Enhancement: azurerm_key_vault: Add support for soft delete, purge protection, and purge on destroy

azurerm/helpers/azure/key_vault.go

@@ -3,8 +3,10 @@ package azure
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2018-02-14/keyvault"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
 )
 
@@ -118,3 +120,46 @@ func KeyVaultExists(ctx context.Context, client *keyvault.VaultsClient, keyVault
 
 	return true, nil
 }
+
+func KeyVaultCustomizeDiff(d *schema.ResourceDiff, _ interface{}) error {
+	if d.HasChange("soft_delete_enabled") {
+		if old, new := d.GetChange("soft_delete_enabled"); old.(bool) && !new.(bool) {
+			return fmt.Errorf("the property 'soft_delete_enabled' cannot be set to false, enabling the soft delete for a vault is an irreversible action")
+		}
+	}
+
+	if d.HasChange("purge_protection_enabled") {
+		if old, new := d.GetChange("purge_protection_enabled"); old.(bool) && !new.(bool) {
+			return fmt.Errorf("the property 'purge_protection_enabled' cannot be set to false, enabling the purge protection for a vault is an irreversible action")
+		}
+	}
+
+	return nil
+}
+
+func KeyVaultGetSoftDeletedState(ctx context.Context, client *keyvault.VaultsClient, name string, location string) (deleteDate interface{}, purgeDate interface{}, err error) {
+	softDel, err := client.GetDeleted(ctx, name, location)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to get soft delete state information: %+v", err)
+	}
+
+	// the logic is this way because the GetDeleted call will return an existing key vault
+	// that is not soft deleted, but the Deleted Vault properties will be nil
+	if props := softDel.Properties; props != nil {
+		var delDate interface{}
+		var purgeDate interface{}
+
+		if dd := props.DeletionDate; dd != nil {
+			delDate = (*dd).Format(time.RFC3339)
+		}
+		if pg := props.ScheduledPurgeDate; pg != nil {
+			purgeDate = (*pg).Format(time.RFC3339)
+		}
+		if delDate != nil && purgeDate != nil {
+			return delDate, purgeDate, nil
+		}
+	}
+
+	// this means we found an existing key vault that is not soft deleted
+	return nil, nil, nil
+}

azurerm/helpers/validate/bool.go

@@ -0,0 +1,23 @@
+package validate
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func BoolIsTrue() schema.SchemaValidateFunc {
+	return func(i interface{}, k string) (_ []string, errors []error) {
+		v, ok := i.(bool)
+		if !ok {
+			errors = append(errors, fmt.Errorf("expected type of %q to be bool", k))
+			return
+		}
+
+		if !v {
+			errors = append(errors, fmt.Errorf("%q can only be set to true, if not required remove key", k))
+			return
+		}
+		return
+	}
+}

azurerm/helpers/validate/bool_test.go

@@ -0,0 +1,35 @@
+package validate
+
+import "testing"
+
+func TestBoolIsTrue(t *testing.T) {
+	testCases := []struct {
+		Value           bool
+		ShouldHaveError bool
+	}{
+		{
+			Value:           true,
+			ShouldHaveError: false,
+		}, {
+			Value:           false,
+			ShouldHaveError: true,
+		},
+	}
+
+	t.Run("TestBoolIsTrue", func(t *testing.T) {
+		for _, value := range testCases {
+			_, errors := BoolIsTrue()(value.Value, "dummy")
+			hasErrors := len(errors) > 0
+
+			if value.ShouldHaveError && !hasErrors {
+				t.Fatalf("Expected an error but didn't get one for %t", value.Value)
+				return
+			}
+
+			if !value.ShouldHaveError && hasErrors {
+				t.Fatalf("Expected %t to return no errors, but got some %+v", value.Value, errors)
+				return
+			}
+		}
+	})
+}

azurerm/internal/features/user_flags.go

@@ -3,6 +3,7 @@ package features
 type UserFeatures struct {
 	VirtualMachine         VirtualMachineFeatures
 	VirtualMachineScaleSet VirtualMachineScaleSetFeatures
+	KeyVault               KeyVaultFeatures
 }
 
 type VirtualMachineFeatures struct {
@@ -12,3 +13,7 @@ type VirtualMachineFeatures struct {
 type VirtualMachineScaleSetFeatures struct {
 	RollInstancesWhenRequired bool
 }
+
+type KeyVaultFeatures struct {
+	PurgeSoftDeleteOnDestroy bool
+}

azurerm/internal/provider/features.go

@@ -36,6 +36,20 @@ func schemaFeatures() *schema.Schema {
 				},
 			},
 		},
+
+		"key_vault": {
+			Type:     schema.TypeList,
+			Optional: true,
+			MaxItems: 1,
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"purge_soft_delete_on_destroy": {
+						Type:     schema.TypeBool,
+						Required: true,
+					},
+				},
+			},
+		},
 	}
 
 	runningAcceptanceTests := os.Getenv("TF_ACC") != ""
@@ -70,6 +84,9 @@ func expandFeatures(input []interface{}) features.UserFeatures {
 		VirtualMachineScaleSet: features.VirtualMachineScaleSetFeatures{
 			RollInstancesWhenRequired: true,
 		},
+		KeyVault: features.KeyVaultFeatures{
+			PurgeSoftDeleteOnDestroy: true,
+		},
 	}
 
 	if len(input) == 0 || input[0] == nil {
@@ -98,5 +115,15 @@ func expandFeatures(input []interface{}) features.UserFeatures {
 		}
 	}
 
