Skip to content

azurerm_shared_image_version - support for new block uefi_settings #28076

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
yeoldegrove wants to merge 17 commits into
base: main
Choose a base branch
from
Open

azurerm_shared_image_version - support for new block uefi_settings #28076

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
3a648d0
bump go-azure-sdk/resource-manager/compute/2022-03-03/galleryimagever…
yeoldegrove Nov 14, 2024
e1f9fc0
shared_image_version_resource - fixes after bump to 2023-07-03
yeoldegrove Apr 14, 2025
190c298
shared_image_version_resource - add uefi_settings
yeoldegrove Nov 14, 2024
3c1cf81
shared_image_version_resource - add uefi_settings - docs
yeoldegrove Nov 19, 2024
d1c7667
Merge branch 'main' into shared_image_version_uefi_settings
yeoldegrove Aug 27, 2025
988dfae
shared_image_version_resource - set trusted_launch_supported in uefi_…
yeoldegrove Sep 4, 2025
317a68f
`shared_image_version_resource` - return all list values for certific…
yeoldegrove Oct 8, 2025
c8e6b74
`shared_image_version_resource` - move uefiKeySchema() to shared_schema
yeoldegrove Oct 8, 2025
9da880a
`shared_image_version_resource` - pass any db, dbx, kek, pk to addito…
yeoldegrove Oct 8, 2025
670cedc
`shared_image_version_resource` - expanded keys always have values
yeoldegrove Oct 8, 2025
2524c4f
`shared_image_version_resource` - do not check for nil on pointer.From
yeoldegrove Oct 8, 2025
3b5fda2
`shared_image_version_resource` - move certificate to testdata
yeoldegrove Oct 8, 2025
dfa88b1
Merge branch 'main' of ssh://github.com/hashicorp/terraform-provider-…
yeoldegrove Apr 9, 2026
c6f1351
`shared_image_version_resource` - validate base64 string correctly
yeoldegrove Apr 10, 2026
c542784
`shared_image_version_resource` - use ForceNew throughout `uefi_setti…
yeoldegrove Apr 10, 2026
b9e1c85
`shared_image_version_resource` - update docs for `ForceNew`
yeoldegrove Apr 13, 2026
bf5582d
`shared_image_version_resource` - removed unneeded comment in tests
yeoldegrove Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions internal/services/compute/image_resource_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -466,6 +466,7 @@ resource "azurerm_storage_container" "test" {
}

# NOTE: using the legacy vm resource since this test requires an unmanaged disk
# this vm is not used for anything else than creating the image
Comment thread
yeoldegrove marked this conversation as resolved.
Outdated
resource "azurerm_virtual_machine" "testsource" {
name = "testsource"
location = azurerm_resource_group.test.location
Expand Down
244 changes: 243 additions & 1 deletion internal/services/compute/shared_image_version_resource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,55 @@ func resourceSharedImageVersion() *pluginsdk.Resource {
Default: false,
},

"uefi_settings": {
Type: pluginsdk.TypeList,
Optional: true,
ForceNew: true,
Comment thread
yeoldegrove marked this conversation as resolved.
MaxItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"signature_template_names": {
Type: pluginsdk.TypeSet,
Required: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
ValidateFunc: validation.StringInSlice(galleryimageversions.PossibleValuesForUefiSignatureTemplateName(), false),
},
},
"additional_signatures": {
Type: pluginsdk.TypeList,
Optional: true,
MaxItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"db": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: uefiKeySchema(),
},
"dbx": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: uefiKeySchema(),
},
"kek": {
Type: pluginsdk.TypeList,
Optional: true,
Elem: uefiKeySchema(),
},
"pk": {
Type: pluginsdk.TypeList,
Optional: true,
MaxItems: 1,
Elem: uefiKeySchema(),
},
Comment thread
yeoldegrove marked this conversation as resolved.
},
},
},
},
},
},

"tags": commonschema.Tags(),
},

Expand Down Expand Up @@ -237,7 +286,8 @@ func resourceSharedImageVersionCreate(d *pluginsdk.ResourceData, meta interface{
SafetyProfile: &galleryimageversions.GalleryImageVersionSafetyProfile{
AllowDeletionOfReplicatedLocations: utils.Bool(d.Get("deletion_of_replicated_locations_enabled").(bool)),
},
StorageProfile: galleryimageversions.GalleryImageVersionStorageProfile{},
StorageProfile: galleryimageversions.GalleryImageVersionStorageProfile{},
SecurityProfile: &galleryimageversions.ImageVersionSecurityProfile{},
},
Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
}
Expand Down Expand Up @@ -279,6 +329,10 @@ func resourceSharedImageVersionCreate(d *pluginsdk.ResourceData, meta interface{
}
}

if v, ok := d.GetOk("uefi_settings"); ok {
version.Properties.SecurityProfile.UefiSettings = expandUefiSettings(v.([]interface{}))
}

if err := client.CreateOrUpdateThenPoll(ctx, id, version); err != nil {
return fmt.Errorf("creating %s: %+v", id, err)
}
Expand Down Expand Up @@ -439,6 +493,10 @@ func resourceSharedImageVersionRead(d *pluginsdk.ResourceData, meta interface{})
if safetyProfile := props.SafetyProfile; safetyProfile != nil {
d.Set("deletion_of_replicated_locations_enabled", pointer.From(safetyProfile.AllowDeletionOfReplicatedLocations))
}

if securityProfile := props.SecurityProfile; securityProfile != nil {
d.Set("uefi_settings", flattenUefiSettings(securityProfile.UefiSettings))
}
Comment thread
yeoldegrove marked this conversation as resolved.
}
return tags.FlattenAndSet(d, model.Tags)
}
Expand Down Expand Up @@ -534,6 +592,190 @@ func expandSharedImageVersionTargetRegions(d *pluginsdk.ResourceData) (*[]galler
return &results, nil
}

func uefiKeySchema() *pluginsdk.Resource {
return &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"certificate_base64": {
Type: pluginsdk.TypeList,
Required: true,
Elem: &pluginsdk.Schema{
Type: pluginsdk.TypeString,
},
},
"type": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice(galleryimageversions.PossibleValuesForUefiKeyType(), false),
},
},
}
}
Comment thread
yeoldegrove marked this conversation as resolved.
Outdated

func expandUefiSettings(input []interface{}) *galleryimageversions.GalleryImageVersionUefiSettings {
if len(input) == 0 || input[0] == nil {
return nil
}

v := input[0].(map[string]interface{})
result := &galleryimageversions.GalleryImageVersionUefiSettings{}

if templateNamesSet, ok := v["signature_template_names"].(*pluginsdk.Set); ok {
result.SignatureTemplateNames = expandSignatureTemplateNames(templateNamesSet.List())
}

if additionalSignatures, ok := v["additional_signatures"].([]interface{}); ok {
result.AdditionalSignatures = expandAdditionalSignatures(additionalSignatures)
}

return result
}

func expandSignatureTemplateNames(input []interface{}) *[]galleryimageversions.UefiSignatureTemplateName {
if len(input) == 0 {
return nil
}

result := make([]galleryimageversions.UefiSignatureTemplateName, 0)
for _, v := range input {
result = append(result, galleryimageversions.UefiSignatureTemplateName(v.(string)))
}
return &result
}

func expandAdditionalSignatures(input []interface{}) *galleryimageversions.UefiKeySignatures {
if len(input) == 0 || input[0] == nil {
return nil
}

v := input[0].(map[string]interface{})
result := &galleryimageversions.UefiKeySignatures{}

if db, ok := v["db"].([]interface{}); ok {
result.Db = expandUefiKeyList(db)
}

if dbx, ok := v["dbx"].([]interface{}); ok {
result.Dbx = expandUefiKeyList(dbx)
}

if kek, ok := v["kek"].([]interface{}); ok {
result.Kek = expandUefiKeyList(kek)
}

