Refactor admin password validation for Windows VM

hqhqhqhqhqhqhqhqhqhqhq · hqhqhqhqhqhqhqhqhqhqhq · commit 1ec23742aaf5 · 2025-10-19T05:25:08.000+11:00
Simplifies validation logic for admin_password and admin_password_wo in the Windows Virtual Machine resource by removing redundant constraints and updating test and documentation to clarify usage. This improves clarity and flexibility for specifying administrator credentials.
diff --git a/internal/services/compute/windows_virtual_machine_resource.go b/internal/services/compute/windows_virtual_machine_resource.go
@@ -24,7 +24,6 @@ import (
 	"github.com/hashicorp/go-azure-sdk/resource-manager/compute/2024-03-01/virtualmachines"
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	sdkValidation "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	azValidate "github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
@@ -56,10 +55,6 @@ func resourceWindowsVirtualMachine() *pluginsdk.Resource {
 			Delete: pluginsdk.DefaultTimeout(45 * time.Minute),
 		},
 
-		ValidateRawResourceConfigFuncs: []schema.ValidateRawResourceConfigFunc{
-			sdkValidation.PreferWriteOnlyAttribute(cty.GetAttrPath("admin_password"), cty.GetAttrPath("admin_password_wo")),
-		},
-
 		Schema: map[string]*pluginsdk.Schema{
 			"name": {
 				Type:         pluginsdk.TypeString,
@@ -78,24 +73,19 @@ func resourceWindowsVirtualMachine() *pluginsdk.Resource {
 				ForceNew:         true,
 				Sensitive:        true,
 				DiffSuppressFunc: adminPasswordDiffSuppressFunc,
-				RequiredWith: []string{
-					"admin_username",
-				},
 				ConflictsWith: []string{
 					"os_managed_disk_id",
 					"admin_password_wo",
 				},
 				ValidateFunc: computeValidate.WindowsAdminPassword,
-				ExactlyOneOf: []string{"admin_password", "admin_password_wo"},
 			},
 
 			"admin_password_wo": {
 				Type:          pluginsdk.TypeString,
 				Optional:      true,
 				WriteOnly:     true,
 				RequiredWith:  []string{"admin_password_wo_version"},
-				ConflictsWith: []string{"admin_password"},
-				ExactlyOneOf:  []string{"admin_password", "admin_password_wo"},
+				ConflictsWith: []string{"admin_password", "os_managed_disk_id"},
 				ValidateFunc:  computeValidate.WindowsAdminPassword,
 			},
 
@@ -110,9 +100,6 @@ func resourceWindowsVirtualMachine() *pluginsdk.Resource {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
 				ForceNew: true,
-				RequiredWith: []string{
-					"admin_password",
-				},
 				ExactlyOneOf: []string{
 					"admin_username",
 					"os_managed_disk_id",
diff --git a/internal/services/compute/windows_virtual_machine_resource_auth_test.go b/internal/services/compute/windows_virtual_machine_resource_auth_test.go
@@ -32,12 +32,12 @@ func TestAccWindowsVirtualMachine_authPasswordWriteOnly(t *testing.T) {
 
 	data.ResourceTest(t, r, []acceptance.TestStep{
 		{
-			Config: r.authPasswordWriteOnly(data, "P@$$w0rd1234!", 1),
+			Config: r.authPasswordWriteOnly(data, 1),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
 		},
-		data.ImportStep("admin_password", "admin_password_wo_version"),
+		data.ImportStep("admin_password_wo_version"),
 	})
 }
 
@@ -71,18 +71,52 @@ resource "azurerm_windows_virtual_machine" "test" {
 `, r.template(data))
 }
 
-func (r WindowsVirtualMachineResource) authPasswordWriteOnly(data acceptance.TestData, password string, version int) string {
+func (r WindowsVirtualMachineResource) authPasswordWriteOnly(data acceptance.TestData, version int) string {
 	return fmt.Sprintf(`
 %s
 
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "test" {
+  name                = "acctestkv%[2]s"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "standard"
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+
+    secret_permissions = [
+      "Get",
+      "Set",
+      "Delete",
+      "Purge",
+    ]
+  }
+}
+
+resource "azurerm_key_vault_secret" "test" {
+  name         = "admin-password"
+  value        = "P@$$w0rd1234!%[3]d"
+  key_vault_id = azurerm_key_vault.test.id
+}
+
+ephemeral "azurerm_key_vault_secret" "test" {
+  name         = azurerm_key_vault_secret.test.name
+  key_vault_id = azurerm_key_vault.test.id
+}
+
 resource "azurerm_windows_virtual_machine" "test" {
   name                      = local.vm_name
   resource_group_name       = azurerm_resource_group.test.name
   location                  = azurerm_resource_group.test.location
   size                      = "Standard_F2"
   admin_username            = "adminuser"
-  admin_password_wo         = "%s"
-  admin_password_wo_version = %d
+  admin_password_wo         = ephemeral.azurerm_key_vault_secret.test.value
+  admin_password_wo_version = %[3]d
+
   network_interface_ids = [
     azurerm_network_interface.test.id,
   ]
@@ -99,5 +133,5 @@ resource "azurerm_windows_virtual_machine" "test" {
     version   = "latest"
   }
 }
-`, r.template(data), password, version)
+`, r.template(data), data.RandomString, version)
 }
diff --git a/website/docs/r/windows_virtual_machine.html.markdown b/website/docs/r/windows_virtual_machine.html.markdown
@@ -107,15 +107,15 @@ The following arguments are supported:
 
 ---
 
-* `admin_password_wo` - (Optional, Write-Only) The Password which should be used for the local-administrator on this Virtual Machine.
+* `admin_password` - (Optional) The Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created.
 
-~> **Note:** One of `admin_password` or `admin_password_wo` must be specified.
+~> **Note:** This is required unless using an existing OS Managed Disk by specifying `os_managed_disk_id` or using `admin_password_wo`.
 
-* `admin_password_wo_version` - (Optional) An integer value used to trigger an update for `admin_password_wo`. This property should be incremented when updating `admin_password_wo`.
+* `admin_password_wo` - (Optional, Write-Only) The write-only Password which should be used for the local-administrator on this Virtual Machine. This property should be used when sensitive values should not be stored in state.
 
-* `admin_password` - (Optional) The Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created.
+~> **Note:** One of `admin_password` or `admin_password_wo` must be specified when not using an existing OS Managed Disk.
 
-~> **Note:** This is required unless using an existing OS Managed Disk by specifying `os_managed_disk_id`.
+* `admin_password_wo_version` - (Optional) An integer value used to trigger an update for `admin_password_wo`. This property should be incremented when updating `admin_password_wo`. Changing this forces a new resource to be created.
 
 * `admin_username` - (Optional) The username of the local administrator used for the Virtual Machine. Changing this forces a new resource to be created.
 
