kusto_cluster_resource - allowed_fqdns, allowed_ip_ranges, outbound_n…

…etwork_access_restricted (#17581)
hashicorp · Jul 20, 2022 · 01029aa · 01029aa
1 parent ee0f292
commit 01029aa
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 8 deletions.
diff --git a/internal/services/kusto/kusto_cluster_resource.go b/internal/services/kusto/kusto_cluster_resource.go
@@ -75,23 +75,43 @@ func resourceKustoCluster() *pluginsdk.Resource {
 								string(kusto.AzureSkuNameStandardD12V2),
 								string(kusto.AzureSkuNameStandardD13V2),
 								string(kusto.AzureSkuNameStandardD14V2),
+								string(kusto.AzureSkuNameStandardD16dV5),
+								string(kusto.AzureSkuNameStandardD32dV4),
+								string(kusto.AzureSkuNameStandardD32dV5),
 								string(kusto.AzureSkuNameStandardDS13V21TBPS),
 								string(kusto.AzureSkuNameStandardDS13V22TBPS),
 								string(kusto.AzureSkuNameStandardDS14V23TBPS),
 								string(kusto.AzureSkuNameStandardDS14V24TBPS),
+								string(kusto.AzureSkuNameStandardE16aV4),
+								string(kusto.AzureSkuNameStandardE16adsV5),
 								string(kusto.AzureSkuNameStandardE16asV43TBPS),
 								string(kusto.AzureSkuNameStandardE16asV44TBPS),
-								string(kusto.AzureSkuNameStandardE16aV4),
+								string(kusto.AzureSkuNameStandardE16asV53TBPS),
+								string(kusto.AzureSkuNameStandardE16asV54TBPS),
+								string(kusto.AzureSkuNameStandardE16sV43TBPS),
+								string(kusto.AzureSkuNameStandardE16sV44TBPS),
+								string(kusto.AzureSkuNameStandardE16sV53TBPS),
+								string(kusto.AzureSkuNameStandardE16sV54TBPS),
 								string(kusto.AzureSkuNameStandardE2aV4),
+								string(kusto.AzureSkuNameStandardE2adsV5),
 								string(kusto.AzureSkuNameStandardE4aV4),
+								string(kusto.AzureSkuNameStandardE4adsV5),
 								string(kusto.AzureSkuNameStandardE64iV3),
+								string(kusto.AzureSkuNameStandardE80idsV4),
+								string(kusto.AzureSkuNameStandardE8aV4),
+								string(kusto.AzureSkuNameStandardE8adsV5),
 								string(kusto.AzureSkuNameStandardE8asV41TBPS),
 								string(kusto.AzureSkuNameStandardE8asV42TBPS),
-								string(kusto.AzureSkuNameStandardE8aV4),
+								string(kusto.AzureSkuNameStandardE8asV51TBPS),
+								string(kusto.AzureSkuNameStandardE8asV52TBPS),
+								string(kusto.AzureSkuNameStandardE8sV41TBPS),
+								string(kusto.AzureSkuNameStandardE8sV42TBPS),
+								string(kusto.AzureSkuNameStandardE8sV51TBPS),
+								string(kusto.AzureSkuNameStandardE8sV52TBPS),
 								string(kusto.AzureSkuNameStandardL16s),
+								string(kusto.AzureSkuNameStandardL16sV2),
 								string(kusto.AzureSkuNameStandardL4s),
 								string(kusto.AzureSkuNameStandardL8s),
-								string(kusto.AzureSkuNameStandardL16sV2),
 								string(kusto.AzureSkuNameStandardL8sV2),
 							}, false),
 						},
@@ -106,6 +126,24 @@ func resourceKustoCluster() *pluginsdk.Resource {
 				},
 			},
 
+			"allowed_fqdns": {
+				Type:     pluginsdk.TypeList,
+				Optional: true,
+				Elem: &pluginsdk.Schema{
+					Type:         pluginsdk.TypeString,
+					ValidateFunc: validation.StringIsNotEmpty,
+				},
+			},
+
+			"allowed_ip_ranges": {
+				Type:     pluginsdk.TypeList,
+				Optional: true,
+				Elem: &pluginsdk.Schema{
+					Type:         pluginsdk.TypeString,
+					ValidateFunc: validation.StringIsNotEmpty,
+				},
+			},
+
 			"trusted_external_tenants": {
 				Type:       pluginsdk.TypeList,
 				Optional:   true,
@@ -211,6 +249,12 @@ func resourceKustoCluster() *pluginsdk.Resource {
 				Default:  true,
 			},
 
+			"outbound_network_access_restricted": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
 			"double_encryption_enabled": {
 				Type:     pluginsdk.TypeBool,
 				Optional: true,
@@ -332,6 +376,21 @@ func resourceKustoClusterCreateUpdate(d *pluginsdk.ResourceData, meta interface{
 		clusterProperties.VirtualNetworkConfiguration = vnet
 	}
 
