azurerm_servicebus_namespace supports customer_managed_key #15601
Conversation
ms-henglu commented Feb 25, 2022 (edited)
Hi @katbyte, I've updated the PR, would you please take another look? Thanks!
Thanks @ms-henglu - have some test failures now:
(screenshot of the test failures)
Hi @katbyte, I've rebased this PR; the tests pass on my local machine.
They are still failing in TeamCity.
hi @ms-henglu
Thanks for this PR - I've highlighted a major blocker for this PR which'll need to be addressed for us to continue with this. Unfortunately deleting and recreating all of the contents of the ServiceBus Namespace during the deletion of the Key will lead to the loss of all user data with no confirmation - so this needs to be addressed.
Thanks!
// Since this isn't a real object and it cannot be disabled once Customer Managed Key at rest has been enabled | ||
// And it must keep at least one key once Customer Managed Key is enabled | ||
// So for the delete operation, it has to recreate the EventHub Namespace with disabled Customer Managed Key | ||
deleteFuture, err := client.Delete(ctx, id.ResourceGroup, id.Name) | ||
if err != nil { | ||
return fmt.Errorf("deleting %s: %+v", *id, err) | ||
} | ||
if err = deleteFuture.WaitForCompletionRef(ctx, client.Client); err != nil { | ||
if !response.WasNotFound(deleteFuture.Response()) { | ||
return fmt.Errorf("failed to wait for removal of %q: %+v", id, err) | ||
} | ||
} | ||
|
||
namespace := resp | ||
namespace.Encryption = nil | ||
|
||
future, err := client.CreateOrUpdate(ctx, id.ResourceGroup, id.Name, namespace) | ||
if err != nil { | ||
return fmt.Errorf("creating/updating %s: %+v", id, err) | ||
} | ||
|
||
if err = future.WaitForCompletionRef(ctx, client.Client); err != nil { | ||
return fmt.Errorf("waiting for create/update of %s: %+v", id, err) | ||
} |
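Review bot: the Delete followed by CreateOrUpdate with `namespace.Encryption = nil` is destructive: it tears down the whole ServiceBus Namespace (queues, topics and any queued messages) just to clear the encryption setting, and a Terraform destroy of this one key resource triggers it with no confirmation. Since the service does not allow CMK to be disabled, the honest options are a no-op delete with a documented warning, or folding the setting into the namespace resource where removing it is an explicit replacement, not a silent recreate. Two smaller points in the same block: the comment still says "EventHub Namespace" although this is the ServiceBus namespace client, and the error messages mix `*id` (`deleting %s`) with `id` (`failed to wait for removal of %q`, `creating/updating %s`), so the three messages will render the identifier differently.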
Unfortunately this isn't something we can ship - this deletes all messages and other configuration for the ServiceBus Namespace with no confirmation.
Can you reach out to the Service Team about this?
As suggested above, I'd recommend reaching out to the Service Team here.
Whilst we unintentionally shipped support for this in EventHub Namespace - in 3.0 this resource's delete becomes a no-op - which isn't ideal and is the only possible alternative instead of removing this resource entirely.
In order to ship this, we'll need a means of disabling this - so I'd suggest chatting with the Service Team here, as deleting all user data and configuration silently within the ServiceBus Namespace isn't something we can ship unfortunately.
Hi @tombuildsstuff ,
I've confirmed with the service team that CMK can't be disabled, and they won't support disabling CMK in the future. I've added a commit to make delete a no-op. Please take another look, thanks!
@ms-henglu since this can't be disabled we'll need to instead inline this within the ServiceBus Namespace resource - whilst that's not ideal (as it means this can't work for System Assigned Identities), it's the only way to make this work given the service limitations here
Hi @tombuildsstuff, thank you for taking the time to review the code. Unfortunately this feature cannot be disabled; maybe adding some explanation to the docs can unblock merging this PR?
Hi @tombuildsstuff, I've implemented the CMK as a nested block in the service bus namespace resource. Would you please take another look? Thanks!
@@ -64,6 +66,19 @@ A `identity` block supports the following: | |||
|
|||
* `identity_ids` - (Optional) A list of User Managed Identity ID's which should be assigned to the ServiceBus Namespace. | |||
|
|||
--- | |||
|
|||
-> **Note:** Once customer-managed key encryption has been enabled, it cannot be disabled. |
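Review bot: the note tells users that CMK cannot be disabled but not what Terraform will do when they try. Per the behaviour settled in this PR, removing the `customer_managed_key` block forces a new namespace (destroying its queues, topics and messages) and `infrastructure_encryption_enabled` is ForceNew, while the key and identity can be changed in place. Spell those consequences out here, e.g. "Removing this block or changing `infrastructure_encryption_enabled` will force the namespace to be recreated, which deletes all data in it." The note also sits under the `identity` block's argument list; it would be easier to find next to the `customer_managed_key` arguments.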
should we have a custom diff that forces a new resource if the key is removed?
what happens if we change the key?
Good idea! I've added the custom diff. It allows the user to change the key and identity, but can't toggle `infrastructure_encryption_enabled`, so I added ForceNew to it. Please take another look, thanks!
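The configuration below is an added example and is not code from PR #15601 or from the provider's own documentation. It shows the shape the discussion above settled on: `customer_managed_key` as a nested block of `azurerm_servicebus_namespace`, driven by a user-assigned identity (the thread notes a system-assigned identity cannot work here), with the Key Vault access the identity needs kept to wrap/unwrap/get. Resource and Key Vault names are constructed; the block's argument names other than `infrastructure_encryption_enabled` are taken from the provider's published documentation rather than from this thread; and the Premium SKU plus soft-delete/purge-protection settings are Azure-side requirements for Service Bus CMK that the thread does not mention.

```hcl
# Added example (not part of PR #15601): ServiceBus namespace with the
# customer_managed_key block introduced by the PR. Names are constructed.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.1.0" # customer_managed_key shipped in v3.1.0
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-sb-cmk-example"
  location = "West Europe"
}

# User-assigned identity: the inline block cannot use a system-assigned
# identity, so the namespace must reference this one.
resource "azurerm_user_assigned_identity" "sb" {
  name                = "id-sb-cmk-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Key Vault holding the CMK. Soft delete and purge protection are Azure
# requirements for Service Bus CMK (assumption: not stated in the thread).
resource "azurerm_key_vault" "example" {
  name                       = "kv-sb-cmk-example"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Deployer: manages the key itself (GetRotationPolicy is read by newer providers).
  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["Create", "Get", "List", "Delete", "Purge", "GetRotationPolicy"]
  }

  # Namespace identity: least privilege, only what key wrapping needs.
  access_policy {
    tenant_id       = azurerm_user_assigned_identity.sb.tenant_id
    object_id       = azurerm_user_assigned_identity.sb.principal_id
    key_permissions = ["Get", "UnwrapKey", "WrapKey"]
  }
}

resource "azurerm_key_vault_key" "sb" {
  name         = "sb-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

resource "azurerm_servicebus_namespace" "example" {
  name                = "sb-cmk-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Premium" # CMK is a Premium-tier feature (Azure requirement)
  capacity            = 1

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.sb.id]
  }

  # Once applied, removing this block forces replacement of the namespace
  # (the PR's custom diff), which destroys queues, topics and messages.
  # infrastructure_encryption_enabled is ForceNew; key_vault_key_id and
  # identity_id can be changed in place.
  customer_managed_key {
    key_vault_key_id                  = azurerm_key_vault_key.sb.id
    identity_id                       = azurerm_user_assigned_identity.sb.id
    infrastructure_encryption_enabled = true
  }
}
```

Before applying a plan that touches this namespace, check `terraform plan` for a "must be replaced" line on `azurerm_servicebus_namespace.example`: that is the signal that the CMK block was removed or `infrastructure_encryption_enabled` changed, and that apply would destroy the namespace's contents.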
Thanks @ms-henglu - LGTM now 🚜
This functionality has been released in v3.1.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.