
[HORIZONDB] az horizondb create/update/firewall-rule: Add public access support#10066

Open: petarperin-mdcs wants to merge 1 commit into Azure:main from petarperin-mdcs:horizondb-public-access-firewall-rules


@petarperin-mdcs


Related command

az horizondb create --public-access, az horizondb update --public-access, az horizondb firewall-rule create/show/list/update/delete

Description

Expands the horizondb extension to support configuring public access on a cluster, mirroring the Azure CLI PostgreSQL Flexible Server pattern.

  • Adds --public-access to az horizondb create (accepts Enabled / Disabled / All / None / <ip> / <startIp>-<endIp>). Supplying an IP/range or All automatically creates a firewall rule once the cluster exists; Enabled detects the caller's client IP (via an IP echo service) and prompts before allowing it. Omitting the argument preserves today's behavior (no firewall rule, no prompt).
  • Adds --public-access to az horizondb update (Enabled / Disabled).
  • Adds a new az horizondb firewall-rule command group: create, show, list, update, delete.

Design notes

  • HorizonDB firewall rules are pool-scoped (.../clusters/{cluster}/pools/{pool}/firewallRules/{name}). The CLI targets the seeded default pool (DefaultPool).
  • network.publicNetworkAccess is service-computed (read-only in the spec/SDK), so public access is managed via firewall rules rather than by setting a flag.
  • No vendored SDK change was required — the generated horizon_db_firewall_rules operations and HorizonDbFirewallRule models were already present.
  • Child commands use --cluster-name/-c for the cluster and --name/-n for the firewall rule, consistent with prior HorizonDB child-command conventions; firewall-rule list does not expose --ids.

Testing

  • Unit tests for public-access validation/parsing/resolution and firewall-rule model building (test_horizondb_firewall_rule.py).
  • A live-only end-to-end scenario test (test_horizondb_firewall_rule_scenario.py) covering create-with-public-access plus the full firewall-rule lifecycle; skipped in playback until a recording is captured.
  • azdev style, azdev linter --min-severity medium, compileall, test_index.py, and the existing scenario suite all pass locally.

Note for reviewers: because publicNetworkAccess is read-only, update --public-access Disabled currently emits guidance toward the firewall-rule commands rather than toggling a flag. Happy to adjust the update semantics if the RP will accept publicNetworkAccess on PATCH.

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally?
  • My extension version conforms to the Extension version schema

About Extension Publish

setup.py version bumped to 1.0.0b5 and HISTORY.rst updated. src/index.json is intentionally not modified.
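
The `--public-access` value forms listed in the description above, as an added parsing sketch that is not the PR's `_network.py` or validator code. The function names, the IPv4-only restriction, the `All` range (taken from the PostgreSQL Flexible Server pattern the description cites) and the treatment of `Disabled`/`None` as "no rule" are assumptions.

```python
import ipaddress

# Assumption: "All" opens the whole IPv4 space, as in the PostgreSQL
# Flexible Server CLI the PR says it mirrors. Not taken from the PR's code.
ALL_RANGE = ("0.0.0.0", "255.255.255.255")


def parse_public_access(value):
    """Classify a --public-access value (hypothetical helper).

    Returns (mode, start_ip, end_ip); mode is 'none', 'detect' or 'rule'.
    Raises ValueError on malformed input so a bad range never reaches the API.
    """
    if value is None:
        return ("none", None, None)        # argument omitted: no rule, no prompt
    val = value.strip().lower()
    if val == "enabled":
        return ("detect", None, None)      # caller detects client IP, then prompts
    if val in ("disabled", "none"):        # assumption: both mean "create no rule"
        return ("none", None, None)
    if val == "all":
        return ("rule",) + ALL_RANGE
    parts = [p.strip() for p in val.split("-")]
    if len(parts) > 2:
        raise ValueError("expected <ip> or <startIp>-<endIp>: %r" % value)
    try:
        start = ipaddress.IPv4Address(parts[0])
        end = ipaddress.IPv4Address(parts[-1])
    except ipaddress.AddressValueError as exc:
        raise ValueError("invalid IPv4 address in %r: %s" % (value, exc))
    if start > end:
        raise ValueError("start IP %s is greater than end IP %s" % (start, end))
    return ("rule", str(start), str(end))


def range_size(start_ip, end_ip):
    """Number of addresses a rule admits, for warning on overly broad rules."""
    first = int(ipaddress.IPv4Address(start_ip))
    last = int(ipaddress.IPv4Address(end_ip))
    return last - first + 1
```
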

…cess support

Add an `--public-access` argument to `az horizondb create` and `az horizondb update`,
and a new `az horizondb firewall-rule` command group, mirroring the Azure CLI
PostgreSQL Flexible Server pattern.

HorizonDB firewall rules are pool-scoped and target the seeded default pool
("DefaultPool"). Because `network.publicNetworkAccess` is service-computed
(read-only), public access is managed via firewall rules:

- create `--public-access` accepts Enabled/Disabled/All/None/<ip>/<ip>-<ip>.
  Supplying an IP/range or `All` auto-creates a firewall rule once the cluster
  exists; `Enabled` detects the caller IP (with prompt); omitting the argument
  preserves existing behavior (no rule).
- update `--public-access` accepts Enabled/Disabled.
- `az horizondb firewall-rule create/show/list/update/delete` manage rules
  directly.

Includes unit tests for validators, public-access parsing/resolution, and rule
building, plus a live-only end-to-end scenario test.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 2, 2026 13:03
@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented Jul 2, 2026

⚠️ Azure CLI Extensions Breaking Change Test

⚠️ horizondb

| rule | cmd_name | rule_message | suggest_message |
| --- | --- | --- | --- |
| ⚠️ 1006 - ParaAdd | horizondb create | cmd horizondb create added parameter public_access | |
| ⚠️ 1006 - ParaAdd | horizondb create | cmd horizondb create added parameter yes | |
| ⚠️ 1011 - SubgroupAdd | horizondb firewall-rule | sub group horizondb firewall-rule added | |
| ⚠️ 1006 - ParaAdd | horizondb update | cmd horizondb update added parameter public_access | |
| ⚠️ 1006 - ParaAdd | horizondb update | cmd horizondb update added parameter yes | |

Copilot AI left a comment


Pull request overview

This PR expands the horizondb Azure CLI extension to support configuring cluster public access via pool-scoped firewall rules, aligning the UX with patterns used by other Azure database CLIs.

Changes:

  • Adds --public-access to az horizondb create and az horizondb update, including client-IP auto-detection for Enabled.
  • Introduces a new az horizondb firewall-rule command group (create/show/list/update/delete) targeting the seeded DefaultPool.
  • Adds unit tests for parsing/validation and a live-only scenario test for end-to-end firewall rule lifecycle.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/horizondb/setup.py | Bumps extension version to 1.0.0b5. |
| src/horizondb/HISTORY.rst | Documents the new public access + firewall-rule capabilities. |
| src/horizondb/azext_horizondb/utils/validators.py | Adds validators/helpers for --public-access and firewall-rule IP args. |
| src/horizondb/azext_horizondb/utils/_network.py | Adds parsing + client-IP detection logic for --public-access Enabled. |
| src/horizondb/azext_horizondb/commands/firewall_rule_commands.py | Implements firewall-rule CRUD operations and rule model building. |
| src/horizondb/azext_horizondb/commands/custom_commands.py | Wires create/update flows to optionally create firewall rules from --public-access. |
| src/horizondb/azext_horizondb/cluster_commands.py | Registers the horizondb firewall-rule command group and client factory usage. |
| src/horizondb/azext_horizondb/_params.py | Defines new arguments for --public-access and firewall-rule subcommands. |
| src/horizondb/azext_horizondb/_help.py | Adds help/examples for public-access and firewall-rule commands. |
| src/horizondb/azext_horizondb/_client_factory.py | Adds cf_horizondb_firewall_rules factory for firewall-rule operations. |
| src/horizondb/azext_horizondb/tests/latest/test_horizondb_firewall_rule.py | Adds unit tests for validators/parsing and firewall-rule command helpers. |
| src/horizondb/azext_horizondb/tests/latest/test_horizondb_firewall_rule_scenario.py | Adds a live-only scenario test covering create-with-public-access and rule lifecycle. |

Comment on lines +146 to +151
if public_access is not None:
_apply_public_access(cmd, resource_group_name, cluster_name, public_access, yes)

return sdk_no_wait(no_wait, client.begin_update,
resource_group_name=resource_group_name,
cluster_name=cluster_name,
properties=properties)
if update_result is not None:
return update_result
return client.get(resource_group_name=resource_group_name, cluster_name=cluster_name)
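
Review bot: The interaction between `_apply_public_access(...)` at the top of this hunk and `--no-wait` is undocumented: the call has no visible guard on `no_wait`, and the tail returns `client.get(...)` whenever `update_result` is None. The lines shown do not say where `update_result` is assigned, so it is unclear whether a firewall rule can be created while the cluster update is still in flight, or whether a `--no-wait` caller now receives a GET result instead of the poller that `sdk_no_wait` returned. Please add a comment stating the ordering and which path yields None, and consider rejecting or deferring `--public-access` when `--no-wait` is set.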
Comment on lines +90 to +94
if val == 'disabled':
logger.warning("HorizonDB public network access is managed through firewall rules. To remove "
"public access, delete rules with 'az horizondb firewall-rule delete' "
"(list them with 'az horizondb firewall-rule list').")
return
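
Review bot: The `val == 'disabled'` branch logs a warning and returns, so `az horizondb update --public-access Disabled` exits successfully while every existing firewall rule stays in place. A script that treats a zero exit code as "public access is now off" will leave the cluster reachable. Suggest failing with a CLI error that carries the same guidance, or at minimum having the message state explicitly that no change was made.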
Comment on lines +19 to +20
now = datetime.now()
suffix = '{}-{}-{}_{}-{}-{}'.format(now.year, now.month, now.day, now.hour, now.minute, now.second)
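
Review bot: The `suffix` built on the second line has one-second resolution and no zero padding, and `datetime.now()` returns local time, so two invocations within the same second produce the same suffix and the values neither sort lexically nor compare across time zones. Suggest `datetime.now(timezone.utc).strftime(...)` with fixed-width fields, plus a short random component if the suffix names a resource that must be unique.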
@yonzhan yonzhan requested a review from Pan-Qi July 2, 2026 21:54
@yonzhan

yonzhan commented Jul 2, 2026


HORIZONDB

@Pan-Qi

Pan-Qi commented Jul 3, 2026


/azp run

@azure-pipelines

Azure Pipelines successfully started running 2 pipeline(s).
