kitchen-azurerm 0.17.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79955d1437d49030459425fce323174e40d3a437c75dbe52393d9d5cc85df4b3
-  data.tar.gz: b08a9f9715e9f04fadb5965565604ce95d71a3fc2b38cb836a99b16c1f883df4
+  metadata.gz: 51b127c1a7e5d1c197dde573ce77d5e9900fe2297d12e5d8cbcd4d6d1e328ccc
+  data.tar.gz: d59c1a55f910f415a271a4818a8879a16e06dff3192d3d3a64d5ce1c32313e6c
 SHA512:
-  metadata.gz: a8e2a9e7905a2c670e295d912a995c657021f4171d0e902d77c4c62d780ab1ebfe29365ed943a57224af53d87e0257f261065e3189f986bde8462975745943e0
-  data.tar.gz: 1857240fc7bf3642dd91e3f8f3be067b4d88e53754afd1ee61b9c9ce1ef730a10a71edc1f145e6e7ec64a8e8e51a07b8e93ff2ac5022ee90f326b16e5bd8c91a
+  metadata.gz: 1e21e9a0cce3a113f9d6fd9206a9272282eb1d54c637e2c9f5b629a42ccbf144889355d18db7127a7693e088d8056005139cdf142e3232ed70870c72b23db3f0
+  data.tar.gz: '0690d8abddf2c745c7631e463e7479299a0e1e8a83af57caca797e8555a840bc0559c383d7d703b35c7bb7ec4c65b7556a15e95cf2b4582c153f8e45d0dd97e9'

data/README.md

@@ -10,15 +10,34 @@ This version has been tested on Windows, macOS, and Ubuntu. If you encounter a p
 
 ### Installation
 
-This plugin is distributed as a [Ruby Gem](https://rubygems.org/gems/kitchen-azurerm). To install it, run:
+This plugin ships in Chef Workstation out of the box so there is no need to install it when using Chef Workstation[https://downloads.chef.io/products/workstation].
 
-```$ gem install kitchen-azurerm```
+If you're not using Chef Workstation and need to install the plugin as a gem run:
 
-Note if you are running the ChefDK you may need to prefix the command with chef, i.e. ```$ chef gem install kitchen-azurerm```
+```$ gem install kitchen-azurerm```
 
 ### Configuration
 
-For the driver to interact with the Microsoft Azure Resource management REST API, a Service Principal needs to be configured with Contributor rights against the specific subscription being targeted. Using an Organizational (AAD) account and related password is no longer supported. To create a Service Principal and apply the correct permissions, you will need to [create and authenticate a service principal](https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/#authenticate-service-principal-with-password---azure-cli) using the [Azure CLI](https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/). Make sure you stay within the section titled 'Authenticate service principal with password - Azure CLI'.
+For the driver to interact with the Microsoft Azure Resource management REST API, a Service Principal needs to be configured with Contributor rights against the specific subscription being targeted. Using an Organizational (AAD) account and related password is no longer supported. To create a Service Principal and apply the correct permissions, you will need to [create an Azure service principal with the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest#create-a-service-principal) using the [Azure CLI](https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/). Make sure you stay within the section titled 'Authenticate service principal with password - Azure CLI'.
+
+If the above is TLDR then try this after `az login` using your target subscription ID and the desired SP name:
+
+```bash
+# Create a Service Principal using the desired subscription id from the command above
+az ad sp create-for-rbac --name="kitchen-azurerm" --role="Contributor" --scopes="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+#Output
+#
+#{
+#  "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",    <- Also known as the Client ID
+#  "displayName": "azure-cli-2018-12-12-14-15-39",
+#  "name": "http://azure-cli-2018-12-12-14-15-39",
+#  "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+#  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+#}
+```
+
+NOTE: Don't forget to save the values from the output -- most importantly the `password`.
 
 You will also need to ensure you have an active Azure subscription (you can get started [for free](https://azure.microsoft.com/en-us/free/) or use your [MSDN Subscription](https://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits/)).
 
@@ -32,22 +51,31 @@ You are now ready to configure kitchen-azurerm to use the credentials from the s
 Using a text editor, open or create the file ```~/.azure/credentials``` and add the following section, noting there is one section per Subscription ID. **Make sure you save the file with UTF-8 encoding**
 
 ```ruby
-[abcd1234-YOUR-SUBSCRIPTION-ID-HERE-abcdef123456]
-client_id = "48b9bba3-YOUR-GUID-HERE-90f0b68ce8ba"
+[ADD-YOUR-AZURE-SUBSCRIPTION-ID-HERE-IN-SQUARE-BRACKET]
+client_id = "your-azure-client-id-here"
 client_secret = "your-client-secret-here"
-tenant_id = "9c117323-YOUR-GUID-HERE-9ee430723ba3"
+tenant_id = "your-azure-tenant-id-here"
 ```
 
 If preferred, you may also set the following environment variables, however this would be incompatible with supporting multiple Azure subscriptions.
 
 ```ruby
-AZURE_CLIENT_ID="48b9bba3-YOUR-GUID-HERE-90f0b68ce8ba"
+AZURE_CLIENT_ID="your-azure-client-id-here"
 AZURE_CLIENT_SECRET="your-client-secret-here"
-AZURE_TENANT_ID="9c117323-YOUR-GUID-HERE-9ee430723ba3"
+AZURE_TENANT_ID="your-azure-tenant-id-here"
 ```
 
 Note that the environment variables, if set, take preference over the values in a configuration file.
 
+After adjusting your ```~/.azure/credentials``` file you will need to adjust your ```kitchen.yml``` file to leverage the azurerm driver. Use the following examples to achieve this, then check your configuration with standard kitchen commands. For example,
+
+```bash
+% kitchen list
+Instance            Driver   Provisioner  Verifier  Transport  Last Action    Last Error
+wsus-windows-2019   Azurerm  ChefZero     Inspec    Winrm      <Not Created>  <None>
+wsus-windows-2016   Azurerm  ChefZero     Inspec    Winrm      <Not Created>  <None>
+```
+
 ### .kitchen.yml example 1 - Linux/Ubuntu
 
 Here's an example ```.kitchen.yml``` file that provisions an Ubuntu Server, using Chef Zero as the provisioner and SSH as the transport. Note that if the key does not exist at the specified location, it will be created. Also note that if ```ssh_key``` is supplied, Test Kitchen will use this in preference to any default/configured passwords that are supplied.
@@ -56,7 +84,7 @@ Here's an example ```.kitchen.yml``` file that provisions an Ubuntu Server, usin
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
 
@@ -71,9 +99,6 @@ platforms:
     driver:
       image_urn: Canonical:UbuntuServer:14.04.4-LTS:latest
       vm_name: trusty-vm
-      vm_tags:
-        ostype: linux
-        distro: ubuntu
 
 suites:
   - name: default
@@ -98,7 +123,7 @@ Here's a further example ```.kitchen.yml``` file that will provision a Windows S
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_DS2_v2'
 
@@ -113,6 +138,9 @@ platforms:
       resource_group_tags:
         project: 'My Cool Project'
         contact: 'me@somewhere.com'
+      vm_tags:
+        my_tag: its value
+        another_tag: its awesome value
     transport:
       name: winrm
 suites:
@@ -134,7 +162,7 @@ These resources will be created in the same Azure Resource Group as the VM under
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
   pre_deployment_template: predeploy.json
@@ -207,7 +235,7 @@ In this case, the public IP address is not used unless ```public_ip``` is set to
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
 
@@ -241,7 +269,7 @@ Note: The image must be available first. On deletion the disk and everything is
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
 
@@ -282,7 +310,7 @@ This example will:
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
 
@@ -319,7 +347,7 @@ Note: Custom data can be custom data or a file to custom data. Please also note
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
 
@@ -364,7 +392,7 @@ Note the availability of a `format_data_disks` option (default: `false`). When s
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_F2s'
 
@@ -403,7 +431,7 @@ These resources will be created in the same Azure Resource Group as the VM under
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
   post_deployment_template: postdeploy.json
@@ -488,7 +516,7 @@ See the [Managed identities for Azure resources](https://docs.microsoft.com/en-u
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'West Europe'
   machine_size: 'Standard_D1'
 
@@ -521,7 +549,7 @@ This following example introduces ```secret_url```, ```vault_name```, and ```vau
 ---
 driver:
   name: azurerm
-  subscription_id: '4801fa9d-YOUR-GUID-HERE-b265ff49ce21'
+  subscription_id: 'your-azure-subscription-id-here'
   location: 'CentralUS'
   machine_size: 'Standard_D2s_v3'
   secret_url: 'https://YOUR-SECRET-PATH'
@@ -556,7 +584,7 @@ Note that the ```use_managed_disks``` option should be set to false until suppor
 ---
 driver:
   name: azurerm
-  subscription_id: 'abcdabcd-YOUR-GUID-HERE-abcdabcdabcd'
+  subscription_id: 'your-azure-subscription-id-here'
   azure_environment: 'AzureUSGovernment'
   location: 'US Gov Iowa'
   machine_size: 'Standard_D2_v2_Promo'
@@ -616,9 +644,9 @@ data:    Canonical  UbuntuServer  15.10-DAILY        15.10.201509220  westeurope
 info:    vm image list command OK
 ```
 
-### Additional parameters that can be specified
+### Additional parameters that can be specified in your `kitchen.yml` or added to your personal `kitchen.local.yml`
 
-* Note that the ```driver``` section can also takes a ```username``` and ```password```. The default username is "azure" and the password is a randomly generated 12 character password that can be found in your local kitchen state file (typically .kitchen/<instance-name>.yml) if you require it for any reason.
+* Note that the ```driver``` section can also take explicit values for ```username``` and ```password```. Otherwise, the default username is "azure" and the password is a randomly generated 24 character password that can be found in your local kitchen state file (typically `.kitchen/<instance-name>.yml`) if you require it for any reason.
 
 * The ```storage_account_type``` parameter defaults to 'Standard_LRS' and allows you to switch to premium storage (e.g. 'Premium_LRS')
 
@@ -642,9 +670,11 @@ info:    vm image list command OK
 
 * The ```azure_resource_group_prefix``` and ```azure_resource_group_suffix``` can be used to further disambiguate Azure resource group names created by the driver.
 
-* The ```explicit_resource_group_name``` and ```destroy_explicit_resource_group``` (default: "true") parameters can be used in scenarios where you are provided a pre-created Resource Group. Example usage: ```explicit_resource_group_name: kitchen-<%= ENV["USERNAME"] %>```
+* The ```explicit_resource_group_name``` and ```destroy_explicit_resource_group``` (default: "true") parameters can be used in scenarios where you are provided a pre-created Resource Group. Example usage: ```explicit_resource_group_name: kitchen-<%= ENV["USERNAME"] %>```. The ```destroy_explicit_resource_group``` option can now be used after using the ```destroy_resource_group_contents``` option creates an empty resource group to destroy the resource group previously created.
+
+* The ```destroy_resource_group_contents``` (default: "false") parameter can be used when you want to destroy the resources within a resource group without destroying the resource group itself. For example, the following configuration options used in combination would use an existing resource group (or create one if it doesn't exist) and will destroy the contents of the resource group in the ```kitchen destroy``` phase. If you wish to destroy the empty resource group created after you empty the resource group with this flag you can now set the ```destroy_explicit_resource_group``` to "true" to destroy the empty resource group. 
 
-* The ```destroy_resource_group_contents``` (default: "false") parameter can be used when you want to destroy the resources within a resource group without destroying the resource group itself. For example, the following configuration options used in combination would use an existing resource group (or create one if it doesn't exist) and will destroy the contents of the resource group in the ```kitchen destroy``` phase.
+* The ```destroy_explicit_resource_group_tags``` (default: "true") parameter can be used when you want to remove tags associated with an explicit resource group. The default setting is set to "true" to remain consistent with previous behavior. This should be used in combination with an ```explicit_resource_group_name``` and will be honored during the ```kitchen destroy``` phase.
 
