-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_container_group
- Supports CMK with user assigned identity
#23332
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @magodo. I left a few suggestions in-line. Could you please take a look at them? Thanks!
if kvProps.Identity != nil { | ||
uai = *kvProps.Identity | ||
} | ||
d.Set("key_vault_user_identity_id", uai) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can become
d.Set("key_vault_user_identity_id", uai) | |
d.Set("key_vault_user_identity_id", pointer.From(kvProps.Identity)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I'll change it.
@@ -99,6 +99,8 @@ The following arguments are supported: | |||
|
|||
* `key_vault_key_id` - (Optional) The Key Vault key URI for CMK encryption. Changing this forces a new resource to be created. | |||
|
|||
* `key_vault_user_identity_id` - (Optional) The user assigned identity that has access to the Key Vault Key. If not specified, the RP principal named "Azure Container Instance Service" will be used instead. Make sure the identity has the proper `key_permissions` set, at least with `Get`, `UnwrapKey`, `WrapKey` and `GetRotationPolicy`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ordering of the sentences here is a little confusing, are the key_permissions
that are needed for the RP Principal or for key_vault_user_identity_id
? Or both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be both identities.
@@ -553,6 +553,12 @@ func resourceContainerGroup() *pluginsdk.Resource { | |||
ForceNew: true, | |||
ValidateFunc: keyVaultValidate.NestedItemId, | |||
}, | |||
|
|||
"key_vault_user_identity_id": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently the identity properties for CMK are inconsistent across the provider, some are called identity_id
, primary_user_assigned_identity_id
or user_assigned_identity_id
. We might want to consider standardising these for the next major release and having a commonschema
for them like we do for identities.
All this to say, I think for the time being this might benefit from being called key_vault_user_assigned_identity_id
since it's clear at first glance what type of ID it is and is also closer to what we currently have in the provider.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renamed.
@stephybun Thank you for the review! I've changed the code per your comment, please take another look! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @magodo LGTM 💯
<Actions> <action id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669"> <h3>Bump Terraform `azurerm` provider version</h3> <details id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24"> <summary>Update Terraform lock file</summary> <p>"hashicorp/azurerm" updated from "3.73.0" to "3.74.0" in file ".terraform.lock.hcl"</p> <details> <summary>3.74.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.74.0
NOTES:

* `azurerm_synapse_sql_pool` - users that have imported `azurerm_synapse_sql_pool` resources that were created outside of Terraform using an `LRS` storage account type will need to use `ignore_changes` to avoid the resource from being destroyed and recreated.

FEATURES:

* **New Resource**: `azurerm_arc_resource_bridge_appliance` ([#23108](hashicorp/terraform-provider-azurerm#23108 **New Resource**: `azurerm_data_factory_dataset_azure_sql_table` ([#23264](hashicorp/terraform-provider-azurerm#23264 **New Resource**: `azurerm_function_app_connection` ([#23127](https://github.com/hashicorp/terraform-provider-azurerm/issues/23127))

ENHANCEMENTS:

* dependencies: updating to `v0.20230918.1115907` of `github.com/hashicorp/go-azure-sdk` ([#23337](hashicorp/terraform-provider-azurerm#23337 dependencies: downgrading to `v1.12.5` of `github.com/rickb777/date` ([#23296](hashicorp/terraform-provider-azurerm#23296 `mysql`: updating to use API Version `2022-01-01` ([#23320](hashicorp/terraform-provider-azurerm#23320 `azurerm_app_configuration` - support for the `replica` block ([#22452](hashicorp/terraform-provider-azurerm#22452 `azurerm_bot_channel_directline` - support for `user_upload_enabled`, `endpoint_parameters_enabled`, and `storage_enabled` ([#23149](hashicorp/terraform-provider-azurerm#23149 `azurerm_container_app` - support for scale rules ([#23294](hashicorp/terraform-provider-azurerm#23294 `azurerm_container_app_environment` - support for zone redundancy ([#23313](hashicorp/terraform-provider-azurerm#23313 `azurerm_container_group` - support for the `key_vault_user_identity_id` property for Customer Managed Keys ([#23332](hashicorp/terraform-provider-azurerm#23332 `azurerm_cosmosdb_account` - support for MongoDB connection strings ([#23331](hashicorp/terraform-provider-azurerm#23331 `azurerm_data_factory_dataset_delimited_text` - support for the `dynamic_file_system_enabled`, `dynamic_path_enabled`, and `dynamic_filename_enabled` properties ([#23261](hashicorp/terraform-provider-azurerm#23261 `azurerm_data_factory_dataset_parquet` - support for the `azure_blob_fs_location` block ([#23261](hashicorp/terraform-provider-azurerm#23261 `azurerm_monitor_diagnostic_setting` - validation to ensure either `category` or `category_group` are supplied in `enabled_log` and `log` blocks ([#23308](hashicorp/terraform-provider-azurerm#23308 `azurerm_network_interface` - support for the `auxiliary_mode` and `auxiliary_sku` properties ([#22979](hashicorp/terraform-provider-azurerm#22979 `azurerm_postgresql_flexible_server` - increased the maximum supported value for `storage_mb` ([#23277](hashicorp/terraform-provider-azurerm#23277 `azurerm_shared_image_version` - support for the `replicated_region_deletion_enabled` and `target_region.exclude_from_latest_enabled` properties ([#23147](hashicorp/terraform-provider-azurerm#23147 `azurerm_storage_account` - support for setting `domain_name` and `domain_guid` for `AADKERB` ([#22833](hashicorp/terraform-provider-azurerm#22833 `azurerm_storage_account_customer_managed_key` - support for cross-tenant customer-managed keys with the `federated_identity_client_id`, and `key_vault_uri` properties ([#20356](hashicorp/terraform-provider-azurerm#20356 `azurerm_web_application_firewall_policy` - support for the `rate_limit_duration`, `rate_limit_threshold`, `group_rate_limit_by`, and `request_body_inspect_limit_in_kb` properties ([#23239](https://github.com/hashicorp/terraform-provider-azurerm/issues/23239))

BUG FIXES:

* Data Source: `azurerm_container_app_environment`: fix `log_analytics_workspace_name` output to correct value ([#23298](hashicorp/terraform-provider-azurerm#23298 `azurerm_api_management_api` - set the `service_url` property when importing the resource ([#23011](hashicorp/terraform-provider-azurerm#23011 `azurerm_app_configuration` - prevent crash by nil checking the encryption configuration ([#23302](hashicorp/terraform-provider-azurerm#23302 `azurerm_app_configuration_feature` - update `percentage_filter_value` to accept correct type of float ([#23263](hashicorp/terraform-provider-azurerm#23263 `azurerm_container_app` - fix an issue with `commands` and `args` being overwritten when using multiple containers ([#23338](hashicorp/terraform-provider-azurerm#23338 `azurerm_key_vault_certificate` - fix issue where certificates couldn't be recovered anymore ([#23204](hashicorp/terraform-provider-azurerm#23204 `azurerm_key_vault_key` - the ForceNew when `expiration_date` is removed from the config file ([#23327](hashicorp/terraform-provider-azurerm#23327 `azurerm_linux_function_app` - fix a bug in setting the storage settings when using Elastic Premium plans ([#21212](hashicorp/terraform-provider-azurerm#21212 `azurerm_linux_web_app` - fix docker app stack update ([#23303](hashicorp/terraform-provider-azurerm#23303 `azurerm_linux_web_app` - fix crash in auto heal expansion ([#21328](hashicorp/terraform-provider-azurerm#21328 `azurerm_linux_web_app_slot` - fix docker app stack update ([#23303](hashicorp/terraform-provider-azurerm#23303 `azurerm_linux_web_app_slot` - fix crash in auto heal expansion ([#21328](hashicorp/terraform-provider-azurerm#21328 `azurerm_log_analytics_solution` - fix bug where the resource wasn't handling successful creation on subsequent applies ([#23312](hashicorp/terraform-provider-azurerm#23312 `azurerm_management_group_subscription_association` - fix bug to correctly mark resource as gone if not found during read ([#23335](hashicorp/terraform-provider-azurerm#23335 `azurerm_mssql_elasticpool` - remove check that prevents `license_type` from being set for certain skus ([#23262](hashicorp/terraform-provider-azurerm#23262 `azurerm_servicebus_queue` - fixing an issue where `auto_delete_on_idle` couldn't be set to `P10675199DT2H48M5.4775807S` ([#23296](hashicorp/terraform-provider-azurerm#23296 `azurerm_servicebus_topic` - fixing an issue where `auto_delete_on_idle` couldn't be set to `P10675199DT2H48M5.4775807S` ([#23296](hashicorp/terraform-provider-azurerm#23296 `azurerm_storage_account` - prevent sending unsupported blob properties in payload for `Storage` account kind ([#23288](hashicorp/terraform-provider-azurerm#23288 `azurerm_synapse_sql_pool` - expose `storage_account_type` ([#23217](hashicorp/terraform-provider-azurerm#23217 `azurerm_windows_function_app` - fix a bug in setting the storage settings when using Elastic Premium plans ([#21212](hashicorp/terraform-provider-azurerm#21212 `azurerm_windows_web_app` - fix docker app stack update ([#23303](hashicorp/terraform-provider-azurerm#23303 `azurerm_windows_web_app_slot` - fix docker app stack update ([#23303](https://github.com/hashicorp/terraform-provider-azurerm/issues/23303))

