Merge pull request #8 from data-platform-hq/extend-fw

kharkevich · web-flow · commit fe50928dc631 · 2022-11-01T20:31:24.000-04:00
feat: separate scm_ip_restriction
diff --git a/README.md b/README.md
@@ -39,15 +39,16 @@ No modules.
 | <a name="input_enable_appinsights"></a> [enable\_appinsights](#input\_enable\_appinsights) | Enable application insights | `bool` | `true` | no |
 | <a name="input_env"></a> [env](#input\_env) | Environment | `string` | n/a | yes |
 | <a name="input_identity_ids"></a> [identity\_ids](#input\_identity\_ids) | List of user assigned identity IDs | `list(string)` | `null` | no |
-| <a name="input_ip_restriction"></a> [ip\_restriction](#input\_ip\_restriction) | Firewall settings for the function app | <pre>list(object({<br>    name                      = string<br>    ip_address                = string<br>    service_tag               = string<br>    virtual_network_subnet_id = string<br>    priority                  = string<br>    action                    = string<br>    headers = list(object({<br>      x_azure_fdid      = list(string)<br>      x_fd_health_probe = list(string)<br>      x_forwarded_for   = list(string)<br>      x_forwarded_host  = list(string)<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "action": "Allow",<br>    "headers": null,<br>    "ip_address": null,<br>    "name": "allow_azure",<br>    "priority": "100",<br>    "service_tag": "AzureCloud",<br>    "virtual_network_subnet_id": null<br>  }<br>]</pre> | no |
+| <a name="input_ip_restriction"></a> [ip\_restriction](#input\_ip\_restriction) | Firewall settings for the web app | <pre>list(object({<br>    name                      = string<br>    ip_address                = string<br>    service_tag               = string<br>    virtual_network_subnet_id = string<br>    priority                  = string<br>    action                    = string<br>    headers = list(object({<br>      x_azure_fdid      = list(string)<br>      x_fd_health_probe = list(string)<br>      x_forwarded_for   = list(string)<br>      x_forwarded_host  = list(string)<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "action": "Allow",<br>    "headers": null,<br>    "ip_address": null,<br>    "name": "allow_azure",<br>    "priority": "100",<br>    "service_tag": "AzureCloud",<br>    "virtual_network_subnet_id": null<br>  }<br>]</pre> | no |
 | <a name="input_location"></a> [location](#input\_location) | Location | `string` | n/a | yes |
 | <a name="input_logs"></a> [logs](#input\_logs) | Logs configuration | <pre>object({<br>    detailed_error_messages = bool<br>    failed_request_tracing  = bool<br>    http_logs = object({<br>      file_system = object({<br>        retention_in_days = number<br>        retention_in_mb   = number<br>      })<br>    })<br>  })</pre> | <pre>{<br>  "detailed_error_messages": false,<br>  "failed_request_tracing": false,<br>  "http_logs": {<br>    "file_system": {<br>      "retention_in_days": 7,<br>      "retention_in_mb": 35<br>    }<br>  }<br>}</pre> | no |
-| <a name="input_name"></a> [name](#input\_name) | Function index/name (like 007) | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Web index/name (like 007) | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | Project name | `string` | n/a | yes |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Resource group name | `string` | n/a | yes |
+| <a name="input_scm_ip_restriction"></a> [scm\_ip\_restriction](#input\_scm\_ip\_restriction) | Firewall settings for the SCM web app | <pre>list(object({<br>    name                      = string<br>    ip_address                = string<br>    service_tag               = string<br>    virtual_network_subnet_id = string<br>    priority                  = string<br>    action                    = string<br>    headers = list(object({<br>      x_azure_fdid      = list(string)<br>      x_fd_health_probe = list(string)<br>      x_forwarded_for   = list(string)<br>      x_forwarded_host  = list(string)<br>    }))<br>  }))</pre> | `null` | no |
 | <a name="input_service_plan_id"></a> [service\_plan\_id](#input\_service\_plan\_id) | App Service plan ID | `string` | n/a | yes |
 | <a name="input_storage_account"></a> [storage\_account](#input\_storage\_account) | BYOS storage mount configuration | <pre>list(object({<br>    access_key   = string<br>    account_name = string<br>    name         = string<br>    share_name   = string<br>    type         = string<br>    mount_path   = string<br>  }))</pre> | `[]` | no |
-| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | Subnet ID for the function app | `string` | `null` | no |
+| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | Subnet ID for the web app | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags | `map(string)` | n/a | yes |
 | <a name="input_use_private_net"></a> [use\_private\_net](#input\_use\_private\_net) | Use private network injection | `bool` | `false` | no |
 | <a name="input_websockets_enabled"></a> [websockets\_enabled](#input\_websockets\_enabled) | Enable websockets | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
@@ -53,7 +53,7 @@ resource "azurerm_linux_web_app" "this" {
     websockets_enabled = var.websockets_enabled
     use_32_bit_worker  = false
     ip_restriction     = var.ip_restriction
-    scm_ip_restriction = var.ip_restriction
+    scm_ip_restriction = var.scm_ip_restriction == null ? var.ip_restriction : var.scm_ip_restriction
     application_stack {
       docker_image        = local.application_stack["docker_image"]
       docker_image_tag    = local.application_stack["docker_image_tag"]
diff --git a/variables.tf b/variables.tf
@@ -31,7 +31,7 @@ variable "service_plan_id" {
 
 variable "name" {
   type        = string
-  description = "Function index/name (like 007)"
+  description = "Web index/name (like 007)"
 }
 
 variable "application_type" {
@@ -41,7 +41,7 @@ variable "application_type" {
 }
 
 variable "ip_restriction" {
-  description = "Firewall settings for the function app"
+  description = "Firewall settings for the web app"
   type = list(object({
     name                      = string
     ip_address                = string
@@ -69,6 +69,25 @@ variable "ip_restriction" {
   ]
 }
 
+variable "scm_ip_restriction" {
+  description = "Firewall settings for the SCM web app"
+  type = list(object({
+    name                      = string
+    ip_address                = string
+    service_tag               = string
+    virtual_network_subnet_id = string
+    priority                  = string
+    action                    = string
+    headers = list(object({
+      x_azure_fdid      = list(string)
+      x_fd_health_probe = list(string)
+      x_forwarded_for   = list(string)
+      x_forwarded_host  = list(string)
+    }))
+  }))
+  default = null
+}
+
 variable "app_settings" {
   type        = map(string)
   default     = {}
@@ -77,7 +96,7 @@ variable "app_settings" {
 
 variable "subnet_id" {
   type        = string
-  description = "Subnet ID for the function app"
+  description = "Subnet ID for the web app"
   default     = null
 }
 
