hashicorp · jackofallops · Aug 17, 2020 · Jul 8, 2020 · Jul 8, 2020 · Jul 8, 2020
diff --git a/azurerm/internal/services/apimanagement/api_management_api_resource.go b/azurerm/internal/services/apimanagement/api_management_api_resource.go
@@ -175,6 +175,53 @@ func resourceArmApiManagementApi() *schema.Resource {
 				Default:  false,
 			},
 
+			"oauth2_authorization": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"authorization_server_name": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validate.ApiManagementChildName,
+						},
+						"scope": {
+							Type:     schema.TypeString,
+							Optional: true,
+							// There is currently no validation, as any length and characters can be used in the field
+						},
+					},
+				},
+			},
+
+			"openid_authentication": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"openid_provider_name": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validate.ApiManagementChildName,
+						},
+						"bearer_token_sending_methods": {
+							Type:         schema.TypeSet,
+							Optional:     true,
+							ValidateFunc: nil,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+								ValidateFunc: validation.StringInSlice([]string{
+									string(apimanagement.BearerTokenSendingMethodsAuthorizationHeader),
+									string(apimanagement.BearerTokenSendingMethodsQuery),
+								}, false),
+							},
+						},
+					},
+				},
+			},
+
 			// Computed
 			"is_current": {
 				Type:     schema.TypeBool,
@@ -306,6 +353,24 @@ func resourceArmApiManagementApiCreateUpdate(d *schema.ResourceData, meta interf
 	subscriptionKeyParameterNamesRaw := d.Get("subscription_key_parameter_names").([]interface{})
 	subscriptionKeyParameterNames := expandApiManagementApiSubscriptionKeyParamNames(subscriptionKeyParameterNamesRaw)
 
+	authenticationSettings := &apimanagement.AuthenticationSettingsContract{}
+	if vs, hasOAuth2Authorization := d.GetOk("oauth2_authorization"); hasOAuth2Authorization {
+		oAuth2AuthorizationVs := vs.([]interface{})
+		oAuth2AuthorizationV := oAuth2AuthorizationVs[0].(map[string]interface{})
+		authenticationSettings.OAuth2 = &apimanagement.OAuth2AuthenticationSettingsContract{
+			AuthorizationServerID: utils.String(oAuth2AuthorizationV["authorization_server_name"].(string)),
+			Scope:                 utils.String(oAuth2AuthorizationV["scope"].(string)),
+		}
+	}
+	if vs, hasOpenIDAuthorization := d.GetOk("openid_authentication"); hasOpenIDAuthorization {
+		openIDAuthorizationVs := vs.([]interface{})
+		openIDAuthorizationV := openIDAuthorizationVs[0].(map[string]interface{})
+		authenticationSettings.Openid = &apimanagement.OpenIDAuthenticationSettingsContract{
+			OpenidProviderID:          utils.String(openIDAuthorizationV["openid_provider_name"].(string)),
+			BearerTokenSendingMethods: expandApiManagementOpenIDAuthenticationSettingsBearerTokenSendingMethods(openIDAuthorizationV["bearer_token_sending_methods"].([]interface{})),
+		}
+	}
+
 	params := apimanagement.APICreateOrUpdateParameter{
 		APICreateOrUpdateProperties: &apimanagement.APICreateOrUpdateProperties{
 			APIType:                       apiType,
@@ -318,6 +383,7 @@ func resourceArmApiManagementApiCreateUpdate(d *schema.ResourceData, meta interf
 			SubscriptionKeyParameterNames: subscriptionKeyParameterNames,
 			APIVersion:                    utils.String(version),
 			SubscriptionRequired:          &subscriptionRequired,
+			AuthenticationSettings:        authenticationSettings,
 		},
 	}
 
@@ -403,6 +469,14 @@ func resourceArmApiManagementApiRead(d *schema.ResourceData, meta interface{}) e
 		if err := d.Set("subscription_key_parameter_names", flattenApiManagementApiSubscriptionKeyParamNames(props.SubscriptionKeyParameterNames)); err != nil {
 			return fmt.Errorf("setting `subscription_key_parameter_names`: %+v", err)
 		}
+
+		if err := d.Set("oauth2_authorization", flattenApiManagementOAuth2Authorization(props.AuthenticationSettings.OAuth2)); err != nil {
+			return fmt.Errorf("setting `oauth2_authorization`: %+v", err)
+		}
+
+		if err := d.Set("openid_authentication", flattenApiManagementOpenidAuthentication(props.AuthenticationSettings.Openid)); err != nil {
+			return fmt.Errorf("setting `openid_authentication`: %+v", err)
+		}
 	}
 
 	return nil
@@ -494,3 +568,52 @@ func flattenApiManagementApiSubscriptionKeyParamNames(paramNames *apimanagement.
 
 	return []interface{}{result}
 }
+
+func expandApiManagementOpenIDAuthenticationSettingsBearerTokenSendingMethods(input interface{}) *[]apimanagement.BearerTokenSendingMethods {
+	if input == nil {
+		return nil
+	}
+	results := make([]apimanagement.BearerTokenSendingMethods, 0)
+
+	vs := input.(*schema.Set).List()
+	for _, v := range vs {
+		results = append(results, apimanagement.BearerTokenSendingMethods(v.(string)))
+	}
+
+	return &results
+}
+
+func flattenApiManagementOAuth2Authorization(input *apimanagement.OAuth2AuthenticationSettingsContract) []interface{} {
+	if input == nil {
+		return make([]interface{}, 0)
+	}
+
+	result := make(map[string]interface{})
+
+	result["authorization_server_name"] = *input.AuthorizationServerID
+	if input.Scope != nil {
+		result["scope"] = *input.Scope
+	}
+
+	return []interface{}{result}
+}
+
+func flattenApiManagementOpenidAuthentication(input *apimanagement.OpenIDAuthenticationSettingsContract) []interface{} {
+	if input == nil {
+		return make([]interface{}, 0)
+	}
+
+	result := make(map[string]interface{})
+
+	result["openid_provider_name"] = *input.OpenidProviderID
+
+	bearerTokenSendingMethods := make([]interface{}, 0)
+	if s := input.BearerTokenSendingMethods; s != nil {
+		for _, v := range *s {
+			bearerTokenSendingMethods = append(bearerTokenSendingMethods, v)
+		}
+	}
+	result["bearer_token_sending_methods"] = schema.NewSet(schema.HashString, bearerTokenSendingMethods)
+
+	return []interface{}{result}
+}
diff --git a/azurerm/internal/services/apimanagement/tests/api_management_api_resource_test.go b/azurerm/internal/services/apimanagement/tests/api_management_api_resource_test.go
@@ -34,8 +34,27 @@ func TestAccAzureRMApiManagementApi_basic(t *testing.T) {
 	})
 }
 
-// Remove in 2.0
-func TestAccAzureRMApiManagementApi_basicClassic(t *testing.T) {
+func TestAccAzureRMApiManagementApi_wordRevision(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_api_management_api", "test")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMApiManagementApiDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMApiManagementApi_wordRevision(data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMApiManagementApiExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "revision", "one-point-oh"),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
+func TestAccAzureRMApiManagementApi_blankPath(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_api_management_api", "test")
 
 	resource.Test(t, resource.TestCase{
@@ -44,20 +63,21 @@ func TestAccAzureRMApiManagementApi_basicClassic(t *testing.T) {
 		CheckDestroy: testCheckAzureRMApiManagementApiDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAzureRMApiManagementApi_basicClassic(data),
+				Config: testAccAzureRMApiManagementApi_blankPath(data),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMApiManagementApiExists(data.ResourceName),
 					resource.TestCheckResourceAttr(data.ResourceName, "soap_pass_through", "false"),
 					resource.TestCheckResourceAttr(data.ResourceName, "is_current", "true"),
 					resource.TestCheckResourceAttr(data.ResourceName, "is_online", "false"),
+					resource.TestCheckResourceAttr(data.ResourceName, "path", ""),
 				),
 			},
 			data.ImportStep(),
 		},
 	})
 }
 
-func TestAccAzureRMApiManagementApi_wordRevision(t *testing.T) {
+func TestAccAzureRMApiManagementApi_version(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_api_management_api", "test")
 
 	resource.Test(t, resource.TestCase{
@@ -66,18 +86,18 @@ func TestAccAzureRMApiManagementApi_wordRevision(t *testing.T) {
 		CheckDestroy: testCheckAzureRMApiManagementApiDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAzureRMApiManagementApi_wordRevision(data),
+				Config: testAccAzureRMApiManagementApi_versionSet(data),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMApiManagementApiExists(data.ResourceName),
-					resource.TestCheckResourceAttr(data.ResourceName, "revision", "one-point-oh"),
+					resource.TestCheckResourceAttr(data.ResourceName, "version", "v1"),
 				),
 			},
 			data.ImportStep(),
 		},
 	})
 }
 
-func TestAccAzureRMApiManagementApi_blankPath(t *testing.T) {
+func TestAccAzureRMApiManagementApi_oauth2Authorization(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_api_management_api", "test")
 
 	resource.Test(t, resource.TestCase{
@@ -86,21 +106,17 @@ func TestAccAzureRMApiManagementApi_blankPath(t *testing.T) {
 		CheckDestroy: testCheckAzureRMApiManagementApiDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAzureRMApiManagementApi_blankPath(data),
+				Config: testAccAzureRMApiManagementApi_oauth2Authorization(data),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMApiManagementApiExists(data.ResourceName),
-					resource.TestCheckResourceAttr(data.ResourceName, "soap_pass_through", "false"),
-					resource.TestCheckResourceAttr(data.ResourceName, "is_current", "true"),
-					resource.TestCheckResourceAttr(data.ResourceName, "is_online", "false"),
-					resource.TestCheckResourceAttr(data.ResourceName, "path", ""),
 				),
 			},
 			data.ImportStep(),
 		},
 	})
 }
 
-func TestAccAzureRMApiManagementApi_version(t *testing.T) {
+func TestAccAzureRMApiManagementApi_openidAuthentication(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_api_management_api", "test")
 
 	resource.Test(t, resource.TestCase{
@@ -109,10 +125,9 @@ func TestAccAzureRMApiManagementApi_version(t *testing.T) {
 		CheckDestroy: testCheckAzureRMApiManagementApiDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAzureRMApiManagementApi_versionSet(data),
+				Config: testAccAzureRMApiManagementApi_openidAuthentication(data),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMApiManagementApiExists(data.ResourceName),
-					resource.TestCheckResourceAttr(data.ResourceName, "version", "v1"),
 				),
 			},
 			data.ImportStep(),
@@ -370,24 +385,6 @@ resource "azurerm_api_management_api" "test" {
 `, template, data.RandomInteger)
 }
 
-// Remove in 2.0
-func testAccAzureRMApiManagementApi_basicClassic(data acceptance.TestData) string {
-	template := testAccAzureRMApiManagementApi_templateClassic(data)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_api_management_api" "test" {
-  name                = "acctestapi-%d"
-  resource_group_name = azurerm_resource_group.test.name
-  api_management_name = azurerm_api_management.test.name
-  display_name        = "api1"
-  path                = "api1"
-  protocols           = ["https"]
-  revision            = "1"
-}
-`, template, data.RandomInteger)
-}
-
 func testAccAzureRMApiManagementApi_blankPath(data acceptance.TestData) string {
 	template := testAccAzureRMApiManagementApi_template(data)
 	return fmt.Sprintf(`
@@ -575,31 +572,82 @@ resource "azurerm_api_management_api" "test" {
 `, template, data.RandomInteger, data.RandomInteger)
 }
 
-func testAccAzureRMApiManagementApi_template(data acceptance.TestData) string {
+func testAccAzureRMApiManagementApi_oauth2Authorization(data acceptance.TestData) string {
+	template := testAccAzureRMApiManagementApi_template(data)
 	return fmt.Sprintf(`
-provider "azurerm" {
-  features {}
+%s
+
+resource "azurerm_api_management_authorization_server" "test" {
+  name                         = "acctestauthsrv-%d"
+  resource_group_name          = azurerm_resource_group.test.name
+  api_management_name          = azurerm_api_management.test.name
+  display_name                 = "Test Group"
+  authorization_endpoint       = "https://azacctest.hashicorptest.com/client/authorize"
+  client_id                    = "42424242-4242-4242-4242-424242424242"
+  client_registration_endpoint = "https://azacctest.hashicorptest.com/client/register"
+
+  grant_types = [
+    "implicit",
+  ]
+
+  authorization_methods = [
+    "GET",
+  ]
 }
 
-resource "azurerm_resource_group" "test" {
-  name     = "acctestRG-%d"
-  location = "%s"
+resource "azurerm_api_management_api" "test" {
+  name                = "acctestapi-%d"
+  resource_group_name = azurerm_resource_group.test.name
+  api_management_name = azurerm_api_management.test.name
+  display_name        = "api1"
+  path                = "api1"
+  protocols           = ["https"]
+  revision            = "1"
+  version             = "v1"
+  oauth2_authorization {
+    authorization_server_name = azurerm_api_management_authorization_server.test.name
+    scope                     = "acctest"
+  }
+}
+`, template, data.RandomInteger, data.RandomInteger)
 }
 
-resource "azurerm_api_management" "test" {
-  name                = "acctestAM-%d"
-  location            = azurerm_resource_group.test.location
+func testAccAzureRMApiManagementApi_openidAuthentication(data acceptance.TestData) string {
+	template := testAccAzureRMApiManagementApi_template(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_api_management_openid_connect_provider" "test" {
+  name                = "acctest-%d"
+  api_management_name = azurerm_api_management.test.name
   resource_group_name = azurerm_resource_group.test.name
-  publisher_name      = "pub1"
-  publisher_email     = "[email protected]"
+  client_id           = "00001111-2222-3333-%d"
+  client_secret       = "%d-cwdavsxbacsaxZX-%d"
+  display_name        = "Initial Name"
+  metadata_endpoint   = "https://azacctest.hashicorptest.com/example/foo"
+}
 
-  sku_name = "Developer_1"
+resource "azurerm_api_management_api" "test" {
+  name                = "acctestapi-%d"
+  resource_group_name = azurerm_resource_group.test.name
+  api_management_name = azurerm_api_management.test.name
+  display_name        = "api1"
+  path                = "api1"
+  protocols           = ["https"]
+  revision            = "1"
+  version             = "v1"
+  openid_authentication {
+    openid_provider_name = azurerm_api_management_openid_connect_provider.test.name
+    bearer_token_sending_methods = [
+      "authorizationHeader",
+      "query",
+    ]
+  }
 }
-`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+`, template, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.RandomInteger)
 }
 
-// Remove in 2.0
-func testAccAzureRMApiManagementApi_templateClassic(data acceptance.TestData) string {
+func testAccAzureRMApiManagementApi_template(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}
@@ -616,7 +664,8 @@ resource "azurerm_api_management" "test" {
   resource_group_name = azurerm_resource_group.test.name
   publisher_name      = "pub1"
   publisher_email     = "[email protected]"
-  sku_name            = "Developer_1"
+
+  sku_name = "Developer_1"
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }