

Merge pull request #10593 from terraform-providers/b/normalizing-key-…
…vault-casing

keyvault: normalizing the casing of the permissions
tombuildsstuff authored Feb 16, 2021
2 parents e646c55 + 6c1f1a9 commit c5e681b
Showing 5 changed files with 157 additions and 101 deletions.
203 changes: 133 additions & 70 deletions azurerm/internal/services/keyvault/access_policy_schema.go
@@ -1,37 +1,136 @@
package keyvault

import (
"strings"

"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
uuid "github.com/satori/go.uuid"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/suppress"
)

func certificatePermissions() []string {
return []string{
"Backup",
"Create",
"Delete",
"DeleteIssuers",
"Get",
"GetIssuers",
"Import",
"List",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"Purge",
"Recover",
"Restore",
"SetIssuers",
"Update",
}
}

func flattenCertificatePermission(input string) string {
for _, permission := range certificatePermissions() {
if strings.EqualFold(input, permission) {
return permission
}
}

return input
}

func keyPermissions() []string {
return []string{
"Backup",
"Create",
"Decrypt",
"Delete",
"Encrypt",
"Get",
"Import",
"List",
"Purge",
"Recover",
"Restore",
"Sign",
"UnwrapKey",
"Update",
"Verify",
"WrapKey",
}
}

func flattenKeyPermission(input string) string {
for _, permission := range keyPermissions() {
if strings.EqualFold(input, permission) {
return permission
}
}

return input
}

func secretPermissions() []string {
return []string{
"Backup",
"Delete",
"Get",
"List",
"Purge",
"Recover",
"Restore",
"Set",
}
}

func flattenSecretPermission(input string) string {
for _, permission := range secretPermissions() {
if strings.EqualFold(input, permission) {
return permission
}
}

return input
}

func storagePermissions() []string {
return []string{
"Backup",
"Delete",
"DeleteSAS",
"Get",
"GetSAS",
"List",
"ListSAS",
"Purge",
"Recover",
"RegenerateKey",
"Restore",
"Set",
"SetSAS",
"Update",
}
}

func flattenStoragePermission(input string) string {
for _, permission := range storagePermissions() {
if strings.EqualFold(input, permission) {
return permission
}
}

return input
}

func schemaCertificatePermissions() *schema.Schema {
return &schema.Schema{
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.Backup),
string(keyvault.Create),
string(keyvault.Delete),
string(keyvault.Deleteissuers),
string(keyvault.Get),
string(keyvault.Getissuers),
string(keyvault.Import),
string(keyvault.List),
string(keyvault.Listissuers),
string(keyvault.Managecontacts),
string(keyvault.Manageissuers),
string(keyvault.Purge),
string(keyvault.Recover),
string(keyvault.Restore),
string(keyvault.Setissuers),
string(keyvault.Update),
}, true),
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(certificatePermissions(), true),
DiffSuppressFunc: suppress.CaseDifference,
},
}
Expand All @@ -42,25 +141,8 @@ func schemaKeyPermissions() *schema.Schema {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.KeyPermissionsBackup),
string(keyvault.KeyPermissionsCreate),
string(keyvault.KeyPermissionsDecrypt),
string(keyvault.KeyPermissionsDelete),
string(keyvault.KeyPermissionsEncrypt),
string(keyvault.KeyPermissionsGet),
string(keyvault.KeyPermissionsImport),
string(keyvault.KeyPermissionsList),
string(keyvault.KeyPermissionsPurge),
string(keyvault.KeyPermissionsRecover),
string(keyvault.KeyPermissionsRestore),
string(keyvault.KeyPermissionsSign),
string(keyvault.KeyPermissionsUnwrapKey),
string(keyvault.KeyPermissionsUpdate),
string(keyvault.KeyPermissionsVerify),
string(keyvault.KeyPermissionsWrapKey),
}, true),
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(keyPermissions(), true),
DiffSuppressFunc: suppress.CaseDifference,
},
}
Expand All @@ -71,17 +153,8 @@ func schemaSecretPermissions() *schema.Schema {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.SecretPermissionsBackup),
string(keyvault.SecretPermissionsDelete),
string(keyvault.SecretPermissionsGet),
string(keyvault.SecretPermissionsList),
string(keyvault.SecretPermissionsPurge),
string(keyvault.SecretPermissionsRecover),
string(keyvault.SecretPermissionsRestore),
string(keyvault.SecretPermissionsSet),
}, true),
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(secretPermissions(), true),
DiffSuppressFunc: suppress.CaseDifference,
},
}
Expand All @@ -92,23 +165,9 @@ func schemaStoragePermissions() *schema.Schema {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
string(keyvault.StoragePermissionsBackup),
string(keyvault.StoragePermissionsDelete),
string(keyvault.StoragePermissionsDeletesas),
string(keyvault.StoragePermissionsGet),
string(keyvault.StoragePermissionsGetsas),
string(keyvault.StoragePermissionsList),
string(keyvault.StoragePermissionsListsas),
string(keyvault.StoragePermissionsPurge),
string(keyvault.StoragePermissionsRecover),
string(keyvault.StoragePermissionsRegeneratekey),
string(keyvault.StoragePermissionsRestore),
string(keyvault.StoragePermissionsSet),
string(keyvault.StoragePermissionsSetsas),
string(keyvault.StoragePermissionsUpdate),
}, false),
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(storagePermissions(), true),
DiffSuppressFunc: suppress.CaseDifference,
},
}
}
Expand Down Expand Up @@ -206,7 +265,8 @@ func flattenCertificatePermissions(input *[]keyvault.CertificatePermissions) []i

if input != nil {
for _, certificatePermission := range *input {
output = append(output, string(certificatePermission))
permission := flattenCertificatePermission(string(certificatePermission))
output = append(output, permission)
}
}

Expand All @@ -227,7 +287,8 @@ func flattenKeyPermissions(input *[]keyvault.KeyPermissions) []interface{} {

if input != nil {
for _, keyPermission := range *input {
output = append(output, string(keyPermission))
permission := flattenKeyPermission(string(keyPermission))
output = append(output, permission)
}
}

Expand All @@ -249,7 +310,8 @@ func flattenSecretPermissions(input *[]keyvault.SecretPermissions) []interface{}

if input != nil {
for _, secretPermission := range *input {
output = append(output, string(secretPermission))
permission := flattenSecretPermission(string(secretPermission))
output = append(output, permission)
}
}

Expand All @@ -271,7 +333,8 @@ func flattenStoragePermissions(input *[]keyvault.StoragePermissions) []interface

if input != nil {
for _, storagePermission := range *input {
output = append(output, string(storagePermission))
permission := flattenStoragePermission(string(storagePermission))
output = append(output, permission)
}
}

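Review bot: The four permission allow-lists introduced in the first hunk (`certificatePermissions`, `keyPermissions`, `secretPermissions`, `storagePermissions`) are hand-maintained literals that duplicate the SDK enums they replace, with nothing keeping them in sync; a value the API later returns would be rejected by `validation.StringInSlice` in config and passed through `flattenCertificatePermission` unchanged, so a unit test asserting each list matches the SDK's `PossibleCertificatePermissionsValues()` (and the key/secret/storage counterparts) case-insensitively would catch the drift early. The four `flatten*Permission` helpers are the same `strings.EqualFold` loop over a different list, and each call rebuilds that list by calling e.g. `certificatePermissions()`, so a shared `func normalisePermission(input string, known []string) string` with the lists as package-level `var`s would remove the repetition. Each list also deserves a one-line comment such as `// certificatePermissions is the canonical casing written to state; config values are matched case-insensitively`, since the reason for keeping literals beside the SDK enums is otherwise invisible. Note that the storage validator changes from case-sensitive (`false`) to case-insensitive (`true`), which is consistent with the other three but is a user-visible loosening worth a changelog line. The `schema*Permissions` and `flatten*Permissions` functions in the later hunks start or end outside their hunks.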
12 changes: 6 additions & 6 deletions azurerm/internal/services/keyvault/key_vault_data_source_test.go
Expand Up @@ -24,8 +24,8 @@ func TestAccDataSourceKeyVault_basic(t *testing.T) {
check.That(data.ResourceName).Key("sku_name").Exists(),
check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
check.That(data.ResourceName).Key("tags.%").HasValue("0"),
),
},
Expand All @@ -44,8 +44,8 @@ func TestAccDataSourceKeyVault_complete(t *testing.T) {
check.That(data.ResourceName).Key("sku_name").Exists(),
check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("get"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("get"),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Get"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Get"),
check.That(data.ResourceName).Key("tags.%").HasValue("1"),
check.That(data.ResourceName).Key("tags.environment").HasValue("Production"),
),
Expand All @@ -65,8 +65,8 @@ func TestAccDataSourceKeyVault_networkAcls(t *testing.T) {
check.That(data.ResourceName).Key("sku_name").Exists(),
check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
check.That(data.ResourceName).Key("network_acls.#").HasValue("1"),
check.That(data.ResourceName).Key("network_acls.0.default_action").HasValue("Allow"),
check.That(data.ResourceName).Key("tags.%").HasValue("0"),
10 changes: 5 additions & 5 deletions azurerm/internal/services/keyvault/key_vault_resource_test.go
Expand Up @@ -141,16 +141,16 @@ func TestAccKeyVault_update(t *testing.T) {
Config: r.basic(data),
Check: resource.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
check.That(data.ResourceName).Key("tags.%").HasValue("0"),
),
},
{
Config: r.update(data),
Check: resource.ComposeTestCheckFunc(
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("get"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("get"),
check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Get"),
check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Get"),
check.That(data.ResourceName).Key("enabled_for_deployment").HasValue("true"),
check.That(data.ResourceName).Key("enabled_for_disk_encryption").HasValue("true"),
check.That(data.ResourceName).Key("enabled_for_template_deployment").HasValue("true"),
Expand Down Expand Up @@ -239,7 +239,7 @@ func TestAccKeyVault_justCert(t *testing.T) {
Config: r.justCert(data),
Check: resource.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("access_policy.0.certificate_permissions.0").HasValue("get"),
check.That(data.ResourceName).Key("access_policy.0.certificate_permissions.0").HasValue("Get"),
),
},
data.ImportStep(),
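Review bot: The updated `HasValue("Create")`/`HasValue("Set")`/`HasValue("Get")` expectations only pin the canonical casing now written to state; nothing in this file exercises a configuration that still uses the previous lowercase values, which is the path existing users hit and which depends on `suppress.CaseDifference` to avoid a perpetual plan diff. If `r.basic(data)` and `r.update(data)` (defined outside these hunks) already use lowercase input, a `PlanOnly: true` step after the apply would lock that in; if they were switched to the new casing, a dedicated step with lowercase input is worth adding so a regression in the diff-suppress path is caught here rather than by users. The enclosing test functions start and end outside the hunks.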
14 changes: 7 additions & 7 deletions website/docs/r/key_vault.html.markdown
Expand Up @@ -52,15 +52,15 @@ resource "azurerm_key_vault" "example" {
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"get",
"Get",
]
secret_permissions = [
"get",
"Get",
]
storage_permissions = [
"get",
"Get",
]
}
}
Expand Down Expand Up @@ -120,13 +120,13 @@ A `access_policy` block supports the following:

* `application_id` - (Optional) The object ID of an Application in Azure Active Directory.

* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `backup`, `create`, `delete`, `deleteissuers`, `get`, `getissuers`, `import`, `list`, `listissuers`, `managecontacts`, `manageissuers`, `purge`, `recover`, `restore`, `setissuers` and `update`.
* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.

* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`.
* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify` and `WrapKey`.

* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`.
* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.

* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`.
* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.

---


