azurerm_servicebus_namespace supports customer_managed_key
#15601
Conversation
ms-henglu
commented
Feb 25, 2022
•
ms-henglu
commented
ms-henglu
force-pushed
the
ticket-13229868-servicebus-namespace-supports-cmk
branch
from
4f0cd66
to
cfeeb74
Compare
ms-henglu
force-pushed
the
ticket-13229868-servicebus-namespace-supports-cmk
branch
from
cfeeb74
to
9b7ab3c
Compare
|
Hi @katbyte , I've updated the PR, would you please take another look? Thanks! |
There was a problem hiding this comment.
Thanks @ms-henglu - have some test failures now:
<img width="1609" alt="image" src="https://user-images.githubusercontent.com/1638467/157171081-820c2318-8639-4f7b-addb-5c44c3015e5d.png">
9b7ab3c
to
3129b9a
Compare
|
Hi, @katbyte , I've rebased this PR, the tests are passed in my local. |
|
they are still failing in teamcity.. |
There was a problem hiding this comment.
hi @ms-henglu
Thanks for this PR - I've highlighted a major blocker for this PR which'll need to be addressed for us to continue with this. Unfortunately deleting and recreating all of the contents of the ServiceBus Namespace during the deletion of the Key will lead to the loss of all user data with no confirmation - so this needs to be addressed.
Thanks!
| // Since this isn't a real object and it cannot be disabled once Customer Managed Key at rest has been enabled | ||
| // And it must keep at least one key once Customer Managed Key is enabled | ||
| // So for the delete operation, it has to recreate the EventHub Namespace with disabled Customer Managed Key | ||
| deleteFuture, err := client.Delete(ctx, id.ResourceGroup, id.Name) | ||
| if err != nil { | ||
| return fmt.Errorf("deleting %s: %+v", *id, err) | ||
| } | ||
| if err = deleteFuture.WaitForCompletionRef(ctx, client.Client); err != nil { | ||
| if !response.WasNotFound(deleteFuture.Response()) { | ||
| return fmt.Errorf("failed to wait for removal of %q: %+v", id, err) | ||
| } | ||
| } | ||
|
|
||
| namespace := resp | ||
| namespace.Encryption = nil | ||
|
|
||
| future, err := client.CreateOrUpdate(ctx, id.ResourceGroup, id.Name, namespace) | ||
| if err != nil { | ||
| return fmt.Errorf("creating/updating %s: %+v", id, err) | ||
| } | ||
|
|
||
| if err = future.WaitForCompletionRef(ctx, client.Client); err != nil { | ||
| return fmt.Errorf("waiting for create/update of %s: %+v", id, err) | ||
| } |
There was a problem hiding this comment.
Unfortunately this isn't something we can ship - this deletes all messages and other configuration for the ServiceBus Namespace with no confirmation.
Can you reach out to the Service Team about this?
There was a problem hiding this comment.
Unfortunately this feature can't be disabled,
There was a problem hiding this comment.
As suggested above, I'd recommend reaching out to the Service Team here.
Whilst we unintentionally shipped support for this in EventHub Namespace - in 3.0 this resources delete becomes a noop - which isn't ideal and is the only possible alternative instead of removing this resource entirely.
In order to ship this, we'll need a means of disabling this - so I'd suggest chatting with the Service Team here, as deleting all user data and configuration silently within the ServiceBus Namespace isn't something we can ship unfortunately.
There was a problem hiding this comment.
Hi @tombuildsstuff ,
I've confirmed with service team, that CMK can't be disabled and won't support disabling CMK in the future. I've added a a commit to make delete no-op. Please take another look, thanks!
There was a problem hiding this comment.
@ms-henglu since this can't be disabled we'll need to instead inline this within the ServiceBus Namespace resource - whilst that's not ideal (as it means this can't work for System Assigned Identities), it's the only way to make this work given the service limitations here
|
Hi @tombuildsstuff , Thank you for taking time to review the codes. Unfortunately this feature can not be disabled, maybe adding some explanation to the docs can unblock merging this PR? |
ms-henglu
force-pushed
the
ticket-13229868-servicebus-namespace-supports-cmk
branch
from
41a4301
to
251420e
Compare
|
Hi @tombuildsstuff , I've implemented the CMK as a nested block in service bus namespace resource. Would you please take another look? Thanks! |
ms-henglu
changed the title
azurerm_servicebus_namespace_customer_managed_keyazurerm_servicebus_namespace supports customer_managed_key
|
teamcity test results, thouth there's a failed case which is not related. |
| @@ -64,6 +66,19 @@ A `identity` block supports the following: | |||
|
|
|||
| * `identity_ids` - (Optional) A list of User Managed Identity ID's which should be assigned to the ServiceBus Namespace. | |||
|
|
|||
| --- | |||
|
|
|||
| -> **Note:** Once customer-managed key encryption has been enabled, it cannot be disabled. | |||
There was a problem hiding this comment.
should we have a custom diff that forces a new resource if the key is removed?
what happens if we change the key?
There was a problem hiding this comment.
Good idea! I've added the custom diff.
And it allows user to change the key and identity, but can't toggle infrastructure_encryption_enabled, so I added ForceNew to it.
Please take another look, thanks!
ms-henglu
force-pushed
the
ticket-13229868-servicebus-namespace-supports-cmk
branch
from
251420e
to
90c2748
Compare
ms-henglu
force-pushed
the
ticket-13229868-servicebus-namespace-supports-cmk
branch
from
90c2748
to
10020c2
Compare
|
This functionality has been released in v3.1.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
