Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New data source azurerm_key_vault_certificate #7285

Merged
merged 5 commits into from Jun 11, 2020
Merged

New data source azurerm_key_vault_certificate #7285

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d10dfc7
added kv cert ds, tests and docs
jackofallops Jun 10, 2020
b2faa2a
additional test for generated cert
jackofallops Jun 10, 2020
cc561da
updated schema sets to lists
jackofallops Jun 11, 2020
259074d
doc fixes
jackofallops Jun 11, 2020
18a1eb4
additional doc fixes
jackofallops Jun 11, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
290 changes: 290 additions & 0 deletions azurerm/internal/services/keyvault/key_vault_certificate_data_source.go
View file
Open in desktop
@@ -0,0 +1,290 @@
package keyvault

import (
"encoding/base64"
"encoding/hex"
"fmt"
"log"
"strings"
"time"

"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tags"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/timeouts"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
)

func dataSourceArmKeyVaultCertificate() *schema.Resource {
return &schema.Resource{
Read: dataSourceArmKeyVaultCertificateRead,

Timeouts: &schema.ResourceTimeout{
Read: schema.DefaultTimeout(5 * time.Minute),
},

Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
ValidateFunc: azure.ValidateKeyVaultChildName,
},

"key_vault_id": {
Type: schema.TypeString,
Required: true,
ValidateFunc: azure.ValidateResourceID,
},

"version": {
Type: schema.TypeString,
Optional: true,
Computed: true,
},

// Computed
"certificate_policy": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"issuer_parameters": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Computed: true,
},
},
},
},
"key_properties": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"exportable": {
Type: schema.TypeBool,
Computed: true,
},
"key_size": {
Type: schema.TypeInt,
Computed: true,
},
"key_type": {
Type: schema.TypeString,
Computed: true,
},
"reuse_key": {
Type: schema.TypeBool,
Computed: true,
},
},
},
},

"lifetime_action": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"action": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"action_type": {
Type: schema.TypeString,
Computed: true,
},
},
},
},
"trigger": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"days_before_expiry": {
Type: schema.TypeInt,
Computed: true,
},
"lifetime_percentage": {
Type: schema.TypeInt,
Computed: true,
},
},
},
},
},
},
},

"secret_properties": {
Type: schema.TypeList,
Required: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"content_type": {
Type: schema.TypeString,
Computed: true,
},
},
},
},

"x509_certificate_properties": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"extended_key_usage": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"key_usage": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"subject": {
Type: schema.TypeString,
Computed: true,
},
"subject_alternative_names": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"emails": {
Type: schema.TypeSet,
jackofallops marked this conversation as resolved.
Show resolved Hide resolved
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Set: schema.HashString,
},
"dns_names": {
Type: schema.TypeSet,
jackofallops marked this conversation as resolved.
Show resolved Hide resolved
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Set: schema.HashString,
},
"upns": {
Type: schema.TypeSet,
jackofallops marked this conversation as resolved.
Show resolved Hide resolved
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Set: schema.HashString,
},
},
},
},
"validity_in_months": {
Type: schema.TypeInt,
Computed: true,
},
},
},
},
},
},
},

"secret_id": {
Type: schema.TypeString,
Computed: true,
},

"certificate_data": {
Type: schema.TypeString,
Computed: true,
},

"thumbprint": {
Type: schema.TypeString,
Computed: true,
},

"tags": tags.SchemaDataSource(),
},
}
}

func dataSourceArmKeyVaultCertificateRead(d *schema.ResourceData, meta interface{}) error {
vaultClient := meta.(*clients.Client).KeyVault.VaultsClient
client := meta.(*clients.Client).KeyVault.ManagementClient
ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
defer cancel()

name := d.Get("name").(string)
keyVaultId := d.Get("key_vault_id").(string)
version := d.Get("version").(string)

keyVaultBaseUri, err := azure.GetKeyVaultBaseUrlFromID(ctx, vaultClient, keyVaultId)
if err != nil {
return fmt.Errorf("Error looking up Key %q vault url from id %q: %+v", name, keyVaultId, err)
}

cert, err := client.GetCertificate(ctx, keyVaultBaseUri, name, version)
if err != nil {
if utils.ResponseWasNotFound(cert.Response) {
log.Printf("[DEBUG] Certificate %q was not found in Key Vault at URI %q - removing from state", name, keyVaultBaseUri)
d.SetId("")
return nil
}

return fmt.Errorf("Error reading Key Vault Certificate: %+v", err)
}

if cert.ID == nil || *cert.ID == "" {
return fmt.Errorf("failure reading Key Vault Certificate ID for %q", name)
}

d.SetId(*cert.ID)

