feat: Added ip_restriction_default_action variable to app service and slot (#331)

* feat: added ip_restriction_default_action variable to app service and slot

* feat: added ip_restriction_default_action variable to app service and slot

* feat: added ip_restriction_default_action variable to app service and slot

* chore: ran pre-commit

* chore: ran pre-commit

* feat: made parameter ip_restriction_default_action mandatory

* fix: set minimum version of provider of app_service module
christian-calabrese authored Jul 23, 2024
1 parent 21218cc commit c53b8c7
Showing 9 changed files with 32 additions and 5 deletions.
2 changes: 1 addition & 1 deletion app_gateway/README.md
Expand Up @@ -483,7 +483,7 @@ No modules.
| <a name="input_private_ip_address"></a> [private\_ip\_address](#input\_private\_ip\_address) | Private frontend ip | `list(string)` | `[]` | no |
| <a name="input_public_ip_id"></a> [public\_ip\_id](#input\_public\_ip\_id) | Public IP | `string` | n/a | yes |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | n/a | `string` | n/a | yes |
| <a name="input_rewrite_rule_sets"></a> [rewrite\_rule\_sets](#input\_rewrite\_rule\_sets) | Rewrite rules sets obj descriptor | <pre>list(object({<br> name = string # Unique name of the rewrite rule set block<br> rewrite_rules = list(object({<br> name = string # Unique name of the rewrite rule block<br> rule_sequence = number # Rule sequence of the rewrite rule that determines the order of execution in a set.<br> conditions = list(object({ # One or more condition blocks as defined above.<br> variable = string # The variable of the condition.<br> pattern = string # The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.<br> ignore_case = bool # Perform a case in-sensitive comparison. Defaults to false<br> negate = bool # Negate the result of the condition evaluation. Defaults to false<br> }))<br><br> request_header_configurations = list(object({<br> header_name = string # Header name of the header configuration.<br> header_value = string # Header value of the header configuration. To delete a request header set this property to an empty string.<br> }))<br><br> response_header_configurations = list(object({<br> header_name = string # Header name of the header configuration.<br> header_value = string # Header value of the header configuration. To delete a response header set this property to an empty string.<br> }))<br><br> url = object({<br> path = string # The URL path to rewrite.<br> query_string = string # The query string to rewrite.<br> reroute = optional(bool, false) # Whether the URL path map should be reevaluated after this rewrite has been applied.<br> })<br><br> }))<br> }))</pre> | `[]` | no |
| <a name="input_rewrite_rule_sets"></a> [rewrite\_rule\_sets](#input\_rewrite\_rule\_sets) | Rewrite rules sets obj descriptor | <pre>list(object({<br> name = string # Unique name of the rewrite rule set block<br> rewrite_rules = list(object({<br> name = string # Unique name of the rewrite rule block<br> rule_sequence = number # Rule sequence of the rewrite rule that determines the order of execution in a set.<br> conditions = list(object({ # One or more condition blocks as defined above.<br> variable = string # The variable of the condition.<br> pattern = string # The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.<br> ignore_case = bool # Perform a case in-sensitive comparison. Defaults to false<br> negate = bool # Negate the result of the condition evaluation. Defaults to false<br> }))<br><br> request_header_configurations = list(object({<br> header_name = string # Header name of the header configuration.<br> header_value = string # Header value of the header configuration. To delete a request header set this property to an empty string.<br> }))<br><br> response_header_configurations = list(object({<br> header_name = string # Header name of the header configuration.<br> header_value = string # Header value of the header configuration. To delete a response header set this property to an empty string.<br> }))<br><br> url = object({<br> path = string # The URL path to rewrite.<br> query_string = string # The query string to rewrite.<br> reroute = optional(bool, false) # Whether the URL path map should be reevaluated after this rewrite has been applied.<br> components = optional(string, null) # The components used to rewrite the URL. Possible values are path_only and query_string_only to limit the rewrite to the URL Path or URL Query String only.<br> })<br><br> }))<br> }))</pre> | `[]` | no |
| <a name="input_routes"></a> [routes](#input\_routes) | n/a | <pre>map(object({<br> listener = string # Prefix for http_listener_name<br> backend = string # Prefix for backend_address_pool_name, backend_http_settings_name<br> rewrite_rule_set_name = string # The Name of the Rewrite Rule Set which should be used for this Routing Rule.<br> priority = number # Rule evaluation order can be dictated by specifying an integer value from 1 to 20000 with 1 being the highest priority and 20000 being the lowest priority.<br> }))</pre> | n/a | yes |
| <a name="input_routes_path_based"></a> [routes\_path\_based](#input\_routes\_path\_based) | To configure path based routing | <pre>map(object({<br> listener = string # Prefix for http_listener_name<br> url_map_name = string # The Name of the URL Path Map which should be associated with this Routing Rule.<br> priority = number # Rule evaluation order can be dictated by specifying an integer value from 1 to 20000 with 1 being the highest priority and 20000 being the lowest priority.<br> }))</pre> | `{}` | no |
| <a name="input_sec_log_analytics_workspace_id"></a> [sec\_log\_analytics\_workspace\_id](#input\_sec\_log\_analytics\_workspace\_id) | Log analytics workspace security (it should be in a different subscription). | `string` | `null` | no |
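Review bot: The `components = optional(string, null)` line added to the `rewrite_rule_sets` description is unrelated to `ip_restriction_default_action` and is the only change in app_gateway/README.md. It looks like documentation regenerated by the "ran pre-commit" step; move it to its own commit so this one stays limited to the app_service and app_service_slot modules.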
3 changes: 2 additions & 1 deletion app_service/README.md
Expand Up @@ -57,7 +57,7 @@ Of course, the values listed above may change in the future, so please check whi
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.39 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.95 |

## Modules

Expand Down Expand Up @@ -93,6 +93,7 @@ No modules.
| <a name="input_health_check_maxpingfailures"></a> [health\_check\_maxpingfailures](#input\_health\_check\_maxpingfailures) | Max ping failures allowed | `number` | `null` | no |
| <a name="input_health_check_path"></a> [health\_check\_path](#input\_health\_check\_path) | (Optional) The health check path to be pinged by App Service. | `string` | `null` | no |
| <a name="input_https_only"></a> [https\_only](#input\_https\_only) | (Optional) Can the App Service only be accessed via HTTPS? Defaults to true. | `bool` | `true` | no |
| <a name="input_ip_restriction_default_action"></a> [ip\_restriction\_default\_action](#input\_ip\_restriction\_default\_action) | The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. | `string` | n/a | yes |
| <a name="input_java_server"></a> [java\_server](#input\_java\_server) | n/a | `string` | `null` | no |
| <a name="input_java_server_version"></a> [java\_server\_version](#input\_java\_server\_version) | n/a | `string` | `null` | no |
| <a name="input_java_version"></a> [java\_version](#input\_java\_version) | n/a | `string` | `null` | no |
2 changes: 2 additions & 0 deletions app_service/main.tf
Expand Up @@ -71,6 +71,8 @@ resource "azurerm_linux_web_app" "this" {

http2_enabled = true

ip_restriction_default_action = var.ip_restriction_default_action

dynamic "ip_restriction" {
for_each = var.allowed_subnets
iterator = subnet
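Review bot: Nothing ties `ip_restriction_default_action = var.ip_restriction_default_action` to the `dynamic "ip_restriction"` block right below it, which is driven by `var.allowed_subnets`. With `"Allow"`, traffic that matches none of the subnet rules is still admitted, so a non-empty `allowed_subnets` no longer works as an allowlist; with `"Deny"` and an empty list, every caller is rejected unless other rules exist outside this hunk. Consider a `precondition` (or at least a README note) that flags `"Allow"` combined with a non-empty `allowed_subnets`.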
10 changes: 10 additions & 0 deletions app_service/variables.tf
Expand Up @@ -132,6 +132,16 @@ variable "health_check_maxpingfailures" {
}
}

variable "ip_restriction_default_action" {
type = string
description = "The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny."

validation {
condition = contains(["Allow", "Deny"], var.ip_restriction_default_action)
error_message = "Possible values include Allow and Deny"
}
}

variable "allowed_subnets" {
type = list(string)
description = "(Optional) List of subnet allowed to call the appserver endpoint."
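Review bot: `variable "ip_restriction_default_action"` has no `default`, so every existing caller of app_service fails to plan until it sets the value, yet the commit is typed `feat:` rather than marked as a breaking change. Forcing an explicit choice is a reasonable security stance; flag it with `feat!:` or a `BREAKING CHANGE:` footer so consumers see it in the release notes. The description and `error_message` also say the values "include" Allow and Deny while the `contains([...])` check accepts only those two; wording such as "must be Allow or Deny" would match the validation.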
2 changes: 1 addition & 1 deletion app_service/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.39"
version = "~>3.95"
}
}
}
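Review bot: The constraint moves from `~>3.39` to `~>3.95` with no comment explaining why 3.95 is the floor. If it is the first release that accepts `ip_restriction_default_action`, say so next to the `version` line or in the changelog, since callers pinned to an earlier 3.x provider have to upgrade before they can take this module version.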
3 changes: 2 additions & 1 deletion app_service_slot/README.md
Expand Up @@ -56,7 +56,7 @@ Of course, the values listed above may change in the future, so please check whi
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.39 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.95 |

## Modules

Expand Down Expand Up @@ -92,6 +92,7 @@ No modules.
| <a name="input_go_version"></a> [go\_version](#input\_go\_version) | n/a | `string` | `null` | no |
| <a name="input_health_check_path"></a> [health\_check\_path](#input\_health\_check\_path) | (Optional) The health check path to be pinged by App Service. | `string` | `null` | no |
| <a name="input_https_only"></a> [https\_only](#input\_https\_only) | (Optional) Can the App Service only be accessed via HTTPS? Defaults to true. | `bool` | `true` | no |
| <a name="input_ip_restriction_default_action"></a> [ip\_restriction\_default\_action](#input\_ip\_restriction\_default\_action) | (Optional) The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. Defaults to Allow. | `string` | `"Allow"` | no |
| <a name="input_java_server"></a> [java\_server](#input\_java\_server) | n/a | `string` | `null` | no |
| <a name="input_java_server_version"></a> [java\_server\_version](#input\_java\_server\_version) | n/a | `string` | `null` | no |
| <a name="input_java_version"></a> [java\_version](#input\_java\_version) | n/a | `string` | `null` | no |
2 changes: 2 additions & 0 deletions app_service_slot/main.tf
Expand Up @@ -44,6 +44,8 @@ resource "azurerm_linux_web_app_slot" "this" {

http2_enabled = true

ip_restriction_default_action = var.ip_restriction_default_action

dynamic "ip_restriction" {
for_each = var.allowed_subnets
iterator = subnet
11 changes: 11 additions & 0 deletions app_service_slot/variables.tf
Expand Up @@ -85,6 +85,17 @@ variable "health_check_path" {
default = null
}

variable "ip_restriction_default_action" {
type = string
description = "(Optional) The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny. Defaults to Allow."
default = "Allow"

validation {
condition = contains(["Allow", "Deny"], var.ip_restriction_default_action)
error_message = "Possible values include Allow and Deny"
}
}

variable "allowed_subnets" {
type = list(string)
description = "(Optional) List of subnet allowed to call the appserver endpoint."
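Review bot: `default = "Allow"` makes the slot fail open, while the same variable in app_service/variables.tf has no default and must be set explicitly. A slot deployed with `allowed_subnets` but without this input admits traffic that matches none of the subnet rules. Drop the default so both modules behave the same, or default to `"Deny"`; if `"Allow"` is kept for backward compatibility, state that in the description.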
2 changes: 1 addition & 1 deletion app_service_slot/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.39"
version = "~>3.95"
}
}
}
