Support enabling public access only from IP ranges for AML #454

Closed
kimyen opened this issue Apr 19, 2024 · 2 comments

kimyen commented Apr 19, 2024

Doc: https://learn.microsoft.com/en-us/azure/machine-learning/how-to-configure-private-link?tabs=cli&view=azureml-api-2#enable-public-access-only-from-internet-ip-ranges-preview

Desired behavior: add a new azapi resource or extend an existing azapi resource to allow specifying a list of CIDRs.

@ms-henglu ms-henglu added the example Example request label May 6, 2024
@ms-henglu
Collaborator

Hi @kimyen,

Thank you for taking the time to open this issue, and apologies for the late response.

Here's an example:

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "acctesthenglu56"
  location = "West Europe"
}

resource "azurerm_application_insights" "example" {
  name                = "acctesthenglu56"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  application_type    = "web"
}

resource "azurerm_key_vault" "example" {
  name                = "acctesthenglu56"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
}

resource "azurerm_storage_account" "example" {
  name                     = "acctesthenglu56"
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  account_tier             = "Standard"
  account_replication_type = "GRS"
}

# Workspace created through azapi so the preview ipAllowlist property can be set.
resource "azapi_resource" "workspace" {
  type      = "Microsoft.MachineLearningServices/workspaces@2024-04-01-preview"
  parent_id = azurerm_resource_group.example.id
  name      = "acctesthenglu56"
  location  = "westeurope"
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      applicationInsights = azurerm_application_insights.example.id
      keyVault            = azurerm_key_vault.example.id
      publicNetworkAccess = "Enabled"
      storageAccount      = azurerm_storage_account.example.id
      v1LegacyMode        = false
      # List of CIDR ranges allowed to use the workspace's public access.
      ipAllowlist = ["168.168.168.168/32"]
    }
    sku = {
      name = "Basic"
      tier = "Basic"
    }
  }
}
```

If you want to enable the ipAllowlist feature on an existing machine learning workspace, please refer to the example below:

```hcl
# Existing workspace managed by the azurerm provider.
resource "azurerm_machine_learning_workspace" "example" {
  name                    = "acctesthenglu56"
  location                = azurerm_resource_group.example.location
  resource_group_name     = azurerm_resource_group.example.name
  application_insights_id = azurerm_application_insights.example.id
  key_vault_id            = azurerm_key_vault.example.id
  storage_account_id      = azurerm_storage_account.example.id

  identity {
    type = "SystemAssigned"
  }
  public_network_access_enabled = true
}

# Sets only the ipAllowlist property on the existing workspace.
resource "azapi_update_resource" "update_workspace" {
  type        = "Microsoft.MachineLearningServices/workspaces@2024-04-01-preview"
  resource_id = azurerm_machine_learning_workspace.example.id
  body = {
    properties = {
      ipAllowlist = ["168.168.168.168/32"]
    }
  }
}
```
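An added example, not part of the original comment or the azapi project: a variant of the `azapi_update_resource` block above that takes the allowlist from a validated input variable, so a malformed or overly broad CIDR fails at plan time. The variable name `aml_ip_allowlist`, the IPv4-only rule, the non-empty rule and the /16 limit are assumptions chosen for illustration.

```hcl
# Added example: hypothetical variable name; the limits below are assumed policy.
variable "aml_ip_allowlist" {
  description = "Public IPv4 CIDR ranges allowed to reach the workspace over its public endpoint."
  type        = list(string)
  default     = ["168.168.168.168/32"] # value used in the examples above

  validation {
    # Assumed policy: never apply an empty allowlist.
    condition     = length(var.aml_ip_allowlist) > 0
    error_message = "Provide at least one CIDR range."
  }

  validation {
    # cidrhost() fails on malformed CIDRs; the regex keeps entries to IPv4 form (assumed policy).
    condition = alltrue([
      for c in var.aml_ip_allowlist :
      can(cidrhost(c, 0)) && can(regex("^[0-9.]+/[0-9]+$", c))
    ])
    error_message = "Every entry must be a valid IPv4 CIDR block such as 203.0.113.10/32."
  }

  validation {
    # Assumed policy: reject ranges wider than /16, which also rejects 0.0.0.0/0.
    condition = alltrue([
      for c in var.aml_ip_allowlist :
      try(tonumber(split("/", c)[1]) >= 16, false)
    ])
    error_message = "Ranges wider than /16 are not accepted; list narrower ranges instead."
  }
}

# Same update as above, with the literal list replaced by the validated variable.
resource "azapi_update_resource" "update_workspace" {
  type        = "Microsoft.MachineLearningServices/workspaces@2024-04-01-preview"
  resource_id = azurerm_machine_learning_workspace.example.id
  body = {
    properties = {
      ipAllowlist = var.aml_ip_allowlist
    }
  }
}
```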

@ms-henglu
Collaborator

I'll close this issue as it's resolved. Feel free to reopen it if there are any questions.
