From 2e4dad44aa4b31b12124fd31369818167098091e Mon Sep 17 00:00:00 2001 From: magodo Date: Mon, 9 Jan 2023 10:20:17 +0800 Subject: [PATCH] `azurerm_storage_account` - Support `allowed_copy_scope` --- .../storage/storage_account_resource.go | 26 ++++++++++ .../storage/storage_account_resource_test.go | 52 +++++++++++++++++++ website/docs/r/storage_account.html.markdown | 2 + 3 files changed, 80 insertions(+) diff --git a/internal/services/storage/storage_account_resource.go b/internal/services/storage/storage_account_resource.go index d798b05b9b3c..8e9b97260876 100644 --- a/internal/services/storage/storage_account_resource.go +++ b/internal/services/storage/storage_account_resource.go @@ -828,6 +828,15 @@ func resourceStorageAccount() *pluginsdk.Resource { }, }, + "allowed_copy_scope": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + string(storage.AllowedCopyScopePrivateLink), + string(storage.AllowedCopyScopeAAD), + }, false), + }, + "sftp_enabled": { Type: pluginsdk.TypeBool, Optional: true, @@ -1125,6 +1134,10 @@ func resourceStorageAccountCreate(d *pluginsdk.ResourceData, meta interface{}) e }, } + if v := d.Get("allowed_copy_scope").(string); v != "" { + parameters.AccountPropertiesCreateParameters.AllowedCopyScope = storage.AllowedCopyScope(v) + } + // For all Clouds except Public, China, and USGovernmentCloud, don't specify "allow_blob_public_access" and "min_tls_version" in request body. // https://github.com/hashicorp/terraform-provider-azurerm/issues/7812 // https://github.com/hashicorp/terraform-provider-azurerm/issues/8083 
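Review bot: The `v != ""` guard added in resourceStorageAccountCreate has no comment saying what an unset `allowed_copy_scope` means for the new account, which is worth stating because the attribute restricts where data may be copied to and from. Presumably the property is then omitted from the request and no copy-scope restriction is requested; if that is right, a one-line comment above the `if`, such as `// unset: property is omitted, so no copy-scope restriction is requested`, would make the default explicit. The function body starts and ends outside the hunk.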
@@ -1766,6 +1779,18 @@ func resourceStorageAccountUpdate(d *pluginsdk.ResourceData, meta interface{}) e } } + if d.HasChange("allowed_copy_scope") { + // TODO: Currently, due to Track1 SDK has no way to represent a `null` value in the payload - instead it will be omitted, `allowed_copy_scope` can not be disabled once enabled. + opts := storage.AccountUpdateParameters{ + AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ + AllowedCopyScope: storage.AllowedCopyScope(d.Get("allowed_copy_scope").(string)), + }, + } + if _, err := client.Update(ctx, id.ResourceGroup, id.Name, opts); err != nil { + return fmt.Errorf("updating Azure Storage Account allowed_copy_scope %q: %+v", id.Name, err) + } + } + supportLevel := resolveStorageAccountServiceSupportLevel(storage.Kind(accountKind), storage.SkuTier(accountTier)) if d.HasChange("blob_properties") { @@ -2101,6 +2126,7 @@ func resourceStorageAccountRead(d *pluginsdk.ResourceData, meta interface{}) err return fmt.Errorf("setting `sas_policy`: %+v", err) } + d.Set("allowed_copy_scope", props.AllowedCopyScope) d.Set("sftp_enabled", props.IsSftpEnabled) } diff --git a/internal/services/storage/storage_account_resource_test.go b/internal/services/storage/storage_account_resource_test.go index b4215895a593..9bdb5f2182fb 100644 --- a/internal/services/storage/storage_account_resource_test.go +++ b/internal/services/storage/storage_account_resource_test.go 
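Review bot: Removing `allowed_copy_scope` from configuration reaches this `client.Update` call with an empty `AllowedCopyScope`, which the TODO itself says is dropped from the payload, so the apply reports success while the account keeps its previous scope. The restriction stays in place, but the recorded state no longer matches the account, and because resourceStorageAccountRead now writes the live value back, the same diff will presumably reappear on every plan. An explicit failure is easier to reason about than a silent no-op: before building `opts`, add `if v := d.Get("allowed_copy_scope").(string); v == "" { return fmt.Errorf("allowed_copy_scope cannot be unset once configured on Storage Account %q", id.Name) }`. The limitation is also not mentioned in the storage_account.html.markdown hunk. resourceStorageAccountUpdate starts and ends outside the hunk.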
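Review bot: `d.Set("allowed_copy_scope", props.AllowedCopyScope)` passes the SDK's `storage.AllowedCopyScope` type to a field declared as `pluginsdk.TypeString`, so it presumably relies on the plugin SDK converting the named type for it. Writing `d.Set("allowed_copy_scope", string(props.AllowedCopyScope))` makes the stored value an ordinary string and matches the explicit `string(...)` and `storage.AllowedCopyScope(...)` conversions in the schema and create hunks. resourceStorageAccountRead starts and ends outside the hunk.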
@@ -1352,6 +1352,35 @@ func TestAccStorageAccount_sasPolicy(t *testing.T) { }) } +func TestAccStorageAccount_allowedCopyScope(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") + r := StorageAccountResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.allowedCopyScope(data, "AAD"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.allowedCopyScope(data, "PrivateLink"), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccStorageAccount_isSftpEnabled(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") r := StorageAccountResource{} @@ -4125,6 +4154,29 @@ resource "azurerm_storage_account" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomString) } +func (r StorageAccountResource) allowedCopyScope(data acceptance.TestData, scope string) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-storage-%d" + location = "%s" +} + +resource "azurerm_storage_account" "test" { + name = "unlikely23exst2acct%s" + resource_group_name = azurerm_resource_group.test.name + + location = azurerm_resource_group.test.location + account_tier = "Standard" + account_replication_type = "LRS" + allowed_copy_scope = %q +} +`, data.RandomInteger, data.Locations.Primary, data.RandomString, scope) +} + func (r StorageAccountResource) emptyShareProperties(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown index a1557b443ee5..cf9a353e9dff 100644 
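Review bot: None of the three steps in TestAccStorageAccount_allowedCopyScope asserts the attribute itself; each `Check` only calls `ExistsInAzure(r)`, so the value that reached the account is verified only indirectly through `data.ImportStep()`. Since this setting is a copy restriction, pin it directly in the second and third steps with `check.That(data.ResourceName).Key("allowed_copy_scope").HasValue("AAD"),` and the same for `"PrivateLink"`. There is also no step that returns to `r.basic(data)` after a scope has been set, which is the path the TODO in resourceStorageAccountUpdate describes as unsupported.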
--- a/website/docs/r/storage_account.html.markdown +++ b/website/docs/r/storage_account.html.markdown @@ -166,6 +166,8 @@ The following arguments are supported: * `sas_policy` - (Optional) A `sas_policy` block as defined below. +* `allowed_copy_scope` - (Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are `AAD` and `PrivateLink`. + * `sftp_enabled` - (Optional) Boolean, enable SFTP for the storage account -> **NOTE:** SFTP support requires `is_hns_enabled` set to `true`. [More information on SFTP support can be found here](https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support). Defaults to `false`