Added option to set the application security group of a VMSS

azurerm/resource_arm_virtual_machine_scale_set.go

@@ -379,6 +379,17 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource {
 										Set:      schema.HashString,
 									},
 
+									"application_security_group_ids": {
+										Type:     schema.TypeSet,
+										Optional: true,
+										Elem: &schema.Schema{
+											Type:         schema.TypeString,
+											ValidateFunc: azure.ValidateResourceID,
+										},
+										Set:      schema.HashString,
+										MaxItems: 20,
+									},
+
 									"load_balancer_backend_address_pool_ids": {
 										Type:     schema.TypeSet,
 										Optional: true,
@@ -1142,6 +1153,14 @@ func flattenAzureRmVirtualMachineScaleSetNetworkProfile(profile *compute.Virtual
 				}
 				config["application_gateway_backend_address_pool_ids"] = schema.NewSet(schema.HashString, addressPools)
 
+				applicationSecurityGroups := make([]interface{}, 0)
+				if properties.ApplicationSecurityGroups != nil {
+					for _, asg := range *properties.ApplicationSecurityGroups {
+						applicationSecurityGroups = append(applicationSecurityGroups, *asg.ID)
+					}
+				}
+				config["application_security_group_ids"] = schema.NewSet(schema.HashString, applicationSecurityGroups)
+
 				if properties.LoadBalancerBackendAddressPools != nil {
 					addressPools := make([]interface{}, 0, len(*properties.LoadBalancerBackendAddressPools))
 					for _, pool := range *properties.LoadBalancerBackendAddressPools {
@@ -1506,6 +1525,18 @@ func expandAzureRmVirtualMachineScaleSetNetworkProfile(d *schema.ResourceData) *
 				ipConfiguration.ApplicationGatewayBackendAddressPools = &resources
 			}
 
+			if v := ipconfig["application_security_group_ids"]; v != nil {
+				asgs := v.(*schema.Set).List()
+				resources := make([]compute.SubResource, 0, len(asgs))
+				for _, p := range asgs {
+					id := p.(string)
+					resources = append(resources, compute.SubResource{
+						ID: &id,
+					})
+				}
+				ipConfiguration.ApplicationSecurityGroups = &resources
+			}
+
 			if v := ipconfig["load_balancer_backend_address_pool_ids"]; v != nil {
 				pools := v.(*schema.Set).List()
 				resources := make([]compute.SubResource, 0, len(pools))

azurerm/resource_arm_virtual_machine_scale_set_test.go

@@ -85,6 +85,27 @@ func TestAccAzureRMVirtualMachineScaleSet_basicPublicIP(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMVirtualMachineScaleSet_basicApplicationSecurity(t *testing.T) {
+	resourceName := "azurerm_virtual_machine_scale_set.test"
+	ri := acctest.RandInt()
+	networkProfileName := fmt.Sprintf("TestNetworkProfile-%d", ri)
+	networkProfile := map[string]interface{}{"name": networkProfileName, "primary": true}
+	networkProfileHash := fmt.Sprintf("%d", resourceArmVirtualMachineScaleSetNetworkConfigurationHash(networkProfile))
+	config := testAccAzureRMVirtualMachineScaleSet_basicApplicationSecurity(ri, testLocation())
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMVirtualMachineScaleSetDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.TestCheckResourceAttr(resourceName,
+					"network_profile."+networkProfileHash+".ip_configuration.0.application_security_group_ids.#", "1"),
+			},
+		},
+	})
+}
+
 func TestAccAzureRMVirtualMachineScaleSet_basicAcceleratedNetworking(t *testing.T) {
 	resourceName := "azurerm_virtual_machine_scale_set.test"
 	ri := acctest.RandInt()
@@ -1000,6 +1021,32 @@ func testCheckAzureRMVirtualMachineScaleSetPublicIPName(name, publicIPName strin
 	}
 }
 
+func testCheckAzureRMVirtualMachineScaleSetApplicationSecurity(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		resp, err := testGetAzureRMVirtualMachineScaleSet(s, name)
+		if err != nil {
+			return err
+		}
+
+		n := resp.VirtualMachineProfile.NetworkProfile.NetworkInterfaceConfigurations
+		if n == nil || len(*n) == 0 {
+			return fmt.Errorf("Bad: Could not get network interface configurations for scale set %v", name)
+		}
+
+		ip := (*n)[0].IPConfigurations
+		if ip == nil || len(*ip) == 0 {
+			return fmt.Errorf("Bad: Could not get ip configurations for scale set %v", name)
+		}
+
+		asgs := (*ip)[0].ApplicationSecurityGroups
+		if asgs == nil || len(*asgs) == 0 {
+			return fmt.Errorf("Bad: Application Security Groups was empty for scale set %v", name)
+		}
+
+		return nil
+	}
+}
+
 func testCheckAzureRMVirtualMachineScaleSetAcceleratedNetworking(name string, boolean bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		resp, err := testGetAzureRMVirtualMachineScaleSet(s, name)
@@ -1362,6 +1409,97 @@ resource "azurerm_virtual_machine_scale_set" "test" {
 `, rInt, location)
 }
 
+func testAccAzureRMVirtualMachineScaleSet_basicApplicationSecurity(rInt int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+    name = "acctestRG-%[1]d"
+    location = "%[2]s"
+}
+
+resource "azurerm_virtual_network" "test" {
+    name = "acctvn-%[1]d"
+    address_space = ["10.0.0.0/16"]
+    location = "${azurerm_resource_group.test.location}"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_subnet" "test" {
+    name = "acctsub-%[1]d"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    virtual_network_name = "${azurerm_virtual_network.test.name}"
+    address_prefix = "10.0.2.0/24"
+}
+
+resource "azurerm_application_security_group" "test" {
+  location = "${azurerm_resource_group.test.location}"
+  name = "TestApplicationSecurityGroup"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_storage_account" "test" {
+	name                     = "accsa%[1]d"
+	resource_group_name      = "${azurerm_resource_group.test.name}"
+	location                 = "${azurerm_resource_group.test.location}"
+	account_tier             = "Standard"
+	account_replication_type = "LRS"
+
+    tags {
+        environment = "staging"
+    }
+}
+
+resource "azurerm_storage_container" "test" {
+    name = "vhds"
+    resource_group_name = "${azurerm_resource_group.test.name}"
+    storage_account_name = "${azurerm_storage_account.test.name}"
+    container_access_type = "private"
+}
+
+resource "azurerm_virtual_machine_scale_set" "test" {
+  name = "acctvmss-%[1]d"
+  location = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  upgrade_policy_mode = "Manual"
+
+  sku {
+    name = "Standard_D1_v2"
+    tier = "Standard"
+    capacity = 1
+  }
+
+  os_profile {
+    computer_name_prefix = "testvm-%[1]d"
+    admin_username = "myadmin"
+    admin_password = "Passwword1234"
+  }
+
+  network_profile {
+      name = "TestNetworkProfile-%[1]d"
+      primary = true
+      ip_configuration {
+        name = "TestIPConfiguration"
+        subnet_id = "${azurerm_subnet.test.id}"
+        application_security_group_ids = ["${azurerm_application_security_group.test.id}"]
+      }
+  }
+
+  storage_profile_os_disk {
+    name = "osDiskProfile"
+    caching       = "ReadWrite"
+    create_option = "FromImage"
+    vhd_containers = ["${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}"]
+  }
+
+  storage_profile_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "16.04-LTS"
+    version   = "latest"
+  }
+}
+`, rInt, location)
+}
+
 func testAccAzureRMVirtualMachineScaleSet_basicAcceleratedNetworking(rInt int, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {

website/docs/r/virtual_machine_scale_set.html.markdown

@@ -377,6 +377,7 @@ output "principal_id" {
 * `load_balancer_backend_address_pool_ids` - (Optional) Specifies an array of references to backend address pools of load balancers. A scale set can reference backend address pools of one public and one internal load balancer. Multiple scale sets cannot use the same load balancer.
 * `load_balancer_inbound_nat_rules_ids` - (Optional) Specifies an array of references to inbound NAT rules for load balancers.
 * `primary` - (Required) Specifies if this ip_configuration is the primary one.
+* `application_security_group_ids` - (Optional) Specifies an array of references to application security groups
 * `public_ip_address_configuration` - (Optional) describes a virtual machines scale set IP Configuration's
  PublicIPAddress configuration. The public_ip_address_configuration is documented below.