api: Make PlatformProfile.networkSecurityGroupId optional

api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp

@@ -316,7 +316,7 @@ model PlatformProfile {
   outboundType?: OutboundType = OutboundType.loadBalancer;
 
   /** ResourceId for the network security group attached to the cluster subnet */
-  networkSecurityGroupId: NetworkSecurityGroupResourceId;
+  networkSecurityGroupId?: NetworkSecurityGroupResourceId;
 
   /** The id of the disk encryption set to be used for etcd.
    * Configure this when `etcdEncryption` is set to true

api/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json

@@ -1952,8 +1952,7 @@
         }
       },
       "required": [
-        "subnetId",
-        "networkSecurityGroupId"
+        "subnetId"
       ]
     },
     "ProvisioningState": {

frontend/pkg/frontend/ocm.go

@@ -149,14 +149,6 @@ func (f *Frontend) BuildCSCluster(resourceID *arm.ResourceID, tenantID string, h
 				ID(f.location)).
 			CloudProvider(cmv1.NewCloudProvider().
 				ID(csCloudProvider)).
-			Azure(cmv1.NewAzure().
-				TenantID(tenantID).
-				SubscriptionID(resourceID.SubscriptionID).
-				ResourceGroupName(resourceID.ResourceGroupName).
-				ResourceName(hcpCluster.Name).
-				ManagedResourceGroupName(ensureManagedResourceGroupName(hcpCluster)).
-				SubnetResourceID(hcpCluster.Properties.Spec.Platform.SubnetID).
-				NetworkSecurityGroupResourceID(hcpCluster.Properties.Spec.Platform.NetworkSecurityGroupID)).
 			Product(cmv1.NewProduct().
 				ID(csProductId)).
 			Hypershift(cmv1.NewHypershift().
@@ -177,6 +169,22 @@ func (f *Frontend) BuildCSCluster(resourceID *arm.ResourceID, tenantID string, h
 			FIPS(hcpCluster.Properties.Spec.FIPS).
 			EtcdEncryption(hcpCluster.Properties.Spec.EtcdEncryption)
 
+		azureBuilder := cmv1.NewAzure().
+			TenantID(tenantID).
+			SubscriptionID(resourceID.SubscriptionID).
+			ResourceGroupName(resourceID.ResourceGroupName).
+			ResourceName(hcpCluster.Name).
+			ManagedResourceGroupName(ensureManagedResourceGroupName(hcpCluster)).
+			SubnetResourceID(hcpCluster.Properties.Spec.Platform.SubnetID)
+
+		// Cluster Service rejects an empty NetworkSecurityGroupResourceID string.
+		if hcpCluster.Properties.Spec.Platform.NetworkSecurityGroupID != "" {
+			azureBuilder = azureBuilder.
+				NetworkSecurityGroupResourceID(hcpCluster.Properties.Spec.Platform.NetworkSecurityGroupID)
+		}
+
+		clusterBuilder = clusterBuilder.Azure(azureBuilder)
+
 		// Cluster Service rejects an empty DomainPrefix string.
 		if hcpCluster.Properties.Spec.DNS.BaseDomainPrefix != "" {
 			clusterBuilder = clusterBuilder.

internal/api/hcpopenshiftcluster.go

@@ -84,12 +84,11 @@ type ProxyProfile struct {
 // PlatformProfile represents the Azure platform configuration.
 // Visibility for the entire struct is "read create".
 type PlatformProfile struct {
-	ManagedResourceGroup string       `json:"managedResourceGroup,omitempty"`
-	SubnetID             string       `json:"subnetId,omitempty"             validate:"required_for_put"`
-	OutboundType         OutboundType `json:"outboundType,omitempty"         validate:"omitempty,enum_outboundtype"`
-	//TODO: Is nsg required for PUT, or will we create if not specified?
-	NetworkSecurityGroupID string `json:"networkSecurityGroupId,omitempty" validate:"required_for_put"`
-	EtcdEncryptionSetID    string `json:"etcdEncryptionSetId,omitempty"`
+	ManagedResourceGroup   string       `json:"managedResourceGroup,omitempty"`
+	SubnetID               string       `json:"subnetId,omitempty"             validate:"required_for_put"`
+	OutboundType           OutboundType `json:"outboundType,omitempty"         validate:"omitempty,enum_outboundtype"`
+	NetworkSecurityGroupID string       `json:"networkSecurityGroupId,omitempty"`
+	EtcdEncryptionSetID    string       `json:"etcdEncryptionSetId,omitempty"`
 }
 
 // ExternalAuthConfigProfile represents the external authentication configuration.

internal/api/hcpopenshiftcluster_test.go

@@ -48,8 +48,7 @@ func minimumValidCluster() *HCPOpenShiftCluster {
 					Visibility: "public",
 				},
 				Platform: PlatformProfile{
-					SubnetID:               "/something/something/virtualNetworks/subnets",
-					NetworkSecurityGroupID: "/something/something/networkSecurityGroups",
+					SubnetID: "/something/something/virtualNetworks/subnets",
 				},
 			},
 		},
@@ -104,10 +103,6 @@ func TestClusterRequiredForPut(t *testing.T) {
 					Message: "Missing required field 'subnetId'",
 					Target:  "properties.spec.platform.subnetId",
 				},
-				{
-					Message: "Missing required field 'networkSecurityGroupId'",
-					Target:  "properties.spec.platform.networkSecurityGroupId",
-				},
 			},
 		},
 		{