 ```yaml
 ---
@@ -658,6 +688,8 @@ driver:
 
 * The ```secret_url```, ```vault_name```, and ```vault_resource_group``` parameters can be used to deploy VM with specified key vault certificate.
 
+* The ```use_fqdn_hostname``` (default: "false") parameter can be used to determine how kitchen communicates with the Virtual Machine. When true, Kitchen will use the FQDN that is assigned to the Virtual Machine. When false, kitchen will use the public IP address of the machine. This may overcome issues with Corporate firewalls or VPNs blocking Public IP addresses.
+
 ## Enabling alternative WinRM configurations
 
 * By default on Windows machines, a PowerShell script runs that enables WinRM over the SSL transport, for Basic, Negotiate and CredSSP connections. To supply your own PowerShell script (e.g. to enable HTTP), use the `winrm_powershell_script` parameter. Windows 2008 R2 example:

data/lib/kitchen/driver/azure_credentials.rb

@@ -1,4 +1,6 @@
 require "inifile"
+require "kitchen/logging"
+autoload :MsRest, "ms_rest"
 
 module Kitchen
   module Driver
@@ -6,6 +8,8 @@ module Kitchen
     # AzureCredentials
     #
     class AzureCredentials
+      include Kitchen::Logging
+
       CONFIG_PATH = "#{ENV["HOME"]}/.azure/credentials".freeze
 
       #
@@ -24,12 +28,6 @@ module Kitchen
       def initialize(subscription_id:, environment: "Azure")
         @subscription_id = subscription_id
         @environment = environment
-        config_file = ENV["AZURE_CONFIG_FILE"] || File.expand_path(CONFIG_PATH)
-        if File.file?(config_file)
-          @credentials = IniFile.load(File.expand_path(config_file))
-        else
-          warn "#{CONFIG_PATH} was not found or not accessible. Will use environment variables or MSI."
-        end
       end
 
       #
@@ -50,8 +48,23 @@ module Kitchen
 
       private
 
+      def logger
+        Kitchen.logger
+      end
+
+      def config_path
+        @config_path ||= File.expand_path(ENV["AZURE_CONFIG_FILE"] || CONFIG_PATH)
+      end
+
       def credentials
-        @credentials ||= {}
+        @credentials ||= begin
+          if File.file?(config_path)
+            IniFile.load(config_path)
+          else
+            warn "#{config_path} was not found or not accessible."
+            {}
+          end
+        end
       end
 
       def credentials_property(property)
@@ -59,7 +72,7 @@ module Kitchen
       end
 
       def tenant_id!
-        tenant_id || raise("Must provide tenant id. Use AZURE_TENANT_ID environment variable or set it in credentials file")
+        tenant_id || warn("(#{config_path}) does not contain tenant_id neither is the AZURE_TENANT_ID environment variable set.")
       end
 
       def tenant_id
@@ -74,13 +87,37 @@ module Kitchen
         ENV["AZURE_CLIENT_SECRET"] || credentials_property("client_secret")
       end
 
