Merge pull request #17 from data-platform-hq/fix-ip_restriction

feat: update firewall defaults

Author: kharkevich

README.md

@@ -46,14 +46,14 @@ No modules.
 | <a name="input_enable_diagnostic_setting"></a> [enable\_diagnostic\_setting](#input\_enable\_diagnostic\_setting) | Enable diagnostic setting. var.analytics\_workspace\_id must be provided | `bool` | `false` | no |
 | <a name="input_env"></a> [env](#input\_env) | Environment | `string` | n/a | yes |
 | <a name="input_identity_ids"></a> [identity\_ids](#input\_identity\_ids) | List of user assigned identity IDs | `list(string)` | `null` | no |
-| <a name="input_ip_restriction"></a> [ip\_restriction](#input\_ip\_restriction) | Firewall settings for the web app | <pre>list(object({<br>    name                      = string<br>    ip_address                = string<br>    service_tag               = string<br>    virtual_network_subnet_id = string<br>    priority                  = string<br>    action                    = string<br>    headers = list(object({<br>      x_azure_fdid      = list(string)<br>      x_fd_health_probe = list(string)<br>      x_forwarded_for   = list(string)<br>      x_forwarded_host  = list(string)<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "action": "Allow",<br>    "headers": null,<br>    "ip_address": null,<br>    "name": "allow_azure",<br>    "priority": "100",<br>    "service_tag": "AzureCloud",<br>    "virtual_network_subnet_id": null<br>  }<br>]</pre> | no |
+| <a name="input_ip_restriction"></a> [ip\_restriction](#input\_ip\_restriction) | Firewall settings for the function app | <pre>list(object({<br>    name                      = string<br>    ip_address                = optional(string, null)<br>    service_tag               = optional(string, null)<br>    virtual_network_subnet_id = optional(string, null)<br>    priority                  = optional(string, "100")<br>    action                    = string<br>    headers = optional(list(object({<br>      x_azure_fdid      = optional(list(string), null)<br>      x_fd_health_probe = optional(list(string), null)<br>      x_forwarded_for   = optional(list(string), null)<br>      x_forwarded_host  = optional(list(string), null)<br>    })), [])<br>  }))</pre> | <pre>[<br>  {<br>    "action": "Allow",<br>    "name": "allow_azure",<br>    "service_tag": "AzureCloud"<br>  }<br>]</pre> | no |
 | <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | Configure Linux Function App to Key Vault | <pre>object({<br>    id                  = optional(string, null)<br>    key_permissions     = optional(list(string), null)<br>    secret_permissions  = optional(list(string), ["Get", "List"])<br>    storage_permissions = optional(list(string), null)<br>  })</pre> | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Location | `string` | n/a | yes |
 | <a name="input_logs"></a> [logs](#input\_logs) | Logs configuration | <pre>object({<br>    detailed_error_messages = bool<br>    failed_request_tracing  = bool<br>    http_logs = object({<br>      file_system = object({<br>        retention_in_days = number<br>        retention_in_mb   = number<br>      })<br>    })<br>  })</pre> | <pre>{<br>  "detailed_error_messages": false,<br>  "failed_request_tracing": false,<br>  "http_logs": {<br>    "file_system": {<br>      "retention_in_days": 7,<br>      "retention_in_mb": 35<br>    }<br>  }<br>}</pre> | no |
 | <a name="input_name"></a> [name](#input\_name) | Web index/name (like 007) | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | Project name | `string` | n/a | yes |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Resource group name | `string` | n/a | yes |
-| <a name="input_scm_ip_restriction"></a> [scm\_ip\_restriction](#input\_scm\_ip\_restriction) | Firewall settings for the SCM web app | <pre>list(object({<br>    name                      = string<br>    ip_address                = string<br>    service_tag               = string<br>    virtual_network_subnet_id = string<br>    priority                  = string<br>    action                    = string<br>    headers = list(object({<br>      x_azure_fdid      = list(string)<br>      x_fd_health_probe = list(string)<br>      x_forwarded_for   = list(string)<br>      x_forwarded_host  = list(string)<br>    }))<br>  }))</pre> | `null` | no |
+| <a name="input_scm_ip_restriction"></a> [scm\_ip\_restriction](#input\_scm\_ip\_restriction) | Firewall settings for the function app | <pre>list(object({<br>    name                      = string<br>    ip_address                = optional(string, null)<br>    service_tag               = optional(string, null)<br>    virtual_network_subnet_id = optional(string, null)<br>    priority                  = optional(string, "100")<br>    action                    = string<br>    headers = optional(list(object({<br>      x_azure_fdid      = optional(list(string), null)<br>      x_fd_health_probe = optional(list(string), null)<br>      x_forwarded_for   = optional(list(string), null)<br>      x_forwarded_host  = optional(list(string), null)<br>    })), [])<br>  }))</pre> | <pre>[<br>  {<br>    "action": "Allow",<br>    "name": "allow_azure",<br>    "service_tag": "AzureCloud"<br>  }<br>]</pre> | no |
 | <a name="input_service_plan_id"></a> [service\_plan\_id](#input\_service\_plan\_id) | App Service plan ID | `string` | n/a | yes |
 | <a name="input_storage_account"></a> [storage\_account](#input\_storage\_account) | BYOS storage mount configuration | <pre>list(object({<br>    access_key   = string<br>    account_name = string<br>    name         = string<br>    share_name   = string<br>    type         = string<br>    mount_path   = string<br>  }))</pre> | `[]` | no |
 | <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | Subnet ID for the web app | `string` | `null` | no |

main.tf

@@ -85,9 +85,47 @@ resource "azurerm_linux_web_app" "this" {
     http2_enabled      = true
     websockets_enabled = var.websockets_enabled
     use_32_bit_worker  = false
-    ip_restriction     = var.ip_restriction
-    scm_ip_restriction = var.scm_ip_restriction == null ? var.ip_restriction : var.scm_ip_restriction
-    worker_count       = var.worker_count
+    dynamic "ip_restriction" {
+      for_each = var.ip_restriction
+      content {
+        name                      = ip_restriction.value.name
+        ip_address                = ip_restriction.value.ip_address
+        service_tag               = ip_restriction.value.service_tag
+        virtual_network_subnet_id = ip_restriction.value.virtual_network_subnet_id
+        priority                  = ip_restriction.value.priority
+        action                    = ip_restriction.value.action
+        dynamic "headers" {
+          for_each = ip_restriction.value.headers
+          content {
+            x_azure_fdid      = headers.value.x_azure_fdid
+            x_fd_health_probe = headers.value.x_fd_health_probe
+            x_forwarded_for   = headers.value.x_forwarded_for
+            x_forwarded_host  = headers.value.x_forwarded_host
+          }
+        }
+      }
+    }
+    dynamic "scm_ip_restriction" {
+      for_each = var.scm_ip_restriction
+      content {
+        name                      = scm_ip_restriction.value.name
+        ip_address                = scm_ip_restriction.value.ip_address
+        service_tag               = scm_ip_restriction.value.service_tag
+        virtual_network_subnet_id = scm_ip_restriction.value.virtual_network_subnet_id
+        priority                  = scm_ip_restriction.value.priority
+        action                    = scm_ip_restriction.value.action
+        dynamic "headers" {
+          for_each = scm_ip_restriction.value.headers
+          content {
+            x_azure_fdid      = headers.value.x_azure_fdid
+            x_fd_health_probe = headers.value.x_fd_health_probe
+            x_forwarded_for   = headers.value.x_forwarded_for
+            x_forwarded_host  = headers.value.x_forwarded_host
+          }
+        }
+      }
+    }
+    worker_count = var.worker_count
     application_stack {
       docker_image        = local.application_stack["docker_image"]
       docker_image_tag    = local.application_stack["docker_image_tag"]

variables.tf

@@ -45,51 +45,53 @@ variable "application_type" {
 }
 
 variable "ip_restriction" {
-  description = "Firewall settings for the web app"
+  description = "Firewall settings for the function app"
   type = list(object({
     name                      = string
-    ip_address                = string
-    service_tag               = string
-    virtual_network_subnet_id = string
-    priority                  = string
+    ip_address                = optional(string, null)
+    service_tag               = optional(string, null)
+    virtual_network_subnet_id = optional(string, null)
+    priority                  = optional(string, "100")
     action                    = string
-    headers = list(object({
-      x_azure_fdid      = list(string)
-      x_fd_health_probe = list(string)
-      x_forwarded_for   = list(string)
-      x_forwarded_host  = list(string)
-    }))
+    headers = optional(list(object({
+      x_azure_fdid      = optional(list(string), null)
+      x_fd_health_probe = optional(list(string), null)
+      x_forwarded_for   = optional(list(string), null)
+      x_forwarded_host  = optional(list(string), null)
+    })), [])
   }))
   default = [
     {
-      name                      = "allow_azure"
-      ip_address                = null
-      service_tag               = "AzureCloud"
-      virtual_network_subnet_id = null
-      priority                  = "100"
-      action                    = "Allow"
-      headers                   = null
+      name        = "allow_azure"
+      service_tag = "AzureCloud"
+      action      = "Allow"
     }
   ]
 }
 
 variable "scm_ip_restriction" {
-  description = "Firewall settings for the SCM web app"
+  description = "Firewall settings for the function app"
   type = list(object({
     name                      = string
-    ip_address                = string
-    service_tag               = string
-    virtual_network_subnet_id = string
-    priority                  = string
+    ip_address                = optional(string, null)
+    service_tag               = optional(string, null)
+    virtual_network_subnet_id = optional(string, null)
+    priority                  = optional(string, "100")
     action                    = string
-    headers = list(object({
-      x_azure_fdid      = list(string)
-      x_fd_health_probe = list(string)
-      x_forwarded_for   = list(string)
-      x_forwarded_host  = list(string)
-    }))
+    headers = optional(list(object({
+      x_azure_fdid      = optional(list(string), null)
+      x_fd_health_probe = optional(list(string), null)
+      x_forwarded_for   = optional(list(string), null)
+      x_forwarded_host  = optional(list(string), null)
+    })), [])
   }))
-  default = null
+  default = [
+    {
+      name        = "allow_azure"
+      service_tag = "AzureCloud"
+      action      = "Allow"
+    }
+  ]
 }
 
 variable "app_settings" {

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.40.0"
+      version = ">= 3.49.0"
     }
   }
 }