diff --git a/azurerm/internal/services/storage/storage_account_network_rules_resource.go b/azurerm/internal/services/storage/storage_account_network_rules_resource.go
index 85516c51dc5f..4ffe5c5fb23d 100644
--- a/azurerm/internal/services/storage/storage_account_network_rules_resource.go
+++ b/azurerm/internal/services/storage/storage_account_network_rules_resource.go
@@ -10,7 +10,6 @@ import (
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/locks"
- networkValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/network/validate"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/storage/validate"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
@@ -101,7 +100,7 @@ func resourceStorageAccountNetworkRules() *pluginsdk.Resource {
 "endpoint_resource_id": {
 Type: pluginsdk.TypeString,
 Required: true,
- ValidateFunc: networkValidate.PrivateEndpointID,
+ ValidateFunc: azure.ValidateResourceID,
 },
 "endpoint_tenant_id": {
diff --git a/azurerm/internal/services/storage/storage_account_network_rules_resource_test.go b/azurerm/internal/services/storage/storage_account_network_rules_resource_test.go
index ef9347b5888c..c38db49368c0 100644
--- a/azurerm/internal/services/storage/storage_account_network_rules_resource_test.go
+++ b/azurerm/internal/services/storage/storage_account_network_rules_resource_test.go
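Review bot: `ValidateFunc: azure.ValidateResourceID` on `endpoint_resource_id` now accepts any value that parses as an Azure resource ID, so the schema no longer says which resource types may be named in `private_link_access`. An unsupported or mistyped ID will presumably be rejected only by the service at apply time. Since each entry grants a resource access past the account's network rules, I would record that on the field: `// Accepts any resource ID; each entry is an exception to default_action = "Deny" and should be reviewed like a firewall rule.` The same replacement is made in resourceStorageAccount in storage_account_resource.go and wants the same comment. Neither import hunk adds the `azure` package, so both files must already import it outside the visible lines, and both functions continue outside their hunks.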
@@ -94,6 +94,28 @@ func TestAccStorageAccountNetworkRules_privateLinkAccess(t *testing.T) {
 })
 }
+func TestAccStorageAccountNetworkRules_SynapseAccess(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_storage_account_network_rules", "test")
+ r := StorageAccountNetworkRulesResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.disablePrivateLinkAccess(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That("azurerm_storage_account.test").ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ {
+ Config: r.synapseAccess(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That("azurerm_storage_account.test").ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func TestAccStorageAccountNetworkRules_empty(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_storage_account_network_rules", "test")
 r := StorageAccountNetworkRulesResource{}
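Review bot: Neither step of TestAccStorageAccountNetworkRules_SynapseAccess asserts anything about `private_link_access`; the only explicit check is `check.That("azurerm_storage_account.test").ExistsInAzure(r)`. Whether the Synapse workspace ID actually reached the rule is left to the framework's plan and import comparison. In the second step I would add a check on the resource under test, something like `check.That(data.ResourceName).Key("private_link_access.#").HasValue("1"),`, so a regression in the access rule fails with a clear message. TestAccStorageAccount_networkRulesSynapseAccess in storage_account_resource_test.go has the same gap and could assert the nested `network_rules` attribute the same way.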
@@ -325,3 +347,56 @@ resource "azurerm_storage_account_network_rules" "test" {
 }
 `, StorageAccountResource{}.networkRulesPrivateEndpointTemplate(data), data.RandomString)
 }
+
+func (r StorageAccountNetworkRulesResource) synapseAccess(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+%s
+
+resource "azurerm_storage_account" "synapse" {
+ name = "acctestacc%[2]s"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ account_kind = "BlobStorage"
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "test" {
+ name = "acctest-%[3]d"
+ storage_account_id = azurerm_storage_account.synapse.id
+}
+
+resource "azurerm_synapse_workspace" "test" {
+ name = "acctestsw%[3]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.test.id
+ sql_administrator_login = "sqladminuser"
+ sql_administrator_login_password = "H@Sh1CoR3!"
+}
+
+
+resource "azurerm_storage_account" "test" {
+ name = "unlikely23exst2acct%[2]s"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+
+ tags = {
+ environment = "production"
+ }
+}
+
+resource "azurerm_storage_account_network_rules" "test" {
+ resource_group_name = azurerm_resource_group.test.name
+ storage_account_name = azurerm_storage_account.test.name
+
+ default_action = "Deny"
+ ip_rules = ["127.0.0.1"]
+ private_link_access {
+ endpoint_resource_id = azurerm_synapse_workspace.test.id
+ }
+}
+`, StorageAccountResource{}.networkRulesPrivateEndpointTemplate(data), data.RandomString, data.RandomInteger)
+}
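Review bot: The `azurerm_synapse_workspace` fixture in synapseAccess sets the fixed literal `sql_administrator_login_password = "H@Sh1CoR3!"`, so each acceptance run presumably provisions a workspace whose SQL administrator credential is readable in the repository. Deriving the value per run avoids a known credential on a live resource, for example `sql_administrator_login_password = "H@Sh1CoR3!%[2]s"` with the random string already passed as the second argument. The same three Synapse resources, literal included, are repeated in networkRulesSynapseAccess in storage_account_resource_test.go. A shared template helper returning that block would keep the two copies from drifting.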
diff --git a/azurerm/internal/services/storage/storage_account_resource.go b/azurerm/internal/services/storage/storage_account_resource.go
index 8a41cab84efe..ba3c153654f6 100644
--- a/azurerm/internal/services/storage/storage_account_resource.go
+++ b/azurerm/internal/services/storage/storage_account_resource.go
@@ -18,7 +18,6 @@ import (
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/locks"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/network"
- networkValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/network/validate"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/storage/migration"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/storage/validate"
 "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tags"
@@ -296,7 +295,7 @@ func resourceStorageAccount() *pluginsdk.Resource {
 "endpoint_resource_id": {
 Type: pluginsdk.TypeString,
 Required: true,
- ValidateFunc: networkValidate.PrivateEndpointID,
+ ValidateFunc: azure.ValidateResourceID,
 },
 "endpoint_tenant_id": {
diff --git a/azurerm/internal/services/storage/storage_account_resource_test.go b/azurerm/internal/services/storage/storage_account_resource_test.go
index 2a3e3bb4cd40..fa5fe414d676 100644
--- a/azurerm/internal/services/storage/storage_account_resource_test.go
+++ b/azurerm/internal/services/storage/storage_account_resource_test.go
@@ -542,6 +542,28 @@ func TestAccStorageAccount_privateLinkAccess(t *testing.T) {
 })
 }
+func TestAccStorageAccount_networkRulesSynapseAccess(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_storage_account", "test")
+ r := StorageAccountResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.networkRules(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ {
+ Config: r.networkRulesSynapseAccess(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func TestAccStorageAccount_blobProperties(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_storage_account", "test")
 r := StorageAccountResource{}
@@ -1739,6 +1761,55 @@ resource "azurerm_storage_account" "test" {
 `, r.networkRulesPrivateEndpointTemplate(data), data.RandomString)
 }
+func (r StorageAccountResource) networkRulesSynapseAccess(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+%s
+
+resource "azurerm_storage_account" "synapse" {
+ name = "acctestacc%[2]s"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ account_kind = "BlobStorage"
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "test" {
+ name = "acctest-%[3]d"
+ storage_account_id = azurerm_storage_account.synapse.id
+}
+
+resource "azurerm_synapse_workspace" "test" {
+ name = "acctestsw%[3]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.test.id
+ sql_administrator_login = "sqladminuser"
+ sql_administrator_login_password = "H@Sh1CoR3!"
+}
+
+resource "azurerm_storage_account" "test" {
+ name = "unlikely23exst2acct%[2]s"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+
+ network_rules {
+ default_action = "Deny"
+ ip_rules = ["127.0.0.1"]
+ private_link_access {
+ endpoint_resource_id = azurerm_synapse_workspace.test.id
+ }
+ }
+
+ tags = {
+ environment = "production"
+ }
+}
+`, r.networkRulesTemplate(data), data.RandomString, data.RandomInteger)
+}
+
 func (r StorageAccountResource) blobProperties(data acceptance.TestData) string {
 return fmt.Sprintf(`
 provider "azurerm" {
diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown
index f87fcfd0555e..004cd9567525 100644
--- a/website/docs/r/storage_account.html.markdown
+++ b/website/docs/r/storage_account.html.markdown
@@ -259,9 +259,9 @@ any combination of `Logging`, `Metrics`, `AzureServices`, or `None`.
 A `private_link_access` block supports the following:
-* `endpoint_resource_id` - (Required) The resource id of the `azurerm_private_endpoint` of the resource access rule.
+* `endpoint_resource_id` - (Required) The resource id of the resource access rule to be granted access.
-* `endpoint_tenant_id` - (Optional) The tenant id of the `azurerm_private_endpoint` of the resource access rule. Defaults to the current tenant id.
+* `endpoint_tenant_id` - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.
 ---
diff --git a/website/docs/r/storage_account_network_rules.html.markdown b/website/docs/r/storage_account_network_rules.html.markdown
index 50f42a7529e2..c875d693e4a8 100644
--- a/website/docs/r/storage_account_network_rules.html.markdown
+++ b/website/docs/r/storage_account_network_rules.html.markdown
@@ -94,9 +94,9 @@ The following arguments are supported:
 A `private_link_access` block supports the following:
-* `endpoint_resource_id` - (Required) The resource id of the `azurerm_private_endpoint` of the resource access rule.
+* `endpoint_resource_id` - (Required) The resource id of the resource access rule to be granted access.
-* `endpoint_tenant_id` - (Optional) The tenant id of the `azurerm_private_endpoint` of the resource access rule. Defaults to the current tenant id.
+* `endpoint_tenant_id` - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.
 ## Attributes Reference