From 641ab60e77a42de69c7c1c8545ff777ef1c5e988 Mon Sep 17 00:00:00 2001 From: magodo Date: Tue, 30 Aug 2022 14:15:03 +0800 Subject: [PATCH] `azurerm_storage_account` - support for the `public_network_access_enabled` property (#18005) `azurerm_storage_account` - support for the `public_network_access_enabled` property --- .../storage/storage_account_resource.go | 33 ++++++++++++++ .../storage/storage_account_resource_test.go | 45 +++++++++++++++++++ website/docs/r/storage_account.html.markdown | 2 + 3 files changed, 80 insertions(+) diff --git a/internal/services/storage/storage_account_resource.go b/internal/services/storage/storage_account_resource.go index d88f5c546d85..ad1b519d66bd 100644 --- a/internal/services/storage/storage_account_resource.go +++ b/internal/services/storage/storage_account_resource.go @@ -289,6 +289,12 @@ func resourceStorageAccount() *pluginsdk.Resource { Default: true, }, + "public_network_access_enabled": { + Type: pluginsdk.TypeBool, + Optional: true, + Default: true, + }, + "default_to_oauth_authentication": { Type: pluginsdk.TypeBool, Optional: true, @@ -976,6 +982,10 @@ func resourceStorageAccountCreate(d *pluginsdk.ResourceData, meta interface{}) e allowSharedKeyAccess := d.Get("shared_access_key_enabled").(bool) defaultToOAuthAuthentication := d.Get("default_to_oauth_authentication").(bool) crossTenantReplication := d.Get("cross_tenant_replication_enabled").(bool) + publicNetworkAccess := storage.PublicNetworkAccessDisabled + if d.Get("public_network_access_enabled").(bool) { + publicNetworkAccess = storage.PublicNetworkAccessEnabled + } accountTier := d.Get("account_tier").(string) replicationType := d.Get("account_replication_type").(string) 
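Review bot: The new `public_network_access_enabled` schema entry defaults to `true`, so any account provisioned without setting it keeps its endpoints reachable from public networks, gated only by whatever `network_rules` the configuration adds. That mirrors the service default and avoids a breaking change for existing configurations, which is the right call, but nothing at the field says so, and this is the single most consequential exposure setting on the resource. A one-line comment above the entry would make the decision explicit for the next maintainer, e.g. `// Defaults to true to match the service default and keep existing configurations unchanged; set false to restrict the account to private connectivity.` The enclosing schema map begins and ends outside this hunk.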
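Review bot: The four added lines in resourceStorageAccountCreate that turn the boolean into `storage.PublicNetworkAccessDisabled`/`storage.PublicNetworkAccessEnabled` are repeated verbatim in the Update path of this same patch, and the inverse mapping appears a third time in Read. A small helper would keep the expansions from drifting apart if the enum ever grows, and reads more clearly at the call site; both Create and Update would call it. The surrounding function begins and ends outside this hunk.
```go
// expandStorageAccountPublicNetworkAccess maps the boolean attribute onto the
// API enum; shared by Create and Update so the two cannot diverge.
func expandStorageAccountPublicNetworkAccess(enabled bool) storage.PublicNetworkAccess {
	if enabled {
		return storage.PublicNetworkAccessEnabled
	}
	return storage.PublicNetworkAccessDisabled
}

// … in resourceStorageAccountCreate, replacing the added if-block …
publicNetworkAccess := expandStorageAccountPublicNetworkAccess(d.Get("public_network_access_enabled").(bool))
```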
@@ -990,6 +1000,7 @@ func resourceStorageAccountCreate(d *pluginsdk.ResourceData, meta interface{}) e Tags: tags.Expand(t), Kind: storage.Kind(accountKind), AccountPropertiesCreateParameters: &storage.AccountPropertiesCreateParameters{ + PublicNetworkAccess: publicNetworkAccess, EnableHTTPSTrafficOnly: &enableHTTPSTrafficOnly, NetworkRuleSet: expandStorageAccountNetworkRules(d, tenantId), IsHnsEnabled: &isHnsEnabled, @@ -1497,6 +1508,22 @@ func resourceStorageAccountUpdate(d *pluginsdk.ResourceData, meta interface{}) e } } + if d.HasChange("public_network_access_enabled") { + publicNetworkAccess := storage.PublicNetworkAccessDisabled + if d.Get("public_network_access_enabled").(bool) { + publicNetworkAccess = storage.PublicNetworkAccessEnabled + } + opts := storage.AccountUpdateParameters{ + AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ + PublicNetworkAccess: publicNetworkAccess, + }, + } + + if _, err := client.Update(ctx, id.ResourceGroup, id.Name, opts); err != nil { + return fmt.Errorf("updating Azure Storage Account public_network_access_enabled %q: %+v", id.Name, err) + } + } + if d.HasChange("network_rules") { opts := storage.AccountUpdateParameters{ AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ @@ -1737,6 +1764,12 @@ func resourceStorageAccountRead(d *pluginsdk.ResourceData, meta interface{}) err d.Set("is_hns_enabled", props.IsHnsEnabled) d.Set("nfsv3_enabled", props.EnableNfsV3) + publicNetworkAccessEnabled := true + if props.PublicNetworkAccess == storage.PublicNetworkAccessDisabled { + publicNetworkAccessEnabled = false + } + d.Set("public_network_access_enabled", publicNetworkAccessEnabled) + if crossTenantReplication := props.AllowCrossTenantReplication; crossTenantReplication != nil { d.Set("cross_tenant_replication_enabled", crossTenantReplication) } 
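Review bot: The `public_network_access_enabled` change in resourceStorageAccountUpdate is sent as its own `client.Update` call, placed ahead of the `network_rules` update that follows it in the same function, so an apply that re-enables public access and tightens `network_rules` at the same time opens a window between the two PATCH requests in which the account is publicly reachable under the old rules, and a failure of the second call leaves it that way. Consider carrying `PublicNetworkAccess` in the same `AccountUpdateParameters` as the network rules when both have changed, or at least ordering the calls so that access is disabled before rules are relaxed and enabled only after rules are tightened. The body of the `network_rules` branch and the rest of the function lie outside this hunk, so the exact shape of that request is inferred from its opening lines. Separately, the error text `"updating Azure Storage Account public_network_access_enabled %q: %+v"` reads as if `%q` were the attribute; `"updating public_network_access_enabled for Azure Storage Account %q: %+v"` is clearer.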
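Review bot: In the new read logic only `storage.PublicNetworkAccessDisabled` maps to `false`; an empty value (property absent from the response) and any other value the service may return in future are reported as `true`, so a restricted account described by an unrecognised value would be shown to Terraform as publicly reachable and, when the configuration says `false`, the next plan would try to "fix" it by sending `Disabled`. Treating the unset case as enabled is reasonable since that is the service default, but the fallback should be deliberate and visible rather than the implicit result of a single comparison. A `switch` on `props.PublicNetworkAccess` that handles `Enabled` and `Disabled` explicitly, with a default branch carrying a comment such as `// unset is the service default (enabled); any other value is unknown to this provider version and is reported as enabled`, would make the assumption auditable. The enclosing Read function starts and ends outside this hunk.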
diff --git a/internal/services/storage/storage_account_resource_test.go b/internal/services/storage/storage_account_resource_test.go index e52b9eacf809..3227e1a0ceb8 100644 --- a/internal/services/storage/storage_account_resource_test.go +++ b/internal/services/storage/storage_account_resource_test.go @@ -468,6 +468,28 @@ func TestAccStorageAccount_updateResourceByEnablingIdentity(t *testing.T) { }) } +func TestAccStorageAccount_publicNetworkAccess(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") + r := StorageAccountResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.publicNetworkAccess(data, true), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.publicNetworkAccess(data, false), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccStorageAccount_networkRules(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") r := StorageAccountResource{} 
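Review bot: Both steps of TestAccStorageAccount_publicNetworkAccess assert only `ExistsInAzure`, so the expected value of `public_network_access_enabled` is never checked directly; the `data.ImportStep()` calls compare imported state with applied state, which catches a Read that disagrees with Create, but not a Create and Read that agree on the wrong value. Adding `check.That(data.ResourceName).Key("public_network_access_enabled").HasValue("true")` to the first step and `...HasValue("false")` to the second pins the round trip to the API. It would also be worth a third step flipping back to `true` so the Update path is exercised in both directions, since the disable-to-enable transition is the security-relevant one.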
@@ -1275,6 +1297,29 @@ resource "azurerm_storage_account" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomString) } +func (r StorageAccountResource) publicNetworkAccess(data acceptance.TestData, enabled bool) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-storage-%d" + location = "%s" +} + +resource "azurerm_storage_account" "test" { + name = "unlikely23exst2acct%s" + resource_group_name = azurerm_resource_group.test.name + + location = azurerm_resource_group.test.location + account_tier = "Standard" + account_replication_type = "LRS" + public_network_access_enabled = %t +} +`, data.RandomInteger, data.Locations.Primary, data.RandomString, enabled) +} + func (r StorageAccountResource) noCrossTenantReplication(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown index 140b4fd2c48e..bace2e59e611 100644 --- a/website/docs/r/storage_account.html.markdown +++ b/website/docs/r/storage_account.html.markdown 
@@ -115,6 +115,8 @@ The following arguments are supported: ~> **Note:** Terraform uses Shared Key Authorisation to provision Storage Containers, Blobs and other items - when Shared Key Access is disabled, you will need to enable [the `storage_use_azuread` flag in the Provider block](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#storage_use_azuread) to use Azure AD for authentication, however not all Azure Storage services support Active Directory authentication. +* `public_network_access_enabled` - (Optional) Whether the public network access is enabled? Defaults to `true`. + * `default_to_oauth_authentication` - (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is `false` * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created.