azurerm_key_vault_certificate: Support curve property for EC keys #10867
Conversation
ghost
added
simonbrady
changed the title
simonbrady
changed the title
|
Minor merge conflicts with #10873 which updates the keyvault/mgmt API, but I can easily rebase this if that one's merged first. |
|
Rebased off master, questions in #10868 still to be resolved. |
There was a problem hiding this comment.
Hi @simonbrady, thanks for this PR! Overall this looks good and the tests are passing, but where possible we need to ensure that existing configurations are not broken. I have some suggestions inline.
If you want to compute the key_size property, you should be able to do this if you move the logic in your gist into the expandKeyVaultCertificatePolicy() function - just be sure to prefer the value set in configuration to prevent unwanted diffs. Also add the Computed flag to the key_size property to let Terraform know.
| @@ -102,9 +102,9 @@ func resourceKeyVaultKey() *schema.Resource { | |||
| ForceNew: true, | |||
| ValidateFunc: validation.StringInSlice([]string{ | |||
| string(keyvault.P256), | |||
| string(keyvault.P256K), | |||
| string(keyvault.P384), | |||
| string(keyvault.P521), | |||
There was a problem hiding this comment.
Can we add the old value as a hardcoded string, and translate it in the expandKeyVaultCertificatePolicy() function so that existing configurations continue to work?
You will probably need to use CustomizeDiff to suppress the new value in the event the old value is used.
We can add a TODO to remove it in v3.0.
| string(keyvault.P521), | |
| string(keyvault.P521), | |
| "SECP256K1", // TODO: remove this in v3.0 as it was renamed to keyvault.P256K |
| string(keyvault.ECHSM), | ||
| string(keyvault.RSA), | ||
| string(keyvault.RSAHSM), | ||
| }, false), |
There was a problem hiding this comment.
We should be case-insensitive here until v3.0 to avoid breaking existing configs
| }, false), | |
| }, true), // TODO: make this case-sensitive in v3.0 |
|
@simonbrady I hope you don't mind, I've pushed the changes detailed in my earlier review including making the |
…avoid breaking existing configurations
…able value depending on key_type and curve
|
Rebased, now re-running tests |
|
Tests passing (service flapping, passed on second run)
|
|
Thanks for all the assistance @manicminer - I hadn't had time to get to this, but I'm going to claim that's exactly what I would've done :) |
|
This has been released in version 2.57.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.57.0"
}
# ... other configuration ... |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
The
azurerm_key_vault_certificateresource allows for ECDSA certificates with a key type ofEC, but unlikeazurerm_key_vault_keyit doesn't let the user specify which elliptic curve to use.The v7.1 Create Certificate API adds a
crvattribute to the KeyProperties type, so this PR updates thekeyvaultservice to the v7.1 API and addscurveto the allowed key properties, matching the behaviour ofazurerm_key_vault_keywherever possible.All the
keyvaultacceptance tests pass (including new coverage forcurve), but I'm raising this as a draft PR to get feedback on some implications of the change.