Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Resource: azurerm_private_link_endpoint New Data Source: azurerm_private_link_endpoint_connection and expose attibute in azurerm_subnet #4493

Merged
merged 45 commits into from
Dec 3, 2019

Conversation

WodansSon
Copy link
Collaborator

@WodansSon WodansSon commented Oct 3, 2019

(fixes #4701 )

@WodansSon WodansSon requested a review from katbyte October 3, 2019 04:05
Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @WodansSon,

Thanks for the PR, looking pretty good here 🙂 Left some comments inline that need to be addressed before merge.

if location := resp.Location; location != nil {
d.Set("location", azure.NormalizeLocation(*location))
}
if privateEndpointProperties := resp.PrivateEndpointProperties; privateEndpointProperties != nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i personally would use props here as it makes the code easier to review

Suggested change
if privateEndpointProperties := resp.PrivateEndpointProperties; privateEndpointProperties != nil {
if props := resp.PrivateEndpointProperties; props != nil {

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@@ -71,6 +71,10 @@ The following arguments are supported:

* `delegation` - (Optional) One or more `delegation` blocks as defined below.

* `disable_private_endpoint_network_policies` - (Optional) Enable or Disable network policies on private end point in the subnet. Default valule is `false`.

-> **NOTE:** Network policies like network security groups (NSG) are not supported for private endpoints. In order to deploy a Private Endpoint on a given subnet, an explicit disable setting is required on that subnet. This setting is only applicable for the Private Endpoint. For other resources in the subnet, access is controlled based on Network Security Groups (NSG) security rules definition.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have read this three times and i'm not entirely sure what this does 🤔, could we reword this to be easier to understand?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. I re-wrote this let me know if this makes more sense.


* `group_ids` - (Optional) The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to.

* `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars.
* `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to `140` chars.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.


* `name` - The name of the resource that is unique within a resource group. This name can be used to access the resource.

* `status` - Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we list the states quoted like we do in the resource?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep... I had already fixed that but didn't push the commit yet.


The `network_interface` block contains the following:

* `id` - Resource ID.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COuld we expand on this description as in the resource?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep... Fixed.

Type: schema.TypeString,
Optional: true,
Default: "Please approve my connection",
},
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SHould we ensure no empty strings here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I can add that to my validation function I just wrote to check max length.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we validate this is a actual azure resource id?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.

"private_link_service_id": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we validate this is a actual azure resource id?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.

Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validate.NoEmptyStrings,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker but ideally i'd like a regex to validate the name against here (and the other name bits of this schema)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.

Computed: true,
},

"tags": tagsForDataSourceSchema(),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we use the new tags.SchemaForDataSource function?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@katbyte
Copy link
Collaborator

katbyte commented Oct 7, 2019

Also would it make more sense to call this resource azurerm_private_link_endpoint or azurerm_private_link_service_endpoint 🤔

@WodansSon WodansSon changed the title [WIP]Data Source/New Resource: azurerm_private_endpoint and expose attibute in azurerm_subnet Data Source/New Resource: azurerm_private_link_endpoint and expose attibute in azurerm_subnet Oct 9, 2019
Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the revisions @WodansSon, left some comments inline that need to be addressed before merge.

"name": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we do a regex validation here?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As before, could we do some better validation here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed... I was hoping that the private link service was going to be merged before this one so I can re-use the validation in that PR. However, I have added the validation in this one as well.

Comment on lines 23 to 44
func PrivateLinkEnpointRequestMessage(i interface{}, k string) (_ []string, errors []error) {
return stringMaxLength(140)(i, k)
}

func stringMaxLength(maxLength int) func(i interface{}, k string) (_ []string, errors []error) {
return func(i interface{}, k string) (_ []string, errors []error) {
v, ok := i.(string)
if !ok {
return nil, []error{fmt.Errorf("expected type of %q to be string", k)}
}

if len(v) > maxLength {
return nil, []error{fmt.Errorf("%q must not be longer than %d characters, got %d", k, maxLength, len(v))}
}

if strings.TrimSpace(v) == "" {
return nil, []error{fmt.Errorf("%q must not be empty", k)}
}

return
}
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have validation.StringLenBetween that should work instead?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stringLenBetween is a private function which is why I wrote the wrapper. I didn't want to make it public out of fear of breaking other code.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is? looking at the code:
ValidateFunc: validation.StringLenBetween(1, 1024),

Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: validate.NoEmptyStrings,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COuld we do proper validation here?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this again

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

"subnet_id": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we validate this is a proper ID?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address this?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

"private_link_service_id": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validate.NoEmptyStrings,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we validate this is a proper ID

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address this?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@@ -195,6 +201,22 @@ func resourceArmSubnetCreateUpdate(d *schema.ResourceData, meta interface{}) err
properties.RouteTable = nil
}

if v, ok := d.GetOk("disable_private_endpoint_network_policies"); ok {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment

examples/private_endpoint/variables.tf Show resolved Hide resolved

The following arguments are supported:

* `name` - (Required) Specifies the Name of the `Private Link Endpoint`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't usually block quote the resource

Suggested change
* `name` - (Required) Specifies the Name of the `Private Link Endpoint`.
* `name` - (Required) Specifies the Name of the Private Link Endpoint.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment + can we use data source wording here?


* `name` - (Required) Specifies the Name of the `Private Link Endpoint`.

* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists.
* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the Private Link Endpoint exists.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment


* `name` - (Required) Specifies the Name of the `Private Link Endpoint`. Changing this forces a new resource to be created.

* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this force new?

@katbyte
Copy link
Collaborator

katbyte commented Oct 15, 2019

Is this ready for re-review? it doesn't look like all comments have been addressed?

Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the revisions, i've left some more comments inline

ValidateFunc: validate.NoEmptyStrings,
},
"group_ids": {
Type: schema.TypeList,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be a type set?

"network_interface_ids": {
Type: schema.TypeSet,
Computed: true,
Elem: &schema.Schema{Type: schema.TypeString},
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we validate this is a resource ID?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

if err := d.Set("private_service_connection", flattenArmPrivateLinkEndpointServiceConnection(props.PrivateLinkServiceConnections, props.ManualPrivateLinkServiceConnections)); err != nil {
return fmt.Errorf("Error setting `private_service_connection`: %+v", err)
}
if props.NetworkInterfaces != nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check should be in the flatten function

@@ -76,6 +76,10 @@ The following arguments are supported:

* `delegation` - (Optional) One or more `delegation` blocks as defined below.

* `disable_private_link_endpoint_network_policy_enforcement` - (Optional) Enable or Disable network policies on private end point in the subnet. Default valule is `false`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we renamed this?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, updated the values.

@bentterp
Copy link
Contributor

Whoops guess the system automagically added me to the reviewers list, please don't think I consider myself deserving of that title just because I made a comment....

Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the revisions @WodansSon, i've left some more comments inline

"private_service_connection": {
Type: schema.TypeList,
Computed: true,
MaxItems: 1,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need this on a datasource

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
)

func dataSourceArmPrivateLinkEndpointConnections() *schema.Resource {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As there can be only one i don't think this should be plural

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And would it make sense to call it: dataSourceArmPrivateLinkEndpointConnectionsStatus?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COuld we not remove all this whitespace

if props.NetworkSecurityGroup != nil {
d.Set("network_security_group_id", props.NetworkSecurityGroup.ID)
} else {
d.Set("network_security_group_id", "")
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COuld we not remove all this whitespace

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

if props.RouteTable != nil {
d.Set("route_table_id", props.RouteTable.ID)
} else {
d.Set("route_table_id", "")
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COuld we not remove all this whitespace

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same thing?

data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "test" {
name = "acctestRG-privateendpoint-%d"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we just use private link here as it's the service name

Suggested change
name = "acctestRG-privateendpoint-%d"
name = "acctestRG-privatelink-%d"

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@@ -140,6 +140,12 @@ func resourceArmSubnet() *schema.Resource {
},
},

"enforce_private_link_endpoint_network_policies": {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this conflict with the service policies?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are correct... I will add the conflicts with to the policies.


## Attributes Reference

The following attributes are exported:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the docs are missing the private_service_connection block here

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the data source as it didn't make much sense.

@@ -40,3 +40,4 @@ output "subnet_id" {
* `route_table_id` - The ID of the Route Table associated with this subnet.
* `ip_configurations` - The collection of IP Configurations with IPs within this subnet.
* `service_endpoints` - A list of Service Endpoints within this subnet.
* `disable_private_link_endpoint_network_policy_enforcement` - Enable or Disable network policies for a Private Link Endpoint in the subnet.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this description needs to be updated?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@WodansSon WodansSon changed the title Data Source/New Resource: azurerm_private_link_endpoint Data Source: azurerm_private_link_endpoint_connection_status and expose attibute in azurerm_subnet New Resource: azurerm_private_link_endpoint New Data Source: azurerm_private_link_endpoint_connection and expose attibute in azurerm_subnet Nov 27, 2019
Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the revisions @WodansSon, LGTM now 👍

@katbyte katbyte merged commit 99ed814 into master Dec 3, 2019
@katbyte katbyte deleted the nr_private-end-point branch December 3, 2019 09:30
katbyte added a commit that referenced this pull request Dec 3, 2019
@ghost
Copy link

ghost commented Dec 7, 2019

This has been released in version 1.38.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.38.0"
}
# ... other configuration ...

@geekzter
Copy link

geekzter commented Dec 7, 2019

Thanks!

There are some issue's though:

  • Documentation is referring to non existing attribute disable_private_link_service_network_policy_enforcement, instead of enforce_private_link_service_network_policies.
  • Documentation sample does not include required block private_service_connection
  • The resource has no output attribute for private_ip_address, hence there is no way to wire this up with a private dns record

@ghost
Copy link

ghost commented Jan 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Jan 2, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Azure private-link resource creation via terraform?
5 participants