Enhancement: azurerm_key_vault: Add support for soft delete, purge protection, and purge on destroy

azurerm/helpers/validate/bool.go

@@ -0,0 +1,23 @@
+package validate
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func BoolIsTrue() schema.SchemaValidateFunc {
+	return func(i interface{}, k string) (_ []string, errors []error) {
+		v, ok := i.(bool)
+		if !ok {
+			errors = append(errors, fmt.Errorf("expected type of %q to be bool", k))
+			return
+		}
+
+		if !v {
+			errors = append(errors, fmt.Errorf("%q can only be set to true, if not required remove key", k))
+			return
+		}
+		return
+	}
+}

azurerm/helpers/validate/bool_test.go

@@ -0,0 +1,35 @@
+package validate
+
+import "testing"
+
+func TestBoolIsTrue(t *testing.T) {
+	testCases := []struct {
+		Value           bool
+		ShouldHaveError bool
+	}{
+		{
+			Value:           true,
+			ShouldHaveError: false,
+		}, {
+			Value:           false,
+			ShouldHaveError: true,
+		},
+	}
+
+	t.Run("TestBoolIsTrue", func(t *testing.T) {
+		for _, value := range testCases {
+			_, errors := BoolIsTrue()(value.Value, "dummy")
+			hasErrors := len(errors) > 0
+
+			if value.ShouldHaveError && !hasErrors {
+				t.Fatalf("Expected an error but didn't get one for %t", value.Value)
+				return
+			}
+
+			if !value.ShouldHaveError && hasErrors {
+				t.Fatalf("Expected %t to return no errors, but got some %+v", value.Value, errors)
+				return
+			}
+		}
+	})
+}

azurerm/internal/services/keyvault/data_source_key_vault.go

@@ -156,6 +156,16 @@ func dataSourceArmKeyVault() *schema.Resource {
 				},
 			},
 
+			"enabled_for_soft_delete": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+
+			"enabled_for_purge_protection": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+
 			"tags": tags.SchemaDataSource(),
 		},
 	}
@@ -190,6 +200,8 @@ func dataSourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
 		d.Set("enabled_for_deployment", props.EnabledForDeployment)
 		d.Set("enabled_for_disk_encryption", props.EnabledForDiskEncryption)
 		d.Set("enabled_for_template_deployment", props.EnabledForTemplateDeployment)
+		d.Set("enabled_for_soft_delete", props.EnableSoftDelete)
+		d.Set("enabled_for_purge_protection", props.EnablePurgeProtection)
 		d.Set("vault_uri", props.VaultURI)
 
 		if sku := props.Sku; sku != nil {

azurerm/internal/services/keyvault/resource_arm_key_vault.go

@@ -157,6 +157,25 @@ func resourceArmKeyVault() *schema.Resource {
 				Optional: true,
 			},
 
+			"enabled_for_soft_delete": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				ValidateFunc: validate.BoolIsTrue(),
+			},
+
+			"enabled_for_purge_protection": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				ValidateFunc: validate.BoolIsTrue(),
+			},
+
+			"purge_on_delete": {
+				Type:          schema.TypeBool,
+				Optional:      true,
+				Default:       false,
+				ConflictsWith: []string{"enabled_for_purge_protection"},
+			},
+
 			"network_acls": {
 				Type:     schema.TypeList,
 				Optional: true,
@@ -252,6 +271,8 @@ func resourceArmKeyVaultCreateUpdate(d *schema.ResourceData, meta interface{}) e
 	enabledForDeployment := d.Get("enabled_for_deployment").(bool)
 	enabledForDiskEncryption := d.Get("enabled_for_disk_encryption").(bool)
 	enabledForTemplateDeployment := d.Get("enabled_for_template_deployment").(bool)
+	enabledForSoftDelete := d.Get("enabled_for_soft_delete").(bool)
+	enabledForPurgeProtection := d.Get("enabled_for_purge_protection").(bool)
 	t := d.Get("tags").(map[string]interface{})
 
 	networkAclsRaw := d.Get("network_acls").([]interface{})
@@ -277,6 +298,16 @@ func resourceArmKeyVaultCreateUpdate(d *schema.ResourceData, meta interface{}) e
 		Tags: tags.Expand(t),
 	}
 
+	// This setting can only be set if it is true, if set when value is false API returns errors
+	if enabledForSoftDelete {
+		parameters.Properties.EnableSoftDelete = &enabledForSoftDelete
+	}
+
+	// This setting can only be set if it is true, if set when value is false API returns errors
+	if enabledForPurgeProtection {
+		parameters.Properties.EnablePurgeProtection = &enabledForPurgeProtection
+	}
+
 	// Locking this resource so we don't make modifications to it at the same time if there is a
 	// key vault access policy trying to update it as well
 	locks.ByName(name, keyVaultResourceName)
@@ -375,6 +406,8 @@ func resourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
 		d.Set("enabled_for_deployment", props.EnabledForDeployment)
 		d.Set("enabled_for_disk_encryption", props.EnabledForDiskEncryption)
 		d.Set("enabled_for_template_deployment", props.EnabledForTemplateDeployment)
+		d.Set("enabled_for_soft_delete", props.EnableSoftDelete)
+		d.Set("enabled_for_purge_protection", props.EnablePurgeProtection)
 		d.Set("vault_uri", props.VaultURI)
 
 		if sku := props.Sku; sku != nil {
@@ -461,6 +494,22 @@ func resourceArmKeyVaultDelete(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	if d.Get("purge_on_delete").(bool) && d.Get("enabled_for_soft_delete").(bool) && err == nil {
+		log.Printf("[DEBUG] KeyVault %s marked for purge, executing purge", name)
+		location := d.Get("location").(string)
+
+		future, err := client.PurgeDeleted(ctx, name, location)
+		if err != nil {
+			return err
+		}
+
+		log.Printf("[DEBUG] Waiting for purge of KeyVault %s", name)
+		err = future.WaitForCompletionRef(ctx, client.Client)
+		if err != nil {
+			return fmt.Errorf("Error purging Key Vault %q (Resource Group %q): %+v", name, resourceGroup, err)
+		}
+	}
+
 	return nil
 }
 

azurerm/internal/services/keyvault/tests/data_source_key_vault_test.go

@@ -111,6 +111,26 @@ func TestAccDataSourceAzureRMKeyVault_networkAcls(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceAzureRMKeyVault_enable_soft_delete(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_key_vault", "test")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceAzureRMKeyVault_enable_soft_delete(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "enabled_for_soft_delete", "true"),
+					resource.TestCheckResourceAttr(data.ResourceName, "enabled_for_purge_protection", "false"),
+				),
+			},
+		},
+	})
+}
+
 func testAccDataSourceAzureRMKeyVault_basic(data acceptance.TestData) string {
 	r := testAccAzureRMKeyVault_basic(data)
 	return fmt.Sprintf(`
@@ -146,3 +166,15 @@ data "azurerm_key_vault" "test" {
 }
 `, r)
 }
+
+func testAccDataSourceAzureRMKeyVault_enable_soft_delete(data acceptance.TestData) string {
+	r := testAccAzureRMKeyVault_enable_soft_delete(data)
+	return fmt.Sprintf(` 
+%s 
+
+data "azurerm_key_vault" "test" { 
+  name                = "${azurerm_key_vault.test.name}" 
+  resource_group_name = "${azurerm_key_vault.test.resource_group_name}" 
+} 
+`, r)
+}

azurerm/internal/services/keyvault/tests/resource_arm_key_vault_test.go

@@ -331,6 +331,55 @@ func TestAccAzureRMKeyVault_justCert(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVault_soft_delete(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_key_vault", "test")
+	expectedError := fmt.Sprintf("^Check failed: Check 1/1 error: Not found: %s", data.ResourceName)
+	errorRegEx, _ := regexp.Compile(expectedError)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMKeyVault_basic(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "access_policy.0.key_permissions.0", "create"),
+					resource.TestCheckResourceAttr(data.ResourceName, "access_policy.0.secret_permissions.0", "set"),
+					resource.TestCheckResourceAttr(data.ResourceName, "tags.environment", "Production"),
+				),
+			},
+			{
+				Config: testAccAzureRMKeyVault_enable_soft_delete(data),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(data.ResourceName, "access_policy.0.key_permissions.0", "get"),
+					resource.TestCheckResourceAttr(data.ResourceName, "access_policy.0.secret_permissions.0", "get"),
+					resource.TestCheckResourceAttr(data.ResourceName, "enabled_for_soft_delete", "true"),
+					resource.TestCheckResourceAttr(data.ResourceName, "enabled_for_purge_protection", "false"),
+					resource.TestCheckResourceAttr(data.ResourceName, "tags.environment", "Production"),
+				),
+			},
+			{
+				Config:      testAccAzureRMKeyVault_purge_vault(data),
+				ExpectError: errorRegEx,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(data.ResourceName),
+				),
+			},
+			{
+				Config: testAccAzureRMKeyVault_basic(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "access_policy.0.key_permissions.0", "create"),
+					resource.TestCheckResourceAttr(data.ResourceName, "access_policy.0.secret_permissions.0", "set"),
+					resource.TestCheckResourceAttr(data.ResourceName, "tags.environment", "Production"),
+				),
+			},
+		},
+	})
+}
+
 func testCheckAzureRMKeyVaultDestroy(s *terraform.State) error {
 	client := acceptance.AzureProvider.Meta().(*clients.Client).KeyVault.VaultsClient
 	ctx := acceptance.AzureProvider.Meta().(*clients.Client).StopContext
@@ -446,6 +495,10 @@ resource "azurerm_key_vault" "test" {
       "set",
     ]
   }
+
+  tags = {
+    environment = "Production"
+  }
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }
@@ -787,6 +840,59 @@ resource "azurerm_key_vault" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }
 
+func testAccAzureRMKeyVault_enable_soft_delete(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_key_vault" "test" {
+  name                = "vault%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"
+
+  sku {
+    name = "premium"
+	}
+
+	access_policy {
+    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+    object_id = "${data.azurerm_client_config.current.client_id}"
+
+    key_permissions = [
+      "get",
+    ]
+
+    secret_permissions = [
+      "get",
+    ]
+  }
+
+	enabled_for_soft_delete = true
+  purge_on_delete         = true
+
+  tags = {
+    environment = "Production"
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
+func testAccAzureRMKeyVault_purge_vault(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
+
 func testAccAzureRMKeyVault_complete(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 data "azurerm_client_config" "current" {}

website/docs/d/key_vault.html.markdown

@@ -54,6 +54,10 @@ The following attributes are exported:
 
 * `enabled_for_template_deployment` - Can Azure Resource Manager retrieve secrets from the Key Vault?
 
+* `enabled_for_soft_delete` -  Is soft delete enabled on this Key Vault? 
+
+* `enabled_for_purge_protection` - Is purge protection enabled on this Key Vault?
+
 * `tags` - A mapping of tags assigned to the Key Vault.
 
 A `sku` block exports the following:

website/docs/r/key_vault.html.markdown

@@ -84,6 +84,12 @@ The following arguments are supported:
 
 * `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`.
 
+* `enabled_for_soft_delete` - (Optional) Boolean flag to specify whether the key vault is enabled for soft delete. Once enabled you can not disable this setting.
+
+* `purge_on_delete` - (Optional) Boolean flag to specify if the KeyVault should be purged on delete. This purges KeyVaults enabled for soft delete on resource deletition.
+
+* `enabled_for_purge_protection` - (Optional) Boolean flag to specify whether the key vault is enabled for purge protection, this conflicts with `purge_on_delete`. Once enabled you can not disable this setting.
+
 * `network_acls` - (Optional) A `network_acls` block as defined below.
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.