id, err := azure.ParseKeyVaultChildID(*cert.ID)
if err != nil {
return err
}

d.Set("name", id.Name)

certificatePolicy := flattenKeyVaultCertificatePolicy(cert.Policy)
if err := d.Set("certificate_policy", certificatePolicy); err != nil {
return fmt.Errorf("Error setting Key Vault Certificate Policy: %+v", err)
}

d.Set("version", id.Version)
d.Set("secret_id", cert.Sid)

certificateData := ""
if contents := cert.Cer; contents != nil {
certificateData = strings.ToUpper(hex.EncodeToString(*contents))
}
d.Set("certificate_data", certificateData)

thumbprint := ""
if v := cert.X509Thumbprint; v != nil {
x509Thumbprint, err := base64.RawURLEncoding.DecodeString(*v)
if err != nil {
return err
}

thumbprint = strings.ToUpper(hex.EncodeToString(x509Thumbprint))
}
d.Set("thumbprint", thumbprint)

return tags.FlattenAndSet(d, cert.Tags)
}
1 change: 1 addition & 0 deletions azurerm/internal/services/keyvault/registration.go
View file
Open in desktop
Expand Up @@ -22,6 +22,7 @@ func (r Registration) WebsiteCategories() []string {
func (r Registration) SupportedDataSources() map[string]*schema.Resource {
return map[string]*schema.Resource{
"azurerm_key_vault_access_policy": dataSourceArmKeyVaultAccessPolicy(),
"azurerm_key_vault_certificate": dataSourceArmKeyVaultCertificate(),
"azurerm_key_vault_key": dataSourceArmKeyVaultKey(),
"azurerm_key_vault_secret": dataSourceArmKeyVaultSecret(),
"azurerm_key_vault": dataSourceArmKeyVault(),
Expand Down
79 changes: 79 additions & 0 deletions azurerm/internal/services/keyvault/tests/key_vault_certificate_data_source_test.go
View file
Open in desktop
@@ -0,0 +1,79 @@
package tests

import (
"fmt"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
)

func TestAccDataSourceAzureRMKeyVaultCertificate_basic(t *testing.T) {
data := acceptance.BuildTestData(t, "data.azurerm_key_vault_certificate", "test")

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceAzureRMKeyVaultCertificate_basic(data),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrSet(data.ResourceName, "certificate_data"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.key_properties.0.key_size", "2048"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.key_properties.0.key_type", "RSA"),
),
},
},
})
}

func TestAccDataSourceAzureRMKeyVaultCertificate_generated(t *testing.T) {
data := acceptance.BuildTestData(t, "data.azurerm_key_vault_certificate", "test")

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceAzureRMKeyVaultCertificate_generated(data),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrSet(data.ResourceName, "certificate_data"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.issuer_parameters.0.name", "Self"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.key_properties.0.exportable", "true"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.key_properties.0.key_size", "2048"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.key_properties.0.key_type", "RSA"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.key_properties.0.reuse_key", "true"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.lifetime_action.0.action.0.action_type", "AutoRenew"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.lifetime_action.0.trigger.0.days_before_expiry", "30"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.secret_properties.0.content_type", "application/x-pkcs12"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.x509_certificate_properties.0.subject", "CN=hello-world"),
resource.TestCheckResourceAttr(data.ResourceName, "certificate_policy.0.x509_certificate_properties.0.validity_in_months", "12"),
),
},
},
})
}

func testAccDataSourceAzureRMKeyVaultCertificate_basic(data acceptance.TestData) string {
template := testAccAzureRMKeyVaultCertificate_basicImportPFX(data)
return fmt.Sprintf(`
%s

data "azurerm_key_vault_certificate" "test" {
name = azurerm_key_vault_certificate.test.name
key_vault_id = azurerm_key_vault.test.id
}
`, template)
}

func testAccDataSourceAzureRMKeyVaultCertificate_generated(data acceptance.TestData) string {
template := testAccAzureRMKeyVaultCertificate_basicGenerate(data)
return fmt.Sprintf(`
%s

data "azurerm_key_vault_certificate" "test" {
name = azurerm_key_vault_certificate.test.name
key_vault_id = azurerm_key_vault.test.id
}
`, template)
}
4 changes: 4 additions & 0 deletions website/azurerm.erb
View file
Open in desktop
Expand Up @@ -293,6 +293,10 @@
<a href="/docs/providers/azurerm/d/key_vault_access_policy.html">azurerm_key_vault_access_policy</a>
</li>

<li>
<a href="/docs/providers/azurerm/d/key_vault_certificate.html">azurerm_key_vault_certificate</a>
</li>

<li>
<a href="/docs/providers/azurerm/d/key_vault_key.html">azurerm_key_vault_key</a>
</li>
Expand Down