Add support for service delegation and example code

Author: stanleyz

main.tf

@@ -23,11 +23,13 @@ resource "azurerm_subnet" "subnet" {
   enforce_private_link_service_network_policies  = lookup(var.subnet_enforce_private_link_service_network_policies, var.subnet_names[count.index], false)
 
   dynamic "delegation" {
-    for_each = lookup(var.subnet_delegation, var_subnet_names[count.index], {})
-    name     = lookup(delegation.value, "name")
-    service_delegation {
-      name    = lookup(delegation.value, "service_name")
-      actions = lookup(delegation.value, "service_actions", [])
+    for_each = lookup(var.subnet_delegation, var.subnet_names[count.index], {})
+    content {
+      name = delegation.key
+      service_delegation {
+        name    = lookup(delegation.value, "service_name")
+        actions = lookup(delegation.value, "service_actions", [])
+      }
     }
   }
 }

test/fixture/main.tf

@@ -40,6 +40,19 @@ module "vnet" {
     subnet3 = ["Microsoft.AzureActiveDirectory"]
   }
 
+  subnet_delegation = {
+    subnet2 = {
+      "Microsoft.Sql.managedInstances" = {
+        service_name = "Microsoft.Sql/managedInstances"
+        service_actions = [
+          "Microsoft.Network/virtualNetworks/subnets/join/action",
+          "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
+          "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
+        ]
+      }
+    }
+  }
+
   route_tables_ids = {
     subnet1 = azurerm_route_table.rt1.id
   }

variables.tf

@@ -52,6 +52,12 @@ variable "subnet_enforce_private_link_service_network_policies" {
   default     = {}
 }
 
+variable "subnet_delegation" {
+  description = "A map of subnet name to delegation block on the subnet"
+  type        = map(map(any))
+  default     = {}
+}
+
 variable "nsg_ids" {
   description = "A map of subnet name to Network Security Group IDs"
   type        = map(string)