Implement Automatic AzureRM Service Connection (#277)

* Add automatic option

* Save

* Fix tests

* Add acc tests

* Change case

* Update docs

* Add tests

* Remove secret hash

* Format

* Fix acceptance test

* Fix tests

* Lint

* Return hash

* Lint

* Add missing tests

* Feedback

Co-authored-by: Nicholas M. Iodice <niiodice@microsoft.com>

Author: logachev

azuredevops/crud/serviceendpoint/crud_service_endpoint.go

@@ -54,6 +54,7 @@ func genBaseSchema() map[string]*schema.Schema {
 			Type:         schema.TypeString,
 			Required:     true,
 			ValidateFunc: validate.NoEmptyStrings,
+			ForceNew:     true,
 		},
 		"description": {
 			Type:     schema.TypeString,

azuredevops/resource_serviceendpoint_azurerm.go

@@ -1,6 +1,9 @@
 package azuredevops
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/microsoft/azure-devops-go-api/azuredevops/serviceendpoint"
 	crud "github.com/microsoft/terraform-provider-azuredevops/azuredevops/crud/serviceendpoint"
@@ -10,48 +13,116 @@ import (
 
 func resourceServiceEndpointAzureRM() *schema.Resource {
 	r := crud.GenBaseServiceEndpointResource(flattenServiceEndpointAzureRM, expandServiceEndpointAzureRM, parseImportedProjectIDAndServiceEndpointID)
-	crud.MakeUnprotectedSchema(r, "azurerm_spn_clientid", "ARM_CLIENT_ID", "The service principal id which should be used.")
-	crud.MakeProtectedSchema(r, "azurerm_spn_clientsecret", "ARM_CLIENT_SECRET", "The service principal secret which should be used.")
 	crud.MakeUnprotectedSchema(r, "azurerm_spn_tenantid", "ARM_TENANT_ID", "The service principal tenant id which should be used.")
 	crud.MakeUnprotectedSchema(r, "azurerm_subscription_id", "ARM_SUBSCRIPTION_ID", "The Azure subscription Id which should be used.")
 	crud.MakeUnprotectedSchema(r, "azurerm_subscription_name", "ARM_SUBSCRIPTION_NAME", "The Azure subscription name which should be used.")
-	crud.MakeUnprotectedSchema(r, "azurerm_scope", "ARM_SCOPE", "The Azure scope which should be used by the spn.")
+
+	r.Schema["resource_group"] = &schema.Schema{
+		Type:          schema.TypeString,
+		Optional:      true,
+		ForceNew:      true,
+		Description:   "Scope Resource Group",
+		ConflictsWith: []string{"credentials"},
+	}
+
+	secretHashKey, secretHashSchema := tfhelper.GenerateSecreteMemoSchema("serviceprincipalkey")
+	r.Schema["credentials"] = &schema.Schema{
+		Type:          schema.TypeList,
+		Optional:      true,
+		MaxItems:      1,
+		ForceNew:      true,
+		ConflictsWith: []string{"resource_group"},
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"serviceprincipalid": {
+					Type:        schema.TypeString,
+					Required:    true,
+					Description: "The service principal id which should be used.",
+				},
+				"serviceprincipalkey": {
+					Type:             schema.TypeString,
+					Required:         true,
+					Description:      "The service principal secret which should be used.",
+					Sensitive:        true,
+					DiffSuppressFunc: tfhelper.DiffFuncSuppressSecretChanged,
+				},
+				secretHashKey: secretHashSchema,
+			},
+		},
+	}
+
 	return r
 }
 
 // Convert internal Terraform data structure to an AzDO data structure
 func expandServiceEndpointAzureRM(d *schema.ResourceData) (*serviceendpoint.ServiceEndpoint, *string) {
 	serviceEndpoint, projectID := crud.DoBaseExpansion(d)
+
+	scope := fmt.Sprintf("/subscriptions/%s", d.Get("azurerm_subscription_id"))
+	scopeLevel := "Subscription"
+	if _, ok := d.GetOk("resource_group"); ok {
+		scope += fmt.Sprintf("/resourcegroups/%s", d.Get("resource_group"))
+		scopeLevel = "ResourceGroup"
+	}
+
 	serviceEndpoint.Authorization = &serviceendpoint.EndpointAuthorization{
 		Parameters: &map[string]string{
 			"authenticationType":  "spnKey",
-			"scope":               d.Get("azurerm_scope").(string),
-			"serviceprincipalid":  d.Get("azurerm_spn_clientid").(string),
-			"serviceprincipalkey": d.Get("azurerm_spn_clientsecret").(string),
+			"serviceprincipalid":  "",
+			"serviceprincipalkey": "",
 			"tenantid":            d.Get("azurerm_spn_tenantid").(string),
 		},
 		Scheme: converter.String("ServicePrincipal"),
 	}
 	serviceEndpoint.Data = &map[string]string{
-		"creationMode":     "Manual",
+		"creationMode":     "Automatic",
 		"environment":      "AzureCloud",
 		"scopeLevel":       "Subscription",
-		"SubscriptionId":   d.Get("azurerm_subscription_id").(string),
-		"SubscriptionName": d.Get("azurerm_subscription_name").(string),
+		"subscriptionId":   d.Get("azurerm_subscription_id").(string),
+		"subscriptionName": d.Get("azurerm_subscription_name").(string),
+	}
+
+	if scopeLevel == "ResourceGroup" {
+		(*serviceEndpoint.Authorization.Parameters)["scope"] = scope
+	}
+
+	if _, ok := d.GetOk("credentials"); ok {
+		credentials := d.Get("credentials").([]interface{})[0].(map[string]interface{})
+		(*serviceEndpoint.Authorization.Parameters)["serviceprincipalid"] = credentials["serviceprincipalid"].(string)
+		(*serviceEndpoint.Authorization.Parameters)["serviceprincipalkey"] = credentials["serviceprincipalkey"].(string)
+		(*serviceEndpoint.Data)["creationMode"] = "Manual"
 	}
+
 	serviceEndpoint.Type = converter.String("azurerm")
 	serviceEndpoint.Url = converter.String("https://management.azure.com/")
 	return serviceEndpoint, projectID
 }
 
+func flattenCredentials(serviceEndpoint *serviceendpoint.ServiceEndpoint, hashKey string, hashValue string) interface{} {
+	return []map[string]interface{}{{
+		"serviceprincipalid":  (*serviceEndpoint.Authorization.Parameters)["serviceprincipalid"],
+		"serviceprincipalkey": (*serviceEndpoint.Authorization.Parameters)["serviceprincipalkey"],
+		hashKey:               hashValue,
+	}}
+}
+
 // Convert AzDO data structure to internal Terraform data structure
 func flattenServiceEndpointAzureRM(d *schema.ResourceData, serviceEndpoint *serviceendpoint.ServiceEndpoint, projectID *string) {
 	crud.DoBaseFlattening(d, serviceEndpoint, projectID)
-	d.Set("azurerm_scope", (*serviceEndpoint.Authorization.Parameters)["scope"])
-	d.Set("azurerm_spn_clientid", (*serviceEndpoint.Authorization.Parameters)["serviceprincipalid"])
-	tfhelper.HelpFlattenSecret(d, "azurerm_spn_clientsecret")
+	scope := (*serviceEndpoint.Authorization.Parameters)["scope"]
+
+	if (*serviceEndpoint.Data)["creationMode"] == "Manual" {
+		newHash, hashKey := tfhelper.HelpFlattenSecretNested(d, "credentials", d.Get("credentials.0").(map[string]interface{}), "serviceprincipalkey")
+		credentials := flattenCredentials(serviceEndpoint, hashKey, newHash)
+		d.Set("credentials", credentials)
+	}
+
+	s := strings.SplitN(scope, "/", -1)
+	if len(s) == 5 {
+		d.Set("resource_group", s[4])
+	}
+
 	d.Set("azurerm_spn_tenantid", (*serviceEndpoint.Authorization.Parameters)["tenantid"])
-	d.Set("azurerm_spn_clientsecret", (*serviceEndpoint.Authorization.Parameters)["serviceprincipalkey"])
-	d.Set("azurerm_subscription_id", (*serviceEndpoint.Data)["SubscriptionId"])
-	d.Set("azurerm_subscription_name", (*serviceEndpoint.Data)["SubscriptionName"])
+	d.Set("azurerm_subscription_id", (*serviceEndpoint.Data)["subscriptionId"])
+	d.Set("azurerm_subscription_name", (*serviceEndpoint.Data)["subscriptionName"])
 }