From c53b8c77b7270d29f05d96fc132d0c63c9305d60 Mon Sep 17 00:00:00 2001 From: christian-calabrese Date: Tue, 23 Jul 2024 15:25:17 +0200 Subject: [PATCH] feat: Added ip_restriction_default_action variable to app service and slot (#331) * feat: added ip_restriction_default_action variable to app service and slot * feat: added ip_restriction_default_action variable to app service and slot * feat: added ip_restriction_default_action variable to app service and slot * chore: ran pre-commit * chore: ran pre-commit * feat: made parameter ip_restriction_default_action mandatory * fix: set minimum version of provider of app_service module --- app_gateway/README.md | 2 +- app_service/README.md | 3 ++- app_service/main.tf | 2 ++ app_service/variables.tf | 10 ++++++++++ app_service/versions.tf | 2 +- app_service_slot/README.md | 3 ++- app_service_slot/main.tf | 2 ++ app_service_slot/variables.tf | 11 +++++++++++ app_service_slot/versions.tf | 2 +- 9 files changed, 32 insertions(+), 5 deletions(-) diff --git a/app_gateway/README.md b/app_gateway/README.md index 80cf62c7..19f90a5f 100644 --- a/app_gateway/README.md +++ b/app_gateway/README.md @@ -483,7 +483,7 @@ No modules. | [private\_ip\_address](#input\_private\_ip\_address) | Private frontend ip | `list(string)` | `[]` | no | | [public\_ip\_id](#input\_public\_ip\_id) | Public IP | `string` | n/a | yes | | [resource\_group\_name](#input\_resource\_group\_name) | n/a | `string` | n/a | yes | -| [rewrite\_rule\_sets](#input\_rewrite\_rule\_sets) | Rewrite rules sets obj descriptor |
list(object({
name = string # Unique name of the rewrite rule set block
rewrite_rules = list(object({
name = string # Unique name of the rewrite rule block
rule_sequence = number # Rule sequence of the rewrite rule that determines the order of execution in a set.
conditions = list(object({ # One or more condition blocks as defined above.
variable = string # The variable of the condition.
pattern = string # The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.
ignore_case = bool # Perform a case in-sensitive comparison. Defaults to false
negate = bool # Negate the result of the condition evaluation. Defaults to false
}))

request_header_configurations = list(object({
header_name = string # Header name of the header configuration.
header_value = string # Header value of the header configuration. To delete a request header set this property to an empty string.
}))

response_header_configurations = list(object({
header_name = string # Header name of the header configuration.
header_value = string # Header value of the header configuration. To delete a response header set this property to an empty string.
}))

url = object({
path = string # The URL path to rewrite.
query_string = string # The query string to rewrite.
reroute = optional(bool, false) # Whether the URL path map should be reevaluated after this rewrite has been applied.
})

}))
}))
| `[]` | no | +| [rewrite\_rule\_sets](#input\_rewrite\_rule\_sets) | Rewrite rules sets obj descriptor |
list(object({
name = string # Unique name of the rewrite rule set block
rewrite_rules = list(object({
name = string # Unique name of the rewrite rule block
rule_sequence = number # Rule sequence of the rewrite rule that determines the order of execution in a set.
conditions = list(object({ # One or more condition blocks as defined above.
variable = string # The variable of the condition.
pattern = string # The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.
ignore_case = bool # Perform a case in-sensitive comparison. Defaults to false
negate = bool # Negate the result of the condition evaluation. Defaults to false
}))

request_header_configurations = list(object({
header_name = string # Header name of the header configuration.
header_value = string # Header value of the header configuration. To delete a request header set this property to an empty string.
}))

response_header_configurations = list(object({
header_name = string # Header name of the header configuration.
header_value = string # Header value of the header configuration. To delete a response header set this property to an empty string.
}))

url = object({
path = string # The URL path to rewrite.
query_string = string # The query string to rewrite.
reroute = optional(bool, false) # Whether the URL path map should be reevaluated after this rewrite has been applied.
components = optional(string, null) # The components used to rewrite the URL. Possible values are path_only and query_string_only to limit the rewrite to the URL Path or URL Query String only.
})

}))
}))
| `[]` | no | | [routes](#input\_routes) | n/a |
map(object({
listener = string # Prefix for http_listener_name
backend = string # Prefix for backend_address_pool_name, backend_http_settings_name
rewrite_rule_set_name = string # The Name of the Rewrite Rule Set which should be used for this Routing Rule.
priority = number # Rule evaluation order can be dictated by specifying an integer value from 1 to 20000 with 1 being the highest priority and 20000 being the lowest priority.
}))
| n/a | yes | | [routes\_path\_based](#input\_routes\_path\_based) | To configure path based routing |
map(object({
listener = string # Prefix for http_listener_name
url_map_name = string # The Name of the URL Path Map which should be associated with this Routing Rule.
priority = number # Rule evaluation order can be dictated by specifying an integer value from 1 to 20000 with 1 being the highest priority and 20000 being the lowest priority.
}))
| `{}` | no | | [sec\_log\_analytics\_workspace\_id](#input\_sec\_log\_analytics\_workspace\_id) | Log analytics workspace security (it should be in a different subscription). | `string` | `null` | no | diff --git a/app_service/README.md b/app_service/README.md index f1121c0f..bfe092c8 100644 --- a/app_service/README.md +++ b/app_service/README.md @@ -57,7 +57,7 @@ Of course, the values listed above may change in the future, so please check whi | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | -| [azurerm](#requirement\_azurerm) | ~>3.39 | +| [azurerm](#requirement\_azurerm) | ~>3.95 | ## Modules @@ -93,6 +93,7 @@ No modules. | [health\_check\_maxpingfailures](#input\_health\_check\_maxpingfailures) | Max ping failures allowed | `number` | `null` | no | | [health\_check\_path](#input\_health\_check\_path) | (Optional) The health check path to be pinged by App Service. | `string` | `null` | no | | [https\_only](#input\_https\_only) | (Optional) Can the App Service only be accessed via HTTPS? Defaults to true. | `bool` | `true` | no | +| [ip\_restriction\_default\_action](#input\_ip\_restriction\_default\_action) | The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. | `string` | n/a | yes | | [java\_server](#input\_java\_server) | n/a | `string` | `null` | no | | [java\_server\_version](#input\_java\_server\_version) | n/a | `string` | `null` | no | | [java\_version](#input\_java\_version) | n/a | `string` | `null` | no | diff --git a/app_service/main.tf b/app_service/main.tf index 337e6277..36e14cf9 100644 --- a/app_service/main.tf +++ b/app_service/main.tf @@ -71,6 +71,8 @@ resource "azurerm_linux_web_app" "this" { http2_enabled = true + ip_restriction_default_action = var.ip_restriction_default_action + dynamic "ip_restriction" { for_each = var.allowed_subnets iterator = subnet 
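Review bot: Only the main site's default action is wired up here; the provider's sibling `scm_ip_restriction_default_action` is not set alongside `ip_restriction_default_action`, so with `Deny` on the main site the SCM/Kudu endpoint stays on the provider default for any address not covered by an `scm_ip_restriction` rule, if I recall the provider behaviour correctly. Consider exposing it the same way, e.g. `scm_ip_restriction_default_action = var.scm_ip_restriction_default_action`, or at least stating in the variable description that this input governs the main site only. The same applies to the app_service_slot/main.tf hunk. The enclosing block (presumably `site_config`) starts and ends outside the hunk.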
diff --git a/app_service/variables.tf b/app_service/variables.tf
index d6b3aa00..56005d44 100644
--- a/app_service/variables.tf
+++ b/app_service/variables.tf
@@ -132,6 +132,16 @@ variable "health_check_maxpingfailures" {
 }
 }
 
+variable "ip_restriction_default_action" {
+ type = string
+ description = "The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny."
+
+ validation {
+ condition = contains(["Allow", "Deny"], var.ip_restriction_default_action)
+ error_message = "Possible values include Allow and Deny"
+ }
+}
+
 variable "allowed_subnets" {
 type = list(string)
 description = "(Optional) List of subnet allowed to call the appserver endpoint."
diff --git a/app_service/versions.tf b/app_service/versions.tf
index 7b19215d..38495757 100644
--- a/app_service/versions.tf
+++ b/app_service/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~>3.39"
+ version = "~>3.95"
 }
 }
 }
diff --git a/app_service_slot/README.md b/app_service_slot/README.md
index 75ebb2a4..d9752db6 100644
--- a/app_service_slot/README.md
+++ b/app_service_slot/README.md
@@ -56,7 +56,7 @@ Of course, the values listed above may change in the future, so please check whi
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [azurerm](#requirement\_azurerm) | ~>3.39 |
+| [azurerm](#requirement\_azurerm) | ~>3.95 |
 
 ## Modules
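Review bot: The `validation` block's `error_message` neither names the input nor shows the rejected value, so a root module with several app_service calls gives the caller little to go on; `error_message = "ip_restriction_default_action must be exactly \"Allow\" or \"Deny\" (case-sensitive)."` would do, since `contains` is an exact string match. The description's "possible values include" reads as an open list while the check is exhaustive; "must be one of Allow, Deny" matches what the validation enforces. Removing the default is a breaking change for existing callers of this module, which the README row (n/a / yes) reflects but a release note would make explicit.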
@@ -92,6 +92,7 @@ No modules. | [go\_version](#input\_go\_version) | n/a | `string` | `null` | no | | [health\_check\_path](#input\_health\_check\_path) | (Optional) The health check path to be pinged by App Service. | `string` | `null` | no | | [https\_only](#input\_https\_only) | (Optional) Can the App Service only be accessed via HTTPS? Defaults to true. | `bool` | `true` | no | +| [ip\_restriction\_default\_action](#input\_ip\_restriction\_default\_action) | (Optional) The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. Defaults to Allow. | `string` | `"Allow"` | no | | [java\_server](#input\_java\_server) | n/a | `string` | `null` | no | | [java\_server\_version](#input\_java\_server\_version) | n/a | `string` | `null` | no | | [java\_version](#input\_java\_version) | n/a | `string` | `null` | no | diff --git a/app_service_slot/main.tf b/app_service_slot/main.tf index c392a49d..ce695a83 100644 --- a/app_service_slot/main.tf +++ b/app_service_slot/main.tf @@ -44,6 +44,8 @@ resource "azurerm_linux_web_app_slot" "this" { http2_enabled = true + ip_restriction_default_action = var.ip_restriction_default_action + dynamic "ip_restriction" { for_each = var.allowed_subnets iterator = subnet diff --git a/app_service_slot/variables.tf b/app_service_slot/variables.tf index 95f03ca0..9c7f1c12 100644 --- a/app_service_slot/variables.tf +++ b/app_service_slot/variables.tf 
@@ -85,6 +85,17 @@ variable "health_check_path" {
 default = null
 }
 
+variable "ip_restriction_default_action" {
+ type = string
+ description = "(Optional) The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny. Defaults to Allow."
+ default = "Allow"
+
+ validation {
+ condition = contains(["Allow", "Deny"], var.ip_restriction_default_action)
+ error_message = "Possible values include Allow and Deny"
+ }
+}
+
 variable "allowed_subnets" {
 type = list(string)
 description = "(Optional) List of subnet allowed to call the appserver endpoint."
diff --git a/app_service_slot/versions.tf b/app_service_slot/versions.tf
index 7b19215d..38495757 100644
--- a/app_service_slot/versions.tf
+++ b/app_service_slot/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~>3.39"
+ version = "~>3.95"
 }
 }
 }
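Review bot: The slot variable defaults to `"Allow"` while the same input in the app_service/variables.tf hunk has no default and must be chosen explicitly; a caller who sets `Deny` on the app but leaves the slot input unset gets a slot whose unmatched traffic is allowed, and a deployment slot is reachable on its own hostname, so the app-level `Deny` is undone for that slot. The commit message says the parameter was made mandatory, but only the app_service module got that treatment. Consider dropping `default = "Allow"` here too so both modules force the decision, or at least call the asymmetry out in the description, e.g. `... Defaults to Allow, unlike the app_service module, which requires this value explicitly.`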