Added option to set the application security group of a VMSS

azurerm/resource_arm_virtual_machine_scale_set.go

@@ -379,6 +379,17 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource {
 										Set:      schema.HashString,
 									},
 
+									"application_security_group_ids": {
+										Type:     schema.TypeSet,
+										Optional: true,
+										Elem: &schema.Schema{
+											Type:         schema.TypeString,
+											ValidateFunc: azure.ValidateResourceID,
+										},
+										Set:      schema.HashString,
+										MaxItems: 20,
+									},
+
 									"load_balancer_backend_address_pool_ids": {
 										Type:     schema.TypeSet,
 										Optional: true,
@@ -1128,51 +1139,68 @@ func flattenAzureRmVirtualMachineScaleSetNetworkProfile(profile *compute.Virtual
 				config := make(map[string]interface{})
 				config["name"] = *ipConfig.Name
 
-				properties := ipConfig.VirtualMachineScaleSetIPConfigurationProperties
+				if properties := ipConfig.VirtualMachineScaleSetIPConfigurationProperties; properties != nil {
 
-				if ipConfig.VirtualMachineScaleSetIPConfigurationProperties.Subnet != nil {
-					config["subnet_id"] = *properties.Subnet.ID
-				}
+					if properties.Subnet != nil {
+						config["subnet_id"] = *properties.Subnet.ID
+					}
 
-				addressPools := make([]interface{}, 0)
-				if properties.ApplicationGatewayBackendAddressPools != nil {
-					for _, pool := range *properties.ApplicationGatewayBackendAddressPools {
-						addressPools = append(addressPools, *pool.ID)
+					addressPools := make([]interface{}, 0)
+					if properties.ApplicationGatewayBackendAddressPools != nil {
+						for _, pool := range *properties.ApplicationGatewayBackendAddressPools {
+							if v := pool.ID; v != nil {
+								addressPools = append(addressPools, *v)
+							}
+						}
+					}
+					config["application_gateway_backend_address_pool_ids"] = schema.NewSet(schema.HashString, addressPools)
+
+					applicationSecurityGroups := make([]interface{}, 0)
+					if properties.ApplicationSecurityGroups != nil {
+						for _, asg := range *properties.ApplicationSecurityGroups {
+							if v := asg.ID; v != nil {
+								applicationSecurityGroups = append(applicationSecurityGroups, *v)
+							}
+						}
+					}
+					config["application_security_group_ids"] = schema.NewSet(schema.HashString, applicationSecurityGroups)
+
+					if properties.LoadBalancerBackendAddressPools != nil {
+						addressPools := make([]interface{}, 0, len(*properties.LoadBalancerBackendAddressPools))
+						for _, pool := range *properties.LoadBalancerBackendAddressPools {
+							if v := pool.ID; v != nil {
+								addressPools = append(addressPools, *v)
+							}
+						}
+						config["load_balancer_backend_address_pool_ids"] = schema.NewSet(schema.HashString, addressPools)
 					}
-				}
-				config["application_gateway_backend_address_pool_ids"] = schema.NewSet(schema.HashString, addressPools)
 
-				if properties.LoadBalancerBackendAddressPools != nil {
-					addressPools := make([]interface{}, 0, len(*properties.LoadBalancerBackendAddressPools))
-					for _, pool := range *properties.LoadBalancerBackendAddressPools {
-						addressPools = append(addressPools, *pool.ID)
+					if properties.LoadBalancerInboundNatPools != nil {
+						inboundNatPools := make([]interface{}, 0, len(*properties.LoadBalancerInboundNatPools))
+						for _, rule := range *properties.LoadBalancerInboundNatPools {
+							if v := rule.ID; v != nil {
+								inboundNatPools = append(inboundNatPools, *v)
+							}
+						}
+						config["load_balancer_inbound_nat_rules_ids"] = schema.NewSet(schema.HashString, inboundNatPools)
 					}
-					config["load_balancer_backend_address_pool_ids"] = schema.NewSet(schema.HashString, addressPools)
-				}
 
-				if properties.LoadBalancerInboundNatPools != nil {
-					inboundNatPools := make([]interface{}, 0, len(*properties.LoadBalancerInboundNatPools))
-					for _, rule := range *properties.LoadBalancerInboundNatPools {
-						inboundNatPools = append(inboundNatPools, *rule.ID)
+					if properties.Primary != nil {
+						config["primary"] = *properties.Primary
 					}
-					config["load_balancer_inbound_nat_rules_ids"] = schema.NewSet(schema.HashString, inboundNatPools)
-				}
 
-				if properties.Primary != nil {
-					config["primary"] = *properties.Primary
-				}
+					if properties.PublicIPAddressConfiguration != nil {
+						publicIpInfo := properties.PublicIPAddressConfiguration
+						publicIpConfigs := make([]map[string]interface{}, 0, 1)
+						publicIpConfig := make(map[string]interface{})
+						publicIpConfig["name"] = *publicIpInfo.Name
+						publicIpConfig["domain_name_label"] = *publicIpInfo.VirtualMachineScaleSetPublicIPAddressConfigurationProperties.DNSSettings
+						publicIpConfig["idle_timeout"] = *publicIpInfo.VirtualMachineScaleSetPublicIPAddressConfigurationProperties.IdleTimeoutInMinutes
+						config["public_ip_address_configuration"] = publicIpConfigs
+					}
 
-				if properties.PublicIPAddressConfiguration != nil {
-					publicIpInfo := properties.PublicIPAddressConfiguration
-					publicIpConfigs := make([]map[string]interface{}, 0, 1)
-					publicIpConfig := make(map[string]interface{})
-					publicIpConfig["name"] = *publicIpInfo.Name
-					publicIpConfig["domain_name_label"] = *publicIpInfo.VirtualMachineScaleSetPublicIPAddressConfigurationProperties.DNSSettings
-					publicIpConfig["idle_timeout"] = *publicIpInfo.VirtualMachineScaleSetPublicIPAddressConfigurationProperties.IdleTimeoutInMinutes
-					config["public_ip_address_configuration"] = publicIpConfigs
+					ipConfigs = append(ipConfigs, config)
 				}
-
-				ipConfigs = append(ipConfigs, config)
 			}
 
 			s["ip_configuration"] = ipConfigs
@@ -1506,6 +1534,18 @@ func expandAzureRmVirtualMachineScaleSetNetworkProfile(d *schema.ResourceData) *
 				ipConfiguration.ApplicationGatewayBackendAddressPools = &resources
 			}
 
+			if v := ipconfig["application_security_group_ids"]; v != nil {
+				asgs := v.(*schema.Set).List()
+				resources := make([]compute.SubResource, 0, len(asgs))
+				for _, p := range asgs {
+					id := p.(string)
+					resources = append(resources, compute.SubResource{
+						ID: &id,
+					})
+				}
+				ipConfiguration.ApplicationSecurityGroups = &resources
+			}
+
 			if v := ipconfig["load_balancer_backend_address_pool_ids"]; v != nil {
 				pools := v.(*schema.Set).List()
 				resources := make([]compute.SubResource, 0, len(pools))

azurerm/resource_arm_virtual_machine_scale_set_test.go

@@ -85,6 +85,27 @@ func TestAccAzureRMVirtualMachineScaleSet_basicPublicIP(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMVirtualMachineScaleSet_basicApplicationSecurity(t *testing.T) {
+	resourceName := "azurerm_virtual_machine_scale_set.test"
+	ri := acctest.RandInt()
+	networkProfileName := fmt.Sprintf("TestNetworkProfile-%d", ri)
+	networkProfile := map[string]interface{}{"name": networkProfileName, "primary": true}
+	networkProfileHash := fmt.Sprintf("%d", resourceArmVirtualMachineScaleSetNetworkConfigurationHash(networkProfile))
+	config := testAccAzureRMVirtualMachineScaleSet_basicApplicationSecurity(ri, testLocation())
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMVirtualMachineScaleSetDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.TestCheckResourceAttr(resourceName,
+					"network_profile."+networkProfileHash+".ip_configuration.0.application_security_group_ids.#", "1"),
+			},
+		},
+	})
+}
+
 func TestAccAzureRMVirtualMachineScaleSet_basicAcceleratedNetworking(t *testing.T) {
 	resourceName := "azurerm_virtual_machine_scale_set.test"
 	ri := acctest.RandInt()
@@ -1362,6 +1383,98 @@ resource "azurerm_virtual_machine_scale_set" "test" {
 `, rInt, location)
 }
 
+func testAccAzureRMVirtualMachineScaleSet_basicApplicationSecurity(rInt int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+    name = "acctestRG-%[1]d"
+    location = "%[2]s"
+}
+
+resource "azurerm_virtual_network" "test" {
+    name = "acctvn-%[1]d"
+    address_space = ["10.0.0.0/16"]
+    location = "${azurerm_resource_group.test.location}"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_subnet" "test" {
+    name = "acctsub-%[1]d"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    virtual_network_name = "${azurerm_virtual_network.test.name}"
+    address_prefix = "10.0.2.0/24"
+}
+
+resource "azurerm_application_security_group" "test" {
+  location = "${azurerm_resource_group.test.location}"
+  name = "TestApplicationSecurityGroup"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_storage_account" "test" {
+	name                     = "accsa%[1]d"
+	resource_group_name      = "${azurerm_resource_group.test.name}"
+	location                 = "${azurerm_resource_group.test.location}"
+	account_tier             = "Standard"
+	account_replication_type = "LRS"
+
+    tags {
+        environment = "staging"
+    }
+}
+
+resource "azurerm_storage_container" "test" {
+    name = "vhds"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    storage_account_name = "${azurerm_storage_account.test.name}"
+    container_access_type = "private"
+}
+
+resource "azurerm_virtual_machine_scale_set" "test" {
+  name = "acctvmss-%[1]d"
+  location = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  upgrade_policy_mode = "Manual"
+
+  sku {
+    name = "Standard_D1_v2"
+    tier = "Standard"
+    capacity = 1
+  }
+
+  os_profile {
+    computer_name_prefix = "testvm-%[1]d"
+    admin_username = "myadmin"
+    admin_password = "Passwword1234"
+  }
+
+  network_profile {
+      name = "TestNetworkProfile-%[1]d"
+      primary = true
+      ip_configuration {
+        name = "TestIPConfiguration"
+        primary = true
+        subnet_id = "${azurerm_subnet.test.id}"
+        application_security_group_ids = ["${azurerm_application_security_group.test.id}"]
+      }
+  }
+
+  storage_profile_os_disk {
+    name = "osDiskProfile"
+    caching       = "ReadWrite"
+    create_option = "FromImage"
+    vhd_containers = ["${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}"]
+  }
+
+  storage_profile_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "16.04-LTS"
+    version   = "latest"
+  }
+}
+`, rInt, location)
+}
+
 func testAccAzureRMVirtualMachineScaleSet_basicAcceleratedNetworking(rInt int, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {

website/docs/r/virtual_machine_scale_set.html.markdown

@@ -378,8 +378,8 @@ output "principal_id" {
 * `load_balancer_backend_address_pool_ids` - (Optional) Specifies an array of references to backend address pools of load balancers. A scale set can reference backend address pools of one public and one internal load balancer. Multiple scale sets cannot use the same load balancer.
 * `load_balancer_inbound_nat_rules_ids` - (Optional) Specifies an array of references to inbound NAT rules for load balancers.
 * `primary` - (Required) Specifies if this ip_configuration is the primary one.
-* `public_ip_address_configuration` - (Optional) describes a virtual machines scale set IP Configuration's
- PublicIPAddress configuration. The public_ip_address_configuration is documented below.
+* `application_security_group_ids` - (Optional) Specifies up to `20` application security group IDs.
+* `public_ip_address_configuration` - (Optional) Describes a virtual machines scale set IP Configuration's PublicIPAddress configuration. The public_ip_address_configuration is documented below.
 
 `public_ip_address_configuration` supports the following: