diff --git a/azurerm/helpers/azure/app_service.go b/azurerm/helpers/azure/app_service.go index ffa49969c936..1c6c21cbd093 100644 --- a/azurerm/helpers/azure/app_service.go +++ b/azurerm/helpers/azure/app_service.go @@ -328,6 +328,15 @@ func SchemaAppServiceSiteConfig() *schema.Schema { Computed: true, ValidateFunc: validation.IntBetween(1, 2147483647), }, + "action": { + Type: schema.TypeString, + Default: "Allow", + Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + "Allow", + "Deny", + }, false), + }, }, }, }, @@ -705,6 +714,10 @@ func SchemaAppServiceDataSourceSiteConfig() *schema.Schema { Type: schema.TypeInt, Computed: true, }, + "action": { + Type: schema.TypeString, + Computed: true, + }, }, }, }, @@ -1452,6 +1465,7 @@ func ExpandAppServiceSiteConfig(input interface{}) (*web.SiteConfig, error) { vNetSubnetID := restriction["virtual_network_subnet_id"].(string) name := restriction["name"].(string) priority := restriction["priority"].(int) + action := restriction["action"].(string) if vNetSubnetID != "" && ipAddress != "" { return siteConfig, fmt.Errorf(fmt.Sprintf("only one of `ip_address` or `virtual_network_subnet_id` can be set for `site_config.0.ip_restriction.%d`", i)) } @@ -1481,6 +1495,10 @@ func ExpandAppServiceSiteConfig(input interface{}) (*web.SiteConfig, error) { ipSecurityRestriction.Priority = utils.Int32(int32(priority)) } + if action != "" { + ipSecurityRestriction.Action = &action + } + restrictions = append(restrictions, ipSecurityRestriction) } siteConfig.IPSecurityRestrictions = &restrictions @@ -1615,6 +1633,11 @@ func FlattenAppServiceSiteConfig(input *web.SiteConfig) []interface{} { if priority := v.Priority; priority != nil { block["priority"] = *priority } + + if action := v.Action; action != nil { + block["action"] = *action + } + restrictions = append(restrictions, block) } } 
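Review bot: The `action` attribute added to the `ip_restriction` schema sets `Default: "Allow"` without a comment, so a block that omits `action` silently becomes an allow rule. That keeps existing configurations unchanged, but it is worth stating where the default is set, for example `// Defaults to "Allow" so existing ip_restriction blocks keep their meaning; a rule meant to block traffic must set "Deny" explicitly.` The validator is also case-sensitive (`false` as the second argument to `validation.StringInSlice`), so a differently cased value read back from the service would fall outside the accepted set; this is inferred, as the API response is not visible here. SchemaAppServiceSiteConfig starts and ends outside the hunk.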
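Review bot: `ipSecurityRestriction.Action = &action` takes the address of a loop-local, whereas the assignment just above it uses a helper (`utils.Int32(...)`); `ipSecurityRestriction.Action = utils.String(action)` would match that style and make it plain that no variable is shared between iterations. The `action != ""` guard leaves `Action` nil when the value is empty, so the effective rule is then whatever the service applies by default. With the schema default of `Allow` that branch is probably unreachable, and a short comment such as `// empty only if the schema default is bypassed; the service default then applies` would record the intent. ExpandAppServiceSiteConfig continues outside the hunk.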
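Review bot: When `v.Action` is nil the `action` key is never set on `block`, so state for that rule reads as empty while the resource schema defaults the field to `Allow`. For restrictions the service returns without an action this could surface as a diff on the next plan; that is inferred, since the response shape is not visible here. I would document the case at the check, e.g. `// Action may be nil for rules that predate this field; state is then left empty.`, and confirm in an acceptance test what is read back when `action` is omitted. The value is copied verbatim, so its casing is whatever the service returns. FlattenAppServiceSiteConfig continues outside the hunk.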
diff --git a/azurerm/internal/services/web/tests/data_source_app_service_test.go b/azurerm/internal/services/web/tests/data_source_app_service_test.go
index 570d1e9fcf53..6fdb697d5343 100644
--- a/azurerm/internal/services/web/tests/data_source_app_service_test.go
+++ b/azurerm/internal/services/web/tests/data_source_app_service_test.go
@@ -139,6 +139,7 @@ func TestAccDataSourceAzureRMAppService_ipRestriction(t *testing.T) {
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+ resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 ),
 },
 },
diff --git a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go
index e03eba2a8cf0..5314d7bf719c 100644
--- a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go
+++ b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go
@@ -507,6 +507,7 @@ func TestAccAzureRMAppService_oneIpRestriction(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMAppServiceExists(data.ResourceName),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
+ resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 ),
 },
 data.ImportStep(),
@@ -529,6 +530,7 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) {
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+ resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 ),
 },
 data.ImportStep(),
@@ -540,9 +542,11 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) {
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"),
+ resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.ip_address", "20.20.20.0/24"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.name", "test-restriction-2"),
 resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.priority", "1234"),
+ resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.action", "Deny"),
 ),
 },
 data.ImportStep(),
@@ -554,6 +558,7 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"), ), }, data.ImportStep(), @@ -2643,6 +2648,7 @@ resource "azurerm_app_service" "test" { site_config { ip_restriction { ip_address = "10.10.10.10/32" + action = "Allow" } } } @@ -2682,6 +2688,7 @@ resource "azurerm_app_service" "test" { ip_address = "10.10.10.10/32" name = "test-restriction" priority = 123 + action = "Allow" } } } @@ -2721,12 +2728,14 @@ resource "azurerm_app_service" "test" { ip_address = "10.10.10.10/32" name = "test-restriction" priority = 123 + action = "Allow" } ip_restriction { ip_address = "20.20.20.0/24" name = "test-restriction-2" priority = 1234 + action = "Deny" } } } diff --git a/website/docs/d/app_service.html.markdown b/website/docs/d/app_service.html.markdown index c0507d70afa1..1a3942061ab9 100644 --- a/website/docs/d/app_service.html.markdown +++ b/website/docs/d/app_service.html.markdown @@ -89,6 +89,8 @@ A `ip_restriction` block exports the following: * `priority` - The priority for this IP Restriction. +* `action` - Does this restriction `Allow` or `Deny` access for this IP range? + --- `site_config` supports the following: diff --git a/website/docs/r/app_service.html.markdown b/website/docs/r/app_service.html.markdown index c8db8d0a13cd..a814e7c8bf5d 100644 --- a/website/docs/r/app_service.html.markdown +++ b/website/docs/r/app_service.html.markdown 
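Review bot: Adding `action = "Allow"` to the single-restriction configuration in the `@@ -2643` hunk means every test configuration now sets `action` explicitly, so nothing exercises the schema default that applies when the attribute is omitted. That default decides whether a rule admits or blocks traffic, so it deserves a test of its own. I would drop the added `action = "Allow"` line from this one configuration and keep the `site_config.0.ip_restriction.0.action` check in TestAccAzureRMAppService_oneIpRestriction, which then asserts the default rather than an echoed input. The configurations in the `@@ -2682` and `@@ -2721` hunks can keep their explicit values.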
@@ -319,6 +319,8 @@ A `ip_restriction` block supports the following: * `priority` - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified. +* `action` - (Optional) Does this restriction `Allow` or `Deny` access for this IP range. Defaults to `Allow`. + --- A `microsoft` block supports the following: