New Resource: azurerm_cloud_hardware_security_module_cluster

[wuxu92]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

Documentation: https://learn.microsoft.com/en-us/azure/cloud-hsm/

The current version only support fixed Sku, so this resource intentionally doesn't expose SKU properties. it also only support useridentity while the swagger definition is SystemAndUserAssignedIdentity, and PublicNetworkAccess only support Disabled, so does not expose either.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevant documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

--- PASS: TestAccCloudHardwareSecurityModuleCluster_update (1566.59s)
--- PASS: TestAccCloudHardwareSecurityModuleCluster_requiresImport (1627.74s)
--- PASS: TestAccCloudHardwareSecurityModuleCluster_complete (1657.24s)
--- PASS: TestAccCloudHardwareSecurityModuleCluster_privateEndpoint (1863.45s)
--- PASS: TestAccCloudHardwareSecurityModuleCluster_userAssignedIdentity (2737.66s)
--- PASS: TestAccCloudHardwareSecurityModuleCluster_basic (2793.65s)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• New Resource: azurerm_cloud_hardware_security_module_cluster

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[ms-zhenhua]

Hi @wuxu92 ,

Thanks for the PR. I've taken a look through and left some comments inline. If we can fix those up, this should be good to continue 👍

[ms-zhenhua]

The provider block should be put in each testcase.

[wuxu92]

sorry, I didn't get this comment, this is in a template method so it applies to each testcase, what change is required here?

[ms-zhenhua]

Use this as an example, could you put provider definition in each testcase of basic, complete, update...?

[wuxu92]

Is this kind of new guideline? I see there are lots of tests put the provider definition in the template instead of each case.

[ms-zhenhua]

It's not new, you may refer to the example of the guidance.

[wuxu92]

However, this example does not specify whether the provider block should be placed in the template method or a specific method. Most of the existing template methods contain the provider block..

[ms-zhenhua]

Use this as an example, could you put provider definition in each testcase of basic, complete, update...?

[ms-zhenhua]

LGTM~

[magodo]

Thanks for this PR!
I've taken a look through and left some comments inline, but this is mostly looking good to me 👍

[magodo]

Will there be more than one hsm's information returned?

[wuxu92]

yes, there are 3 hsms by default, and the current API doesn't support customize. I'm renaming it to hsm.

[magodo]

If there are 3, then we can keep it to be plural as in the flattening code you are still populating all of them?

[wuxu92]

Oh, I mixed up the plural rule and have reverted back to using "hsms". I'm wondering if it's acceptable to use "hsms" here, or if I should use the full name "hardware_security_modules" instead of the abbreviation(there were already "hsm_xx" properties in the provider).

[magodo]

I'm not sure, let's keep hsms first...

[magodo]

How come this is a retryable error? A retry on a Cloud HSM whose PE is deleted beforehead will succeed?

[wuxu92]

Yes a retry is required here, as the CloudHSM will under updating status when and a while after the deletion of the linked PE. so when run terraform destroy, the PE is deleted firstly then to delete the Cloud HSM, and the conflict error responded and a retry may succeed. this is confirmed by service team: cloud hsm should be in-progress for a max of 5 mins after deleting a private endpoint

[magodo]

This also seems to be like a service issue. Did the service team mention they have any plan to improve this?

[wuxu92]

Yes it's a service issue. I know other resources linked to a PE don't encounter such issue and HSM team is aware of it. I need to confirm with them again about the fix as they once indicated a way to improve the deletion in next version.