From fb100b35a6258b33d5a1a30c2fed0f920634f54f Mon Sep 17 00:00:00 2001
From: David Alexander <opensource@thelonelyghost.com>
Date: Wed, 13 Mar 2024 19:27:01 -0400
Subject: [PATCH] Fixes #2189: `environment` defaults to Azure Public Cloud

Ideally this would be drawn from Vault Server, but the documented
default there is to point at Azure Public Cloud. This seems like a
decent compromise.

Signed-off-by: David Alexander <opensource@thelonelyghost.com>
---
 CHANGELOG.md                                       | 3 +++
 vault/data_source_azure_access_credentials.go      | 5 ++++-
 vault/data_source_azure_access_credentials_test.go | 6 ++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6fb86fdf..728cef792 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
 
+BUGS:
+* fix `vault_azure_access_credentials` to default to Azure Public Cloud ([#2190](https://github.com/hashicorp/terraform-provider-vault/pull/2190))
+
 ## 4.0.0 (Mar 13, 2024)
 
 **Important**: This release requires read policies to be set at the path level for mount metadata.
diff --git a/vault/data_source_azure_access_credentials.go b/vault/data_source_azure_access_credentials.go
index 7dca1dfd9..5f0846ac5 100644
--- a/vault/data_source_azure_access_credentials.go
+++ b/vault/data_source_azure_access_credentials.go
@@ -125,7 +125,7 @@ func azureAccessCredentialsDataSource() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 				Description: `The Azure environment to use during credential validation.
-Defaults to the environment configured in the Vault backend.
+Defaults to the Azure Public Cloud.
 Some possible values: AzurePublicCloud, AzureUSGovernmentCloud`,
 			},
 		},
@@ -313,6 +313,9 @@ func azureAccessCredentialsDataSourceRead(ctx context.Context, d *schema.Resourc
 }
 
 func getAzureCloudConfigFromName(name string) (cloud.Configuration, error) {
+	if name == "" {
+		return cloud.AzurePublic, nil
+	}
 	if c, ok := azureCloudConfigMap[strings.ToUpper(name)]; !ok {
 		return c, fmt.Errorf("unsupported Azure cloud name %q", name)
 	} else {
diff --git a/vault/data_source_azure_access_credentials_test.go b/vault/data_source_azure_access_credentials_test.go
index 5fdf380f5..a1fe24506 100644
--- a/vault/data_source_azure_access_credentials_test.go
+++ b/vault/data_source_azure_access_credentials_test.go
@@ -173,6 +173,12 @@ func Test_getAzureCloudConfigFromName(t *testing.T) {
 			cloudName: "unknown",
 			wantErr:   true,
 		},
+		{
+			name:      "empty",
+			cloudName: "",
+			want:      cloud.AzurePublic,
+			wantErr:   false,
+		},
 	}
 	for k, v := range azureCloudConfigMap {
 		tests = append(tests, test{