feat(terraform): define variable-driven IP address restrictions

cal-itp · Nov 7, 2022 · 749f6ca · 749f6ca
1 parent 4909393
commit 749f6ca
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
@@ -19,7 +19,13 @@ resource "azurerm_linux_web_app" "main" {
   https_only          = true
 
   site_config {
-    ftps_state             = "Disabled"
+    ftps_state = "Disabled"
+    dynamic "ip_restriction" {
+      for_each = var.IP_ADDRESS_WHITELIST
+      content {
+        ip_address = ip_restriction.value
+      }
+    }
     vnet_route_all_enabled = true
     application_stack {
       docker_image     = "ghcr.io/cal-itp/eligibility-server"

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -3,3 +3,7 @@
 variable "VELOCITY_ETL_SERVICE_PRINCIPAL_ID" {
   description = "Object ID from the registered application for the Velocity server ETL uploading: https://cloudsight.zendesk.com/hc/en-us/articles/360016785598-Azure-finding-your-service-principal-object-ID"
 }
+variable "IP_ADDRESS_WHITELIST" {
+  description = "List of IP addresses allowed to connect to the app service."
+  type        = list(any)
+}