- name: Prepare random number
  set_fact:
    rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
    tenant_id: "{{ azure_tenant }}"
  run_once: yes

- name: lookup service principal object id
  set_fact:
    object_id: "{{ lookup('azure_service_principal_attribute',
                   azure_client_id=azure_client_id,
                   azure_secret=azure_secret,
                   azure_tenant=tenant_id) }}"
  register: object_id

- name: Create instance of Key Vault -- check mode
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    enabled_for_deployment: yes
    vault_tenant: "{{ tenant_id }}"
    sku:
      name: standard
      family: A
    access_policies:
      - tenant_id: "{{ tenant_id }}"
        object_id: "{{ object_id }}"
        keys:
          - get
          - list
          - update
          - create
          - import
          - delete
          - recover
          - backup
          - restore
        secrets:
          - get
          - list
          - set
          - delete
          - recover
          - backup
          - restore
  check_mode: yes
  register: output
- name: Assert the resource instance is well created
  assert:
    that:
      - output.changed

- name: Create instance of Key Vault
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    enabled_for_deployment: yes
    vault_tenant: "{{ tenant_id }}"
    sku:
      name: standard
      family: A
    access_policies:
      - tenant_id: "{{ tenant_id }}"
        object_id: "{{ object_id }}"
        secrets:
          - get
          - list
          - set
          - delete
          - recover
          - backup
          - restore
  register: output
- name: Assert the resource instance is well created
  assert:
    that:
      - output.changed

- name: Create instance of Key Vault again
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    enabled_for_deployment: yes
    vault_tenant: "{{ tenant_id }}"
    sku:
      name: standard
      family: A
    access_policies:
      - tenant_id: "{{ tenant_id }}"
        object_id: "{{ object_id }}"
        secrets:
          - get
          - list
          - set
          - delete
          - recover
          - backup
          - restore
  register: output
- name: Assert the state has not changed
  assert:
    that:
      - output.changed == false

- name: Update existing Key Vault (add a rule and tags)
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    enabled_for_deployment: yes
    vault_tenant: "{{ tenant_id }}"
    sku:
      name: standard
      family: A
    access_policies:
      - tenant_id: "{{ tenant_id }}"
        object_id: "{{ object_id }}"
        keys:
          - get
          - list
          - update
          - create
          - import
          - delete
          - recover
          - backup
          - restore
        secrets:
          - get
          - list
          - set
          - delete
          - recover
          - backup
          - restore
    tags:
      aaa: bbb
  register: output
- name: Assert the state has changed
  assert:
    that:
      - output.changed == true

- name: Use REST API to retrieve keyvault (as facts not available yet)
  azure_rm_resource_facts:
    api_version: '2018-02-14'
    resource_group: "{{ resource_group }}"
    provider: keyvault
    resource_type: vaults
    resource_name: "vault{{ rpfx }}"
  register: output
- name: Assert the facts are properly set
  assert:
    that:
      - output.response[0].tags.aaa == "bbb"
#
# azure_rm_keyvaultkey tests
#

- name: create a kevyault key
  block:
    - azure_rm_keyvaultkey:
        keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
        key_name: testkey
        tags:
          testing: test
          delete: on-exit
      register: output
    - assert:
        that: output.changed
  rescue:
    - azure_rm_keyvaultkey:
        keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
        state: absent
        key_name: testkey

- name: delete a kevyault key
  azure_rm_keyvaultkey:
    keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
    state: absent
    key_name: testkey
  register: output

- assert:
    that: output.changed

#
# azure_rm_keyvaultsecret tests
#
- name: create a kevyault secret
  block:
    - azure_rm_keyvaultsecret:
        keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
        secret_name: testsecret
        secret_value: 'mysecret'
        tags:
          testing: test
          delete: on-exit
      register: output
    - assert:
        that: output.changed
  rescue:
    - azure_rm_keyvaultsecret:
        keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
        state: absent
        secret_name: testsecret

- name: delete a kevyault secret
  azure_rm_keyvaultsecret:
    keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
    state: absent
    secret_name: testsecret
  register: output

- assert:
    that: output.changed

#
# azure_rm_keyvault finalize & clean up
#

- name: Delete instance of Key Vault -- check mode
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    state: absent
  check_mode: yes
  register: output
- name: Assert the state has changed
  assert:
    that:
      - output.changed

- name: Delete instance of Key Vault
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    state: absent
  register: output
- name: Assert the state has changed
  assert:
    that:
      - output.changed

- name: Delete unexisting instance of Key Vault
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    state: absent
  register: output
- name: Assert the state has changed
  assert:
    that:
      - output.changed == false