github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/azurerm/resource_arm_key_vault.go (about)

     1  package azurerm
     2  
     3  import (
     4  	"fmt"
     5  	"log"
     6  	"net/http"
     7  
     8  	"github.com/Azure/azure-sdk-for-go/arm/keyvault"
     9  	"github.com/hashicorp/terraform/helper/schema"
    10  	"github.com/hashicorp/terraform/helper/validation"
    11  	"github.com/satori/uuid"
    12  )
    13  
    14  // As can be seen in the API definition, the Sku Family only supports the value
    15  // `A` and is a required field
    16  // https://github.com/Azure/azure-rest-api-specs/blob/master/arm-keyvault/2015-06-01/swagger/keyvault.json#L239
    17  var armKeyVaultSkuFamily = "A"
    18  
    19  func resourceArmKeyVault() *schema.Resource {
    20  	return &schema.Resource{
    21  		Create: resourceArmKeyVaultCreate,
    22  		Read:   resourceArmKeyVaultRead,
    23  		Update: resourceArmKeyVaultCreate,
    24  		Delete: resourceArmKeyVaultDelete,
    25  		Importer: &schema.ResourceImporter{
    26  			State: schema.ImportStatePassthrough,
    27  		},
    28  
    29  		Schema: map[string]*schema.Schema{
    30  			"name": {
    31  				Type:     schema.TypeString,
    32  				Required: true,
    33  				ForceNew: true,
    34  			},
    35  
    36  			"location": locationSchema(),
    37  
    38  			"resource_group_name": {
    39  				Type:     schema.TypeString,
    40  				Required: true,
    41  				ForceNew: true,
    42  			},
    43  
    44  			"sku": {
    45  				Type:     schema.TypeSet,
    46  				Required: true,
    47  				Elem: &schema.Resource{
    48  					Schema: map[string]*schema.Schema{
    49  						"name": {
    50  							Type:     schema.TypeString,
    51  							Required: true,
    52  							ValidateFunc: validation.StringInSlice([]string{
    53  								string(keyvault.Standard),
    54  								string(keyvault.Premium),
    55  							}, false),
    56  						},
    57  					},
    58  				},
    59  			},
    60  
    61  			"vault_uri": {
    62  				Type:     schema.TypeString,
    63  				Computed: true,
    64  			},
    65  
    66  			"tenant_id": {
    67  				Type:         schema.TypeString,
    68  				Required:     true,
    69  				ValidateFunc: validateUUID,
    70  			},
    71  
    72  			"access_policy": {
    73  				Type:     schema.TypeList,
    74  				Optional: true,
    75  				MinItems: 1,
    76  				Elem: &schema.Resource{
    77  					Schema: map[string]*schema.Schema{
    78  						"tenant_id": {
    79  							Type:         schema.TypeString,
    80  							Required:     true,
    81  							ValidateFunc: validateUUID,
    82  						},
    83  						"object_id": {
    84  							Type:         schema.TypeString,
    85  							Required:     true,
    86  							ValidateFunc: validateUUID,
    87  						},
    88  						"key_permissions": {
    89  							Type:     schema.TypeList,
    90  							Required: true,
    91  							Elem: &schema.Schema{
    92  								Type: schema.TypeString,
    93  								ValidateFunc: validation.StringInSlice([]string{
    94  									string(keyvault.KeyPermissionsAll),
    95  									string(keyvault.KeyPermissionsBackup),
    96  									string(keyvault.KeyPermissionsCreate),
    97  									string(keyvault.KeyPermissionsDecrypt),
    98  									string(keyvault.KeyPermissionsDelete),
    99  									string(keyvault.KeyPermissionsEncrypt),
   100  									string(keyvault.KeyPermissionsGet),
   101  									string(keyvault.KeyPermissionsImport),
   102  									string(keyvault.KeyPermissionsList),
   103  									string(keyvault.KeyPermissionsRestore),
   104  									string(keyvault.KeyPermissionsSign),
   105  									string(keyvault.KeyPermissionsUnwrapKey),
   106  									string(keyvault.KeyPermissionsUpdate),
   107  									string(keyvault.KeyPermissionsVerify),
   108  									string(keyvault.KeyPermissionsWrapKey),
   109  								}, false),
   110  							},
   111  						},
   112  						"secret_permissions": {
   113  							Type:     schema.TypeList,
   114  							Required: true,
   115  							Elem: &schema.Schema{
   116  								Type: schema.TypeString,
   117  								ValidateFunc: validation.StringInSlice([]string{
   118  									string(keyvault.SecretPermissionsAll),
   119  									string(keyvault.SecretPermissionsDelete),
   120  									string(keyvault.SecretPermissionsGet),
   121  									string(keyvault.SecretPermissionsList),
   122  									string(keyvault.SecretPermissionsSet),
   123  								}, false),
   124  							},
   125  						},
   126  					},
   127  				},
   128  			},
   129  
   130  			"enabled_for_deployment": {
   131  				Type:     schema.TypeBool,
   132  				Optional: true,
   133  			},
   134  
   135  			"enabled_for_disk_encryption": {
   136  				Type:     schema.TypeBool,
   137  				Optional: true,
   138  			},
   139  
   140  			"enabled_for_template_deployment": {
   141  				Type:     schema.TypeBool,
   142  				Optional: true,
   143  			},
   144  
   145  			"tags": tagsSchema(),
   146  		},
   147  	}
   148  }
   149  
   150  func resourceArmKeyVaultCreate(d *schema.ResourceData, meta interface{}) error {
   151  	client := meta.(*ArmClient).keyVaultClient
   152  	log.Printf("[INFO] preparing arguments for Azure ARM KeyVault creation.")
