From f3d6005e281f6de29df814d8ec6a4cef2a48f5b2 Mon Sep 17 00:00:00 2001
From: t3mi
Date: Tue, 26 May 2020 23:55:08 +0300
Subject: [PATCH] versionless cert for agw

---
 .../network/application_gateway_resource.go | 2 +-
 .../application_gateway_resource_test.go | 181 +++++++++++++++++-
 2 files changed, 173 insertions(+), 10 deletions(-)

diff --git a/azurerm/internal/services/network/application_gateway_resource.go b/azurerm/internal/services/network/application_gateway_resource.go
index b890ea916394..48646624e564 100644
--- a/azurerm/internal/services/network/application_gateway_resource.go
+++ b/azurerm/internal/services/network/application_gateway_resource.go
@@ -1013,7 +1013,7 @@ func resourceArmApplicationGateway() *schema.Resource {
 "key_vault_secret_id": {
 Type: schema.TypeString,
 Optional: true,
- ValidateFunc: azure.ValidateKeyVaultChildId,
+ ValidateFunc: azure.ValidateKeyVaultChildIdVersionOptional,
 },

 "id": {
diff --git a/azurerm/internal/services/network/tests/application_gateway_resource_test.go b/azurerm/internal/services/network/tests/application_gateway_resource_test.go
index 23e808d0ffb6..39af394f3fdc 100644
--- a/azurerm/internal/services/network/tests/application_gateway_resource_test.go
+++ b/azurerm/internal/services/network/tests/application_gateway_resource_test.go
@@ -573,7 +573,7 @@ func TestAccAzureRMApplicationGateway_settingsPickHostNameFromBackendAddress(t *
 })
 }

-func TestAccAzureRMApplicationGateway_sslCertificate_keyvault(t *testing.T) {
+func TestAccAzureRMApplicationGateway_sslCertificate_keyvault_versionless(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_application_gateway", "test")

 resource.ParallelTest(t, resource.TestCase{
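Review bot: The relaxed validator on `key_vault_secret_id` is not surfaced anywhere a user would see it: the diffstat lists only the resource file and its acceptance test, so the field's documentation still needs to say that a secret id without a version segment is now accepted. A short comment on the schema line would also help the next maintainer, e.g. `// a version-less secret id is accepted so the gateway can follow the current certificate version instead of a pinned one` (the gateway-side behaviour is not visible in this patch, so confirm the wording). The docs should presumably also note that with a version-less id the certificate actually served can change without a Terraform plan showing it, which is the intended rotation behaviour but something operators auditing the gateway need to know. resourceArmApplicationGateway continues on both sides of the hunk.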
@@ -582,7 +582,27 @@ func TestAccAzureRMApplicationGateway_sslCertificate_keyvault(t *testing.T) {
 CheckDestroy: testCheckAzureRMApplicationGatewayDestroy,
 Steps: []resource.TestStep{
 {
- Config: testAccAzureRMApplicationGateway_sslCertificate_keyvault(data),
+ Config: testAccAzureRMApplicationGateway_sslCertificate_keyvault_versionless(data),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMApplicationGatewayExists(data.ResourceName),
+ resource.TestCheckResourceAttrSet(data.ResourceName, "ssl_certificate.0.key_vault_secret_id"),
+ ),
+ },
+ data.ImportStep(),
+ },
+ })
+}
+
+func TestAccAzureRMApplicationGateway_sslCertificate_keyvault_versioned(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_application_gateway", "test")
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acceptance.PreCheck(t) },
+ Providers: acceptance.SupportedProviders,
+ CheckDestroy: testCheckAzureRMApplicationGatewayDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMApplicationGateway_sslCertificate_keyvault_versioned(data),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMApplicationGatewayExists(data.ResourceName),
 resource.TestCheckResourceAttrSet(data.ResourceName, "ssl_certificate.0.key_vault_secret_id"),
@@ -1776,10 +1796,6 @@ locals {

 data "azurerm_client_config" "test" {}

-data "azuread_service_principal" "test" {
- display_name = "Microsoft Azure App Service"
-}
-
 resource "azurerm_user_assigned_identity" "test" {
 resource_group_name = "${azurerm_resource_group.test.name}"
 location = "${azurerm_resource_group.test.location}"
@@ -3196,7 +3212,7 @@ resource "azurerm_application_gateway" "test" {
 `, template, data.RandomInteger)
 }

-func testAccAzureRMApplicationGateway_sslCertificate_keyvault(data acceptance.TestData) string {
+func testAccAzureRMApplicationGateway_sslCertificate_keyvault_versionless(data acceptance.TestData) string {
 template := testAccAzureRMApplicationGateway_template(data)
 return fmt.Sprintf(`
 %s
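Review bot: Both the renamed versionless test and the new versioned test only assert `TestCheckResourceAttrSet` on `ssl_certificate.0.key_vault_secret_id`, so neither would notice the id being read back in the other form (for instance a version segment appended to a versionless id, or a version being dropped). For the versionless step a shape check pins exactly what this commit adds, e.g. `resource.TestMatchResourceAttr(data.ResourceName, "ssl_certificate.0.key_vault_secret_id", regexp.MustCompile("/secrets/[^/]+$")),` (requires `regexp` to be imported in the test file), with a `"/secrets/[^/]+/[^/]+$"` counterpart in the versioned test. TestAccAzureRMApplicationGateway_sslCertificate_keyvault_versioned continues past the end of the hunk.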
@@ -3215,10 +3231,157 @@ locals {

 data "azurerm_client_config" "test" {}

-data "azuread_service_principal" "test" {
- display_name = "Microsoft Azure App Service"
+resource "azurerm_user_assigned_identity" "test" {
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+
+ name = "acctest%[2]d"
+}
+
+resource "azurerm_public_ip" "testStd" {
+ name = "acctest-PubIpStd-%[2]d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_key_vault" "test" {
+ name = "acct%[2]d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ tenant_id = data.azurerm_client_config.test.tenant_id
+ sku_name = "standard"
+
+ access_policy {
+ tenant_id = data.azurerm_client_config.test.tenant_id
+ object_id = data.azurerm_client_config.test.object_id
+ secret_permissions = ["delete", "get", "set"]
+ certificate_permissions = ["create", "delete", "get", "import"]
+ }
+
+ access_policy {
+ tenant_id = data.azurerm_client_config.test.tenant_id
+ object_id = azurerm_user_assigned_identity.test.principal_id
+ secret_permissions = ["get"]
+ certificate_permissions = ["get"]
+ }
+
+ soft_delete_enabled = true
+}
+
+resource "azurerm_key_vault_certificate" "test" {
+ name = "acctest%[2]d"
+ key_vault_id = azurerm_key_vault.test.id
+
+ certificate {
+ contents = filebase64("testdata/app_service_certificate.pfx")
+ password = "terraform"
+ }
+
+ certificate_policy {
+ issuer_parameters {
+ name = "Self"
+ }
+
+ key_properties {
+ exportable = true
+ key_size = 2048
+ key_type = "RSA"
+ reuse_key = false
+ }
+
+ secret_properties {
+ content_type = "application/x-pkcs12"
+ }
+ }
 }

+resource "azurerm_application_gateway" "test" {
+ name = "acctestag-%[2]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+
+ sku {
+ name = "WAF_v2"
+ tier = "WAF_v2"
+ capacity = 2
+ }
+
+ gateway_ip_configuration {
+ name = "my-gateway-ip-configuration"
+ subnet_id = azurerm_subnet.test.id
+ }
+
+ identity {
+ identity_ids = [azurerm_user_assigned_identity.test.id]
+ }
+
+ frontend_port {
+ name = local.frontend_port_name
+ port = 443
+ }
+
+ frontend_ip_configuration {
+ name = local.frontend_ip_configuration_name
+ public_ip_address_id = azurerm_public_ip.testStd.id
+ }
+
+ backend_address_pool {
+ name = local.backend_address_pool_name
+ }
+
+ backend_http_settings {
+ name = local.http_setting_name
+ cookie_based_affinity = "Disabled"
+ port = 80
+ protocol = "Http"
+ request_timeout = 1
+ }
+
+ http_listener {
+ name = local.listener_name
+ frontend_ip_configuration_name = local.frontend_ip_configuration_name
+ frontend_port_name = local.frontend_port_name
+ protocol = "Https"
+ ssl_certificate_name = local.ssl_certificate_name
+ }
+
+ request_routing_rule {
+ name = local.request_routing_rule_name
+ rule_type = "Basic"
+ http_listener_name = local.listener_name
+ backend_address_pool_name = local.backend_address_pool_name
+ backend_http_settings_name = local.http_setting_name
+ }
+
+ ssl_certificate {
+ name = local.ssl_certificate_name
+ key_vault_secret_id = "${azurerm_key_vault.test.vault_uri}secrets/${azurerm_key_vault_certificate.test.name}"
+ }
+}
+`, template, data.RandomInteger)
+}
+
+func testAccAzureRMApplicationGateway_sslCertificate_keyvault_versioned(data acceptance.TestData) string {
+ template := testAccAzureRMApplicationGateway_template(data)
+ return fmt.Sprintf(`
+%s
+
+# since these variables are re-used - a locals block makes this more maintainable
+locals {
+ auth_cert_name = "${azurerm_virtual_network.test.name}-auth"
+ backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
+ frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
+ frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+ http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
+ listener_name = "${azurerm_virtual_network.test.name}-httplstn"
+ request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
+ ssl_certificate_name = "${azurerm_virtual_network.test.name}-sslcert"
+}
+
+data "azurerm_client_config" "test" {}
+
 resource "azurerm_user_assigned_identity" "test" {
 resource_group_name = azurerm_resource_group.test.name
 location = azurerm_resource_group.test.location