Add key_vault_reference_identity_id attribute for `azurerm_function…

…_app` (#13962) This PR adds the key_vault_reference_identity_id attribute for azurerm_function_app. Plus some test cleanup. From the docs: key_vault_reference_identity_id - (Optional) The User Assigned Identity Id used for looking up KeyVault secrets. The identity must be assigned to the application. See Access vaults with a user-assigned identity for more information. Thanks to @patst for #13720. This PR will close #13960 CC: @sebader
hashicorp · Nov 2, 2021 · b45d14b · b45d14b
1 parent af52ca6
commit b45d14b
Show file tree

Hide file tree

Showing 3 changed files with 166 additions and 81 deletions.
diff --git a/internal/services/web/function_app_resource.go b/internal/services/web/function_app_resource.go
@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/azure"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
+	msivalidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/msi/validate"
 	storageValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/storage/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/web/parse"
 	webValidate "github.com/hashicorp/terraform-provider-azurerm/internal/services/web/validate"
@@ -162,6 +163,13 @@ func resourceFunctionApp() *pluginsdk.Resource {
 				}, false),
 			},
 
+			"key_vault_reference_identity_id": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: msivalidate.UserAssignedIdentityID,
+			},
+
 			"site_config": schemaAppServiceFunctionAppSiteConfig(),
 
 			"source_control": schemaAppServiceSiteSourceControl(),
@@ -337,6 +345,10 @@ func resourceFunctionAppCreate(d *pluginsdk.ResourceData, meta interface{}) erro
 		},
 	}
 
+	if v, ok := d.GetOk("key_vault_reference_identity_id"); ok {
+		siteEnvelope.SiteProperties.KeyVaultReferenceIdentity = utils.String(v.(string))
+	}
+
 	if clientCertMode != "" {
 		siteEnvelope.SiteProperties.ClientCertMode = web.ClientCertMode(clientCertMode)
 	}
@@ -475,6 +487,10 @@ func resourceFunctionAppUpdate(d *pluginsdk.ResourceData, meta interface{}) erro
 		},
 	}
 
+	if v, ok := d.GetOk("key_vault_reference_identity_id"); ok {
+		siteEnvelope.SiteProperties.KeyVaultReferenceIdentity = utils.String(v.(string))
+	}
+
 	if clientCertMode != "" {
 		siteEnvelope.SiteProperties.ClientCertMode = web.ClientCertMode(clientCertMode)
 	}
@@ -662,6 +678,10 @@ func resourceFunctionAppRead(d *pluginsdk.ResourceData, meta interface{}) error
 			clientCertMode = string(props.ClientCertMode)
 		}
 		d.Set("client_cert_mode", clientCertMode)
+
+		if props.KeyVaultReferenceIdentity != nil {
+			d.Set("key_vault_reference_identity_id", props.KeyVaultReferenceIdentity)
+		}
 	}
 
 	appServiceTier, err := getFunctionAppServiceTier(ctx, appServicePlanID, meta)