-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Resource: azurerm_private_link_endpoint
New Data Source: azurerm_private_link_endpoint_connection
and expose attibute in azurerm_subnet
#4493
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @WodansSon,
Thanks for the PR, looking pretty good here 🙂 Left some comments inline that need to be addressed before merge.
if location := resp.Location; location != nil { | ||
d.Set("location", azure.NormalizeLocation(*location)) | ||
} | ||
if privateEndpointProperties := resp.PrivateEndpointProperties; privateEndpointProperties != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i personally would use props here as it makes the code easier to review
if privateEndpointProperties := resp.PrivateEndpointProperties; privateEndpointProperties != nil { | |
if props := resp.PrivateEndpointProperties; props != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
website/docs/r/subnet.html.markdown
Outdated
@@ -71,6 +71,10 @@ The following arguments are supported: | |||
|
|||
* `delegation` - (Optional) One or more `delegation` blocks as defined below. | |||
|
|||
* `disable_private_endpoint_network_policies` - (Optional) Enable or Disable network policies on private end point in the subnet. Default valule is `false`. | |||
|
|||
-> **NOTE:** Network policies like network security groups (NSG) are not supported for private endpoints. In order to deploy a Private Endpoint on a given subnet, an explicit disable setting is required on that subnet. This setting is only applicable for the Private Endpoint. For other resources in the subnet, access is controlled based on Network Security Groups (NSG) security rules definition. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have read this three times and i'm not entirely sure what this does 🤔, could we reword this to be easier to understand?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. I re-wrote this let me know if this makes more sense.
|
||
* `group_ids` - (Optional) The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. | ||
|
||
* `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. | |
* `request_message` - (Optional) A message passed to the owner of the remote resource with this connection request. Restricted to `140` chars. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
|
||
* `name` - The name of the resource that is unique within a resource group. This name can be used to access the resource. | ||
|
||
* `status` - Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we list the states quoted like we do in the resource?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep... I had already fixed that but didn't push the commit yet.
|
||
The `network_interface` block contains the following: | ||
|
||
* `id` - Resource ID. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
COuld we expand on this description as in the resource?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep... Fixed.
Type: schema.TypeString, | ||
Optional: true, | ||
Default: "Please approve my connection", | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SHould we ensure no empty strings here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I can add that to my validation function I just wrote to check max length.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Optional: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we validate this is a actual azure resource id?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.
"private_link_service_id": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we validate this is a actual azure resource id?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a blocker but ideally i'd like a regex to validate the name against here (and the other name bits of this schema)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep... I have that code in the other PR once that is merged I can reference the helper functions for validation here.
Computed: true, | ||
}, | ||
|
||
"tags": tagsForDataSourceSchema(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we use the new tags.SchemaForDataSource
function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Also would it make more sense to call this resource |
azurerm_private_endpoint
and expose attibute in azurerm_subnet
azurerm_private_link_endpoint
and expose attibute in azurerm_subnet
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the revisions @WodansSon, left some comments inline that need to be addressed before merge.
"name": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we do a regex validation here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As before, could we do some better validation here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed... I was hoping that the private link service was going to be merged before this one so I can re-use the validation in that PR. However, I have added the validation in this one as well.
azurerm/helpers/validate/strings.go
Outdated
func PrivateLinkEnpointRequestMessage(i interface{}, k string) (_ []string, errors []error) { | ||
return stringMaxLength(140)(i, k) | ||
} | ||
|
||
func stringMaxLength(maxLength int) func(i interface{}, k string) (_ []string, errors []error) { | ||
return func(i interface{}, k string) (_ []string, errors []error) { | ||
v, ok := i.(string) | ||
if !ok { | ||
return nil, []error{fmt.Errorf("expected type of %q to be string", k)} | ||
} | ||
|
||
if len(v) > maxLength { | ||
return nil, []error{fmt.Errorf("%q must not be longer than %d characters, got %d", k, maxLength, len(v))} | ||
} | ||
|
||
if strings.TrimSpace(v) == "" { | ||
return nil, []error{fmt.Errorf("%q must not be empty", k)} | ||
} | ||
|
||
return | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have validation.StringLenBetween
that should work instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
stringLenBetween
is a private function which is why I wrote the wrapper. I didn't want to make it public out of fear of breaking other code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is? looking at the code:
ValidateFunc: validation.StringLenBetween(1, 1024),
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
COuld we do proper validation here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this again
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
"subnet_id": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we validate this is a proper ID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please address this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
"private_link_service_id": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ValidateFunc: validate.NoEmptyStrings, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we validate this is a proper ID
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please address this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
azurerm/resource_arm_subnet.go
Outdated
@@ -195,6 +201,22 @@ func resourceArmSubnetCreateUpdate(d *schema.ResourceData, meta interface{}) err | |||
properties.RouteTable = nil | |||
} | |||
|
|||
if v, ok := d.GetOk("disable_private_endpoint_network_policies"); ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment
|
||
The following arguments are supported: | ||
|
||
* `name` - (Required) Specifies the Name of the `Private Link Endpoint`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't usually block quote the resource
* `name` - (Required) Specifies the Name of the `Private Link Endpoint`. | |
* `name` - (Required) Specifies the Name of the Private Link Endpoint. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment + can we use data source wording here?
|
||
* `name` - (Required) Specifies the Name of the `Private Link Endpoint`. | ||
|
||
* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists. | |
* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the Private Link Endpoint exists. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment
|
||
* `name` - (Required) Specifies the Name of the `Private Link Endpoint`. Changing this forces a new resource to be created. | ||
|
||
* `resource_group_name` - (Required) Specifies the Name of the Resource Group within which the `Private Link Endpoint` exists. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this force new?
Is this ready for re-review? it doesn't look like all comments have been addressed? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the revisions, i've left some more comments inline
ValidateFunc: validate.NoEmptyStrings, | ||
}, | ||
"group_ids": { | ||
Type: schema.TypeList, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be a type set?
"network_interface_ids": { | ||
Type: schema.TypeSet, | ||
Computed: true, | ||
Elem: &schema.Schema{Type: schema.TypeString}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we validate this is a resource ID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
if err := d.Set("private_service_connection", flattenArmPrivateLinkEndpointServiceConnection(props.PrivateLinkServiceConnections, props.ManualPrivateLinkServiceConnections)); err != nil { | ||
return fmt.Errorf("Error setting `private_service_connection`: %+v", err) | ||
} | ||
if props.NetworkInterfaces != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check should be in the flatten function
website/docs/r/subnet.html.markdown
Outdated
@@ -76,6 +76,10 @@ The following arguments are supported: | |||
|
|||
* `delegation` - (Optional) One or more `delegation` blocks as defined below. | |||
|
|||
* `disable_private_link_endpoint_network_policy_enforcement` - (Optional) Enable or Disable network policies on private end point in the subnet. Default valule is `false`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we renamed this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, updated the values.
Whoops guess the system automagically added me to the reviewers list, please don't think I consider myself deserving of that title just because I made a comment.... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the revisions @WodansSon, i've left some more comments inline
"private_service_connection": { | ||
Type: schema.TypeList, | ||
Computed: true, | ||
MaxItems: 1, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't need this on a datasource
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" | ||
) | ||
|
||
func dataSourceArmPrivateLinkEndpointConnections() *schema.Resource { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As there can be only one i don't think this should be plural
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And would it make sense to call it: dataSourceArmPrivateLinkEndpointConnectionsStatus
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
COuld we not remove all this whitespace
azurerm/data_source_subnet.go
Outdated
if props.NetworkSecurityGroup != nil { | ||
d.Set("network_security_group_id", props.NetworkSecurityGroup.ID) | ||
} else { | ||
d.Set("network_security_group_id", "") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
COuld we not remove all this whitespace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
azurerm/data_source_subnet.go
Outdated
if props.RouteTable != nil { | ||
d.Set("route_table_id", props.RouteTable.ID) | ||
} else { | ||
d.Set("route_table_id", "") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
COuld we not remove all this whitespace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed.
Optional: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same thing?
data "azurerm_subscription" "current" {} | ||
|
||
resource "azurerm_resource_group" "test" { | ||
name = "acctestRG-privateendpoint-%d" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we just use private link here as it's the service name
name = "acctestRG-privateendpoint-%d" | |
name = "acctestRG-privatelink-%d" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
@@ -140,6 +140,12 @@ func resourceArmSubnet() *schema.Resource { | |||
}, | |||
}, | |||
|
|||
"enforce_private_link_endpoint_network_policies": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this conflict with the service policies?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are correct... I will add the conflicts with to the policies.
|
||
## Attributes Reference | ||
|
||
The following attributes are exported: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the docs are missing the private_service_connection
block here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the data source as it didn't make much sense.
website/docs/d/subnet.html.markdown
Outdated
@@ -40,3 +40,4 @@ output "subnet_id" { | |||
* `route_table_id` - The ID of the Route Table associated with this subnet. | |||
* `ip_configurations` - The collection of IP Configurations with IPs within this subnet. | |||
* `service_endpoints` - A list of Service Endpoints within this subnet. | |||
* `disable_private_link_endpoint_network_policy_enforcement` - Enable or Disable network policies for a Private Link Endpoint in the subnet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this description needs to be updated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
azurerm_private_link_endpoint
Data Source: azurerm_private_link_endpoint_connection_status
and expose attibute in azurerm_subnet
azurerm_private_link_endpoint
New Data Source: azurerm_private_link_endpoint_connection
and expose attibute in azurerm_subnet
…form-provider-azurerm into nr_private-end-point
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the revisions @WodansSon, LGTM now 👍
This has been released in version 1.38.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 1.38.0"
}
# ... other configuration ... |
Thanks! There are some issue's though:
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
(fixes #4701 )