provider/azurerm: EventHub Authorization Rules (#10971)

* Adding a missing property to the Consumer Groups doc

* Support for Event Hub Authorization Rules

* Documentation for Authorization Rules

* Missed a comment

* Fixing the `no authorisation rule` state

* Making the documentation around the Permissions more explicit / updating the import url

* Fixing up the tests

* Clearing up the docs

* Fixing the linting

* Moving the validation inside of the expand

builtin/providers/azurerm/import_arm_eventhub_authorization_rule_test.go

@@ -0,0 +1,106 @@
+package azurerm
+
+import (
+	"testing"
+
+	"fmt"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAzureRMEventHubAuthorizationRule_importListen(t *testing.T) {
+	resourceName := "azurerm_eventhub_authorization_rule.test"
+
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_listen, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+			},
+
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMEventHubAuthorizationRule_importSend(t *testing.T) {
+	resourceName := "azurerm_eventhub_authorization_rule.test"
+
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_send, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+			},
+
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMEventHubAuthorizationRule_importReadWrite(t *testing.T) {
+	resourceName := "azurerm_eventhub_authorization_rule.test"
+
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_readwrite, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+			},
+
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAzureRMEventHubAuthorizationRule_importManage(t *testing.T) {
+	resourceName := "azurerm_eventhub_authorization_rule.test"
+
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_manage, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+			},
+
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}

builtin/providers/azurerm/provider.go

@@ -56,9 +56,10 @@ func Provider() terraform.ResourceProvider {
 			"azurerm_cdn_profile":        resourceArmCdnProfile(),
 			"azurerm_container_registry": resourceArmContainerRegistry(),
 
-			"azurerm_eventhub":                resourceArmEventHub(),
+			"azurerm_eventhub":                    resourceArmEventHub(),
-			"azurerm_eventhub_consumer_group": resourceArmEventHubConsumerGroup(),
+			"azurerm_eventhub_authorization_rule": resourceArmEventHubAuthorizationRule(),
-			"azurerm_eventhub_namespace":      resourceArmEventHubNamespace(),
+			"azurerm_eventhub_consumer_group":     resourceArmEventHubConsumerGroup(),
+			"azurerm_eventhub_namespace":          resourceArmEventHubNamespace(),
 
 			"azurerm_lb":                      resourceArmLoadBalancer(),
 			"azurerm_lb_backend_address_pool": resourceArmLoadBalancerBackendAddressPool(),

builtin/providers/azurerm/resource_arm_eventhub_authorization_rule.go

@@ -0,0 +1,250 @@
+package azurerm
+
+import (
+	"fmt"
+	"log"
+
+	"net/http"
+
+	"github.com/Azure/azure-sdk-for-go/arm/eventhub"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceArmEventHubAuthorizationRule() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceArmEventHubAuthorizationRuleCreateUpdate,
+		Read:   resourceArmEventHubAuthorizationRuleRead,
+		Update: resourceArmEventHubAuthorizationRuleCreateUpdate,
+		Delete: resourceArmEventHubAuthorizationRuleDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"namespace_name": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"eventhub_name": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"resource_group_name": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"location": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"listen": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
+			"send": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
+			"manage": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
+			"primary_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"primary_connection_string": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"secondary_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"secondary_connection_string": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceArmEventHubAuthorizationRuleCreateUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).eventHubClient
+	log.Printf("[INFO] preparing arguments for Azure ARM EventHub Authorization Rule creation.")
+
+	name := d.Get("name").(string)
+	namespaceName := d.Get("namespace_name").(string)
+	eventHubName := d.Get("eventhub_name").(string)
+	location := d.Get("location").(string)
+	resGroup := d.Get("resource_group_name").(string)
+
+	rights, err := expandEventHubAuthorizationRuleAccessRights(d)
+	if err != nil {
+		return err
+	}
+
+	parameters := eventhub.SharedAccessAuthorizationRuleCreateOrUpdateParameters{
+		Name:     &name,
+		Location: &location,
+		SharedAccessAuthorizationRuleProperties: &eventhub.SharedAccessAuthorizationRuleProperties{
+			Rights: rights,
+		},
+	}
+
+	_, err = client.CreateOrUpdateAuthorizationRule(resGroup, namespaceName, eventHubName, name, parameters)
+	if err != nil {
+		return err
+	}
+
+	read, err := client.GetAuthorizationRule(resGroup, namespaceName, eventHubName, name)
+	if err != nil {
+		return err
+	}
+
+	if read.ID == nil {
+		return fmt.Errorf("Cannot read EventHub Authorization Rule %s (resource group %s) ID", name, resGroup)
+	}
+
+	d.SetId(*read.ID)
+
+	return resourceArmEventHubAuthorizationRuleRead(d, meta)
+}
+
+func resourceArmEventHubAuthorizationRuleRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).eventHubClient
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+	resGroup := id.ResourceGroup
+	namespaceName := id.Path["namespaces"]
+	eventHubName := id.Path["eventhubs"]
+	name := id.Path["authorizationRules"]
+
+	resp, err := client.GetAuthorizationRule(resGroup, namespaceName, eventHubName, name)
+	if err != nil {
+		return fmt.Errorf("Error making Read request on Azure EventHub Authorization Rule %s: %s", name, err)
+	}
+	if resp.StatusCode == http.StatusNotFound {
+		d.SetId("")
+		return nil
+	}
+
+	keysResp, err := client.ListKeys(resGroup, namespaceName, eventHubName, name)
+	if err != nil {
+		return fmt.Errorf("Error making Read request on Azure EventHub Authorization Rule List Keys %s: %s", name, err)
+	}
+
+	d.Set("name", name)
+	d.Set("eventhub_name", eventHubName)
+	d.Set("namespace_name", namespaceName)
+	d.Set("resource_group_name", resGroup)
+	d.Set("location", azureRMNormalizeLocation(*resp.Location))
+
+	flattenEventHubAuthorizationRuleAccessRights(d, resp)
+
+	d.Set("primary_key", keysResp.PrimaryKey)
+	d.Set("primary_connection_string", keysResp.PrimaryConnectionString)
+	d.Set("secondary_key", keysResp.SecondaryKey)
+	d.Set("secondary_connection_string", keysResp.SecondaryConnectionString)
+
+	return nil
+}
+
+func resourceArmEventHubAuthorizationRuleDelete(d *schema.ResourceData, meta interface{}) error {
+	eventhubClient := meta.(*ArmClient).eventHubClient
+
+	id, err := parseAzureResourceID(d.Id())
+	if err != nil {
+		return err
+	}
+	resGroup := id.ResourceGroup
+	namespaceName := id.Path["namespaces"]
+	eventHubName := id.Path["eventhubs"]
+	name := id.Path["authorizationRules"]
+
+	resp, err := eventhubClient.DeleteAuthorizationRule(resGroup, namespaceName, eventHubName, name)
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("Error issuing Azure ARM delete request of EventHub Authorization Rule '%s': %s", name, err)
+	}
+
+	return nil
+}
+
+func expandEventHubAuthorizationRuleAccessRights(d *schema.ResourceData) (*[]eventhub.AccessRights, error) {
+	canSend := d.Get("send").(bool)
+	canListen := d.Get("listen").(bool)
+	canManage := d.Get("manage").(bool)
+	rights := []eventhub.AccessRights{}
+	if canListen {
+		rights = append(rights, eventhub.Listen)
+	}
+
+	if canSend {
+		rights = append(rights, eventhub.Send)
+	}
+
+	if canManage {
+		rights = append(rights, eventhub.Manage)
+	}
+
+	if len(rights) == 0 {
+		return nil, fmt.Errorf("At least one Authorization Rule State must be enabled (e.g. Listen/Manage/Send)")
+	}
+
+	if canManage && !(canListen && canSend) {
+		return nil, fmt.Errorf("In order to enable the 'Manage' Authorization Rule - both the 'Listen' and 'Send' rules must be enabled")
+	}
+
+	return &rights, nil
+}
+
+func flattenEventHubAuthorizationRuleAccessRights(d *schema.ResourceData, resp eventhub.SharedAccessAuthorizationRuleResource) {
+
+	var canListen = false
+	var canSend = false
+	var canManage = false
+
+	for _, right := range *resp.Rights {
+		switch right {
+		case eventhub.Listen:
+			canListen = true
+		case eventhub.Send:
+			canSend = true
+		case eventhub.Manage:
+			canManage = true
+		default:
+			log.Printf("[DEBUG] Unknown Authorization Rule Right '%s'", right)
+		}
+	}
+
+	d.Set("listen", canListen)
+	d.Set("send", canSend)
+	d.Set("manage", canManage)
+}

builtin/providers/azurerm/resource_arm_eventhub_authorization_rule_test.go

@@ -0,0 +1,263 @@
+package azurerm
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAzureRMEventHubAuthorizationRule_listen(t *testing.T) {
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_listen, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMEventHubAuthorizationRuleExists("azurerm_eventhub_authorization_rule.test"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMEventHubAuthorizationRule_send(t *testing.T) {
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_send, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMEventHubAuthorizationRuleExists("azurerm_eventhub_authorization_rule.test"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMEventHubAuthorizationRule_readwrite(t *testing.T) {
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_readwrite, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMEventHubAuthorizationRuleExists("azurerm_eventhub_authorization_rule.test"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAzureRMEventHubAuthorizationRule_manage(t *testing.T) {
+	ri := acctest.RandInt()
+	config := fmt.Sprintf(testAccAzureRMEventHubAuthorizationRule_manage, ri, ri, ri, ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMEventHubAuthorizationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMEventHubAuthorizationRuleExists("azurerm_eventhub_authorization_rule.test"),
+				),
+			},
+		},
+	})
+}
+
+func testCheckAzureRMEventHubAuthorizationRuleDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*ArmClient).eventHubClient
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "azurerm_eventhub_authorization_rule" {
+			continue
+		}
+
+		name := rs.Primary.Attributes["name"]
+		namespaceName := rs.Primary.Attributes["namespace_name"]
+		eventHubName := rs.Primary.Attributes["eventhub_name"]
+		resourceGroup := rs.Primary.Attributes["resource_group_name"]
+
+		resp, err := conn.GetAuthorizationRule(resourceGroup, namespaceName, eventHubName, name)
+		if err != nil {
+			return nil
+		}
+
+		if resp.StatusCode != http.StatusNotFound {
+			return fmt.Errorf("EventHub Authorization Rule still exists:\n%#v", resp)
+		}
+	}
+
+	return nil
+}
+
+func testCheckAzureRMEventHubAuthorizationRuleExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Ensure we have enough information in state to look up in API
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		name := rs.Primary.Attributes["name"]
+		namespaceName := rs.Primary.Attributes["namespace_name"]
+		eventHubName := rs.Primary.Attributes["eventhub_name"]
+		resourceGroup, hasResourceGroup := rs.Primary.Attributes["resource_group_name"]
+		if !hasResourceGroup {
+			return fmt.Errorf("Bad: no resource group found in state for Event Hub: %s", name)
+		}
+
+		conn := testAccProvider.Meta().(*ArmClient).eventHubClient
+		resp, err := conn.GetAuthorizationRule(resourceGroup, namespaceName, eventHubName, name)
+		if err != nil {
+			return fmt.Errorf("Bad: Get on eventHubClient: %s", err)
+		}
+
+		if resp.StatusCode == http.StatusNotFound {
+			return fmt.Errorf("Bad: Event Hub Authorization Rule %q (eventhub %s, namespace %s / resource group: %s) does not exist", name, eventHubName, namespaceName, resourceGroup)
+		}
+
+		return nil
+	}
+}
+
+var testAccAzureRMEventHubAuthorizationRule_listen = `
+resource "azurerm_resource_group" "test" {
+    name = "acctestRG-%d"
+    location = "West US"
+}
+resource "azurerm_eventhub_namespace" "test" {
+    name = "acctesteventhubnamespace-%d"
+    location = "${azurerm_resource_group.test.location}"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    sku = "Standard"
+}
+resource "azurerm_eventhub" "test" {
+  name                = "acctesteventhub-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  partition_count     = 2
+  message_retention   = 7
+}
+resource "azurerm_eventhub_authorization_rule" "test" {
+  name                = "acctesteventhubrule-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  eventhub_name       = "${azurerm_eventhub.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  listen              = true
+  send                = false
+  manage              = false
+}`
+
+var testAccAzureRMEventHubAuthorizationRule_send = `
+resource "azurerm_resource_group" "test" {
+    name = "acctestRG-%d"
+    location = "West US"
+}
+resource "azurerm_eventhub_namespace" "test" {
+    name = "acctesteventhubnamespace-%d"
+    location = "${azurerm_resource_group.test.location}"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    sku = "Standard"
+}
+resource "azurerm_eventhub" "test" {
+  name                = "acctesteventhub-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  partition_count     = 2
+  message_retention   = 7
+}
+resource "azurerm_eventhub_authorization_rule" "test" {
+  name                = "acctesteventhubrule-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  eventhub_name       = "${azurerm_eventhub.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  listen              = false
+  send                = true
+  manage              = false
+}`
+
+var testAccAzureRMEventHubAuthorizationRule_readwrite = `
+resource "azurerm_resource_group" "test" {
+    name = "acctestRG-%d"
+    location = "West US"
+}
+resource "azurerm_eventhub_namespace" "test" {
+    name = "acctesteventhubnamespace-%d"
+    location = "${azurerm_resource_group.test.location}"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    sku = "Standard"
+}
+resource "azurerm_eventhub" "test" {
+  name                = "acctesteventhub-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  partition_count     = 2
+  message_retention   = 7
+}
+resource "azurerm_eventhub_authorization_rule" "test" {
+  name                = "acctesteventhubrule-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  eventhub_name       = "${azurerm_eventhub.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  listen              = true
+  send                = true
+  manage              = false
+}`
+
+var testAccAzureRMEventHubAuthorizationRule_manage = `
+resource "azurerm_resource_group" "test" {
+    name = "acctestRG-%d"
+    location = "West US"
+}
+resource "azurerm_eventhub_namespace" "test" {
+    name = "acctesteventhubnamespace-%d"
+    location = "${azurerm_resource_group.test.location}"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    sku = "Standard"
+}
+resource "azurerm_eventhub" "test" {
+  name                = "acctesteventhub-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  partition_count     = 2
+  message_retention   = 7
+}
+resource "azurerm_eventhub_authorization_rule" "test" {
+  name                = "acctesteventhubrule-%d"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  eventhub_name       = "${azurerm_eventhub.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  listen              = true
+  send                = true
+  manage              = true
+}`

website/source/docs/providers/azurerm/r/eventhub_authorization_rule.html.markdown

@@ -0,0 +1,97 @@
+---
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_eventhub_authorization_rule"
+sidebar_current: "docs-azurerm-resource-eventhub-authorization-rule"
+description: |-
+  Creates a new Event Hub Authorization Rule within an Event Hub.
+---
+
+# azurerm\_eventhub\_authorization\_rule
+
+Creates a new Event Hub Authorization Rule within an Event Hub.
+
+## Example Usage
+
+```
+resource "azurerm_resource_group" "test" {
+    name = "resourceGroup1"
+    location = "West US"
+}
+
+resource "azurerm_eventhub_namespace" "test" {
+    name = "acceptanceTestEventHubNamespace"
+    location = "West US"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    sku = "Basic"
+    capacity = 2
+
+    tags {
+        environment = "Production"
+    }
+}
+
+resource "azurerm_eventhub" "test" {
+  name                = "acceptanceTestEventHub"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  partition_count     = 2
+  message_retention   = 2
+}
+
+resource "azurerm_eventhub_authorization_rule" "test" {
+  name                = "navi"
+  namespace_name      = "${azurerm_eventhub_namespace.test.name}"
+  eventhub_name       = "${azurerm_eventhub.test.name}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+  listen              = true
+  send                = false
+  manage              = false
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) Specifies the name of the EventHub Authorization Rule resource. Changing this forces a new resource to be created.
+
+* `namespace_name` - (Required) Specifies the name of the grandparent EventHub Namespace. Changing this forces a new resource to be created.
+
+* `eventhub_name` - (Required) Specifies the name of the EventHub. Changing this forces a new resource to be created.
+
+* `resource_group_name` - (Required) The name of the resource group in which the EventHub Namespace exists. Changing this forces a new resource to be created.
+
+* `location` - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
+
+~> **NOTE** At least one of the 3 permissions below needs to be set.
+
+* `listen` - (Optional) Does this Authorization Rule have permissions to Listen to the Event Hub? Defaults to `false`.
+
+* `send` - (Optional) Does this Authorization Rule have permissions to Send to the Event Hub? Defaults to `false`.
+
+* `manage` - (Optional) Does this Authorization Rule have permissions to Manage to the Event Hub? When this property is `true` - both `listen` and `send` must be too. Defaults to `false`.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The EventHub ID.
+
+* `primary_key` - The Primary Key for the Event Hub Authorization Rule.
+
+* `primary_connection_string` - The Primary Connection String for the Event Hub Authorization Rule.
+
+* `secondary_key` - The Secondary Key for the Event Hub Authorization Rule.
+
+* `secondary_connection_string` - The Secondary Connection String for the Event Hub Authorization Rule.
+
+
+## Import
+
+EventHubs can be imported using the `resource id`, e.g.
+
+```
+terraform import azurerm_eventhub_authorization_rule.rule1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.EventHub/namespaces/namespace1/eventhubs/eventhub1/authorizationRules/rule1
+```

website/source/docs/providers/azurerm/r/eventhub_consumer_group.html.markdown

@@ -57,6 +57,8 @@ The following arguments are supported:
 
 * `namespace_name` - (Required) Specifies the name of the grandparent EventHub Namespace. Changing this forces a new resource to be created.
 
+* `eventhub_name` - (Required) Specifies the name of the EventHub. Changing this forces a new resource to be created.
+
 * `resource_group_name` - (Required) The name of the resource group in which the EventHub Consumer Group's grandparent Namespace exists. Changing this forces a new resource to be created.
 
 * `location` - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

website/source/layouts/azurerm.erb

@@ -100,6 +100,9 @@
                 <li<%= sidebar_current("docs-azurerm-resource-eventhub") %>>
                   <a href="/docs/providers/azurerm/r/eventhub.html">azurerm_eventhub</a>
                 </li>
+                <li<%= sidebar_current("docs-azurerm-resource-eventhub-authorization-rule") %>>
+                  <a href="/docs/providers/azurerm/r/eventhub_authorization_rule.html">azurerm_eventhub_authorization_rule</a>
+                </li>
                 <li<%= sidebar_current("docs-azurerm-resource-eventhub-consumer-group") %>>
                   <a href="/docs/providers/azurerm/r/eventhub_consumer_group.html">azurerm_eventhub_consumer_group</a>
                 </li>