azurerm_storage_container_immutability_policy - Fix immutability_period_in_days validation #28661

Open
wants to merge 1 commit into
base: main
Expand Up @@ -104,7 +104,7 @@ func (r StorageContainerImmutabilityPolicyResource) CustomizeDiff() sdk.Resource

if lockedOld.(bool) {
if diff.HasChange("immutability_period_in_days") {
if periodOld, periodNew := diff.GetChange("immutability_period_in_days"); periodOld.(int) < periodNew.(int) {
if periodOld, periodNew := diff.GetChange("immutability_period_in_days"); periodOld.(int) > periodNew.(int) {
return fmt.Errorf("`immutability_period_in_days` cannot be decreased once an immutability policy has been locked")
}
}
Expand Down Expand Up @@ -228,28 +228,37 @@ func (r StorageContainerImmutabilityPolicyResource) Update() sdk.ResourceFunc {
},
}

options := blobcontainers.CreateOrUpdateImmutabilityPolicyOperationOptions{
IfMatch: resp.Model.Etag,
}

updateResp, err := client.CreateOrUpdateImmutabilityPolicy(ctx, *containerId, input, options)
if err != nil {
return fmt.Errorf("updating %s: %+v", id, err)
}

// Lock the policy if requested - note that this is a one-way operation that prevents subsequent changes or
// deletion to the policy, the container it applies to, and the storage account where it resides.
if model.Locked {
if updateResp.Model == nil {
return fmt.Errorf("preparing to lock %s: model was nil", id)
if *resp.Model.Properties.State == blobcontainers.ImmutabilityPolicyStateLocked {
Author

I've only added the condition for when the policy is locked, so you can more easily understand the changes on https://github.com/hashicorp/terraform-provider-azurerm/pull/28661/files?w=1.

// Only extending the immutability policy is allowed when the policy is locked
options := blobcontainers.ExtendImmutabilityPolicyOperationOptions{
IfMatch: resp.Model.Etag,
}

lockOptions := blobcontainers.LockImmutabilityPolicyOperationOptions{
IfMatch: updateResp.Model.Etag,
if _, err := client.ExtendImmutabilityPolicy(ctx, *containerId, input, options); err != nil {
return fmt.Errorf("extending %s: %+v", id, err)
}
} else {
options := blobcontainers.CreateOrUpdateImmutabilityPolicyOperationOptions{
IfMatch: resp.Model.Etag,
}
updateResp, err := client.CreateOrUpdateImmutabilityPolicy(ctx, *containerId, input, options)
if err != nil {
return fmt.Errorf("updating %s: %+v", id, err)
}

if _, err = client.LockImmutabilityPolicy(ctx, *containerId, lockOptions); err != nil {
return fmt.Errorf("locking %s: %+v", id, err)
// Lock the policy if requested - note that this is a one-way operation that prevents subsequent changes or
// deletion to the policy, the container it applies to, and the storage account where it resides.
if model.Locked {
if updateResp.Model == nil {
return fmt.Errorf("preparing to lock %s: model was nil", id)
}

lockOptions := blobcontainers.LockImmutabilityPolicyOperationOptions{
IfMatch: updateResp.Model.Etag,
}

if _, err = client.LockImmutabilityPolicy(ctx, *containerId, lockOptions); err != nil {
return fmt.Errorf("locking %s: %+v", id, err)
}
}
}

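Review bot: In the Update hunk, the new branch condition `*resp.Model.Properties.State == blobcontainers.ImmutabilityPolicyStateLocked` dereferences `Properties` and `State` without a nil check, so a response that omits either would panic the provider instead of returning an error. Update's body starts above the hunk, so any existing guard on `resp.Model` is not visible here; confirm it exists and extend it to cover all three pointers, e.g. `if resp.Model == nil || resp.Model.Properties == nil || resp.Model.Properties.State == nil { return fmt.Errorf("retrieving %s: immutability policy state was nil", id) }`. This condition selects between extending a locked policy and the create-or-update path that can end in the irreversible lock, so an unknown state should stop the update with an error rather than fall into either branch.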
Expand Up @@ -99,7 +99,7 @@ func TestAccStorageContainerImmutabilityPolicy_completeLocked(t *testing.T) {
},
data.ImportStep(),
{
Config: r.completeLocked(data),
Config: r.completeLocked(data, 2),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
Expand All @@ -109,6 +109,17 @@ func TestAccStorageContainerImmutabilityPolicy_completeLocked(t *testing.T) {
Config: r.basic(data),
ExpectError: regexp.MustCompile("unable to set `locked = false` - once an immutability policy locked it cannot be unlocked"),
},
{
Config: r.completeLocked(data, 1),
ExpectError: regexp.MustCompile("`immutability_period_in_days` cannot be decreased once an immutability policy has been locked"),
},
{
Config: r.completeLocked(data, 3),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
})
}

Expand Down Expand Up @@ -154,20 +165,20 @@ resource "azurerm_storage_container_immutability_policy" "test" {
`, template)
}

func (r StorageContainerImmutabilityPolicyResource) completeLocked(data acceptance.TestData) string {
func (r StorageContainerImmutabilityPolicyResource) completeLocked(data acceptance.TestData, period uint) string {
template := r.template(data)
return fmt.Sprintf(`
%[1]s

resource "azurerm_storage_container_immutability_policy" "test" {
storage_container_resource_manager_id = azurerm_storage_container.test.resource_manager_id
immutability_period_in_days = 2
immutability_period_in_days = %d
protected_append_writes_all_enabled = true
protected_append_writes_enabled = false

locked = true
}
`, template)
`, template, period)
}

func (r StorageContainerImmutabilityPolicyResource) template(data acceptance.TestData) string {
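Review bot: In `completeLocked`, the template now mixes an explicitly indexed verb (`%[1]s`) with an unindexed `%d`. It resolves to `period` only because fmt continues counting from the last explicit index, which is easy to break when another argument is added. Writing `immutability_period_in_days = %[2]d` keeps both verbs indexed. The new `period` parameter is also a `uint` while the resource code asserts the attribute as `int`; using `int` in the helper would keep the two consistent.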