New Resource: azurerm_private_link_endpoint New Data Source: azurerm_private_link_endpoint_connection and expose attibute in azurerm_subnet
#4493
Conversation
There was a problem hiding this comment.
Hi @WodansSon,
Thanks for the PR, looking pretty good here 🙂 Left some comments inline that need to be addressed before merge.
| if location := resp.Location; location != nil { | ||
| d.Set("location", azure.NormalizeLocation(*location)) | ||
| } | ||
| if privateEndpointProperties := resp.PrivateEndpointProperties; privateEndpointProperties != nil { |
There was a problem hiding this comment.
i personally would use props here as it makes the code easier to review
| if privateEndpointProperties := resp.PrivateEndpointProperties; privateEndpointProperties != nil { | |
| if props := resp.PrivateEndpointProperties; props != nil { |
website/docs/r/subnet.html.markdown
Outdated
| @@ -71,6 +71,10 @@ The following arguments are supported: | |||
|
|
|||
| * `delegation` - (Optional) One or more `delegation` blocks as defined below. | |||
|
|
|||
| * `disable_private_endpoint_network_policies` - (Optional) Enable or Disable network policies on private end point in the subnet. Default valule is `false`. | |||
|
|
|||
| -> **NOTE:** Network policies like network security groups (NSG) are not supported for private endpoints. In order to deploy a Private Endpoint on a given subnet, an explicit disable setting is required on that subnet. This setting is only applicable for the Private Endpoint. For other resources in the subnet, access is controlled based on Network Security Groups (NSG) security rules definition. | |||
There was a problem hiding this comment.
I have read this three times and i'm not entirely sure what this does 🤔, could we reword this to be easier to understand?
There was a problem hiding this comment.
Fixed. I re-wrote this let me know if this makes more sense.
|
|
||
| * `group_ids` - (Optional) The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. | ||
|
|
||
| * `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. |
There was a problem hiding this comment.
| * `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. | |
| * `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to `140` chars. |
|
|
||
| * `name` - The name of the resource that is unique within a resource group. This name can be used to access the resource. | ||
|
|
||
| * `status` - Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. |
There was a problem hiding this comment.
Could we list the states quoted like we do in the resource?
There was a problem hiding this comment.
Yep... I had already fixed that but didn't push the commit yet.
|
|
||
| The `network_interface` block contains the following: | ||
|
|
||
| * `id` - Resource ID. |
There was a problem hiding this comment.
COuld we expand on this description as in the resource?
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Default: "Please approve my connection", | ||
| }, |
There was a problem hiding this comment.
SHould we ensure no empty strings here?
There was a problem hiding this comment.
Yeah, I can add that to my validation function I just wrote to check max length.
| Optional: true, | ||
| Elem: &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| }, |
There was a problem hiding this comment.
Could we validate this is a actual azure resource id?
There was a problem hiding this comment.
Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.
| "private_link_service_id": { | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Could we validate this is a actual azure resource id?
There was a problem hiding this comment.
Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.
| Type: schema.TypeString, | ||
| Required: true, | ||
| ForceNew: true, | ||
| ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Not a blocker but ideally i'd like a regex to validate the name against here (and the other name bits of this schema)
There was a problem hiding this comment.
Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.
| Computed: true, | ||
| }, | ||
|
|
||
| "tags": tagsForDataSourceSchema(), |
There was a problem hiding this comment.
Could we use the new tags.SchemaForDataSource function?
|
Also would it make more sense to call this resource |
WodansSon
changed the title
azurerm_private_endpoint and expose attibute in azurerm_subnetazurerm_private_link_endpoint and expose attibute in azurerm_subnet
There was a problem hiding this comment.
Thanks for the revisions @WodansSon, left some comments inline that need to be addressed before merge.
| "name": { | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Could we do a regex validation here?
There was a problem hiding this comment.
As before, could we do some better validation here?
There was a problem hiding this comment.
Fixed... I was hoping that the private link service was going to be merged before this one so I can re-use the validation in that PR. However, I have added the validation in this one as well.
azurerm/helpers/validate/strings.go
Outdated
| func PrivateLinkEnpointRequestMessage(i interface{}, k string) (_ []string, errors []error) { | ||
| return stringMaxLength(140)(i, k) | ||
| } | ||
|
|
||
| func stringMaxLength(maxLength int) func(i interface{}, k string) (_ []string, errors []error) { | ||
| return func(i interface{}, k string) (_ []string, errors []error) { | ||
| v, ok := i.(string) | ||
| if !ok { | ||
| return nil, []error{fmt.Errorf("expected type of %q to be string", k)} | ||
| } | ||
|
|
||
| if len(v) > maxLength { | ||
| return nil, []error{fmt.Errorf("%q must not be longer than %d characters, got %d", k, maxLength, len(v))} | ||
| } | ||
|
|
||
| if strings.TrimSpace(v) == "" { | ||
| return nil, []error{fmt.Errorf("%q must not be empty", k)} | ||
| } | ||
|
|
||
| return | ||
| } | ||
| } |
There was a problem hiding this comment.
We have validation.StringLenBetween that should work instead?
There was a problem hiding this comment.
stringLenBetween is a private function which is why I wrote the wrapper. I didn't want to make it public out of fear of breaking other code.
There was a problem hiding this comment.
It is? looking at the code:
ValidateFunc: validation.StringLenBetween(1, 1024),
| Type: schema.TypeString, | ||
| Required: true, | ||
| ForceNew: true, | ||
| ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
COuld we do proper validation here?
| "subnet_id": { | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Could we validate this is a proper ID?
| "private_link_service_id": { | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Could we validate this is a proper ID
azurerm/resource_arm_subnet.go
Outdated
| @@ -195,6 +201,22 @@ func resourceArmSubnetCreateUpdate(d *schema.ResourceData, meta interface{}) err | |||
| properties.RouteTable = nil | |||
| } | |||
|
|
|||
| if v, ok := d.GetOk("disable_private_endpoint_network_policies"); ok { | |||
|
|
||
| The following arguments are supported: | ||
|
|
||
| * `name` - (Required) Specifies the Name of the `Private Link Endpoint`. |
There was a problem hiding this comment.
We don't usually block quote the resource
| * `name` - (Required) Specifies the Name of the `Private Link Endpoint`. | |
| * `name` - (Required) Specifies the Name of the Private Link Endpoint. |
There was a problem hiding this comment.
same comment + can we use data source wording here?
|
|
||
| * `name` - (Required) Specifies the Name of the `Private Link Endpoint`. | ||
|
|
||
| * `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists. |
There was a problem hiding this comment.
| * `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists. | |
| * `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the Private Link Endpoint exists. |
|
|
||
| * `name` - (Required) Specifies the Name of the `Private Link Endpoint`. Changing this forces a new resource to be created. | ||
|
|
||
| * `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists. |
|
Is this ready for re-review? it doesn't look like all comments have been addressed? |
| ValidateFunc: validate.NoEmptyStrings, | ||
| }, | ||
| "group_ids": { | ||
| Type: schema.TypeList, |
There was a problem hiding this comment.
This should be a type set?
| "network_interface_ids": { | ||
| Type: schema.TypeSet, | ||
| Computed: true, | ||
| Elem: &schema.Schema{Type: schema.TypeString}, |
There was a problem hiding this comment.
could we validate this is a resource ID?
| if err := d.Set("private_service_connection", flattenArmPrivateLinkEndpointServiceConnection(props.PrivateLinkServiceConnections, props.ManualPrivateLinkServiceConnections)); err != nil { | ||
| return fmt.Errorf("Error setting `private_service_connection`: %+v", err) | ||
| } | ||
| if props.NetworkInterfaces != nil { |
There was a problem hiding this comment.
This check should be in the flatten function
website/docs/r/subnet.html.markdown
Outdated
| @@ -76,6 +76,10 @@ The following arguments are supported: | |||
|
|
|||
| * `delegation` - (Optional) One or more `delegation` blocks as defined below. | |||
|
|
|||
| * `disable_private_link_endpoint_network_policy_enforcement` - (Optional) Enable or Disable network policies on private end point in the subnet. Default valule is `false`. | |||
There was a problem hiding this comment.
Yep, updated the values.
|
Whoops guess the system automagically added me to the reviewers list, please don't think I consider myself deserving of that title just because I made a comment.... |
There was a problem hiding this comment.
thanks for the revisions @WodansSon, i've left some more comments inline
| "private_service_connection": { | ||
| Type: schema.TypeList, | ||
| Computed: true, | ||
| MaxItems: 1, |
There was a problem hiding this comment.
We don't need this on a datasource
| "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" | ||
| ) | ||
|
|
||
| func dataSourceArmPrivateLinkEndpointConnections() *schema.Resource { |
There was a problem hiding this comment.
As there can be only one i don't think this should be plural
There was a problem hiding this comment.
And would it make sense to call it: dataSourceArmPrivateLinkEndpointConnectionsStatus?
| } | ||
|
|
There was a problem hiding this comment.
COuld we not remove all this whitespace
azurerm/data_source_subnet.go
Outdated
| if props.NetworkSecurityGroup != nil { | ||
| d.Set("network_security_group_id", props.NetworkSecurityGroup.ID) | ||
| } else { | ||
| d.Set("network_security_group_id", "") | ||
| } | ||
|
|
There was a problem hiding this comment.
COuld we not remove all this whitespace
azurerm/data_source_subnet.go
Outdated
| if props.RouteTable != nil { | ||
| d.Set("route_table_id", props.RouteTable.ID) | ||
| } else { | ||
| d.Set("route_table_id", "") | ||
| } | ||
|
|
There was a problem hiding this comment.
COuld we not remove all this whitespace
| Optional: true, | ||
| Elem: &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| }, |
| data "azurerm_subscription" "current" {} | ||
|
|
||
| resource "azurerm_resource_group" "test" { | ||
| name = "acctestRG-privateendpoint-%d" |
There was a problem hiding this comment.
Could we just use private link here as it's the service name
| name = "acctestRG-privateendpoint-%d" | |
| name = "acctestRG-privatelink-%d" |
| @@ -140,6 +140,12 @@ func resourceArmSubnet() *schema.Resource { | |||
| }, | |||
| }, | |||
|
|
|||
| "enforce_private_link_endpoint_network_policies": { | |||
There was a problem hiding this comment.
Should this conflict with the service policies?
There was a problem hiding this comment.
Yes, you are correct... I will add the conflicts with to the policies.
|
|
||
| ## Attributes Reference | ||
|
|
||
| The following attributes are exported: |
There was a problem hiding this comment.
I think the docs are missing the private_service_connection block here
There was a problem hiding this comment.
Removed the data source as it didn't make much sense.
website/docs/d/subnet.html.markdown
Outdated
| @@ -40,3 +40,4 @@ output "subnet_id" { | |||
| * `route_table_id` - The ID of the Route Table associated with this subnet. | |||
| * `ip_configurations` - The collection of IP Configurations with IPs within this subnet. | |||
| * `service_endpoints` - A list of Service Endpoints within this subnet. | |||
| * `disable_private_link_endpoint_network_policy_enforcement` - Enable or Disable network policies for a Private Link Endpoint in the subnet. | |||
There was a problem hiding this comment.
I think this description needs to be updated?
WodansSon
changed the title
azurerm_private_link_endpoint Data Source: azurerm_private_link_endpoint_connection_status and expose attibute in azurerm_subnetazurerm_private_link_endpoint New Data Source: azurerm_private_link_endpoint_connection and expose attibute in azurerm_subnet
…form-provider-azurerm into nr_private-end-point
|
This has been released in version 1.38.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 1.38.0"
}
# ... other configuration ... |
|
Thanks! There are some issue's though:
|
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
(fixes #4701 )