remove cmk resources for cosmosdb

microsoft · Jan 1, 2025 · 2884691 · 2884691
1 parent 907bea7
commit 2884691
Show file tree

Hide file tree

Showing 5 changed files with 4 additions and 60 deletions.
diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl
diff --git a/core/terraform/api-identity.tf b/core/terraform/api-identity.tf
@@ -57,6 +57,4 @@ resource "azurerm_cosmosdb_sql_role_assignment" "tre_db_contributor" {
   role_definition_id  = data.azurerm_cosmosdb_sql_role_definition.cosmosdb_db_contributor.id
   principal_id        = azurerm_user_assigned_identity.id.principal_id
   scope               = azurerm_cosmosdb_account.tre_db_account.id
-
-  depends_on = [null_resource.tre_db_account_enable_cmk]
 }
diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf
@@ -43,30 +43,14 @@ resource "azurerm_cosmosdb_account" "mongo" {
     }
   }
 
+  key_vault_key_id      = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null
   default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
 
   tags = local.tre_core_tags
 
-  # since key_vault_key_id is created by the 'mongo_enable_cmk' null_resource, terraform forces re-creation of the resource
-  lifecycle { ignore_changes = [tags, key_vault_key_id] }
-}
-
-# Using the az CLI command since terraform forces a re-creation of the resource
-# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
-resource "null_resource" "mongo_enable_cmk" {
-  count = var.enable_cmk_encryption ? 1 : 0
-
-  provisioner "local-exec" {
-    command = "az cosmosdb update --name ${azurerm_cosmosdb_account.mongo.name} --resource-group ${azurerm_cosmosdb_account.mongo.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}"
-  }
-
-  depends_on = [
-    azurerm_cosmosdb_account.mongo,
-    azurerm_role_assignment.kv_encryption_key_user[0]
-  ]
+  lifecycle { ignore_changes = [tags] }
 }
 
-
 resource "azurerm_cosmosdb_mongo_database" "mongo" {
   name                = "porter"
   resource_group_name = azurerm_resource_group.core.name

diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -21,10 +21,6 @@ terraform {
       source  = "Azure/azapi"
       version = "~> 1.15.0"
     }
-    null = {
-      source  = "hashicorp/null"
-      version = "~> 3.2"
-    }
   }
 
   backend "azurerm" {}

diff --git a/core/terraform/statestore.tf b/core/terraform/statestore.tf
@@ -25,6 +25,7 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
     }
   }
 
+  key_vault_key_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null
   default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
 
   consistency_policy {
@@ -38,8 +39,7 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
     failover_priority = 0
   }
 
-  # since key_vault_key_id is created by the 'tre_db_account_enable_cmk' null_resource, terraform forces re-creation of the resource
-  lifecycle { ignore_changes = [tags, key_vault_key_id] }
+  lifecycle { ignore_changes = [tags] }
 }
 
 moved {
@@ -107,18 +107,3 @@ resource "azurerm_private_endpoint" "sspe" {
     subresource_names              = ["Sql"]
   }
 }
-
-# Using the az CLI command since terraform forces a re-creation of the resource
-# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
-resource "null_resource" "tre_db_account_enable_cmk" {
-  count = var.enable_cmk_encryption ? 1 : 0
-
-  provisioner "local-exec" {
-    command = "az cosmosdb update --name ${azurerm_cosmosdb_account.tre_db_account.name} --resource-group ${azurerm_cosmosdb_account.tre_db_account.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}"
-  }
-
-  depends_on = [
-    azurerm_cosmosdb_account.tre_db_account,
-    azurerm_role_assignment.kv_encryption_key_user[0]
-  ]
-}