azurerm_eventhub_namespace: update public_network_access settings (#…

…18314)

internal/services/eventhub/eventhub_namespace_resource.go

@@ -129,6 +129,12 @@ func resourceEventHubNamespace() *pluginsdk.Resource {
 							}, false),
 						},
 
+						"public_network_access_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+							Default:  true,
+						},
+
 						"trusted_service_access_enabled": {
 							Type:     pluginsdk.TypeBool,
 							Optional: true,
@@ -365,6 +371,10 @@ func resourceEventHubNamespaceCreate(d *pluginsdk.ResourceData, meta interface{}
 			Properties: expandEventHubNamespaceNetworkRuleset(ruleSets.([]interface{})),
 		}
 
+		if !strings.EqualFold(string(*rulesets.Properties.PublicNetworkAccess), string(*parameters.Properties.PublicNetworkAccess)) {
+			return fmt.Errorf("the value of public network access of namespace should be the same as of the network rulesets")
+		}
+
 		ruleSetsClient := meta.(*clients.Client).Eventhub.NetworkRuleSetsClient
 		namespaceId := networkrulesets.NewNamespaceID(id.SubscriptionId, id.ResourceGroupName, id.NamespaceName)
 		if _, err := ruleSetsClient.NamespacesCreateOrUpdateNetworkRuleSet(ctx, namespaceId, rulesets); err != nil {
@@ -463,6 +473,10 @@ func resourceEventHubNamespaceUpdate(d *pluginsdk.ResourceData, meta interface{}
 			Properties: expandEventHubNamespaceNetworkRuleset(ruleSets.([]interface{})),
 		}
 
+		if !strings.EqualFold(string(*rulesets.Properties.PublicNetworkAccess), string(*parameters.Properties.PublicNetworkAccess)) {
+			return fmt.Errorf("the value of public network access of namespace should be the same as of the network rulesets")
+		}
+
 		ruleSetsClient := meta.(*clients.Client).Eventhub.NetworkRuleSetsClient
 		namespaceId := networkrulesets.NewNamespaceID(id.SubscriptionId, id.ResourceGroupName, id.NamespaceName)
 		if _, err := ruleSetsClient.NamespacesCreateOrUpdateNetworkRuleSet(ctx, namespaceId, rulesets); err != nil {
@@ -671,11 +685,17 @@ func expandEventHubNamespaceNetworkRuleset(input []interface{}) *networkrulesets
 
 	block := input[0].(map[string]interface{})
 
+	publicNetworkAccess := networkrulesets.PublicNetworkAccessFlagEnabled
+	if !block["public_network_access_enabled"].(bool) {
+		publicNetworkAccess = networkrulesets.PublicNetworkAccessFlagDisabled
+	}
+
 	ruleset := networkrulesets.NetworkRuleSetProperties{
 		DefaultAction: func() *networkrulesets.DefaultAction {
 			v := networkrulesets.DefaultAction(block["default_action"].(string))
 			return &v
 		}(),
+		PublicNetworkAccess: &publicNetworkAccess,
 	}
 
 	if v, ok := block["trusted_service_access_enabled"]; ok {
@@ -766,8 +786,13 @@ func flattenEventHubNamespaceNetworkRuleset(ruleset networkrulesets.NamespacesGe
 
 	// TODO: fix this
 
+	publicNetworkAccess := true
+	if ruleset.Model.Properties.PublicNetworkAccess != nil && *ruleset.Model.Properties.PublicNetworkAccess == networkrulesets.PublicNetworkAccessFlagDisabled {
+		publicNetworkAccess = false
+	}
 	return []interface{}{map[string]interface{}{
 		"default_action":                 string(*ruleset.Model.Properties.DefaultAction),
+		"public_network_access_enabled":  publicNetworkAccess,
 		"virtual_network_rule":           vnetBlocks,
 		"ip_rule":                        ipBlocks,
 		"trusted_service_access_enabled": ruleset.Model.Properties.TrustedServiceAccessEnabled,

internal/services/eventhub/eventhub_namespace_resource_test.go

@@ -168,6 +168,18 @@ func TestAccEventHubNamespace_networkrule_iprule(t *testing.T) {
 	})
 }
 
+func TestAccEventHubNamespace_networkrule_publicNetworkAccessDiff(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_eventhub_namespace", "test")
+	r := EventHubNamespaceResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config:      r.networkrule_publicNetworkAccessDiff(data),
+			ExpectError: regexp.MustCompile("the value of public network access of namespace should be the same as of the network rulesets"),
+		},
+	})
+}
+
 func TestAccEventHubNamespace_networkrule_vnet(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_eventhub_namespace", "test")
 	r := EventHubNamespaceResource{}
@@ -718,6 +730,37 @@ resource "azurerm_eventhub_namespace" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }
 
+func (EventHubNamespaceResource) networkrule_publicNetworkAccessDiff(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-eh-%d"
+  location = "%s"
+}
+
+resource "azurerm_eventhub_namespace" "test" {
+  name                          = "acctesteventhubnamespace-%d"
+  location                      = azurerm_resource_group.test.location
+  resource_group_name           = azurerm_resource_group.test.name
+  sku                           = "Standard"
+  capacity                      = "2"
+  public_network_access_enabled = true
+
+  network_rulesets {
+    default_action                = "Deny"
+    public_network_access_enabled = false
+    ip_rule {
+      ip_mask = "10.0.0.0/16"
+      action  = "Allow"
+    }
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
 func (EventHubNamespaceResource) networkrule_iprule_trusted_services(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {

website/docs/r/eventhub_namespace.html.markdown

@@ -79,6 +79,10 @@ A `network_rulesets` block supports the following:
 
 * `default_action` - (Required) The default action to take when a rule is not matched. Possible values are `Allow` and `Deny`.
 
+* `public_network_access` - (Optional)  Is public network access enabled for the EventHub Namespace? Defaults to `true`.
+
+* ~> **Note:** The public network access setting at the network rule sets level should be the same as it's at the namespace level.
+
 * `trusted_service_access_enabled` - (Optional) Whether Trusted Microsoft Services are allowed to bypass firewall.
 
 * `virtual_network_rule` - (Optional) One or more `virtual_network_rule` blocks as defined below.