udpate acc test for managed hsm key

hashicorp · Nov 1, 2024 · 3f24aa5 · 3f24aa5
1 parent 688b85b
commit 3f24aa5
Showing 1 changed file with 273 additions and 40 deletions.
diff --git a/internal/services/databricks/databricks_workspace_resource_test.go b/internal/services/databricks/databricks_workspace_resource_test.go
@@ -385,6 +385,53 @@ func TestAccDatabricksWorkspace_altSubscriptionCmkServicesOnly(t *testing.T) {
 	})
 }
 
+func TestAccDatabricksWorkspace_CmkManagedHSMServicesOnly(t *testing.T) {
+	acceptance.RunTestsInSequence(t, map[string]map[string]func(t *testing.T){
+		"managed_hsm": {
+			"current_subscription": testAccDatabricksWorkspace_CmkManagedHSMServicesOnly,
+			"alt_subscription":     testAccDatabricksWorkspace_CmkManagedHSMServicesOnlyAltSubscription,
+		},
+	})
+}
+
+func testAccDatabricksWorkspace_CmkManagedHSMServicesOnly(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_databricks_workspace", "test")
+	databricksPrincipalID := getDatabricksPrincipalId(data.Client().SubscriptionID)
+	r := DatabricksWorkspaceResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.altSubscriptionCmkHSMServicesOnly(data, databricksPrincipalID, nil),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func testAccDatabricksWorkspace_CmkManagedHSMServicesOnlyAltSubscription(t *testing.T) {
+	altSubscription := altSubscriptionCheck()
+
+	if altSubscription == nil {
+		t.Skip("Skipping: Test requires `ARM_SUBSCRIPTION_ID_ALT` and `ARM_TENANT_ID` environment variables to be specified")
+	}
+
+	data := acceptance.BuildTestData(t, "azurerm_databricks_workspace", "test")
+	databricksPrincipalID := getDatabricksPrincipalId(data.Client().SubscriptionID)
+	r := DatabricksWorkspaceResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.altSubscriptionCmkHSMServicesOnly(data, databricksPrincipalID, altSubscription),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccDatabricksWorkspace_altSubscriptionCmkDiskOnly(t *testing.T) {
 	altSubscription := altSubscriptionCheck()
 
@@ -2536,7 +2583,26 @@ resource "azurerm_key_vault_access_policy" "managedAlt" {
 `, data.RandomInteger, data.Locations.Secondary, data.RandomString, databricksPrincipalID, alt.tenant_id, alt.subscription_id)
 }
 
-func (DatabricksWorkspaceResource) altSubscriptionCmkServicesOnly(data acceptance.TestData, databricksPrincipalID string, alt *DatabricksWorkspaceAlternateSubscription) string {
+func (d DatabricksWorkspaceResource) cmkBaseTemplate(data acceptance.TestData, alt *DatabricksWorkspaceAlternateSubscription) string {
+	altConfig := ""
+	if alt != nil {
+		altConfig = fmt.Sprintf(`
+provider "azurerm-alt" {
+  features {}
+
+  tenant_id       = "%[2]s"
+  subscription_id = "%[3]s"
+}
+
+resource "azurerm_resource_group" "alt" {
+  provider = azurerm-alt
+
+  name     = "acctestRG-databricks-alt-sub-services-%[1]d"
+  location = "West Europe"
+}
+`, data.RandomInteger, alt.tenant_id, alt.subscription_id)
+	}
+
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {
@@ -2546,52 +2612,29 @@ provider "azurerm" {
   }
 }
 
-provider "azurerm-alt" {
-  features {}
-
-  tenant_id       = "%[5]s"
-  subscription_id = "%[6]s"
-}
-
 data "azurerm_client_config" "current" {}
 
 resource "azurerm_resource_group" "test" {
   name     = "acctestRG-databricks-pri-sub-services-%[1]d"
   location = "West Europe"
 }
 
-resource "azurerm_resource_group" "keyVault" {
-  provider = azurerm-alt
-
-  name     = "acctestRG-databricks-alt-sub-services-%[1]d"
-  location = "West Europe"
+%s
+`, data.RandomInteger, altConfig)
 }
 
-resource "azurerm_databricks_workspace" "test" {
-  depends_on = [azurerm_key_vault_access_policy.managed]
-
-  name                        = "acctest-databricks-pri-sub-%[1]d"
-  resource_group_name         = azurerm_resource_group.test.name
-  location                    = azurerm_resource_group.test.location
-  sku                         = "premium"
-  managed_resource_group_name = "databricks-pri-sub-managed-rg-%[1]d"
-
-  managed_services_cmk_key_vault_id     = azurerm_key_vault.keyVault.id
-  managed_services_cmk_key_vault_key_id = azurerm_key_vault_key.services.id
+func (d DatabricksWorkspaceResource) altSubscriptionCmkKeyVaultTemplate(data acceptance.TestData, databricksPrincipalID string, alt *DatabricksWorkspaceAlternateSubscription) string {
+	return fmt.Sprintf(`
+%[1]s
 
-  tags = {
-    Environment = "Sandbox"
-    Pricing     = "Premium"
-  }
-}
 
 # Create this in a different subscription...
 resource "azurerm_key_vault" "keyVault" {
   provider = azurerm-alt
 
-  name                = "kv-altsub-%[3]s"
-  location            = azurerm_resource_group.keyVault.location
-  resource_group_name = azurerm_resource_group.keyVault.name
+  name                = "kv-altsub-%[2]s"
+  location            = azurerm_resource_group.alt.location
+  resource_group_name = azurerm_resource_group.alt.name
   tenant_id           = data.azurerm_client_config.current.tenant_id
   sku_name            = "premium"
 
@@ -2628,12 +2671,6 @@ resource "azurerm_key_vault_access_policy" "terraform" {
     "Get",
     "List",
     "Create",
-    "Decrypt",
-    "Encrypt",
-    "Sign",
-    "UnwrapKey",
-    "Verify",
-    "WrapKey",
     "Delete",
     "Restore",
     "Recover",
@@ -2649,7 +2686,7 @@ resource "azurerm_key_vault_access_policy" "managed" {
 
   key_vault_id = azurerm_key_vault.keyVault.id
   tenant_id    = azurerm_key_vault.keyVault.tenant_id
-  object_id    = "%[4]s"
+  object_id    = "%[3]s"
 
   key_permissions = [
     "Get",
@@ -2659,7 +2696,203 @@ resource "azurerm_key_vault_access_policy" "managed" {
     "SetRotationPolicy",
   ]
 }
-`, data.RandomInteger, data.Locations.Secondary, data.RandomString, databricksPrincipalID, alt.tenant_id, alt.subscription_id)
+`, d.cmkBaseTemplate(data, alt), data.RandomString, databricksPrincipalID)
+}
+
+func (d DatabricksWorkspaceResource) cmkManagedHSMTemplate(data acceptance.TestData, databricksPrincipalID string, alt *DatabricksWorkspaceAlternateSubscription) string {
+	alt_provider := ""
+	rg_name := "test"
+	if alt != nil {
+		alt_provider = "provider = azurerm-alt"
+		rg_name = "alt"
+	}
+
+	return fmt.Sprintf(`
+%[1]s
+
+
+resource "azurerm_key_vault" "test" {
+  %[2]s
+  name                       = "acckv%[3]d"
+  location                   = azurerm_resource_group.%[6]s.location
+  resource_group_name        = azurerm_resource_group.%[6]s.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = "standard"
+  soft_delete_retention_days = 7
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+    key_permissions = [
+      "Create",
+      "Delete",
+      "Get",
+      "Purge",
+      "Recover",
+      "Update",
+      "GetRotationPolicy",
+    ]
+    secret_permissions = [
+      "Delete",
+      "Get",
+      "Set",
+    ]
+    certificate_permissions = [
+      "Create",
+      "Delete",
+      "DeleteIssuers",
+      "Get",
+      "Purge",
+      "Update"
+    ]
+  }
+  tags = {
+    environment = "Production"
+  }
+}
+resource "azurerm_key_vault_certificate" "cert" {
+  %[2]s
+  count        = 3
+  name         = "acchsmcert${count.index}"
+  key_vault_id = azurerm_key_vault.test.id
+  certificate_policy {
+    issuer_parameters {
+      name = "Self"
+    }
+    key_properties {
+      exportable = true
+      key_size   = 2048
+      key_type   = "RSA"
+      reuse_key  = true
+    }
+    lifetime_action {
+      action {
+        action_type = "AutoRenew"
+      }
+      trigger {
+        days_before_expiry = 30
+      }
+    }
+    secret_properties {
+      content_type = "application/x-pkcs12"
+    }
+    x509_certificate_properties {
+      extended_key_usage = []
+      key_usage = [
+        "cRLSign",
+        "dataEncipherment",
+        "digitalSignature",
+        "keyAgreement",
+        "keyCertSign",
+        "keyEncipherment",
+      ]
+      subject            = "CN=hello-world"
+      validity_in_months = 12
+    }
+  }
+}
+resource "azurerm_key_vault_managed_hardware_security_module" "test" {
+  %[2]s
+  name                     = "kvHsm%[3]d"
+  resource_group_name      = azurerm_resource_group.%[6]s.name
+  location                 = azurerm_resource_group.%[6]s.location
+  sku_name                 = "Standard_B1"
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  admin_object_ids         = [data.azurerm_client_config.current.object_id]
+  purge_protection_enabled = false
+
+  security_domain_key_vault_certificate_ids = [for cert in azurerm_key_vault_certificate.cert : cert.id]
+  security_domain_quorum                    = 3
+}
+
+resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "cryptor" {
+  %[2]s
+  managed_hsm_id     = azurerm_key_vault_managed_hardware_security_module.test.id
+  name               = "1e243909-064c-6ac3-84e9-1c8bf8d6ad22"
+  scope              = "/keys"
+  role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b"
+  principal_id       = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "officer" {
+  %[2]s
+  managed_hsm_id     = azurerm_key_vault_managed_hardware_security_module.test.id
+  name               = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23"
+  scope              = "/keys"
+  role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778"
+  principal_id       = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "db" {
+  %[2]s
+  managed_hsm_id     = azurerm_key_vault_managed_hardware_security_module.test.id
+  name               = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23"
+  scope              = "/keys"
+  role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778"
+  principal_id       = "%[5]s"
+}
+
+resource "azurerm_key_vault_managed_hardware_security_module_key" "services" {
+  %[2]s
+  name           = "acctestHSMK-%[4]s"
+  managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id
+  key_type       = "EC-HSM"
+  curve          = "P-521"
+  key_opts       = ["sign"]
+
+  depends_on = [
+    azurerm_key_vault_managed_hardware_security_module_role_assignment.officer,
+    azurerm_key_vault_managed_hardware_security_module_role_assignment.cryptor,
+    azurerm_key_vault_managed_hardware_security_module_role_assignment.db
+  ]
+}
+`, d.cmkBaseTemplate(data, alt), alt_provider, data.RandomInteger, data.RandomString, databricksPrincipalID, rg_name)
+}
+
+func (d DatabricksWorkspaceResource) altSubscriptionCmkServicesOnly(data acceptance.TestData, databricksPrincipalID string, alt *DatabricksWorkspaceAlternateSubscription) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_databricks_workspace" "test" {
+  depends_on = [azurerm_key_vault_access_policy.managed]
+
+  name                        = "acctest-databricks-pri-sub-%[2]d"
+  resource_group_name         = azurerm_resource_group.test.name
+  location                    = azurerm_resource_group.test.location
+  sku                         = "premium"
+  managed_resource_group_name = "databricks-pri-sub-managed-rg-%[2]d"
+
+  // managed_services_cmk_key_vault_id     = azurerm_key_vault.keyVault.id
+  managed_services_cmk_key_vault_key_id = azurerm_key_vault_key.services.id
+
+  tags = {
+    Environment = "Sandbox"
+    Pricing     = "Premium"
+  }
+}
+`, d.altSubscriptionCmkKeyVaultTemplate(data, databricksPrincipalID, alt), data.RandomInteger)
+}
+
+func (d DatabricksWorkspaceResource) altSubscriptionCmkHSMServicesOnly(data acceptance.TestData, databricksPrincipalID string, alt *DatabricksWorkspaceAlternateSubscription) string {
+	return fmt.Sprintf(`
+
+%[1]s
+
+resource "azurerm_databricks_workspace" "test" {
+  name                        = "acctest-databricks-pri-sub-%[2]d"
+  resource_group_name         = azurerm_resource_group.test.name
+  location                    = azurerm_resource_group.test.location
+  sku                         = "premium"
+  managed_resource_group_name = "databricks-pri-sub-managed-rg-%[2]d"
+
+  managed_services_cmk_managed_hsm_key_id = azurerm_key_vault_managed_hardware_security_module_key.services.id
+
+  tags = {
+    Environment = "Sandbox"
+    Pricing     = "Premium"
+  }
+}
+
+`, d.cmkManagedHSMTemplate(data, databricksPrincipalID, alt), data.RandomInteger)
 }
 
 func (DatabricksWorkspaceResource) altSubscriptionCmkDiskOnly(data acceptance.TestData, databricksPrincipalID string, alt *DatabricksWorkspaceAlternateSubscription) string {