hashicorp · katbyte · Jul 12, 2019 · May 28, 2019 · May 29, 2019 · May 29, 2019
diff --git a/azurerm/data_source_batch_account.go b/azurerm/data_source_batch_account.go
@@ -3,6 +3,8 @@ package azurerm
 import (
 	"fmt"
 
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+
 	"github.com/Azure/azure-sdk-for-go/services/batch/mgmt/2018-12-01/batch"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
@@ -29,6 +31,22 @@ func dataSourceArmBatchAccount() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"key_vault_reference": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"url": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"primary_access_key": {
 				Type:      schema.TypeString,
 				Sensitive: true,
@@ -78,17 +96,24 @@ func dataSourceArmBatchAccountRead(d *schema.ResourceData, meta interface{}) err
 			d.Set("storage_account_id", autoStorage.StorageAccountID)
 		}
 		d.Set("pool_allocation_mode", props.PoolAllocationMode)
-	}
-
-	if d.Get("pool_allocation_mode").(string) == string(batch.BatchService) {
-		keys, err := client.GetKeys(ctx, resourceGroup, name)
-
-		if err != nil {
-			return fmt.Errorf("Cannot read keys for Batch account %q (resource group %q): %v", name, resourceGroup, err)
+		poolAllocationMode := d.Get("pool_allocation_mode").(string)
+
+		if poolAllocationMode == string(batch.BatchService) {
+			keys, err := client.GetKeys(ctx, resourceGroup, name)
+
+			if err != nil {
+				return fmt.Errorf("Cannot read keys for Batch account %q (resource group %q): %v", name, resourceGroup, err)
+			}
+
+			d.Set("primary_access_key", keys.Primary)
+			d.Set("secondary_access_key", keys.Secondary)
+		} else if poolAllocationMode == string(batch.UserSubscription) {
+			if keyVaultReference := props.KeyVaultReference; keyVaultReference != nil {
+				if err := d.Set("key_vault_reference", azure.FlattenBatchAccountKeyvaultReference(keyVaultReference)); err != nil {
+					return fmt.Errorf("Error flattening `key_vault_reference`: %+v", err)
+				}
+			}
 		}
-
-		d.Set("primary_access_key", keys.Primary)
-		d.Set("secondary_access_key", keys.Secondary)
 	}
 
 	flattenAndSetTags(d, resp.Tags)

diff --git a/azurerm/data_source_batch_account_test.go b/azurerm/data_source_batch_account_test.go
@@ -57,6 +57,30 @@ func TestAccDataSourceAzureRMBatchAccount_complete(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceAzureRMBatchAccount_userSubscription(t *testing.T) {
+	dataSourceName := "data.azurerm_batch_account.test"
+	ri := tf.AccRandTimeInt()
+	rs := acctest.RandString(4)
+	location := testLocation()
+	config := testAccDataSourceAzureBatchAccount_userSubscription(ri, rs, location)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(dataSourceName, "name", fmt.Sprintf("testaccbatch%s", rs)),
+					resource.TestCheckResourceAttr(dataSourceName, "location", azureRMNormalizeLocation(location)),
+					resource.TestCheckResourceAttr(dataSourceName, "pool_allocation_mode", "UserSubscription"),
+					resource.TestCheckResourceAttr(dataSourceName, "key_vault_reference.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func testAccDataSourceAzureRMBatchAccount_basic(rInt int, rString string, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {
@@ -111,3 +135,36 @@ data "azurerm_batch_account" "test" {
 }
 `, rInt, location, rString, rString)
 }
+
+func testAccDataSourceAzureBatchAccount_userSubscription(rInt int, rString string, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "testaccRG-%d-batchaccount"
+  location = "%s"
+}
+
+# assuming that you have an existing keyvault and configured for Microsoft Azure Batch for this test to pass
+data "azurerm_key_vault" "test" {
+  name                = "azurebatchkv"
+  resource_group_name = "batch-custom-img-rg"
+}
+
+resource "azurerm_batch_account" "test" {
+  name                 = "testaccbatch%s"
+  resource_group_name  = "${azurerm_resource_group.test.name}"
+  location             = "${azurerm_resource_group.test.location}"
+
+  pool_allocation_mode = "UserSubscription"
+
+  key_vault_reference {
+	id  = "${data.azurerm_key_vault.test.id}"
+	url = "${data.azurerm_key_vault.test.vault_uri}"
+  }
+}
+
+data "azurerm_batch_account" "test" {
+  name                = "${azurerm_batch_account.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+`, rInt, location, rString)
+}
diff --git a/azurerm/helpers/azure/batch_account.go b/azurerm/helpers/azure/batch_account.go
@@ -0,0 +1,45 @@
+package azure
+
+import (
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/services/batch/mgmt/2018-12-01/batch"
+)
+
+// ExpandBatchAccountKeyVaultReference expands Batch account KeyVault reference
+func ExpandBatchAccountKeyVaultReference(list []interface{}) (*batch.KeyVaultReference, error) {
+	if len(list) == 0 {
+		return nil, fmt.Errorf("Error: key vault reference should be defined")
+	}
+
+	keyVaultRef := list[0].(map[string]interface{})
+
+	keyVaultRefID := keyVaultRef["id"].(string)
+	keyVaultRefURL := keyVaultRef["url"].(string)
+
+	ref := &batch.KeyVaultReference{
+		ID:  &keyVaultRefID,
+		URL: &keyVaultRefURL,
+	}
+
+	return ref, nil
+}
+
+// FlattenBatchAccountKeyvaultReference flattens a Batch account keyvault reference
+func FlattenBatchAccountKeyvaultReference(keyVaultReference *batch.KeyVaultReference) interface{} {
+	result := make(map[string]interface{})
+
+	if keyVaultReference == nil {
+		return nil
-		return nil
+		return []interface{}{}
-		return nil
+		return []interface{}{}
+	}
+
+	if keyVaultReference.ID != nil {
+		result["id"] = *keyVaultReference.ID
+	}
+
+	if keyVaultReference.URL != nil {
+		result["url"] = *keyVaultReference.URL
+	}
+
+	return []interface{}{result}
+}
diff --git a/azurerm/resource_arm_batch_account.go b/azurerm/resource_arm_batch_account.go
@@ -5,6 +5,8 @@ import (
 	"log"
 	"regexp"
 
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate"
+
 	"github.com/Azure/azure-sdk-for-go/services/batch/mgmt/2018-12-01/batch"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/helper/validation"
@@ -52,6 +54,25 @@ func resourceArmBatchAccount() *schema.Resource {
 					string(batch.UserSubscription),
 				}, false),
 			},
+			"key_vault_reference": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: azure.ValidateResourceID,
+						},
+						"url": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validate.URLIsHTTPS,
+						},
+					},
+				},
+			},
 			"primary_access_key": {
 				Type:      schema.TypeString,
 				Sensitive: true,
@@ -105,6 +126,21 @@ func resourceArmBatchAccountCreate(d *schema.ResourceData, meta interface{}) err
 		Tags: expandTags(tags),
 	}
 
+	// if pool allocation mode is UserSubscription, a key vault reference needs to be set
+	if poolAllocationMode == string(batch.UserSubscription) {
+		keyVaultReferenceSet := d.Get("key_vault_reference").([]interface{})
+		keyVaultReference, err := azure.ExpandBatchAccountKeyVaultReference(keyVaultReferenceSet)
+		if err != nil {
+			return fmt.Errorf("Error creating Batch account %q (Resource Group %q): %+v", name, resourceGroup, err)
+		}
+
+		if keyVaultReference == nil {
+			return fmt.Errorf("Error creating Batch account %q (Resource Group %q): When setting pool allocation mode to UserSubscription, a Key Vault reference needs to be set", name, resourceGroup)
+		}
+
+		parameters.KeyVaultReference = keyVaultReference
+	}
+
 	if storageAccountId != "" {
 		parameters.AccountCreateProperties.AutoStorage = &batch.AutoStorageBaseProperties{
 			StorageAccountID: &storageAccountId,

diff --git a/azurerm/resource_arm_batch_account_test.go b/azurerm/resource_arm_batch_account_test.go
@@ -130,6 +130,30 @@ func TestAccAzureRMBatchAccount_complete(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMBatchAccount_userSubscription(t *testing.T) {
+	resourceName := "azurerm_batch_account.test"
+	ri := tf.AccRandTimeInt()
+	rs := acctest.RandString(4)
+	location := testLocation()
+
+	config := testAccAzureRMBatchAccount_userSubscription(ri, rs, location)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMBatchAccountDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMBatchAccountExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "pool_allocation_mode", "UserSubscription"),
+				),
+			},
+		},
+	})
+}
+
 func testCheckAzureRMBatchAccountExists(resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		// Ensure we have enough information in state to look up in API
@@ -270,3 +294,30 @@ resource "azurerm_batch_account" "test" {
 }
 `, rInt, location, rString, rString)
 }
+
+func testAccAzureRMBatchAccount_userSubscription(rInt int, batchAccountSuffix string, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "testaccRG-%d-batchaccount"
+  location = "%s"
+}
+
+data "azurerm_key_vault" "test" {
+  name                = "azurebatchkv"
+  resource_group_name = "batch-custom-img-rg"
+}
+
+resource "azurerm_batch_account" "test" {
+  name                 = "testaccbatch%s"
+  resource_group_name  = "${azurerm_resource_group.test.name}"
+  location             = "${azurerm_resource_group.test.location}"
+
+  pool_allocation_mode = "UserSubscription"
+
+  key_vault_reference {
+	  id  = "${data.azurerm_key_vault.test.id}"
+    url = "${data.azurerm_key_vault.test.vault_uri}"
+  }
+}
+`, rInt, location, batchAccountSuffix)
+}
diff --git a/website/docs/d/batch_account.html.markdown b/website/docs/d/batch_account.html.markdown
@@ -50,6 +50,18 @@ The following attributes are exported:
 
 * `account_endpoint` - The account endpoint used to interact with the Batch service.
 
+* `key_vault_reference` - The `key_vault_reference` block that describes the Azure KeyVault reference to use when deploying the Azure Batch account using the `UserSubscription` pool allocation mode. 
+
 * `tags` - A map of tags assigned to the Batch account.
 
-~> **NOTE:** Primary and secondary access keys are only available when `pool_allocation_mode` is set to `BatchService`. See [documentation](https://docs.microsoft.com/en-us/azure/batch/batch-api-basics) for more information.
+~> **NOTE:** Primary and secondary access keys are only available when `pool_allocation_mode` is set to `BatchService`. See [documentation](https://docs.microsoft.com/en-us/azure/batch/batch-api-basics) for more information.
+
+---
+
+A `key_vault_reference` block have the following proporties:
+
+* `id` - The Azure identifier of the Azure KeyVault reference.
+
+* `url` - The HTTPS URL of the Azure KeyVault reference.
+
+---