Merge pull request #1 from terraform-providers/master

Merge base

CHANGELOG.md

@@ -1,15 +1,38 @@
 ## 0.3.0 (Unreleased)
 
+UPGRADE NOTES:
+
+* `azurerm_route_table` - `route` is no longer computed
+
 FEATURES:
 
+* **New Data Source:** `azurerm_builtin_role_definition` [GH-384]
+* **New Data Source:** `azurerm_image` [GH-382]
 * **New Data Source:** `azurerm_platform_image` [GH-375]
+* **New Data Source:** `azurerm_role_definition` [GH-414]
+* **New Data Source:** `azurerm_subnet` [GH-411]
+* **New Resource:** `azurerm_key_vault_certificate` [GH-408]
+* **New Resource:** `azurerm_role_assignment` [GH-414]
+* **New Resource:** `azurerm_role_definition` [GH-414]
 
 IMPROVEMENTS:
 
+* `azurerm_client_config` - updating the data source to work when using AzureCLI auth [GH-393]
+* `azurerm_container_group` - add support for volume mounts [GH-366]
 * `azurerm_key_vault` - fix a crash when no certificate_permissions are defined [GH-374]
+* `azurerm_key_vault` - waiting for the DNS to propagate [GH-401]
+* `azurerm_managed_disk` - support for creating Managed Disks from Platform Images by supporting "FromImage" [GH-399]
+* `azurerm_managed_disk` - support for creating Encrypted Managed Disks [GH-399]
+* `azurerm_mysql_*` - Ensuring we register the MySQL Resource Provider [GH-397]
+* `azurerm_network_interface` - exposing all of the Private IP Addresses assigned to the NIC [GH-409]
+* `azurerm_network_security_group` / `azurerm_network_security_rule` - refactoring [GH-405]
+* `azurerm_route_table` - removing routes when none are specified [GH-403]
+* `azurerm_route_table` - refactoring `route` from a Set to a List [GH-402]
+* `azurerm_route` - refactoring `route` from a Set to a List [GH-402]
 * `azurerm_storage_account` - support for File Encryption [GH-363]
 * `azurerm_storage_account` - support for Custom Domain [GH-363]
 * `azurerm_storage_account` - splitting the storage account Tier and Replication out into separate fields [GH-363]
+* `azurerm_subnet` - making it possible to remove Network Security Groups / Route Tables [GH-411]
 * `azurerm_virtual_machine` - fixing a bug where `additional_unattend_config.content` was being updated unintentionally [GH-377]
 * `azurerm_virtual_machine_scale_set` - fixing a bug where `additional_unattend_config.content` was being updated unintentionally [GH-377]
 

azurerm/config.go

@@ -8,6 +8,7 @@ import (
 	"net/http/httputil"
 
 	"github.com/Azure/azure-sdk-for-go/arm/appinsights"
+	"github.com/Azure/azure-sdk-for-go/arm/authorization"
 	"github.com/Azure/azure-sdk-for-go/arm/automation"
 	"github.com/Azure/azure-sdk-for-go/arm/cdn"
 	"github.com/Azure/azure-sdk-for-go/arm/compute"
@@ -46,10 +47,11 @@ import (
 // ArmClient contains the handles to all the specific Azure Resource Manager
 // resource classes' respective clients.
 type ArmClient struct {
-	clientId       string
-	tenantId       string
-	subscriptionId string
-	environment    azure.Environment
+	clientId              string
+	tenantId              string
+	subscriptionId        string
+	usingServicePrincipal bool
+	environment           azure.Environment
 
 	StopContext context.Context
 
@@ -136,6 +138,9 @@ type ArmClient struct {
 
 	appInsightsClient appinsights.ComponentsClient
 
+	// Authentication
+	roleAssignmentsClient   authorization.RoleAssignmentsClient
+	roleDefinitionsClient   authorization.RoleDefinitionsClient
 	servicePrincipalsClient graphrbac.ServicePrincipalsClient
 
 	// Databases
@@ -232,10 +237,11 @@ func (c *Config) getArmClient() (*ArmClient, error) {
 
 	// client declarations:
 	client := ArmClient{
-		clientId:       c.ClientID,
-		tenantId:       c.TenantID,
-		subscriptionId: c.SubscriptionID,
-		environment:    env,
+		clientId:              c.ClientID,
+		tenantId:              c.TenantID,
+		subscriptionId:        c.SubscriptionID,
+		environment:           env,
+		usingServicePrincipal: c.ClientSecret != "",
 	}
 
 	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, c.TenantID)
@@ -624,12 +630,6 @@ func (c *Config) getArmClient() (*ArmClient, error) {
 	ai.Sender = sender
 	client.appInsightsClient = ai
 
-	spc := graphrbac.NewServicePrincipalsClientWithBaseURI(graphEndpoint, c.TenantID)
-	setUserAgent(&spc.Client)
-	spc.Authorizer = graphAuth
-	spc.Sender = sender
-	client.servicePrincipalsClient = spc
-
 	aadb := automation.NewAccountClientWithBaseURI(endpoint, c.SubscriptionID)
 	setUserAgent(&aadb.Client)
 	aadb.Authorizer = auth
@@ -654,13 +654,33 @@ func (c *Config) getArmClient() (*ArmClient, error) {
 	aschc.Sender = sender
 	client.automationScheduleClient = aschc
 
-	client.registerKeyVaultClients(endpoint, c.SubscriptionID, auth, keyVaultAuth, sender)
-
+	client.registerAuthentication(endpoint, graphEndpoint, c.SubscriptionID, c.TenantID, auth, graphAuth, sender)
 	client.registerDatabases(endpoint, c.SubscriptionID, auth, sender)
+	client.registerKeyVaultClients(endpoint, c.SubscriptionID, auth, keyVaultAuth, sender)
 
 	return &client, nil
 }
 
+func (c *ArmClient) registerAuthentication(endpoint, graphEndpoint, subscriptionId, tenantId string, auth, graphAuth autorest.Authorizer, sender autorest.Sender) {
+	spc := graphrbac.NewServicePrincipalsClientWithBaseURI(graphEndpoint, tenantId)
+	setUserAgent(&spc.Client)
+	spc.Authorizer = graphAuth
+	spc.Sender = sender
+	c.servicePrincipalsClient = spc
+
+	rac := authorization.NewRoleAssignmentsClientWithBaseURI(endpoint, subscriptionId)
+	setUserAgent(&rac.Client)
+	rac.Authorizer = auth
+	rac.Sender = sender
+	c.roleAssignmentsClient = rac
+
+	rdc := authorization.NewRoleDefinitionsClientWithBaseURI(endpoint, subscriptionId)
+	setUserAgent(&rdc.Client)
+	rdc.Authorizer = auth
+	rdc.Sender = sender
+	c.roleDefinitionsClient = rdc
+}
+
 func (c *ArmClient) registerDatabases(endpoint, subscriptionId string, auth autorest.Authorizer, sender autorest.Sender) {
 	// MySQL
 	mysqlConfigClient := mysql.NewConfigurationsClientWithBaseURI(endpoint, subscriptionId)

azurerm/data_source_builtin_role_definition.go

@@ -0,0 +1,102 @@
+package azurerm
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
+)
+
+func dataSourceArmBuiltInRoleDefinition() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceArmBuiltInRoleDefinitionRead,
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"Contributor",
+					"Reader",
+					"Owner",
+					"VirtualMachineContributor",
+				}, false),
+			},
+
+			// Computed
+			"description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"type": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"permissions": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"actions": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"not_actions": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
+			},
+			"assignable_scopes": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+		},
+	}
+}
+
+func dataSourceArmBuiltInRoleDefinitionRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).roleDefinitionsClient
+	name := d.Get("name").(string)
+	roleDefinitionIds := map[string]string{
+		"Contributor":               "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+		"Owner":                     "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+		"Reader":                    "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
+		"VirtualMachineContributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
+	}
+	roleDefinitionId := roleDefinitionIds[name]
+
+	d.SetId(roleDefinitionId)
+
+	role, err := client.GetByID(roleDefinitionId)
+	if err != nil {
+		return fmt.Errorf("Error loadng Role Definition: %+v", err)
+	}
+
+	if props := role.Properties; props != nil {
+		d.Set("name", props.RoleName)
+		d.Set("description", props.Description)
+		d.Set("type", props.Type)
+
+		permissions := flattenRoleDefinitionPermissions(props.Permissions)
+		if err := d.Set("permissions", permissions); err != nil {
+			return err
+		}
+
+		assignableScopes := flattenRoleDefinitionAssignableScopes(props.AssignableScopes)
+		if err := d.Set("assignable_scopes", assignableScopes); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

azurerm/data_source_builtin_role_definition_test.go

@@ -0,0 +1,108 @@
+package azurerm
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_contributor(t *testing.T) {
+	dataSourceName := "data.azurerm_builtin_role_definition.test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceBuiltInRoleDefinition("Contributor"),
+				Check: resource.ComposeTestCheckFunc(
+					testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "description"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "type"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "*"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "3"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.0", "Microsoft.Authorization/*/Delete"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.1", "Microsoft.Authorization/*/Write"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.2", "Microsoft.Authorization/elevateAccess/Action"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_owner(t *testing.T) {
+	dataSourceName := "data.azurerm_builtin_role_definition.test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceBuiltInRoleDefinition("Owner"),
+				Check: resource.ComposeTestCheckFunc(
+					testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "description"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "type"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "*"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "0"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_reader(t *testing.T) {
+	dataSourceName := "data.azurerm_builtin_role_definition.test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceBuiltInRoleDefinition("Reader"),
+				Check: resource.ComposeTestCheckFunc(
+					testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "description"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "type"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "*/read"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "0"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_virtualMachineContributor(t *testing.T) {
+	dataSourceName := "data.azurerm_builtin_role_definition.test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceBuiltInRoleDefinition("VirtualMachineContributor"),
+				Check: resource.ComposeTestCheckFunc(
+					testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "description"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "type"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "17"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "Microsoft.Authorization/*/read"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.15", "Microsoft.Resources/subscriptions/resourceGroups/read"),
+					resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "0"),
+				),
+			},
+		},
+	})
+}
+
+func testAccDataSourceBuiltInRoleDefinition(name string) string {
+	return fmt.Sprintf(`
+data "azurerm_builtin_role_definition" "test" {
+  name = "%s"
+}
+`, name)
+}