azurerm_search_service should support the "Allow Azure services on the trusted services list to access this search service"-flag

[mkemmerz]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

The Azure Search Service should have an attribute to disable / enable the flag to "Allow Azure services on the trusted services list to access this search service".

This was recently introduced by Microsoft:

The flag is required if you disable the networking and use additional AI resources like Open AI that needs to reach the Search Service.

New or Affected Resource(s)/Data Source(s)

azurerm_search_service

Potential Terraform Configuration

resource "azurerm_search_service" "example" {
  name                = "example-resource"
  ...
  network_bypass = "AzureServices"
}

References

This issue requires the 1.4.0 of the search go sdk before it can be implemented: https://github.com/Azure/azure-sdk-for-go/releases/tag/sdk%2Fresourcemanager%2Fsearch%2Farmsearch%2Fv1.4.0-beta.1 because it adds support for: New field Bypass in struct NetworkRuleSet

[vishbhalla]

Any work arounds for this in the mean time (apart from click ops of course)? I don't see anything in the CLI.

[mkemmerz]

Any work arounds for this in the mean time (apart from click ops of course)? I don't see anything in the CLI.

The Microsoft documentation only mentions the direct API call: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#enable-trusted-service-1

You can also use the REST API to enable trusted service. This example uses the Azure CLI and the jq tool.

rid=/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-RESOURCE-GROUP>/providers/Microsoft.Search/searchServices/<YOUR-RESOURCE-NAME>
apiVersion=2024-03-01-Preview
#store the resource properties in a variable
az rest --uri "https://management.azure.com$rid?api-version=$apiVersion" > search.json

#replace bypass with AzureServices using jq
jq '.properties.networkRuleSet.bypass = "AzureServices"' search.json > search_updated.json

#apply the updated properties to the resource
az rest --uri "https://management.azure.com$rid?api-version=$apiVersion" \
    --method PUT \
    --body @search_updated.json

[henrydleao]

Hey, you can add the following snippet bellow the lines where you create your AI Search: ` resource "azapi_update_resource" "ai_search_allow_azure_services" { type = "Microsoft.Search/searchServices@2024-06-01-Preview" resource_id = azurerm_search_service.ai_search.id

body = { properties = { networkRuleSet = { bypass = "AzureServices" } } } } `

This will make an API call and update the AI Search with just what you wanted. Adjust the resource_id to reflect your Terraform code.

[aeimer]

@henrydleao many thanks for the tip!

If you were wondering what else can be set and where the docs are:

None, AzurePortal, AzureServices

https://learn.microsoft.com/en-us/rest/api/searchmanagement/services/update?view=rest-searchmanagement-2024-06-01-preview&preserve-view=true&tabs=HTTP#searchbypass