+      # Retrieve a token based upon the preferred authentication method.
+      #
+      # @return [::MsRest::TokenProvider] A new token provider object.
       def token_provider
-        if client_id && client_secret
+        # Login with a credentials file or setting the environment variables
+        #
+        # Typically used with a service principal.
+        #
+        # SPN with client_id, client_secret and tenant_id
+        if client_id && client_secret && tenant_id
           ::MsRestAzure::ApplicationTokenProvider.new(tenant_id, client_id, client_secret, ad_settings)
-        elsif client_id
+        # Login with a Managed Service Identity.
+        #
+        # Typically used with a Managed Service Identity when you have a particular object registered in a tenant.
+        #
+        # MSI with client_id and tenant_id (aka User Assigned Identity).
+        elsif client_id && tenant_id
           ::MsRestAzure::MSITokenProvider.new(50342, ad_settings, { client_id: client_id })
-        else
+        # Default approach to inheriting existing object permissions (application or device this code is running on).
+        #
+        # Typically used when you want to inherit the permissions of the system you're running on that are in a tenant.
+        #
+        # MSI with just tenant_id (aka System Assigned Identity).
+        elsif tenant_id
           ::MsRestAzure::MSITokenProvider.new(50342, ad_settings)
+        # Login using the Azure CLI
+        #
+        # Typically used when you want to rely upon `az login` as your preferred authentication method.
+        else
+          warn("Using tenant id set through `az login`.")
+          ::MsRestAzure::AzureCliTokenProvider.new(ad_settings)
         end
       end
 

data/lib/kitchen/driver/azurerm.rb

@@ -1,21 +1,27 @@
 require "kitchen"
+
+autoload :MsRestAzure, "ms_rest_azure"
 require_relative "azure_credentials"
-require "securerandom"
-require "azure_mgmt_resources"
-require "azure_mgmt_network"
-require "base64"
-require "sshkey"
-require "fileutils"
-require "erb"
-require "ostruct"
-require "json"
-require "faraday"
+require "securerandom" unless defined?(SecureRandom)
+module Azure
+  autoload :Resources, "azure_mgmt_resources"
+  autoload :Network, "azure_mgmt_network"
+end
+require "base64" unless defined?(Base64)
+autoload :SSHKey, "sshkey"
+require "fileutils" unless defined?(FileUtils)
+require "erb" unless defined?(Erb)
+require "ostruct" unless defined?(OpenStruct)
+require "json" unless defined?(JSON)
+autoload :Faraday, "faraday"
 
 module Kitchen
   module Driver
     #
     # Azurerm
+    # Create a new resource group object and set the location and tags attributes then return it.
     #
+    # @return [::Azure::Resources::Profiles::Latest::Mgmt::Models::ResourceGroup] A new resource group object.
     class Azurerm < Kitchen::Driver::Base
       attr_accessor :resource_management_client
       attr_accessor :network_management_client
@@ -75,7 +81,7 @@ module Kitchen
       end
 
       default_config(:password) do |_config|
-        SecureRandom.base64(12)
+        SecureRandom.base64(25)
       end
 
       default_config(:vm_name) do |_config|
@@ -174,6 +180,10 @@ module Kitchen
         true
       end
 
+      default_config(:destroy_explicit_resource_group_tags) do |_config|
+        true
+      end
+
       default_config(:destroy_resource_group_contents) do |_config|
         false
       end
@@ -202,6 +212,10 @@ module Kitchen
         5
       end
 
+      default_config(:use_fqdn_hostname) do |_config|
+        false
+      end
+
       def create(state)
         state = validate_state(state)
         deployment_parameters = {
@@ -210,22 +224,22 @@ module Kitchen
           storageAccountType: config[:storage_account_type],
           bootDiagnosticsEnabled: config[:boot_diagnostics_enabled],
           newStorageAccountName: "storage#{state[:uuid]}",
-          adminUsername: state[:username],
+          adminUsername: config[:username],
           dnsNameForPublicIP: "kitchen-#{state[:uuid]}",
           vmName: state[:vm_name],
           systemAssignedIdentity: config[:system_assigned_identity],
-          userAssignedIdentities: config[:user_assigned_identities],
+          userAssignedIdentities: config[:user_assigned_identities].map { |identity| [identity, {}] }.to_h,
           secretUrl: config[:secret_url],
           vaultName: config[:vault_name],
           vaultResourceGroup: config[:vault_resource_group],
         }
 
         if instance.transport[:ssh_key].nil?
-          deployment_parameters["adminPassword"] = state[:password]
+          deployment_parameters[:adminPassword] = config[:password]
         end
 
         if config[:subscription_id].to_s == ""
-          raise "A subscription_id config value was not detected and kitchen-azurerm cannot continue. Please check your .kitchen.yml configuration. Exiting."
+          raise "A subscription_id config value was not detected and kitchen-azurerm cannot continue. Please check your kitchen.yml configuration. Exiting."
         end
 
         if config[:nic_name].to_s == ""
@@ -277,12 +291,9 @@ module Kitchen
         @resource_management_client = ::Azure::Resources::Profiles::Latest::Mgmt::Client.new(options)
 
         # Create Resource Group
-        resource_group = ::Azure::Resources::Profiles::Latest::Mgmt::Models::ResourceGroup.new
-        resource_group.location = config[:location]
-        resource_group.tags = config[:resource_group_tags]
         begin
           info "Creating Resource Group: #{state[:azure_resource_group_name]}"
-          create_resource_group(state[:azure_resource_group_name], resource_group)
+          create_resource_group(state[:azure_resource_group_name], get_resource_group)
         rescue ::MsRestAzure::AzureOperationError => operation_error
           error operation_error.body
           raise operation_error
@@ -300,6 +311,9 @@ module Kitchen
           info "Creating deployment: #{deployment_name}"
           create_deployment_async(state[:azure_resource_group_name], deployment_name, deployment(deployment_parameters)).value!
           follow_deployment_until_end_state(state[:azure_resource_group_name], deployment_name)
+          state[:username] = deployment_parameters[:adminUsername] unless existing_state_value?(state, :username)
+          state[:password] = deployment_parameters[:adminPassword] unless existing_state_value?(state, :password) && instance.transport[:ssh_key].nil?
+
           if File.file?(config[:post_deployment_template])
             post_deployment_name = "post-deploy-#{state[:uuid]}"
             info "Creating deployment: #{post_deployment_name}"
@@ -325,6 +339,10 @@ module Kitchen
           result = get_public_ip(state[:azure_resource_group_name], "publicip")
           info "IP Address is: #{result.ip_address} [#{result.dns_settings.fqdn}]"
           state[:hostname] = result.ip_address
+          if config[:use_fqdn_hostname]
+            info "Using FQDN to communicate instead of IP"
+            state[:hostname] = result.dns_settings.fqdn
+          end
         else
           # Retrieve the internal IP from the resource group:
           result = get_network_interface(state[:azure_resource_group_name], vmnic.to_s)
@@ -333,15 +351,24 @@ module Kitchen
         end
       end
 
+      # Return a True of False if the state is already stored for a particular property.
+      #
+      # @param [Hash] Hash of existing state values.
+      # @param [String] A property to check
+      # @return [Boolean]
       def existing_state_value?(state, property)
         state.key?(property) && !state[property].nil?
       end
 
+      # Leverage existing state values or bring state into existence from a configuration file.
+      #
+      # @param [Hash] Existing Hash of state values.
+      # @return [Hash] Updated Hash of state values.
       def validate_state(state = {})
         state[:uuid] = SecureRandom.hex(8) unless existing_state_value?(state, :uuid)
         state[:server_id] = "vm#{state[:uuid]}" unless existing_state_value?(state, :server_id)
         state[:azure_resource_group_name] = azure_resource_group_name unless existing_state_value?(state, :azure_resource_group_name)
-        %i{subscription_id username password vm_name azure_environment use_managed_disks}.each do |config_element|
+        %i{subscription_id vm_name azure_environment use_managed_disks}.each do |config_element|
           state[config_element] = config[config_element] unless existing_state_value?(state, config_element)
         end
         state.delete(:password) unless instance.transport[:ssh_key].nil?
@@ -522,11 +549,38 @@ module Kitchen
       end
 
       def destroy(state)
-        return if state[:server_id].nil?
+        # TODO: We have some not so fun state issues we need to clean up
+        state[:azure_environment] = config[:azure_environment] unless state[:azure_environment]
+        state[:subscription_id] = config[:subscription_id] unless state[:subscription_id]
 
+        # Setup our authentication components for the SDK
         options = Kitchen::Driver::AzureCredentials.new(subscription_id: state[:subscription_id],
-                                                        environment: state[:azure_environment]).azure_options
+          environment: state[:azure_environment]).azure_options
         @resource_management_client = ::Azure::Resources::Profiles::Latest::Mgmt::Client.new(options)
+
+        # If we don't have any instances, let's check to see if the user wants to delete a resource group and if so let's delete!
+        if state[:server_id].nil? && state[:azure_resource_group_name].nil? && !config[:explicit_resource_group_name].nil? && config[:destroy_explicit_resource_group]
+          if resource_group_exists?(config[:explicit_resource_group_name])
+            info "This instance doesn't exist but you asked to delete the resource group."
+            begin
+              info "Destroying Resource Group: #{config[:explicit_resource_group_name]}"
+              delete_resource_group_async(config[:explicit_resource_group_name])
+              info "Destroy operation accepted and will continue in the background."
+              return
+            rescue ::MsRestAzure::AzureOperationError => operation_error
+              error operation_error.body
+              raise operation_error
+            end
+          end
+        end
+
+        # Our working environment
+        info "Azure environment: #{state[:azure_environment]}"
+
+        # Skip if we don't have any instances
+        return if state[:server_id].nil?
+
+        # Destroy resource group contents
         if config[:destroy_resource_group_contents] == true
           info "Destroying individual resources within the Resource Group."
           empty_deployment_name = "empty-deploy-#{state[:uuid]}"
@@ -534,25 +588,49 @@ module Kitchen
             info "Creating deployment: #{empty_deployment_name}"
             create_deployment_async(state[:azure_resource_group_name], empty_deployment_name, empty_deployment).value!
             follow_deployment_until_end_state(state[:azure_resource_group_name], empty_deployment_name)
+
+            # NOTE: We are using the internal wrapper function create_resource_group() which wraps the API
+            # method of create_or_update()
+            begin
+              # Maintain tags on the resource group
+              create_resource_group(state[:azure_resource_group_name], get_resource_group) unless config[:destroy_explicit_resource_group_tags] == true
+              warn 'The "destroy_explicit_resource_group_tags" setting value is set to "false". The tags on the resource group will NOT be removed.' unless config[:destroy_explicit_resource_group_tags] == true
+              # Corner case where we want to use kitchen to remove the tags
+              resource_group = get_resource_group
+              resource_group.tags = {}
+              create_resource_group(state[:azure_resource_group_name], resource_group) unless config[:destroy_explicit_resource_group_tags] == false
+              warn 'The "destroy_explicit_resource_group_tags" setting value is set to "true". The tags on the resource group will be removed.' unless config[:destroy_explicit_resource_group_tags] == false
+            rescue ::MsRestAzure::AzureOperationError => operation_error
+              error operation_error.body
+              raise operation_error
+            end
+
           rescue ::MsRestAzure::AzureOperationError => operation_error
             error operation_error.body
             raise operation_error
           end
         end
+
+        # Do not remove the explicitly named resource group
         if config[:destroy_explicit_resource_group] == false && !config[:explicit_resource_group_name].nil?
           warn 'The "destroy_explicit_resource_group" setting value is set to "false". The resource group will not be deleted.'
           warn 'Remember to manually destroy resources, or set "destroy_resource_group_contents: true" to save costs!' unless config[:destroy_resource_group_contents] == true
-          return
+          return state
         end
-        info "Azure environment: #{state[:azure_environment]}"
+
+        # Destroy the world
         begin
           info "Destroying Resource Group: #{state[:azure_resource_group_name]}"
           delete_resource_group_async(state[:azure_resource_group_name])
           info "Destroy operation accepted and will continue in the background."
+          # Remove resource group name from driver state
+          state.delete(:azure_resource_group_name)
         rescue ::MsRestAzure::AzureOperationError => operation_error
           error operation_error.body
           raise operation_error
         end
+
+        # Clear state of components
         state.delete(:server_id)
         state.delete(:hostname)
         state.delete(:username)
@@ -706,6 +784,36 @@ module Kitchen
       # Wrapper methods for the Azure API calls to retry the calls when getting timeouts.
       #
 
+      # Create a new resource group object and set the location and tags attributes then return it.
+      #
+      # @return [::Azure::Resources::Profiles::Latest::Mgmt::Models::ResourceGroup] A new resource group object.
+      def get_resource_group
+        resource_group = ::Azure::Resources::Profiles::Latest::Mgmt::Models::ResourceGroup.new
+        resource_group.location = config[:location]
+        resource_group.tags = config[:resource_group_tags]
+        resource_group
+      end
+
+      # Checks whether a resource group exists.
+      #
+      # @param resource_group_name [String] The name of the resource group to check.
+      # The name is case insensitive.
+      #
+      # @return [Boolean] operation results.
+      #
+      def resource_group_exists?(resource_group_name)
+        retries = config[:azure_api_retries]
+        begin
+          resource_management_client.resource_groups.check_existence(resource_group_name)
+        rescue Faraday::TimeoutError, Faraday::ClientError => exception
+          send_exception_message(exception, "while checking if resource group '#{resource_group_name}' exists. #{retries} retries left.")
+          raise if retries == 0
+
+          retries -= 1
+          retry
+        end
+      end
+
       def create_resource_group(resource_group_name, resource_group)
         retries = config[:azure_api_retries]
         begin

data/templates/internal.erb

@@ -178,10 +178,10 @@
             }
         },
         "userAssignedIdentities": {
-            "type": "array",
-            "defaultValue": [],
+            "type": "object",
+            "defaultValue": {},
             "metadata": {
-                "description": "A list of resource IDs for user identities to associate with the Virtual Machine, or empty to disable user assigned identities."
+                "description": "An object whose keys are resource IDs for user identities to associate with the Virtual Machine and whose values are empty objects, or empty to disable user assigned identities."
             }
         },
         "bootDiagnosticsEnabled": {
@@ -415,7 +415,7 @@
             <%- end -%>
             "identity": {
                 "type": "[variables('vmIdentityType')]",
-                "identityIds": "[if(empty(parameters('userAssignedIdentities')), json('null'), parameters('userAssignedIdentities'))]"
+                "userAssignedIdentities": "[if(empty(parameters('userAssignedIdentities')), json('null'), parameters('userAssignedIdentities'))]"
             },
             "tags": {
                 <%= vm_tags unless vm_tags.empty? %>

data/templates/public.erb

@@ -178,10 +178,10 @@
             }
         },
         "userAssignedIdentities": {
-            "type": "array",
-            "defaultValue": [],
+            "type": "object",
+            "defaultValue": {},
             "metadata": {
-                "description": "A list of resource IDs for user identities to associate with the Virtual Machine, or empty to disable user assigned identities."
+                "description": "An object whose keys are resource IDs for user identities to associate with the Virtual Machine and whose values are empty objects, or empty to disable user assigned identities."
             }
         },
         "bootDiagnosticsEnabled": {
@@ -434,7 +434,7 @@
             <%- end -%>
             "identity": {
                 "type": "[variables('vmIdentityType')]",
-                "identityIds": "[if(empty(parameters('userAssignedIdentities')), json('null'), parameters('userAssignedIdentities'))]"
+                "userAssignedIdentities": "[if(empty(parameters('userAssignedIdentities')), json('null'), parameters('userAssignedIdentities'))]"
             },
             "tags": {
                 <%= vm_tags unless vm_tags.empty? %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kitchen-azurerm
 version: !ruby/object:Gem::Version
-  version: 0.17.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Stuart Preston
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-23 00:00:00.000000000 Z
+date: 2020-09-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: azure_mgmt_network
@@ -128,16 +128,16 @@ dependencies:
   name: chefstyle
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.4.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -212,7 +212,7 @@ homepage: https://github.com/test-kitchen/kitchen-azurerm
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -228,7 +228,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.2
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Test Kitchen driver for Azure Resource Manager.
 test_files: []