diff --git a/azurerm/internal/services/keyvault/access_policy_schema.go b/azurerm/internal/services/keyvault/access_policy_schema.go
index 96c90778bae0..c5d237c2fe70 100644
--- a/azurerm/internal/services/keyvault/access_policy_schema.go
+++ b/azurerm/internal/services/keyvault/access_policy_schema.go
@@ -1,6 +1,8 @@
 package keyvault
 
 import (
+	"strings"
+
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
@@ -8,30 +10,127 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/suppress"
 )
 
+func certificatePermissions() []string {
+	return []string{
+		"Backup",
+		"Create",
+		"Delete",
+		"DeleteIssuers",
+		"Get",
+		"GetIssuers",
+		"Import",
+		"List",
+		"ListIssuers",
+		"ManageContacts",
+		"ManageIssuers",
+		"Purge",
+		"Recover",
+		"Restore",
+		"SetIssuers",
+		"Update",
+	}
+}
+
+func flattenCertificatePermission(input string) string {
+	for _, permission := range certificatePermissions() {
+		if strings.EqualFold(input, permission) {
+			return permission
+		}
+	}
+
+	return input
+}
+
+func keyPermissions() []string {
+	return []string{
+		"Backup",
+		"Create",
+		"Decrypt",
+		"Delete",
+		"Encrypt",
+		"Get",
+		"Import",
+		"List",
+		"Purge",
+		"Recover",
+		"Restore",
+		"Sign",
+		"UnwrapKey",
+		"Update",
+		"Verify",
+		"WrapKey",
+	}
+}
+
+func flattenKeyPermission(input string) string {
+	for _, permission := range keyPermissions() {
+		if strings.EqualFold(input, permission) {
+			return permission
+		}
+	}
+
+	return input
+}
+
+func secretPermissions() []string {
+	return []string{
+		"Backup",
+		"Delete",
+		"Get",
+		"List",
+		"Purge",
+		"Recover",
+		"Restore",
+		"Set",
+	}
+}
+
+func flattenSecretPermission(input string) string {
+	for _, permission := range secretPermissions() {
+		if strings.EqualFold(input, permission) {
+			return permission
+		}
+	}
+
+	return input
+}
+
+func storagePermissions() []string {
+	return []string{
+		"Backup",
+		"Delete",
+		"DeleteSAS",
+		"Get",
+		"GetSAS",
+		"List",
+		"ListSAS",
+		"Purge",
+		"Recover",
+		"RegenerateKey",
+		"Restore",
+		"Set",
+		"SetSAS",
+		"Update",
+	}
+}
+
+func flattenStoragePermission(input string) string {
+	for _, permission := range storagePermissions() {
+		if strings.EqualFold(input, permission) {
+			return permission
+		}
+	}
+
+	return input
+}
+
 func schemaCertificatePermissions() *schema.Schema {
 	return &schema.Schema{
 		Type:     schema.TypeList,
 		Optional: true,
 		Elem: &schema.Schema{
-			Type: schema.TypeString,
-			ValidateFunc: validation.StringInSlice([]string{
-				string(keyvault.Backup),
-				string(keyvault.Create),
-				string(keyvault.Delete),
-				string(keyvault.Deleteissuers),
-				string(keyvault.Get),
-				string(keyvault.Getissuers),
-				string(keyvault.Import),
-				string(keyvault.List),
-				string(keyvault.Listissuers),
-				string(keyvault.Managecontacts),
-				string(keyvault.Manageissuers),
-				string(keyvault.Purge),
-				string(keyvault.Recover),
-				string(keyvault.Restore),
-				string(keyvault.Setissuers),
-				string(keyvault.Update),
-			}, true),
+			Type:         schema.TypeString,
+			ValidateFunc: validation.StringInSlice(certificatePermissions(), true),
 			DiffSuppressFunc: suppress.CaseDifference,
 		},
 	}
@@ -42,25 +141,8 @@ func schemaKeyPermissions() *schema.Schema {
 		Type:     schema.TypeList,
 		Optional: true,
 		Elem: &schema.Schema{
-			Type: schema.TypeString,
-			ValidateFunc: validation.StringInSlice([]string{
-				string(keyvault.KeyPermissionsBackup),
-				string(keyvault.KeyPermissionsCreate),
-				string(keyvault.KeyPermissionsDecrypt),
-				string(keyvault.KeyPermissionsDelete),
-				string(keyvault.KeyPermissionsEncrypt),
-				string(keyvault.KeyPermissionsGet),
-				string(keyvault.KeyPermissionsImport),
-				string(keyvault.KeyPermissionsList),
-				string(keyvault.KeyPermissionsPurge),
-				string(keyvault.KeyPermissionsRecover),
-				string(keyvault.KeyPermissionsRestore),
-				string(keyvault.KeyPermissionsSign),
-				string(keyvault.KeyPermissionsUnwrapKey),
-				string(keyvault.KeyPermissionsUpdate),
-				string(keyvault.KeyPermissionsVerify),
-				string(keyvault.KeyPermissionsWrapKey),
-			}, true),
+			Type:         schema.TypeString,
+			ValidateFunc: validation.StringInSlice(keyPermissions(), true),
 			DiffSuppressFunc: suppress.CaseDifference,
 		},
 	}
@@ -71,17 +153,8 @@ func schemaSecretPermissions() *schema.Schema {
 		Type:     schema.TypeList,
 		Optional: true,
 		Elem: &schema.Schema{
-			Type: schema.TypeString,
-			ValidateFunc: validation.StringInSlice([]string{
-				string(keyvault.SecretPermissionsBackup),
-				string(keyvault.SecretPermissionsDelete),
-				string(keyvault.SecretPermissionsGet),
-				string(keyvault.SecretPermissionsList),
-				string(keyvault.SecretPermissionsPurge),
-				string(keyvault.SecretPermissionsRecover),
-				string(keyvault.SecretPermissionsRestore),
-				string(keyvault.SecretPermissionsSet),
-			}, true),
+			Type:         schema.TypeString,
+			ValidateFunc: validation.StringInSlice(secretPermissions(), true),
 			DiffSuppressFunc: suppress.CaseDifference,
 		},
 	}
@@ -92,23 +165,9 @@ func schemaStoragePermissions() *schema.Schema {
 		Type:     schema.TypeList,
 		Optional: true,
 		Elem: &schema.Schema{
-			Type: schema.TypeString,
-			ValidateFunc: validation.StringInSlice([]string{
-				string(keyvault.StoragePermissionsBackup),
-				string(keyvault.StoragePermissionsDelete),
-				string(keyvault.StoragePermissionsDeletesas),
-				string(keyvault.StoragePermissionsGet),
-				string(keyvault.StoragePermissionsGetsas),
-				string(keyvault.StoragePermissionsList),
-				string(keyvault.StoragePermissionsListsas),
-				string(keyvault.StoragePermissionsPurge),
-				string(keyvault.StoragePermissionsRecover),
-				string(keyvault.StoragePermissionsRegeneratekey),
-				string(keyvault.StoragePermissionsRestore),
-				string(keyvault.StoragePermissionsSet),
-				string(keyvault.StoragePermissionsSetsas),
-				string(keyvault.StoragePermissionsUpdate),
-			}, false),
+			Type:         schema.TypeString,
+			ValidateFunc: validation.StringInSlice(storagePermissions(), true),
+			DiffSuppressFunc: suppress.CaseDifference,
 		},
 	}
 }
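Review bot: The four `flattenXPermission` functions added at the top of the first hunk are one body repeated with a different list, and each call rebuilds that list because `certificatePermissions()` and its siblings return a fresh literal; a single lookup helper taking the list (sketch below) removes the repetition, and the lists could become package-level `var`s. None of the eight new functions has a doc comment — the fallback is the part a reader needs, e.g. `// flattenKeyPermission returns the canonical casing of an API-returned key permission, or input unchanged when it is not in keyPermissions().` Because the lists are now hand-maintained literals rather than SDK constants, a permission Azure introduces later would be written verbatim into state yet rejected by `ValidateFunc` on the next plan, so a comment naming where the lists must be kept in sync (presumably the SDK's `Possible*PermissionsValues()` functions) is worth adding. Separately, `schemaStoragePermissions` in the last hunk quietly moves from case-sensitive validation with no `DiffSuppressFunc` to `StringInSlice(…, true)` plus `suppress.CaseDifference`, which the commit description should call out; and the `secret_permissions` bullet in key_vault_access_policy.html.markdown still lists `get`, `list`, `purge`, `recover`, `restore` and `set` in lowercase, unlike the other three lists.
```go
// canonicalPermission returns the entry of known that equals input ignoring
// case, or input unchanged when there is no match.
func canonicalPermission(input string, known []string) string {
	for _, permission := range known {
		if strings.EqualFold(input, permission) {
			return permission
		}
	}
	return input
}

func flattenCertificatePermission(input string) string {
	return canonicalPermission(input, certificatePermissions())
}

// … unchanged: keyPermissions, secretPermissions, storagePermissions; the other
// three flatten*Permission wrappers follow the same one-line pattern …
```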
@@ -206,7 +265,8 @@ func flattenCertificatePermissions(input *[]keyvault.CertificatePermissions) []i if input != nil { for _, certificatePermission := range *input { - output = append(output, string(certificatePermission)) + permission := flattenCertificatePermission(string(certificatePermission)) + output = append(output, permission) } } @@ -227,7 +287,8 @@ func flattenKeyPermissions(input *[]keyvault.KeyPermissions) []interface{} { if input != nil { for _, keyPermission := range *input { - output = append(output, string(keyPermission)) + permission := flattenKeyPermission(string(keyPermission)) + output = append(output, permission) } } @@ -249,7 +310,8 @@ func flattenSecretPermissions(input *[]keyvault.SecretPermissions) []interface{} if input != nil { for _, secretPermission := range *input { - output = append(output, string(secretPermission)) + permission := flattenSecretPermission(string(secretPermission)) + output = append(output, permission) } } @@ -271,7 +333,8 @@ func flattenStoragePermissions(input *[]keyvault.StoragePermissions) []interface if input != nil { for _, storagePermission := range *input { - output = append(output, string(storagePermission)) + permission := flattenStoragePermission(string(storagePermission)) + output = append(output, permission) } } diff --git a/azurerm/internal/services/keyvault/key_vault_data_source_test.go b/azurerm/internal/services/keyvault/key_vault_data_source_test.go index c2fd2ab2dee0..4c29af4ddf5e 100644 --- a/azurerm/internal/services/keyvault/key_vault_data_source_test.go +++ b/azurerm/internal/services/keyvault/key_vault_data_source_test.go 
@@ -24,8 +24,8 @@ func TestAccDataSourceKeyVault_basic(t *testing.T) {
 				check.That(data.ResourceName).Key("sku_name").Exists(),
 				check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
 				check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
-				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
-				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
+				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
+				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
 				check.That(data.ResourceName).Key("tags.%").HasValue("0"),
 			),
 		},
@@ -44,8 +44,8 @@ func TestAccDataSourceKeyVault_complete(t *testing.T) {
 				check.That(data.ResourceName).Key("sku_name").Exists(),
 				check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
 				check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
-				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("get"),
-				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("get"),
+				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Get"),
+				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Get"),
 				check.That(data.ResourceName).Key("tags.%").HasValue("1"),
 				check.That(data.ResourceName).Key("tags.environment").HasValue("Production"),
 			),
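Review bot: The updated assertions only pin the canonical casing the read path now emits; nothing exercises the compatibility case this change relies on, namely that a configuration still written with lowercase values such as `"get"` or `"set"` plans clean because of `suppress.CaseDifference` rather than showing a perpetual diff. A step in the resource test whose config uses lowercase permissions, followed by `data.ImportStep()` and an empty-plan check, would cover it, and would also catch the storage_permissions path where case-insensitive matching is new. The same applies to the hunks in key_vault_data_source_test.go at line 65 and in key_vault_resource_test.go, which only flip the expected casing.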
@@ -65,8 +65,8 @@ func TestAccDataSourceKeyVault_networkAcls(t *testing.T) {
 				check.That(data.ResourceName).Key("sku_name").Exists(),
 				check.That(data.ResourceName).Key("access_policy.0.tenant_id").Exists(),
 				check.That(data.ResourceName).Key("access_policy.0.object_id").Exists(),
-				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
-				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
+				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
+				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
 				check.That(data.ResourceName).Key("network_acls.#").HasValue("1"),
 				check.That(data.ResourceName).Key("network_acls.0.default_action").HasValue("Allow"),
 				check.That(data.ResourceName).Key("tags.%").HasValue("0"),
diff --git a/azurerm/internal/services/keyvault/key_vault_resource_test.go b/azurerm/internal/services/keyvault/key_vault_resource_test.go
index 8bb98ca4c16f..18a5162a6ed5 100644
--- a/azurerm/internal/services/keyvault/key_vault_resource_test.go
+++ b/azurerm/internal/services/keyvault/key_vault_resource_test.go
@@ -141,16 +141,16 @@ func TestAccKeyVault_update(t *testing.T) {
 			Config: r.basic(data),
 			Check: resource.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("create"),
-				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("set"),
+				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Create"),
+				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Set"),
 				check.That(data.ResourceName).Key("tags.%").HasValue("0"),
 			),
 		},
 		{
 			Config: r.update(data),
 			Check: resource.ComposeTestCheckFunc(
-				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("get"),
-				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("get"),
+				check.That(data.ResourceName).Key("access_policy.0.key_permissions.0").HasValue("Get"),
+				check.That(data.ResourceName).Key("access_policy.0.secret_permissions.0").HasValue("Get"),
 				check.That(data.ResourceName).Key("enabled_for_deployment").HasValue("true"),
 				check.That(data.ResourceName).Key("enabled_for_disk_encryption").HasValue("true"),
 				check.That(data.ResourceName).Key("enabled_for_template_deployment").HasValue("true"),
@@ -239,7 +239,7 @@ func TestAccKeyVault_justCert(t *testing.T) {
 			Config: r.justCert(data),
 			Check: resource.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("access_policy.0.certificate_permissions.0").HasValue("get"),
+				check.That(data.ResourceName).Key("access_policy.0.certificate_permissions.0").HasValue("Get"),
 			),
 		},
 		data.ImportStep(),
diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown
index 95d1afac9fda..681868732e75 100644
--- a/website/docs/r/key_vault.html.markdown
+++ b/website/docs/r/key_vault.html.markdown
@@ -52,15 +52,15 @@ resource "azurerm_key_vault" "example" { object_id = data.azurerm_client_config.current.object_id key_permissions = [ - "get", + "Get", ] secret_permissions = [ - "get", + "Get", ] storage_permissions = [ - "get", + "Get", ] } } 
@@ -120,13 +120,13 @@ A `access_policy` block supports the following: * `application_id` - (Optional) The object ID of an Application in Azure Active Directory. -* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `backup`, `create`, `delete`, `deleteissuers`, `get`, `getissuers`, `import`, `list`, `listissuers`, `managecontacts`, `manageissuers`, `purge`, `recover`, `restore`, `setissuers` and `update`. +* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`. -* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`. +* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify` and `WrapKey`. -* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`. +* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`. -* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`. 
+* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`. --- diff --git a/website/docs/r/key_vault_access_policy.html.markdown b/website/docs/r/key_vault_access_policy.html.markdown index ab946fdbe862..b7d22ec62082 100644 --- a/website/docs/r/key_vault_access_policy.html.markdown +++ b/website/docs/r/key_vault_access_policy.html.markdown @@ -38,11 +38,11 @@ resource "azurerm_key_vault_access_policy" "example" { object_id = data.azurerm_client_config.current.object_id key_permissions = [ - "get", + "Get", ] secret_permissions = [ - "get", + "Get", ] } ``` 
@@ -65,18 +65,13 @@ The following arguments are supported: * `application_id` - (Optional) The object ID of an Application in Azure Active Directory. -* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from - the following: `backup`, `create`, `delete`, `deleteissuers`, `get`, `getissuers`, `import`, `list`, `listissuers`, - `managecontacts`, `manageissuers`, `purge`, `recover`, `restore`, `setissuers` and `update`. +* `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`. -* `key_permissions` - (Optional) List of key permissions, must be one or more from - the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, - `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`. +* `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify` and `WrapKey`. -* `secret_permissions` - (Optional) List of secret permissions, must be one or more - from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`. +* `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`. -* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`. 
+* `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`. ## Attributes Reference @@ -88,8 +83,6 @@ The following attributes are exported: ## Timeouts - - The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: * `create` - (Defaults to 30 minutes) Used when creating the Key Vault Access Policy.