Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_api_management - support key_vault_id's without a version #6723

Merged
merged 2 commits into from May 14, 2020
Merged

azurerm_api_management - support key_vault_id's without a version #6723

merged 2 commits into from May 14, 2020

Conversation

sirlatrom
Copy link
Contributor

Fixes #4408.

@ghost ghost added the size/L label Apr 30, 2020
@sirlatrom
Copy link
Contributor Author

@katbyte As with previous PRs, I've not been able to run acceptance tests but have verified functionality within my org's tenant.

tombuildsstuff
tombuildsstuff requested changes May 10, 2020
View reviewed changes
Copy link
Member

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @sirlatrom

Thanks for this PR - taking a look through this mostly LGTM, however can we add an acceptance test covering provisioning with a versionless secret to confirm that this works?

Thanks!

azurerm/internal/services/apimanagement/resource_arm_api_management.go Outdated Show resolved Hide resolved
@sirlatrom
Copy link
Contributor Author

sirlatrom commented May 10, 2020
edited

Hey @sirlatrom

Thanks for this PR - taking a look through this mostly LGTM, however can we add an acceptance test covering provisioning with a versionless secret to confirm that this works?

Thanks!

I'd like to, but there's a catch 22: Currently, only System Assigned Identity is used against the Key Vault, and you can of course use an azurerm_key_vault_access_policy to grant the API Management service's System Assigned Identity access to the Key Vault.

But if you create the API Management service with the Key Vault references, versioned or not, they are evaluated during creation of the API Management service, preventing us from creating the access policy ahead of time.

I've tried with User Assigned Identity and confirmed it is not used for Key Vault access. I've got the impression that User Assigned Identity is currently only used to access API backends.

Is there a way that I can have two phases in the acceptance test? In our pipeline we're currently working around the issue by using a variable to conditionally set the key_vault_idhostname_configurations field the first time, conditional on the existence of the relevant azurerm_key_vault_access_policy resource.

@ghost ghost removed the waiting-response label May 10, 2020
@ghost ghost added size/XL and removed size/L labels May 13, 2020
@sirlatrom
Copy link
Contributor Author

@tombuildsstuff In 31e4993, I've added acceptance tests setting the key_vault_uri to either a versioned or a versionless URI.

@sirlatrom
Support versionless Key Vault Child ID in azurerm_api_management
703976a 
Signed-off-by: Sune Keller <absukl@almbrand.dk>
@sirlatrom
Test versioned and version-less URI to certificate in Key Vault
e4f5b70 
Signed-off-by: Sune Keller <absukl@almbrand.dk>
@sirlatrom
Copy link
Contributor Author

@tombuildsstuff @katbyte Rebased this on master after other tests were merged, should apply cleanly now.

katbyte
katbyte approved these changes May 14, 2020
View reviewed changes
Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sirlatrom! LGLTM 👍

@katbyte katbyte changed the title Support versionless Key Vault Child ID in azurerm_api_management azurerm_api_management - support key_vault_id's without a version May 14, 2020
katbyte added a commit that referenced this pull request May 14, 2020
@katbyte
update CHANGELOG.md to include #6723
a061bca
@katbyte katbyte merged commit 7a9a656 into hashicorp:master May 14, 2020
@katbyte katbyte added this to the v2.10.0 milestone May 14, 2020
@ghost
Copy link

ghost commented May 15, 2020

This has been released in version 2.10.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.10.0"
}
# ... other configuration ...

@ghost
Copy link

ghost commented Jun 14, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jun 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@katbyte katbyte katbyte approved these changes

@tombuildsstuff tombuildsstuff Awaiting requested review from tombuildsstuff

Assignees
No one assigned
Labels
enhancement service/api-management size/XL
Projects
None yet
Milestone
v2.10.0
Development

Successfully merging this pull request may close these issues.

API Management custom domain key vault address incorrectly validates
3 participants
@sirlatrom @tombuildsstuff @katbyte