azurerm_eventhub_namespace_customer_managed_key - validating that the User Assigned Identity used for accessing the Key Vault is assigned to the EventHub Namespace

[xiaxyi]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_eventhub_namespace_customer_managed_key - validating that the User Assigned Identity used for accessing the Key Vault is assigned to the EventHub Namespace [GH-28509]

~originally: azurerm_eventhub_namespace_customer_managed_key - parsing UAI resource ID that's returned by the api. ~

The resourceGroups staticSegment of the UAI ID was changed to resourcegroups by the api, which caused the mismatch of the same uai that's assigned to the parent eventhub namespace and the uai assigned to the eventhub cmk,

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #0000

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[Scarlettliuyc]

Thanks @xiaxyi . could you please @ reviewer here to pass this updates

[tombuildsstuff]

Rather than comparing these two IDs by checking the results of .ID() match - can we compare the Resource ID values instead:

Suggested change

	if parentEhnUaiId.ID() == userAssignedIdentity {
	if resourceids.Match(parentEhnUaiId, userAssignedIdentity) {

The Match function is available in hashicorp/go-azure-helpers#234 fwiw

[tombuildsstuff]

#25873

[xiaxyi]

Thanks @tombuildsstuff for the comment, the userAssignedIdentity in the right side of the equation is a sting that's got by userAssignedIdentity := d.Get("user_assigned_identity_id").(string). We didn't parse the id as there is a validation function in schema to validate the user's input of the user_assigned_identity_id

"user_assigned_identity_id": {
				Type:         pluginsdk.TypeString,
				Optional:     true,
				ValidateFunc: commonids.ValidateUserAssignedIdentityID,
			},

Do we need to parse the user_assigned_identity_id in order to do the resourceids.Match()?

[tombuildsstuff]

@xiaxyi

Do we need to parse the user_assigned_identity_id in order to do the resourceids.Match()?

Yes, intentionally. By comparing the Resource ID types rather than the literal string value, we can do context-aware comparisons (since we know what each of the Resource ID Segments are, we can compare the IDs with that context - which will help in the future with the some of the casing related items).

[xiaxyi]

Thanks @tombuildsstuff , code is updated, would you mind taking a look and let me know if everything is cool?

[Scarlettliuyc]

Hi @tombuildsstuff good day, as we have customers are waiting for this fix to update, could please review an approve it ASAP. Thanks in advanced.

[Scarlettliuyc]

hi @tombuildsstuff good day, could confrim when this fix would be update? Thanks in advanced.

[tombuildsstuff]

LGTM - thanks for pushing those changes @xiaxyi

[tombuildsstuff]

this needs to be moved within the if statement below, else the tests fail:

------- Stdout: -------
=== RUN   TestAccEventHubNamespaceCustomerManagedKey_basic
=== PAUSE TestAccEventHubNamespaceCustomerManagedKey_basic
=== CONT  TestAccEventHubNamespaceCustomerManagedKey_basic
    testcase.go:113: Step 1/2 error: Error running apply: exit status 1
        Error: parsing "": cannot parse an empty string
          with azurerm_eventhub_namespace_customer_managed_key.test,
          on terraform_plugin_test.tf line 104, in resource "azurerm_eventhub_namespace_customer_managed_key" "test":
         104: resource "azurerm_eventhub_namespace_customer_managed_key" "test" {
--- FAIL: TestAccEventHubNamespaceCustomerManagedKey_basic (14570.71s)
FAIL

[xiaxyi]

@tombuildsstuff Thanks for the comment, adding the empty check for this property. Tests are fine:

[jackofallops]

@tombuildsstuff Thanks for the comment, adding the empty check for this property. Tests are fine:

Hi @xiaxyi - Can you take a look at optimising the test config, it's using a dedicated cluster which I believe is unnecessary for this property? This makes the test take 4+ hours and cost a large amount of $ per test - Can you take a look at removing the dedicated cluster resource from the test and posting the test result?

Thanks!