   153  
   154  	name := d.Get("name").(string)
   155  	location := d.Get("location").(string)
   156  	resGroup := d.Get("resource_group_name").(string)
   157  	tenantUUID := uuid.FromStringOrNil(d.Get("tenant_id").(string))
   158  	enabledForDeployment := d.Get("enabled_for_deployment").(bool)
   159  	enabledForDiskEncryption := d.Get("enabled_for_disk_encryption").(bool)
   160  	enabledForTemplateDeployment := d.Get("enabled_for_template_deployment").(bool)
   161  	tags := d.Get("tags").(map[string]interface{})
   162  
   163  	parameters := keyvault.VaultCreateOrUpdateParameters{
   164  		Location: &location,
   165  		Properties: &keyvault.VaultProperties{
   166  			TenantID:                     &tenantUUID,
   167  			Sku:                          expandKeyVaultSku(d),
   168  			AccessPolicies:               expandKeyVaultAccessPolicies(d),
   169  			EnabledForDeployment:         &enabledForDeployment,
   170  			EnabledForDiskEncryption:     &enabledForDiskEncryption,
   171  			EnabledForTemplateDeployment: &enabledForTemplateDeployment,
   172  		},
   173  		Tags: expandTags(tags),
   174  	}
   175  
   176  	_, err := client.CreateOrUpdate(resGroup, name, parameters)
   177  	if err != nil {
   178  		return err
   179  	}
   180  
   181  	read, err := client.Get(resGroup, name)
   182  	if err != nil {
   183  		return err
   184  	}
   185  	if read.ID == nil {
   186  		return fmt.Errorf("Cannot read KeyVault %s (resource group %s) ID", name, resGroup)
   187  	}
   188  
   189  	d.SetId(*read.ID)
   190  
   191  	return resourceArmKeyVaultRead(d, meta)
   192  }
   193  
   194  func resourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
   195  	client := meta.(*ArmClient).keyVaultClient
   196  
   197  	id, err := parseAzureResourceID(d.Id())
   198  	if err != nil {
   199  		return err
   200  	}
   201  	resGroup := id.ResourceGroup
   202  	name := id.Path["vaults"]
   203  
   204  	resp, err := client.Get(resGroup, name)
   205  	if err != nil {
   206  		return fmt.Errorf("Error making Read request on Azure KeyVault %s: %s", name, err)
   207  	}
   208  	if resp.StatusCode == http.StatusNotFound {
   209  		d.SetId("")
   210  		return nil
   211  	}
   212  
   213  	d.Set("name", resp.Name)
   214  	d.Set("resource_group_name", resGroup)
   215  	d.Set("location", azureRMNormalizeLocation(*resp.Location))
   216  	d.Set("tenant_id", resp.Properties.TenantID.String())
   217  	d.Set("enabled_for_deployment", resp.Properties.EnabledForDeployment)
   218  	d.Set("enabled_for_disk_encryption", resp.Properties.EnabledForDiskEncryption)
   219  	d.Set("enabled_for_template_deployment", resp.Properties.EnabledForTemplateDeployment)
   220  	d.Set("sku", flattenKeyVaultSku(resp.Properties.Sku))
   221  	d.Set("access_policy", flattenKeyVaultAccessPolicies(resp.Properties.AccessPolicies))
   222  	d.Set("vault_uri", resp.Properties.VaultURI)
   223  
   224  	flattenAndSetTags(d, resp.Tags)
   225  
   226  	return nil
   227  }
   228  
   229  func resourceArmKeyVaultDelete(d *schema.ResourceData, meta interface{}) error {
   230  	client := meta.(*ArmClient).keyVaultClient
   231  
   232  	id, err := parseAzureResourceID(d.Id())
   233  	if err != nil {
   234  		return err
   235  	}
   236  	resGroup := id.ResourceGroup
   237  	name := id.Path["vaults"]
   238  
   239  	_, err = client.Delete(resGroup, name)
   240  
   241  	return err
   242  }
   243  
   244  func expandKeyVaultSku(d *schema.ResourceData) *keyvault.Sku {
   245  	skuSets := d.Get("sku").(*schema.Set).List()
   246  	sku := skuSets[0].(map[string]interface{})
   247  
   248  	return &keyvault.Sku{
   249  		Family: &armKeyVaultSkuFamily,
   250  		Name:   keyvault.SkuName(sku["name"].(string)),
   251  	}
   252  }
   253  
   254  func expandKeyVaultAccessPolicies(d *schema.ResourceData) *[]keyvault.AccessPolicyEntry {
   255  	policies := d.Get("access_policy").([]interface{})
   256  	result := make([]keyvault.AccessPolicyEntry, 0, len(policies))
   257  
   258  	for _, policySet := range policies {
   259  		policyRaw := policySet.(map[string]interface{})
   260  
   261  		keyPermissionsRaw := policyRaw["key_permissions"].([]interface{})
   262  		keyPermissions := []keyvault.KeyPermissions{}
   263  		for _, permission := range keyPermissionsRaw {
   264  			keyPermissions = append(keyPermissions, keyvault.KeyPermissions(permission.(string)))
   265  		}
   266  
   267  		secretPermissionsRaw := policyRaw["secret_permissions"].([]interface{})
   268  		secretPermissions := []keyvault.SecretPermissions{}
   269  		for _, permission := range secretPermissionsRaw {
   270  			secretPermissions = append(secretPermissions, keyvault.SecretPermissions(permission.(string)))
   271  		}
   272  
   273  		policy := keyvault.AccessPolicyEntry{
   274  			Permissions: &keyvault.Permissions{
   275  				Keys:    &keyPermissions,
   276  				Secrets: &secretPermissions,
   277  			},
   278  		}
   279  
   280  		tenantUUID := uuid.FromStringOrNil(policyRaw["tenant_id"].(string))
   281  		policy.TenantID = &tenantUUID
   282  		objectUUID := policyRaw["object_id"].(string)
   283  		policy.ObjectID = &objectUUID
   284  
   285  		result = append(result, policy)
   286  	}
   287  
   288  	return &result
   289  }
   290  
   291  func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} {
   292  	result := map[string]interface{}{
   293  		"name": string(sku.Name),
   294  	}
   295  
   296  	return []interface{}{result}
   297  }
   298  
   299  func flattenKeyVaultAccessPolicies(policies *[]keyvault.AccessPolicyEntry) []interface{} {
   300  	result := make([]interface{}, 0, len(*policies))
   301  
   302  	for _, policy := range *policies {
   303  		policyRaw := make(map[string]interface{})
   304  
   305  		keyPermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Keys))
   306  		for _, keyPermission := range *policy.Permissions.Keys {
   307  			keyPermissionsRaw = append(keyPermissionsRaw, string(keyPermission))
   308  		}
   309  
   310  		secretPermissionsRaw := make([]interface{}, 0, len(*policy.Permissions.Secrets))
   311  		for _, secretPermission := range *policy.Permissions.Secrets {
   312  			secretPermissionsRaw = append(secretPermissionsRaw, string(secretPermission))
   313  		}
   314  
   315  		policyRaw["tenant_id"] = policy.TenantID.String()
   316  		policyRaw["object_id"] = policy.ObjectID
   317  		policyRaw["key_permissions"] = keyPermissionsRaw
   318  		policyRaw["secret_permissions"] = secretPermissionsRaw
   319  
   320  		result = append(result, policyRaw)
   321  	}
   322  
   323  	return result
   324  }