Skip to content

Commit

Permalink
azurerm_storage_account - CMK allows SystemAssigned, UserAssigned
Browse files Browse the repository at this point in the history
… identity type (hashicorp#24923)
  • Loading branch information
magodo authored and rizkybiz committed Feb 21, 2024
1 parent e466940 commit ac6f11e
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 2 deletions.
4 changes: 2 additions & 2 deletions internal/services/storage/storage_account_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -1462,8 +1462,8 @@ func resourceStorageAccountCreate(d *pluginsdk.ResourceData, meta interface{}) e
if accountTier != string(storage.AccessTierPremium) && accountKind != string(storage.KindStorageV2) {
return fmt.Errorf("customer managed key can only be used with account kind `StorageV2` or account tier `Premium`")
}
if storageAccountIdentity.Type != storage.IdentityTypeUserAssigned {
return fmt.Errorf("customer managed key can only be used with identity type `UserAssigned`")
if storageAccountIdentity.Type != storage.IdentityTypeUserAssigned && storageAccountIdentity.Type != storage.IdentityTypeSystemAssignedUserAssigned {
return fmt.Errorf("customer managed key can only be used with identity type `UserAssigned` or `SystemAssigned, UserAssigned`")
}
encryption, err = expandStorageAccountCustomerManagedKey(ctx, keyVaultClient, id.SubscriptionId, v.([]interface{}))
if err != nil {
Expand Down
50 changes: 50 additions & 0 deletions internal/services/storage/storage_account_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1266,6 +1266,21 @@ func TestAccStorageAccount_customerManagedKey(t *testing.T) {
})
}

func TestAccStorageAccount_customerManagedKeyForSUAI(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_storage_account", "test")
r := StorageAccountResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.customerManagedKeyForSUAI(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
})
}

func TestAccStorageAccount_customerManagedKeyAutoRotation(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_storage_account", "test")
r := StorageAccountResource{}
Expand Down Expand Up @@ -4057,6 +4072,41 @@ resource "azurerm_storage_account" "test" {
`, r.cmkTemplate(data), data.RandomString, data.RandomString)
}

// The only difference between this and "customerManagedKey" is the "identity.type"
func (r StorageAccountResource) customerManagedKeyForSUAI(data acceptance.TestData) string {
return fmt.Sprintf(`
%s
resource "azurerm_storage_account" "test" {
name = "unlikely23exst2acct%s"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
account_tier = "Standard"
account_replication_type = "LRS"
account_kind = "StorageV2"
identity {
type = "SystemAssigned, UserAssigned"
identity_ids = [
azurerm_user_assigned_identity.test.id,
]
}
customer_managed_key {
key_vault_key_id = azurerm_key_vault_key.test.id
user_assigned_identity_id = azurerm_user_assigned_identity.test.id
}
infrastructure_encryption_enabled = true
table_encryption_key_type = "Account"
queue_encryption_key_type = "Account"
tags = {
environment = "production"
}
}
`, r.cmkTemplate(data), data.RandomString)
}

func (r StorageAccountResource) customerManagedKeyAutoRotation(data acceptance.TestData) string {
return fmt.Sprintf(`
%s
Expand Down

0 comments on commit ac6f11e

Please sign in to comment.