New Resource: Key Vault Access Policy

[monkey-jeff]

Hello everyone.

This is to address #754 which allows for separating our Key Vault Policies from the Key Vault Resource. This is also a feature I wanted as it allows me to pass in N number of policies for a Key Vault where N is not a constant. I can now add 'count' to the policy resource to create multiple at once.

The resource looks like below allowing you to update the policy of an existing policy.

resource "azurerm_key_vault_policy" "test" {
  vault_name                   = "NAME_OF_VAULT"
  vault_resource_group  = "RESOURCE_GROUP_OF_VAULT"

  object_id 		= "OBJECT_ID of service principal"
  tenant_id		= "TENANT_ID of service principal"
  application_id 	= "APPLICATION_ID if granting access to an application"

  key_permissions = [
    "create",
    "get"
  ]

  secret_permissions = [
    "get",
    "delete"
  ]
  certificate_permissions = [
    "create", 
    "delete"
  ]
}

This PR changes some behavior of the existing resrouce

• Minimum Access Policy blocks in a key vault resource has been reduced to 0
• Checking the access policies has been removed from the refresh of the Key Vault Resource (this is to prevent it from removing policies added by a policy resource object)

The way the new Key Vault resource interacts with these is as follows

• If the object id / tenant id pair already exists in the access policy there will be no failure and in effect that resource will be imported into the terraform state (Hence the lacking of the ability to import since it already works seamlessly) //Question. Should I add something similar to this to the doc section explaining why there isn't an import?
• If the access policy is removed outside of the terraform plan the refresh will want to add it back on a plan

I also moved the access policy definitions into its own file so there is a single place to update this.

Let me know what changes if any you guys would like me to make here. I do apologize if my go code is sloppy, this is my first time contributing to terraform and my first time writing in go, so I am sure there will be some issues to resolve.

-Jeff

[day-jeff]

Reviewed and tested this code. The implementation is solid, and everything worked perfectly in my real-world test. Thanks for this!

[monkey-jeff]

This was removed due to it only being used in a refresh. Refresh the access policies on the key vault resource causes a fight between key vault and key vault policy over ownership of the resource (basically doing this during a keyvault refresh it wants to remove resources created by a key vault policy

I note this because the merge conflict is now due to content that has been changes in the function that I had removed.

[tombuildsstuff]

that's intentional - we can instead make the field access_policy Optional + Computed - which means that the value will be used from the API unless it's set locally (in which case diff's will be detected)

[tiwood]

Any updates on this? I have some use cases for this new resource type.

Thanks for your contribution.

[pixelicous]

This is cool! Looking forward to seeing it implemented as well

[JunyiYi]

Since it is optional, you might just remove this line (MinItems: 0).

[monkey-jeff]

Removed.

[JunyiYi]

If it is not used, remove this line.

[monkey-jeff]

Removed

[JunyiYi]

Typically we don't read terraform resources after it is deleted, and we don't set its ID either.

[monkey-jeff]

Added a check that we aren't deleting it.

[JunyiYi]

if action != keyvault.Remove {
  d.SetId(*read.ID)
  return resourceArmKeyVaultRead(d, meta)
} else {
  return nil
}

[monkey-jeff]

Good point, fixed

[tombuildsstuff]

we can actually make this:

if d.IsNewResource() {
  d.SetID(*read.ID)
}

since the ID won't change post-creation

[monkey-jeff]

Is there anything I need to do here right now? Have 2 approvals and a couple of pending. Sorry this is my first PR against terraform. Just curious as to what the normal process is from here as the CONTRIBUTING.md is a bit vague around this point of the process.

Also thanks for looking this over as well as the great platform/product that is terraform!

-Jeff

[achandmsft]

@tombuildsstuff could you please merge?

[tiwood]

I'm really desperate to get this functionality, is there a way to help or do we just need to wait for the reviews?

[monkey-jeff]

I think at this point it is waiting for reviews. It is not a small PR so it would take a little bit longer...hopefully tom and kat can get to it soon, but they are both very busy and have a lot to review....best think you can do is upvote this PR in my opinion.

[day-jeff]

@tiwood: Another option is to clone and build Jeff's branch: sophos-jeff:feature/key_vault_policy

[tombuildsstuff]

@sophos-jeff apologies for the delayed re-review here; I'm still trying to catch up from a few weeks AFK - I'll be taking another look through this shortly :)

[tombuildsstuff]

@sophos-jeff I've been spending some time on this resource this afternoon testing this/working out what's needed to get this merged and have made a few commits (mostly fixing the locking/refactoring/tests) - I hope you don't mind but I'm going to push these so that we can run the tests.

Once the tests pass (which the Access Policy tests have locally) - we'll do some edge case testing (probably Monday) and then we should be good to merge this :)

changes have been pushed

[tombuildsstuff]

Key Vault Access Policy Tests pass:

$ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_

=== RUN   TestAccAzureRMKeyVaultAccessPolicy_basic
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_basic (222.29s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_multiple
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_multiple (228.28s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_update
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_update (238.59s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	689.209s

$ acctests azurerm TestAccAzureRMKeyVaultAccessPolicy_import

=== RUN   TestAccAzureRMKeyVaultAccessPolicy_importBasic
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_importBasic (225.81s)
=== RUN   TestAccAzureRMKeyVaultAccessPolicy_importMultiple
--- PASS: TestAccAzureRMKeyVaultAccessPolicy_importMultiple (218.71s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	444.557s

[tombuildsstuff]

Ignoring an existing failing test in Key Vault - the tests pass:

[tombuildsstuff]

This now LGTM / seems fine with some edge-case testing 👍🏻

Thanks for this @sophos-jeff (hope you don't mind me pushing a few commits to finish this off!) :)

[monkey-jeff]

Not at all Tom. Thanks for getting this merged :D Glad to see this feature available soon :D

[jmeisner3]

@sophos-jeff thanks a lot for working on this!

[pixelicous]

@tombuildsstuff Great work! This would be very useful to us and anyone else using azure, finally this is merged!! 😋 👍 🥇