r/key_vault: making the network_acls block computed (#5207)

This PR supersedes #4805 by making the network_acls block computed with a default value based on the behaviour of the API $ acctests azurerm TestAccAzureRMKeyVault_networkAcls === RUN TestAccAzureRMKeyVault_networkAcls === PAUSE TestAccAzureRMKeyVault_networkAcls === RUN TestAccAzureRMKeyVault_networkAclsAllowed === PAUSE TestAccAzureRMKeyVault_networkAclsAllowed === CONT TestAccAzureRMKeyVault_networkAcls --- PASS: TestAccAzureRMKeyVault_networkAcls (347.28s) === CONT TestAccAzureRMKeyVault_networkAclsAllowed --- PASS: TestAccAzureRMKeyVault_networkAclsAllowed (247.89s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 595.221s Fixes #2164
hashicorp · Dec 18, 2019 · f7c9985 · f7c9985
1 parent 52d9b9d
commit f7c9985
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 15 deletions.
diff --git a/azurerm/resource_arm_key_vault.go b/azurerm/resource_arm_key_vault.go
@@ -157,6 +157,7 @@ func resourceArmKeyVault() *schema.Resource {
 			"network_acls": {
 				Type:     schema.TypeList,
 				Optional: true,
+				Computed: true,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
@@ -471,7 +472,14 @@ func flattenKeyVaultSku(sku *keyvault.Sku) []interface{} {
 
 func flattenKeyVaultNetworkAcls(input *keyvault.NetworkRuleSet) []interface{} {
 	if input == nil {
-		return []interface{}{}
+		return []interface{}{
+			map[string]interface{}{
+				"bypass":                     string(keyvault.AzureServices),
+				"default_action":             string(keyvault.Allow),
+				"ip_rules":                   schema.NewSet(schema.HashString, []interface{}{}),
+				"virtual_network_subnet_ids": schema.NewSet(schema.HashString, []interface{}{}),
+			},
+		}
 	}
 
 	output := make(map[string]interface{})

diff --git a/azurerm/resource_arm_key_vault_test.go b/azurerm/resource_arm_key_vault_test.go
@@ -86,7 +86,6 @@ func TestAccAzureRMKeyVault_basic(t *testing.T) {
 				Config: config,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKeyVaultExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "sku_name", "premium"),
 				),
 			},
@@ -132,7 +131,6 @@ func TestAccAzureRMKeyVault_basicClassic(t *testing.T) {
 				Config: config,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKeyVaultExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "sku.0.name", "premium"),
 				),
 			},
@@ -164,7 +162,6 @@ func TestAccAzureRMKeyVault_requiresImport(t *testing.T) {
 				Config: testAccAzureRMKeyVault_basic(ri, location),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKeyVaultExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.#", "0"),
 				),
 			},
 			{
@@ -189,24 +186,49 @@ func TestAccAzureRMKeyVault_networkAcls(t *testing.T) {
 				Config: testAccAzureRMKeyVault_networkAcls(ri, location),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKeyVaultExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.bypass", "None"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Deny"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.ip_rules.#", "0"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.virtual_network_subnet_ids.#", "2"),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 			{
 				Config: testAccAzureRMKeyVault_networkAclsUpdated(ri, location),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMKeyVaultExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.bypass", "AzureServices"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.default_action", "Allow"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.ip_rules.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "network_acls.0.virtual_network_subnet_ids.#", "1"),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMKeyVault_networkAclsAllowed(t *testing.T) {
+	resourceName := "azurerm_key_vault.test"
+	ri := tf.AccRandTimeInt()
+	location := testLocation()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMKeyVault_networkAclsAllowed(ri, location),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(resourceName),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -673,13 +695,47 @@ resource "azurerm_key_vault" "test" {
   network_acls {
     default_action             = "Allow"
     bypass                     = "AzureServices"
-    ip_rules                   = ["10.0.0.102/32"]
+    ip_rules                   = ["123.0.0.102/32"]
     virtual_network_subnet_ids = ["${azurerm_subnet.test_a.id}"]
   }
 }
 `, template, rInt)
 }
 
+func testAccAzureRMKeyVault_networkAclsAllowed(rInt int, location string) string {
+	template := testAccAzureRMKeyVault_networkAclsTemplate(rInt, location)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_key_vault" "test" {
+  name                = "vault%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"
+
+  sku_name = "premium"
+
+  access_policy {
+    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+    object_id = "${data.azurerm_client_config.current.client_id}"
+
+    key_permissions = [
+      "create",
+    ]
+
+    secret_permissions = [
+      "set",
+    ]
+  }
+
+  network_acls {
+    default_action = "Allow"
+    bypass         = "AzureServices"
+  }
+}
+`, template, rInt)
+}
+
 func testAccAzureRMKeyVault_update(rInt int, location string) string {
 	return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}