Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Key vault add soft delete #1517

Closed
wants to merge 107 commits into from

Conversation

janboll
Copy link

@janboll janboll commented Jul 9, 2018

Make it possible to enable soft delete via Terraform.
This would fix #1329.

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @janboll

Thanks for this PR :)

I've taken a look through and this mostly LGTM - if we can fix up the merge conflicts / comments then we should be able to run the tests and get this merged :)

Thanks!

"enabled_for_soft_delete": {
Type: schema.TypeBool,
Optional: true,
ValidateFunc: validate.BoolIsTrue(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given the code below ignores this if it's not set to true - I think we can safely remove this validation function? This allows users to define this variable optionally using a variable e.g.

resource "azurerm_key_vault" "test" {
  count = 2
  enabled_for_soft_delete = "${count.index == 0 ? true : false}"
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given the comment in the docs Once enabled you can not disable this setting anymore! can we add ForceNew: true here?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to use ForceNew, but changing from soft delete true to soft delete false yields following error:
azurerm_key_vault.test: Error updating Key Vault "vault5353625459524355837" (Resource Group "acctestRG-5353625459524355837"): keyvault.VaultsClient#CreateOrUpdate: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ConflictError" Message="Exist soft deleted vault with the same name. "
On the other hand, switching soft delete on works in place without issue.

I thought about adding the purge to the delete function, but the PurgeDeleted function also has some limitations: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete. So this would potentially break as well.

I suspect that removing the validation function and adding ForceNew: true could not work due to the way soft deleted key vaults are handled on Azure side.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about adding the purge to the delete function, but the PurgeDeleted function also has some limitations: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete. So this would potentially break as well.

in which case I think we'd want to purge the Key Vault if it exists at deletion time, via an opt-in flag? If users don't opt-into that and delete a soft-deleted KeyVault then they'll get this error, at which point it's up to them to recover the vault and import it into Terraform's Statefile to be able to proceed. What do you think?

We have a similar opt-in property in the VM resource where we optionally delete the OS and Data Disks when the VM is deleted.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like a good idea 👍 I added an option to toggle the purge behaviour and also updated the tests support this.

"enabled_for_purge_protection": {
Type: schema.TypeBool,
Optional: true,
ValidateFunc: validate.BoolIsTrue(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given the code below ignores this if it's not set to true - I think we can safely remove this validation function?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given the comment in the docs Once enabled you can not disable this setting anymore! can we add ForceNew: true here?

@@ -216,7 +220,7 @@ resource "azurerm_key_vault" "test" {

sku {
name = "premium"
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor can we revert this?

@@ -295,6 +305,9 @@ resource "azurerm_key_vault" "test" {
sku {
name = "premium"
}

enabled_for_soft_delete = "True"
enabled_for_purge_protection = "True"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor can we remove the quotes around these values?

}
}

enabled_for_soft_delete = "True"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor can we remove the quotes around this value?

the key vault is enabled for soft delete. Once enabled you can not disable this setting anymore!

* `enabled_for_purge_protection` - (Optional) Boolean flag to specify whether
the key vault is enabled for purge protection. Once enabled you can not disable this setting anymore!
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we replace Once enabled you can not disable this setting anymore! with Changing this forces a new resource to be created.

@@ -136,6 +138,8 @@ func TestAccAzureRMKeyVault_update(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "enabled_for_deployment", "true"),
resource.TestCheckResourceAttr(resourceName, "enabled_for_disk_encryption", "true"),
resource.TestCheckResourceAttr(resourceName, "enabled_for_template_deployment", "true"),
resource.TestCheckResourceAttr(resourceName, "enabled_for_soft_delete", "true"),
resource.TestCheckResourceAttr(resourceName, "enabled_for_purge_protection", "false"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given changing this value will force a new resource, it'll break this test - can we check for this value in a new test?

@@ -102,6 +102,8 @@ func TestAccAzureRMKeyVault_complete(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMKeyVaultExists(resourceName),
resource.TestCheckResourceAttrSet(resourceName, "access_policy.0.application_id"),
resource.TestCheckResourceAttr(resourceName, "enabled_for_soft_delete", "true"),
resource.TestCheckResourceAttr(resourceName, "enabled_for_purge_protection", "true"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rather than modifying this test - can we check these values in a new test?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created a seperate test for this: TestAccAzureRMKeyVault_enable_soft_delete

@janboll janboll force-pushed the KeyVault-Add-SoftDelete branch from c31abe7 to b7c8110 Compare July 9, 2018 10:14
@tombuildsstuff tombuildsstuff added this to the 1.11.0 milestone Jul 19, 2018
@katbyte katbyte modified the milestones: 1.11.0, 1.12.0 Jul 25, 2018
Matt Betts and others added 4 commits July 27, 2018 22:44
There's an extra underscore in the header/title, and it doesn't match the actual name of the resource.
docs/kubernetes_cluster: Fix inaccurate kube_config_raw description
rrudduck and others added 4 commits August 3, 2018 05:48
…icorp#1706)

* tokens invalid when az and terraform run on different timezones

* tokens invalid when az and terraform run on different timezones

More specifically,
- adapt @tombuildsstuff's (thanks, that's better) stylistic requests.
…hicorp#1713)

* update VMSS docs to include ip_forwarding (fixes hashicorp#1709)

* Updating to include the default value
@tombuildsstuff tombuildsstuff modified the milestones: 1.12.0, 1.13.0 Aug 3, 2018
Copy link
Collaborator

@WodansSon WodansSon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@janboll thanks for the PR, I've looked it over an have a question I left you in the comments.

* `enabled_for_soft_delete` - Is soft delete enabled on this Key Vault?

* `enabled_for_purge_protection` - Is purge protection enabled on this Key Vault?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You have updated the data source documentation but I did not see the data_source_key_vault.go in the PR, shouldn't also expose these new fields in the data source as well?

hbuckle and others added 17 commits August 19, 2018 07:36
Fix: Corrected regexp for eventhub name
* 🐛 (Network profile of AKS.) Remove client side validation for azure network plugin.

Non-empty podCidr string validation for azure network plugin should be handled by ASK service.

* 📝 (Network profile of AKS.) Add more explainations for network_profile.

Add more explainations on default network_profile and `azure` specific validation requirement.

* Updating to better match the other docs
…1789)

* issues:1743 | Added support for EventHub compatible EndPoints and Paths

* issues:1743 | Updated documentation for EventHub compatible EndPoints and Paths

* Updating the documentation to list fields explicitly
@janboll
Copy link
Author

janboll commented Aug 21, 2018

I made a mistake while rebasing and broke the branch, will create a new one with reference to this one

@janboll
Copy link
Author

janboll commented Aug 21, 2018

Opened a new PR, I am sorry for the mess :-(

@ghost
Copy link

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Missing soft delete option in azurerm_key_vault