-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Storage Account: Add identity property #1323
Storage Account: Add identity property #1323
Conversation
@@ -495,6 +500,11 @@ func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) err | |||
} | |||
d.Set("account_kind", resp.Kind) | |||
|
|||
log.Printf("[INFO] Identity is %q", resp.Identity) | |||
if identity := resp.Identity; identity != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lstolyarov you'll want to use resp.[XX]Properties.Identity
here - since the top level fields resp.Identity
isn't guaranteed to have a value, unfortunately. These fields exist primarily for the older API's where the responses aren't guaranteed in the properties
block in the JSON
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tombuildsstuff what do you mean by [XX]Properties
? There is an AccountProperties
filed in resp
but that does not have an Identity
field
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tombuildsstuff what do you mean by
[XX]Properties
? There is anAccountProperties
filed inresp
but that does not have anIdentity
field
The properties
field is prefixed with the name of the struct, so it's different (hence [XX]Properties
, sorry I should have looked this up).
I don't see any option to enable this in the Portal - is this feature in Preview?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well it is not really a feature. This PR is to be able to extract the Object ID (or Principal ID as it is referred to in the SDK). I don't think there is any anyway to get this information out in the portal - it could be extracted with powershell.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, I was referring to pulling this out via the API/SDK - I'm not sure if you've seen it but the Azure Resources Explorer can be really helpful here.
In other API's (e.g. App Service) the identity
block won't be returned from the API until it's enabled, which can be done by sending the following Request (in the Create/Update):
Identity: &storage.Identity{
Type: utils.String("SystemAssigned"),
},
Once the Identity's assigned, the identity
block returned from the API SDK as Principal ID/Object ID. That said, given this isn't available in the Portal yet - and I can't see any reference to it online; I have a feeling this may be in Preview?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, that makes more sense now.
Thanks for the Azure Resources Explorer - its really useful.
I am not sure if it would technically count as a preview feature or not. My understanding that behind the scenes all resources have object ids and this is required as input for key vault. It is not really useful in the portal as when you enable storage account encryption and select the key vault you want to use that object id gets populated automatically.
Related issue: #658 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @lstolyarov,
Thank you for opening this PR. It mostly LGTM and I've let a couple of comments inline. Once those are sorted I look forward to merging this for you 🙂
} | ||
|
||
result := make(map[string]interface{}) | ||
result["type"] = *identity.Type |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we also check identity.Type for nil
?
|
||
* `tenant_id` - The Tenant ID for the Service Principal associated with the Identity of this Storage Account. | ||
|
||
-> You can access the Principal ID via `${azurerm_storage_account.test.identity.0.principal_id}` and the Tenant ID via `${azurerm_storage_account.test.identity.0.tenant_id}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need this? There is nothing special required to access these properties
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is still useful for the user to be able to see an example on how to access the property. However, if you still think it's not required - I can remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Personally I think it should be removed but its very minor and not a blocker
|
||
* `type` - (Required) Specifies the identity type of the Storage Account. At this time the only allowed value is `SystemAssigned`. | ||
|
||
~> The assigned `principal_id` and `tenant_id` can be retrieved after the Storage Account has been created. More details are available below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might it be worth explaining these properties won't be assigned until the identity type value is set to SystemAssigned
?
Any idea on when this will be released? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @lstolyarov,
Thank you for the updates, this LGTM now however running the tests I am consistently getting this failure:
------- Stdout: -------
=== RUN TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity
--- FAIL: TestAccAzureRMStorageAccount_updateResourceByEnablingIdentity (93.41s)
testing.go:513: Step 1 error: Check failed: Check 3/4 error: azurerm_storage_account.testsa: Attribute 'identity.0.principal_id' didn't match "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-4[a-fA-F0-9]{3}-[8|9|aA|bB][a-fA-F0-9]{3}-[a-fA-F0-9]{12}$", got ""
FAIL
Additionally, could you please merge/rebase to resolve the merge conflicts?
Hey @katbyte, This should be ready for another review now. Tests are passing & merge conflicts are resolved. |
Removed some lines that were accidentally merged back in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @lstolyarov,
Thank you for the updates, LGTM 👍
fix go fmt issues
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
Hey @tombuildsstuff,
This PR adds the object id as an output of a storage account. At the moment
resp.Identity
is returningnil
. Any ideas why?