azurerm_key_vault_secret - support for not_before_date and expiration_date #4873

Merged
merged 3 commits into from
Nov 19, 2019
78 changes: 70 additions & 8 deletions azurerm/resource_arm_key_vault_secret.go
Expand Up @@ -6,6 +6,7 @@ import (
"time"

"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
"github.com/Azure/go-autorest/autorest/date"
"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
Expand Down Expand Up @@ -72,6 +73,18 @@ func resourceArmKeyVaultSecret() *schema.Resource {
Optional: true,
},

"not_before_date": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validate.RFC3339Time,
},

"expiration_date": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validate.RFC3339Time,
},

"version": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -131,9 +144,28 @@ func resourceArmKeyVaultSecretCreate(d *schema.ResourceData, meta interface{}) e
t := d.Get("tags").(map[string]interface{})

parameters := keyvault.SecretSetParameters{
Value: utils.String(value),
ContentType: utils.String(contentType),
Tags: tags.Expand(t),
Value: utils.String(value),
ContentType: utils.String(contentType),
Tags: tags.Expand(t),
SecretAttributes: &keyvault.SecretAttributes{},
}

if v, ok := d.GetOk("not_before_date"); ok {
notBeforeDate, err := time.Parse(time.RFC3339, v.(string))
if err != nil {
return fmt.Errorf("error parsing `not_before_date` time: %s", err)
}
technically we don't need to check for an error here because the validation function should catch all non valid time strings

makes sense, removed 👍

notBeforeUnixTime := date.UnixTime(notBeforeDate)
parameters.SecretAttributes.NotBefore = &notBeforeUnixTime
}

if v, ok := d.GetOk("expiration_date"); ok {
expirationDate, err := time.Parse(time.RFC3339, v.(string))
if err != nil {
return fmt.Errorf("error parsing `expiration_date` time: %s", err)
}
TestAccAzureRMPostgreSQLDatabase_collationWithHyphen

expirationUnixTime := date.UnixTime(expirationDate)
parameters.SecretAttributes.Expires = &expirationUnixTime
}

if _, err := client.SetSecret(ctx, keyVaultBaseUrl, name, parameters); err != nil {
Expand Down Expand Up @@ -188,12 +220,33 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e
contentType := d.Get("content_type").(string)
t := d.Get("tags").(map[string]interface{})

secretAttributes := &keyvault.SecretAttributes{}

if v, ok := d.GetOk("not_before_date"); ok {
notBeforeDate, err := time.Parse(time.RFC3339, v.(string))
if err != nil {
return fmt.Errorf("error parsing `not_before_date` time: %s", err)
}
TestAccAzureRMPostgreSQLDatabase_collationWithHyphen

notBeforeUnixTime := date.UnixTime(notBeforeDate)
secretAttributes.NotBefore = &notBeforeUnixTime
}

if v, ok := d.GetOk("expiration_date"); ok {
expirationDate, err := time.Parse(time.RFC3339, v.(string))
if err != nil {
return fmt.Errorf("error parsing `expiration_date` time: %s", err)
}
TestAccAzureRMPostgreSQLDatabase_collationWithHyphen

expirationUnixTime := date.UnixTime(expirationDate)
secretAttributes.Expires = &expirationUnixTime
}

if d.HasChange("value") {
// for changing the value of the secret we need to create a new version
parameters := keyvault.SecretSetParameters{
Value: utils.String(value),
ContentType: utils.String(contentType),
Tags: tags.Expand(t),
Value: utils.String(value),
ContentType: utils.String(contentType),
Tags: tags.Expand(t),
SecretAttributes: secretAttributes,
}

if _, err = client.SetSecret(ctx, id.KeyVaultBaseUrl, id.Name, parameters); err != nil {
Expand All @@ -214,8 +267,9 @@ func resourceArmKeyVaultSecretUpdate(d *schema.ResourceData, meta interface{}) e
d.SetId(*read.ID)
} else {
parameters := keyvault.SecretUpdateParameters{
ContentType: utils.String(contentType),
Tags: tags.Expand(t),
ContentType: utils.String(contentType),
Tags: tags.Expand(t),
SecretAttributes: secretAttributes,
}

if _, err = client.UpdateSecret(ctx, id.KeyVaultBaseUrl, id.Name, id.Version, parameters); err != nil {
Expand Down Expand Up @@ -280,6 +334,14 @@ func resourceArmKeyVaultSecretRead(d *schema.ResourceData, meta interface{}) err
d.Set("version", respID.Version)
d.Set("content_type", resp.ContentType)

if v := resp.Attributes.NotBefore; v != nil {
Attributes has the potential to be nil, so we should check that it isn't nil before referencing NotBefore and Expires

good call, added a nil check for Attributes

d.Set("not_before_date", time.Time(*v).Format(time.RFC3339))
}

if v := resp.Attributes.Expires; v != nil {
d.Set("expiration_date", time.Time(*v).Format(time.RFC3339))
}

return tags.FlattenAndSet(d, resp.Tags)
}

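Review bot: In the resourceArmKeyVaultSecretUpdate hunk, `secretAttributes` starts as an empty struct and only gains `NotBefore`/`Expires` when the attribute is present in config, so removing `not_before_date` or `expiration_date` from the configuration sends nil fields in both `SecretSetParameters` and `SecretUpdateParameters`; if the service treats a nil attribute as "leave unchanged" (likely for the Update path, though not shown here), the previously set expiry stays on the secret while Read keeps writing it back into state, yielding a perpetual diff instead of clearing it. Worth confirming the API semantics for nil `Expires`/`NotBefore`, and either clearing them explicitly on removal or documenting that the dates cannot be unset once applied; the same shape applies to the `UpdateSecret` branch in the following hunk. Separately, in the Read hunk the value is written with `time.Time(*v).Format(time.RFC3339)` in whatever location the SDK decodes the Unix timestamp into; if that is not UTC, a user value written as `...Z` would round-trip with a numeric offset and show as a change, so `time.Time(*v).UTC().Format(time.RFC3339)` would be the safer form. The enclosing functions start and end outside these hunks.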
13 changes: 9 additions & 4 deletions azurerm/resource_arm_key_vault_secret_test.go
Expand Up @@ -153,6 +153,9 @@ func TestAccAzureRMKeyVaultSecret_complete(t *testing.T) {
Config: config,
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMKeyVaultSecretExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "not_before_date", "2019-01-01T01:02:03Z"),
resource.TestCheckResourceAttr(resourceName, "expiration_date", "2020-01-01T01:02:03Z"),
resource.TestCheckResourceAttr(resourceName, "tags.hello", "world"),
The same check is done just a couple lines below. Can we remove this one?

whoops, removed!

resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
resource.TestCheckResourceAttr(resourceName, "tags.hello", "world"),
),
Expand Down Expand Up @@ -445,10 +448,12 @@ resource "azurerm_key_vault" "test" {
}

resource "azurerm_key_vault_secret" "test" {
name = "secret-%s"
value = "<rick><morty /></rick>"
key_vault_id = "${azurerm_key_vault.test.id}"
content_type = "application/xml"
name = "secret-%s"
value = "<rick><morty /></rick>"
key_vault_id = "${azurerm_key_vault.test.id}"
content_type = "application/xml"
not_before_date = "2019-01-01T01:02:03Z"
expiration_date = "2020-01-01T01:02:03Z"

tags = {
"hello" = "world"
6 changes: 5 additions & 1 deletion website/docs/r/key_vault_secret.html.markdown
Expand Up @@ -81,14 +81,18 @@ The following arguments are supported:

* `value` - (Required) Specifies the value of the Key Vault Secret.

~> **Note:** Key Vault strips newlines. To preserve newlines in multi-line secrets try replacing them with `\n` or by base 64 encoding them with `replace(file("my_secret_file"), "/\n/", "\n")` or `base64encode(file("my_secret_file"))`, respectively.
~> **Note:** Key Vault strips newlines. To preserve newlines in multi-line secrets try replacing them with `\n` or by base 64 encoding them with `replace(file("my_secret_file"), "/\n/", "\n")` or `base64encode(file("my_secret_file"))`, respectively.

* `key_vault_id` - (Required) The ID of the Key Vault where the Secret should be created.

* `content_type` - (Optional) Specifies the content type for the Key Vault Secret.

* `tags` - (Optional) A mapping of tags to assign to the resource.

* `not_before_date` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

* `expiration_date` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

## Attributes Reference

The following attributes are exported: