feat: added bypass property for network_acls

internal/services/cognitive/ai_services_resource.go

@@ -56,6 +56,7 @@ type AzureAIServicesVirtualNetworkRules struct {
 }
 
 type AzureAIServicesNetworkACLs struct {
+	Bypass              string                               `tfschema:"bypass"`
 	DefaultAction       string                               `tfschema:"default_action"`
 	IpRules             []string                             `tfschema:"ip_rules"`
 	VirtualNetworkRules []AzureAIServicesVirtualNetworkRules `tfschema:"virtual_network_rules"`
@@ -167,6 +168,15 @@ func (AzureAIServicesResource) Arguments() map[string]*pluginsdk.Schema {
 			RequiredWith: []string{"custom_subdomain_name"},
 			Elem: &pluginsdk.Resource{
 				Schema: map[string]*pluginsdk.Schema{
+					"bypass": {
+						Type:     pluginsdk.TypeString,
+						Optional: true,
+						Default:  cognitiveservicesaccounts.ByPassSelectionAzureServices,
+						ValidateFunc: validation.StringInSlice(
+							cognitiveservicesaccounts.PossibleValuesForByPassSelection(),
+							false,
+						),
+					},
 					"default_action": {
 						Type:     pluginsdk.TypeString,
 						Required: true,
@@ -723,7 +733,10 @@ func expandAzureAIServicesNetworkACLs(input []AzureAIServicesNetworkACLs) (*cogn
 		networkRules = append(networkRules, rule)
 	}
 
+	bypass := cognitiveservicesaccounts.ByPassSelection((v.Bypass))
+
 	ruleSet := cognitiveservicesaccounts.NetworkRuleSet{
+		Bypass:              &bypass,
 		DefaultAction:       &defaultAction,
 		IPRules:             &ipRules,
 		VirtualNetworkRules: &networkRules,
@@ -760,6 +773,7 @@ func flattenAzureAIServicesNetworkACLs(input *cognitiveservicesaccounts.NetworkR
 	}
 
 	return []AzureAIServicesNetworkACLs{{
+		Bypass:              string(*input.Bypass),
 		DefaultAction:       string(*input.DefaultAction),
 		IpRules:             ipRules,
 		VirtualNetworkRules: virtualNetworkRules,

internal/services/cognitive/ai_services_resource_test.go

@@ -116,6 +116,13 @@ func TestAccCognitiveAzureAIServices_networkACLs(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
+		{
+			Config: r.networkACLsBypassUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
 	})
 }
 
@@ -504,6 +511,32 @@ resource "azurerm_ai_services" "test" {
   custom_subdomain_name = "acctestcogacc-%d"
 
   network_acls {
+    bypass         = "None"
+    default_action = "Allow"
+    ip_rules       = ["123.0.0.101"]
+    virtual_network_rules {
+      subnet_id = azurerm_subnet.test_a.id
+    }
+    virtual_network_rules {
+      subnet_id = azurerm_subnet.test_b.id
+    }
+  }
+}
+`, r.networkACLsTemplate(data), data.RandomInteger, data.RandomInteger)
+}
+
+func (r AzureAIServicesResource) networkACLsBypassUpdated(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+resource "azurerm_ai_services" "test" {
+  name                  = "acctestcogacc-%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  sku_name              = "S0"
+  custom_subdomain_name = "acctestcogacc-%d"
+
+  network_acls {
+    bypass         = "AzureServices"
     default_action = "Allow"
     ip_rules       = ["123.0.0.101"]
     virtual_network_rules {

website/docs/r/ai_services.html.markdown

@@ -68,6 +68,8 @@ The following arguments are supported:
 
 A `network_acls` block supports the following:
 
+* `bypass` - (Optional) Whether to allow trusted Azure Services to access the service. Possible values are `None` and `AzureServices`. Defaults to `AzureServices`.
+* 
 * `default_action` - (Required) The Default Action to use when no rules match from `ip_rules` / `virtual_network_rules`. Possible values are `Allow` and `Deny`.
 
 * `ip_rules` - (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the AI Services Account.