DEPRECATIONS:

* `azurerm_application_gateway` - deprecate `Standard` and `WAF` skus ([#23310](hashicorp/terraform-provider-azurerm#23310 `azurerm_bot_channel_web_chat` - deprecate `site_names` in favour of `site` block ([#23161](hashicorp/terraform-provider-azurerm#23161 `azurerm_monitor_diagnostic_setting` - deprecate `retention_policy` in favour of `azurerm_storage_management_policy` ([#23260](https://github.com/hashicorp/terraform-provider-azurerm/issues/23260))


</pre> </details> </details> </action> </Actions> --- <table> <tr> <td width="77"> <img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo" width="50" height="50"> </td> <td> <p> Created automatically by <a href="https://www.updatecli.io/">Updatecli</a> </p> <details><summary>Options:</summary> <br /> <p>Most of Updatecli configuration is done via <a href="https://www.updatecli.io/docs/prologue/quick-start/">its manifest(s)</a>.</p> <ul> <li>If you close this pull request, Updatecli will automatically reopen it, the next time it runs.</li> <li>If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.</li> </ul> <p> Feel free to report any issues at <a href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br /> If you find this tool useful, do not hesitate to star <a href="https://github.com/updatecli/updatecli/stargazers">our GitHub repository</a> as a sign of appreciation, and/or to tell us directly on our <a href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>! </p> </details> </td> </tr> </table> Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
<Actions> <action id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669"> <h3>Bump Terraform `azurerm` provider version</h3> <details id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24"> <summary>Update Terraform lock file</summary> <p>"hashicorp/azurerm" updated from "3.74.0" to "3.75.0" in file ".terraform.lock.hcl"</p> <details> <summary>3.75.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.75.0
FEATURES:

* New Resource: `azurerm_application_load_balancer` ([#22517](hashicorp/terraform-provider-azurerm#22517 New Resource: `azurerm_resource_management_private_link` ([#23098](https://github.com/hashicorp/terraform-provider-azurerm/issues/23098))

ENHANCEMENTS:

* dependencies: `firewall` migrated to `hashicorp/go-azure-sdk` ([#22863](hashicorp/terraform-provider-azurerm#22863 `azurerm_bot_service_azure_bot` - add support for the `icon_url` property ([#23114](hashicorp/terraform-provider-azurerm#23114 `azurerm_cognitive_deployment` - `capacity` property is now updateable ([#23251](hashicorp/terraform-provider-azurerm#23251 `azurerm_container_group` - added support for `key_vault_user_identity_id` ([#23332](hashicorp/terraform-provider-azurerm#23332 `azurerm_data_factory` - added support for the `publish_enabled` property ([#2334](hashicorp/terraform-provider-azurerm#2334 `azurerm_firewall_policy_rule_collection_group` - add support for the `description` property ([#23354](hashicorp/terraform-provider-azurerm#23354 `azurerm_kubernetes_cluster` - `network_profile.network_policy` can be migrated to `cilium` ([#23342](hashicorp/terraform-provider-azurerm#23342 `azurerm_log_analytics_workspace` - add support for the `data_collection_rule_id` property ([#23347](hashicorp/terraform-provider-azurerm#23347 `azurerm_mysql_flexible_server` - add support for the `io_scaling_enabled` property ([#23329](https://github.com/hashicorp/terraform-provider-azurerm/issues/23329))

BUG FIXES:

* `azurerm_api_management_api` - fix importing `openapi` format content file issue ([#23348](hashicorp/terraform-provider-azurerm#23348 `azurerm_cdn_frontdoor_rule` - allow a `cache_duration` of `00:00:00` ([#23384](hashicorp/terraform-provider-azurerm#23384 `azurerm_cosmosdb_cassandra_datacenter` - `sku_name` is now updatable ([#23419](hashicorp/terraform-provider-azurerm#23419 `azurerm_key_vault_certificate` - fix a bug that prevented soft-deleted certificates from being recovered ([#23204](hashicorp/terraform-provider-azurerm#23204 `azurerm_log_analytics_solution` - fix create and update lifecycle of resource by splitting methods ([#23333](hashicorp/terraform-provider-azurerm#23333 `azurerm_management_group_subscription_association` - mark resource as gone correctly if not found when retrieving ([#23335](hashicorp/terraform-provider-azurerm#23335 `azurerm_management_lock` - add polling after create and delete to check for RP propagation ([#23345](hashicorp/terraform-provider-azurerm#23345 `azurerm_monitor_diagnostic_setting` - added validation to ensure at least one of `category` or `category_group` is supplied ([#23308](hashicorp/terraform-provider-azurerm#23308 `azurerm_palo_alto_local_rulestack_prefix_list` - fix rulestack not being committed on delete ([#23362](hashicorp/terraform-provider-azurerm#23362 `azurerm_palo_alto_local_rulestack_fqdn_list` - fix rulestack not being committed on delete ([#23362](hashicorp/terraform-provider-azurerm#23362 `security_center_subscription_pricing_resource` - disabled extensions logic now works as expected ([#22997](https://github.com/hashicorp/terraform-provider-azurerm/issues/22997))



</pre> </details> <details> <summary>3.76.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.76.0
FEATURES:

* New Resource: `azurerm_security_center_storage_defender` ([#23242](hashicorp/terraform-provider-azurerm#23242 New Resource: `azurerm_spring_cloud_application_insights_application_performance_monitoring` ([#23107](https://github.com/hashicorp/terraform-provider-azurerm/issues/23107))

ENHANCEMENTS:

* provider: updating to build using Go `1.21.3` ([#23514](hashicorp/terraform-provider-azurerm#23514 provider: the `roll_instances_when_required` provider feature in the `virtual_machine_scale_set` block is now optional ([#22976](hashicorp/terraform-provider-azurerm#22976 dependencies: updating to `v0.20231012.1141427` of `github.com/hashicorp/go-azure-sdk` ([#23534](hashicorp/terraform-provider-azurerm#23534 Data Source: `azurerm_application_gateway` - support for `backend_http_settings`, `global`, `gateway_ip_configuration` and additional attributes ([#23318](hashicorp/terraform-provider-azurerm#23318 Data Source: `azurerm_network_service_tags` - export the `name` attribute ([#23382](hashicorp/terraform-provider-azurerm#23382 `azurerm_cosmosdb_postgresql_cluster` - add support for `sql_version` of `16` and `citus_version` of `12.1` ([#23476](hashicorp/terraform-provider-azurerm#23476 `azurerm_palo_alto_local_rulestack` - correctly normalize the `location` property ([#23483](hashicorp/terraform-provider-azurerm#23483 `azurerm_static_site` - add support for `app_settings` ([#23421](https://github.com/hashicorp/terraform-provider-azurerm/issues/23421))

BUG FIXES:

* `azurerm_automation_schedule` - fix a bug when updating `start_time` ([#23494](hashicorp/terraform-provider-azurerm#23494 `azurerm_eventhub` - remove ForceNew and check `partition_count` is not decreased ([#23499](hashicorp/terraform-provider-azurerm#23499 `azurerm_managed_lustre_file_system` - update validation for `storage_capacity_in_tb` according to `sku_name` in use ([#23428](hashicorp/terraform-provider-azurerm#23428 `azurerm_virtual_machine` - fix a crash when the API response for the `os_profile` block contains nil properties ([#23535](https://github.com/hashicorp/terraform-provider-azurerm/issues/23535))


</pre> </details> </details> </action> </Actions> --- <table> <tr> <td width="77"> <img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo" width="50" height="50"> </td> <td> <p> Created automatically by <a href="https://www.updatecli.io/">Updatecli</a> </p> <details><summary>Options:</summary> <br /> <p>Most of Updatecli configuration is done via <a href="https://www.updatecli.io/docs/prologue/quick-start/">its manifest(s)</a>.</p> <ul> <li>If you close this pull request, Updatecli will automatically reopen it, the next time it runs.</li> <li>If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.</li> </ul> <p> Feel free to report any issues at <a href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br /> If you find this tool useful, do not hesitate to star <a href="https://github.com/updatecli/updatecli/stargazers">our GitHub repository</a> as a sign of appreciation, and/or to tell us directly on our <a href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>! </p> </details> </td> </tr> </table> --------- Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com> Co-authored-by: Damien Duportal <damien.duportal@gmail.com>
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR adds a new property
key_vault_user_identity_id
toazurerm_container_group
to support CMK with user assigned identity.Fix #23305.