refactor: don't configure network rules if default action is "Allow" (#…

…233) Release-As: 12.7.3
equinor · Sep 10, 2024 · 50739e9 · 50739e9
1 parent ec4e5d9
commit 50739e9
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 12 deletions.
diff --git a/main.tf b/main.tf
@@ -118,18 +118,22 @@ resource "azurerm_storage_account" "this" {
     }
   }
 
-  network_rules {
-    default_action             = var.network_rules_default_action
-    bypass                     = !var.network_rules_bypass_azure_services ? [] : ["AzureServices"]
-    ip_rules                   = var.network_rules_ip_rules
-    virtual_network_subnet_ids = var.network_rules_virtual_network_subnet_ids
-
-    dynamic "private_link_access" {
-      for_each = var.private_link_accesses
-
-      content {
-        endpoint_resource_id = private_link_access.value.endpoint_resource_id
-        endpoint_tenant_id   = private_link_access.value.endpoint_tenant_id
+  dynamic "network_rules" {
+    for_each = var.network_rules_default_action == "Allow" ? [] : [0]
+
+    content {
+      default_action             = var.network_rules_default_action
+      bypass                     = !var.network_rules_bypass_azure_services ? [] : ["AzureServices"]
+      ip_rules                   = var.network_rules_ip_rules
+      virtual_network_subnet_ids = var.network_rules_virtual_network_subnet_ids
+
+      dynamic "private_link_access" {
+        for_each = var.private_link_accesses
+
+        content {
+          endpoint_resource_id = private_link_access.value.endpoint_resource_id
+          endpoint_tenant_id   = private_link_access.value.endpoint_tenant_id
+        }
       }
     }
   }

diff --git a/tests/unit.tftest.hcl b/tests/unit.tftest.hcl
@@ -211,3 +211,44 @@ run "premium_block_blob_storage" {
     error_message = "Hierarchical namespace (HNS) enabled"
   }
 }
+
+run "network_rules_enabled" {
+  command = plan
+
+  variables {
+    account_name               = run.setup_tests.account_name
+    resource_group_name        = run.setup_tests.resource_group_name
+    location                   = run.setup_tests.location
+    log_analytics_workspace_id = run.setup_tests.log_analytics_workspace_id
+
+    network_rules_default_action = "Deny"
+  }
+
+  assert {
+    condition     = length(azurerm_storage_account.this.network_rules) == 1
+    error_message = "Network rules block not created when it should have been"
+  }
+
+  assert {
+    condition     = try(azurerm_storage_account.this.network_rules[0].default_action, null) == "Deny"
+    error_message = "Invalid network rules default action"
+  }
+}
+
+run "network_rules_disabled" {
+  command = plan
+
+  variables {
+    account_name               = run.setup_tests.account_name
+    resource_group_name        = run.setup_tests.resource_group_name
+    location                   = run.setup_tests.location
+    log_analytics_workspace_id = run.setup_tests.log_analytics_workspace_id
+
+    network_rules_default_action = "Allow"
+  }
+
+  assert {
+    condition     = length(azurerm_storage_account.this.network_rules) == 0
+    error_message = "Network rules block created when it should not have been"
+  }
+}