azurerm_storage_account_customer_managed_key - support for cross-tenant customer-managed keys
#20356
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sewci0
changed the title
azurerm_storage_account_customer_managed_key - support for cross-tenant customer-managed keys
github-actions
bot
added
documentation
service/storage
size/M
size/XL
and removed
size/M
labels
Sewci0
force-pushed
the
feature/federated_cmk
branch
from
04701eb
to
78be7da
Compare
magodo
previously requested changes
Feb 15, 2023
website/docs/r/storage_account_customer_managed_key.html.markdown
Outdated
Show resolved
Hide resolved
internal/services/storage/storage_account_customer_managed_key_resource.go
Show resolved
Hide resolved
internal/services/storage/storage_account_customer_managed_key_resource.go
Outdated
Show resolved
Hide resolved
github-actions
bot
added
waiting-response
size/XL
and removed
waiting-response
size/M
labels
|
Thank you @magodo for looking into it, I've replied to your comment and fixed the rest of the issues. I've also added acceptance tests but these are super tricky to run as you need to set up two separate tenants. |
|
@Sewci0 Thank you for the update! It now LGTM! |
katbyte
previously requested changes
Feb 24, 2023
There was a problem hiding this comment.
We have some test failures:
------- Stdout: -------
=== RUN TestAccStorageAccountCustomerManagedKey_updateKey
=== PAUSE TestAccStorageAccountCustomerManagedKey_updateKey
=== CONT TestAccStorageAccountCustomerManagedKey_updateKey
testcase.go:110: Step 1/4 error: After applying this test step, the plan was not empty.
stdout:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# azurerm_storage_account_customer_managed_key.test will be updated in-place
~ resource "azurerm_storage_account_customer_managed_key" "test" {
id = "/subscriptions/*******/resourceGroups/acctestRG-230224173716578224/providers/Microsoft.Storage/storageAccounts/acctestsai40tk"
- key_vault_uri = "https://acctestkvi40tk.vault.azure.net/" -> null
# (4 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccStorageAccountCustomerManagedKey_updateKey (380.72s)
FAIL
|
Hi, do you know if this PR is being actively worked on? |
Sewci0
force-pushed
the
feature/federated_cmk
branch
from
3671c14
to
5bb43e2
Compare
|
Hi @magodo, apologies it has taken so long but I've just fixed the tests and rerun them locally. It should be ready to go. Thanks! |
|
@tombuildsstuff @magodo @manicminer -- any idea if this PR is being looked at activtely and will be incorporated? This has been pending for quite a long time now with more and more people awaiting its release. Thank you in advance! |
github-actions
bot
added
waiting-response
size/L
and removed
waiting-response
size/XL
labels
manicminer
force-pushed
the
feature/federated_cmk
branch
from
8053077
to
f5182a5
Compare
manicminer
force-pushed
the
feature/federated_cmk
branch
from
f5182a5
to
490a9aa
Compare
manicminer
approved these changes
Sep 21, 2023
There was a problem hiding this comment.
@Sewci0 Thank you for keeping the branch updated and for your patience whilst we update our testing infrastructure. I've pushed a few minor changes to the test config and it LGTM!
Since I've updated our TeamCity configuration, I'll let another maintainer look over those changes before merging.
|
TeamCity config changes for additional review: 707a94b |
manicminer
dismissed stale reviews from magodo, tombuildsstuff, and katbyte
Changes made
stephybun
approved these changes
Sep 21, 2023
There was a problem hiding this comment.
Tests look good. Thanks for this @Sewci0 and @manicminer! LGTM 🎉
|
@manicminer This is very exciting. Thank you! |
dduportal
pushed a commit
to jenkins-infra/azure
that referenced
this pull request
Sep 23, 2023
<Actions>
<action
id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669">
<h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
<summary>Update Terraform lock file</summary>
<p>"hashicorp/azurerm" updated from "3.73.0" to
"3.74.0" in file ".terraform.lock.hcl"</p>
<details>
<summary>3.74.0</summary>
<pre>Changelog retrieved
from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.74.0
NOTES:

*
`azurerm_synapse_sql_pool` - users that have imported
`azurerm_synapse_sql_pool` resources that were created outside of
Terraform using an `LRS` storage account type will need to use
`ignore_changes` to avoid the resource from being destroyed and
recreated.