+	if v, ok := d.GetOk("allowed_fqdns"); ok {
+		clusterProperties.AllowedFqdnList, _ = expandKustoListString(v.([]interface{}))
+	}
+
+	if v, ok := d.GetOk("allowed_ip_ranges"); ok {
+		clusterProperties.AllowedIPRangeList, _ = expandKustoListString(v.([]interface{}))
+	}
+
+	clusterProperties.RestrictOutboundNetworkAccess = kusto.ClusterNetworkAccessFlagDisabled
+	if v, ok := d.GetOk("outbound_network_access_restricted"); ok {
+		if v.(bool) {
+			clusterProperties.RestrictOutboundNetworkAccess = kusto.ClusterNetworkAccessFlagEnabled
+		}
+	}
+
 	expandedIdentity, err := expandClusterIdentity(d.Get("identity").([]interface{}))
 	if err != nil {
 		return fmt.Errorf("expanding `identity`: %+v", err)
@@ -449,6 +508,8 @@ func resourceKustoClusterRead(d *pluginsdk.ResourceData, meta interface{}) error
 	}
 
 	if props := resp.ClusterProperties; props != nil {
+		d.Set("allowed_fqdns", props.AllowedFqdnList)
+		d.Set("allowed_ip_ranges", props.AllowedIPRangeList)
 		d.Set("double_encryption_enabled", props.EnableDoubleEncryption)
 		d.Set("trusted_external_tenants", flattenTrustedExternalTenants(props.TrustedExternalTenants))
 		d.Set("auto_stop_enabled", props.EnableAutoStop)
@@ -461,6 +522,7 @@ func resourceKustoClusterRead(d *pluginsdk.ResourceData, meta interface{}) error
 		d.Set("data_ingestion_uri", props.DataIngestionURI)
 		d.Set("engine", props.EngineType)
 		d.Set("public_ip_type", props.PublicIPType)
+		d.Set("outbound_network_access_restricted", props.RestrictOutboundNetworkAccess == kusto.ClusterNetworkAccessFlagEnabled)
 	}
 
 	return tags.FlattenAndSet(d, resp.Tags)
@@ -527,6 +589,20 @@ func flattenOptimizedAutoScale(optimizedAutoScale *kusto.OptimizedAutoscale) []i
 	}
 }
 
+func expandKustoListString(input []interface{}) (*[]string, error) {
+	if input == nil || len(input) == 0 {
+		return nil, fmt.Errorf("list of string is empty")
+	}
+
+	result := make([]string, 0)
+
+	for _, v := range input {
+		result = append(result, v.(string))
+	}
+
+	return &result, nil
+}
+
 func expandKustoClusterSku(input []interface{}) (*kusto.AzureSku, error) {
 	sku := input[0].(map[string]interface{})
 	name := sku["name"].(string)

diff --git a/internal/services/kusto/kusto_cluster_resource_test.go b/internal/services/kusto/kusto_cluster_resource_test.go
@@ -39,6 +39,11 @@ func TestAccKustoCluster_complete(t *testing.T) {
 			Config: r.complete(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("allowed_fqdns.#").HasValue("1"),
+				check.That(data.ResourceName).Key("allowed_fqdns.0").HasValue("255.255.255.0/24"),
+				check.That(data.ResourceName).Key("allowed_ip_ranges.#").HasValue("1"),
+				check.That(data.ResourceName).Key("allowed_ip_ranges.0").HasValue("0.0.0.0/0"),
+				check.That(data.ResourceName).Key("outbound_network_access_restricted").HasValue("true"),
 			),
 		},
 		data.ImportStep(),
@@ -399,11 +404,14 @@ resource "azurerm_resource_group" "test" {
 }
 
 resource "azurerm_kusto_cluster" "test" {
-  name                          = "acctestkc%s"
-  location                      = azurerm_resource_group.test.location
-  resource_group_name           = azurerm_resource_group.test.name
-  public_network_access_enabled = false
-  public_ip_type                = "DualStack"
+  name                               = "acctestkc%s"
+  location                           = azurerm_resource_group.test.location
+  resource_group_name                = azurerm_resource_group.test.name
+  allowed_fqdns                      = ["255.255.255.0/24"]
+  allowed_ip_ranges                  = ["0.0.0.0/0"]
+  public_network_access_enabled      = false
+  public_ip_type                     = "DualStack"
+  outbound_network_access_restricted = true
   sku {
     name     = "Standard_D13_v2"
     capacity = 2

diff --git a/website/docs/r/kusto_cluster.html.markdown b/website/docs/r/kusto_cluster.html.markdown
@@ -46,6 +46,10 @@ The following arguments are supported:
 
 * `sku` - (Required) A `sku` block as defined below.
 
+* `allowed_fqdns` - (Optional) List of allowed FQDNs(Fully Qualified Domain Name) for egress from Cluster.
+
+* `allowed_ip_ranges` - (Optional) The list of ips in the format of CIDR allowed to connect to the cluster.
+
 * `double_encryption_enabled` - (Optional) Is the cluster's double encryption enabled? Defaults to `false`. Changing this forces a new resource to be created.
 
 * `identity` - (Optional) An `identity` block as defined below.
@@ -60,6 +64,8 @@ The following arguments are supported:
 
 * `public_network_access_enabled` - (Optional) Is the public network access enabled? Defaults to `true`.
 
+* `outbound_network_access_restricted` - (Optional) Whether to restrict outbound network access. Value is optional but if passed in, must be `true` or `false`, default is `false`.
+
 * `purge_enabled` - (Optional) Specifies if the purge operations are enabled.
 
 * `virtual_network_configuration`- (Optional) A `virtual_network_configuration` block as defined below. Changing this forces a new resource to be created.