Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_container_group - Supports CMK with user assigned identity #23332

Merged
merged 2 commits into from
Sep 21, 2023

Conversation

magodo
Copy link
Collaborator

@magodo magodo commented Sep 20, 2023

This PR adds a new property key_vault_user_identity_id to azurerm_container_group to support CMK with user assigned identity.

Fix #23305.

Copy link
Member

@stephybun stephybun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this @magodo. I left a few suggestions in-line. Could you please take a look at them? Thanks!

if kvProps.Identity != nil {
uai = *kvProps.Identity
}
d.Set("key_vault_user_identity_id", uai)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can become

Suggested change
d.Set("key_vault_user_identity_id", uai)
d.Set("key_vault_user_identity_id", pointer.From(kvProps.Identity))

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I'll change it.

@@ -99,6 +99,8 @@ The following arguments are supported:

* `key_vault_key_id` - (Optional) The Key Vault key URI for CMK encryption. Changing this forces a new resource to be created.

* `key_vault_user_identity_id` - (Optional) The user assigned identity that has access to the Key Vault Key. If not specified, the RP principal named "Azure Container Instance Service" will be used instead. Make sure the identity has the proper `key_permissions` set, at least with `Get`, `UnwrapKey`, `WrapKey` and `GetRotationPolicy`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ordering of the sentences here is a little confusing, are the key_permissions that are needed for the RP Principal or for key_vault_user_identity_id? Or both?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be both identities.

@@ -553,6 +553,12 @@ func resourceContainerGroup() *pluginsdk.Resource {
ForceNew: true,
ValidateFunc: keyVaultValidate.NestedItemId,
},

"key_vault_user_identity_id": {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently the identity properties for CMK are inconsistent across the provider, some are called identity_id, primary_user_assigned_identity_id or user_assigned_identity_id. We might want to consider standardising these for the next major release and having a commonschema for them like we do for identities.

All this to say, I think for the time being this might benefit from being called key_vault_user_assigned_identity_id since it's clear at first glance what type of ID it is and is also closer to what we currently have in the provider.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed.

@magodo
Copy link
Collaborator Author

magodo commented Sep 21, 2023

@stephybun Thank you for the review! I've changed the code per your comment, please take another look!

Copy link
Member

@stephybun stephybun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this @magodo LGTM 💯

@stephybun stephybun merged commit 62d0259 into hashicorp:main Sep 21, 2023
@github-actions github-actions bot added this to the v3.74.0 milestone Sep 21, 2023
stephybun added a commit that referenced this pull request Sep 21, 2023
dduportal pushed a commit to jenkins-infra/azure that referenced this pull request Sep 23, 2023
<Actions>
<action
id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>&#34;hashicorp/azurerm&#34; updated from &#34;3.73.0&#34; to
&#34;3.74.0&#34; in file &#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.74.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.74.0&#xA;NOTES:&#xA;&#xA;*
`azurerm_synapse_sql_pool` - users that have imported
`azurerm_synapse_sql_pool` resources that were created outside of
Terraform using an `LRS` storage account type will need to use
`ignore_changes` to avoid the resource from being destroyed and
recreated.&#xA;&#xA;FEATURES:&#xA;&#xA;* **New Resource**:
`azurerm_arc_resource_bridge_appliance`
([#23108](hashicorp/terraform-provider-azurerm#23108
**New Resource**: `azurerm_data_factory_dataset_azure_sql_table`
([#23264](hashicorp/terraform-provider-azurerm#23264
**New Resource**: `azurerm_function_app_connection`
([#23127](https://github.com/hashicorp/terraform-provider-azurerm/issues/23127))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
dependencies: updating to `v0.20230918.1115907` of
`github.com/hashicorp/go-azure-sdk`
([#23337](hashicorp/terraform-provider-azurerm#23337
dependencies: downgrading to `v1.12.5` of `github.com/rickb777/date`
([#23296](hashicorp/terraform-provider-azurerm#23296
`mysql`: updating to use API Version `2022-01-01`
([#23320](hashicorp/terraform-provider-azurerm#23320
`azurerm_app_configuration` - support for the `replica` block
([#22452](hashicorp/terraform-provider-azurerm#22452
`azurerm_bot_channel_directline` - support for `user_upload_enabled`,
`endpoint_parameters_enabled`, and `storage_enabled`
([#23149](hashicorp/terraform-provider-azurerm#23149
`azurerm_container_app` - support for scale rules
([#23294](hashicorp/terraform-provider-azurerm#23294
`azurerm_container_app_environment` - support for zone redundancy
([#23313](hashicorp/terraform-provider-azurerm#23313
`azurerm_container_group` - support for the `key_vault_user_identity_id`
property for Customer Managed Keys
([#23332](hashicorp/terraform-provider-azurerm#23332
`azurerm_cosmosdb_account` - support for MongoDB connection strings
([#23331](hashicorp/terraform-provider-azurerm#23331
`azurerm_data_factory_dataset_delimited_text` - support for the
`dynamic_file_system_enabled`, `dynamic_path_enabled`, and
`dynamic_filename_enabled` properties
([#23261](hashicorp/terraform-provider-azurerm#23261
`azurerm_data_factory_dataset_parquet` - support for the
`azure_blob_fs_location` block
([#23261](hashicorp/terraform-provider-azurerm#23261
`azurerm_monitor_diagnostic_setting` - validation to ensure either
`category` or `category_group` are supplied in `enabled_log` and `log`
blocks
([#23308](hashicorp/terraform-provider-azurerm#23308
`azurerm_network_interface` - support for the `auxiliary_mode` and
`auxiliary_sku` properties
([#22979](hashicorp/terraform-provider-azurerm#22979
`azurerm_postgresql_flexible_server` - increased the maximum supported
value for `storage_mb`
([#23277](hashicorp/terraform-provider-azurerm#23277
`azurerm_shared_image_version` - support for the
`replicated_region_deletion_enabled` and
`target_region.exclude_from_latest_enabled` properties
([#23147](hashicorp/terraform-provider-azurerm#23147
`azurerm_storage_account` - support for setting `domain_name` and
`domain_guid` for `AADKERB`
([#22833](hashicorp/terraform-provider-azurerm#22833
`azurerm_storage_account_customer_managed_key` - support for
cross-tenant customer-managed keys with the
`federated_identity_client_id`, and `key_vault_uri` properties
([#20356](hashicorp/terraform-provider-azurerm#20356
`azurerm_web_application_firewall_policy` - support for the
`rate_limit_duration`, `rate_limit_threshold`, `group_rate_limit_by`,
and `request_body_inspect_limit_in_kb` properties
([#23239](https://github.com/hashicorp/terraform-provider-azurerm/issues/23239))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* Data Source: `azurerm_container_app_environment`: fix
`log_analytics_workspace_name` output to correct value
([#23298](hashicorp/terraform-provider-azurerm#23298
`azurerm_api_management_api` - set the `service_url` property when
importing the resource
([#23011](hashicorp/terraform-provider-azurerm#23011
`azurerm_app_configuration` - prevent crash by nil checking the
encryption configuration
([#23302](hashicorp/terraform-provider-azurerm#23302
`azurerm_app_configuration_feature` - update `percentage_filter_value`
to accept correct type of float
([#23263](hashicorp/terraform-provider-azurerm#23263
`azurerm_container_app` - fix an issue with `commands` and `args` being
overwritten when using multiple containers
([#23338](hashicorp/terraform-provider-azurerm#23338
`azurerm_key_vault_certificate` - fix issue where certificates
couldn&#39;t be recovered anymore
([#23204](hashicorp/terraform-provider-azurerm#23204
`azurerm_key_vault_key` - the ForceNew when `expiration_date` is removed
from the config file
([#23327](hashicorp/terraform-provider-azurerm#23327
`azurerm_linux_function_app` - fix a bug in setting the storage settings
when using Elastic Premium plans
([#21212](hashicorp/terraform-provider-azurerm#21212
`azurerm_linux_web_app` - fix docker app stack update
([#23303](hashicorp/terraform-provider-azurerm#23303
`azurerm_linux_web_app` - fix crash in auto heal expansion
([#21328](hashicorp/terraform-provider-azurerm#21328
`azurerm_linux_web_app_slot` - fix docker app stack update
([#23303](hashicorp/terraform-provider-azurerm#23303
`azurerm_linux_web_app_slot` - fix crash in auto heal expansion
([#21328](hashicorp/terraform-provider-azurerm#21328
`azurerm_log_analytics_solution` - fix bug where the resource wasn&#39;t
handling successful creation on subsequent applies
([#23312](hashicorp/terraform-provider-azurerm#23312
`azurerm_management_group_subscription_association` - fix bug to
correctly mark resource as gone if not found during read
([#23335](hashicorp/terraform-provider-azurerm#23335
`azurerm_mssql_elasticpool` - remove check that prevents `license_type`
from being set for certain skus
([#23262](hashicorp/terraform-provider-azurerm#23262
`azurerm_servicebus_queue` - fixing an issue where `auto_delete_on_idle`
couldn&#39;t be set to `P10675199DT2H48M5.4775807S`
([#23296](hashicorp/terraform-provider-azurerm#23296
`azurerm_servicebus_topic` - fixing an issue where `auto_delete_on_idle`
couldn&#39;t be set to `P10675199DT2H48M5.4775807S`
([#23296](hashicorp/terraform-provider-azurerm#23296
`azurerm_storage_account` - prevent sending unsupported blob properties
in payload for `Storage` account kind
([#23288](hashicorp/terraform-provider-azurerm#23288
`azurerm_synapse_sql_pool` - expose `storage_account_type`
([#23217](hashicorp/terraform-provider-azurerm#23217
`azurerm_windows_function_app` - fix a bug in setting the storage
settings when using Elastic Premium plans
([#21212](hashicorp/terraform-provider-azurerm#21212
`azurerm_windows_web_app` - fix docker app stack update
([#23303](hashicorp/terraform-provider-azurerm#23303
`azurerm_windows_web_app_slot` - fix docker app stack update
([#23303](https://github.com/hashicorp/terraform-provider-azurerm/issues/23303))&#xA;&#xA;DEPRECATIONS:&#xA;&#xA;*
`azurerm_application_gateway` - deprecate `Standard` and `WAF` skus
([#23310](hashicorp/terraform-provider-azurerm#23310
`azurerm_bot_channel_web_chat` - deprecate `site_names` in favour of
`site` block
([#23161](hashicorp/terraform-provider-azurerm#23161
`azurerm_monitor_diagnostic_setting` - deprecate `retention_policy` in
favour of `azurerm_storage_management_policy`
([#23260](https://github.com/hashicorp/terraform-provider-azurerm/issues/23260))&#xA;&#xA;&#xA;</pre>
            </details>
        </details>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
dduportal added a commit to jenkins-infra/azure that referenced this pull request Oct 16, 2023
<Actions>
<action
id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>&#34;hashicorp/azurerm&#34; updated from &#34;3.74.0&#34; to
&#34;3.75.0&#34; in file &#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.75.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.75.0&#xA;FEATURES:&#xA;&#xA;*
New Resource: `azurerm_application_load_balancer`
([#22517](hashicorp/terraform-provider-azurerm#22517
New Resource: `azurerm_resource_management_private_link`
([#23098](https://github.com/hashicorp/terraform-provider-azurerm/issues/23098))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
dependencies: `firewall` migrated to `hashicorp/go-azure-sdk`
([#22863](hashicorp/terraform-provider-azurerm#22863
`azurerm_bot_service_azure_bot` - add support for the `icon_url`
property
([#23114](hashicorp/terraform-provider-azurerm#23114
`azurerm_cognitive_deployment` - `capacity` property is now updateable
([#23251](hashicorp/terraform-provider-azurerm#23251
`azurerm_container_group` - added support for
`key_vault_user_identity_id`
([#23332](hashicorp/terraform-provider-azurerm#23332
`azurerm_data_factory` - added support for the `publish_enabled`
property
([#2334](hashicorp/terraform-provider-azurerm#2334
`azurerm_firewall_policy_rule_collection_group` - add support for the
`description` property
([#23354](hashicorp/terraform-provider-azurerm#23354
`azurerm_kubernetes_cluster` - `network_profile.network_policy` can be
migrated to `cilium`
([#23342](hashicorp/terraform-provider-azurerm#23342
`azurerm_log_analytics_workspace` - add support for the
`data_collection_rule_id` property
([#23347](hashicorp/terraform-provider-azurerm#23347
`azurerm_mysql_flexible_server` - add support for the
`io_scaling_enabled` property
([#23329](https://github.com/hashicorp/terraform-provider-azurerm/issues/23329))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* `azurerm_api_management_api` - fix importing `openapi`
format content file issue
([#23348](hashicorp/terraform-provider-azurerm#23348
`azurerm_cdn_frontdoor_rule` - allow a `cache_duration` of `00:00:00`
([#23384](hashicorp/terraform-provider-azurerm#23384
`azurerm_cosmosdb_cassandra_datacenter` - `sku_name` is now updatable
([#23419](hashicorp/terraform-provider-azurerm#23419
`azurerm_key_vault_certificate` - fix a bug that prevented soft-deleted
certificates from being recovered
([#23204](hashicorp/terraform-provider-azurerm#23204
`azurerm_log_analytics_solution` - fix create and update lifecycle of
resource by splitting methods
([#23333](hashicorp/terraform-provider-azurerm#23333
`azurerm_management_group_subscription_association` - mark resource as
gone correctly if not found when retrieving
([#23335](hashicorp/terraform-provider-azurerm#23335
`azurerm_management_lock` - add polling after create and delete to check
for RP propagation
([#23345](hashicorp/terraform-provider-azurerm#23345
`azurerm_monitor_diagnostic_setting` - added validation to ensure at
least one of `category` or `category_group` is supplied
([#23308](hashicorp/terraform-provider-azurerm#23308
`azurerm_palo_alto_local_rulestack_prefix_list` - fix rulestack not
being committed on delete
([#23362](hashicorp/terraform-provider-azurerm#23362
`azurerm_palo_alto_local_rulestack_fqdn_list` - fix rulestack not being
committed on delete
([#23362](hashicorp/terraform-provider-azurerm#23362
`security_center_subscription_pricing_resource` - disabled extensions
logic now works as expected
([#22997](https://github.com/hashicorp/terraform-provider-azurerm/issues/22997))&#xA;&#xA;&#xA;&#xA;</pre>
            </details>
            <details>
                <summary>3.76.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.76.0&#xA;FEATURES:&#xA;&#xA;*
New Resource: `azurerm_security_center_storage_defender`
([#23242](hashicorp/terraform-provider-azurerm#23242
New Resource:
`azurerm_spring_cloud_application_insights_application_performance_monitoring`
([#23107](https://github.com/hashicorp/terraform-provider-azurerm/issues/23107))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
provider: updating to build using Go `1.21.3`
([#23514](hashicorp/terraform-provider-azurerm#23514
provider: the `roll_instances_when_required` provider feature in the
`virtual_machine_scale_set` block is now optional
([#22976](hashicorp/terraform-provider-azurerm#22976
dependencies: updating to `v0.20231012.1141427` of
`github.com/hashicorp/go-azure-sdk`
([#23534](hashicorp/terraform-provider-azurerm#23534
Data Source: `azurerm_application_gateway` - support for
`backend_http_settings`, `global`, `gateway_ip_configuration` and
additional attributes
([#23318](hashicorp/terraform-provider-azurerm#23318
Data Source: `azurerm_network_service_tags` - export the `name`
attribute
([#23382](hashicorp/terraform-provider-azurerm#23382
`azurerm_cosmosdb_postgresql_cluster` - add support for `sql_version` of
`16` and `citus_version` of `12.1`
([#23476](hashicorp/terraform-provider-azurerm#23476
`azurerm_palo_alto_local_rulestack` - correctly normalize the `location`
property
([#23483](hashicorp/terraform-provider-azurerm#23483
`azurerm_static_site` - add support for `app_settings`
([#23421](https://github.com/hashicorp/terraform-provider-azurerm/issues/23421))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* `azurerm_automation_schedule` - fix a bug when
updating `start_time`
([#23494](hashicorp/terraform-provider-azurerm#23494
`azurerm_eventhub` - remove ForceNew and check `partition_count` is not
decreased
([#23499](hashicorp/terraform-provider-azurerm#23499
`azurerm_managed_lustre_file_system` - update validation for
`storage_capacity_in_tb` according to `sku_name` in use
([#23428](hashicorp/terraform-provider-azurerm#23428
`azurerm_virtual_machine` - fix a crash when the API response for the
`os_profile` block contains nil properties
([#23535](https://github.com/hashicorp/terraform-provider-azurerm/issues/23535))&#xA;&#xA;&#xA;</pre>
            </details>
        </details>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

---------

Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
Co-authored-by: Damien Duportal <damien.duportal@gmail.com>
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Error when deploying azurerm_container_group with CMK using key_vault_key_id setting
2 participants