FEATURES:

* **New Resource**:
`azurerm_arc_resource_bridge_appliance`
([#23108](https://github.com/hashicorp/terraform-provider-azurerm/issues/23108))
*
**New Resource**: `azurerm_data_factory_dataset_azure_sql_table`
([#23264](https://github.com/hashicorp/terraform-provider-azurerm/issues/23264))
*
**New Resource**: `azurerm_function_app_connection`
([#23127](https://github.com/hashicorp/terraform-provider-azurerm/issues/23127))

ENHANCEMENTS:

*
dependencies: updating to `v0.20230918.1115907` of
`github.com/hashicorp/go-azure-sdk`
([#23337](https://github.com/hashicorp/terraform-provider-azurerm/issues/23337))
*
dependencies: downgrading to `v1.12.5` of `github.com/rickb777/date`
([#23296](https://github.com/hashicorp/terraform-provider-azurerm/issues/23296))
*
`mysql`: updating to use API Version `2022-01-01`
([#23320](https://github.com/hashicorp/terraform-provider-azurerm/issues/23320))
*
`azurerm_app_configuration` - support for the `replica` block
([#22452](https://github.com/hashicorp/terraform-provider-azurerm/issues/22452))
*
`azurerm_bot_channel_directline` - support for `user_upload_enabled`,
`endpoint_parameters_enabled`, and `storage_enabled`
([#23149](https://github.com/hashicorp/terraform-provider-azurerm/issues/23149))
*
`azurerm_container_app` - support for scale rules
([#23294](https://github.com/hashicorp/terraform-provider-azurerm/issues/23294))
*
`azurerm_container_app_environment` - support for zone redundancy
([#23313](https://github.com/hashicorp/terraform-provider-azurerm/issues/23313))
*
`azurerm_container_group` - support for the `key_vault_user_identity_id`
property for Customer Managed Keys
([#23332](https://github.com/hashicorp/terraform-provider-azurerm/issues/23332))
*
`azurerm_cosmosdb_account` - support for MongoDB connection strings
([#23331](https://github.com/hashicorp/terraform-provider-azurerm/issues/23331))
*
`azurerm_data_factory_dataset_delimited_text` - support for the
`dynamic_file_system_enabled`, `dynamic_path_enabled`, and
`dynamic_filename_enabled` properties
([#23261](https://github.com/hashicorp/terraform-provider-azurerm/issues/23261))
*
`azurerm_data_factory_dataset_parquet` - support for the
`azure_blob_fs_location` block
([#23261](https://github.com/hashicorp/terraform-provider-azurerm/issues/23261))
*
`azurerm_monitor_diagnostic_setting` - validation to ensure either
`category` or `category_group` are supplied in `enabled_log` and `log`
blocks
([#23308](https://github.com/hashicorp/terraform-provider-azurerm/issues/23308))
*
`azurerm_network_interface` - support for the `auxiliary_mode` and
`auxiliary_sku` properties
([#22979](https://github.com/hashicorp/terraform-provider-azurerm/issues/22979))
*
`azurerm_postgresql_flexible_server` - increased the maximum supported
value for `storage_mb`
([#23277](https://github.com/hashicorp/terraform-provider-azurerm/issues/23277))
*
`azurerm_shared_image_version` - support for the
`replicated_region_deletion_enabled` and
`target_region.exclude_from_latest_enabled` properties
([#23147](https://github.com/hashicorp/terraform-provider-azurerm/issues/23147))
*
`azurerm_storage_account` - support for setting `domain_name` and
`domain_guid` for `AADKERB`
([#22833](https://github.com/hashicorp/terraform-provider-azurerm/issues/22833))
*
`azurerm_storage_account_customer_managed_key` - support for
cross-tenant customer-managed keys with the
`federated_identity_client_id`, and `key_vault_uri` properties
([#20356](https://github.com/hashicorp/terraform-provider-azurerm/issues/20356))
*
`azurerm_web_application_firewall_policy` - support for the
`rate_limit_duration`, `rate_limit_threshold`, `group_rate_limit_by`,
and `request_body_inspect_limit_in_kb` properties
([#23239](https://github.com/hashicorp/terraform-provider-azurerm/issues/23239))

BUG
FIXES:

* Data Source: `azurerm_container_app_environment`: fix
`log_analytics_workspace_name` output to correct value
([#23298](https://github.com/hashicorp/terraform-provider-azurerm/issues/23298))
*
`azurerm_api_management_api` - set the `service_url` property when
importing the resource
([#23011](https://github.com/hashicorp/terraform-provider-azurerm/issues/23011))
*
`azurerm_app_configuration` - prevent crash by nil checking the
encryption configuration
([#23302](https://github.com/hashicorp/terraform-provider-azurerm/issues/23302))
*
`azurerm_app_configuration_feature` - update `percentage_filter_value`
to accept correct type of float
([#23263](https://github.com/hashicorp/terraform-provider-azurerm/issues/23263))
*
`azurerm_container_app` - fix an issue with `commands` and `args` being
overwritten when using multiple containers
([#23338](https://github.com/hashicorp/terraform-provider-azurerm/issues/23338))
*
`azurerm_key_vault_certificate` - fix issue where certificates
couldn't be recovered anymore
([#23204](https://github.com/hashicorp/terraform-provider-azurerm/issues/23204))
*
`azurerm_key_vault_key` - the ForceNew when `expiration_date` is removed
from the config file
([#23327](https://github.com/hashicorp/terraform-provider-azurerm/issues/23327))
*
`azurerm_linux_function_app` - fix a bug in setting the storage settings
when using Elastic Premium plans
([#21212](https://github.com/hashicorp/terraform-provider-azurerm/issues/21212))
*
`azurerm_linux_web_app` - fix docker app stack update
([#23303](https://github.com/hashicorp/terraform-provider-azurerm/issues/23303))
*
`azurerm_linux_web_app` - fix crash in auto heal expansion
([#21328](https://github.com/hashicorp/terraform-provider-azurerm/issues/21328))
*
`azurerm_linux_web_app_slot` - fix docker app stack update
([#23303](https://github.com/hashicorp/terraform-provider-azurerm/issues/23303))
*
`azurerm_linux_web_app_slot` - fix crash in auto heal expansion
([#21328](https://github.com/hashicorp/terraform-provider-azurerm/issues/21328))
*
`azurerm_log_analytics_solution` - fix bug where the resource wasn't
handling successful creation on subsequent applies
([#23312](https://github.com/hashicorp/terraform-provider-azurerm/issues/23312))
*
`azurerm_management_group_subscription_association` - fix bug to
correctly mark resource as gone if not found during read
([#23335](https://github.com/hashicorp/terraform-provider-azurerm/issues/23335))
*
`azurerm_mssql_elasticpool` - remove check that prevents `license_type`
from being set for certain skus
([#23262](https://github.com/hashicorp/terraform-provider-azurerm/issues/23262))
*
`azurerm_servicebus_queue` - fixing an issue where `auto_delete_on_idle`
couldn't be set to `P10675199DT2H48M5.4775807S`
([#23296](https://github.com/hashicorp/terraform-provider-azurerm/issues/23296))
*
`azurerm_servicebus_topic` - fixing an issue where `auto_delete_on_idle`
couldn't be set to `P10675199DT2H48M5.4775807S`
([#23296](https://github.com/hashicorp/terraform-provider-azurerm/issues/23296))
*
`azurerm_storage_account` - prevent sending unsupported blob properties
in payload for `Storage` account kind
([#23288](https://github.com/hashicorp/terraform-provider-azurerm/issues/23288))
*
`azurerm_synapse_sql_pool` - expose `storage_account_type`
([#23217](https://github.com/hashicorp/terraform-provider-azurerm/issues/23217))
*
`azurerm_windows_function_app` - fix a bug in setting the storage
settings when using Elastic Premium plans
([#21212](https://github.com/hashicorp/terraform-provider-azurerm/issues/21212))
*
`azurerm_windows_web_app` - fix docker app stack update
([#23303](https://github.com/hashicorp/terraform-provider-azurerm/issues/23303))
*
`azurerm_windows_web_app_slot` - fix docker app stack update
([#23303](https://github.com/hashicorp/terraform-provider-azurerm/issues/23303))

DEPRECATIONS:

*
`azurerm_application_gateway` - deprecate `Standard` and `WAF` skus
([#23310](https://github.com/hashicorp/terraform-provider-azurerm/issues/23310))
*
`azurerm_bot_channel_web_chat` - deprecate `site_names` in favour of
`site` block
([#23161](https://github.com/hashicorp/terraform-provider-azurerm/issues/23161))
*
`azurerm_monitor_diagnostic_setting` - deprecate `retention_policy` in
favour of `azurerm_storage_management_policy`
([#23260](https://github.com/hashicorp/terraform-provider-azurerm/issues/23260))


</pre>
</details>
</details>
</action>
</Actions>
---
<table>
<tr>
<td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
</td>
<td>
<p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
</p>
<details><summary>Options:</summary>
<br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
<ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
</ul>
<p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
</p>
</details>
</td>
</tr>
</table>
Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds support for Cross Tenant CMK
https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account
Introduces two new properties:
key_vault_uri- used when the SP has no access to the vault that stores the CMKfederated_identity_client_id- points at the appID used for federated access