hashicorp · mbfrahry · Jan 19, 2024 · Oct 13, 2023 · Oct 18, 2023 · Oct 18, 2023
@@ -0,0 +1,5 @@
+## Example: NetApp Files Customer-Managed Keys Volume Encryption
+
+This example shows how to create an Azure NetApp volume with Customer-Managed Key Encryption enabled.
+
+For more information, please refer to [Configure customer-managed keys for Azure NetApp Files volume encryption](https://learn.microsoft.com/en-us/azure/azure-netapp-files/configure-customer-managed-keys).
@@ -0,0 +1,184 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_client_config" "current" {
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-resources"
+  location = var.location
+}
+
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.prefix}-vnet"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  address_space       = ["10.6.0.0/16"]
+}
+
+resource "azurerm_subnet" "example-delegated" {
+  name                 = "${var.prefix}-delegated-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.6.1.0/24"]
+
+  delegation {
+    name = "exampledelegation"
+
+    service_delegation {
+      name    = "Microsoft.Netapp/volumes"
+      actions = ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
+    }
+  }
+}
+
+resource "azurerm_subnet" "example-non-delegated" {
+  name                 = "${var.prefix}-non-delegated-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.6.0.0/24"]
+}
+
+resource "azurerm_key_vault" "example" {
+  name                            = "${var.prefix}anfakv"
+  location                        = azurerm_resource_group.example.location
+  resource_group_name             = azurerm_resource_group.example.name
+  enabled_for_disk_encryption     = true
+  enabled_for_deployment          = true
+  enabled_for_template_deployment = true
+  purge_protection_enabled        = true
+  tenant_id                       = var.tenant_id
+
+  sku_name = "standard"
+
+  access_policy {
+    tenant_id = var.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+
+    key_permissions = [
+      "Get",
+      "Create",
+      "Delete",
+      "WrapKey",
+      "UnwrapKey",
+      "GetRotationPolicy",
+      "SetRotationPolicy",
+    ]
+  }
+
+  access_policy {
+    tenant_id = var.tenant_id
+    object_id = azurerm_user_assigned_identity.example.principal_id
+
+    key_permissions = [
+      "Get",
+      "Encrypt",
+      "Decrypt"
+    ]
+  }
+}
+
+resource "azurerm_key_vault_key" "example" {
+  name         = "${var.prefix}anfenckey"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_private_endpoint" "example" {
+  name                = "${var.prefix}-pe-akv"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  subnet_id           = azurerm_subnet.example-non-delegated.id
+
+  private_service_connection {
+    name                           = "${var.prefix}-pe-sc-akv"
+    private_connection_resource_id = azurerm_key_vault.example.id
+    is_manual_connection           = false
+    subresource_names              = ["Vault"]
+  }
+}
+
+resource "azurerm_user_assigned_identity" "example" {
+  name                = "${var.prefix}-user-assigned-identity"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_netapp_account" "example" {
+  name                = "${var.prefix}-netappaccount"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  identity {
+    type = "UserAssigned"
+    identity_ids = [
+      azurerm_user_assigned_identity.example.id
+    ]
+  }
+}
+
+resource "azurerm_netapp_account_encryption" "example" {
+  netapp_account_id = azurerm_netapp_account.example.id
+
+  user_assigned_identity_id = azurerm_user_assigned_identity.example.id
+
+  encryption {
+    key_vault_key_id = azurerm_key_vault_key.example.versionless_id
+  }
+}
+
+resource "azurerm_netapp_pool" "example" {
+  name                = "${var.prefix}-pool"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  account_name        = azurerm_netapp_account.example.name
+  service_level       = "Standard"
+  size_in_tb          = 4
+
+  depends_on = [
+    azurerm_netapp_account_encryption.example
+  ]
+}
+
+resource "azurerm_netapp_volume" "example" {
+  name                          = "${var.prefix}-vol"
+  location                      = azurerm_resource_group.example.location
+  resource_group_name           = azurerm_resource_group.example.name
+  account_name                  = azurerm_netapp_account.example.name
+  pool_name                     = azurerm_netapp_pool.example.name
+  volume_path                   = "${var.prefix}-my-unique-file-path-vol"
+  service_level                 = "Standard"
+  subnet_id                     = azurerm_subnet.example-delegated.id
+  storage_quota_in_gb           = 100
+  network_features              = "Standard"
+  encryption_key_source         = "Microsoft.KeyVault"
+  key_vault_private_endpoint_id = azurerm_private_endpoint.example.id
+
+  export_policy_rule {
+    rule_index          = 1
+    allowed_clients     = ["0.0.0.0/0"]
+    protocols_enabled   = ["NFSv3"]
+    unix_read_only      = false
+    unix_read_write     = true
+    root_access_enabled = true
+  }
+
+  depends_on = [
+    azurerm_netapp_account_encryption.example,
+    azurerm_private_endpoint.example
+  ]
+}
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+variable "location" {
+  description = "The Azure location where all resources in this example should be created."
+}
+
+variable "prefix" {
+  description = "The prefix used for all resources used by this NetApp Volume"
+}
+
+variable "tenant_id" {
+  description = "The Azure tenant ID used to create the user-assigned identity"
+}
@@ -7,6 +7,24 @@ const (
 	MaxQuotaTargetIDSizeInKiB int64 = 4294967295
 )
 
+type NetAppAccountEncryption struct {
+	NetAppAccountID                   string                         `tfschema:"netapp_account_id"`
+	UserAssignedIdentityID            string                         `tfschema:"user_assigned_identity_id"`
+	SystemAssignedIdentityPrincipalID string                         `tfschema:"system_assigned_identity_principal_id"`
+	Encryption                        []NetAppAccountEncryptionModel `tfschema:"encryption"`
+}
+
+type NetAppAccountEncryptionDataSourceModel struct {
+	NetAppAccountID                   string                         `tfschema:"netapp_account_id"`
+	UserAssignedIdentityID            string                         `tfschema:"user_assigned_identity_id"`
+	SystemAssignedIdentityPrincipalID string                         `tfschema:"system_assigned_identity_principal_id"`
+	Encryption                        []NetAppAccountEncryptionModel `tfschema:"encryption"`
+}
+
+type NetAppAccountEncryptionModel struct {
+	KeyVaultKeyID string `tfschema:"key_vault_key_id"`
+}
+
 type NetAppVolumeGroupVolume struct {
 	Id                           string                         `tfschema:"id"`
 	Name                         string                         `tfschema:"name"`

@@ -9,7 +9,9 @@ import (
 
 	"github.com/hashicorp/go-azure-helpers/lang/response"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/identity"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/location"
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/tags"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/netapp/2023-05-01/netappaccounts"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/netapp/validate"
@@ -36,7 +38,9 @@ func dataSourceNetAppAccount() *pluginsdk.Resource {
 
 			"location": commonschema.LocationComputed(),
 
-			// TODO: add Tags now that https://github.com/Azure/azure-rest-api-specs/issues/7447 has been fixed
+			"identity": commonschema.SystemOrUserAssignedIdentityOptional(),
+
+			"tags": commonschema.TagsDataSource(),
 		},
 	}
 }
@@ -63,6 +67,18 @@ func dataSourceNetAppAccountRead(d *pluginsdk.ResourceData, meta interface{}) er
 
 	if model := resp.Model; model != nil {
 		d.Set("location", location.NormalizeNilable(&model.Location))
+
+		identity, err := identity.FlattenLegacySystemAndUserAssignedMap(model.Identity)
+		if err != nil {
+			return fmt.Errorf("flattening `identity`: %+v", err)
+		}
+		if err := d.Set("identity", identity); err != nil {
+			return fmt.Errorf("setting `identity`: %+v", err)
+		}
+
+		if err := tags.FlattenAndSet(d, model.Tags); err != nil {
+			return fmt.Errorf("setting `tags`: %+v", err)
+		}
 	}
 
 	return nil

@@ -13,7 +13,7 @@ import (
 
 type NetAppAccountDataSource struct{}
 
-func testAccDataSourceNetAppAccount_basic(t *testing.T) {
+func TestAccDataSourceNetAppAccount_basic(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azurerm_netapp_account", "test")
 	r := NetAppAccountDataSource{}
 
@@ -28,6 +28,22 @@ func testAccDataSourceNetAppAccount_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceNetAppAccount_systemAssignedManagedIdentity(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_netapp_account", "test")
+	r := NetAppAccountDataSource{}
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: r.systemAssignedManagedIdentityConfig(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("resource_group_name").Exists(),
+				check.That(data.ResourceName).Key("name").Exists(),
+				check.That(data.ResourceName).Key("identity.0.type").HasValue("SystemAssigned"),
+			),
+		},
+	})
+}
+
 func (r NetAppAccountDataSource) basicConfig(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
@@ -38,3 +54,14 @@ data "azurerm_netapp_account" "test" {
 }
 `, NetAppAccountResource{}.basicConfig(data))
 }
+
+func (r NetAppAccountDataSource) systemAssignedManagedIdentityConfig(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+data "azurerm_netapp_account" "test" {
+  resource_group_name = azurerm_netapp_account.test.resource_group_name
+  name                = azurerm_netapp_account.test.name
+}
+`, NetAppAccountResource{}.systemAssignedManagedIdentity(data))
+}