diff --git a/internal/services/eventhub/eventhub_namespace_resource.go b/internal/services/eventhub/eventhub_namespace_resource.go
index bf9ca2bddc45..abf5fcb73e29 100644
--- a/internal/services/eventhub/eventhub_namespace_resource.go
+++ b/internal/services/eventhub/eventhub_namespace_resource.go
@@ -129,6 +129,12 @@ func resourceEventHubNamespace() *pluginsdk.Resource {
 }, false),
 },
 
+ "public_network_access_enabled": {
+ Type: pluginsdk.TypeBool,
+ Optional: true,
+ Default: true,
+ },
+
 "trusted_service_access_enabled": {
 Type: pluginsdk.TypeBool,
 Optional: true,
@@ -365,6 +371,10 @@ func resourceEventHubNamespaceCreate(d *pluginsdk.ResourceData, meta interface{}
 Properties: expandEventHubNamespaceNetworkRuleset(ruleSets.([]interface{})),
 }
 
+ if !strings.EqualFold(string(*rulesets.Properties.PublicNetworkAccess), string(*parameters.Properties.PublicNetworkAccess)) {
+ return fmt.Errorf("the value of public network access of namespace should be the same as of the network rulesets")
+ }
+
 ruleSetsClient := meta.(*clients.Client).Eventhub.NetworkRuleSetsClient
 namespaceId := networkrulesets.NewNamespaceID(id.SubscriptionId, id.ResourceGroupName, id.NamespaceName)
 if _, err := ruleSetsClient.NamespacesCreateOrUpdateNetworkRuleSet(ctx, namespaceId, rulesets); err != nil {
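Review bot: `Default: true` on the new nested `public_network_access_enabled` is independent of the namespace-level attribute of the same name (the test fixture in this commit sets both), so an existing configuration with `public_network_access_enabled = false` on the namespace and a `network_rulesets` block that does not repeat the value will now fail the equality check added in resourceEventHubNamespaceCreate and resourceEventHubNamespaceUpdate on every apply, and those are exactly the users who locked their namespace down. Either derive the nested value from the namespace-level attribute when the user has not set it, or state in the attribute's description that both must be set to the same value. The documentation hunk in this commit also names the attribute `public_network_access` rather than `public_network_access_enabled`, so the docs should be aligned with this schema key. resourceEventHubNamespace continues outside the hunk on both sides.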
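Review bot: The new check dereferences `rulesets.Properties.PublicNetworkAccess` and `parameters.Properties.PublicNetworkAccess` without a nil guard; `rulesets.Properties` is whatever expandEventHubNamespaceNetworkRuleset returned and `parameters.Properties.PublicNetworkAccess` is populated above the hunk, so if either can be nil on some path this panics instead of returning the new error. A guard such as `if rulesets.Properties == nil || rulesets.Properties.PublicNetworkAccess == nil || parameters.Properties == nil || parameters.Properties.PublicNetworkAccess == nil { return fmt.Errorf("public network access is not set on the namespace or its network rulesets") }` keeps the failure a reported error. The comparison also runs inside Create after `id` has been established, so if the namespace request has already been issued by this point the apply fails with the namespace created but its network ruleset never written; a `CustomizeDiff` comparing the two attributes would reject the mismatch at plan time instead. The identical block in the resourceEventHubNamespaceUpdate hunk has the same issues and could share one helper with this one. resourceEventHubNamespaceCreate continues outside the hunk on both sides.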
@@ -463,6 +473,10 @@ func resourceEventHubNamespaceUpdate(d *pluginsdk.ResourceData, meta interface{}
 Properties: expandEventHubNamespaceNetworkRuleset(ruleSets.([]interface{})),
 }
 
+ if !strings.EqualFold(string(*rulesets.Properties.PublicNetworkAccess), string(*parameters.Properties.PublicNetworkAccess)) {
+ return fmt.Errorf("the value of public network access of namespace should be the same as of the network rulesets")
+ }
+
 ruleSetsClient := meta.(*clients.Client).Eventhub.NetworkRuleSetsClient
 namespaceId := networkrulesets.NewNamespaceID(id.SubscriptionId, id.ResourceGroupName, id.NamespaceName)
 if _, err := ruleSetsClient.NamespacesCreateOrUpdateNetworkRuleSet(ctx, namespaceId, rulesets); err != nil {
@@ -671,11 +685,17 @@ func expandEventHubNamespaceNetworkRuleset(input []interface{}) *networkrulesets
 
 block := input[0].(map[string]interface{})
 
+ publicNetworkAccess := networkrulesets.PublicNetworkAccessFlagEnabled
+ if !block["public_network_access_enabled"].(bool) {
+ publicNetworkAccess = networkrulesets.PublicNetworkAccessFlagDisabled
+ }
+
 ruleset := networkrulesets.NetworkRuleSetProperties{
 DefaultAction: func() *networkrulesets.DefaultAction {
 v := networkrulesets.DefaultAction(block["default_action"].(string))
 return &v
 }(),
+ PublicNetworkAccess: &publicNetworkAccess,
 }
 
 if v, ok := block["trusted_service_access_enabled"]; ok {
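Review bot: `block["public_network_access_enabled"].(bool)` in the expandEventHubNamespaceNetworkRuleset hunk is an unchecked type assertion, whereas the sibling `trusted_service_access_enabled` a few lines below is read with the `v, ok` form; the schema default keeps the key present when the map comes from ResourceData, but any other caller that builds the map by hand would panic here. `if v, ok := block["public_network_access_enabled"].(bool); ok && !v { publicNetworkAccess = networkrulesets.PublicNetworkAccessFlagDisabled }` matches the existing style and degrades to Enabled rather than panicking. The function's start and the rest of its body are outside the hunk.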
@@ -766,8 +786,13 @@ func flattenEventHubNamespaceNetworkRuleset(ruleset networkrulesets.NamespacesGe
 // TODO: fix this
+ publicNetworkAccess := true
+ if ruleset.Model.Properties.PublicNetworkAccess != nil && *ruleset.Model.Properties.PublicNetworkAccess == networkrulesets.PublicNetworkAccessFlagDisabled {
+ publicNetworkAccess = false
+ }
 return []interface{}{map[string]interface{}{
 "default_action": string(*ruleset.Model.Properties.DefaultAction),
+ "public_network_access_enabled": publicNetworkAccess,
 "virtual_network_rule": vnetBlocks,
 "ip_rule": ipBlocks,
 "trusted_service_access_enabled": ruleset.Model.Properties.TrustedServiceAccessEnabled,
diff --git a/internal/services/eventhub/eventhub_namespace_resource_test.go b/internal/services/eventhub/eventhub_namespace_resource_test.go
index 9712741a2f93..a3eaebdf8447 100644
--- a/internal/services/eventhub/eventhub_namespace_resource_test.go
+++ b/internal/services/eventhub/eventhub_namespace_resource_test.go
@@ -168,6 +168,18 @@ func TestAccEventHubNamespace_networkrule_iprule(t *testing.T) {
 })
 }
 
+func TestAccEventHubNamespace_networkrule_publicNetworkAccessDiff(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_eventhub_namespace", "test")
+ r := EventHubNamespaceResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.networkrule_publicNetworkAccessDiff(data),
+ ExpectError: regexp.MustCompile("the value of public network access of namespace should be the same as of the network rulesets"),
+ },
+ })
+}
+
 func TestAccEventHubNamespace_networkrule_vnet(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_eventhub_namespace", "test")
 r := EventHubNamespaceResource{}
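Review bot: The new `publicNetworkAccess` block is inserted directly below the existing `// TODO: fix this` context line, so that comment now reads as if it annotates the new logic; move the new lines below it or reword the comment so the TODO's subject stays clear. The nil case maps to `true`, which matches the schema default but means a response that omits the field is recorded as public access enabled; a one-line comment such as `// a nil value from the API is reported as enabled, matching the schema default` would make that deliberate. flattenEventHubNamespaceNetworkRuleset starts outside the hunk, and the unguarded dereference of `DefaultAction` on the return line is pre-existing and unchanged.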
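Review bot: TestAccEventHubNamespace_networkrule_publicNetworkAccessDiff exercises only the rejection path via `ExpectError`; nothing in this commit applies `public_network_access_enabled = false` at both the namespace and `network_rulesets` level and checks the state, so the new expand and flatten code for the Disabled value is never round-tripped by an acceptance test. Adding a step to one of the existing network rule tests that sets both to `false` and asserts the `network_rulesets.0.public_network_access_enabled` key reads back as `false` would cover it. The `ExpectError` pattern contains no regexp metacharacters, so the literal match is fine as written.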
@@ -718,6 +730,37 @@ resource "azurerm_eventhub_namespace" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
 }
 
+func (EventHubNamespaceResource) networkrule_publicNetworkAccessDiff(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-eh-%d"
+ location = "%s"
+}
+
+resource "azurerm_eventhub_namespace" "test" {
+ name = "acctesteventhubnamespace-%d"
+ location = azurerm_resource_group.test.location
+ resource_group_name = azurerm_resource_group.test.name
+ sku = "Standard"
+ capacity = "2"
+ public_network_access_enabled = true
+
+ network_rulesets {
+ default_action = "Deny"
+ public_network_access_enabled = false
+ ip_rule {
+ ip_mask = "10.0.0.0/16"
+ action = "Allow"
+ }
+ }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
 func (EventHubNamespaceResource) networkrule_iprule_trusted_services(data acceptance.TestData) string {
 return fmt.Sprintf(`
 provider "azurerm" {
diff --git a/website/docs/r/eventhub_namespace.html.markdown b/website/docs/r/eventhub_namespace.html.markdown
index 18775bba3ebd..81dc68bff2df 100644
--- a/website/docs/r/eventhub_namespace.html.markdown
+++ b/website/docs/r/eventhub_namespace.html.markdown
@@ -79,6 +79,10 @@ A `network_rulesets` block supports the following:
 * `default_action` - (Required) The default action to take when a rule is not matched. Possible values are `Allow` and `Deny`. +* `public_network_access` - (Optional) Is public network access enabled for the EventHub Namespace? Defaults to `true`. + +* ~> **Note:** The public network access setting at the network rule sets level should be the same as it's at the namespace level. + +* `trusted_service_access_enabled` - (Optional) Whether Trusted Microsoft Services are allowed to bypass firewall. + +* `virtual_network_rule` - (Optional) One or more `virtual_network_rule` blocks as defined below.