Merge branch 'master' into Fix455NetworkSecurityRulesIssue

Stavrus · Mar 1, 2018 · dbc3b66 · dbc3b66
2 parents f63acf2 + e3fccc1
commit dbc3b66
Show file tree

Hide file tree

Showing 47 changed files with 2,841 additions and 349 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,15 +2,27 @@
 
 FEATURES:
 
-* `azurerm_container_group` - added `dns_name_label` and `FQDN` properties [GH-877]
-* `azurerm_servicebus_subscription` - added support for the `forward_to` property [GH-861]
-* `azurerm_storage_account` - adding support for `account_kind` being `StorageV2` [GH-851]
+* **New Data Source:** `azurerm_application_security_group` [GH-914]
+* **New Resource:** `azurerm_application_security_group` [GH-905]
+* **New Resource:** `azurerm_servicebus_topic_authorization_rule` [GH-736]
 
 BUG FIXES:
 
+* `azurerm_kubernetes_cluster` - an empty `linux_profile.ssh_key.keydata` no longer causes a crash [GH-903]
+* `azurerm_kubernetes_cluster` - the `linux_profile.admin_username` and `linux_profile.ssh_key.keydata` fields now force a new resource [GH-895]
 * `azurerm_virtual_machine_scale_set` - the `computer_name_prefix` field now forces a new resource [GH-871]
 * `azurerm_network_interface` - the `subnet_id` field is now case insensitive [GH-866]
 
+IMPROVEMENTS:
+
+* authentication: adding support for Managed Service Identity [GH-639]
+* `azurerm_container_group` - added `dns_name_label` and `FQDN` properties [GH-877]
+* `azurerm_network_interface` - support for attaching to Application Security Groups [GH-911]
+* `azurerm_network_security_group` - support for augmented security rules [GH-781]
+* `azurerm_servicebus_subscription` - added support for the `forward_to` property [GH-861]
+* `azurerm_storage_account` - adding support for `account_kind` being `StorageV2` [GH-851]
+* `azurerm_virtual_network_gateway_connection` - support for IPsec/IKE Policies [GH-834]
+
 ## 1.1.2 (February 19, 2018)
 
 FEATURES:

diff --git a/azurerm/config.go b/azurerm/config.go
@@ -133,23 +133,24 @@ type ArmClient struct {
 	monitorAlertRulesClient insights.AlertRulesClient
 
 	// Networking
-	applicationGatewayClient     network.ApplicationGatewaysClient
-	expressRouteCircuitClient    network.ExpressRouteCircuitsClient
-	ifaceClient                  network.InterfacesClient
-	loadBalancerClient           network.LoadBalancersClient
-	localNetConnClient           network.LocalNetworkGatewaysClient
-	publicIPClient               network.PublicIPAddressesClient
-	routesClient                 network.RoutesClient
-	routeTablesClient            network.RouteTablesClient
-	secGroupClient               network.SecurityGroupsClient
-	secRuleClient                network.SecurityRulesClient
-	subnetClient                 network.SubnetsClient
-	netUsageClient               network.UsagesClient
-	vnetGatewayConnectionsClient network.VirtualNetworkGatewayConnectionsClient
-	vnetGatewayClient            network.VirtualNetworkGatewaysClient
-	vnetClient                   network.VirtualNetworksClient
-	vnetPeeringsClient           network.VirtualNetworkPeeringsClient
-	watcherClient                network.WatchersClient
+	applicationGatewayClient        network.ApplicationGatewaysClient
+	applicationSecurityGroupsClient network.ApplicationSecurityGroupsClient
+	expressRouteCircuitClient       network.ExpressRouteCircuitsClient
+	ifaceClient                     network.InterfacesClient
+	loadBalancerClient              network.LoadBalancersClient
+	localNetConnClient              network.LocalNetworkGatewaysClient
+	publicIPClient                  network.PublicIPAddressesClient
+	routesClient                    network.RoutesClient
+	routeTablesClient               network.RouteTablesClient
+	secGroupClient                  network.SecurityGroupsClient
+	secRuleClient                   network.SecurityRulesClient
+	subnetClient                    network.SubnetsClient
+	netUsageClient                  network.UsagesClient
+	vnetGatewayConnectionsClient    network.VirtualNetworkGatewayConnectionsClient
+	vnetGatewayClient               network.VirtualNetworkGatewaysClient
+	vnetClient                      network.VirtualNetworksClient
+	vnetPeeringsClient              network.VirtualNetworkPeeringsClient
+	watcherClient                   network.WatchersClient
 
 	// Resources
 	managementLocksClient locks.ManagementLocksClient
@@ -246,6 +247,15 @@ func getAuthorizationToken(c *authentication.Config, oauthConfig *adal.OAuthConf
 		return auth, nil
 	}
 
+	if c.UseMsi {
+		spt, err := adal.NewServicePrincipalTokenFromMSI(c.MsiEndpoint, endpoint)
+		if err != nil {
+			return nil, err
+		}
+		auth := autorest.NewBearerAuthorizer(spt)
+		return auth, nil
+	}
+
 	if c.IsCloudShell {
 		// load the refreshed tokens from the Azure CLI
 		err := c.LoadTokensFromAzureCLI()
@@ -323,22 +333,15 @@ func getArmClient(c *authentication.Config) (*ArmClient, error) {
 		return keyVaultSpt, nil
 	})
 
-	csc := containerservice.NewContainerServicesClientWithBaseURI(endpoint, c.SubscriptionID)
-	setUserAgent(&csc.Client)
-	csc.Authorizer = auth
-	csc.Sender = sender
-	csc.SkipResourceProviderRegistration = c.SkipProviderRegistration
-	client.containerServicesClient = csc
-
 	client.registerAppInsightsClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerAutomationClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerAuthentication(endpoint, graphEndpoint, c.SubscriptionID, c.TenantID, auth, graphAuth, sender)
 	client.registerCDNClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerComputeClients(endpoint, c.SubscriptionID, auth, sender)
-	client.registerContainerServicesClients(endpoint, c.SubscriptionID, auth)
-	client.registerCosmosDBClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerContainerInstanceClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerContainerRegistryClients(endpoint, c.SubscriptionID, auth, sender)
+	client.registerContainerServicesClients(endpoint, c.SubscriptionID, auth)
+	client.registerCosmosDBClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerDatabases(endpoint, c.SubscriptionID, auth, sender)
 	client.registerDNSClients(endpoint, c.SubscriptionID, auth, sender)
 	client.registerEventGridClients(endpoint, c.SubscriptionID, auth, sender)
@@ -656,6 +659,10 @@ func (c *ArmClient) registerNetworkingClients(endpoint, subscriptionId string, a
 	c.configureClient(&applicationGatewaysClient.Client, auth)
 	c.applicationGatewayClient = applicationGatewaysClient
 
+	appSecurityGroupsClient := network.NewApplicationSecurityGroupsClientWithBaseURI(endpoint, subscriptionId)
+	c.configureClient(&appSecurityGroupsClient.Client, auth)
+	c.applicationSecurityGroupsClient = appSecurityGroupsClient
+
 	expressRouteCircuitsClient := network.NewExpressRouteCircuitsClientWithBaseURI(endpoint, subscriptionId)
 	c.configureClient(&expressRouteCircuitsClient.Client, auth)
 	c.expressRouteCircuitClient = expressRouteCircuitsClient

diff --git a/azurerm/data_source_application_security_group.go b/azurerm/data_source_application_security_group.go
@@ -0,0 +1,57 @@
+package azurerm
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func dataSourceArmApplicationSecurityGroup() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceArmApplicationSecurityGroupRead,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+
+			"location": locationForDataSourceSchema(),
+
+			"resource_group_name": resourceGroupNameForDataSourceSchema(),
+
+			"tags": tagsForDataSourceSchema(),
+		},
+	}
+}
+
+func dataSourceArmApplicationSecurityGroupRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).applicationSecurityGroupsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	resourceGroup := d.Get("resource_group_name").(string)
+	name := d.Get("name").(string)
+
+	resp, err := client.Get(ctx, resourceGroup, name)
+	if err != nil {
+		if utils.ResponseWasNotFound(resp.Response) {
+			d.SetId("")
+			return nil
+		}
+
+		return fmt.Errorf("Error making Read request on Application Security Group %q (Resource Group %q): %+v", name, resourceGroup, err)
+	}
+
+	d.SetId(*resp.ID)
+
+	d.Set("name", resp.Name)
+	d.Set("location", azureRMNormalizeLocation(*resp.Location))
+	d.Set("resource_group_name", resourceGroup)
+	flattenAndSetTags(d, resp.Tags)
+
+	return nil
+}
diff --git a/azurerm/data_source_application_security_group_test.go b/azurerm/data_source_application_security_group_test.go
@@ -0,0 +1,93 @@
+package azurerm
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceAzureRMApplicationSecurityGroup_basic(t *testing.T) {
+	dataSourceName := "data.azurerm_application_security_group.test"
+	ri := acctest.RandInt()
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceApplicationSecurityGroup_basic(ri, testLocation()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataSourceName, "location"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "name"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "resource_group_name"),
+					resource.TestCheckResourceAttr(dataSourceName, "tags.%", "0"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceAzureRMApplicationSecurityGroup_complete(t *testing.T) {
+	dataSourceName := "data.azurerm_application_security_group.test"
+	ri := acctest.RandInt()
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceApplicationSecurityGroup_complete(ri, testLocation()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataSourceName, "location"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "name"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "resource_group_name"),
+					resource.TestCheckResourceAttr(dataSourceName, "tags.%", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "tags.Hello", "World"),
+				),
+			},
+		},
+	})
+}
+
+func testAccDataSourceApplicationSecurityGroup_basic(rInt int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-%d"
+ location = "%s"
+}
+
+resource "azurerm_application_security_group" "test" {
+  name                = "acctest-%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+data "azurerm_application_security_group" "test" {
+  name = "${azurerm_application_security_group.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+`, rInt, location, rInt)
+}
+
+func testAccDataSourceApplicationSecurityGroup_complete(rInt int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-%d"
+ location = "%s"
+}
+
+resource "azurerm_application_security_group" "test" {
+  name                = "acctest-%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  tags {
+	"Hello" = "World"
+  }
+}
+
+data "azurerm_application_security_group" "test" {
+  name = "${azurerm_application_security_group.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+`, rInt, location, rInt)
+}
diff --git a/azurerm/data_source_network_security_group.go b/azurerm/data_source_network_security_group.go
@@ -105,7 +105,10 @@ func dataSourceArmNetworkSecurityGroupRead(d *schema.ResourceData, meta interfac
 	d.Set("location", azureRMNormalizeLocation(*resp.Location))
 
 	if props := resp.SecurityGroupPropertiesFormat; props != nil {
-		d.Set("security_rule", flattenNetworkSecurityRules(props.SecurityRules))
+		flattenedRules := flattenNetworkSecurityRules(props.SecurityRules)
+		if err := d.Set("security_rule", flattenedRules); err != nil {
+			return fmt.Errorf("Error flattening `security_rule`: %+v", err)
+		}
 	}
 
 	flattenAndSetTags(d, resp.Tags)

diff --git a/azurerm/helpers/authentication/config.go b/azurerm/helpers/authentication/config.go
@@ -28,6 +28,8 @@ type Config struct {
 	// Bearer Auth
 	AccessToken  *adal.Token
 	IsCloudShell bool
+	UseMsi       bool
+	MsiEndpoint  string
 }
 
 func (c *Config) LoadTokensFromAzureCLI() error {

diff --git a/azurerm/helpers/authentication/validation.go b/azurerm/helpers/authentication/validation.go
@@ -49,3 +49,22 @@ func (c *Config) ValidateServicePrincipal() error {
 
 	return err.ErrorOrNil()
 }
+
+func (c *Config) ValidateMsi() error {
+	var err *multierror.Error
+
+	if c.SubscriptionID == "" {
+		err = multierror.Append(err, fmt.Errorf("Subscription ID must be configured for the AzureRM provider"))
+	}
+	if c.TenantID == "" {
+		err = multierror.Append(err, fmt.Errorf("Tenant ID must be configured for the AzureRM provider"))
+	}
+	if c.Environment == "" {
+		err = multierror.Append(err, fmt.Errorf("Environment must be configured for the AzureRM provider"))
+	}
+	if c.MsiEndpoint == "" {
+		err = multierror.Append(err, fmt.Errorf("MSI endpoint must be configured for the AzureRM provider"))
+	}
+
+	return err.ErrorOrNil()
+}
diff --git a/azurerm/helpers/authentication/validation_test.go b/azurerm/helpers/authentication/validation_test.go
@@ -164,3 +164,75 @@ func TestAzureValidateServicePrincipal(t *testing.T) {
 		}
 	}
 }
+
+func TestAzureValidateMsi(t *testing.T) {
+	cases := []struct {
+		Description string
+		Config      Config
+		ExpectError bool
+	}{
+		{
+			Description: "Empty Configuration",
+			Config:      Config{},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing Subscription ID",
+			Config: Config{
+				MsiEndpoint: "http://localhost:50342/oauth2/token",
+				TenantID:    "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+				Environment: "public",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing Tenant ID",
+			Config: Config{
+				MsiEndpoint:    "http://localhost:50342/oauth2/token",
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				Environment:    "public",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing Environment",
+			Config: Config{
+				MsiEndpoint:    "http://localhost:50342/oauth2/token",
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				TenantID:       "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing MSI Endpoint",
+			Config: Config{
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				TenantID:       "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+				Environment:    "public",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Valid Configuration",
+			Config: Config{
+				MsiEndpoint:    "http://localhost:50342/oauth2/token",
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				TenantID:       "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+				Environment:    "public",
+			},
+			ExpectError: false,
+		},
+	}
+
+	for _, v := range cases {
+		err := v.Config.ValidateMsi()
+
+		if v.ExpectError && err == nil {
+			t.Fatalf("Expected an error for %q: didn't get one", v.Description)
+		}
+
+		if !v.ExpectError && err != nil {
+			t.Fatalf("Expected there to be no error for %q - but got: %v", v.Description, err)
+		}
+	}
+}