hashicorp · katbyte · Feb 18, 2021 · Feb 4, 2021 · Feb 4, 2021 · Feb 15, 2021
diff --git a/azurerm/internal/services/apimanagement/api_management_resource.go b/azurerm/internal/services/apimanagement/api_management_resource.go
@@ -528,6 +528,35 @@ func resourceApiManagementService() *schema.Resource {
 				Computed: true,
 			},
 
+			"tenant_access": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Required: true,
+						},
+						"tenant_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"primary_key": {
+							Type:      schema.TypeString,
+							Computed:  true,
+							Sensitive: true,
+						},
+						"secondary_key": {
+							Type:      schema.TypeString,
+							Computed:  true,
+							Sensitive: true,
+						},
+					},
+				},
+			},
+
 			"tags": tags.Schema(),
 		},
 
@@ -702,13 +731,23 @@ func resourceApiManagementServiceCreateUpdate(d *schema.ResourceData, meta inter
 		}
 	}
 
+	if d.HasChange("tenant_access") {
+		tenantAccessInformationParametersRaw := d.Get("tenant_access").([]interface{})
+		tenantAccessInformationParameters := expandApiManagementTenantAccessSettings(tenantAccessInformationParametersRaw)
+		tenantAccessClient := meta.(*clients.Client).ApiManagement.TenantAccessClient
+		if _, err := tenantAccessClient.Update(ctx, resourceGroup, name, tenantAccessInformationParameters, ""); err != nil {
+			return fmt.Errorf(" updating tenant access settings for API Management Service %q (Resource Group %q): %+v", name, resourceGroup, err)
+		}
+	}
+
 	return resourceApiManagementServiceRead(d, meta)
 }
 
 func resourceApiManagementServiceRead(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).ApiManagement.ServiceClient
 	signInClient := meta.(*clients.Client).ApiManagement.SignInClient
 	signUpClient := meta.(*clients.Client).ApiManagement.SignUpClient
+	tenantAccessClient := meta.(*clients.Client).ApiManagement.TenantAccessClient
 	environment := meta.(*clients.Client).Account.Environment
 	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
 	defer cancel()
@@ -824,6 +863,14 @@ func resourceApiManagementServiceRead(d *schema.ResourceData, meta interface{})
 		d.Set("sign_up", []interface{}{})
 	}
 
+	tenantAccessInformationContract, err := tenantAccessClient.ListSecrets(ctx, resourceGroup, name)
+	if err != nil {
+		return fmt.Errorf("retrieving tenant access properties for API Management Service %q (Resource Group %q): %+v", name, resourceGroup, err)
+	}
+	if err := d.Set("tenant_access", flattenApiManagementTenantAccessSettings(tenantAccessInformationContract)); err != nil {
+		return fmt.Errorf("setting `tenant_access`: %+v", err)
+	}
+
 	return tags.FlattenAndSet(d, resp.Tags)
 }
 
@@ -1599,3 +1646,38 @@ func flattenApiManagementPolicies(d *schema.ResourceData, input apimanagement.Po
 
 	return []interface{}{output}
 }
+
+func expandApiManagementTenantAccessSettings(input []interface{}) apimanagement.AccessInformationUpdateParameters {
+	enabled := false
+
+	if len(input) > 0 {
+		vs := input[0].(map[string]interface{})
+		enabled = vs["enabled"].(bool)
+	}
+
+	return apimanagement.AccessInformationUpdateParameters{
+		AccessInformationUpdateParameterProperties: &apimanagement.AccessInformationUpdateParameterProperties{
+			Enabled: utils.Bool(enabled),
+		},
+	}
+}
+
+func flattenApiManagementTenantAccessSettings(input apimanagement.AccessInformationContract) []interface{} {
+	result := make(map[string]interface{})
+
+	result["enabled"] = *input.Enabled
+
+	if input.ID != nil {
+		result["tenant_id"] = *input.ID
+	}
+
+	if input.PrimaryKey != nil {
+		result["primary_key"] = *input.PrimaryKey
+	}
+
+	if input.SecondaryKey != nil {
+		result["secondary_key"] = *input.SecondaryKey
+	}
+
+	return []interface{}{result}
+}
diff --git a/azurerm/internal/services/apimanagement/api_management_resource_test.go b/azurerm/internal/services/apimanagement/api_management_resource_test.go
@@ -501,6 +501,25 @@ func TestAccApiManagement_identitySystemAssignedUserAssignedUpdateUserAssigned(t
 	})
 }
 
+func TestAccApiManagement_tenantAccess(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management", "test")
+	r := ApiManagementResource{}
+
+	data.ResourceTest(t, r, []resource.TestStep{
+		{
+			Config: r.tenantAccess(data),
+			Check: resource.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("tenant_access.0.enabled").HasValue("true"),
+				check.That(data.ResourceName).Key("tenant_access.0.tenant_id").Exists(),
+				check.That(data.ResourceName).Key("tenant_access.0.primary_key").Exists(),
+				check.That(data.ResourceName).Key("tenant_access.0.secondary_key").Exists(),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (ApiManagementResource) basic(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
@@ -1248,3 +1267,30 @@ resource "azurerm_api_management" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }
+
+func (ApiManagementResource) tenantAccess(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_api_management" "test" {
+  name                = "acctestAM-%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  publisher_name      = "pub1"
+  publisher_email     = "[email protected]"
+
+  sku_name = "Developer_1"
+
+  tenant_access {
+    enabled = true
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
diff --git a/azurerm/internal/services/apimanagement/client/client.go b/azurerm/internal/services/apimanagement/client/client.go
@@ -32,6 +32,7 @@ type Client struct {
 	SignInClient               *apimanagement.SignInSettingsClient
 	SignUpClient               *apimanagement.SignUpSettingsClient
 	SubscriptionsClient        *apimanagement.SubscriptionClient
+	TenantAccessClient         *apimanagement.TenantAccessClient
 	UsersClient                *apimanagement.UserClient
 }
 
@@ -114,6 +115,9 @@ func NewClient(o *common.ClientOptions) *Client {
 	subscriptionsClient := apimanagement.NewSubscriptionClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
 	o.ConfigureClient(&subscriptionsClient.Client, o.ResourceManagerAuthorizer)
 
+	tenantAccessClient := apimanagement.NewTenantAccessClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
+	o.ConfigureClient(&tenantAccessClient.Client, o.ResourceManagerAuthorizer)
+
 	usersClient := apimanagement.NewUserClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
 	o.ConfigureClient(&usersClient.Client, o.ResourceManagerAuthorizer)
 
@@ -144,6 +148,7 @@ func NewClient(o *common.ClientOptions) *Client {
 		SignInClient:               &signInClient,
 		SignUpClient:               &signUpClient,
 		SubscriptionsClient:        &subscriptionsClient,
+		TenantAccessClient:         &tenantAccessClient,
 		UsersClient:                &usersClient,
 	}
 }
diff --git a/website/docs/r/api_management.html.markdown b/website/docs/r/api_management.html.markdown
@@ -83,6 +83,8 @@ The following arguments are supported:
 
 * `sign_up` - (Optional) A `sign_up` block as defined below.
 
+* `tenant_access` - (Optional) A `tenant_access` block as defined below.
+
 * `virtual_network_type` - (Optional) The type of virtual network you want to use, valid values include: `None`, `External`, `Internal`. 
 > **NOTE:** Please ensure that in the subnet, inbound port 3443 is open when `virtual_network_type` is `Internal` or `External`. And please ensure other necessary ports are open according to [api management network configuration](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues).
 
@@ -299,6 +301,12 @@ A `sign_up` block supports the following:
 
 ---
 
+A `tenant_access` block supports the following:
+
+* `enabled` - (Required) Should the access to the management api be enabled?
+
+---
+
 A `virtual_network_configuration` block supports the following:
 
 * `subnet_id` - (Required) The id of the subnet that will be used for the API Management.
@@ -340,6 +348,8 @@ In addition to all arguments above, the following attributes are exported:
 
 * `scm_url` - The URL for the SCM (Source Code Management) Endpoint associated with this API Management service.
 
+* `tenant_access` - The `tenant_access` block as documented below.
+
 ---
 
 An `additional_location` block exports the following:
@@ -358,6 +368,16 @@ An `identity` block exports the following:
 
 * `tenant_id` - The Tenant ID associated with this Managed Service Identity.
 
+---
+
+A `tenant_access` block exports the following:
+
+* `tenant_id` - The identifier for the tenant access information contract.
+
+* `primary_key` - Primary access key for the tenant access information contract.
+
+* `secondary_key` - Secondary access key for the tenant access information contract.
+
 ## Timeouts
 
 The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: