Fix issue #2164: Add check for network_acls not set in keyvault resource

hashicorp · Nov 5, 2019 · edba0e0 · edba0e0
1 parent ccb5f4f
commit edba0e0
Showing 1 changed file with 22 additions and 3 deletions.
diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go
@@ -155,9 +155,10 @@ func resourceArmKeyVault() *schema.Resource {
 			},
 
 			"network_acls": {
-				Type:     schema.TypeList,
-				Optional: true,
-				MaxItems: 1,
+				Type:             schema.TypeList,
+				Optional:         true,
+				MaxItems:         1,
+				DiffSuppressFunc: suppressDefaultActionAllow,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"default_action": {
@@ -573,3 +574,21 @@ func expandKeyVaultNetworkAcls(input []interface{}) (*keyvault.NetworkRuleSet, [
 	}
 	return &ruleSet, subnetIds
 }
+
+func suppressDefaultActionAllow(k, old, new string, d *schema.ResourceData) bool {
+	// Azure backend will discard "Allow" network_acls, resulting in bug #2164:
+	// https://github.com/terraform-providers/terraform-provider-azurerm/issues/2164
+	// Here we suppress the diff when Azure backend returns empty network_acls
+	// and Terraform config sets network_acls with default_action "Allow"
+	if k == "network_acls.#" && old == "0" && new == "1" {
+		networkAclsRaw := d.Get("network_acls").([]interface{})
+		networkAcls, _ := expandKeyVaultNetworkAcls(networkAclsRaw)
+
+		if networkAcls != nil && networkAcls.DefaultAction == keyvault.Allow {
+			log.Print("[INFO] Setting network_acls from nil to NetworkRuleSet with default_action=\"Allow\" has no effect. Diff is suppressed.")
+			return true
+		}
+	}
+
+	return false
+}