Refactor internal resources (#13)
* add refactor and CHANGELOG

* fix to secret output

* fixes to tests

* some fixes to tftest

* fix to azurerm_key_vault_key.keys in tftest.hcl
gareda authored Mar 3, 2024
1 parent b762af8 commit 6829365
Showing 6 changed files with 82 additions and 58 deletions.
20 changes: 20 additions & 0 deletions CHANGELOG.md
@@ -1,4 +1,24 @@
<!-- markdownlint-disable MD041 MD013 -->
## 2.0.0 (March 03, 2024)

BREAKING CHANGES:

* dependencies: updating to `v1.3.0` minimum of `terraform`
* dependencies: updating to `v3.69.0` minimum of `hashicorp/azurerm` provider.
* The internal name by which the `azurerm_key_vault` resource is defined was defined as `vault`. This has been changed by `kv` to maintain the internal consistency of the module, so the resources deployed in the previous version of the module are not compatible with this new version.
* The internal name by which the `azurerm_key_vault_key` resource is defined was defined as `vault`. This has been changed by `keys` to maintain the internal consistency of the module, so the resources deployed in the previous version of the module are not compatible with this new version.
* The internal name by which the `azurerm_key_vault_secret` resource is defined was defined as `vault`. This has been changed by `secrets` to maintain the internal consistency of the module, so the resources deployed in the previous version of the module are not compatible with this new version.

ENHANCEMENTS:

* Internal changes that do not modify the operation of the module.
* Internal changes that change the way data is received by child parameters, but do not change the behavior of the module.

BUG FIXES:

* Output `keys`: The wrong parameter output.
* Output `secrets`: The wrong parameter output.

## 1.1.0 (February 11, 2021)

FEATURES:
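Review bot: the three BREAKING CHANGES bullets say "This has been changed by `kv`" (and `keys`, `secrets`) where "changed to" is meant, and the BUG FIXES entries ("Output `keys`: The wrong parameter output.") do not say what was wrong; the output.tf hunk in this same commit shows that both `keys` and `secrets` previously returned `azurerm_key_vault.vault.access_policy`, so state that plainly, e.g. "Output `keys`: previously returned the vault's access policies instead of the keys." The rename bullets also only tell users that old deployments are "not compatible"; a one-line migration hint (a `moved` block in the module, or `terraform state mv` on the caller side) would save people from a destroy-and-recreate of their Key Vault.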
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -11,6 +11,7 @@

| Module version | Terraform version | AzureRM version |
| -------------- | ----------------- | --------------- |
| >= 2.x.x | >= 1.3.x | >= 3.69.0 |
| >= 1.x.x | >= 0.13.x | >= 2.34.0 |

<!-- BEGIN_TF_DOCS -->
@@ -89,8 +90,8 @@ The following outputs are exported:
|resource_group_name|The name of the resource group in which to create the virtual network.|no|
|location|The location/region where the virtual network is created.|no|
|tags|The tags assigned to the resource.|no|
|contacts|Blocks containing each contact.|no|
|access_policies|Blocks containing configuration of each access policy.|no|
|keys|Blocks containing configuration of each key.|no|
|secrets|Blocks containing configuration of each secret.|no|
|contacts|Blocks containing each contact.|no|
<!-- END_TF_DOCS -->
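Review bot: the new `secrets` row ends in `no`, but output.tf in this same commit sets `sensitive = true` on the `secrets` output; if that last column is the terraform-docs sensitive flag, the table is out of sync with the code and should read `yes` (re-running terraform-docs on the `BEGIN_TF_DOCS` block is the safest way to regenerate it). The `contacts` row is only moved, which is fine.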
30 changes: 15 additions & 15 deletions main.tf
@@ -1,4 +1,4 @@
resource "azurerm_key_vault" "vault" {
resource "azurerm_key_vault" "kv" {
name = var.name
resource_group_name = var.resource_group_name
location = var.location
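Review bot: renaming `azurerm_key_vault.vault` to `azurerm_key_vault.kv` changes the resource address, so on an existing deployment Terraform will plan to destroy the old vault and create a new one, taking every key and secret inside it along (and with purge protection on, the replacement may not even be creatable under the same name until the soft-deleted vault is purged). Since `required_version` is being raised to Terraform 1.3.0, add a `moved` block with `from = azurerm_key_vault.vault` and `to = azurerm_key_vault.kv` (and the same for `azurerm_key_vault_key.vault` -> `keys` and `azurerm_key_vault_secret.vault` -> `secrets`) so existing state is migrated in place instead of the CHANGELOG telling users the versions are incompatible.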
@@ -12,6 +12,16 @@ resource "azurerm_key_vault" "vault" {
enabled_for_template_deployment = var.enabled_for_template_deployment
enable_rbac_authorization = var.enable_rbac_authorization

dynamic "contact" {
for_each = var.contacts

content {
email = contact.value.email
name = contact.value.name
phone = contact.value.phone
}
}

dynamic "access_policy" {
for_each = var.access_policies

@@ -25,21 +35,11 @@ resource "azurerm_key_vault" "vault" {
storage_permissions = access_policy.value.storage_permissions
}
}

dynamic "contact" {
for_each = var.contacts

content {
email = contact.value.email
name = contact.value.name
phone = contact.value.phone
}
}
}

resource "azurerm_key_vault_key" "vault" {
resource "azurerm_key_vault_key" "keys" {
for_each = { for key in var.keys : key.name => key }
key_vault_id = azurerm_key_vault.vault.id
key_vault_id = azurerm_key_vault.kv.id
name = each.value.name
key_type = each.value.key_type
key_size = each.value.key_size
@@ -49,9 +49,9 @@ resource "azurerm_key_vault_key" "vault" {
expiration_date = each.value.expiration_date
}

resource "azurerm_key_vault_secret" "vault" {
resource "azurerm_key_vault_secret" "secrets" {
for_each = { for secret in var.secrets : secret.name => secret }
key_vault_id = azurerm_key_vault.vault.id
key_vault_id = azurerm_key_vault.kv.id
name = each.value.name
value = each.value.value
content_type = each.value.content_type
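Review bot: `value = each.value.value` feeds the secret material from `var.secrets` straight into the resource, and this diff does not touch variables.tf; please confirm `var.secrets` is declared with `sensitive = true` there, otherwise every `terraform plan` prints each secret's value in clear, and the `for_each` map keyed by `secret.name` will show it under the resource address as well.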
29 changes: 16 additions & 13 deletions output.tf
@@ -1,44 +1,47 @@
output "id" {
value = azurerm_key_vault.vault.id
value = azurerm_key_vault.kv.id
description = "The virtual network configuration ID."
}

output "name" {
value = azurerm_key_vault.vault.name
value = azurerm_key_vault.kv.name
description = "The name of the virtual network."
}

output "resource_group_name" {
value = azurerm_key_vault.vault.resource_group_name
value = azurerm_key_vault.kv.resource_group_name
description = "The name of the resource group in which to create the virtual network."
}

output "location" {
value = azurerm_key_vault.vault.location
value = azurerm_key_vault.kv.location
description = "The location/region where the virtual network is created."
}

output "tags" {
value = azurerm_key_vault.vault.tags
value = azurerm_key_vault.kv.tags
description = "The tags assigned to the resource."
}

output "contacts" {
value = azurerm_key_vault.kv.contact
description = "Blocks containing each contact."
}

output "access_policies" {
value = azurerm_key_vault.vault.access_policy
value = azurerm_key_vault.kv.access_policy
description = "Blocks containing configuration of each access policy."
}

output "keys" {
value = azurerm_key_vault.vault.access_policy
value = { for key in azurerm_key_vault_key.keys : key.name => key }
description = "Blocks containing configuration of each key."
# module.MODULE_NAME.keys["KEY_NAME"].id
}

output "secrets" {
value = azurerm_key_vault.vault.access_policy
value = { for secret in azurerm_key_vault_secret.secrets : secret.name => secret }
description = "Blocks containing configuration of each secret."
}

output "contacts" {
value = azurerm_key_vault.vault.contact
description = "Blocks containing each contact."
sensitive = true
# module.MODULE_NAME.keys["SECRET_NAME"].id
}
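Review bot: the trailing comment in the new `secrets` output reads `# module.MODULE_NAME.keys["SECRET_NAME"].id` but should reference `secrets["SECRET_NAME"]`; it was copied from the `keys` block. The descriptions on `id`, `name`, `resource_group_name` and `location` still say "virtual network" for what is a Key Vault module. `sensitive = true` on `secrets` is the right call since that map carries `value`, but it only redacts CLI and plan output; the secret values still sit in plaintext in the state file, which deserves a sentence in the README. Finally, `azurerm_key_vault_key.keys` and `azurerm_key_vault_secret.secrets` are already maps keyed by name via their `for_each`, so the `{ for key in ... : key.name => key }` re-keying is redundant and `value = azurerm_key_vault_key.keys` (likewise for secrets) would do.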
56 changes: 28 additions & 28 deletions tests/testing.tftest.hcl
@@ -63,142 +63,142 @@ run "plan" {
}

assert {
condition = azurerm_key_vault.vault.name == run.setup.workspace_id
condition = azurerm_key_vault.kv.name == run.setup.workspace_id
error_message = "The key vault name input variable is being modified."
}

assert {
condition = azurerm_key_vault.vault.resource_group_name == run.setup.resource_group_name
condition = azurerm_key_vault.kv.resource_group_name == run.setup.resource_group_name
error_message = "The key vault resource group input variable is being modified."
}

assert {
condition = azurerm_key_vault.vault.location == run.setup.resource_group_location
condition = azurerm_key_vault.kv.location == run.setup.resource_group_location
error_message = "The key vault location input variable is being modified."
}

assert {
condition = azurerm_key_vault.vault.sku_name == lower(var.sku_name)
condition = azurerm_key_vault.kv.sku_name == lower(var.sku_name)
error_message = "The key vault sku input variable is being modified."
}

assert {
condition = azurerm_key_vault.vault.tenant_id == run.setup.tenant_id
condition = azurerm_key_vault.kv.tenant_id == run.setup.tenant_id
error_message = "The tenant id of key vault is being modified."
}

assert {
condition = azurerm_key_vault.vault.soft_delete_retention_days == var.soft_delete_retention_days
condition = azurerm_key_vault.kv.soft_delete_retention_days == var.soft_delete_retention_days
error_message = "The soft delete retention days of key vault is being modified."
}

assert {
condition = azurerm_key_vault.vault.purge_protection_enabled == var.purge_protection_enabled
condition = azurerm_key_vault.kv.purge_protection_enabled == var.purge_protection_enabled
error_message = "The purge protection of key vault is being modified."
}

assert {
condition = azurerm_key_vault.vault.enabled_for_deployment == var.enabled_for_deployment
condition = azurerm_key_vault.kv.enabled_for_deployment == var.enabled_for_deployment
error_message = "The enabled for deployment of key vault is being modified."
}

assert {
condition = azurerm_key_vault.vault.enabled_for_disk_encryption == var.enabled_for_disk_encryption
condition = azurerm_key_vault.kv.enabled_for_disk_encryption == var.enabled_for_disk_encryption
error_message = "The enabled for disk encryption of key vault is being modified."
}

assert {
condition = azurerm_key_vault.vault.enabled_for_template_deployment == var.enabled_for_template_deployment
condition = azurerm_key_vault.kv.enabled_for_template_deployment == var.enabled_for_template_deployment
error_message = "The enabled for template deployment of key vault is being modified."
}

assert {
condition = azurerm_key_vault.vault.enable_rbac_authorization == var.enable_rbac_authorization
condition = azurerm_key_vault.kv.enable_rbac_authorization == var.enable_rbac_authorization
error_message = "The enable rbac authorization of key vault is being modified."
}

assert {
condition = ({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.user1_object_id].object_id == run.setup.user1_object_id
condition = ({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.user1_object_id].object_id == run.setup.user1_object_id
error_message = "The object id of the access policy of user 1 is being modified."
}

assert {
condition = tolist(({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.user1_object_id].secret_permissions) == tolist(["Get", "List", "Set", "Delete", "Recover", "Backup"])
condition = tolist(({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.user1_object_id].secret_permissions) == tolist(["Get", "List", "Set", "Delete", "Recover", "Backup"])
error_message = "The secret permissions of the access policy of user 1 is being modified."
}

assert {
condition = tolist(({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.user1_object_id].storage_permissions) == tolist(["Get", "List", "Update", "Set", "Delete", "Recover", "Backup"])
condition = tolist(({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.user1_object_id].storage_permissions) == tolist(["Get", "List", "Update", "Set", "Delete", "Recover", "Backup"])
error_message = "The storage permissions of the access policy of user 1 is being modified."
}

assert {
condition = ({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.user2_object_id].object_id == run.setup.user2_object_id
condition = ({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.user2_object_id].object_id == run.setup.user2_object_id
error_message = "The object id of the access policy of user 2 is being modified."
}

assert {
condition = ({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.user2_object_id].application_id == run.setup.app1_object_id
condition = ({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.user2_object_id].application_id == run.setup.app1_object_id
error_message = "The application id of the access policy of user 2 is being modified."
}

assert {
condition = tolist(({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.user2_object_id].key_permissions) == tolist(["Get", "List", "Update", "Create", "Import", "Delete"])
condition = tolist(({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.user2_object_id].key_permissions) == tolist(["Get", "List", "Update", "Create", "Import", "Delete"])
error_message = "The key permissions of the access policy of user 1 is being modified."
}

assert {
condition = ({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.app2_object_id].object_id == run.setup.app2_object_id
condition = ({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.app2_object_id].object_id == run.setup.app2_object_id
error_message = "The object id of the access policy of app 2 is being modified."
}

assert {
condition = tolist(({ for p in azurerm_key_vault.vault.access_policy : p.object_id => p })[run.setup.app2_object_id].certificate_permissions) == tolist(["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup"])
condition = tolist(({ for p in azurerm_key_vault.kv.access_policy : p.object_id => p })[run.setup.app2_object_id].certificate_permissions) == tolist(["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup"])
error_message = "The certificate permissions of the access policy of user 1 is being modified."
}

assert {
condition = ({ for k in azurerm_key_vault_key.vault : k.name => k })["KeyTest1"].name == "KeyTest1"
condition = ({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest1"].name == "KeyTest1"
error_message = "The name of the access policy of key 1 is being modified."
}

assert {
condition = ({ for k in azurerm_key_vault_key.vault : k.name => k })["KeyTest1"].key_type == "EC"
condition = ({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest1"].key_type == "EC"
error_message = "The key type of the access policy of key 1 is being modified."
}

assert {
condition = ({ for k in azurerm_key_vault_key.vault : k.name => k })["KeyTest1"].curve == "P-384"
condition = ({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest1"].curve == "P-384"
error_message = "The curve of the access policy of key 1 is being modified."
}

assert {
condition = ({ for k in azurerm_key_vault_key.vault : k.name => k })["KeyTest2"].name == "KeyTest2"
condition = ({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest2"].name == "KeyTest2"
error_message = "The name of the access policy of key 2 is being modified."
}

assert {
condition = ({ for k in azurerm_key_vault_key.vault : k.name => k })["KeyTest2"].key_type == "RSA"
condition = ({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest2"].key_type == "RSA"
error_message = "The key type of the access policy of key 2 is being modified."
}

assert {
condition = ({ for k in azurerm_key_vault_key.vault : k.name => k })["KeyTest2"].key_size == 2048
condition = ({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest2"].key_size == 2048
error_message = "The key size of the access policy of key 1 is being modified."
}

assert {
condition = ({ for s in azurerm_key_vault_secret.vault : s.name => s })["Secret1"].name == "Secret1"
condition = ({ for s in azurerm_key_vault_secret.secrets : s.name => s })["Secret1"].name == "Secret1"
error_message = "The name of the access policy of secret 1 is being modified."
}

assert {
condition = ({ for s in azurerm_key_vault_secret.vault : s.name => s })["Secret1"].value == "password"
condition = ({ for s in azurerm_key_vault_secret.secrets : s.name => s })["Secret1"].value == "password"
error_message = "The value of the access policy of secret 1 is being modified."
}

assert {
condition = ({ for s in azurerm_key_vault_secret.vault : s.name => s })["Secret1"].content_type == "description"
condition = ({ for s in azurerm_key_vault_secret.secrets : s.name => s })["Secret1"].content_type == "description"
error_message = "The content type of the access policy of secret 1 is being modified."
}
}
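Review bot: several error messages in the renamed asserts still name the wrong subject: the `key_permissions` check for `run.setup.user2_object_id` says "user 1", the `certificate_permissions` check for `run.setup.app2_object_id` says "user 1", and the `key_size == 2048` check for `KeyTest2` says "key 1"; every key and secret assert also says "access policy" ("The curve of the access policy of key 1 is being modified."). Since this commit rewrites each of these `condition` lines anyway, fix the messages in the same pass so a failing test points at the right thing. Also, `({ for k in azurerm_key_vault_key.keys : k.name => k })["KeyTest1"]` can simply be `azurerm_key_vault_key.keys["KeyTest1"]` now that the resource is keyed by name, and the same for `azurerm_key_vault_secret.secrets["Secret1"]`.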
2 changes: 1 addition & 1 deletion version.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">=2.34.0"
version = ">=3.69.0"
}
}
}
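Review bot: this hunk only raises the azurerm constraint to `>=3.69.0`; whatever `required_version` is set on lines 1-3 of version.tf lies outside the hunk and is not changed, yet the CHANGELOG announces a `v1.3.0` minimum of Terraform as a breaking change. Please confirm `required_version = ">= 1.3.0"` is actually in the file, otherwise that note is not enforced. An open-ended `>=` constraint will also happily load a future azurerm 4.x major with its own breaking changes; `~> 3.69` would keep the module on the major it was tested against.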
