keyvault: normalizing the casing of the permissions #10593

Merged
merged 3 commits into from Feb 16, 2021
Merged
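--- a/azurerm/internal/services/keyvault/access_policy_schema.go
+++ b/azurerm/internal/services/keyvault/access_policy_schema.go
@@ -1,37 +1,136 @@
 package keyvault
 
 import (
+"strings"
+
 "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 uuid "github.com/satori/go.uuid"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/suppress"
 )
 
+func certificatePermissions() []string {
+return []string{
+"Backup",
+"Create",
+"Delete",
+"DeleteIssuers",
+"Get",
+"GetIssuers",
+"Import",
+"List",
+"ListIssuers",
+"ManageContacts",
+"ManageIssuers",
+"Purge",
+"Recover",
+"Restore",
+"SetIssuers",
+"Update",
+}
+}
+
+func flattenCertificatePermission(input string) string {
+for _, permission := range certificatePermissions() {
+if strings.EqualFold(input, permission) {
+return permission
+}
+}
+
+return input
+}
+
+func keyPermissions() []string {
+return []string{
+"Backup",
+"Create",
+"Decrypt",
+"Delete",
+"Encrypt",
+"Get",
+"Import",
+"List",
+"Purge",
+"Recover",
+"Restore",
+"Sign",
+"UnwrapKey",
+"Update",
+"Verify",
+"WrapKey",
+}
+}
+
+func flattenKeyPermission(input string) string {
+for _, permission := range keyPermissions() {
+if strings.EqualFold(input, permission) {
+return permission
+}
+}
+
+return input
+}
+
+func secretPermissions() []string {
+return []string{
+"Backup",
+"Delete",
+"Get",
+"List",
+"Purge",
+"Recover",
+"Restore",
+"Set",
+}
+}
+
+func flattenSecretPermission(input string) string {
+for _, permission := range secretPermissions() {
+if strings.EqualFold(input, permission) {
+return permission
+}
+}
+
+return input
+}
+
+func storagePermissions() []string {
+return []string{
+"Backup",
+"Delete",
+"DeleteSAS",
+"Get",
+"GetSAS",
+"List",
+"ListSAS",
+"Purge",
+"Recover",
+"RegenerateKey",
+"Restore",
+"Set",
+"SetSAS",
+"Update",
+}
+}
+
+func flattenStoragePermission(input string) string {
+for _, permission := range storagePermissions() {
+if strings.EqualFold(input, permission) {
+return permission
+}
+}
+
+return input
+}
+
 func schemaCertificatePermissions() *schema.Schema {
 return &schema.Schema{
 Type: schema.TypeList,
 Optional: true,
 Elem: &schema.Schema{
-Type: schema.TypeString,
-ValidateFunc: validation.StringInSlice([]string{
-string(keyvault.Backup),
-string(keyvault.Create),
-string(keyvault.Delete),
-string(keyvault.Deleteissuers),
-string(keyvault.Get),
-string(keyvault.Getissuers),
-string(keyvault.Import),
-string(keyvault.List),
-string(keyvault.Listissuers),
-string(keyvault.Managecontacts),
-string(keyvault.Manageissuers),
-string(keyvault.Purge),
-string(keyvault.Recover),
-string(keyvault.Restore),
-string(keyvault.Setissuers),
-string(keyvault.Update),
-}, true),
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice(certificatePermissions(), true),
 DiffSuppressFunc: suppress.CaseDifference,
 },
 }
@@ -42,25 +141,8 @@ func schemaKeyPermissions() *schema.Schema {
 Type: schema.TypeList,
 Optional: true,
 Elem: &schema.Schema{
-Type: schema.TypeString,
-ValidateFunc: validation.StringInSlice([]string{
-string(keyvault.KeyPermissionsBackup),
-string(keyvault.KeyPermissionsCreate),
-string(keyvault.KeyPermissionsDecrypt),
-string(keyvault.KeyPermissionsDelete),
-string(keyvault.KeyPermissionsEncrypt),
-string(keyvault.KeyPermissionsGet),
-string(keyvault.KeyPermissionsImport),
-string(keyvault.KeyPermissionsList),
-string(keyvault.KeyPermissionsPurge),
-string(keyvault.KeyPermissionsRecover),
-string(keyvault.KeyPermissionsRestore),
-string(keyvault.KeyPermissionsSign),
-string(keyvault.KeyPermissionsUnwrapKey),
-string(keyvault.KeyPermissionsUpdate),
-string(keyvault.KeyPermissionsVerify),
-string(keyvault.KeyPermissionsWrapKey),
-}, true),
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice(keyPermissions(), true),
 DiffSuppressFunc: suppress.CaseDifference,
 },
 }
@@ -71,17 +153,8 @@ func schemaSecretPermissions() *schema.Schema {
 Type: schema.TypeList,
 Optional: true,
 Elem: &schema.Schema{
-Type: schema.TypeString,
-ValidateFunc: validation.StringInSlice([]string{
-string(keyvault.SecretPermissionsBackup),
-string(keyvault.SecretPermissionsDelete),
-string(keyvault.SecretPermissionsGet),
-string(keyvault.SecretPermissionsList),
-string(keyvault.SecretPermissionsPurge),
-string(keyvault.SecretPermissionsRecover),
-string(keyvault.SecretPermissionsRestore),
-string(keyvault.SecretPermissionsSet),
-}, true),
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice(secretPermissions(), true),
 DiffSuppressFunc: suppress.CaseDifference,
 },
 }
@@ -92,23 +165,9 @@ func schemaStoragePermissions() *schema.Schema {
 Type: schema.TypeList,
 Optional: true,
 Elem: &schema.Schema{
-Type: schema.TypeString,
-ValidateFunc: validation.StringInSlice([]string{
-string(keyvault.StoragePermissionsBackup),
-string(keyvault.StoragePermissionsDelete),
-string(keyvault.StoragePermissionsDeletesas),
-string(keyvault.StoragePermissionsGet),
-string(keyvault.StoragePermissionsGetsas),
-string(keyvault.StoragePermissionsList),
-string(keyvault.StoragePermissionsListsas),
-string(keyvault.StoragePermissionsPurge),
-string(keyvault.StoragePermissionsRecover),
-string(keyvault.StoragePermissionsRegeneratekey),
-string(keyvault.StoragePermissionsRestore),
-string(keyvault.StoragePermissionsSet),
-string(keyvault.StoragePermissionsSetsas),
-string(keyvault.StoragePermissionsUpdate),
-}, false),
+Type: schema.TypeString,
+ValidateFunc: validation.StringInSlice(storagePermissions(), true),
+DiffSuppressFunc: suppress.CaseDifference,
 },
 }
 }
@@ -206,7 +265,8 @@ func flattenCertificatePermissions(input *[]keyvault.CertificatePermissions) []i
 
 if input != nil {
 for _, certificatePermission := range *input {
-output = append(output, string(certificatePermission))
+permission := flattenCertificatePermission(string(certificatePermission))
+output = append(output, permission)
 }
 }
 
@@ -227,7 +287,8 @@ func flattenKeyPermissions(input *[]keyvault.KeyPermissions) []interface{} {
 
 if input != nil {
 for _, keyPermission := range *input {
-output = append(output, string(keyPermission))
+permission := flattenKeyPermission(string(keyPermission))
+output = append(output, permission)
 }
 }
 
@@ -249,7 +310,8 @@ func flattenSecretPermissions(input *[]keyvault.SecretPermissions) []interface{}
 
 if input != nil {
 for _, secretPermission := range *input {
-output = append(output, string(secretPermission))
+permission := flattenSecretPermission(string(secretPermission))
+output = append(output, permission)
 }
 }
 
@@ -271,7 +333,8 @@ func flattenStoragePermissions(input *[]keyvault.StoragePermissions) []interface
 
 if input != nil {
 for _, storagePermission := range *input {
-output = append(output, string(storagePermission))
+permission := flattenStoragePermission(string(storagePermission))
+output = append(output, permission)
 }
 }
 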
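Review bot: flattenCertificatePermission, flattenKeyPermission, flattenSecretPermission and flattenStoragePermission are the same EqualFold loop written four times with only the list swapped, and each call rebuilds that list, so a shared normalizePermission helper (sketch below) would leave one place to maintain the matching rule. The canonical lists now live in this file rather than being derived from the SDK's keyvault.* constants as the removed ValidateFunc bodies were, so a permission the service starts returning that is missing here passes through the flatten helper in the API's casing and is then rejected by ValidateFunc on the next plan; a comment such as `// Keep in sync with the SDK's keyvault.CertificatePermissions values; flattenCertificatePermission returns unknown values unchanged.` above each list would make that maintenance duty visible. Storage permissions also appear to move from case-sensitive to case-insensitive validation (the removed `}, false)` versus `storagePermissions(), true`), which widens what a config may contain and is worth a line in the description.
```go
// normalizePermission returns the entry of known that matches input
// case-insensitively, or input itself when there is no match.
func normalizePermission(input string, known []string) string {
	for _, permission := range known {
		if strings.EqualFold(input, permission) {
			return permission
		}
	}
	return input
}

func flattenCertificatePermission(input string) string {
	return normalizePermission(input, certificatePermissions())
}

// … unchanged: the key, secret and storage variants delegate the same way …
```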
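--- a/azurerm/internal/services/keyvault/key_vault_data_source_test.go
+++ b/azurerm/internal/services/keyvault/key_vault_data_source_test.go
@@ -24,8 +24,8 @@ func TestAccDataSourceKeyVault_basic(t *testing.T) {
 check.That(data.ResourceName).Key("sku_name").Exists(),
 check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
 check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
-check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
-check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
+check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
+check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
 check.That(data.ResourceName).Key("tags.%").HasValue("0"),
 ),
 },
@@ -44,8 +44,8 @@ func TestAccDataSourceKeyVault_complete(t *testing.T) {
 check.That(data.ResourceName).Key("sku_name").Exists(),
 check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
 check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
-check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("get"),
-check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("get"),
+check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Get"),
+check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Get"),
 check.That(data.ResourceName).Key("tags.%").HasValue("1"),
 check.That(data.ResourceName).Key("tags.environment").HasValue("Production"),
 ),
@@ -65,8 +65,8 @@ func TestAccDataSourceKeyVault_networkAcls(t *testing.T) {
 check.That(data.ResourceName).Key("sku_name").Exists(),
 check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
 check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
-check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
-check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
+check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
+check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
 check.That(data.ResourceName).Key("network_acls.#").HasValue("1"),
 check.That(data.ResourceName).Key("network_acls.0.default_action").HasValue("Allow"),
 check.That(data.ResourceName).Key("tags.%").HasValue("0"),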
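--- a/azurerm/internal/services/keyvault/key_vault_resource_test.go
+++ b/azurerm/internal/services/keyvault/key_vault_resource_test.go
@@ -141,16 +141,16 @@ func TestAccKeyVault_update(t *testing.T) {
 Config: r.basic(data),
 Check: resource.ComposeTestCheckFunc(
 check.That(data.ResourceName).ExistsInAzure(r),
-check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
-check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
+check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
+check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
 check.That(data.ResourceName).Key("tags.%").HasValue("0"),
 ),
 },
 {
 Config: r.update(data),
 Check: resource.ComposeTestCheckFunc(
-check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("get"),
-check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("get"),
+check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Get"),
+check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Get"),
 check.That(data.ResourceName).Key("enabled_for_deployment").HasValue("true"),
 check.That(data.ResourceName).Key("enabled_for_disk_encryption").HasValue("true"),
 check.That(data.ResourceName).Key("enabled_for_template_deployment").HasValue("true"),
@@ -239,7 +239,7 @@ func TestAccKeyVault_justCert(t *testing.T) {
 Config: r.justCert(data),
 Check: resource.ComposeTestCheckFunc(
 check.That(data.ResourceName).ExistsInAzure(r),
-check.That(data.ResourceName).Key("access_policy.0.certificate_permissions.0").HasValue("get"),
+check.That(data.ResourceName).Key("access_policy.0.certificate_permissions.0").HasValue("Get"),
 ),
 },
 data.ImportStep(),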
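--- a/website/docs/r/key_vault.html.markdown
+++ b/website/docs/r/key_vault.html.markdown
@@ -52,15 +52,15 @@ resource "azurerm_key_vault" "example" {
 object_id = data.azurerm_client_config.current.object_id
 
 key_permissions = [
-"get",
+"Get",
 ]
 
 secret_permissions = [
-"get",
+"Get",
 ]
 
 storage_permissions = [
-"get",
+"Get",
 ]
 }
 }
@@ -120,13 +120,13 @@ A `access_policy` block supports the following:
 
 * `application_id` - (Optional) The object ID of an Application in Azure Active Directory.
 
-* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `backup`, `create`, `delete`, `deleteissuers`, `get`, `getissuers`, `import`, `list`, `listissuers`, `managecontacts`, `manageissuers`, `purge`, `recover`, `restore`, `setissuers` and `update`.
+* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
 
-* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`.
+* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify` and `WrapKey`.
 
-* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`.
+* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
 
-* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`.
+* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
 
 ---
 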