Enhancement to azurerm_servicebus_namespace_network_rule_set: Support…

… 'allow trusted services' (#13853)

internal/services/servicebus/servicebus_namespace_network_rule_set_resource.go

@@ -70,6 +70,12 @@ func resourceServiceBusNamespaceNetworkRuleSet() *pluginsdk.Resource {
 				},
 			},
 
+			"trusted_services_allowed": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
 			"network_rules": {
 				Type:     pluginsdk.TypeSet,
 				Optional: true,
@@ -119,9 +125,10 @@ func resourceServiceBusNamespaceNetworkRuleSetCreateUpdate(d *pluginsdk.Resource
 
 	parameters := servicebus.NetworkRuleSet{
 		NetworkRuleSetProperties: &servicebus.NetworkRuleSetProperties{
-			DefaultAction:       servicebus.DefaultAction(d.Get("default_action").(string)),
-			VirtualNetworkRules: expandServiceBusNamespaceVirtualNetworkRules(d.Get("network_rules").(*pluginsdk.Set).List()),
-			IPRules:             expandServiceBusNamespaceIPRules(d.Get("ip_rules").(*pluginsdk.Set).List()),
+			DefaultAction:               servicebus.DefaultAction(d.Get("default_action").(string)),
+			VirtualNetworkRules:         expandServiceBusNamespaceVirtualNetworkRules(d.Get("network_rules").(*pluginsdk.Set).List()),
+			IPRules:                     expandServiceBusNamespaceIPRules(d.Get("ip_rules").(*pluginsdk.Set).List()),
+			TrustedServiceAccessEnabled: utils.Bool(d.Get("trusted_services_allowed").(bool)),
 		},
 	}
 
@@ -158,6 +165,7 @@ func resourceServiceBusNamespaceNetworkRuleSetRead(d *pluginsdk.ResourceData, me
 
 	if props := resp.NetworkRuleSetProperties; props != nil {
 		d.Set("default_action", string(props.DefaultAction))
+		d.Set("trusted_services_allowed", props.TrustedServiceAccessEnabled)
 
 		if err := d.Set("network_rules", pluginsdk.NewSet(networkRuleHash, flattenServiceBusNamespaceVirtualNetworkRules(props.VirtualNetworkRules))); err != nil {
 			return fmt.Errorf("failed to set `network_rules`: %+v", err)

internal/services/servicebus/servicebus_namespace_network_rule_set_resource_test.go

@@ -40,6 +40,7 @@ func TestAccServiceBusNamespaceNetworkRule_complete(t *testing.T) {
 			Config: r.complete(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("trusted_services_allowed").HasValue("true"),
 			),
 		},
 		data.ImportStep(),
@@ -130,7 +131,8 @@ resource "azurerm_servicebus_namespace_network_rule_set" "test" {
   namespace_name      = azurerm_servicebus_namespace.test.name
   resource_group_name = azurerm_resource_group.test.name
 
-  default_action = "Deny"
+  default_action           = "Deny"
+  trusted_services_allowed = true
 
   network_rules {
     subnet_id                            = azurerm_subnet.test.id

website/docs/r/servicebus_namespace_network_rule_set.html.markdown

@@ -75,6 +75,8 @@ The following arguments are supported:
 
 * `default_action` - (Optional) Specifies the default action for the ServiceBus Namespace Network Rule Set. Possible values are `Allow` and `Deny`. Defaults to `Deny`.
 
+* `trusted_services_allowed` - (Optional) If True, then Azure Services that are known and trusted for this resource type are allowed to bypass firewall configuration. See [Trusted Microsoft Services](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/service-bus-messaging/includes/service-bus-trusted-services.md)  
+
 * `ip_rules` - (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the ServiceBus Namespace.
 
 * `network_rules` - (Optional) One or more `network_rules` blocks as defined below.