enhancement: disk public access to false, as default (#4)

* disk public access to false, as default it now seems that disks are by default public network access enabled, this should be change to false and you should be able to set it to true --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
schubergphilis · Dec 19, 2024 · aa2524f · aa2524f
1 parent 68058d9
commit aa2524f
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 2 deletions.
diff --git a/README.md b/README.md
diff --git a/data.tf b/data.tf
@@ -0,0 +1,3 @@
+data "azurerm_resource_group" "this" {
+  name = var.resource_group_name
+}
diff --git a/main.linux.tf b/main.linux.tf
@@ -165,4 +165,27 @@ resource "azurerm_linux_virtual_machine" "this" {
   lifecycle {
     ignore_changes = [vm_agent_platform_updates_enabled]
   }
+}
+
+
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/15156
+# https://github.com/Azure/azure-rest-api-specs/issues/21325
+
+resource "azapi_update_resource" "linux_os_disk" {
+  count = (lower(var.os_type) == "linux") ? 1 : 0
+
+  type      = "Microsoft.Compute/disks@2023-01-02"
+  name      = azurerm_linux_virtual_machine.this[0].os_disk[0].name
+  parent_id = data.azurerm_resource_group.this.id
+
+  body = {
+    properties = {
+      networkAccessPolicy = var.os_disk_managed_disk.network_access_policy
+      publicNetworkAccess = var.os_disk_managed_disk.public_network_access_enabled
+    }
+  }
+
+  depends_on = [
+    azurerm_linux_virtual_machine.this
+  ]
 }
diff --git a/main.windows.tf b/main.windows.tf
@@ -181,3 +181,25 @@ resource "azurerm_windows_virtual_machine" "this" {
     ]
   }
 }
+
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/15156
+# https://github.com/Azure/azure-rest-api-specs/issues/21325
+
+resource "azapi_update_resource" "windows_os_disk" {
+  count = (lower(var.os_type) == "windows") ? 1 : 0
+
+  type      = "Microsoft.Compute/disks@2023-01-02"
+  name      = azurerm_windows_virtual_machine.this[0].os_disk[0].name
+  parent_id = data.azurerm_resource_group.this.id
+
+  body = {
+    properties = {
+      networkAccessPolicy = var.os_disk_managed_disk.network_access_policy
+      publicNetworkAccess = var.os_disk_managed_disk.public_network_access_enabled
+    }
+  }
+
+  depends_on = [
+    azurerm_windows_virtual_machine.this
+  ]
+}
diff --git a/terraform.tf b/terraform.tf
@@ -6,6 +6,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = ">= 4.5, < 5.0"
     }
+    azapi = {
+      source  = "Azure/azapi"
+      version = ">= 2.0, < 3.0"
+    }
     time = {
       source  = "hashicorp/time"
       version = ">= 0.12"

diff --git a/variables.tf b/variables.tf
@@ -118,6 +118,28 @@ variable "custom_data" {
   }
 }
 
+variable "os_disk_managed_disk" {
+  type = object({
+    network_access_policy         = optional(string, "DenyAll")
+    public_network_access_enabled = optional(string, "Disabled")
+  })
+  default     = {}
+  description = <<OS_DISK_MANAGED_DISK
+This variable is an object used to define the managed disk settings for the OS disk of the virtual machine.
+
+- `network_access_policy` (Optional) - Policy for accessing the disk via network. Allowed values are AllowAll, AllowPrivate, and DenyAll.
+- `public_network_access_enabled` (Optional) - Whether it is allowed to access the disk via public network. Defaults to Disabled.
+
+```hcl
+os_disk_managed_disk = {
+  network_access_policy = "AllowPrivate"
+  public_network_access_enabled = "Enabled"
+}
+```
+
+OS_DISK_MANAGED_DISK
+}
+
 variable "data_disk_managed_disks" {
   type = map(object({
     caching                                   = string
@@ -147,7 +169,7 @@ variable "data_disk_managed_disks" {
     optimized_frequent_attach_enabled         = optional(bool, false)
     os_type                                   = optional(string)
     performance_plus_enabled                  = optional(bool, false)
-    public_network_access_enabled             = optional(bool)
+    public_network_access_enabled             = optional(bool, false)
     resource_group_name                       = optional(string)
     secure_vm_disk_encryption_set_resource_id = optional(string)
     security_type                             = optional(string)