ -164,7 +162,6 @@ func TestAccAzureRMKeyVault_requiresImport(t *testing.T) {
 Config: testAccAzureRMKeyVault_basic(ri, location),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 ),
 },
 {
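Review bot: The hunks in `TestAccAzureRMKeyVault_basic`, `TestAccAzureRMKeyVault_basicClassic` and `TestAccAzureRMKeyVault_requiresImport` drop the `network_acls.#` check and put nothing in its place, so no test pins what a vault created without the block now reports. Because the block is computed and these configs omit it, the post-apply plan will presumably not flag a wrong default either. Consider asserting the new contract in the basic case with `resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),` and `resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Allow"),`. Each test function starts and ends outside its hunk.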
@@ -189,24 +186,49 @@ func TestAccAzureRMKeyVault_networkAcls(t *testing.T) {
 Config: testAccAzureRMKeyVault_networkAcls(ri, location),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.bypass", "None"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Deny"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.ip_rules.#", "0"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.virtual_network_subnet_ids.#", "2"),
 ),
 },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
 {
 Config: testAccAzureRMKeyVault_networkAclsUpdated(ri, location),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMKeyVaultExists(resourceName),
- resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.bypass", "AzureServices"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Allow"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.ip_rules.#", "1"),
- resource.TestCheckResourceAttr(resourceName, "network_acls.0.virtual_network_subnet_ids.#", "1"),
 ),
 },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAzureRMKeyVault_networkAclsAllowed(t *testing.T) {
+ resourceName := "azurerm_key_vault.test"
+ ri := tf.AccRandTimeInt()
+ location := testLocation()
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMKeyVault_networkAclsAllowed(ri, location),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMKeyVaultExists(resourceName),
+ ),
+ },
+ {
+ ResourceName: resourceName,
ImportState: true,
+ ImportStateVerify: true,
+ },
 },
 })
 }
@@ -680,6 +702,40 @@ resource "azurerm_key_vault" "test" {
 `, template, rInt)
 }
+func testAccAzureRMKeyVault_networkAclsAllowed(rInt int, location string) string {
+ template := testAccAzureRMKeyVault_networkAclsTemplate(rInt, location)
+ return fmt.Sprintf(`
+%s
+
+resource "azurerm_key_vault" "test" {
+ name = "vault%d"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+
+ sku_name = "premium"
+
+ access_policy {
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+ object_id = "${data.azurerm_client_config.current.client_id}"
+
+ key_permissions = [
+ "create",
+ ]
+
+ secret_permissions = [
+ "set",
+ ]
+ }
+
+ network_acls {
+ default_action = "Allow"
+ bypass = "AzureServices"
+ }
+}
+`, template, rInt)
+}
+
 func testAccAzureRMKeyVault_update(rInt int, location string) string {
 return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}
From d304c1fc39ab3108c75099f02e9baae11f29b0ea Mon Sep 17 00:00:00 2001
From: tombuildsstuff
Date: Wed, 18 Dec 2019 13:36:47 +0100
Subject: [PATCH 2/2] r/key_vault: making the `network_acls` block computed
---
 azurerm/resource_arm_key_vault_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go
index bca901de2150..5d2b220e935b 100644
--- a/azurerm/resource_arm_key_vault_test.go
+++ b/azurerm/resource_arm_key_vault_test.go
@@ -695,7 +695,7 @@ resource "azurerm_key_vault" "test" {
 network_acls {
 default_action = "Allow"
 bypass = "AzureServices"
- ip_rules = ["10.0.0.102/32"]
+ ip_rules = ["123.0.0.102/32"]
 virtual_network_subnet_ids = ["${azurerm_subnet.test_a.id}"]
 }
 }
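Review bot: In `TestAccAzureRMKeyVault_networkAcls` the explicit checks on `network_acls.0.default_action` and `network_acls.0.bypass` are replaced by `ImportStateVerify` steps, which only compare two reads of the same vault. Keeping `resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Deny"),` in the first step would assert the restrictive case directly rather than leaving it to the harness's post-apply plan check. The new `TestAccAzureRMKeyVault_networkAclsAllowed` has the same gap: its only check is that the vault exists, so `resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Allow"),` would be worth adding there too.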
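Review bot: The `ip_rules` fixture in the second patch now allow-lists `123.0.0.102/32`, a publicly routable address, on the test vault, and the commit subject (making the block computed) does not explain the change. If the reason is that the service rejects private ranges, which is an assumption because the patch does not say, a template comment such as `# public address required: private ranges are rejected by the API` would record it. An address the project controls would also avoid naming a third party's IP in the fixture. The template string starts outside the hunk.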