New Resource: azurerm_certificate_order_key_vault_store

[xiaxyi]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

Enable user to bind certificate order to key vault using the api:"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.CertificateRegistration/certificateOrders/{certificateOrderName}/certificates/{name}"

This PR is depending on the fix of the id of the parent resource azurerm_app_service_certificate_order that included in the pr #25428

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

--- PASS: TestAccAppServiceCertificateOrderCertificate_basic (274.54s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/appservice    291.518s
--- PASS: TestAccAppServiceCertificateOrderCertificate_updateKeyVaultId (1964.45s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/appservice  
--- PASS: TestAccAppServiceCertificateOrderCertificate_updateKeyVaultName

Extra information: for online failed acc tests with the error message like "waiting for resource provisioning status to become success", this is expected as the domain verification needs to be performed before binding the cert order to key vault. Tips added in the doc.

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_app_service_certificate_order_certificate - Support key vault binding.

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #0000

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[stephybun]

Thanks @xiaxyi. Would you be able to provide some more detail on what this actually does? I see in the description that it enables binding a certificate order to a key vault, but what does that mean or do in an App Service context?

[xiaxyi]

Thanks @stephybun for the review!

The feature is to configure the key vault information for a purchased app service certificate. After user buy an app service certificate using azurerm_app_service_certificate_order, the certificate configuration isn't completed as displayed in bleow screenshots:

API reference:https://learn.microsoft.com/en-us/rest/api/appservice/app-service-certificate-orders/create-or-update-certificate?view=rest-appservice-2023-01-01&tabs=HTTP
Docs" https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

Let me know if there is anything that's still not clear to you.

[stephybun]

@xiaxyi could you please take a look through the comments and suggestions left in-line. Once those are fixed up we can take another look through this.

[stephybun]

Suggested change

	return fmt.Errorf("retreiving %s: %v", id, err)
	return fmt.Errorf("retrieving %s: %v", id, err)

[stephybun]

Suggested change

	return fmt.Errorf("reading %s: %+v", id, err)
	return fmt.Errorf("retrieving %s: %+v", id, err)

[stephybun]

Suggested change

	return fmt.Errorf("reading %s: %+v", id, err)
	return fmt.Errorf("retrieving %s: %+v", id, err)

[stephybun]

Can we rename this so it's a bit clearer at first glance what this does

Suggested change

	return "azurerm_app_service_certificate_order_certificate"
	return "azurerm_app_service_certificate_order_key_vault_store"

[stephybun]

Could these be replaced by key_vault_secret_id?

[xiaxyi]

I'm afraid not, because we are not referring to a key vault secret, instead, we are creating the secret in the key vault with a name specified.

[stephybun]

Suggested change

	* `certificate_order_id` - (Required) The id of the certificate order in which to configure the certificate. Changing this forces a new resource to be created.
	* `certificate_order_id` - (Required) The ID of the Certificate Order in which to configure the Certificate Key Vault Store Binding. Changing this forces a new resource to be created.

[stephybun]

Suggested change

	* `key_vault_id` - (Required) The id of the key vault in which to bind the certificate order certificate.
	* `key_vault_id` - (Required) The ID of the Key Vault in which to bind the Certificate.

[stephybun]

Suggested change

	* `key_vault_secret_name` - (Required) The name of the key vault secrete in which to bind the certificate order certificate.
	* `key_vault_secret_name` - (Required) The name of the Key Vault Secret to bind to the Certificate.

[stephybun]

Suggested change

	* `location` - The location of the certificate order certificate.
	* `location` - The location of the Certificate.

[stephybun]

Suggested change

	* `type` - The type of the certificate order certificate.
	* `type` - The type of Certificate.

[Gabryel8818]

Hello Guys, any updates for this?

I have used terraform app_service_certificate and missing key store

I am very animated for this resource

[Gabryel8818]

@stephybun Hello, how are you? :D

do you can check this PR with your Request Change?

[igoritos22]

Hi guys, this feature is very important.
Any updates about that?

[stephybun]

Alphabetical ordering

[stephybun]

Alphabetical ordering

[stephybun]

We handle differences in casing by parsing the resource ID insensitively in the read so this doesn't need to be set.

Suggested change

	// TODO -- remove when issue https://github.com/Azure/azure-rest-api-specs/issues/28498 is addressed
	DiffSuppressFunc: suppress.CaseDifference,

[stephybun]

Suggested change

	Name: id.CertificateName,
	}
	certificateOrderId := appservicecertificateorders.NewCertificateOrderID(id.SubscriptionId, id.ResourceGroupName, id.CertificateOrderName)
	state.CertificateOrderId = certificateOrderId.ID()
	Name: id.CertificateName,
	CertificateOrderId: appservicecertificateorders.NewCertificateOrderID(id.SubscriptionId, id.ResourceGroupName, id.CertificateOrderName)
	}

[stephybun]

We don't expose the top level type field for resources, also this isn't defined in the resource's model struct and isn't being set in the read so this should be removed

Suggested change

	"type": {
	Type: pluginsdk.TypeString,
	Computed: true,
	},

[stephybun]

Please update these description to better reflect what the resource does and the resource's name

Suggested change

	Manages an App Service Certificate Order Certificate.
	---
	# azurerm_app_service_certificate_order_key_vault_store
	Manages an App Service Certificate Order Certificate.
	Manages an App Service Certificate Order for Storage in a Key Vault.
	---
	# azurerm_app_service_certificate_order_key_vault_store
	Manages an App Service Certificate Order for Storage in a Key Vault.

[stephybun]

Suggested change

	* `type` - The type of the certificate.
	* `type` - The type of the certificate.

[stephybun]

Suggested change

	* `type` - The type of the certificate.

[stephybun]

Suggested change

	* `location` - The location of the certificate.
	* `location` - The location of the Certificate.

[stephybun]

Suggested change

	* `create` - (Defaults to 30 minutes) Used when creating the App Service Certificate Order Certificate.
	* `update` - (Defaults to 30 minutes) Used when updating the App Service Certificate Order Certificate.
	* `read` - (Defaults to 5 minutes) Used when retrieving the App Service Certificate Order Certificate.
	* `delete` - (Defaults to 30 minutes) Used when deleting the App Service Certificate Order Certificate.
	## Import
	App Service Certificate Order Certificate can be imported using the `resource id`, e.g.
	* `create` - (Defaults to 30 minutes) Used when creating the App Service Certificate Order Key Vault Store.
	* `update` - (Defaults to 30 minutes) Used when updating the App Service Certificate Order Key Vault Store.
	* `read` - (Defaults to 5 minutes) Used when retrieving the App Service Certificate Order Key Vault Store.
	* `delete` - (Defaults to 30 minutes) Used when deleting the App Service Certificate Order Key Vault Store.
	## Import
	An App Service Certificate Order Key Vault Store can be imported using the `resource id`, e.g.