azurerm_logic_app_standard - support for the key_vault_reference_identity_id proerty

internal/services/logic/logic_app_standard_resource.go

@@ -33,30 +33,31 @@ import (
 type LogicAppResource struct{}
 
 type LogicAppResourceModel struct {
-	Name                       string                                     `tfschema:"name"`
-	ResourceGroupName          string                                     `tfschema:"resource_group_name"`
-	Location                   string                                     `tfschema:"location"`
-	AppServicePlanId           string                                     `tfschema:"app_service_plan_id"`
-	AppSettings                map[string]string                          `tfschema:"app_settings"`
-	UseExtensionBundle         bool                                       `tfschema:"use_extension_bundle"`
-	BundleVersion              string                                     `tfschema:"bundle_version"`
-	ClientAffinityEnabled      bool                                       `tfschema:"client_affinity_enabled"`
-	ClientCertificateMode      string                                     `tfschema:"client_certificate_mode"`
-	Enabled                    bool                                       `tfschema:"enabled"`
-	FtpPublishBasicAuthEnabled bool                                       `tfschema:"ftp_publish_basic_authentication_enabled"`
-	HTTPSOnly                  bool                                       `tfschema:"https_only"`
-	Identity                   []identity.ModelSystemAssignedUserAssigned `tfschema:"identity"`
-	SCMPublishBasicAuthEnabled bool                                       `tfschema:"scm_publish_basic_authentication_enabled"`
-	SiteConfig                 []helpers.LogicAppSiteConfig               `tfschema:"site_config"`
-	ConnectionStrings          []helpers.ConnectionString                 `tfschema:"connection_string"`
-	StorageAccountName         string                                     `tfschema:"storage_account_name"`
-	StorageAccountAccessKey    string                                     `tfschema:"storage_account_access_key"`
-	PublicNetworkAccess        string                                     `tfschema:"public_network_access"`
-	StorageAccountShareName    string                                     `tfschema:"storage_account_share_name"`
-	Version                    string                                     `tfschema:"version"`
-	VNETContentShareEnabled    bool                                       `tfschema:"vnet_content_share_enabled"`
-	VirtualNetworkSubnetId     string                                     `tfschema:"virtual_network_subnet_id"`
-	Tags                       map[string]string                          `tfschema:"tags"`
+	Name                        string                                     `tfschema:"name"`
+	ResourceGroupName           string                                     `tfschema:"resource_group_name"`
+	Location                    string                                     `tfschema:"location"`
+	AppServicePlanId            string                                     `tfschema:"app_service_plan_id"`
+	AppSettings                 map[string]string                          `tfschema:"app_settings"`
+	UseExtensionBundle          bool                                       `tfschema:"use_extension_bundle"`
+	BundleVersion               string                                     `tfschema:"bundle_version"`
+	ClientAffinityEnabled       bool                                       `tfschema:"client_affinity_enabled"`
+	ClientCertificateMode       string                                     `tfschema:"client_certificate_mode"`
+	Enabled                     bool                                       `tfschema:"enabled"`
+	FtpPublishBasicAuthEnabled  bool                                       `tfschema:"ftp_publish_basic_authentication_enabled"`
+	HTTPSOnly                   bool                                       `tfschema:"https_only"`
+	Identity                    []identity.ModelSystemAssignedUserAssigned `tfschema:"identity"`
+	KeyvaultReferenceIdentityId string                                     `tfschema:"key_vault_reference_identity_id"`
+	SCMPublishBasicAuthEnabled  bool                                       `tfschema:"scm_publish_basic_authentication_enabled"`
+	SiteConfig                  []helpers.LogicAppSiteConfig               `tfschema:"site_config"`
+	ConnectionStrings           []helpers.ConnectionString                 `tfschema:"connection_string"`
+	StorageAccountName          string                                     `tfschema:"storage_account_name"`
+	StorageAccountAccessKey     string                                     `tfschema:"storage_account_access_key"`
+	PublicNetworkAccess         string                                     `tfschema:"public_network_access"`
+	StorageAccountShareName     string                                     `tfschema:"storage_account_share_name"`
+	Version                     string                                     `tfschema:"version"`
+	VNETContentShareEnabled     bool                                       `tfschema:"vnet_content_share_enabled"`
+	VirtualNetworkSubnetId      string                                     `tfschema:"virtual_network_subnet_id"`
+	Tags                        map[string]string                          `tfschema:"tags"`
 
 	CustomDomainVerificationId  string                           `tfschema:"custom_domain_verification_id"`
 	DefaultHostname             string                           `tfschema:"default_hostname"`
@@ -212,6 +213,18 @@ func (r LogicAppResource) Arguments() map[string]*pluginsdk.Schema {
 			ValidateFunc: validation.NoZeroValues,
 		},
 
+		// Once this property is set, it can not be removed.
+		// tracked on https://github.com/Azure/azure-rest-api-specs/issues/37553
+		"key_vault_reference_identity_id": {
+			Type:     pluginsdk.TypeString,
+			Optional: true,
+			Computed: true, // When the `identity` is specified as `SystemAssigned`, the service will add `SystemAssigned` to this `key_vault_reference_identity_id` property.
+			ValidateFunc: validation.Any(
+				commonids.ValidateUserAssignedIdentityID,
+				validation.StringInSlice([]string{"SystemAssigned"}, false),
+			),
+		},
+
 		"public_network_access": {
 			Type:     pluginsdk.TypeString,
 			Optional: true,
@@ -478,6 +491,10 @@ func (r LogicAppResource) Create() sdk.ResourceFunc {
 				siteEnvelope.Properties.VirtualNetworkSubnetId = pointer.To(data.VirtualNetworkSubnetId)
 			}
 
+			if data.KeyvaultReferenceIdentityId != "" {
+				siteEnvelope.Properties.KeyVaultReferenceIdentity = pointer.To(data.KeyvaultReferenceIdentityId)
+			}
+
 			if err = client.CreateOrUpdateThenPoll(ctx, id, siteEnvelope); err != nil {
 				return fmt.Errorf("creating %s: %+v", id, err)
 			}
@@ -570,6 +587,7 @@ func (r LogicAppResource) Read() sdk.ResourceFunc {
 					state.VirtualNetworkSubnetId = pointer.From(props.VirtualNetworkSubnetId)
 					state.VNETContentShareEnabled = pointer.From(props.VnetContentShareEnabled)
 					state.PublicNetworkAccess = pointer.From(props.PublicNetworkAccess)
+					state.KeyvaultReferenceIdentityId = pointer.From(props.KeyVaultReferenceIdentity)
 					// Note this is a bug - the Service defaults to `Required` regardless of the Enabled value
 					if !features.FivePointOh() {
 						if pointer.From(props.ClientCertEnabled) {
@@ -840,6 +858,10 @@ func (r LogicAppResource) Update() sdk.ResourceFunc {
 				existing.Model.Identity = expandedIdentity
 			}
 
+			if metadata.ResourceData.HasChange("key_vault_reference_identity_id") {
+				siteEnvelope.KeyVaultReferenceIdentity = pointer.To(data.KeyvaultReferenceIdentityId)
+			}
+
 			existing.Model.Properties = pointer.To(siteEnvelope)
 
 			if metadata.ResourceData.HasChange("tags") {

internal/services/logic/logic_app_standard_resource_test.go

@@ -1111,6 +1111,40 @@ func TestAccLogicAppStandard_vnetContentShareEnabled(t *testing.T) {
 	})
 }
 
+func TestAccLogicAppStandard_keyVaultReferenceIdentity(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_logic_app_standard", "test")
+	r := LogicAppStandardResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.basicIdentity(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("key_vault_reference_identity_id").HasValue("SystemAssigned"),
+			),
+		},
+		data.ImportStep(),
+		{
+			// Once the `key_vault_reference_identity_id` is set, it can not be reset
+			// Even if the SystemAssigned identity is removed, the property can not be reset till a new value is set.
+			Config: r.userAssignedIdentity(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("key_vault_reference_identity_id").HasValue("SystemAssigned"),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.keyVaultReferenceIdentity(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("key_vault_reference_identity_id").IsNotEmpty(),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (r LogicAppStandardResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := commonids.ParseLogicAppId(state.ID)
 	if err != nil {
@@ -2653,3 +2687,31 @@ resource "azurerm_logic_app_standard" "test" {
 }
 `, r.template(data), data.RandomInteger, enabled)
 }
+
+func (r LogicAppStandardResource) keyVaultReferenceIdentity(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_user_assigned_identity" "kv" {
+  name                = "acctest-kv-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+}
+
+resource "azurerm_logic_app_standard" "test" {
+  name                       = "acctest-%[2]d-func"
+  location                   = azurerm_resource_group.test.location
+  resource_group_name        = azurerm_resource_group.test.name
+  app_service_plan_id        = azurerm_app_service_plan.test.id
+  storage_account_name       = azurerm_storage_account.test.name
+  storage_account_access_key = azurerm_storage_account.test.primary_access_key
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.kv.id]
+  }
+
+  key_vault_reference_identity_id = azurerm_user_assigned_identity.kv.id
+}
+`, r.template(data), data.RandomInteger)
+}

website/docs/r/logic_app_standard.html.markdown

@@ -141,6 +141,8 @@ The following arguments are supported:
 
 * `identity` - (Optional) An `identity` block as defined below.
 
+* `key_vault_reference_identity_id` - (Optional) The User Assigned Identity ID used for accessing KeyVault secrets. The identity must be assigned to the Logic App in the `identity` block. [For more information see - Access vaults with a user-assigned identity](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references#access-vaults-with-a-user-assigned-identity)
+
 * `public_network_access` - (Optional) Whether Public Network Access should be enabled or not. Possible values are `Enabled` and `Disabled`. Defaults to `Enabled`.
 
 ~> **Note:** Setting this property will also set it in the Site Config.