+	if raw, ok := val["key_vault"]; ok {
+		items := raw.([]interface{})
+		if len(items) > 0 {
+			keyVaultRaw := items[0].(map[string]interface{})
+			if v, ok := keyVaultRaw["purge_soft_delete_on_destroy"]; ok {
+				features.KeyVault.PurgeSoftDeleteOnDestroy = v.(bool)
+			}
+		}
+	}
+
 	return features
 }

azurerm/internal/provider/features_test.go

@@ -24,10 +24,13 @@ func TestExpandFeatures(t *testing.T) {
 				VirtualMachineScaleSet: features.VirtualMachineScaleSetFeatures{
 					RollInstancesWhenRequired: true,
 				},
+				KeyVault: features.KeyVaultFeatures{
+					PurgeSoftDeleteOnDestroy: true,
+				},
 			},
 		},
 		{
-			Name: "Complete",
+			Name: "Complete Enabled",
 			Input: []interface{}{
 				map[string]interface{}{
 					"virtual_machine": []interface{}{
@@ -40,6 +43,11 @@ func TestExpandFeatures(t *testing.T) {
 							"roll_instances_when_required": true,
 						},
 					},
+					"key_vault": []interface{}{
+						map[string]interface{}{
+							"purge_soft_delete_on_destroy": true,
+						},
+					},
 				},
 			},
 			Expected: features.UserFeatures{
@@ -49,6 +57,42 @@ func TestExpandFeatures(t *testing.T) {
 				VirtualMachineScaleSet: features.VirtualMachineScaleSetFeatures{
 					RollInstancesWhenRequired: true,
 				},
+				KeyVault: features.KeyVaultFeatures{
+					PurgeSoftDeleteOnDestroy: true,
+				},
+			},
+		},
+		{
+			Name: "Complete Disabled",
+			Input: []interface{}{
+				map[string]interface{}{
+					"virtual_machine": []interface{}{
+						map[string]interface{}{
+							"delete_os_disk_on_deletion": false,
+						},
+					},
+					"virtual_machine_scale_set": []interface{}{
+						map[string]interface{}{
+							"roll_instances_when_required": false,
+						},
+					},
+					"key_vault": []interface{}{
+						map[string]interface{}{
+							"purge_soft_delete_on_destroy": false,
+						},
+					},
+				},
+			},
+			Expected: features.UserFeatures{
+				VirtualMachine: features.VirtualMachineFeatures{
+					DeleteOSDiskOnDeletion: false,
+				},
+				VirtualMachineScaleSet: features.VirtualMachineScaleSetFeatures{
+					RollInstancesWhenRequired: false,
+				},
+				KeyVault: features.KeyVaultFeatures{
+					PurgeSoftDeleteOnDestroy: false,
+				},
 			},
 		},
 	}
@@ -62,6 +106,71 @@ func TestExpandFeatures(t *testing.T) {
 	}
 }
 
+func TestExpandFeaturesKeyVault(t *testing.T) {
+	testData := []struct {
+		Name     string
+		Input    []interface{}
+		EnvVars  map[string]interface{}
+		Expected features.UserFeatures
+	}{
+		{
+			Name: "Empty Block",
+			Input: []interface{}{
+				map[string]interface{}{
+					"key_vault": []interface{}{},
+				},
+			},
+			Expected: features.UserFeatures{
+				KeyVault: features.KeyVaultFeatures{
+					PurgeSoftDeleteOnDestroy: true,
+				},
+			},
+		},
+		{
+			Name: "Purge Soft Delete On Destroy Enabled",
+			Input: []interface{}{
+				map[string]interface{}{
+					"key_vault": []interface{}{
+						map[string]interface{}{
+							"purge_soft_delete_on_destroy": true,
+						},
+					},
+				},
+			},
+			Expected: features.UserFeatures{
+				KeyVault: features.KeyVaultFeatures{
+					PurgeSoftDeleteOnDestroy: true,
+				},
+			},
+		},
+		{
+			Name: "Purge Soft Delete On Destroy Disabled",
+			Input: []interface{}{
+				map[string]interface{}{
+					"key_vault": []interface{}{
+						map[string]interface{}{
+							"purge_soft_delete_on_destroy": false,
+						},
+					},
+				},
+			},
+			Expected: features.UserFeatures{
+				KeyVault: features.KeyVaultFeatures{
+					PurgeSoftDeleteOnDestroy: false,
+				},
+			},
+		},
+	}
+
+	for _, testCase := range testData {
+		t.Logf("[DEBUG] Test Case: %q", testCase.Name)
+		result := expandFeatures(testCase.Input)
+		if !reflect.DeepEqual(result.KeyVault, testCase.Expected.KeyVault) {
+			t.Fatalf("Expected %+v but got %+v", result.KeyVault, testCase.Expected.KeyVault)
+		}
+	}
+}
+
 func TestExpandFeaturesVirtualMachine(t *testing.T) {
 	testData := []struct {
 		Name     string

azurerm/internal/services/keyvault/data_source_key_vault.go

@@ -141,6 +141,16 @@ func dataSourceArmKeyVault() *schema.Resource {
 				},
 			},
 
+			"purge_protection_enabled": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+
+			"soft_delete_enabled": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+
 			"tags": tags.SchemaDataSource(),
 		},
 	}
@@ -175,6 +185,8 @@ func dataSourceArmKeyVaultRead(d *schema.ResourceData, meta interface{}) error {
 		d.Set("enabled_for_deployment", props.EnabledForDeployment)
 		d.Set("enabled_for_disk_encryption", props.EnabledForDiskEncryption)
 		d.Set("enabled_for_template_deployment", props.EnabledForTemplateDeployment)
+		d.Set("soft_delete_enabled", props.EnableSoftDelete)
+		d.Set("purge_protection_enabled", props.EnablePurgeProtection)
 		d.Set("vault_uri", props.VaultURI)
 
 		if sku := props.Sku; sku != nil {