terraform/builtin/providers/azurerm/resource_arm_storage_accoun...

455 lines
13 KiB
Go

package azurerm
import (
"fmt"
"log"
"net/http"
"regexp"
"strings"
"time"
"github.com/Azure/azure-sdk-for-go/arm/storage"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/terraform/helper/validation"
)
// The KeySource of storage.Encryption appears to require this value
// for Encryption services to work
var storageAccountEncryptionSource = "Microsoft.Storage"
const blobStorageAccountDefaultAccessTier = "Hot"
func resourceArmStorageAccount() *schema.Resource {
return &schema.Resource{
Create: resourceArmStorageAccountCreate,
Read: resourceArmStorageAccountRead,
Update: resourceArmStorageAccountUpdate,
Delete: resourceArmStorageAccountDelete,
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validateArmStorageAccountName,
},
"resource_group_name": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
DiffSuppressFunc: resourceAzurermResourceGroupNameDiffSuppress,
},
"location": locationSchema(),
"account_kind": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ValidateFunc: validation.StringInSlice([]string{
string(storage.Storage),
string(storage.BlobStorage),
}, true),
Default: string(storage.Storage),
},
"account_type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateArmStorageAccountType,
},
// Only valid for BlobStorage accounts, defaults to "Hot" in create function
"access_tier": {
Type: schema.TypeString,
Optional: true,
Computed: true,
ValidateFunc: validation.StringInSlice([]string{
string(storage.Cool),
string(storage.Hot),
}, true),
},
"enable_blob_encryption": {
Type: schema.TypeBool,
Optional: true,
},
"primary_location": {
Type: schema.TypeString,
Computed: true,
},
"secondary_location": {
Type: schema.TypeString,
Computed: true,
},
"primary_blob_endpoint": {
Type: schema.TypeString,
Computed: true,
},
"secondary_blob_endpoint": {
Type: schema.TypeString,
Computed: true,
},
"primary_queue_endpoint": {
Type: schema.TypeString,
Computed: true,
},
"secondary_queue_endpoint": {
Type: schema.TypeString,
Computed: true,
},
"primary_table_endpoint": {
Type: schema.TypeString,
Computed: true,
},
"secondary_table_endpoint": {
Type: schema.TypeString,
Computed: true,
},
// NOTE: The API does not appear to expose a secondary file endpoint
"primary_file_endpoint": {
Type: schema.TypeString,
Computed: true,
},
"primary_access_key": {
Type: schema.TypeString,
Computed: true,
},
"secondary_access_key": {
Type: schema.TypeString,
Computed: true,
},
"tags": tagsSchema(),
},
}
}
func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient)
storageClient := client.storageServiceClient
resourceGroupName := d.Get("resource_group_name").(string)
storageAccountName := d.Get("name").(string)
accountKind := d.Get("account_kind").(string)
accountType := d.Get("account_type").(string)
location := d.Get("location").(string)
tags := d.Get("tags").(map[string]interface{})
enableBlobEncryption := d.Get("enable_blob_encryption").(bool)
sku := storage.Sku{
Name: storage.SkuName(accountType),
}
opts := storage.AccountCreateParameters{
Location: &location,
Sku: &sku,
Tags: expandTags(tags),
Kind: storage.Kind(accountKind),
AccountPropertiesCreateParameters: &storage.AccountPropertiesCreateParameters{
Encryption: &storage.Encryption{
Services: &storage.EncryptionServices{
Blob: &storage.EncryptionService{
Enabled: &enableBlobEncryption,
},
},
KeySource: &storageAccountEncryptionSource,
},
},
}
// AccessTier is only valid for BlobStorage accounts
if accountKind == string(storage.BlobStorage) {
accessTier, ok := d.GetOk("access_tier")
if !ok {
// default to "Hot"
accessTier = blobStorageAccountDefaultAccessTier
}
opts.AccountPropertiesCreateParameters.AccessTier = storage.AccessTier(accessTier.(string))
}
// Create
_, createErr := storageClient.Create(
resourceGroupName, storageAccountName, opts, make(chan struct{}))
// The only way to get the ID back apparently is to read the resource again
read, err := storageClient.GetProperties(resourceGroupName, storageAccountName)
// Set the ID right away if we have one
if err == nil && read.ID != nil {
log.Printf("[INFO] storage account %q ID: %q", storageAccountName, *read.ID)
d.SetId(*read.ID)
}
// If we had a create error earlier then we return with that error now.
// We do this later here so that we can grab the ID above is possible.
if createErr != nil {
return fmt.Errorf(
"Error creating Azure Storage Account '%s': %s",
storageAccountName, createErr)
}
// Check the read error now that we know it would exist without a create err
if err != nil {
return err
}
// If we got no ID then the resource group doesn't yet exist
if read.ID == nil {
return fmt.Errorf("Cannot read Storage Account %s (resource group %s) ID",
storageAccountName, resourceGroupName)
}
log.Printf("[DEBUG] Waiting for Storage Account (%s) to become available", storageAccountName)
stateConf := &resource.StateChangeConf{
Pending: []string{"Updating", "Creating"},
Target: []string{"Succeeded"},
Refresh: storageAccountStateRefreshFunc(client, resourceGroupName, storageAccountName),
Timeout: 30 * time.Minute,
MinTimeout: 15 * time.Second,
}
if _, err := stateConf.WaitForState(); err != nil {
return fmt.Errorf("Error waiting for Storage Account (%s) to become available: %s", storageAccountName, err)
}
return resourceArmStorageAccountRead(d, meta)
}
// resourceArmStorageAccountUpdate is unusual in the ARM API where most resources have a combined
// and idempotent operation for CreateOrUpdate. In particular updating all of the parameters
// available requires a call to Update per parameter...
func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).storageServiceClient
id, err := parseAzureResourceID(d.Id())
if err != nil {
return err
}
storageAccountName := id.Path["storageAccounts"]
resourceGroupName := id.ResourceGroup
d.Partial(true)
if d.HasChange("account_type") {
accountType := d.Get("account_type").(string)
sku := storage.Sku{
Name: storage.SkuName(accountType),
}
opts := storage.AccountUpdateParameters{
Sku: &sku,
}
_, err := client.Update(resourceGroupName, storageAccountName, opts)
if err != nil {
return fmt.Errorf("Error updating Azure Storage Account type %q: %s", storageAccountName, err)
}
d.SetPartial("account_type")
}
if d.HasChange("access_tier") {
accessTier := d.Get("access_tier").(string)
opts := storage.AccountUpdateParameters{
AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{
AccessTier: storage.AccessTier(accessTier),
},
}
_, err := client.Update(resourceGroupName, storageAccountName, opts)
if err != nil {
return fmt.Errorf("Error updating Azure Storage Account access_tier %q: %s", storageAccountName, err)
}
d.SetPartial("access_tier")
}
if d.HasChange("tags") {
tags := d.Get("tags").(map[string]interface{})
opts := storage.AccountUpdateParameters{
Tags: expandTags(tags),
}
_, err := client.Update(resourceGroupName, storageAccountName, opts)
if err != nil {
return fmt.Errorf("Error updating Azure Storage Account tags %q: %s", storageAccountName, err)
}
d.SetPartial("tags")
}
if d.HasChange("enable_blob_encryption") {
enableBlobEncryption := d.Get("enable_blob_encryption").(bool)
opts := storage.AccountUpdateParameters{
AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{
Encryption: &storage.Encryption{
Services: &storage.EncryptionServices{
Blob: &storage.EncryptionService{
Enabled: &enableBlobEncryption,
},
},
KeySource: &storageAccountEncryptionSource,
},
},
}
_, err := client.Update(resourceGroupName, storageAccountName, opts)
if err != nil {
return fmt.Errorf("Error updating Azure Storage Account enable_blob_encryption %q: %s", storageAccountName, err)
}
d.SetPartial("enable_blob_encryption")
}
d.Partial(false)
return nil
}
func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).storageServiceClient
id, err := parseAzureResourceID(d.Id())
if err != nil {
return err
}
name := id.Path["storageAccounts"]
resGroup := id.ResourceGroup
resp, err := client.GetProperties(resGroup, name)
if err != nil {
if resp.StatusCode == http.StatusNotFound {
d.SetId("")
return nil
}
return fmt.Errorf("Error reading the state of AzureRM Storage Account %q: %s", name, err)
}
keys, err := client.ListKeys(resGroup, name)
if err != nil {
return err
}
accessKeys := *keys.Keys
d.Set("resource_group_name", resGroup)
d.Set("primary_access_key", accessKeys[0].Value)
d.Set("secondary_access_key", accessKeys[1].Value)
d.Set("location", resp.Location)
d.Set("account_kind", resp.Kind)
d.Set("account_type", resp.Sku.Name)
d.Set("primary_location", resp.AccountProperties.PrimaryLocation)
d.Set("secondary_location", resp.AccountProperties.SecondaryLocation)
if resp.AccountProperties.AccessTier != "" {
d.Set("access_tier", resp.AccountProperties.AccessTier)
}
if resp.AccountProperties.PrimaryEndpoints != nil {
d.Set("primary_blob_endpoint", resp.AccountProperties.PrimaryEndpoints.Blob)
d.Set("primary_queue_endpoint", resp.AccountProperties.PrimaryEndpoints.Queue)
d.Set("primary_table_endpoint", resp.AccountProperties.PrimaryEndpoints.Table)
d.Set("primary_file_endpoint", resp.AccountProperties.PrimaryEndpoints.File)
}
if resp.AccountProperties.SecondaryEndpoints != nil {
if resp.AccountProperties.SecondaryEndpoints.Blob != nil {
d.Set("secondary_blob_endpoint", resp.AccountProperties.SecondaryEndpoints.Blob)
} else {
d.Set("secondary_blob_endpoint", "")
}
if resp.AccountProperties.SecondaryEndpoints.Queue != nil {
d.Set("secondary_queue_endpoint", resp.AccountProperties.SecondaryEndpoints.Queue)
} else {
d.Set("secondary_queue_endpoint", "")
}
if resp.AccountProperties.SecondaryEndpoints.Table != nil {
d.Set("secondary_table_endpoint", resp.AccountProperties.SecondaryEndpoints.Table)
} else {
d.Set("secondary_table_endpoint", "")
}
}
if resp.AccountProperties.Encryption != nil {
if resp.AccountProperties.Encryption.Services.Blob != nil {
d.Set("enable_blob_encryption", resp.AccountProperties.Encryption.Services.Blob.Enabled)
}
}
d.Set("name", resp.Name)
flattenAndSetTags(d, resp.Tags)
return nil
}
func resourceArmStorageAccountDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).storageServiceClient
id, err := parseAzureResourceID(d.Id())
if err != nil {
return err
}
name := id.Path["storageAccounts"]
resGroup := id.ResourceGroup
_, err = client.Delete(resGroup, name)
if err != nil {
return fmt.Errorf("Error issuing AzureRM delete request for storage account %q: %s", name, err)
}
return nil
}
func validateArmStorageAccountName(v interface{}, k string) (ws []string, es []error) {
input := v.(string)
if !regexp.MustCompile(`\A([a-z0-9]{3,24})\z`).MatchString(input) {
es = append(es, fmt.Errorf("name can only consist of lowercase letters and numbers, and must be between 3 and 24 characters long"))
}
return
}
func validateArmStorageAccountType(v interface{}, k string) (ws []string, es []error) {
validAccountTypes := []string{"standard_lrs", "standard_zrs",
"standard_grs", "standard_ragrs", "premium_lrs"}
input := strings.ToLower(v.(string))
for _, valid := range validAccountTypes {
if valid == input {
return
}
}
es = append(es, fmt.Errorf("Invalid storage account type %q", input))
return
}
func storageAccountStateRefreshFunc(client *ArmClient, resourceGroupName string, storageAccountName string) resource.StateRefreshFunc {
return func() (interface{}, string, error) {
res, err := client.storageServiceClient.GetProperties(resourceGroupName, storageAccountName)
if err != nil {
return nil, "", fmt.Errorf("Error issuing read request in storageAccountStateRefreshFunc to Azure ARM for Storage Account '%s' (RG: '%s'): %s", storageAccountName, resourceGroupName, err)
}
return res, string(res.AccountProperties.ProvisioningState), nil
}
}