Add stand-alone resource to edit Key Vault access policies

[day-jeff]

This new resource allows access policies to be set on existing Key Vaults without creating/destroying the KV instance. This allows new resources (e.g. VMs) to be given access to keys, secrets and certificates stored in KV.

This PR was created in order to allow new VMs (stand-alone or in a scale set) to read/write secrets and certificates from/to an existing Key Vault.

[day-jeff]

Ping... Any way to get a review going on this PR?

[monkey-jeff]

I didn't notice this PR when I opened #1149 this weekend. I didn't see any PRs associated with #754 which is the issue i was looking at.

I just want this feature added, so lets pool resources. I see several issues with this PR and will comment inline pointing them out. To avoid duplicate work lets collaborate here.

[monkey-jeff]

Just a few issues I currently see with this. Sorry if it seems like I am being harsh, definitely not my intention.

[monkey-jeff]

Doing this will make it look just like a Key Vault resource so the examples you have wouldn't follow this pater. This resource would have to look like

resource "azurerm_key_vault" "test" {
  name                = "testvault"
  resource_group_name = "${azurerm_resource_group.test.name}"

  tenant_id = "d6e396d0-5584-41dc-9fc0-268df99bc610"

  access_policy {
    tenant_id = "d6e396d0-5584-41dc-9fc0-268df99bc610"
    object_id = "d746815a-0433-4a21-b95d-fc437d2d475b"

    key_permissions = [
      "get",
    ]

    secret_permissions = [
      "get",
    ]
  }

Which wouldn't really be allowing you to attach it to an existing keyvault.

[day-jeff]

I missed that the SDK has the UpdateAccessPolicy function. I therefore intentionally reused the KV resource with the idea of reading all its existing properties and editing only the access policies. Given that UpdateAccessPolicy is there, I will quickly reassess approaches and write back.

[monkey-jeff]

There is a call in the sdk to only update the policy

client.UpdateAccessPolicy(ctx, resGroup, name, action, parameters)

[monkey-jeff]

As noted above, the written code would allow for resources that look like this.

[monkey-jeff]

Probably shouldn't import the entire vault for just the access policies.

[monkey-jeff]

This terraform is malformed and the tests fail due to this, should be

resource "azurerm_key_vault_access_policy" "test"

Or something like that

[monkey-jeff]

This should be used to ensure that resources setup by your acceptance tests are detroyed.

[monkey-jeff]

Should reference your tests policy resource

[monkey-jeff]

Should reference your test policy resource

[day-jeff]

Jeff, this is simple--your implementation is correct, this one is not. I will close this PR in favor of yours. I missed that the Go SDK has a function to update access policies, so I implemented a workaround. I reviewed and tested your code, and it looks great.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!