feat: add support for pre-configured NSG for ARO

Fixes hashicorp#25059

Signed-off-by: Dustin Scott <[email protected]>

internal/services/redhatopenshift/redhat_openshift_cluster_resource.go

@@ -57,9 +57,10 @@ type ClusterProfile struct {
 }
 
 type NetworkProfile struct {
-	OutboundType string `tfschema:"outbound_type"`
-	PodCidr      string `tfschema:"pod_cidr"`
-	ServiceCidr  string `tfschema:"service_cidr"`
+	OutboundType            string `tfschema:"outbound_type"`
+	PodCidr                 string `tfschema:"pod_cidr"`
+	ServiceCidr             string `tfschema:"service_cidr"`
+	PreconfiguredNSGEnabled bool   `tfschema:"preconfigured_nsg_enabled"`
 }
 
 type MainProfile struct {
@@ -193,6 +194,12 @@ func (r RedHatOpenShiftCluster) Arguments() map[string]*pluginsdk.Schema {
 							false,
 						),
 					},
+					"preconfigured_nsg_enabled": {
+						Type:     pluginsdk.TypeBool,
+						Optional: true,
+						ForceNew: true,
+						Default:  false,
+					},
 				},
 			},
 		},
@@ -606,10 +613,16 @@ func expandOpenshiftNetworkProfile(input []NetworkProfile) *openshiftclusters.Ne
 		return nil
 	}
 
+	preconfiguredNSG := openshiftclusters.PreconfiguredNSGDisabled
+	if input[0].PreconfiguredNSGEnabled {
+		preconfiguredNSG = openshiftclusters.PreconfiguredNSGEnabled
+	}
+
 	return &openshiftclusters.NetworkProfile{
-		OutboundType: pointer.To(openshiftclusters.OutboundType(input[0].OutboundType)),
-		PodCidr:      pointer.To(input[0].PodCidr),
-		ServiceCidr:  pointer.To(input[0].ServiceCidr),
+		OutboundType:     pointer.To(openshiftclusters.OutboundType(input[0].OutboundType)),
+		PodCidr:          pointer.To(input[0].PodCidr),
+		ServiceCidr:      pointer.To(input[0].ServiceCidr),
+		PreconfiguredNSG: pointer.To(preconfiguredNSG),
 	}
 }
 
@@ -618,11 +631,17 @@ func flattenOpenShiftNetworkProfile(profile *openshiftclusters.NetworkProfile) [
 		return []NetworkProfile{}
 	}
 
+	preconfiguredNSGEnabled := false
+	if profile.PreconfiguredNSG != nil {
+		preconfiguredNSGEnabled = *profile.PreconfiguredNSG == openshiftclusters.PreconfiguredNSGEnabled
+	}
+
 	return []NetworkProfile{
 		{
-			OutboundType: string(pointer.From(profile.OutboundType)),
-			PodCidr:      pointer.From(profile.PodCidr),
-			ServiceCidr:  pointer.From(profile.ServiceCidr),
+			OutboundType:            string(pointer.From(profile.OutboundType)),
+			PodCidr:                 pointer.From(profile.PodCidr),
+			ServiceCidr:             pointer.From(profile.ServiceCidr),
+			PreconfiguredNSGEnabled: preconfiguredNSGEnabled,
 		},
 	}
 }

internal/services/redhatopenshift/redhat_openshift_cluster_resource_test.go

@@ -108,6 +108,21 @@ func TestAccOpenShiftCluster_encryptionAtHost(t *testing.T) {
 	})
 }
 
+func TestAccOpenShiftCluster_preconfiguredNSG(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_redhat_openshift_cluster", "test")
+	r := OpenShiftClusterResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.preconfiguredNSG(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("service_principal.0.client_secret"),
+	})
+}
+
 func TestAccOpenShiftCluster_pullSecret(t *testing.T) {
 	// the pull secret can be generated from https://console.redhat.com/openshift/install/pull-secret
 	pullSecret := os.Getenv("ARM_TEST_ARO_PULL_SECRET")
@@ -565,6 +580,103 @@ resource "azurerm_redhat_openshift_cluster" "test" {
   `, r.template(data), data.RandomInteger, data.RandomString)
 }
 
+func (r OpenShiftClusterResource) preconfiguredNSG(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_network_security_group" "test" {
+  name                = "test-nsg"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_network_security_rule" "test_allow_all_inbound" {
+  name                        = "test_allow_all_inbound"
+  resource_group_name         = azurerm_resource_group.test.name
+  priority                    = 100
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "*"
+  source_port_range           = "*"
+  destination_port_range      = "*"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  network_security_group_name = azurerm_network_security_group.test.name
+}
+
+resource "azurerm_network_security_rule" "test_allow_all_outbound" {
+  name                        = "test_allow_all_outbound"
+  resource_group_name         = azurerm_resource_group.test.name
+  priority                    = 100
+  direction                   = "Outbound"
+  access                      = "Allow"
+  protocol                    = "*"
+  source_port_range           = "*"
+  destination_port_range      = "*"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  network_security_group_name = azurerm_network_security_group.test.name
+}
+
+resource "azurerm_subnet_network_security_group_association" "test_main" {
+  subnet_id                 = azurerm_subnet.main_subnet.id
+  network_security_group_id = azurerm_network_security_group.test.id
+}
+
+resource "azurerm_subnet_network_security_group_association" "test_worker" {
+  subnet_id                 = azurerm_subnet.worker_subnet.id
+  network_security_group_id = azurerm_network_security_group.test.id
+}
+
+resource "azurerm_redhat_openshift_cluster" "test" {
+  name                = "acctestaro%[2]d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+
+  cluster_profile {
+    domain       = "aro-%[3]s.com"
+    version      = "4.13.23"
+  }
+
+  network_profile {
+    pod_cidr                  = "10.128.0.0/14"
+    service_cidr              = "172.30.0.0/16"
+    preconfigured_nsg_enabled = true
+  }
+
+  api_server_profile {
+    visibility = "Public"
+  }
+
+  ingress_profile {
+    visibility = "Public"
+  }
+
+  main_profile {
+    vm_size   = "Standard_D8s_v3"
+    subnet_id = azurerm_subnet.main_subnet.id
+  }
+
+  worker_profile {
+    vm_size      = "Standard_D4s_v3"
+    disk_size_gb = 128
+    node_count   = 3
+    subnet_id    = azurerm_subnet.worker_subnet.id
+  }
+
+  service_principal {
+    client_id     = azuread_application.test.application_id
+    client_secret = azuread_service_principal_password.test.value
+  }
+
+  depends_on = [
+    "azurerm_role_assignment.role_network1",
+    "azurerm_role_assignment.role_network2",
+  ]
+}
+  `, r.template(data), data.RandomInteger, data.RandomString)
+}
+
 func (r OpenShiftClusterResource) encryptionAtHost(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %[1]s

website/docs/r/redhat_openshift_cluster.html.markdown

@@ -217,6 +217,8 @@ A `network_profile` block supports the following:
 
 * `outbound_type` - (Optional) The outbound (egress) routing method. Possible values are `Loadbalancer` and `UserDefinedRouting`. Defaults to `Loadbalancer`. Changing this forces a new resource to be created.
 
+* `preconfigured_nsg_enabled` - (Optional) Whether a preconfigured network security group is being used on the subnets.  Defaults to `false`.  Changing this forces a new resource to be created.
+
 ---
 
 A `api_server_profile` block supports the following: