Toggle private only enabled conditionally

Author: QixiaLu

internal/services/network/bastion_host_resource.go

@@ -147,13 +147,6 @@ func resourceBastionHost() *pluginsdk.Resource {
 				Default:  false,
 			},
 
-			"private_only_enabled": {
-				Type:     pluginsdk.TypeBool,
-				Optional: true,
-				Default:  false,
-				ForceNew: true,
-			},
-
 			"session_recording_enabled": {
 				Type:     pluginsdk.TypeBool,
 				Optional: true,
@@ -172,6 +165,12 @@ func resourceBastionHost() *pluginsdk.Resource {
 				Computed: true,
 			},
 
+			"private_only_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Computed: true,
+				ForceNew: true,
+			},
+
 			"tags": commonschema.Tags(),
 
 			"zones": commonschema.ZonesMultipleOptionalForceNew(),
@@ -187,35 +186,22 @@ func resourceBastionHost() *pluginsdk.Resource {
 			}),
 			func(ctx context.Context, d *pluginsdk.ResourceDiff, meta interface{}) error {
 				sku := bastionhosts.BastionHostSkuName(d.Get("sku").(string))
-				privateOnlyEnabled := d.Get("private_only_enabled").(bool)
-
-				if privateOnlyEnabled && sku != bastionhosts.BastionHostSkuNamePremium {
-					return errors.New("`private_only_enabled` is only supported when `sku` is `Premium`")
-				}
 
 				// GetRawConfig is used because `public_ip_address_id` may reference another resource and be unknown during plan.
 				// d.Get() returns "" for unknown values, which would incorrectly trigger the required check.
 				// By inspecting the raw config, we can distinguish between "not set" and "unknown" and skip validation when unknown.
 				rawConfig := d.GetRawConfig()
 				ipConfigRaw := rawConfig.AsValueMap()["ip_configuration"]
-				ipConfiguration := d.Get("ip_configuration").([]interface{})
-				if privateOnlyEnabled {
-					if !ipConfigRaw.IsNull() && ipConfigRaw.IsKnown() && len(ipConfiguration) > 0 {
-						ipConfigMap := ipConfiguration[0].(map[string]interface{})
-						if v, ok := ipConfigMap["public_ip_address_id"]; ok && v.(string) != "" {
-							return errors.New("`public_ip_address_id` must not be set when `private_only_enabled` is `true`")
-						}
-					}
-				} else if sku != bastionhosts.BastionHostSkuNameDeveloper {
-					if len(ipConfiguration) == 0 {
-						return errors.New("`ip_configuration` with `public_ip_address_id` is required when `private_only_enabled` is `false`")
-					}
 
-					if !ipConfigRaw.IsNull() && ipConfigRaw.IsKnown() {
-						pipRaw := ipConfigRaw.AsValueSlice()[0].AsValueMap()["public_ip_address_id"]
-						if pipRaw.IsKnown() && (pipRaw.IsNull() || pipRaw.AsString() == "") {
-							return errors.New("`public_ip_address_id` is required in `ip_configuration` when `private_only_enabled` is `false`")
-						}
+				// Basic and Standard SKUs require public_ip_address_id; Developer uses virtual_network_id instead.
+				// Premium without public_ip_address_id enables private-only mode.
+				if sku != bastionhosts.BastionHostSkuNamePremium && sku != bastionhosts.BastionHostSkuNameDeveloper {
+					if ipConfigRaw.IsNull() || !ipConfigRaw.IsKnown() || len(ipConfigRaw.AsValueSlice()) == 0 {
+						return errors.New("`ip_configuration` with `public_ip_address_id` is required when `sku` is `Basic` or `Standard`")
+					}
+					pipRaw := ipConfigRaw.AsValueSlice()[0].AsValueMap()["public_ip_address_id"]
+					if pipRaw.IsKnown() && (pipRaw.IsNull() || pipRaw.AsString() == "") {
+						return errors.New("`public_ip_address_id` must be set in `ip_configuration` when `sku` is `Basic` or `Standard`")
 					}
 				}
 
