Support for client_certificate_enabled, gateway_disabled, `min_ap…

…i_version` and `zones` in `azurerm_api_management` (#12125) Fix #8529 #12126
hashicorp · Jun 15, 2021 · 46ffd6a · 46ffd6a
1 parent 21e2bbb
commit 46ffd6a
Show file tree

Hide file tree

Showing 3 changed files with 305 additions and 1 deletion.
diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go
@@ -151,6 +151,24 @@ func resourceApiManagementService() *pluginsdk.Resource {
 				},
 			},
 
+			"client_certificate_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
+			"gateway_disabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
+			"min_api_version": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+
 			"notification_sender_email": {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
@@ -485,6 +503,8 @@ func resourceApiManagementService() *pluginsdk.Resource {
 				},
 			},
 
+			"zones": azure.SchemaZones(),
+
 			"gateway_url": {
 				Type:     pluginsdk.TypeString,
 				Computed: true,
@@ -667,6 +687,33 @@ func resourceApiManagementServiceCreateUpdate(d *pluginsdk.ResourceData, meta in
 		}
 	}
 
+	if d.HasChange("client_certificate_enabled") {
+		enableClientCertificate := d.Get("client_certificate_enabled").(bool)
+		if enableClientCertificate && sku.Name != apimanagement.SkuTypeConsumption {
+			return fmt.Errorf("`client_certificate_enabled` is only supported when sku type is `Consumption`")
+		}
+		properties.ServiceProperties.EnableClientCertificate = utils.Bool(enableClientCertificate)
+	}
+
+	gateWayDisabled := d.Get("gateway_disabled").(bool)
+	if gateWayDisabled && len(*properties.AdditionalLocations) == 0 {
+		return fmt.Errorf("`gateway_disabled` is only supported when `additional_location` is set")
+	}
+	properties.ServiceProperties.DisableGateway = utils.Bool(gateWayDisabled)
+
+	if v, ok := d.GetOk("min_api_version"); ok {
+		properties.ServiceProperties.APIVersionConstraint = &apimanagement.APIVersionConstraint{
+			MinAPIVersion: utils.String(v.(string)),
+		}
+	}
+
+	if v := d.Get("zones").([]interface{}); len(v) > 0 {
+		if sku.Name != apimanagement.SkuTypePremium {
+			return fmt.Errorf("`zones` is only supported when sku type is `Premium`")
+		}
+		properties.Zones = azure.ExpandZones(v)
+	}
+
 	future, err := client.CreateOrUpdate(ctx, resourceGroup, name, properties)
 	if err != nil {
 		return fmt.Errorf("creating/updating API Management Service %q (Resource Group %q): %+v", name, resourceGroup, err)
@@ -814,6 +861,8 @@ func resourceApiManagementServiceRead(d *pluginsdk.ResourceData, meta interface{
 		d.Set("public_ip_addresses", props.PublicIPAddresses)
 		d.Set("private_ip_addresses", props.PrivateIPAddresses)
 		d.Set("virtual_network_type", props.VirtualNetworkType)
+		d.Set("client_certificate_enabled", props.EnableClientCertificate)
+		d.Set("gateway_disabled", props.DisableGateway)
 
 		if resp.Sku != nil && resp.Sku.Name != "" {
 			if err := d.Set("security", flattenApiManagementSecurityCustomProperties(props.CustomProperties, resp.Sku.Name == apimanagement.SkuTypeConsumption)); err != nil {
@@ -838,6 +887,12 @@ func resourceApiManagementServiceRead(d *pluginsdk.ResourceData, meta interface{
 		if err := d.Set("virtual_network_configuration", flattenApiManagementVirtualNetworkConfiguration(props.VirtualNetworkConfiguration)); err != nil {
 			return fmt.Errorf("setting `virtual_network_configuration`: %+v", err)
 		}
+
+		var minApiVersion string
+		if props.APIVersionConstraint != nil && props.APIVersionConstraint.MinAPIVersion != nil {
+			minApiVersion = *props.APIVersionConstraint.MinAPIVersion
+		}
+		d.Set("min_api_version", minApiVersion)
 	}
 
 	if err := d.Set("sku_name", flattenApiManagementServiceSkuName(resp.Sku)); err != nil {
@@ -848,6 +903,8 @@ func resourceApiManagementServiceRead(d *pluginsdk.ResourceData, meta interface{
 		return fmt.Errorf("setting `policy`: %+v", err)
 	}
 
+	d.Set("zones", azure.FlattenZones(resp.Zones))
+
 	if resp.Sku.Name != apimanagement.SkuTypeConsumption {
 		signInSettings, err := signInClient.Get(ctx, resourceGroup, name)
 		if err != nil {

diff --git a/azurerm/internal/services/apimanagement/api_management_resource_test.go b/azurerm/internal/services/apimanagement/api_management_resource_test.go
@@ -292,6 +292,100 @@ func TestAccApiManagement_consumption(t *testing.T) {
 	})
 }
 
+func TestAccApiManagement_clientCertificate(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management", "test")
+	r := ApiManagementResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.consumption(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.consumptionClientCertificateEnabled(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.consumptionClientCertificateDisabled(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccApiManagement_gatewayDiabled(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management", "test")
+	r := ApiManagementResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.multipleLocations(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.gatewayDiabled(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.multipleLocations(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccApiManagement_minApiVersion(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management", "test")
+	r := ApiManagementResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.consumption(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.consumptionMinApiVersion(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.consumptionMinApiVersionUpdate(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.consumption(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (ApiManagementResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := parse.ApiManagementID(state.ID)
 	if err != nil {
@@ -870,7 +964,9 @@ resource "azurerm_api_management" "test" {
     }
   }
 
-  sku_name = "Premium_1"
+  sku_name = "Premium_2"
+
+  zones = [1, 2]
 
   tags = {
     "Acceptance" = "Test"
@@ -1421,6 +1517,149 @@ resource "azurerm_api_management" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }
 
+func (ApiManagementResource) consumptionClientCertificateEnabled(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                       = "acctestAM-%d"
+  location                   = azurerm_resource_group.test.location
+  resource_group_name        = azurerm_resource_group.test.name
+  publisher_name             = "pub1"
+  publisher_email            = "[email protected]"
+  sku_name                   = "Consumption_0"
+  client_certificate_enabled = true
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
+func (ApiManagementResource) consumptionClientCertificateDisabled(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                       = "acctestAM-%d"
+  location                   = azurerm_resource_group.test.location
+  resource_group_name        = azurerm_resource_group.test.name
+  publisher_name             = "pub1"
+  publisher_email            = "[email protected]"
+  sku_name                   = "Consumption_0"
+  client_certificate_enabled = false
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
+func (ApiManagementResource) multipleLocations(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                = "acctestAM-%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  publisher_name      = "pub1"
+  publisher_email     = "[email protected]"
+  sku_name            = "Premium_1"
+  additional_location {
+    location = "%s"
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.Locations.Secondary)
+}
+
+func (ApiManagementResource) gatewayDiabled(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                = "acctestAM-%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  publisher_name      = "pub1"
+  publisher_email     = "[email protected]"
+  sku_name            = "Premium_1"
+  gateway_disabled    = true
+  additional_location {
+    location = "%s"
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.Locations.Secondary)
+}
+
+func (ApiManagementResource) consumptionMinApiVersion(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                = "acctestAM-%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  publisher_name      = "pub1"
+  publisher_email     = "[email protected]"
+  sku_name            = "Consumption_0"
+  min_api_version     = "2019-12-01"
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
+func (ApiManagementResource) consumptionMinApiVersionUpdate(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                = "acctestAM-%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  publisher_name      = "pub1"
+  publisher_email     = "[email protected]"
+  sku_name            = "Consumption_0"
+  min_api_version     = "2020-12-01"
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
 func (ApiManagementResource) tenantAccess(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {

diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown
@@ -67,6 +67,14 @@ The following arguments are supported:
 
 * `certificate` - (Optional) One or more (up to 10) `certificate` blocks as defined below.
 
+* `client_certificate_enabled` - (Optional) Enforce a client certificate to be presented on each request to the gateway? This is only supported when sku type is `Consumption`.
+
+* `gateway_disabled` - (Optional) Disable the gateway in master region? This is only supported when `additional_location` is set.
+
+* `min_api_version` - (Optional)  The version which the control plane API calls to API Management service are limited with version equal to or newer than.
+
+* `zones` - (Optional) A list of availability zones.
+
 * `identity` - (Optional) An `identity` block is documented below.
 
 * `hostname_configuration` - (Optional) A `hostname_configuration` block as defined below.