From ff827168c3f9ce3778ee91fc872e1521c4beb526 Mon Sep 17 00:00:00 2001 From: Sebastian Rosander Date: Sat, 16 May 2020 14:19:15 +0200 Subject: [PATCH 1/6] Support for Action of Allow or Deny in ip_restriction --- azurerm/helpers/azure/app_service.go | 28 +++++++++++++++++++ .../tests/resource_arm_app_service_test.go | 9 ++++++ website/docs/d/app_service.html.markdown | 2 ++ website/docs/r/app_service.html.markdown | 2 ++ 4 files changed, 41 insertions(+)
diff --git a/azurerm/helpers/azure/app_service.go b/azurerm/helpers/azure/app_service.go
index ffa49969c936..e1c9ab55ccaa 100644
--- a/azurerm/helpers/azure/app_service.go
+++ b/azurerm/helpers/azure/app_service.go
@@ -328,6 +328,15 @@ func SchemaAppServiceSiteConfig() *schema.Schema {
 Computed: true,
 ValidateFunc: validation.IntBetween(1, 2147483647),
 },
+ "action": {
+ Type: schema.TypeString,
+ Default: "Allow",
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ "Allow",
+ "Deny",
+ }, true),
+ },
 },
 },
 },
@@ -705,6 +714,15 @@ func SchemaAppServiceDataSourceSiteConfig() *schema.Schema {
 Type: schema.TypeInt,
 Computed: true,
 },
+ "action": {
+ Type: schema.TypeString,
+ Default: "Allow",
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ "Allow",
+ "Deny",
+ }, true),
+ },
 },
 },
 },
@@ -1452,6 +1470,7 @@ func ExpandAppServiceSiteConfig(input interface{}) (*web.SiteConfig, error) {
 vNetSubnetID := restriction["virtual_network_subnet_id"].(string)
 name := restriction["name"].(string)
 priority := restriction["priority"].(int)
+ action := restriction["action"].(string)
 if vNetSubnetID != "" && ipAddress != "" {
 return siteConfig, fmt.Errorf(fmt.Sprintf("only one of `ip_address` or `virtual_network_subnet_id` can be set for `site_config.0.ip_restriction.%d`", i))
 }
@@ -1481,6 +1500,10 @@ func ExpandAppServiceSiteConfig(input interface{}) (*web.SiteConfig, error) { ipSecurityRestriction.Priority = utils.Int32(int32(priority)) } + if action != "" { + ipSecurityRestriction.Action = &action + } + restrictions = append(restrictions, ipSecurityRestriction) } siteConfig.IPSecurityRestrictions = &restrictions @@ -1615,6 +1638,11 @@ func FlattenAppServiceSiteConfig(input *web.SiteConfig) []interface{} { if priority := v.Priority; priority != nil { block["priority"] = *priority } + + if action := v.Action; action != nil { + block["action"] = *action + } + restrictions = append(restrictions, block) } } diff --git a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go index e03eba2a8cf0..53927166da32 100644 --- a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go +++ b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go @@ -507,6 +507,7 @@ func TestAccAzureRMAppService_oneIpRestriction(t *testing.T) { Check: resource.ComposeTestCheckFunc( testCheckAzureRMAppServiceExists(data.ResourceName), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"), ), }, data.ImportStep(), @@ -529,6 +530,7 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"), ), }, data.ImportStep(), 
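Review bot: `ipSecurityRestriction.Action = &action` in the `@@ -1481` hunk takes the address of a local, while the line just above it sets `Priority` through `utils.Int32(...)`; `ipSecurityRestriction.Action = utils.String(action)` would follow the same convention and not depend on how `action` is scoped. The pointer looks safe today because `action := restriction["action"].(string)` (added in the `@@ -1452` hunk) appears to be declared once per iteration, but the loop header is outside both hunks, so that is inferred. The value is forwarded to the API exactly as written in the configuration, so its spelling rests entirely on the schema's `ValidateFunc`; a short comment such as `// validated against Allow/Deny in the schema, sent as-is` would make that dependency visible here.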
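Review bot: The new `action` assertion in `TestAccAzureRMAppService_oneIpRestriction` (hunk `@@ -507,6 +507,7`) cannot catch a wrong schema default, because the matching config in hunk `@@ -2643,6 +2648,7` now sets `action = "Allow"` explicitly. The default decides whether a rule written without `action` admits or blocks the range, which is the behaviour every existing configuration will get after upgrading, so I would leave `action` out of the one-restriction config and keep the check on `"Allow"`. `Deny` is only asserted in the two-restriction step of `completeIpRestriction`; a further step that changes an existing rule from `Allow` to `Deny` would confirm that updates are actually sent. Both test functions start and end outside these hunks.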
@@ -540,9 +542,11 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.ip_address", "20.20.20.0/24"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.name", "test-restriction-2"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.priority", "1234"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.1.action", "Deny"), ), }, data.ImportStep(), @@ -554,6 +558,7 @@ func TestAccAzureRMAppService_completeIpRestriction(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"), ), }, data.ImportStep(), @@ -2643,6 +2648,7 @@ resource "azurerm_app_service" "test" { site_config { ip_restriction { ip_address = "10.10.10.10/32" + action = "Allow" } } } @@ -2682,6 +2688,7 @@ resource "azurerm_app_service" "test" { ip_address = "10.10.10.10/32" name = "test-restriction" priority = 123 + action = "Allow" } } } 
@@ -2721,12 +2728,14 @@ resource "azurerm_app_service" "test" { ip_address = "10.10.10.10/32" name = "test-restriction" priority = 123 + action = "Allow" } ip_restriction { ip_address = "20.20.20.0/24" name = "test-restriction-2" priority = 1234 + action = "Deny" } } } diff --git a/website/docs/d/app_service.html.markdown b/website/docs/d/app_service.html.markdown index c0507d70afa1..30ff6541e4e6 100644 --- a/website/docs/d/app_service.html.markdown +++ b/website/docs/d/app_service.html.markdown @@ -89,6 +89,8 @@ A `ip_restriction` block exports the following: * `priority` - The priority for this IP Restriction. +* `action` - Allow or Deny access for this IP range. + --- `site_config` supports the following: diff --git a/website/docs/r/app_service.html.markdown b/website/docs/r/app_service.html.markdown index c8db8d0a13cd..e6935a5656ea 100644 --- a/website/docs/r/app_service.html.markdown +++ b/website/docs/r/app_service.html.markdown @@ -319,6 +319,8 @@ A `ip_restriction` block supports the following: * `priority` - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified. +* `action` - (Optional) Allow or Deny access for this IP range. Defaults to Allow. + --- A `microsoft` block supports the following: From 3f39bbeb797e7259d97d7af8c8d31f6efb4567b7 Mon Sep 17 00:00:00 2001 From: Sebastian Rosander Date: Sat, 16 May 2020 15:30:31 +0200 Subject: [PATCH 2/6] Added verification for datatest --- azurerm/helpers/azure/app_service.go | 7 +------ .../services/web/tests/data_source_app_service_test.go | 1 + 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/azurerm/helpers/azure/app_service.go b/azurerm/helpers/azure/app_service.go index e1c9ab55ccaa..ba3bd9e8528f 100644 --- a/azurerm/helpers/azure/app_service.go +++ b/azurerm/helpers/azure/app_service.go 
@@ -716,12 +716,7 @@ func SchemaAppServiceDataSourceSiteConfig() *schema.Schema { }, "action": { Type: schema.TypeString, - Default: "Allow", - Optional: true, - ValidateFunc: validation.StringInSlice([]string{ - "Allow", - "Deny", - }, true), + Computed: true, }, }, }, diff --git a/azurerm/internal/services/web/tests/data_source_app_service_test.go b/azurerm/internal/services/web/tests/data_source_app_service_test.go index 570d1e9fcf53..6fdb697d5343 100644 --- a/azurerm/internal/services/web/tests/data_source_app_service_test.go +++ b/azurerm/internal/services/web/tests/data_source_app_service_test.go @@ -139,6 +139,7 @@ func TestAccDataSourceAzureRMAppService_ipRestriction(t *testing.T) { resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.ip_address", "10.10.10.10/32"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.name", "test-restriction"), resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.priority", "123"), + resource.TestCheckResourceAttr(data.ResourceName, "site_config.0.ip_restriction.0.action", "Allow"), ), }, }, From f996d027dfc21b0c37b53c59e79a46688997f14d Mon Sep 17 00:00:00 2001 From: Sebastian Rosander Date: Sat, 16 May 2020 15:57:03 +0200 Subject: [PATCH 3/6] Updates --- .../services/web/tests/resource_arm_app_service_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go index 53927166da32..5314d7bf719c 100644 --- a/azurerm/internal/services/web/tests/resource_arm_app_service_test.go +++ b/azurerm/internal/services/web/tests/resource_arm_app_service_test.go @@ -2648,7 +2648,7 @@ resource "azurerm_app_service" "test" { site_config { ip_restriction { ip_address = "10.10.10.10/32" - action = "Allow" + action = "Allow" } } } 
@@ -2688,7 +2688,7 @@ resource "azurerm_app_service" "test" { ip_address = "10.10.10.10/32" name = "test-restriction" priority = 123 - action = "Allow" + action = "Allow" } } } From c005c415b4ddc85e398b7f5677fba46941c1cda7 Mon Sep 17 00:00:00 2001 From: kt Date: Tue, 19 May 2020 18:10:12 -0700 Subject: [PATCH 4/6] Update app_service.html.markdown --- website/docs/d/app_service.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/d/app_service.html.markdown b/website/docs/d/app_service.html.markdown index 30ff6541e4e6..1a3942061ab9 100644 --- a/website/docs/d/app_service.html.markdown +++ b/website/docs/d/app_service.html.markdown @@ -89,7 +89,7 @@ A `ip_restriction` block exports the following: * `priority` - The priority for this IP Restriction. -* `action` - Allow or Deny access for this IP range. +* `action` - Does this restriction `Allow` or `Deny` access for this IP range? --- From 21c3880bb9404eb27e8a21780c3d13f44465efd2 Mon Sep 17 00:00:00 2001 From: kt Date: Tue, 19 May 2020 18:10:54 -0700 Subject: [PATCH 5/6] Update app_service.html.markdown --- website/docs/r/app_service.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/app_service.html.markdown b/website/docs/r/app_service.html.markdown index e6935a5656ea..a814e7c8bf5d 100644 --- a/website/docs/r/app_service.html.markdown +++ b/website/docs/r/app_service.html.markdown @@ -319,7 +319,7 @@ A `ip_restriction` block supports the following: * `priority` - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified. -* `action` - (Optional) Allow or Deny access for this IP range. Defaults to Allow. +* `action` - (Optional) Does this restriction `Allow` or `Deny` access for this IP range. Defaults to `Allow`. --- From b5edf313ee2cbd16b4a8310cd9e08c8523771325 Mon Sep 17 00:00:00 2001 
From: kt Date: Tue, 19 May 2020 19:12:10 -0700 Subject: [PATCH 6/6] Update azurerm/helpers/azure/app_service.go --- azurerm/helpers/azure/app_service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azurerm/helpers/azure/app_service.go b/azurerm/helpers/azure/app_service.go
index ba3bd9e8528f..1c6c21cbd093 100644
--- a/azurerm/helpers/azure/app_service.go
+++ b/azurerm/helpers/azure/app_service.go
@@ -335,7 +335,7 @@ func SchemaAppServiceSiteConfig() *schema.Schema {
 ValidateFunc: validation.StringInSlice([]string{
 "Allow",
 "Deny",
- }, true),
+ }, false),
 },
 },
 },