From 50739e97e02965612e41cf8a321c553fcd0a95f9 Mon Sep 17 00:00:00 2001 From: Henrik Simonsen Knutsen <46495473+hknutsen@users.noreply.github.com> Date: Tue, 10 Sep 2024 14:55:19 +0200 Subject: [PATCH] refactor: don't configure network rules if default action is "Allow" (#233) Release-As: 12.7.3 --- main.tf | 28 ++++++++++++++++------------ tests/unit.tftest.hcl | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 12 deletions(-) diff --git a/main.tf b/main.tf index adeefdd..6309c72 100644 --- a/main.tf +++ b/main.tf @@ -118,18 +118,22 @@ resource "azurerm_storage_account" "this" { } } - network_rules { - default_action = var.network_rules_default_action - bypass = !var.network_rules_bypass_azure_services ? [] : ["AzureServices"] - ip_rules = var.network_rules_ip_rules - virtual_network_subnet_ids = var.network_rules_virtual_network_subnet_ids - - dynamic "private_link_access" { - for_each = var.private_link_accesses - - content { - endpoint_resource_id = private_link_access.value.endpoint_resource_id - endpoint_tenant_id = private_link_access.value.endpoint_tenant_id + dynamic "network_rules" { + for_each = var.network_rules_default_action == "Allow" ? [] : [0] + + content { + default_action = var.network_rules_default_action + bypass = !var.network_rules_bypass_azure_services ? [] : ["AzureServices"] + ip_rules = var.network_rules_ip_rules + virtual_network_subnet_ids = var.network_rules_virtual_network_subnet_ids + + dynamic "private_link_access" { + for_each = var.private_link_accesses + + content { + endpoint_resource_id = private_link_access.value.endpoint_resource_id + endpoint_tenant_id = private_link_access.value.endpoint_tenant_id + } } } } diff --git a/tests/unit.tftest.hcl b/tests/unit.tftest.hcl index 4027ae7..7d1540e 100644 --- a/tests/unit.tftest.hcl +++ b/tests/unit.tftest.hcl 
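Review bot: With the new `for_each = var.network_rules_default_action == "Allow" ? [] : [0]` guard, every other network-rule input — `network_rules_bypass_azure_services`, `network_rules_ip_rules`, `network_rules_virtual_network_subnet_ids` and `private_link_accesses` — is silently discarded whenever the default action is "Allow", and nothing tells the caller that the IP or subnet allow-list they supplied had no effect. Omitting the block also means the provider stops managing the account's rules at all (the block is optional+computed in azurerm, as far as I recall), so an account previously deployed with "Deny" keeps its existing rules after the caller switches to "Allow" and out-of-band changes no longer appear as drift; the commit title says "don't configure", so this may be intended, but it deserves a comment above the `dynamic "network_rules"` block, e.g. `# "Allow" omits the block entirely: rules already on the account are left as-is and the other network_rules_* inputs are ignored.`. To surface the mismatch at plan time, consider a lifecycle precondition on the resource that rejects "Allow" combined with non-empty rule inputs (below, assuming those variables default to empty collections rather than null and that no `lifecycle` block already exists outside this hunk); note it would fail plans that today succeed silently. The enclosing `resource "azurerm_storage_account" "this"` starts before and ends after this hunk.
```hcl
  # … unchanged: dynamic "network_rules" block …

  lifecycle {
    precondition {
      condition = var.network_rules_default_action != "Allow" || (
        length(var.network_rules_ip_rules) == 0 &&
        length(var.network_rules_virtual_network_subnet_ids) == 0 &&
        length(var.private_link_accesses) == 0
      )
      error_message = "network_rules_ip_rules, network_rules_virtual_network_subnet_ids and private_link_accesses have no effect when network_rules_default_action is \"Allow\"."
    }
  }
```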
@@ -211,3 +211,44 @@ run "premium_block_blob_storage" { error_message = "Hierarchical namespace (HNS) enabled" } } + +run "network_rules_enabled" { + command = plan + + variables { + account_name = run.setup_tests.account_name + resource_group_name = run.setup_tests.resource_group_name + location = run.setup_tests.location + log_analytics_workspace_id = run.setup_tests.log_analytics_workspace_id + + network_rules_default_action = "Deny" + } + + assert { + condition = length(azurerm_storage_account.this.network_rules) == 1 + error_message = "Network rules block not created when it should have been" + } + + assert { + condition = try(azurerm_storage_account.this.network_rules[0].default_action, null) == "Deny" + error_message = "Invalid network rules default action" + } +} + +run "network_rules_disabled" { + command = plan + + variables { + account_name = run.setup_tests.account_name + resource_group_name = run.setup_tests.resource_group_name + location = run.setup_tests.location + log_analytics_workspace_id = run.setup_tests.log_analytics_workspace_id + + network_rules_default_action = "Allow" + } + + assert { + condition = length(azurerm_storage_account.this.network_rules) == 0 + error_message = "Network rules block created when it should not have been" + } +}
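Review bot: Both new runs assert only the presence or absence of the block and `default_action`, so a regression in the moved `content` block (for example `ip_rules` no longer wired through) would still pass `network_rules_enabled`. Since that block was relocated in this commit, add a pass-through check to the "Deny" run: set `network_rules_ip_rules = ["203.0.113.0/24"]` in its variables and assert `condition = contains(try(azurerm_storage_account.this.network_rules[0].ip_rules, []), "203.0.113.0/24")`. The "Allow" run could likewise set a non-empty `network_rules_ip_rules` so the test documents that those inputs are intentionally dropped rather than relying on an all-defaults input.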