azurerm_app_service Added support for Action of Allow or Deny in ip…

…_restriction. (#6967) Fixes #6900
hashicorp · May 20, 2020 · 7c5a78c · 7c5a78c
1 parent c4ffe15
commit 7c5a78c
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 0 deletions.
diff --git a/azurerm/helpers/azure/app_service.go b/azurerm/helpers/azure/app_service.go
@@ -328,6 +328,15 @@ func SchemaAppServiceSiteConfig() *schema.Schema {
 								Computed:     true,
 								ValidateFunc: validation.IntBetween(1, 2147483647),
 							},
+							"action": {
+								Type:     schema.TypeString,
+								Default:  "Allow",
+								Optional: true,
+								ValidateFunc: validation.StringInSlice([]string{
+									"Allow",
+									"Deny",
+								}, false),
+							},
 						},
 					},
 				},
@@ -705,6 +714,10 @@ func SchemaAppServiceDataSourceSiteConfig() *schema.Schema {
 								Type:     schema.TypeInt,
 								Computed: true,
 							},
+							"action": {
+								Type:     schema.TypeString,
+								Computed: true,
+							},
 						},
 					},
 				},
@@ -1452,6 +1465,7 @@ func ExpandAppServiceSiteConfig(input interface{}) (*web.SiteConfig, error) {
 			vNetSubnetID := restriction["virtual_network_subnet_id"].(string)
 			name := restriction["name"].(string)
 			priority := restriction["priority"].(int)
+			action := restriction["action"].(string)
 			if vNetSubnetID != "" && ipAddress != "" {
 				return siteConfig, fmt.Errorf(fmt.Sprintf("only one of `ip_address` or `virtual_network_subnet_id` can be set for `site_config.0.ip_restriction.%d`", i))
 			}
@@ -1481,6 +1495,10 @@ func ExpandAppServiceSiteConfig(input interface{}) (*web.SiteConfig, error) {
 				ipSecurityRestriction.Priority = utils.Int32(int32(priority))
 			}
 
+			if action != "" {
+				ipSecurityRestriction.Action = &action
+			}
+
 			restrictions = append(restrictions, ipSecurityRestriction)
 		}
 		siteConfig.IPSecurityRestrictions = &restrictions
@@ -1615,6 +1633,11 @@ func FlattenAppServiceSiteConfig(input *web.SiteConfig) []interface{} {
 			if priority := v.Priority; priority != nil {
 				block["priority"] = *priority
 			}
+
+			if action := v.Action; action != nil {
+				block["action"] = *action
+			}
+
 			restrictions = append(restrictions, block)
 		}
 	}

diff --git a/azurerm/internal/services/web/tests/data_source_app_service_test.go b/azurerm/internal/services/web/tests/data_source_app_service_test.go
@@ -139,6 +139,7 @@ func TestAccDataSourceAzureRMAppService_ipRestriction(t *testing.T) {
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 				),
 			},
 		},

diff --git a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go
@@ -507,6 +507,7 @@ func TestAccAzureRMAppService_oneIpRestriction(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMAppServiceExists(data.ResourceName),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
+					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 				),
 			},
 			data.ImportStep(),
@@ -529,6 +530,7 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) {
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 				),
 			},
 			data.ImportStep(),
@@ -540,9 +542,11 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) {
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.ip_address", "20.20.20.0/24"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.name", "test-restriction-2"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.priority", "1234"),
+					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.action", "Deny"),
 				),
 			},
 			data.ImportStep(),
@@ -554,6 +558,7 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) {
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+					resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 				),
 			},
 			data.ImportStep(),
@@ -2643,6 +2648,7 @@ resource "azurerm_app_service" "test" {
   site_config {
     ip_restriction {
       ip_address = "10.10.10.10/32"
+      action     = "Allow"
     }
   }
 }
@@ -2682,6 +2688,7 @@ resource "azurerm_app_service" "test" {
       ip_address = "10.10.10.10/32"
       name       = "test-restriction"
       priority   = 123
+      action     = "Allow"
     }
   }
 }
@@ -2721,12 +2728,14 @@ resource "azurerm_app_service" "test" {
       ip_address = "10.10.10.10/32"
       name       = "test-restriction"
       priority   = 123
+      action     = "Allow"
     }
 
     ip_restriction {
       ip_address = "20.20.20.0/24"
       name       = "test-restriction-2"
       priority   = 1234
+      action     = "Deny"
     }
   }
 }

diff --git a/website/docs/d/app_service.html.markdown b/website/docs/d/app_service.html.markdown
@@ -89,6 +89,8 @@ A `ip_restriction` block exports the following:
 
 * `priority` - The priority for this IP Restriction.
 
+* `action` - Does this restriction `Allow` or `Deny` access for this IP range?
+
 ---
 
 `site_config` supports the following:

diff --git a/website/docs/r/app_service.html.markdown b/website/docs/r/app_service.html.markdown
@@ -319,6 +319,8 @@ A `ip_restriction` block supports the following:
 
 * `priority` - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified.
 
+* `action` - (Optional) Does this restriction `Allow` or `Deny` access for this IP range. Defaults to `Allow`.  
+
 ---
 
 A `microsoft` block supports the following: