azurerm_cognitive_account supports ignore_missing_vnet_service_endpoi…

…nt (#12600)
hashicorp · Jul 15, 2021 · 5ea98ee · 5ea98ee
1 parent 87f5f53
commit 5ea98ee
Show file tree

Hide file tree

Showing 3 changed files with 142 additions and 16 deletions.
diff --git a/azurerm/internal/services/cognitive/cognitive_account_resource.go b/azurerm/internal/services/cognitive/cognitive_account_resource.go
@@ -226,10 +226,36 @@ func resourceCognitiveAccount() *pluginsdk.Resource {
 							},
 							Set: set.HashIPv4AddressOrCIDR,
 						},
+						// TODO 3.0 - Remove below property
 						"virtual_network_subnet_ids": {
-							Type:     pluginsdk.TypeSet,
-							Optional: true,
-							Elem:     &pluginsdk.Schema{Type: pluginsdk.TypeString},
+							Type:          pluginsdk.TypeSet,
+							Optional:      true,
+							Computed:      true,
+							ConflictsWith: []string{"network_acls.0.virtual_network_rules"},
+							Deprecated:    "Deprecated in favour of `virtual_network_rules`",
+							Elem:          &pluginsdk.Schema{Type: pluginsdk.TypeString},
+						},
+
+						"virtual_network_rules": {
+							Type:          pluginsdk.TypeSet,
+							Optional:      true,
+							Computed:      true, // TODO -- remove this when deprecation resolves
+							ConflictsWith: []string{"network_acls.0.virtual_network_subnet_ids"},
+							ConfigMode:    pluginsdk.SchemaConfigModeAttr, // TODO -- remove in 3.0, because this property is optional and computed, it has to be declared as empty array to remove existed values
+							Elem: &pluginsdk.Resource{
+								Schema: map[string]*pluginsdk.Schema{
+									"subnet_id": {
+										Type:     pluginsdk.TypeString,
+										Required: true,
+									},
+
+									"ignore_missing_vnet_service_endpoint": {
+										Type:     pluginsdk.TypeBool,
+										Optional: true,
+										Default:  false,
+									},
+								},
+							},
 						},
 					},
 				},
@@ -322,7 +348,7 @@ func resourceCognitiveAccountCreate(d *pluginsdk.ResourceData, meta interface{})
 		return fmt.Errorf("expanding sku_name for %s: %v", id, err)
 	}
 
-	networkAcls, subnetIds := expandCognitiveAccountNetworkAcls(d.Get("network_acls").([]interface{}))
+	networkAcls, subnetIds := expandCognitiveAccountNetworkAcls(d)
 
 	// also lock on the Virtual Network ID's since modifications in the networking stack are exclusive
 	virtualNetworkNames := make([]string, 0)
@@ -407,7 +433,7 @@ func resourceCognitiveAccountUpdate(d *pluginsdk.ResourceData, meta interface{})
 		return fmt.Errorf("error expanding sku_name for %s: %+v", *id, err)
 	}
 
-	networkAcls, subnetIds := expandCognitiveAccountNetworkAcls(d.Get("network_acls").([]interface{}))
+	networkAcls, subnetIds := expandCognitiveAccountNetworkAcls(d)
 
 	// also lock on the Virtual Network ID's since modifications in the networking stack are exclusive
 	virtualNetworkNames := make([]string, 0)
@@ -620,7 +646,8 @@ func cognitiveAccountStateRefreshFunc(ctx context.Context, client *cognitiveserv
 	}
 }
 
-func expandCognitiveAccountNetworkAcls(input []interface{}) (*cognitiveservices.NetworkRuleSet, []string) {
+func expandCognitiveAccountNetworkAcls(d *pluginsdk.ResourceData) (*cognitiveservices.NetworkRuleSet, []string) {
+	input := d.Get("network_acls").([]interface{})
 	subnetIds := make([]string, 0)
 	if len(input) == 0 || input[0] == nil {
 		return nil, subnetIds
@@ -640,15 +667,30 @@ func expandCognitiveAccountNetworkAcls(input []interface{}) (*cognitiveservices.
 		ipRules = append(ipRules, rule)
 	}
 
-	networkRulesRaw := v["virtual_network_subnet_ids"].(*pluginsdk.Set)
 	networkRules := make([]cognitiveservices.VirtualNetworkRule, 0)
-	for _, v := range networkRulesRaw.List() {
-		rawId := v.(string)
-		subnetIds = append(subnetIds, rawId)
-		rule := cognitiveservices.VirtualNetworkRule{
-			ID: utils.String(rawId),
+	if d.HasChange("network_acls.0.virtual_network_subnet_ids") {
+		networkRulesRaw := v["virtual_network_subnet_ids"]
+		for _, v := range networkRulesRaw.(*pluginsdk.Set).List() {
+			rawId := v.(string)
+			subnetIds = append(subnetIds, rawId)
+			rule := cognitiveservices.VirtualNetworkRule{
+				ID: utils.String(rawId),
+			}
+			networkRules = append(networkRules, rule)
+		}
+	}
+	if d.HasChange("network_acls.0.virtual_network_rules") {
+		networkRulesRaw := v["virtual_network_rules"]
+		for _, v := range networkRulesRaw.(*pluginsdk.Set).List() {
+			value := v.(map[string]interface{})
+			subnetId := value["subnet_id"].(string)
+			subnetIds = append(subnetIds, subnetId)
+			rule := cognitiveservices.VirtualNetworkRule{
+				ID:                               utils.String(subnetId),
+				IgnoreMissingVnetServiceEndpoint: utils.Bool(value["ignore_missing_vnet_service_endpoint"].(bool)),
+			}
+			networkRules = append(networkRules, rule)
 		}
-		networkRules = append(networkRules, rule)
 	}
 
 	ruleSet := cognitiveservices.NetworkRuleSet{
@@ -768,6 +810,7 @@ func flattenCognitiveAccountNetworkAcls(input *cognitiveservices.NetworkRuleSet)
 		}
 	}
 
+	virtualNetworkSubnetIds := make([]interface{}, 0)
 	virtualNetworkRules := make([]interface{}, 0)
 	if input.VirtualNetworkRules != nil {
 		for _, v := range *input.VirtualNetworkRules {
@@ -781,14 +824,19 @@ func flattenCognitiveAccountNetworkAcls(input *cognitiveservices.NetworkRuleSet)
 				id = subnetId.ID()
 			}
 
-			virtualNetworkRules = append(virtualNetworkRules, id)
+			virtualNetworkSubnetIds = append(virtualNetworkSubnetIds, id)
+			virtualNetworkRules = append(virtualNetworkRules, map[string]interface{}{
+				"subnet_id":                            id,
+				"ignore_missing_vnet_service_endpoint": *v.IgnoreMissingVnetServiceEndpoint,
+			})
 		}
 	}
 	return []interface{}{
 		map[string]interface{}{
 			"default_action":             string(input.DefaultAction),
 			"ip_rules":                   pluginsdk.NewSet(pluginsdk.HashString, ipRules),
-			"virtual_network_subnet_ids": pluginsdk.NewSet(pluginsdk.HashString, virtualNetworkRules),
+			"virtual_network_subnet_ids": pluginsdk.NewSet(pluginsdk.HashString, virtualNetworkSubnetIds),
+			"virtual_network_rules":      virtualNetworkRules,
 		},
 	}
 }

diff --git a/azurerm/internal/services/cognitive/cognitive_account_resource_test.go b/azurerm/internal/services/cognitive/cognitive_account_resource_test.go
@@ -214,6 +214,28 @@ func TestAccCognitiveAccount_withMultipleCognitiveAccounts(t *testing.T) {
 	})
 }
 
+func TestAccCognitiveAccount_networkAclsVirtualNetworkRules(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_cognitive_account", "test")
+	r := CognitiveAccountResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.networkAclsVirtualNetworkRules(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.networkAclsVirtualNetworkRulesUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccCognitiveAccount_networkAcls(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_cognitive_account", "test")
 	r := CognitiveAccountResource{}
@@ -684,6 +706,56 @@ resource "azurerm_cognitive_account" "test" {
 `, r.networkAclsTemplate(data), data.RandomInteger, data.RandomInteger)
 }
 
+func (r CognitiveAccountResource) networkAclsVirtualNetworkRules(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_cognitive_account" "test" {
+  name                  = "acctestcogacc-%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  kind                  = "Face"
+  sku_name              = "S0"
+  custom_subdomain_name = "acctestcogacc-%d"
+
+  network_acls {
+    default_action = "Deny"
+    virtual_network_rules {
+      subnet_id = azurerm_subnet.test_a.id
+    }
+    virtual_network_rules {
+      subnet_id                            = azurerm_subnet.test_b.id
+      ignore_missing_vnet_service_endpoint = true
+    }
+
+  }
+}
+`, r.networkAclsTemplate(data), data.RandomInteger, data.RandomInteger)
+}
+
+func (r CognitiveAccountResource) networkAclsVirtualNetworkRulesUpdated(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+resource "azurerm_cognitive_account" "test" {
+  name                  = "acctestcogacc-%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  kind                  = "Face"
+  sku_name              = "S0"
+  custom_subdomain_name = "acctestcogacc-%d"
+
+  network_acls {
+    default_action = "Allow"
+    ip_rules       = ["123.0.0.101"]
+    virtual_network_rules {
+      subnet_id                            = azurerm_subnet.test_a.id
+      ignore_missing_vnet_service_endpoint = true
+    }
+  }
+}
+`, r.networkAclsTemplate(data), data.RandomInteger, data.RandomInteger)
+}
+
 func (CognitiveAccountResource) networkAclsTemplate(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {

diff --git a/website/docs/r/cognitive_account.html.markdown b/website/docs/r/cognitive_account.html.markdown
@@ -86,7 +86,13 @@ A `network_acls` block supports the following:
 
 * `ip_rules` - (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Cognitive Account.
 
-* `virtual_network_subnet_ids` - (Optional) One or more Subnet ID's which should be able to access this Cognitive Account.
+* `virtual_network_rules` - (Optional) A `virtual_network_rules` block as defined below.
+
+A `virtual_network_rules` block supports the following:
+
+* `subnet_id` - (Required) The ID of the subnet which should be able to access this Cognitive Account.
+
+* `ignore_missing_vnet_service_endpoint` - (Optional) Whether ignore missing vnet service endpoint or not. Default to `false`.
 
 ---