From 4587c804b08117ba242e233da29d0336947cd115 Mon Sep 17 00:00:00 2001
From: Xu Wu
Date: Mon, 5 Dec 2022 17:10:14 +0800
Subject: [PATCH 1/2] add network acls for mhsm

---
 ...naged_hardware_security_module_resource.go | 75 +++++++++++++++++++
 ..._hardware_security_module_resource_test.go | 24 +++++-
 ...ged_hardware_security_module.html.markdown | 12 +++
 3 files changed, 110 insertions(+), 1 deletion(-)

diff --git a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go
index cd17449984db..089f8547d6ad 100644
--- a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go
+++ b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource.go
@@ -96,6 +96,41 @@ func resourceKeyVaultManagedHardwareSecurityModule() *pluginsdk.Resource {
 Computed: true,
 },
 
+ "public_network_access_enabled": {
+ Type: pluginsdk.TypeBool,
+ Optional: true,
+ //Computed: true,
+ Default: true,
+ ForceNew: true,
+ },
+
+ "network_acls": {
+ Type: pluginsdk.TypeList,
+ Optional: true,
+ Computed: true,
+ MaxItems: 1,
+ Elem: &pluginsdk.Resource{
+ Schema: map[string]*pluginsdk.Schema{
+ "default_action": {
+ Type: pluginsdk.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ string(keyvault.NetworkRuleActionAllow),
+ string(keyvault.NetworkRuleActionDeny),
+ }, false),
+ },
+ "bypass": {
+ Type: pluginsdk.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ string(keyvault.NetworkRuleBypassOptionsNone),
+ string(keyvault.NetworkRuleBypassOptionsAzureServices),
+ }, false),
+ },
+ },
+ },
+ },
+
 // https://github.com/Azure/azure-rest-api-specs/issues/13365
 "tags": tags.ForceNewSchema(),
 },
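Review bot: `network_acls` is Optional and Computed but not ForceNew, whereas the sibling `public_network_access_enabled` added in the same hunk is ForceNew and `tags` is ForceNew because of the linked API issue; this patch adds no Update handling, so if the resource has no update path a change to `default_action` or `bypass` would plan as an in-place update that never reaches the API — confirm how such a change is applied, or mark the block `ForceNew: true` as well. The commented-out `//Computed: true,` under `public_network_access_enabled` is leftover text and should be removed. Since the block exposes no IP or subnet rule attributes, `default_action = "Deny"` presumably leaves only traffic admitted by `bypass` able to reach the HSM, and that consequence is worth stating in the resource documentation so users do not lock themselves out. The schema function continues outside the hunk.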
@@ -132,6 +167,8 @@ func resourceArmKeyVaultManagedHardwareSecurityModuleCreate(d *pluginsdk.Resourc
 EnableSoftDelete: utils.Bool(true),
 SoftDeleteRetentionInDays: utils.Int32(int32(d.Get("soft_delete_retention_days").(int))),
 EnablePurgeProtection: utils.Bool(d.Get("purge_protection_enabled").(bool)),
+ PublicNetworkAccess: keyvault.PublicNetworkAccessEnabled, // default enabled
+ NetworkAcls: expandMHSMNetworkAcls(d.Get("network_acls").([]interface{})),
 },
 Sku: &keyvault.ManagedHsmSku{
 Family: utils.String("B"),
@@ -140,6 +177,10 @@ func resourceArmKeyVaultManagedHardwareSecurityModuleCreate(d *pluginsdk.Resourc
 Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
 }
 
+ if !d.Get("public_network_access_enabled").(bool) {
+ hsm.Properties.PublicNetworkAccess = keyvault.PublicNetworkAccessDisabled
+ }
+
 future, err := client.CreateOrUpdate(ctx, id.ResourceGroup, id.Name, hsm)
 if err != nil {
 return fmt.Errorf("creating %s: %+v", id, err)
@@ -194,6 +235,14 @@ func resourceArmKeyVaultManagedHardwareSecurityModuleRead(d *pluginsdk.ResourceD
 d.Set("hsm_uri", props.HsmURI)
 d.Set("soft_delete_retention_days", props.SoftDeleteRetentionInDays)
 d.Set("purge_protection_enabled", props.EnablePurgeProtection)
+
+ var publicAccess = true
+ if props.PublicNetworkAccess == keyvault.PublicNetworkAccessDisabled {
+ publicAccess = false
+ }
+ d.Set("public_network_access_enabled", publicAccess)
+
+ d.Set("network_acls", flattenMHSMNetworkAcls(props.NetworkAcls))
 }
 
 return tags.FlattenAndSet(d, resp.Tags)
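Review bot: `PublicNetworkAccess` is assigned twice in Create — hard-coded to `keyvault.PublicNetworkAccessEnabled` in the properties literal of the previous hunk and then overwritten here when the flag is false — so the effective default lives in two places; derive it once before building `hsm`: `publicAccess := keyvault.PublicNetworkAccessEnabled`, `if !d.Get("public_network_access_enabled").(bool) { publicAccess = keyvault.PublicNetworkAccessDisabled }`, and use `PublicNetworkAccess: publicAccess,` in the literal. The Create function continues outside this hunk.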
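Review bot: The Read mapping reports `public_network_access_enabled = true` for any value other than an explicit `PublicNetworkAccessDisabled`, including an empty or unset property, so a vault whose API response omits the field is recorded in state as publicly reachable; that matches the schema default but is a fail-open reading worth making explicit. A comment on `var publicAccess = true` such as `// anything but an explicit Disabled (including unset) is reported as enabled, matching the schema default` would document the choice, and if the API can return the property unset it is worth deciding whether that case should instead be surfaced. Read continues outside the hunk.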
@@ -253,3 +302,29 @@ func resourceArmKeyVaultManagedHardwareSecurityModuleDelete(d *pluginsdk.Resourc
 
 return nil
 }
+
+func expandMHSMNetworkAcls(input []interface{}) *keyvault.MHSMNetworkRuleSet {
+ if len(input) == 0 {
+ return nil
+ }
+ v := input[0].(map[string]interface{})
+ res := &keyvault.MHSMNetworkRuleSet{
+ Bypass: keyvault.NetworkRuleBypassOptions(v["bypass"].(string)),
+ DefaultAction: keyvault.NetworkRuleAction(v["default_action"].(string)),
+ }
+
+ return res
+}
+
+func flattenMHSMNetworkAcls(acl *keyvault.MHSMNetworkRuleSet) []interface{} {
+ res := map[string]interface{}{
+ "bypass": string(keyvault.NetworkRuleBypassOptionsAzureServices),
+ "default_action": string(keyvault.NetworkRuleActionAllow),
+ }
+
+ if acl != nil {
+ res["bypass"] = string(acl.Bypass)
+ res["default_action"] = string(acl.DefaultAction)
+ }
+ return []interface{}{res}
+}
diff --git a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go
index 2a4515074e5a..150822c7478e 100644
--- a/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go
+++ b/internal/services/keyvault/key_vault_managed_hardware_security_module_resource_test.go
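Review bot: `expandMHSMNetworkAcls` type-asserts `input[0]` without a nil check, so if the list ever carries a nil element (the plugin SDK can produce one for an empty block) the provider panics instead of returning an error; the usual guard is `if len(input) == 0 || input[0] == nil { return nil }`. In `flattenMHSMNetworkAcls`, a nil ruleset is written to state as `bypass = AzureServices` with `default_action = Allow` — the most permissive combination — and nothing says whether that mirrors the service's own default or is a guess; if it is the service default, a comment such as `// service default when no ruleset is returned — confirm against the API` should say so, because a wrong fallback here masks drift toward an open endpoint. Both functions are complete within the hunk.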
@@ -135,8 +135,23 @@ provider "azurerm" {
 
 %s
 
+resource "azurerm_virtual_network" "test" {
+ name = "acctestvirtnet%[2]d"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_subnet" "test_a" {
+ name = "acctestsubneta%[2]d"
+ resource_group_name = azurerm_resource_group.test.name
+ virtual_network_name = azurerm_virtual_network.test.name
+ address_prefixes = ["10.0.2.0/24"]
+ service_endpoints = ["Microsoft.KeyVault"]
+}
+
 resource "azurerm_key_vault_managed_hardware_security_module" "test" {
- name = "kvHsm%d"
+ name = "kvHsm%[2]d"
 resource_group_name = azurerm_resource_group.test.name
 location = azurerm_resource_group.test.location
 sku_name = "Standard_B1"
@@ -145,6 +160,13 @@ resource "azurerm_key_vault_managed_hardware_security_module" "test" {
 tenant_id = data.azurerm_client_config.current.tenant_id
 admin_object_ids = [data.azurerm_client_config.current.object_id]
 
+ network_acls {
+ default_action = "Deny"
+ bypass = "None"
+ }
+
+ public_network_access_enabled = true
+
 tags = {
 Env = "Test"
 }
diff --git a/website/docs/r/key_vault_managed_hardware_security_module.html.markdown b/website/docs/r/key_vault_managed_hardware_security_module.html.markdown
index f80df93793cd..02a04049e3ae 100644
--- a/website/docs/r/key_vault_managed_hardware_security_module.html.markdown
+++ b/website/docs/r/key_vault_managed_hardware_security_module.html.markdown
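Review bot: `azurerm_subnet.test_a` (with its `Microsoft.KeyVault` service endpoint) and `azurerm_virtual_network.test` are created by the template, but nothing in the hunk references them — the HSM resource's `network_acls` block in the following hunk carries only `default_action` and `bypass` — so the acceptance test provisions network fixtures that exercise no provider behaviour. Either remove both resources or reference the subnet from the configuration they were meant to validate; if subnet rules are planned for a later change, the fixture belongs with that change. The template string continues outside the hunk.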
@@ -66,8 +66,20 @@ The following arguments are supported:
 
 * `soft_delete_retention_days` - (Optional) The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` days. Defaults to `90`. Changing this forces a new resource to be created.
 
+* `public_network_access_enabled` - (Optional) Whether traffic from public networks is permitted. Defaults to `True`. Changing this forces a new resource to be created.
+
+* `network_acls` - (Optional) A `network_acls` block as defined below.
+
 * `tags` - (Optional) A mapping of tags to assign to the resource. Changing this forces a new resource to be created.
 
+---
+
+A `network_acls` block supports the following:
+
+* `bypass` - (Required) Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
+
+* `default_action` - (Required) The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`.
+
 ## Attributes Reference
 
 The following attributes are exported:

From 11da0f30cac068ff70b1a9af6f884b5892e43936 Mon Sep 17 00:00:00 2001
From: xuwu1
Date: Sat, 10 Dec 2022 14:01:20 +0800
Subject: [PATCH 2/2] remove document aboud ip rules

---
 .../r/key_vault_managed_hardware_security_module.html.markdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/docs/r/key_vault_managed_hardware_security_module.html.markdown b/website/docs/r/key_vault_managed_hardware_security_module.html.markdown
index 02a04049e3ae..5bb94e54c758 100644
--- a/website/docs/r/key_vault_managed_hardware_security_module.html.markdown
+++ b/website/docs/r/key_vault_managed_hardware_security_module.html.markdown
@@ -78,7 +78,7 @@ A `network_acls` block supports the following:
 
 * `bypass` - (Required) Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
 
-* `default_action` - (Required) The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`.
+* `default_action` - (Required) The Default Action to use. Possible values are `Allow` and `Deny`.
 
 ## Attributes Reference