Fix immutability_period_in_days validation

abicky · abicky · commit 13a5eb62f99f · 2025-02-02T14:01:17.000+09:00
This commit fixes #28660
diff --git a/internal/services/storage/storage_container_immutability_policy_resource.go b/internal/services/storage/storage_container_immutability_policy_resource.go
@@ -104,7 +104,7 @@ func (r StorageContainerImmutabilityPolicyResource) CustomizeDiff() sdk.Resource
 
 			if lockedOld.(bool) {
 				if diff.HasChange("immutability_period_in_days") {
-					if periodOld, periodNew := diff.GetChange("immutability_period_in_days"); periodOld.(int) < periodNew.(int) {
+					if periodOld, periodNew := diff.GetChange("immutability_period_in_days"); periodOld.(int) > periodNew.(int) {
 						return fmt.Errorf("`immutability_period_in_days` cannot be decreased once an immutability policy has been locked")
 					}
 				}
@@ -228,28 +228,37 @@ func (r StorageContainerImmutabilityPolicyResource) Update() sdk.ResourceFunc {
 				},
 			}
 
-			options := blobcontainers.CreateOrUpdateImmutabilityPolicyOperationOptions{
-				IfMatch: resp.Model.Etag,
-			}
-
-			updateResp, err := client.CreateOrUpdateImmutabilityPolicy(ctx, *containerId, input, options)
-			if err != nil {
-				return fmt.Errorf("updating %s: %+v", id, err)
-			}
-
-			// Lock the policy if requested - note that this is a one-way operation that prevents subsequent changes or
-			// deletion to the policy, the container it applies to, and the storage account where it resides.
-			if model.Locked {
-				if updateResp.Model == nil {
-					return fmt.Errorf("preparing to lock %s: model was nil", id)
+			if *resp.Model.Properties.State == blobcontainers.ImmutabilityPolicyStateLocked {
+				// Only extending the immutability policy is allowed when the policy is locked
+				options := blobcontainers.ExtendImmutabilityPolicyOperationOptions{
+					IfMatch: resp.Model.Etag,
 				}
-
-				lockOptions := blobcontainers.LockImmutabilityPolicyOperationOptions{
-					IfMatch: updateResp.Model.Etag,
+				if _, err := client.ExtendImmutabilityPolicy(ctx, *containerId, input, options); err != nil {
+					return fmt.Errorf("extending %s: %+v", id, err)
+				}
+			} else {
+				options := blobcontainers.CreateOrUpdateImmutabilityPolicyOperationOptions{
+					IfMatch: resp.Model.Etag,
+				}
+				updateResp, err := client.CreateOrUpdateImmutabilityPolicy(ctx, *containerId, input, options)
+				if err != nil {
+					return fmt.Errorf("updating %s: %+v", id, err)
 				}
 
-				if _, err = client.LockImmutabilityPolicy(ctx, *containerId, lockOptions); err != nil {
-					return fmt.Errorf("locking %s: %+v", id, err)
+				// Lock the policy if requested - note that this is a one-way operation that prevents subsequent changes or
+				// deletion to the policy, the container it applies to, and the storage account where it resides.
+				if model.Locked {
+					if updateResp.Model == nil {
+						return fmt.Errorf("preparing to lock %s: model was nil", id)
+					}
+
+					lockOptions := blobcontainers.LockImmutabilityPolicyOperationOptions{
+						IfMatch: updateResp.Model.Etag,
+					}
+
+					if _, err = client.LockImmutabilityPolicy(ctx, *containerId, lockOptions); err != nil {
+						return fmt.Errorf("locking %s: %+v", id, err)
+					}
 				}
 			}
 
diff --git a/internal/services/storage/storage_container_immutability_policy_resource_test.go b/internal/services/storage/storage_container_immutability_policy_resource_test.go
@@ -99,7 +99,7 @@ func TestAccStorageContainerImmutabilityPolicy_completeLocked(t *testing.T) {
 		},
 		data.ImportStep(),
 		{
-			Config: r.completeLocked(data),
+			Config: r.completeLocked(data, 2),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
@@ -109,6 +109,17 @@ func TestAccStorageContainerImmutabilityPolicy_completeLocked(t *testing.T) {
 			Config:      r.basic(data),
 			ExpectError: regexp.MustCompile("unable to set `locked = false` - once an immutability policy locked it cannot be unlocked"),
 		},
+		{
+			Config:      r.completeLocked(data, 1),
+			ExpectError: regexp.MustCompile("`immutability_period_in_days` cannot be decreased once an immutability policy has been locked"),
+		},
+		{
+			Config: r.completeLocked(data, 3),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
 	})
 }
 
@@ -154,20 +165,20 @@ resource "azurerm_storage_container_immutability_policy" "test" {
 `, template)
 }
 
-func (r StorageContainerImmutabilityPolicyResource) completeLocked(data acceptance.TestData) string {
+func (r StorageContainerImmutabilityPolicyResource) completeLocked(data acceptance.TestData, period uint) string {
 	template := r.template(data)
 	return fmt.Sprintf(`
 %[1]s
 
 resource "azurerm_storage_container_immutability_policy" "test" {
   storage_container_resource_manager_id = azurerm_storage_container.test.resource_manager_id
-  immutability_period_in_days           = 2
+  immutability_period_in_days           = %d
   protected_append_writes_all_enabled   = true
   protected_append_writes_enabled       = false
 
   locked = true
 }
-`, template)
+`, template, period)
 }
 
 func (r StorageContainerImmutabilityPolicyResource) template(data acceptance.TestData) string {
