From 1e018b54c39de8bb67f36d9815db90178ebbe114 Mon Sep 17 00:00:00 2001
From: "Xavier Pillons (MSFT)"
Date: Fri, 13 Oct 2023 11:26:53 +0200
Subject: [PATCH] assign nsg_common on netapp subnet + rules
---
 bicep/azhop.bicep | 7 +++++--
 tf/network_security_group.tf | 6 ++++++
 tf/variables_local.tf | 4 ++++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/bicep/azhop.bicep b/bicep/azhop.bicep
index c0a1bf42a..15a0d41dd 100644
--- a/bicep/azhop.bicep
+++ b/bicep/azhop.bicep
@@ -170,7 +170,6 @@ var config = {
 ]
 }
 netapp: {
- apply_nsg: false
 name: contains(azhopConfig.network.vnet.subnets.netapp, 'name') ? azhopConfig.network.vnet.subnets.netapp.name : 'netapp'
 cidr: azhopConfig.network.vnet.subnets.netapp.address_prefixes
 delegations: [
@@ -453,7 +452,11 @@ var config = {
 
 // SLURM
 AllowComputeSlurmIn : ['405', 'Inbound', 'Allow', '*', 'Slurmd', 'asg', 'asg-ondemand', 'subnet', 'compute']
-
+
+ // NFS
+ AllowNfsIn : ['430', 'Inbound', 'Allow', '*', 'Nfs', 'asg', 'asg-nfs-client', 'subnet', 'netapp']
+ AllowNfsComputeIn : ['435', 'Inbound', 'Allow', '*', 'Nfs', 'subnet', 'compute', 'subnet', 'netapp']
+
 // CycleCloud
 AllowCycleWebIn : ['440', 'Inbound', 'Allow', 'Tcp', 'Web', 'asg', 'asg-ondemand', 'asg', 'asg-cyclecloud']
 AllowCycleClientIn : ['450', 'Inbound', 'Allow', 'Tcp', 'CycleCloud', 'asg', 'asg-cyclecloud-client', 'asg', 'asg-cyclecloud']
diff --git a/tf/network_security_group.tf b/tf/network_security_group.tf
index 96e1a339e..5db98c63c 100644
--- a/tf/network_security_group.tf
+++ b/tf/network_security_group.tf
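Review bot: The two new rules `AllowNfsIn` and `AllowNfsComputeIn` (in the `@@ -453` hunk) open the `Nfs` service with protocol `'*'`, whereas the neighbouring Lustre and CycleCloud rules pin `'Tcp'`; unless the `Nfs` service definition (not in this patch) deliberately carries UDP ports for NFSv3 mount/portmapper traffic, narrowing these to `'Tcp'` keeps the netapp subnet's inbound exposure as small as the other storage rules. `AllowNfsComputeIn` also admits the whole compute subnet rather than an ASG; that mirrors `AllowLustreClientComputeIn`, but a one-line comment such as `// compute VMSS nodes cannot be placed in asg-nfs-client, hence subnet scope` would record why the broader source is needed. The same two rules are duplicated in the tf/variables_local.tf hunk of this patch and both copies must stay in sync, so the protocol choice should be settled in one place and applied to both.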
@@ -96,6 +96,12 @@ resource "azurerm_subnet_network_security_group_association" "admin" {
 network_security_group_id = azurerm_network_security_group.common[0].id
 }
 
+resource "azurerm_subnet_network_security_group_association" "netapp" {
+ count = local.create_nsg ? 1 : 0
+ subnet_id = local.create_netapp_subnet ? azurerm_subnet.netapp[0].id : data.azurerm_subnet.netapp[0].id
+ network_security_group_id = azurerm_network_security_group.common[0].id
+}
+
 resource "azurerm_subnet_network_security_group_association" "outbounddns" {
 count = local.create_nsg ? (local.no_outbounddns_subnet ? 0 : 1) : 0
 subnet_id = local.create_outbounddns_subnet ? azurerm_subnet.outbounddns[0].id : data.azurerm_subnet.outbounddns[0].id
diff --git a/tf/variables_local.tf b/tf/variables_local.tf
index 96c7369fc..7f0b10a09 100644
--- a/tf/variables_local.tf
+++ b/tf/variables_local.tf
@@ -408,6 +408,10 @@ locals {
 AllowLustreClientIn = ["410", "Inbound", "Allow", "Tcp", "Lustre", "asg/asg-lustre-client", "subnet/admin"],
 AllowLustreClientComputeIn = ["420", "Inbound", "Allow", "Tcp", "Lustre", "subnet/compute", "subnet/admin"],
 
+ # NFS
+ AllowNfsIn = ["430", "Inbound", "Allow", "*", "Nfs", "asg/asg-nfs-client", "subnet/netapp"],
+ AllowNfsComputeIn = ["435", "Inbound", "Allow", "*", "Nfs", "subnet/compute", "subnet/netapp"],
+
 # CycleCloud
 AllowCycleWebIn = ["440", "Inbound", "Allow", "Tcp", "Web", "asg/asg-ondemand", "asg/asg-cyclecloud"],
 AllowCycleClientIn = ["450", "Inbound", "Allow", "Tcp", "CycleCloud", "asg/asg-cyclecloud-client", "asg/asg-cyclecloud"],
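Review bot: The new `netapp` association in the `@@ -96` hunk is gated only on `local.create_nsg`, while the `outbounddns` association directly below it also checks `local.no_outbounddns_subnet`; if a deployment can omit the netapp subnet, `data.azurerm_subnet.netapp[0].id` will fail at plan time, so a matching guard along the lines of `count = local.create_nsg ? (local.NO_NETAPP_SUBNET_LOCAL ? 0 : 1) : 0` (placeholder name for whatever local expresses that) looks warranted — I cannot tell from this patch whether the netapp subnet is unconditional. Separately, as far as I recall Azure NetApp Files only enforces NSGs on the delegated subnet when the volumes use Standard network features; if azhop can deploy with Basic network features, this association and the NFS rules would not actually filter traffic, which is worth a comment on the resource (e.g. `# NSG is only enforced for ANF Standard network features — confirm`) or a check elsewhere.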