azurerm_virtual_network: support encryption (#22745)

hashicorp · Aug 3, 2023 · 96d48fc · 96d48fc
1 parent 7d03797
commit 96d48fc
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 0 deletions.
diff --git a/internal/services/network/virtual_network_resource.go b/internal/services/network/virtual_network_resource.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/location"
@@ -102,6 +103,24 @@ func resourceVirtualNetworkSchema() map[string]*pluginsdk.Schema {
 			},
 		},
 
+		"encryption": {
+			Type:     pluginsdk.TypeList,
+			Optional: true,
+			MaxItems: 1,
+			Elem: &pluginsdk.Resource{
+				Schema: map[string]*pluginsdk.Schema{
+					"enforcement": {
+						Type:     pluginsdk.TypeString,
+						Required: true,
+						ValidateFunc: validation.StringInSlice([]string{
+							string((network.VirtualNetworkEncryptionEnforcementDropUnencrypted)),
+							string(network.VirtualNetworkEncryptionEnforcementAllowUnencrypted),
+						}, false),
+					},
+				},
+			},
+		},
+
 		"dns_servers": {
 			Type:     pluginsdk.TypeList,
 			Optional: true,
@@ -282,6 +301,10 @@ func resourceVirtualNetworkRead(d *pluginsdk.ResourceData, meta interface{}) err
 			return fmt.Errorf("setting `ddos_protection_plan`: %+v", err)
 		}
 
+		if err := d.Set("encryption", flattenVirtualNetworkEncryption(props.Encryption)); err != nil {
+			return fmt.Errorf("setting `encryption`: %+v", err)
+		}
+
 		if err := d.Set("subnet", flattenVirtualNetworkSubnets(props.Subnets)); err != nil {
 			return fmt.Errorf("setting `subnets`: %+v", err)
 		}
@@ -406,6 +429,16 @@ func expandVirtualNetworkProperties(ctx context.Context, d *pluginsdk.ResourceDa
 		}
 	}
 
+	if v, ok := d.GetOk("encryption"); ok {
+		if vList := v.([]interface{}); len(vList) > 0 && vList[0] != nil {
+			encryptionConf := vList[0].(map[string]interface{})
+			properties.Encryption = &network.VirtualNetworkEncryption{
+				Enabled:     pointer.To(true),
+				Enforcement: network.VirtualNetworkEncryptionEnforcement(encryptionConf["enforcement"].(string)),
+			}
+		}
+	}
+
 	if v, ok := d.GetOk("bgp_community"); ok {
 		properties.BgpCommunities = &network.VirtualNetworkBgpCommunities{VirtualNetworkCommunity: utils.String(v.(string))}
 	}
@@ -430,6 +463,18 @@ func flattenVirtualNetworkDDoSProtectionPlan(input *network.VirtualNetworkProper
 	}
 }
 
+func flattenVirtualNetworkEncryption(encryption *network.VirtualNetworkEncryption) interface{} {
+	if encryption == nil || encryption.Enabled == nil || !*encryption.Enabled {
+		return make([]interface{}, 0)
+	}
+
+	return []interface{}{
+		map[string]interface{}{
+			"enforcement": encryption.Enforcement,
+		},
+	}
+}
+
 func flattenVirtualNetworkSubnets(input *[]network.Subnet) *pluginsdk.Set {
 	results := &pluginsdk.Set{
 		F: resourceAzureSubnetHash,

diff --git a/internal/services/network/virtual_network_resource_test.go b/internal/services/network/virtual_network_resource_test.go
@@ -385,6 +385,10 @@ resource "azurerm_virtual_network" "test" {
   resource_group_name = azurerm_resource_group.test.name
   dns_servers         = ["10.7.7.2", "10.7.7.7", "10.7.7.1", ]
 
+  encryption {
+    enforcement = "AllowUnencrypted"
+  }
+
   subnet {
     name           = "subnet1"
     address_prefix = "10.0.1.0/24"

diff --git a/website/docs/r/virtual_network.html.markdown b/website/docs/r/virtual_network.html.markdown
@@ -75,6 +75,8 @@ The following arguments are supported:
 
 * `ddos_protection_plan` - (Optional) A `ddos_protection_plan` block as documented below.
 
+* `encryption` - (Optional) A `encryption` block as defined below.
+
 * `dns_servers` - (Optional) List of IP addresses of DNS servers
 
 -> **NOTE** Since `dns_servers` can be configured both inline and via the separate `azurerm_virtual_network_dns_servers` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
@@ -99,6 +101,12 @@ A `ddos_protection_plan` block supports the following:
 
 ---
 
+A `encryption` block supports the following:
+
+* `enforcement` - (Required) Specifies if the encrypted Virtual Network allows VM that does not support encryption. Possible values are `DropUnencrypted` and `AllowUnencrypted`.
+
+---
+
 The `subnet` block supports:
 
 * `name` - (Required) The name of the subnet.