Merge pull request #3173 from Lucretius/iothub-ip-filter-rules

iothub IP filters

azurerm/resource_arm_iothub.go

@@ -323,6 +323,33 @@ func resourceArmIotHub() *schema.Resource {
 				},
 			},
 
+			"ip_filter_rule": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validate.NoEmptyStrings,
+						},
+						"ip_mask": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validate.CIDR,
+						},
+						"action": {
+							Type:     schema.TypeString,
+							Required: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								string(devices.Accept),
+								string(devices.Reject),
+							}, false),
+						},
+					},
+				},
+			},
+
 			"tags": tagsSchema(),
 		},
 	}
@@ -375,12 +402,14 @@ func resourceArmIotHubCreateUpdate(d *schema.ResourceData, meta interface{}) err
 	}
 
 	routes := expandIoTHubRoutes(d)
+	ipFilterRules := expandIPFilterRules(d)
 
 	properties := devices.IotHubDescription{
 		Name:     utils.String(name),
 		Location: utils.String(location),
 		Sku:      skuInfo,
 		Properties: &devices.IotHubProperties{
+			IPFilterRules: ipFilterRules,
 			Routing: &devices.RoutingProperties{
 				Endpoints:     endpoints,
 				Routes:        routes,
@@ -476,6 +505,12 @@ func resourceArmIotHubRead(d *schema.ResourceData, meta interface{}) error {
 		if err := d.Set("fallback_route", fallbackRoute); err != nil {
 			return fmt.Errorf("Error setting `fallbackRoute` in IoTHub %q: %+v", name, err)
 		}
+
+		ipFilterRules := flattenIPFilterRules(properties.IPFilterRules)
+		if err := d.Set("ip_filter_rule", ipFilterRules); err != nil {
+			return fmt.Errorf("Error setting `ip_filter_rule` in IoTHub %q: %+v", name, err)
+		}
+
 	}
 
 	d.Set("name", name)
@@ -907,3 +942,46 @@ func validateIoTHubFileNameFormat(v interface{}, k string) (warnings []string, e
 
 	return warnings, errors
 }
+func expandIPFilterRules(d *schema.ResourceData) *[]devices.IPFilterRule {
+	ipFilterRuleList := d.Get("ip_filter_rule").(*schema.Set).List()
+	if len(ipFilterRuleList) == 0 {
+		return nil
+	}
+
+	rules := make([]devices.IPFilterRule, 0)
+
+	for _, r := range ipFilterRuleList {
+		rawRule := r.(map[string]interface{})
+		rule := &devices.IPFilterRule{
+			FilterName: utils.String(rawRule["name"].(string)),
+			Action:     devices.IPFilterActionType(rawRule["action"].(string)),
+			IPMask:     utils.String(rawRule["ip_mask"].(string)),
+		}
+
+		rules = append(rules, *rule)
+	}
+	return &rules
+}
+
+func flattenIPFilterRules(in *[]devices.IPFilterRule) []interface{} {
+	rules := make([]interface{}, 0)
+	if in == nil {
+		return rules
+	}
+
+	for _, r := range *in {
+		rawRule := make(map[string]interface{})
+
+		if r.FilterName != nil {
+			rawRule["name"] = *r.FilterName
+		}
+
+		rawRule["action"] = string(r.Action)
+
+		if r.IPMask != nil {
+			rawRule["ip_mask"] = *r.IPMask
+		}
+		rules = append(rules, rawRule)
+	}
+	return rules
+}

azurerm/resource_arm_iothub_test.go

@@ -35,6 +35,30 @@ func TestAccAzureRMIotHub_basic(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMIotHub_ipFilterRules(t *testing.T) {
+	resourceName := "azurerm_iothub.test"
+	rInt := tf.AccRandTimeInt()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMIotHubDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMIotHub_ipFilterRules(rInt, testLocation()),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMIotHubExists(resourceName),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccAzureRMIotHub_requiresImport(t *testing.T) {
 	if !requireResourcesToBeImported {
 		t.Skip("Skipping since resources aren't required to be imported")
@@ -271,6 +295,37 @@ resource "azurerm_iothub" "test" {
 `, rInt, location, rInt)
 }
 
+func testAccAzureRMIotHub_ipFilterRules(rInt int, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_iothub" "test" {
+  name                = "acctestIoTHub-%d"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  location            = "${azurerm_resource_group.test.location}"
+
+  sku {
+    name     = "S1"
+    tier     = "Standard"
+    capacity = "1"
+	}
+	
+	ip_filter_rule {
+		name        = "test"
+		ip_mask     = "10.0.0.0/31"
+		action      = "Accept"
+	}
+
+  tags {
+    "purpose" = "testing"
+  }
+}
+`, rInt, location, rInt)
+}
+
 func testAccAzureRMIotHub_customRoutes(rInt int, rStr string, location string) string {
 	return fmt.Sprintf(`
 resource "azurerm_resource_group" "test" {

website/docs/r/iothub.html.markdown

@@ -87,6 +87,8 @@ The following arguments are supported:
 
 * `endpoint` - (Optional) An `endpoint` block as defined below.
 
+* `ip_filter_rule` - (Optional) One or more `ip_filter_rule` blocks as defined below.
+
 * `route` - (Optional) A `route` block as defined below.
 
 * `fallback_route` - (Optional) A `fallback_route` block as defined below. If the fallback route is enabled, messages that don't match any of the supplied routes are automatically sent to this route. Defaults to messages/events.
@@ -127,6 +129,16 @@ An `endpoint` block supports the following:
 
 ---
 
+An `ip_filter_rule` block supports the following:
+
+* `name` - (Required) The name of the filter.
+
+* `ip_mask` - (Required) The IP address range in CIDR notation for the rule.
+
+* `action` - (Required) The desired action for requests captured by this rule. Possible values are  `Accept`, `Reject`
+
+---
+
 A `route` block supports the following:
 
 * `name` - (Required) The name of the route.