From 38bd28f1674b517db79648ebcb3fc28a215fd438 Mon Sep 17 00:00:00 2001
From: Dustin Scott
Date: Thu, 23 May 2024 07:18:49 -0500
Subject: [PATCH] feat: add support for pre-configured NSG for ARO

Fixes #25059

Signed-off-by: Dustin Scott
---
 .../redhat_openshift_cluster_resource.go | 37 ++++--
 .../redhat_openshift_cluster_resource_test.go | 112 ++++++++++++++++++
 .../r/redhat_openshift_cluster.html.markdown | 2 +
 3 files changed, 142 insertions(+), 9 deletions(-)

diff --git a/internal/services/redhatopenshift/redhat_openshift_cluster_resource.go b/internal/services/redhatopenshift/redhat_openshift_cluster_resource.go
index 1aae6bc0bcba..d1134c10c485 100644
--- a/internal/services/redhatopenshift/redhat_openshift_cluster_resource.go
+++ b/internal/services/redhatopenshift/redhat_openshift_cluster_resource.go
@@ -57,9 +57,10 @@ type ClusterProfile struct {
 }
 
 type NetworkProfile struct {
- OutboundType string `tfschema:"outbound_type"`
- PodCidr string `tfschema:"pod_cidr"`
- ServiceCidr string `tfschema:"service_cidr"`
+ OutboundType string `tfschema:"outbound_type"`
+ PodCidr string `tfschema:"pod_cidr"`
+ ServiceCidr string `tfschema:"service_cidr"`
+ PreconfiguredNSGEnabled bool `tfschema:"preconfigured_nsg_enabled"`
 }
 
 type MainProfile struct {
@@ -193,6 +194,12 @@ func (r RedHatOpenShiftCluster) Arguments() map[string]*pluginsdk.Schema {
 false,
 ),
 },
+ "preconfigured_nsg_enabled": {
+ Type: pluginsdk.TypeBool,
+ Optional: true,
+ ForceNew: true,
+ Default: false,
+ },
 },
 },
 },
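Review bot: The new `"preconfigured_nsg_enabled"` entry in the `network_profile` schema carries no comment on what the caller takes on by setting it, and the provider adds no check that the `main_profile`/`worker_profile` subnets actually have an NSG attached before the flag is sent to the service. Because the attribute is `ForceNew` with `Default: false`, turning it on for an existing cluster replaces the cluster, which is worth stating beside the attribute rather than only in the markdown. I would add above the entry: `// Opt-in to a customer-managed NSG on the master/worker subnets: the NSG must already be associated with those subnets and must admit the traffic the cluster needs; presumably the ARO service validates this at create time, the provider does not. Flipping this on an existing cluster forces replacement.` The `Arguments()` map this sits in starts and ends outside the hunk.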
@@ -606,10 +613,16 @@ func expandOpenshiftNetworkProfile(input []NetworkProfile) *openshiftclusters.Ne
 return nil
 }
 
+ preconfiguredNSG := openshiftclusters.PreconfiguredNSGDisabled
+ if input[0].PreconfiguredNSGEnabled {
+ preconfiguredNSG = openshiftclusters.PreconfiguredNSGEnabled
+ }
+
 return &openshiftclusters.NetworkProfile{
- OutboundType: pointer.To(openshiftclusters.OutboundType(input[0].OutboundType)),
- PodCidr: pointer.To(input[0].PodCidr),
- ServiceCidr: pointer.To(input[0].ServiceCidr),
+ OutboundType: pointer.To(openshiftclusters.OutboundType(input[0].OutboundType)),
+ PodCidr: pointer.To(input[0].PodCidr),
+ ServiceCidr: pointer.To(input[0].ServiceCidr),
+ PreconfiguredNSG: pointer.To(preconfiguredNSG),
 }
 }
 
@@ -618,11 +631,17 @@ func flattenOpenShiftNetworkProfile(profile *openshiftclusters.NetworkProfile) [
 return []NetworkProfile{}
 }
 
+ preconfiguredNSGEnabled := false
+ if profile.PreconfiguredNSG != nil {
+ preconfiguredNSGEnabled = *profile.PreconfiguredNSG == openshiftclusters.PreconfiguredNSGEnabled
+ }
+
 return []NetworkProfile{
 {
- OutboundType: string(pointer.From(profile.OutboundType)),
- PodCidr: pointer.From(profile.PodCidr),
- ServiceCidr: pointer.From(profile.ServiceCidr),
+ OutboundType: string(pointer.From(profile.OutboundType)),
+ PodCidr: pointer.From(profile.PodCidr),
+ ServiceCidr: pointer.From(profile.ServiceCidr),
+ PreconfiguredNSGEnabled: preconfiguredNSGEnabled,
 },
 }
 }
diff --git a/internal/services/redhatopenshift/redhat_openshift_cluster_resource_test.go b/internal/services/redhatopenshift/redhat_openshift_cluster_resource_test.go
index 1012f084bbfe..e554dedbf936 100644
--- a/internal/services/redhatopenshift/redhat_openshift_cluster_resource_test.go
+++ b/internal/services/redhatopenshift/redhat_openshift_cluster_resource_test.go
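Review bot: In `flattenOpenShiftNetworkProfile` the three-line nil guard around `profile.PreconfiguredNSG` does by hand what the sibling fields already get from `pointer.From`: `preconfiguredNSGEnabled := pointer.From(profile.PreconfiguredNSG) == openshiftclusters.PreconfiguredNSGEnabled` yields `false` for a nil pointer just the same and keeps the field handling uniform with `PodCidr`/`ServiceCidr`. The comparison is also an exact match on the enum value; if the SDK's enum decoding does not normalise the casing the service returns, a response such as `enabled` would flatten to `false`, and because the attribute is `ForceNew` that shows up as a plan to replace the cluster rather than as a harmless diff, so the SDK's `UnmarshalJSON` for this type is worth a quick check. Both `expandOpenshiftNetworkProfile` and `flattenOpenShiftNetworkProfile` start outside the hunk.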
@@ -108,6 +108,21 @@ func TestAccOpenShiftCluster_encryptionAtHost(t *testing.T) {
 })
 }
 
+func TestAccOpenShiftCluster_preconfiguredNSG(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_redhat_openshift_cluster", "test")
+ r := OpenShiftClusterResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.preconfiguredNSG(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep("service_principal.0.client_secret"),
+ })
+}
+
 func TestAccOpenShiftCluster_pullSecret(t *testing.T) {
 // the pull secret can be generated from https://console.redhat.com/openshift/install/pull-secret
 pullSecret := os.Getenv("ARM_TEST_ARO_PULL_SECRET")
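Review bot: `TestAccOpenShiftCluster_preconfiguredNSG` asserts only `ExistsInAzure`, so the one property this test exists for — that the flag round-trips as `true` — is checked only implicitly, through the framework's post-apply plan and the `ImportStep` state comparison, and a failure there reads as a generic diff rather than naming the attribute. Add `check.That(data.ResourceName).Key("network_profile.0.preconfigured_nsg_enabled").HasValue("true"),` next to the existing check so the flattened value is pinned explicitly and the failure message points at the new code. The `false` default path is presumably covered by the existing basic config; worth confirming since `Default: false` is what every pre-existing cluster will be read back as.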
@@ -565,6 +580,103 @@ resource "azurerm_redhat_openshift_cluster" "test" { `, r.template(data), data.RandomInteger, data.RandomString) } +func (r OpenShiftClusterResource) preconfiguredNSG(data acceptance.TestData) string { + return fmt.Sprintf(` +%[1]s + +resource "azurerm_network_security_group" "test" { + name = "test-nsg" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name +} + +resource "azurerm_network_security_rule" "test_allow_all_inbound" { + name = "test_allow_all_inbound" + resource_group_name = azurerm_resource_group.test.name + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + network_security_group_name = azurerm_network_security_group.test.name +} + +resource "azurerm_network_security_rule" "test_allow_all_outbound" { + name = "test_allow_all_outbound" + resource_group_name = azurerm_resource_group.test.name + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + network_security_group_name = azurerm_network_security_group.test.name +} + +resource "azurerm_subnet_network_security_group_association" "test_main" { + subnet_id = azurerm_subnet.main_subnet.id + network_security_group_id = azurerm_network_security_group.test.id +} + +resource "azurerm_subnet_network_security_group_association" "test_worker" { + subnet_id = azurerm_subnet.worker_subnet.id + network_security_group_id = azurerm_network_security_group.test.id +} + +resource "azurerm_redhat_openshift_cluster" "test" { + name = "acctestaro%[2]d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + + cluster_profile { + domain = "aro-%[3]s.com" + version = "4.13.23" + } + + network_profile { + 
pod_cidr = "10.128.0.0/14" + service_cidr = "172.30.0.0/16" + preconfigured_nsg_enabled = true + } + + api_server_profile { + visibility = "Public" + } + + ingress_profile { + visibility = "Public" + } + + main_profile { + vm_size = "Standard_D8s_v3" + subnet_id = azurerm_subnet.main_subnet.id + } + + worker_profile { + vm_size = "Standard_D4s_v3" + disk_size_gb = 128 + node_count = 3 + subnet_id = azurerm_subnet.worker_subnet.id + } + + service_principal { + client_id = azuread_application.test.application_id + client_secret = azuread_service_principal_password.test.value + } + + depends_on = [ + "azurerm_role_assignment.role_network1", + "azurerm_role_assignment.role_network2", + ] +} + `, r.template(data), data.RandomInteger, data.RandomString) +} + func (r OpenShiftClusterResource) encryptionAtHost(data acceptance.TestData) string { return fmt.Sprintf(` %[1]s diff --git a/website/docs/r/redhat_openshift_cluster.html.markdown b/website/docs/r/redhat_openshift_cluster.html.markdown index 8c90130500a6..d1d216516708 100644 --- a/website/docs/r/redhat_openshift_cluster.html.markdown +++ b/website/docs/r/redhat_openshift_cluster.html.markdown @@ -217,6 +217,8 @@ A `network_profile` block supports the following: * `outbound_type` - (Optional) The outbound (egress) routing method. Possible values are `Loadbalancer` and `UserDefinedRouting`. Defaults to `Loadbalancer`. Changing this forces a new resource to be created. +* `preconfigured_nsg_enabled` - (Optional) Whether a preconfigured network security group is being used on the subnets. Defaults to `false`. Changing this forces a new resource to be created. + --- A `api_server_profile` block supports the following:
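Review bot: The cluster in `preconfiguredNSG` lists only the two role assignments in `depends_on`, not `azurerm_subnet_network_security_group_association.test_main`/`test_worker`, so with `preconfigured_nsg_enabled = true` Terraform may begin the cluster create before the NSG is attached to the subnets; if the ARO service checks for an attached NSG when the flag is set (it presumably does), the step passes or fails depending on ordering. Add `azurerm_subnet_network_security_group_association.test_main,` and `azurerm_subnet_network_security_group_association.test_worker,` to the `depends_on` list, and while there drop the quotes around the `azurerm_role_assignment.role_network1` entries, since the quoted form is the legacy reference syntax. The two rules allow `*` to `*` in both directions on subnets that also host a `Public` API server and ingress, which is fine as a fixture but reads as a template; a comment such as `# allow-all rules keep the fixture independent of the exact ports ARO needs; do not copy into real configurations` above the first rule would make that explicit. This hunk is complete within the view; the markdown hunk that follows it is documentation only.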