
Support for managed service identity #482

Merged (4 commits, Dec 4, 2017)

Conversation


@hbuckle hbuckle commented Nov 1, 2017

Adds the identity property to virtual machines so that managed service identity can be enabled:
https://docs.microsoft.com/en-us/azure/active-directory/msi-overview


@tombuildsstuff tombuildsstuff left a comment


Hey @hbuckle

Thanks for this PR - apologies for the delay reviewing this!

I've taken a look through and this looks really good - I've left two really minor comments for which I'll push a commit to fix (so that we can get this merged); but I'm going to kick off the tests now :)

Thanks!

Schema: map[string]*schema.Schema{
"type": {
Type: schema.TypeString,
Required: true,

it'd be good to add some validation (and a case-insensitive check) for this field, even if there's only one allowable value at this time:

ValidateFunc: validation.StringInSlice([]string{"SystemAssigned"}, true),
DiffSuppressFunc: ignoreCaseDiffSuppressFunc,

@@ -323,6 +324,36 @@ resource "azurerm_virtual_machine" "test" {
3. Contains a numeric digit
4. Contains a special character

`identity` supports the following:

* `type` - (Required) Specifies the identity type of the virtual machine. The only allowable value is `SystemAssigned`. To enable Managed Service Identity the ManagedIdentityExtension must also be added to the virtual machine. The Principal ID can be retrieved after the virtual machine has been created, e.g.
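Review bot: the `type` description ends at "e.g." without the retrieval example it promises; add the snippet that reads the principal ID back from the created resource, or drop the "e.g.". In the same sentence, set the extension name in backticks (`ManagedIdentityExtension`) and say that it is a separate VM extension rather than part of this block, otherwise readers will take the `identity` block alone as enough to enable MSI. Since the text states that `SystemAssigned` is the only allowable value, the schema should enforce exactly that with a case-insensitive ValidateFunc so the documentation and the validation agree.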

Minor: I think it'd be worth quoting the ManagedIdentityExtension extension name here

@hbuckle

hbuckle commented Nov 29, 2017

tweaks added

@gunzip

gunzip commented Nov 29, 2017

Does MSI work for App Service as well (other than virtual machines)?
What's the equivalent of "virtual_machine_name" in this case? Thank you for the hard work!

@hbuckle

hbuckle commented Nov 29, 2017

@gunzip This is only for virtual machines - I hadn't noticed it was available for app service as well. Once this gets merged I can open a new PR for app service as well

@@ -647,6 +675,10 @@ func resourceArmVirtualMachineRead(d *schema.ResourceData, meta interface{}) err
}
}

if resp.Identity != nil {
d.Set("identity", flattenAzureRmVirtualMachineIdentity(resp.Identity))
}
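Review bot: the `identity` field is only written when `resp.Identity != nil`, so a VM without an identity never has it set in state and every plan reports `identity.#: "" => "<computed>"` (the TestAccAzureRMVirtualMachine_tags failure reported below). Call d.Set("identity", ...) unconditionally, with flattenAzureRmVirtualMachineIdentity returning an empty list for a nil identity, and check the error d.Set returns instead of discarding it.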

apologies, I've just noticed I didn't post the output of the acceptance tests in here. After running the VM acceptance tests - the acceptance tests without this field specified currently fail:

```
------- Stdout: -------
=== RUN   TestAccAzureRMVirtualMachine_tags
--- FAIL: TestAccAzureRMVirtualMachine_tags (416.59s)
    testing.go:459: Step 0 error: After applying this step, the plan was not empty:

        DIFF:

        UPDATE: azurerm_virtual_machine.test
          identity.#: "" => "<computed>"

        STATE:
...
```

In order to work around this - the field needs to be set to an empty object when there's no Identity returned - as such I've pushed a commit to fix this
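The two review points in this thread, a case-insensitive check on the `type` field and writing an empty `identity` list when the API returns no identity, as an added example that is not code from the PR or from the provider: it stands in for the Terraform SDK and Azure SDK types with plain Go so it runs stand-alone. `VirtualMachineIdentity`, `validateIdentityType`, `ignoreCaseDiffSuppress` and `flattenVirtualMachineIdentity` are assumed names, and the principal ID in `main` is a constructed placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// VirtualMachineIdentity stands in for the Azure SDK's identity object
// (assumed shape for this example): pointer fields, because the API omits
// them when the VM has no identity assigned.
type VirtualMachineIdentity struct {
	Type        *string
	PrincipalID *string
}

// allowedIdentityTypes is the accepted set for the `type` field. Only one
// value exists at the time of the PR, but the check is still worth having so
// a typo fails at plan time instead of at the API.
var allowedIdentityTypes = []string{"SystemAssigned"}

// validateIdentityType is the case-insensitive StringInSlice check the
// reviewer asked for, in the shape of a Terraform ValidateFunc:
// func(value interface{}, key string) (warnings []string, errors []error).
func validateIdentityType(v interface{}, k string) ([]string, []error) {
	s, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("expected %q to be a string, got %T", k, v)}
	}
	for _, allowed := range allowedIdentityTypes {
		if strings.EqualFold(s, allowed) {
			return nil, nil
		}
	}
	return nil, []error{fmt.Errorf("%q must be one of %v, got %q", k, allowedIdentityTypes, s)}
}

// ignoreCaseDiffSuppress plays the role of a DiffSuppressFunc: Azure
// canonicalises the type to "SystemAssigned", so a config written as
// "systemassigned" must not show a diff on every plan.
func ignoreCaseDiffSuppress(k, oldValue, newValue string) bool {
	return strings.EqualFold(oldValue, newValue)
}

// flattenVirtualMachineIdentity turns the API object into the list-of-maps
// shape Terraform keeps for a block. It always returns a non-nil slice: an
// empty one when there is no identity, so Read can set the field
// unconditionally and state records "0 identity blocks" rather than leaving
// the field unset, which is what produced the
// `identity.#: "" => "<computed>"` plan in the failing test.
func flattenVirtualMachineIdentity(identity *VirtualMachineIdentity) []interface{} {
	result := make([]interface{}, 0, 1)
	if identity == nil {
		return result
	}
	m := map[string]interface{}{}
	if identity.Type != nil {
		m["type"] = *identity.Type
	}
	if identity.PrincipalID != nil {
		m["principal_id"] = *identity.PrincipalID
	}
	return append(result, m)
}

func main() {
	// A VM with no identity: the flattened value is an empty list, not nil.
	fmt.Printf("no identity -> %d block(s)\n", len(flattenVirtualMachineIdentity(nil)))

	// A VM with a system-assigned identity; the principal ID is a constructed placeholder.
	typ := "SystemAssigned"
	pid := "00000000-0000-0000-0000-000000000000"
	fmt.Println(flattenVirtualMachineIdentity(&VirtualMachineIdentity{Type: &typ, PrincipalID: &pid}))

	// The validator accepts any casing of the one allowed value and rejects the rest.
	for _, candidate := range []string{"SystemAssigned", "systemassigned", "UserAssigned"} {
		_, errs := validateIdentityType(candidate, "type")
		fmt.Printf("validate %q -> %d error(s)\n", candidate, len(errs))
	}
}
```

The important property is in `flattenVirtualMachineIdentity`: a nil identity yields an empty, non-nil list, so the Read path can write the field every time and the acceptance test that sets no `identity` block converges to an empty plan.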


I've re-run all the VM tests and this now looks good - apologies for the delayed re-review here!

@tombuildsstuff

I've re-run the VM acceptance tests and these now pass:

(screenshot: VM acceptance test output, 2017-12-04 11:43)

@tombuildsstuff tombuildsstuff merged commit a9a362d into hashicorp:master Dec 4, 2017
@tombuildsstuff

@hbuckle apologies for the delay in re-reviewing this - but thanks for this PR this LGTM :)

tombuildsstuff added a commit that referenced this pull request Dec 4, 2017
sebastus added a commit to sebastus/terraform-provider-azurerm that referenced this pull request Dec 8, 2017
* Provision sample for ASP.NET on azure_rm_app_service

* Added vnet datasource

* add identity property to vm

* refactor, tests and docs

* added vnet_peering

* changing to TypeMap

* Updating the Provider block

* Variable consistency and removing unused variables

* Changed to azure_virtual_network, added crash control and added documentation.

* vmss: Support for updating the customData field

Fixes hashicorp#61
Fixes hashicorp#490

* Updating to include hashicorp#559

* Support for Auto Inflating

```
$ acctests azurerm TestAccAzureRMEventHubNamespace_maximumThroughputUnits
=== RUN   TestAccAzureRMEventHubNamespace_maximumThroughputUnits
--- PASS: TestAccAzureRMEventHubNamespace_maximumThroughputUnits (202.41s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    202.432s
```

* New Resource: `azurerm_network_watcher`

```
$ acctests azurerm TestAccAzureRMNetworkWatcher_
=== RUN   TestAccAzureRMNetworkWatcher_importBasic
--- PASS: TestAccAzureRMNetworkWatcher_importBasic (75.79s)
=== RUN   TestAccAzureRMNetworkWatcher_importComplete
--- PASS: TestAccAzureRMNetworkWatcher_importComplete (69.85s)
=== RUN   TestAccAzureRMNetworkWatcher_basic
--- PASS: TestAccAzureRMNetworkWatcher_basic (69.62s)
=== RUN   TestAccAzureRMNetworkWatcher_complete
--- PASS: TestAccAzureRMNetworkWatcher_complete (72.16s)
=== RUN   TestAccAzureRMNetworkWatcher_update
--- PASS: TestAccAzureRMNetworkWatcher_update (81.75s)
=== RUN   TestAccAzureRMNetworkWatcher_disappears
--- PASS: TestAccAzureRMNetworkWatcher_disappears (94.38s)
PASS
ok
```

* Updating to include hashicorp#569

* Hotfix: upgrade packages under go-autorest to be v9.4.1.

Integrate with the latest version of go-autorest to read access tokens through a new way
customized through an environment variable. The old behavior on local shell will be kept.

Notice: for Azure Cloud Shell user, please make sure that they're using latest patched
provider.

* Vendoring the Locks SDK

* New Resource: `azurerm_management_lock`

Note: As the Subscription specific Locks will break other tests; these tests need to be run individually.
As such I've introduced the `TF_ACC_SUBSCRIPTION_PARALLEL_LOCK`  environment variable for this purpose.

Tests pass:

```
$ TF_ACC_SUBSCRIPTION_PARALLEL_LOCK=1 acctests azurerm TestAccAzureRMManagementLock_
=== RUN   TestAccAzureRMManagementLock_importResourceGroupReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_importResourceGroupReadOnlyBasic (61.52s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupReadOnlyComplete
--- PASS: TestAccAzureRMManagementLock_importResourceGroupReadOnlyComplete (58.75s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteBasic (53.38s)
=== RUN   TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteComplete
--- PASS: TestAccAzureRMManagementLock_importResourceGroupCanNotDeleteComplete (46.87s)
=== RUN   TestAccAzureRMManagementLock_importPublicIPCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_importPublicIPCanNotDeleteBasic (80.46s)
=== RUN   TestAccAzureRMManagementLock_importPublicIPReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_importPublicIPReadOnlyBasic (68.53s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_resourceGroupReadOnlyBasic (61.24s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupReadOnlyComplete
--- PASS: TestAccAzureRMManagementLock_resourceGroupReadOnlyComplete (64.10s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_resourceGroupCanNotDeleteBasic (72.49s)
=== RUN   TestAccAzureRMManagementLock_resourceGroupCanNotDeleteComplete
--- PASS: TestAccAzureRMManagementLock_resourceGroupCanNotDeleteComplete (113.71s)
=== RUN   TestAccAzureRMManagementLock_publicIPReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_publicIPReadOnlyBasic (64.05s)
=== RUN   TestAccAzureRMManagementLock_publicIPCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_publicIPCanNotDeleteBasic (94.53s)
=== RUN   TestAccAzureRMManagementLock_subscriptionReadOnlyBasic
--- PASS: TestAccAzureRMManagementLock_subscriptionReadOnlyBasic (17.98s)
=== RUN   TestAccAzureRMManagementLock_subscriptionCanNotDeleteBasic
--- PASS: TestAccAzureRMManagementLock_subscriptionCanNotDeleteBasic (15.20s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    872.839s
```

Fixes hashicorp#23

* Updating to include hashicorp#573

* Updating to include hashicorp#571

* Adding validation for the locks name

Tests:
```
$ acctests azurerm TestValidateManagementLockName
=== RUN   TestValidateManagementLockName
--- PASS: TestValidateManagementLockName (0.00s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    0.020s
```

* Linting

* Updating to include hashicorp#575

* Updating the changelog for consistency

* removed tabs, used spaces

* add test for issue hashicorp#450

* Updated the way user agent string gets assigned.

* Changed code to make it more readable.

* pr tweaks

* Avoid out of index errors when flattening image data disks.

* Updating to include hashicorp#587

* Updating to include hashicorp#589

* Conditional loading of the Subscription ID / Tenant ID / Environment

* Refactoring the provider block to support determining the TenantID/Environment from the SubscriptionID

Splitting out the authentication logic into a helpers folder
Also adding unit tests for these - which pass:

```
$ go test . -v
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidDate
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidDate (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_Expired
2017/11/30 15:02:01 [DEBUG] Token "7cabcf30-8dca-43f9-91e6-fd56dfb8632f" has expired
--- PASS: TestAzureFindValidAccessTokenForTenant_Expired (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ExpiringIn
--- PASS: TestAzureFindValidAccessTokenForTenant_ExpiringIn (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain
2017/11/30 15:02:01 [DEBUG] Resource "https://portal.azure.com/" isn't a management domain
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_DifferentTenant
2017/11/30 15:02:01 [DEBUG] Resource "https://management.core.windows.net/" isn't for the correct Tenant
--- PASS: TestAzureFindValidAccessTokenForTenant_DifferentTenant (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_NoTokens
--- PASS: TestAzureFindValidAccessTokenForTenant_NoTokens (0.00s)
=== RUN   TestAzureCLIProfileFindDefaultSubscription
--- PASS: TestAzureCLIProfileFindDefaultSubscription (0.00s)
=== RUN   TestAzureCLIProfileFindSubscription
--- PASS: TestAzureCLIProfileFindSubscription (0.00s)
=== RUN   TestAzurePopulateSubscriptionFromCLIProfile_Missing
--- PASS: TestAzurePopulateSubscriptionFromCLIProfile_Missing (0.00s)
=== RUN   TestAzurePopulateSubscriptionFromCLIProfile_NoDefault
--- PASS: TestAzurePopulateSubscriptionFromCLIProfile_NoDefault (0.00s)
=== RUN   TestAzurePopulateSubscriptionFromCLIProfile_Default
--- PASS: TestAzurePopulateSubscriptionFromCLIProfile_Default (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Empty
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Empty (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_MissingSubscription
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_MissingSubscription (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateEnvironment
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateEnvironment (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_NormaliseAndPopulateEnvironment
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_NormaliseAndPopulateEnvironment (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateTenantId
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_PopulateTenantId (0.00s)
=== RUN   TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Complete
--- PASS: TestAzurePopulateTenantAndEnvironmentFromCLIProfile_Complete (0.00s)
=== RUN   TestAzurePopulateFromAccessToken_Missing
--- PASS: TestAzurePopulateFromAccessToken_Missing (0.00s)
=== RUN   TestAzurePopulateFromAccessToken_Exists
--- PASS: TestAzurePopulateFromAccessToken_Exists (0.00s)
=== RUN   TestAzureEnvironmentNames
--- PASS: TestAzureEnvironmentNames (0.00s)
=== RUN   TestAzureValidateBearerAuth
--- PASS: TestAzureValidateBearerAuth (0.00s)
=== RUN   TestAzureValidateServicePrincipal
--- PASS: TestAzureValidateServicePrincipal (0.00s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/authentication    0.012s
```

* Fixing the build

* Remove the field marked as "Removed" according to hashicorp#572.

* Upgrading to v11.2.2-beta of the Azure SDK for Go

* Updating to include hashicorp#593

* Fixing the Management Lock validation

* Adding a default value for the identity field

* Updating to include hashicorp#482

* Updating to include hashicorp#574

* Adding settings to the hash

Test passes:

```
$ acctests azurerm TestAccAzureRMVirtualMachineScaleSet_extensionUpdate
=== RUN   TestAccAzureRMVirtualMachineScaleSet_extensionUpdate
--- PASS: TestAccAzureRMVirtualMachineScaleSet_extensionUpdate (593.13s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    593.153s
```

* Updating to include hashicorp#609

* Local Network Gateways: support for BGP Settings

```
$ acctests azurerm TestAccAzureRMLocalNetworkGateway_
=== RUN   TestAccAzureRMLocalNetworkGateway_importBasic
--- PASS: TestAccAzureRMLocalNetworkGateway_importBasic (82.23s)
=== RUN   TestAccAzureRMLocalNetworkGateway_basic
--- PASS: TestAccAzureRMLocalNetworkGateway_basic (81.29s)
=== RUN   TestAccAzureRMLocalNetworkGateway_disappears
--- PASS: TestAccAzureRMLocalNetworkGateway_disappears (79.17s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettings
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettings (78.70s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettingsDisable
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettingsDisable (96.18s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettingsEnable
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettingsEnable (97.39s)
=== RUN   TestAccAzureRMLocalNetworkGateway_bgpSettingsComplete
--- PASS: TestAccAzureRMLocalNetworkGateway_bgpSettingsComplete (79.68s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    594.680s
```

* Refactoring

* Adding an import test for BGP Settings:

```
$ acctests azurerm TestAccAzureRMLocalNetworkGateway_importBGPSettingsComplete
=== RUN   TestAccAzureRMLocalNetworkGateway_importBGPSettingsComplete
--- PASS: TestAccAzureRMLocalNetworkGateway_importBGPSettingsComplete (80.96s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm    80.987s
```

* Splitting the data source out into its own step

* Minor refactoring

* Updating to include hashicorp#533

* Exporting the Default Hostname field

* Updating the App Service example to be complete

This removes support for Publishing, since the SCM URLs aren't consistent across Sovereign Clouds (China/Germany/Govt etc)
Switches to using the new `default_site_hostname` field introduced in hashicorp#612 rather than assuming what it is

* Updating to include hashicorp#594

* Updating to include hashicorp#611

* Updating to include hashicorp#612

* Remove leading line break from key_vault_key docs

Leading line break causes page metadata to be ignored.
@pixelicous

pixelicous commented Feb 7, 2018

Can we add this support for Key Vaults as well?
Or the support to actually create a managed service identity?

@ghost

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020