From 6522a316a4be88045e95940b5f1958ab20a5a3b9 Mon Sep 17 00:00:00 2001 
From: Vladimir Lazarenko Date: Wed, 9 Jun 2021 11:58:19 +0200 Subject: [PATCH] `azurerm_data_factory_linked_service_azure_sql_database`: add `key_vault_connection_string_property` ``` $ TF_ACC=1 go test -v ./azurerm/internal/services/datafactory -timeout=1000m -run='TestAccDataFactoryLinkedServiceAzureSQLDatabase' 2021/06/09 11:53:35 [DEBUG] not using binary driver name, it's no longer needed 2021/06/09 11:53:35 [DEBUG] not using binary driver name, it's no longer needed === RUN TestAccDataFactoryLinkedServiceAzureSQLDatabase_basic === PAUSE TestAccDataFactoryLinkedServiceAzureSQLDatabase_basic === RUN TestAccDataFactoryLinkedServiceAzureSQLDatabase_update === PAUSE TestAccDataFactoryLinkedServiceAzureSQLDatabase_update === RUN TestAccDataFactoryLinkedServiceAzureSQLDatabase_managed_id === PAUSE TestAccDataFactoryLinkedServiceAzureSQLDatabase_managed_id === RUN TestAccDataFactoryLinkedServiceAzureSQLDatabase_PasswordKeyVaultReference === PAUSE TestAccDataFactoryLinkedServiceAzureSQLDatabase_PasswordKeyVaultReference === RUN TestAccDataFactoryLinkedServiceAzureSQLDatabase_ConnectionStringKeyVaultReference === PAUSE TestAccDataFactoryLinkedServiceAzureSQLDatabase_ConnectionStringKeyVaultReference === CONT TestAccDataFactoryLinkedServiceAzureSQLDatabase_basic === CONT TestAccDataFactoryLinkedServiceAzureSQLDatabase_ConnectionStringKeyVaultReference === CONT TestAccDataFactoryLinkedServiceAzureSQLDatabase_PasswordKeyVaultReference === CONT TestAccDataFactoryLinkedServiceAzureSQLDatabase_managed_id === CONT TestAccDataFactoryLinkedServiceAzureSQLDatabase_update --- PASS: TestAccDataFactoryLinkedServiceAzureSQLDatabase_managed_id (107.99s) --- PASS: TestAccDataFactoryLinkedServiceAzureSQLDatabase_basic (120.47s) --- PASS: TestAccDataFactoryLinkedServiceAzureSQLDatabase_update (165.46s) --- PASS: TestAccDataFactoryLinkedServiceAzureSQLDatabase_PasswordKeyVaultReference (277.65s) --- PASS: TestAccDataFactoryLinkedServiceAzureSQLDatabase_ConnectionStringKeyVaultReference 
(277.87s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/datafactory 279.235s ``` --- ...ked_service_azure_sql_database_resource.go | 39 +++++++++- ...ervice_azure_sql_database_resource_test.go | 73 ++++++++++++++++++- ...d_service_azure_sql_database.html.markdown | 12 ++- website/docs/r/role_assignment.html.markdown | 2 +- 4 files changed, 122 insertions(+), 4 deletions(-) diff --git a/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource.go b/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource.go index 2625afb6824a..f2de65cd9c6a 100644 --- a/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource.go +++ b/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource.go @@ -54,7 +54,8 @@ func resourceDataFactoryLinkedServiceAzureSQLDatabase() *pluginsdk.Resource { "connection_string": { Type: pluginsdk.TypeString, - Required: true, + Optional: true, + ExactlyOneOf: []string{"connection_string", "key_vault_connection_string"}, DiffSuppressFunc: azureRmDataFactoryLinkedServiceConnectionStringDiff, ValidateFunc: validation.StringIsNotEmpty, }, @@ -65,6 +66,28 @@ func resourceDataFactoryLinkedServiceAzureSQLDatabase() *pluginsdk.Resource { ValidateFunc: validation.StringIsNotEmpty, }, + "key_vault_connection_string": { + Type: pluginsdk.TypeList, + Optional: true, + ExactlyOneOf: []string{"connection_string", "key_vault_connection_string"}, + MaxItems: 1, + Elem: &pluginsdk.Resource{ + Schema: map[string]*pluginsdk.Schema{ + "linked_service_name": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + + "secret_name": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validation.StringIsNotEmpty, + }, + }, + }, + }, + "key_vault_password": { Type: pluginsdk.TypeList, Optional: true, 
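Review bot: The `connection_string` entry in the first schema hunk is still declared without `Sensitive: true`, and a SQL connection string can embed credentials, so its value would be printed in plan output and diffs. Now that `key_vault_connection_string` exists as the alternative, I would add `Sensitive: true,` to the inline field. Marking it sensitive only hides it from CLI output; the value is still written to state, which is worth saying in the docs next to the recommendation to use the Key Vault reference. The website hunk also still labels `connection_string` as `(Required)` although the schema now makes it `Optional` with `ExactlyOneOf`. The resource function starts and ends outside these hunks.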
@@ -182,6 +205,10 @@ func resourceDataFactoryLinkedServiceAzureSQLDatabaseCreateUpdate(d *pluginsdk.R } } + if v, ok := d.GetOk("key_vault_connection_string"); ok { + sqlDatabaseProperties.ConnectionString = expandAzureKeyVaultSecretReference(v.([]interface{})) + } + if d.Get("use_managed_identity").(bool) { sqlDatabaseProperties.Tenant = utils.String(d.Get("tenant_id").(string)) } else { @@ -287,6 +314,16 @@ func resourceDataFactoryLinkedServiceAzureSQLDatabaseRead(d *pluginsdk.ResourceD } } + if sql.ConnectionString != nil { + if val, ok := sql.ConnectionString.(map[string]interface{}); ok { + if val["type"] != "SecureString" { + if err := d.Set("key_vault_connection_string", flattenAzureKeyVaultConnectionString(val)); err != nil { + return fmt.Errorf("setting `key_vault_connection_string`: %+v", err) + } + } + } + } + d.Set("additional_properties", sql.AdditionalProperties) d.Set("description", sql.Description) diff --git a/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource_test.go b/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource_test.go index fccb70e2c7a1..180a06702223 100644 --- a/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource_test.go +++ b/azurerm/internal/services/datafactory/data_factory_linked_service_azure_sql_database_resource_test.go @@ -76,7 +76,7 @@ func TestAccDataFactoryLinkedServiceAzureSQLDatabase_managed_id(t *testing.T) { }) } -func TestAccDataFactoryLinkedServiceAzureSQLDatabase_KeyVaultReference(t *testing.T) { +func TestAccDataFactoryLinkedServiceAzureSQLDatabase_PasswordKeyVaultReference(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_data_factory_linked_service_azure_sql_database", "test") r := LinkedServiceAzureSQLDatabaseResource{} 
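Review bot: In the CreateUpdate hunk the Key Vault reference is assigned to `sqlDatabaseProperties.ConnectionString` only after the properties struct has been built, and the code that fills the inline `connection_string` lies outside the hunk, so it is not visible whether that code now tolerates an unset value. Since `connection_string` became optional, the earlier assignment should presumably be guarded in the same way, `if v, ok := d.GetOk("connection_string"); ok {`, so that an empty SecureString is never constructed and then overwritten. A short comment above the new block, `// ExactlyOneOf guarantees only one of the two connection string forms is set`, would make the ordering assumption explicit.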
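Review bot: The Read hunk treats every connection-string map whose `type` is not `"SecureString"` as a Key Vault reference, which includes a map with no `type` key or an unexpected type; such a value would be passed to `flattenAzureKeyVaultConnectionString` and written to state as if it were a vault reference. I would match the expected kind positively, `if val["type"] == "AzureKeyVaultSecret" {`. In the other case, consider `d.Set("key_vault_connection_string", nil)`, so that an out-of-band switch from the vault reference back to an inline secret shows up as drift instead of leaving stale state. `flattenAzureKeyVaultConnectionString` is not defined in this diff, so its handling of missing keys cannot be checked here. The function continues outside the hunk.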
@@ -94,6 +94,25 @@ func TestAccDataFactoryLinkedServiceAzureSQLDatabase_KeyVaultReference(t *testin }) } +func TestAccDataFactoryLinkedServiceAzureSQLDatabase_ConnectionStringKeyVaultReference(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_data_factory_linked_service_azure_sql_database", "test") + r := LinkedServiceAzureSQLDatabaseResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.connection_string_key_vault_reference(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + check.That(data.ResourceName).Key("key_vault_connection_string.0.linked_service_name").HasValue("linkkv"), + check.That(data.ResourceName).Key("key_vault_connection_string.0.secret_name").HasValue("connection_string"), + check.That(data.ResourceName).Key("key_vault_password.0.linked_service_name").HasValue("linkkv"), + check.That(data.ResourceName).Key("key_vault_password.0.secret_name").HasValue("password"), + ), + }, + data.ImportStep(), + }) +} + func (t LinkedServiceAzureSQLDatabaseResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { id, err := azure.ParseAzureResourceID(state.ID) if err != nil { 
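Review bot: The new acceptance test covers only the happy path; nothing exercises the `ExactlyOneOf` constraint that this commit introduces between `connection_string` and `key_vault_connection_string`. A step whose config sets both blocks, or neither, with `ExpectError` set to a regexp for the validation message would pin that behaviour. It would also help to assert in the existing step that `connection_string` is empty, which confirms that no inline secret ends up in state when the vault reference is used.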
@@ -289,3 +308,55 @@ resource "azurerm_data_factory_linked_service_azure_sql_database" "test" { } `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) } + +func (LinkedServiceAzureSQLDatabaseResource) connection_string_key_vault_reference(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-df-%d" + location = "%s" +} + +resource "azurerm_key_vault" "test" { + name = "acctkv%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "standard" +} + +resource "azurerm_data_factory" "test" { + name = "acctestdf%d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name +} + +resource "azurerm_data_factory_linked_service_key_vault" "test" { + name = "linkkv" + resource_group_name = azurerm_resource_group.test.name + data_factory_name = azurerm_data_factory.test.name + key_vault_id = azurerm_key_vault.test.id +} + +resource "azurerm_data_factory_linked_service_azure_sql_database" "test" { + name = "acctestlssql%d" + resource_group_name = azurerm_resource_group.test.name + data_factory_name = azurerm_data_factory.test.name + + key_vault_connection_string { + linked_service_name = azurerm_data_factory_linked_service_key_vault.test.name + secret_name = "connection_string" + } + + key_vault_password { + linked_service_name = azurerm_data_factory_linked_service_key_vault.test.name + secret_name = "password" + } +} +`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) +} 
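Review bot: The config in `connection_string_key_vault_reference` creates the Key Vault without any `connection_string` or `password` secret and without an access policy for the factory, so the test shows only that the reference round-trips through the API, not that it resolves. I would state that in a comment above the method, for example `// The referenced secrets are not created; this config only verifies that the Key Vault references are stored and read back.` The method name uses underscores rather than Go's MixedCaps; whether that follows the file's existing helpers is not visible in this hunk.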
diff --git a/website/docs/r/data_factory_linked_service_azure_sql_database.html.markdown b/website/docs/r/data_factory_linked_service_azure_sql_database.html.markdown index e91882e78e58..687f2348128e 100644 --- a/website/docs/r/data_factory_linked_service_azure_sql_database.html.markdown +++ b/website/docs/r/data_factory_linked_service_azure_sql_database.html.markdown @@ -45,7 +45,7 @@ The following arguments are supported: * `data_factory_name` - (Required) The Data Factory name in which to associate the Linked Service with. Changing this forces a new resource to be created. -* `connection_string` - (Required) The connection string in which to authenticate with Azure SQL Database. +* `connection_string` - (Required) The connection string in which to authenticate with Azure SQL Database. Exactly one of either `connection_string` or `key_vault_connection_string` is required. * `use_managed_identity` - (Optional) Whether to use the Data Factory's managed identity to authenticate against the Azure SQL Database. Incompatible with `service_principal_id` and `service_principal_key` 
@@ -65,10 +65,20 @@ The following arguments are supported: * `additional_properties` - (Optional) A map of additional properties to associate with the Data Factory Linked Service Azure SQL Database. +* `key_vault_connection_string` - (Optional) A `key_vault_connection_string` block as defined below. Use this argument to store Azure SQL Database connection string in an existing Key Vault. It needs an existing Key Vault Data Factory Linked Service. Exactly one of either `connection_string` or `key_vault_connection_string` is required. + * `key_vault_password` - (Optional) A `key_vault_password` block as defined below. Use this argument to store SQL Server password in an existing Key Vault. It needs an existing Key Vault Data Factory Linked Service. --- +A `key_vault_connection_string` block supports the following: + +* `linked_service_name` - (Required) Specifies the name of an existing Key Vault Data Factory Linked Service. + +* `secret_name` - (Required) Specifies the secret name in Azure Key Vault that stores SQL Server connection string. + +--- + A `key_vault_password` block supports the following: * `linked_service_name` - (Required) Specifies the name of an existing Key Vault Data Factory Linked Service. diff --git a/website/docs/r/role_assignment.html.markdown b/website/docs/r/role_assignment.html.markdown index 68add9934dac..c414f31d2248 100644 --- a/website/docs/r/role_assignment.html.markdown +++ b/website/docs/r/role_assignment.html.markdown @@ -187,4 +187,4 @@ terraform import azurerm_role_assignment.example /subscriptions/00000000-0000-00 ~> **NOTE:** for cross tenant scenario, the format of `resource id` is composed of azure resource id and tenantId. for example: ``` /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000|00000000-0000-0000-0000-000000000000 -``` \ No newline at end of file +```