azurerm_app_service, azurerm_app_service_slot, azurerm_function_app: Support for site_config.ip_restrictions.headers / site_config.scm_ip_restrictions.headers #11209

Merged
merged 7 commits into from
Apr 27, 2021

@aristosvo aristosvo commented Apr 2, 2021

Fixes #11156

Example

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_frontdoor" "example" {
  name                                         = "example-frontdoor-2191"
  resource_group_name                          = azurerm_resource_group.example.name
  enforce_backend_pools_certificate_name_check = false

  routing_rule {
    name               = "exampleRoutingRule1"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["exampleFrontendEndpoint1"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "exampleBackendBing"
    }
  }

  backend_pool_load_balancing {
    name = "exampleLoadBalancingSettings1"
  }

  backend_pool_health_probe {
    name = "exampleHealthProbeSetting1"
  }

  backend_pool {
    name = "exampleBackendBing"
    backend {
      host_header = "www.bing.com"
      address     = "www.bing.com"
      http_port   = 80
      https_port  = 443
    }

    load_balancing_name = "exampleLoadBalancingSettings1"
    health_probe_name   = "exampleHealthProbeSetting1"
  }

  frontend_endpoint {
    name      = "exampleFrontendEndpoint1"
    host_name = "example-frontdoor-2191.azurefd.net"
  }
}

resource "azurerm_app_service_plan" "example" {
  name                = "example-appserviceplan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service-2191"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "None"

    scm_ip_restriction {
      action     = "Allow"
      name       = "test"
      ip_address = "8.8.8.8/32"
      priority   = 100
      headers {
        x_azure_fdid      = [azurerm_frontdoor.example.header_frontdoor_id]
        x_fd_health_probe = ["1"]
        x_forwarded_for   = ["9.9.9.9/32", "2002::1234:abcd:ffff:c0a8:101/64"]
        x_forwarded_host  = ["example.com"]
      }
    }
  }

  app_settings = {
    "SOME_KEY" = "some-value"
  }

  connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
  }
}

Acceptance Tests

  • Included in existing AccTest for ip_restrictions
  • For create, update and explicit delete: TestAccAppService_zeroedIpRestrictionHeaders
  • Docs

@ghost ghost added the size/M label Apr 2, 2021
@aristosvo aristosvo force-pushed the app-service-tag-headers branch from a727be8 to bd612de Compare April 20, 2021 14:16
@ghost ghost added size/L documentation and removed size/M labels Apr 20, 2021
@aristosvo aristosvo force-pushed the app-service-tag-headers branch from bebbf0b to 28c1cb1 Compare April 20, 2021 18:16
@aristosvo aristosvo force-pushed the app-service-tag-headers branch from 28c1cb1 to e573085 Compare April 20, 2021 18:44
@ghost ghost added size/XL and removed size/L labels Apr 20, 2021

aristosvo commented Apr 20, 2021

I believe it's now complete and ready for a thorough review:

❯ make acctests SERVICE='web' TESTARGS='-run=TestAccAppService_zeroedIpRestrictionHeaders'
==> Checking that code complies with gofmt requirements...
==> Checking that Custom Timeouts are used...
==> Checking that acceptance test packages are used...
TF_ACC=1 go test -v ./azurerm/internal/services/web -run=TestAccAppService_zeroedIpRestrictionHeaders -timeout 180m -ldflags="-X=github.com/terraform-providers/terraform-provider-azurerm/version.ProviderVersion=acc"
2021/04/20 20:44:39 [DEBUG] not using binary driver name, it's no longer needed
2021/04/20 20:44:40 [DEBUG] not using binary driver name, it's no longer needed
=== RUN   TestAccAppService_zeroedIpRestrictionHeaders
=== PAUSE TestAccAppService_zeroedIpRestrictionHeaders
=== CONT  TestAccAppService_zeroedIpRestrictionHeaders
--- PASS: TestAccAppService_zeroedIpRestrictionHeaders (400.28s)
PASS
ok      github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/web     403.909s


@jackofallops jackofallops left a comment

Hi @aristosvo - Thanks for the updates!

Could you add in the necessary lint ignores for the Sets with MaxItems (S018 - see the changed files tab), whilst not a fail, this will help us keep the linting clean.

I think it's also worth adding an additional note to the docs for these new properties to ensure users are aware that these headers are combined with the other settings so if used, all items must match for the rule to apply. WDYT?

Otherwise this LGTM so we should be able to get this merged as soon as this is done. 👍
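An added example (not part of the PR or the provider's documentation) of the combined matching raised in the review above: the main-site rule admits a request only when the source is in the Front Door backend service tag and the `X-Azure-FDID` header carries the expected instance ID. The resource names, the `front_door_id` variable and the 203.0.113.0/24 admin range are assumptions made for illustration.

```hcl
# Added example: names, the variable and the admin CIDR are hypothetical.
variable "front_door_id" {
  description = "ID the Front Door instance sends in X-Azure-FDID (header_frontdoor_id of azurerm_frontdoor)"
  type        = string
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "locked" {
  name     = "example-locked-resources"
  location = "West Europe"
}

resource "azurerm_app_service_plan" "locked" {
  name                = "example-locked-plan"
  location            = azurerm_resource_group.locked.location
  resource_group_name = azurerm_resource_group.locked.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "locked" {
  name                = "example-locked-app"
  location            = azurerm_resource_group.locked.location
  resource_group_name = azurerm_resource_group.locked.name
  app_service_plan_id = azurerm_app_service_plan.locked.id

  site_config {
    # Main site: the service tag alone covers every Front Door instance,
    # so the header filter pins the rule to one instance. Both must match.
    ip_restriction {
      name        = "front-door-only"
      action      = "Allow"
      priority    = 100
      service_tag = "AzureFrontDoor.Backend"
      headers {
        x_azure_fdid = [var.front_door_id]
      }
    }

    # SCM (Kudu) site: restricted separately, here by source range only.
    scm_ip_restriction {
      name       = "admin-range"
      action     = "Allow"
      priority   = 100
      ip_address = "203.0.113.0/24" # constructed documentation range
    }
  }
}
```

Once an allow rule exists, App Service denies requests that match no rule, so a request from another Front Door instance (same service tag, different ID) is rejected.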

@aristosvo

Thanks! Fixed it, will check later today if it complies with all linting.

@katbyte katbyte added this to the v2.57.0 milestone Apr 27, 2021

@katbyte katbyte left a comment

Thanks @aristosvo - LGTM 👍

@katbyte katbyte merged commit fa4b08c into hashicorp:master Apr 27, 2021
katbyte added a commit that referenced this pull request Apr 27, 2021
alvintang pushed a commit to alvintang/terraform-provider-azurerm that referenced this pull request Apr 29, 2021
…app`: Support for site_config.ip_restrictions.headers / site_config.scm_ip_restrictions.headers (hashicorp#11209)

Fixes hashicorp#11156
alvintang pushed a commit to alvintang/terraform-provider-azurerm that referenced this pull request Apr 29, 2021

ghost commented Apr 30, 2021

This has been released in version 2.57.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.57.0"
}
# ... other configuration ...

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 30, 2021
Successfully merging this pull request may close these issues.

Support for Azure service_tag headers in ip_restrictions azurerm_app_service