if pk, ok := v["pk"].([]interface{}); ok {
result.Pk = expandUefiKey(pk)
}

return result
}

func expandUefiKeyList(input []interface{}) *[]galleryimageversions.UefiKey {
if len(input) == 0 {
return nil
}

result := make([]galleryimageversions.UefiKey, 0)
for _, v := range input {
if item := expandUefiKey([]interface{}{v}); item != nil {
result = append(result, *item)
}
}
return &result
}

func expandUefiKey(input []interface{}) *galleryimageversions.UefiKey {
if len(input) == 0 || input[0] == nil {
return nil
}

data, ok := input[0].(map[string]interface{})
Copy link
Copy Markdown
Member

@catriona-m catriona-m Oct 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the schema currently allows for more than 1 of each uefikey to be specified, if it is not possible to have more than 1 we should update the schema to specify MaxItems: 1, or if we can have more than 1, we will need to iterate the list and set them here

Copy link
Copy Markdown
Author

@yeoldegrove yeoldegrove Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Cannot remember why I did only return the first item.

if !ok {
return nil
}
Comment thread
yeoldegrove marked this conversation as resolved.
Outdated

certData := make([]string, 0)
if certList, ok := data["certificate_base64"].([]interface{}); ok {
for _, item := range certList {
if str, ok := item.(string); ok {
certData = append(certData, str)
}
}
}

typeStr, ok := data["type"].(string)
if !ok {
return nil
}
Comment thread
yeoldegrove marked this conversation as resolved.
Outdated

return &galleryimageversions.UefiKey{
Type: pointer.To(galleryimageversions.UefiKeyType(typeStr)),
Value: &certData,
}
}

func flattenUefiSettings(input *galleryimageversions.GalleryImageVersionUefiSettings) []interface{} {
Comment thread
yeoldegrove marked this conversation as resolved.
Outdated
results := make([]interface{}, 0)

if input == nil {
return results
}

results = append(results, map[string]interface{}{
"signature_template_names": pointer.From(input.SignatureTemplateNames),
"additional_signatures": flattenAdditionalSignatures(input.AdditionalSignatures),
})

return results
}

func flattenAdditionalSignatures(input *galleryimageversions.UefiKeySignatures) []interface{} {
results := make([]interface{}, 0)

if input == nil {
return results
}

result := make(map[string]interface{})
result["db"] = flattenUefiKeyList(input.Db)
result["dbx"] = flattenUefiKeyList(input.Dbx)
result["kek"] = flattenUefiKeyList(input.Kek)
result["pk"] = flattenUefiKey(input.Pk)

return append(results, result)
}

func flattenUefiKeyList(input *[]galleryimageversions.UefiKey) []interface{} {
results := make([]interface{}, 0)
if input == nil {
return results
}

for _, v := range *input {
if item := flattenUefiKey(&v); len(item) > 0 {
results = append(results, item[0])
}
}

return results
}

func flattenUefiKey(input *galleryimageversions.UefiKey) []interface{} {
Comment thread
yeoldegrove marked this conversation as resolved.
results := make([]interface{}, 0)
if input == nil {
return results
}

result := make(map[string]interface{})
if input.Value != nil && len(*input.Value) > 0 {
result["certificate_base64"] = (*input.Value)[0]
}
Copy link
Copy Markdown
Member

@catriona-m catriona-m Oct 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible for there to be more than 1 certificate? If so, we should set them all here. If there can only be 1, we should consider making this property a string rather than a list

Copy link
Copy Markdown
Author

@yeoldegrove yeoldegrove Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Cannot remember why I did only return the first item.

if input.Type != nil {
result["type"] = pointer.From(input.Type)
}
Comment thread
yeoldegrove marked this conversation as resolved.
Outdated

return append(results, result)
}

func flattenSharedImageVersionTargetRegions(input *[]galleryimageversions.TargetRegion) []interface{} {
results := make([]interface{}, 0)

Expand Down
Loading
Loading