
virtual network support encryption
wuxu92 committed Jul 31, 2023
1 parent 0c65995 commit deec543
Showing 3 changed files with 67 additions and 0 deletions.
52 changes: 52 additions & 0 deletions internal/services/network/virtual_network_resource.go
Expand Up @@ -11,6 +11,7 @@ import (
"net/http"
"time"

"github.com/hashicorp/go-azure-helpers/lang/pointer"
"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
"github.com/hashicorp/go-azure-helpers/resourcemanager/location"
Expand Down Expand Up @@ -102,6 +103,26 @@ func resourceVirtualNetworkSchema() map[string]*pluginsdk.Schema {
},
},

"encryption": {
Type: pluginsdk.TypeList,
Optional: true,
MaxItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"enabled": {
Type: pluginsdk.TypeBool,
Required: true,
},

"unencrypted_allowed": {
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
},
},
},
},

"dns_servers": {
Type: pluginsdk.TypeList,
Optional: true,
Expand Down Expand Up @@ -282,6 +303,10 @@ func resourceVirtualNetworkRead(d *pluginsdk.ResourceData, meta interface{}) err
return fmt.Errorf("setting `ddos_protection_plan`: %+v", err)
}

if err := d.Set("encryption", flattenVirtualNetworkEncryption(props.Encryption)); err != nil {
return fmt.Errorf("setting `encryption`: %+v", err)
}

if err := d.Set("subnet", flattenVirtualNetworkSubnets(props.Subnets)); err != nil {
return fmt.Errorf("setting `subnets`: %+v", err)
}
Expand Down Expand Up @@ -406,6 +431,18 @@ func expandVirtualNetworkProperties(ctx context.Context, d *pluginsdk.ResourceDa
}
}

if v := d.Get("encryption").([]interface{}); len(v) > 0 && v[0] != nil {
encryptionConf := v[0].(map[string]interface{})
properties.Encryption = &network.VirtualNetworkEncryption{
Enabled: pointer.To(encryptionConf["enabled"].(bool)),
Enforcement: network.VirtualNetworkEncryptionEnforcementDropUnencrypted,
}
if encryptionConf["unencrypted_allowed"].(bool) {
properties.Encryption.Enforcement = network.VirtualNetworkEncryptionEnforcementAllowUnencrypted
}

}

if v, ok := d.GetOk("bgp_community"); ok {
properties.BgpCommunities = &network.VirtualNetworkBgpCommunities{VirtualNetworkCommunity: utils.String(v.(string))}
}
Expand All @@ -430,6 +467,21 @@ func flattenVirtualNetworkDDoSProtectionPlan(input *network.VirtualNetworkProper
}
}

func flattenVirtualNetworkEncryption(encryption *network.VirtualNetworkEncryption) interface{} {
if encryption == nil {
return nil
}

allow := encryption.Enforcement == network.VirtualNetworkEncryptionEnforcementAllowUnencrypted

return []interface{}{
map[string]interface{}{
"enabled": encryption.Enabled,
"unencrypted_allowed": allow,
},
}
}

func flattenVirtualNetworkSubnets(input *[]network.Subnet) *pluginsdk.Set {
results := &pluginsdk.Set{
F: resourceAzureSubnetHash,
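Review bot: `flattenVirtualNetworkEncryption` writes `encryption.Enabled`, a `*bool`, straight into the state map while the expand side builds the same field with `pointer.To`; dereferencing it with `"enabled": pointer.From(encryption.Enabled)` keeps the two directions symmetric, avoids relying on the SDK to unwrap the pointer, and makes a nil value from the API read as an explicit `false`. In the expand hunk, omitting `unencrypted_allowed` maps to `VirtualNetworkEncryptionEnforcementDropUnencrypted`, which is the stricter default but is not stated anywhere; a line such as `// unencrypted_allowed=false maps to DropUnencrypted, so traffic from unencrypted peers is refused by default` above the `properties.Encryption` literal would record that choice, and whether the service accepts that enforcement value for every network should be confirmed against the API. The new helper also lacks a doc comment; `// flattenVirtualNetworkEncryption converts the API encryption settings into the single-item encryption block, or nil when the virtual network has none.` would do. The enclosing `expandVirtualNetworkProperties` and `resourceVirtualNetworkRead` bodies begin and end outside their hunks.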
5 changes: 5 additions & 0 deletions internal/services/network/virtual_network_resource_test.go
Expand Up @@ -385,6 +385,11 @@ resource "azurerm_virtual_network" "test" {
resource_group_name = azurerm_resource_group.test.name
dns_servers = ["10.7.7.2", "10.7.7.7", "10.7.7.1", ]
encryption {
enabled = true
unencrypted_allowed = true
}
subnet {
name = "subnet1"
address_prefix = "10.0.1.0/24"
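Review bot: The only acceptance configuration touched here sets `unencrypted_allowed = true`, so the default path — an `encryption` block with `unencrypted_allowed` omitted, which the resource maps to the drop-unencrypted enforcement — is never applied against the API, and a service-side rejection of that enforcement value would go unnoticed. A second configuration variant (or an extra step) using `enabled = true` alone, followed by an import step, would cover both the default and the round-trip through `flattenVirtualNetworkEncryption`. The hunk lies inside an HCL template string whose test-config function starts and ends outside the hunk.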
10 changes: 10 additions & 0 deletions website/docs/r/virtual_network.html.markdown
Expand Up @@ -75,6 +75,8 @@ The following arguments are supported:

* `ddos_protection_plan` - (Optional) A `ddos_protection_plan` block as documented below.

* `encryption` - (Optional) A `encryption` block as defined below.

* `dns_servers` - (Optional) List of IP addresses of DNS servers

-> **NOTE** Since `dns_servers` can be configured both inline and via the separate `azurerm_virtual_network_dns_servers` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
Expand All @@ -99,6 +101,14 @@ A `ddos_protection_plan` block supports the following:

---

A `encryption` block supports the following:

* `enabled` - (Required) Enable/disable encryption on Virtual Network.

* `unencrypted_allowed` - (Optional) Whether ths virtual network allos VM that does not support encryption. Defaults to `false`.

---

The `subnet` block supports:

* `name` - (Required) The name of the subnet.
