Merge pull request #3389 from code-haven/master

Add support to disable authentication for Azure Redis caches
hashicorp · May 14, 2019 · 9734cf3 · 9734cf3
2 parents 7e87b5b + d0feef1
commit 9734cf3
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 4 deletions.
diff --git a/azurerm/resource_arm_redis_cache.go b/azurerm/resource_arm_redis_cache.go
@@ -187,6 +187,11 @@ func resourceArmRedisCache() *schema.Resource {
 							Optional:  true,
 							Sensitive: true,
 						},
+						"enable_authentication": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Default:  true,
+						},
 					},
 				},
 			},
@@ -279,6 +284,11 @@ func resourceArmRedisCacheCreate(d *schema.ResourceData, meta interface{}) error
 		return fmt.Errorf("Error parsing Patch Schedule: %+v", err)
 	}
 
+	redisConfiguration, err := expandRedisConfiguration(d)
+	if err != nil {
+		return fmt.Errorf("Error parsing Redis Configuration: %+v", err)
+	}
+
 	parameters := redis.CreateParameters{
 		Location: utils.String(location),
 		CreateProperties: &redis.CreateProperties{
@@ -289,7 +299,7 @@ func resourceArmRedisCacheCreate(d *schema.ResourceData, meta interface{}) error
 				Name:     sku,
 			},
 			MinimumTLSVersion:  redis.TLSVersion(d.Get("minimum_tls_version").(string)),
-			RedisConfiguration: expandRedisConfiguration(d),
+			RedisConfiguration: redisConfiguration,
 		},
 		Tags: expandedTags,
 	}
@@ -401,7 +411,11 @@ func resourceArmRedisCacheUpdate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	if d.HasChange("redis_configuration") {
-		parameters.RedisConfiguration = expandRedisConfiguration(d)
+		redisConfiguration, err := expandRedisConfiguration(d)
+		if err != nil {
+			return fmt.Errorf("Error parsing Redis Configuration: %+v", err)
+		}
+		parameters.RedisConfiguration = redisConfiguration
 	}
 
 	if _, err := client.Update(ctx, resGroup, name, parameters); err != nil {
@@ -595,7 +609,7 @@ func redisStateRefreshFunc(ctx context.Context, client redis.Client, resourceGro
 	}
 }
 
-func expandRedisConfiguration(d *schema.ResourceData) map[string]*string {
+func expandRedisConfiguration(d *schema.ResourceData) (map[string]*string, error) {
 	output := make(map[string]*string)
 
 	if v, ok := d.GetOk("redis_configuration.0.maxclients"); ok {
@@ -660,7 +674,21 @@ func expandRedisConfiguration(d *schema.ResourceData) map[string]*string {
 		output["aof-storage-connection-string-1"] = utils.String(v.(string))
 	}
 
-	return output
+	if v, ok := d.GetOkExists("redis_configuration.0.enable_authentication"); ok {
+		authEnabled := v.(bool)
+		_, isPrivate := d.GetOk("subnet_id")
+
+		// Redis authentication can only be disabled if it is launched inside a VNET.
+		if !isPrivate {
+			if !authEnabled {
+				return nil, fmt.Errorf("Cannot set `enable_authentication` to `false` when `subnet_id` is not set")
+			}
+		} else {
+			value := isAuthNotRequiredAsString(authEnabled)
+			output["authnotrequired"] = utils.String(value)
+		}
+	}
+	return output, nil
 }
 
 func expandRedisPatchSchedule(d *schema.ResourceData) (*redis.PatchSchedule, error) {
@@ -770,9 +798,32 @@ func flattenRedisConfiguration(input map[string]*string) ([]interface{}, error)
 		outputs["aof_storage_connection_string_1"] = *v
 	}
 
+	// `authnotrequired` is not set for instances launched outside a VNET
+	outputs["enable_authentication"] = true
+	if v := input["authnotrequired"]; v != nil {
+		outputs["enable_authentication"] = isAuthRequiredAsBool(*v)
+	}
+
 	return []interface{}{outputs}, nil
 }
 
+func isAuthRequiredAsBool(not_required string) bool {
+	value := strings.ToLower(not_required)
+	output := map[string]bool{
+		"yes": false,
+		"no":  true,
+	}
+	return output[value]
+}
+
+func isAuthNotRequiredAsString(auth_required bool) string {
+	output := map[bool]string{
+		true:  "no",
+		false: "yes",
+	}
+	return output[auth_required]
+}
+
 func flattenRedisPatchSchedules(schedule redis.PatchSchedule) []interface{} {
 	outputs := make([]interface{}, 0)
 

diff --git a/azurerm/resource_arm_redis_cache_test.go b/azurerm/resource_arm_redis_cache_test.go
@@ -640,6 +640,27 @@ func TestAccAzureRMRedisCache_SubscribeAllEvents(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMRedisCache_WithoutAuth(t *testing.T) {
+	resourceName := "azurerm_redis_cache.test"
+	ri := tf.AccRandTimeInt()
+	config := testAccAzureRMRedisCacheWithoutAuth(ri, testLocation())
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMRedisCacheDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMRedisCacheExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "redis_configuration.0.enable_authentication", "false"),
+				),
+			},
+		},
+	})
+}
+
 func testAccAzureRMRedisCache_basic(rInt int, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {
@@ -1095,3 +1116,40 @@ resource "azurerm_redis_cache" "test" {
 }
 `, ri, location, ri, ri)
 }
+
+func testAccAzureRMRedisCacheWithoutAuth(ri int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_virtual_network" "test" {
+  name                = "acctestnw-%d"
+  address_space       = ["10.0.0.0/16"]
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_subnet" "test" {
+  name                 = "testsubnet"
+  resource_group_name  = "${azurerm_resource_group.test.name}"
+  virtual_network_name = "${azurerm_virtual_network.test.name}"
+  address_prefix       = "10.0.1.0/24"
+}
+
+resource "azurerm_redis_cache" "test" {
+  name                = "acctestRedis-%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  capacity            = 1
+  family              = "P"
+  sku_name            = "Premium"
+  enable_non_ssl_port = false
+  subnet_id           = "${azurerm_subnet.test.id}"
+  redis_configuration {
+		enable_authentication = false
+	}
+}
+`, ri, location, ri, ri)
+}
diff --git a/website/docs/r/redis_cache.html.markdown b/website/docs/r/redis_cache.html.markdown
@@ -80,6 +80,10 @@ The following arguments are supported:
 
 A `redis_configuration` block supports the following:
 
+* `enable_authentication` - (Optional) If set to `false`, the Redis instance will be accessible without authentication. Defaults to `true`.
+
+-> **NOTE:** `enable_authentication` can only be set to `false` if a `subnet_id` is specified; and only works if there aren't existing instances within the subnet with `enable_authentication` set to `true`.
+
 * `maxmemory_reserved` - (Optional) Value in megabytes reserved for non-cache usage e.g. failover. Defaults are shown below.
 * `maxmemory_delta` - (Optional) The max-memory delta for this Redis instance. Defaults are shown below.
 * `maxmemory_policy` - (Optional) How Redis will select what to remove when `maxmemory` is reached. Defaults are shown below.
@@ -114,6 +118,7 @@ redis_configuration {
 
 | Redis Value                     | Basic        | Standard     | Premium      |
 | ------------------------------- | ------------ | ------------ | ------------ |
+| enable_authentication           | true         | true         | true         |
 | maxmemory_reserved              | 2            | 50           | 200          |
 | maxfragmentationmemory_reserved | 2            | 50           | 200          |
 | maxmemory_delta                 | 2            | 50           | 200          |