@@ -240,7 +226,6 @@ func resourceBastionHostCreate(d *pluginsdk.ResourceData, meta interface{}) erro
 	fileCopyEnabled := d.Get("file_copy_enabled").(bool)
 	ipConnectEnabled := d.Get("ip_connect_enabled").(bool)
 	kerberosEnabled := d.Get("kerberos_enabled").(bool)
-	privateOnlyEnabled := d.Get("private_only_enabled").(bool)
 	shareableLinkEnabled := d.Get("shareable_link_enabled").(bool)
 	tunnelingEnabled := d.Get("tunneling_enabled").(bool)
 	sessionRecordingEnabled := d.Get("session_recording_enabled").(bool)
@@ -324,6 +309,17 @@ func resourceBastionHostCreate(d *pluginsdk.ResourceData, meta interface{}) erro
 		parameters.Properties.EnableSessionRecording = pointer.To(sessionRecordingEnabled)
 	}
 
+	ipConfigs := d.Get("ip_configuration").([]interface{})
+	privateOnlyEnabled := false
+	if sku == bastionhosts.BastionHostSkuNamePremium {
+		if len(ipConfigs) > 0 {
+			ipConfigMap := ipConfigs[0].(map[string]interface{})
+			if v, ok := ipConfigMap["public_ip_address_id"]; ok && v.(string) != "" {
+				privateOnlyEnabled = true
+			}
+		}
+	}
+
 	if privateOnlyEnabled {
 		parameters.Properties.EnablePrivateOnlyBastion = pointer.To(privateOnlyEnabled)
 	}

internal/services/network/bastion_host_resource_test.go

@@ -163,6 +163,7 @@ func TestAccBastionHost_privateOnly(t *testing.T) {
 			Config: r.privateOnly(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("private_only_enabled").HasValue("true"),
 			),
 		},
 		data.ImportStep(),
@@ -559,11 +560,10 @@ resource "azurerm_subnet" "test" {
 }
 
 resource "azurerm_bastion_host" "test" {
-  name                 = "acctestBastion%s"
-  location             = azurerm_resource_group.test.location
-  resource_group_name  = azurerm_resource_group.test.name
-  sku                  = "Premium"
-  private_only_enabled = true
+  name                = "acctestBastion%s"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  sku                 = "Premium"
 
   ip_configuration {
     name      = "ip-configuration"

website/docs/d/bastion_host.html.markdown

@@ -58,7 +58,7 @@ In addition to the Arguments listed above - the following Attributes are exporte
 
 * `session_recording_enabled` - Is Session Recording feature enabled for the Bastion Host.
 
-* `private_only_enabled` - Is the Bastion Host deployed in Private-Only mode.
+* `private_only_enabled` - Whether Private-Only deployment is enabled for the Bastion Host. 
 
 * `dns_name` - The FQDN for the Bastion Host.
 

website/docs/r/bastion_host.html.markdown

@@ -86,10 +86,6 @@ The following arguments are supported:
 
 ~> **Note:** `kerberos_enabled` is only supported when `sku` is `Standard` or `Premium`.
 
-* `private_only_enabled` - (Optional) Is Private-Only deployment enabled for the Bastion Host. Defaults to `false`. Changing this forces a new resource to be created.
-
-~> **Note:** `private_only_enabled` is only supported when `sku` is `Premium`. When `private_only_enabled` is `true`, `public_ip_address_id` in `ip_configuration` must not be specified.
-
 * `scale_units` - (Optional) The number of scale units with which to provision the Bastion Host. Possible values are between `2` and `50`. Defaults to `2`.
 
 ~> **Note:** `scale_units` only can be changed when `sku` is `Standard` or `Premium`. `scale_units` is always `2` when `sku` is `Basic`.
@@ -124,7 +120,7 @@ A `ip_configuration` block supports the following:
 
 * `public_ip_address_id` - (Optional) Reference to a Public IP Address to associate with this Bastion Host. Changing this forces a new resource to be created.
 
-~> **Note:** `public_ip_address_id` is required when `private_only_enabled` is `false`.
+~> **Note:** `public_ip_address_id` is required when `sku` is `Basic` or `Standard`. When `sku` is `Premium` and `public_ip_address_id` is omitted, the Bastion Host is deployed in Private-Only mode (`private_only_enabled` will be `true`).
 
 ## Attributes Reference
 
@@ -134,6 +130,8 @@ In addition to the Arguments listed above - the following Attributes are exporte
 
 * `dns_name` - The FQDN for the Bastion Host.
 
+* `private_only_enabled` - Whether Private-Only deployment is enabled for the Bastion Host. 
+
 ## Timeouts
 
 The `timeouts` block allows you to specify [timeouts](https://developer.hashicorp.com/terraform/language/resources/configure#define-operation-timeouts) for certain actions: