fix: support for the kind of OpenAI only

internal/services/cognitive/cognitive_account_resource.go

@@ -243,9 +243,9 @@ func resourceCognitiveAccount() *pluginsdk.Resource {
 						},
 
 						"bypass": {
-							Type:     pluginsdk.TypeString,
-							Optional: true,
-							Default:  cognitiveservicesaccounts.ByPassSelectionNone,
+							Type:        pluginsdk.TypeString,
+							Optional:    true,
+							Description: "Only support for the kind `OpenAI`",
 							ValidateFunc: validation.StringInSlice(
 								cognitiveservicesaccounts.PossibleValuesForByPassSelection(),
 								false,
@@ -353,7 +353,10 @@ func resourceCognitiveAccountCreate(d *pluginsdk.ResourceData, meta interface{})
 		Name: d.Get("sku_name").(string),
 	}
 
-	networkAcls, subnetIds := expandCognitiveAccountNetworkAcls(d)
+	networkAcls, subnetIds, err := expandCognitiveAccountNetworkAcls(d)
+	if err != nil {
+		return err
+	}
 
 	// also lock on the Virtual Network ID's since modifications in the networking stack are exclusive
 	virtualNetworkNames := make([]string, 0)
@@ -439,7 +442,10 @@ func resourceCognitiveAccountUpdate(d *pluginsdk.ResourceData, meta interface{})
 		Name: d.Get("sku_name").(string),
 	}
 
-	networkAcls, subnetIds := expandCognitiveAccountNetworkAcls(d)
+	networkAcls, subnetIds, err := expandCognitiveAccountNetworkAcls(d)
+	if err != nil {
+		return err
+	}
 
 	// also lock on the Virtual Network ID's since modifications in the networking stack are exclusive
 	virtualNetworkNames := make([]string, 0)
@@ -672,11 +678,11 @@ func cognitiveAccountStateRefreshFunc(ctx context.Context, client *cognitiveserv
 	}
 }
 
-func expandCognitiveAccountNetworkAcls(d *pluginsdk.ResourceData) (*cognitiveservicesaccounts.NetworkRuleSet, []string) {
+func expandCognitiveAccountNetworkAcls(d *pluginsdk.ResourceData) (*cognitiveservicesaccounts.NetworkRuleSet, []string, error) {
 	input := d.Get("network_acls").([]interface{})
 	subnetIds := make([]string, 0)
 	if len(input) == 0 || input[0] == nil {
-		return nil, subnetIds
+		return nil, subnetIds, nil
 	}
 
 	v := input[0].(map[string]interface{})
@@ -706,15 +712,22 @@ func expandCognitiveAccountNetworkAcls(d *pluginsdk.ResourceData) (*cognitiveser
 		networkRules = append(networkRules, rule)
 	}
 
-	bypass := cognitiveservicesaccounts.ByPassSelection(v["bypass"].(string))
-
 	ruleSet := cognitiveservicesaccounts.NetworkRuleSet{
-		Bypass:              &bypass,
 		DefaultAction:       &defaultAction,
 		IPRules:             &ipRules,
 		VirtualNetworkRules: &networkRules,
 	}
-	return &ruleSet, subnetIds
+
+	kind := d.Get("kind").(string)
+	if kind == "OpenAI" {
+		bypass := cognitiveservicesaccounts.ByPassSelection(v["bypass"].(string))
+		ruleSet.Bypass = &bypass
+	} else {
+		if b, ok := d.GetOk("network_acls.0.bypass"); ok && b != "" {
+			return nil, nil, fmt.Errorf("the `network_acls.bypass` does not support Trusted Services for the kind %q", kind)
+		}
+	}
+	return &ruleSet, subnetIds, nil
 }
 
 func expandCognitiveAccountStorage(input []interface{}) *[]cognitiveservicesaccounts.UserOwnedStorage {

internal/services/cognitive/cognitive_account_resource_test.go

@@ -288,13 +288,40 @@ func TestAccCognitiveAccount_networkAclsVirtualNetworkRules(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
+	})
+}
+
+func TestAccCognitiveAccount_networkAclsVirtualNetworkRulesWithBypass(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_cognitive_account", "test")
+	r := CognitiveAccountResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
 		{
-			Config: r.networkAclsVirtualNetworkBypassUpdated(data),
+			Config: r.networkAclsVirtualNetworkRulesWithBypass(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
 		},
 		data.ImportStep(),
+		{
+			Config: r.networkAclsVirtualNetworkRulesWithBypassUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccCognitiveAccount_networkAclsVirtualNetworkRulesWithBypassKindNotSupported(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_cognitive_account", "test")
+	r := CognitiveAccountResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config:      r.networkAclsVirtualNetworkRulesWithBypassKindNotSupported(data),
+			ExpectError: regexp.MustCompile("the `network_acls.bypass` does not support Trusted Services for the kind \"Face\""),
+		},
 	})
 }
 
@@ -896,7 +923,7 @@ resource "azurerm_cognitive_account" "test" {
   name                  = "acctestcogacc-%d"
   location              = azurerm_resource_group.test.location
   resource_group_name   = azurerm_resource_group.test.name
-  kind                  = "OpenAI"
+  kind                  = "Face"
   sku_name              = "S0"
   custom_subdomain_name = "acctestcogacc-%d"
 
@@ -920,7 +947,7 @@ resource "azurerm_cognitive_account" "test" {
   name                  = "acctestcogacc-%d"
   location              = azurerm_resource_group.test.location
   resource_group_name   = azurerm_resource_group.test.name
-  kind                  = "OpenAI"
+  kind                  = "Face"
   sku_name              = "S0"
   custom_subdomain_name = "acctestcogacc-%d"
 
@@ -946,12 +973,11 @@ resource "azurerm_cognitive_account" "test" {
   name                  = "acctestcogacc-%d"
   location              = azurerm_resource_group.test.location
   resource_group_name   = azurerm_resource_group.test.name
-  kind                  = "OpenAI"
+  kind                  = "Face"
   sku_name              = "S0"
   custom_subdomain_name = "acctestcogacc-%d"
 
   network_acls {
-    bypass         = "None"
     default_action = "Deny"
     virtual_network_rules {
       subnet_id = azurerm_subnet.test_a.id
@@ -972,12 +998,11 @@ resource "azurerm_cognitive_account" "test" {
   name                  = "acctestcogacc-%d"
   location              = azurerm_resource_group.test.location
   resource_group_name   = azurerm_resource_group.test.name
-  kind                  = "OpenAI"
+  kind                  = "Face"
   sku_name              = "S0"
   custom_subdomain_name = "acctestcogacc-%d"
 
   network_acls {
-    bypass         = "AzureServices"
     default_action = "Allow"
     ip_rules       = ["123.0.0.101"]
     virtual_network_rules {
@@ -989,9 +1014,10 @@ resource "azurerm_cognitive_account" "test" {
 `, r.networkAclsTemplate(data), data.RandomInteger, data.RandomInteger)
 }
 
-func (r CognitiveAccountResource) networkAclsVirtualNetworkBypassUpdated(data acceptance.TestData) string {
+func (r CognitiveAccountResource) networkAclsVirtualNetworkRulesWithBypass(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
+
 resource "azurerm_cognitive_account" "test" {
   name                  = "acctestcogacc-%d"
   location              = azurerm_resource_group.test.location
@@ -1001,11 +1027,67 @@ resource "azurerm_cognitive_account" "test" {
   custom_subdomain_name = "acctestcogacc-%d"
 
   network_acls {
-    bypass         = "None"
-    default_action = "Allow"
-    ip_rules       = ["123.0.0.101"]
+    bypass = "AzureServices"
+    default_action = "Deny"
     virtual_network_rules {
-      subnet_id                            = azurerm_subnet.test_a.id
+      subnet_id = azurerm_subnet.test_a.id
+    }
+    virtual_network_rules {
+      subnet_id                            = azurerm_subnet.test_b.id
+      ignore_missing_vnet_service_endpoint = true
+    }
+  }
+}
+`, r.networkAclsTemplate(data), data.RandomInteger, data.RandomInteger)
+}
+
+func (r CognitiveAccountResource) networkAclsVirtualNetworkRulesWithBypassUpdated(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_cognitive_account" "test" {
+  name                  = "acctestcogacc-%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  kind                  = "OpenAI"
+  sku_name              = "S0"
+  custom_subdomain_name = "acctestcogacc-%d"
+
+  network_acls {
+    bypass = "None"
+    default_action = "Deny"
+    virtual_network_rules {
+      subnet_id = azurerm_subnet.test_a.id
+    }
+    virtual_network_rules {
+      subnet_id                            = azurerm_subnet.test_b.id
+      ignore_missing_vnet_service_endpoint = true
+    }
+  }
+}
+`, r.networkAclsTemplate(data), data.RandomInteger, data.RandomInteger)
+}
+
+func (r CognitiveAccountResource) networkAclsVirtualNetworkRulesWithBypassKindNotSupported(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_cognitive_account" "test" {
+  name                  = "acctestcogacc-%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  kind                  = "Face"
+  sku_name              = "S0"
+  custom_subdomain_name = "acctestcogacc-%d"
+
+  network_acls {
+    bypass = "AzureServices"
+    default_action = "Deny"
+    virtual_network_rules {
+      subnet_id = azurerm_subnet.test_a.id
+    }
+    virtual_network_rules {
+      subnet_id                            = azurerm_subnet.test_b.id
       ignore_missing_vnet_service_endpoint = true
     }
   }

website/docs/r/cognitive_account.html.markdown

@@ -98,7 +98,7 @@ The following arguments are supported:
 
 A `network_acls` block supports the following:
 
-* `bypass` - (Optional) Wether to allow truested Azure Services to access the service. Possible values are `None` and `AzureServices`. Defaults to `None`.
+* `bypass` - (Optional) Wether to allow truested Azure Services to access the service. Possible values are `None` and `AzureServices`. Defaults to `None`. Only the `Kind` of `OpenAI` is supported.
 
 * `default_action` - (Required) The Default Action to use when no rules match from `ip_rules` / `virtual_network_rules`. Possible values are `Allow` and `Deny`.