azurerm_netapp_volume - support for the kerberos_enabled, smb_continuous_availability_enabled, kerberos_5_read_only_enabled, kerberos_5_read_write_enabled, kerberos_5i_read_only_enabled, kerberos_5i_read_write_enabled, kerberos_5p_read_only_enabled, kerberos_5p_read_write_enabled properties #25385

Merged
merged 20 commits into from
Mar 26, 2024
136 changes: 92 additions & 44 deletions internal/services/netapp/netapp_volume_resource.go
Expand Up @@ -134,6 +134,21 @@ func resourceNetAppVolume() *pluginsdk.Resource {
},
},

"kerberos_enabled": {
// Due to large infrastructure requirements, there is not a reliable way to test Kerberos volumes in a shared environment at this time
Type: pluginsdk.TypeBool,
Optional: true,
ForceNew: true,
Description: "Enable to allow Kerberos secured volumes. Requires appropriate export rules as well as the parent `azurerm_netapp_account` having a defined AD connection.",
},

"smb_continuous_availability_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Description: "Continuous availability option should be used only for SQL and FSLogix workloads. Using it for any other SMB workloads is not supported.",
ForceNew: true,
},

"security_style": {
Type: pluginsdk.TypeString,
Optional: true,
Expand Down Expand Up @@ -206,6 +221,31 @@ func resourceNetAppVolume() *pluginsdk.Resource {
Type: pluginsdk.TypeBool,
Optional: true,
},

"kerberos_5_read_only_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"kerberos_5_read_write_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"kerberos_5i_read_only_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"kerberos_5i_read_write_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"kerberos_5p_read_only_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
"kerberos_5p_read_write_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
},
},
},
},
Expand Down Expand Up @@ -303,15 +343,17 @@ func resourceNetAppVolume() *pluginsdk.Resource {
},

"smb_non_browsable_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Description: "Enable non browsable share setting for SMB/Dual Protocol volume. When enabled, it restricts windows clients to browse the share",
},

"smb_access_based_enumeration_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Type: pluginsdk.TypeBool,
Optional: true,
Default: false,
Description: "Enable access based enumeration setting for SMB/Dual Protocol volume. When enabled, users who do not have permission to access a shared folder or file underneath it, do not see that shared resource displayed in their environment.",
},
},
}
Expand Down Expand Up @@ -348,6 +390,8 @@ func resourceNetAppVolumeCreate(d *pluginsdk.ResourceData, meta interface{}) err
volumePath := d.Get("volume_path").(string)
serviceLevel := volumes.ServiceLevel(d.Get("service_level").(string))
subnetID := d.Get("subnet_id").(string)
kerberosEnabled := d.Get("kerberos_enabled").(bool)
smbContiuouslyAvailable := d.Get("smb_continuous_availability_enabled").(bool)

var networkFeatures volumes.NetworkFeatures
networkFeaturesString := d.Get("network_features").(string)
Expand Down Expand Up @@ -480,6 +524,8 @@ func resourceNetAppVolumeCreate(d *pluginsdk.ResourceData, meta interface{}) err
CreationToken: volumePath,
ServiceLevel: &serviceLevel,
SubnetId: subnetID,
KerberosEnabled: &kerberosEnabled,
SmbContinuouslyAvailable: &smbContiuouslyAvailable,
NetworkFeatures: &networkFeatures,
SmbNonBrowsable: &smbNonBrowsable,
SmbAccessBasedEnumeration: &smbAccessBasedEnumeration,
Expand Down Expand Up @@ -686,6 +732,8 @@ func resourceNetAppVolumeRead(d *pluginsdk.ResourceData, meta interface{}) error
d.Set("volume_path", props.CreationToken)
d.Set("service_level", string(pointer.From(props.ServiceLevel)))
d.Set("subnet_id", props.SubnetId)
d.Set("kerberos_enabled", props.KerberosEnabled)
d.Set("smb_continuous_availability_enabled", props.SmbContinuouslyAvailable)
d.Set("network_features", string(pointer.From(props.NetworkFeatures)))
d.Set("protocols", props.ProtocolTypes)
d.Set("security_style", string(pointer.From(props.SecurityStyle)))
Expand Down Expand Up @@ -843,16 +891,28 @@ func expandNetAppVolumeExportPolicyRule(input []interface{}) *volumes.VolumeProp
unixReadOnly := v["unix_read_only"].(bool)
unixReadWrite := v["unix_read_write"].(bool)
rootAccessEnabled := v["root_access_enabled"].(bool)
kerberos5ro := v["kerberos_5_read_only_enabled"].(bool)
kerberos5rw := v["kerberos_5_read_write_enabled"].(bool)
kerberos5iro := v["kerberos_5i_read_only_enabled"].(bool)
kerberos5irw := v["kerberos_5i_read_write_enabled"].(bool)
kerberos5pro := v["kerberos_5p_read_only_enabled"].(bool)
kerberos5prw := v["kerberos_5p_read_write_enabled"].(bool)

result := volumes.ExportPolicyRule{
AllowedClients: utils.String(allowedClients),
Cifs: utils.Bool(cifsEnabled),
Nfsv3: utils.Bool(nfsv3Enabled),
Nfsv41: utils.Bool(nfsv41Enabled),
RuleIndex: utils.Int64(ruleIndex),
UnixReadOnly: utils.Bool(unixReadOnly),
UnixReadWrite: utils.Bool(unixReadWrite),
HasRootAccess: utils.Bool(rootAccessEnabled),
AllowedClients: utils.String(allowedClients),
Cifs: utils.Bool(cifsEnabled),
Nfsv3: utils.Bool(nfsv3Enabled),
Nfsv41: utils.Bool(nfsv41Enabled),
Kerberos5ReadOnly: utils.Bool(kerberos5ro),
Kerberos5ReadWrite: utils.Bool(kerberos5rw),
Kerberos5iReadOnly: utils.Bool(kerberos5iro),
Kerberos5iReadWrite: utils.Bool(kerberos5irw),
Kerberos5pReadOnly: utils.Bool(kerberos5pro),
Kerberos5pReadWrite: utils.Bool(kerberos5prw),
RuleIndex: utils.Int64(ruleIndex),
UnixReadOnly: utils.Bool(unixReadOnly),
UnixReadWrite: utils.Bool(unixReadWrite),
HasRootAccess: utils.Bool(rootAccessEnabled),
}

results = append(results, result)
Expand Down Expand Up @@ -935,41 +995,29 @@ func flattenNetAppVolumeExportPolicyRule(input *volumes.VolumePropertiesExportPo
}

protocolsEnabled := []string{}
if v := item.Cifs; v != nil {
if *v {
protocolsEnabled = append(protocolsEnabled, "CIFS")
}
}
if v := item.Nfsv3; v != nil {
if *v {
protocolsEnabled = append(protocolsEnabled, "NFSv3")
}
}
if v := item.Nfsv41; v != nil {
if *v {
protocolsEnabled = append(protocolsEnabled, "NFSv4.1")
}
}
unixReadOnly := false
if v := item.UnixReadOnly; v != nil {
unixReadOnly = *v
if utils.NormaliseNilableBool(item.Cifs) {
protocolsEnabled = append(protocolsEnabled, "CIFS")
}
unixReadWrite := false
if v := item.UnixReadWrite; v != nil {
unixReadWrite = *v
if utils.NormaliseNilableBool(item.Nfsv3) {
protocolsEnabled = append(protocolsEnabled, "NFSv3")
}
rootAccessEnabled := false
if v := item.HasRootAccess; v != nil {
rootAccessEnabled = *v
if utils.NormaliseNilableBool(item.Nfsv41) {
protocolsEnabled = append(protocolsEnabled, "NFSv4.1")
}

result := map[string]interface{}{
"rule_index": ruleIndex,
"allowed_clients": utils.FlattenStringSlice(&allowedClients),
"unix_read_only": unixReadOnly,
"unix_read_write": unixReadWrite,
"root_access_enabled": rootAccessEnabled,
"protocols_enabled": utils.FlattenStringSlice(&protocolsEnabled),
"allowed_clients": utils.FlattenStringSlice(&allowedClients),
"kerberos_5_read_only_enabled": utils.NormaliseNilableBool(item.Kerberos5ReadOnly),
"kerberos_5_read_write_enabled": utils.NormaliseNilableBool(item.Kerberos5ReadWrite),
"kerberos_5i_read_only_enabled": utils.NormaliseNilableBool(item.Kerberos5iReadOnly),
"kerberos_5i_read_write_enabled": utils.NormaliseNilableBool(item.Kerberos5iReadWrite),
"kerberos_5p_read_only_enabled": utils.NormaliseNilableBool(item.Kerberos5pReadOnly),
"kerberos_5p_read_write_enabled": utils.NormaliseNilableBool(item.Kerberos5pReadWrite),
"protocols_enabled": utils.FlattenStringSlice(&protocolsEnabled),
"root_access_enabled": utils.NormaliseNilableBool(item.HasRootAccess),
"rule_index": ruleIndex,
"unix_read_only": utils.NormaliseNilableBool(item.UnixReadOnly),
"unix_read_write": utils.NormaliseNilableBool(item.UnixReadWrite),
}
results = append(results, result)
}
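Review bot: The new `kerberos_enabled` volume flag and the six per-rule `kerberos_5*_enabled` flags (schema hunks, plus the `kerberos5ro`…`kerberos5prw` reads in expandNetAppVolumeExportPolicyRule) are accepted in any combination with no plan-time check, even though the `kerberos_enabled` description itself states that it requires appropriate export rules; a plan that enables Kerberos on the volume with no rule granting any `kerberos_5*` mode, or that sets a `kerberos_5*` mode on a rule while `kerberos_enabled` stays false, is only caught at apply time, and the accompanying docs note that a mis-set Kerberos volume can be left created in a failed state that needs manual cleanup. Consider a resource-level CustomizeDiff validation that errors when `kerberos_enabled` is true and no `export_policy_rule` sets one of the six flags, and when any rule sets one while `kerberos_enabled` is false; whether the service rejects or silently ignores the second combination should be confirmed against the API before wording that error. Separately, the local `smbContiuouslyAvailable` in the create hunk (read from `smb_continuous_availability_enabled` and passed at `SmbContinuouslyAvailable:`) is misspelled and should be `smbContinuouslyAvailable`. The schema, create, read and expand functions all begin outside their respective hunks.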
18 changes: 18 additions & 0 deletions website/docs/r/netapp_volume.html.markdown
Expand Up @@ -145,12 +145,18 @@ The following arguments are supported:

* `encryption_key_source` - (Optional) The encryption key source, it can be `Microsoft.NetApp` for platform managed keys or `Microsoft.KeyVault` for customer-managed keys. This is required with `key_vault_private_endpoint_id`. Changing this forces a new resource to be created.

* `kerberos_enabled` - (Optional) Enable to allow Kerberos secured volumes. Requires appropriate export rules.

~> **NOTE:** `kerberos_enabled` requires that the parent `azurerm_netapp_account` has a *valid* AD connection defined. If the configuration is invalid, the volume will still be created but in a failed state. This requires manually deleting the volume and recreating it again via Terraform once the AD configuration has been corrected.

* `key_vault_private_endpoint_id` - (Optional) The Private Endpoint ID for Key Vault, which is required when using customer-managed keys. This is required with `encryption_key_source`. Changing this forces a new resource to be created.

* `smb_non_browsable_enabled` - (Optional) Limits clients from browsing for an SMB share by hiding the share from view in Windows Explorer or when listing shares in "net view." Only end users that know the absolute paths to the share are able to find the share. Defaults to `false`. For more information, please refer to [Understand NAS share permissions in Azure NetApp Files](https://learn.microsoft.com/en-us/azure/azure-netapp-files/network-attached-storage-permissions#:~:text=Non%2Dbrowsable%20shares,find%20the%20share.)

* `smb_access_based_enumeration_enabled` - (Optional) Limits enumeration of files and folders (that is, listing the contents) in SMB only to users with allowed access on the share. For instance, if a user doesn't have access to read a file or folder in a share with access-based enumeration enabled, then the file or folder doesn't show up in directory listings. Defaults to `false`. For more information, please refer to [Understand NAS share permissions in Azure NetApp Files](https://learn.microsoft.com/en-us/azure/azure-netapp-files/network-attached-storage-permissions#:~:text=security%20for%20administrators.-,Access%2Dbased%20enumeration,in%20an%20Azure%20NetApp%20Files%20SMB%20volume.%20Only%20contosoadmin%20has%20access.,-In%20the%20below)

* `smb_continuous_availability_enabled` - (Optional) Enable SMB Continuous Availability.

* `tags` - (Optional) A mapping of tags to assign to the resource.

-> **Note:** It is highly recommended to use the **lifecycle** property as noted in the example since it will prevent an accidental deletion of the volume if the `protocols` argument changes to a different protocol type.
Expand All @@ -171,6 +177,18 @@ An `export_policy_rule` block supports the following:

* `root_access_enabled` - (Optional) Is root access permitted to this volume?

* `kerberos_5_read_only_enabled` - (Optional) Is Kerberos 5 read-only access permitted to this volume?

* `kerberos_5_read_write_enabled` - (Optional) Is Kerberos 5 read/write permitted to this volume?

* `kerberos_5i_read_only_enabled` - (Optional) Is Kerberos 5i read-only permitted to this volume?

* `kerberos_5i_read_write_enabled` - (Optional) Is Kerberos 5i read/write permitted to this volume?

* `kerberos_5p_read_only_enabled` - (Optional) Is Kerberos 5p read-only permitted to this volume?

* `kerberos_5p_read_write_enabled` - (Optional) Is Kerberos 5p read/write permitted to this volume?

---

A `data_protection_replication` block is used when enabling the Cross-Region Replication (CRR) data protection option by deploying two Azure NetApp Files Volumes, one to be a primary volume and the other one will be the secondary, the secondary will have this block and will reference the primary volume, each volume must be in a supported [region pair](https://docs.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction#supported-region-pairs) and it supports the following: