azurerm_app_service, azurerm_app_service_slot, azurerm_function_app: Support for site_config.ip_restrictions.headers / site_config.scm_ip_restrictions.headers

azurerm/internal/services/web/app_service.go

@@ -884,6 +884,52 @@ func schemaAppServiceIpRestriction() *schema.Schema {
 						"Deny",
 					}, false),
 				},
+
+				"headers": {
+					Type:       schema.TypeList,
+					Optional:   true,
+					Computed:   true,
+					MaxItems:   1,
+					ConfigMode: schema.SchemaConfigModeAttr,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"x_forwarded_host": {
+								Type:     schema.TypeSet,
+								Optional: true,
+								MaxItems: 8,
+								Elem: &schema.Schema{
+									Type: schema.TypeString,
+								},
+							},
+							"x_forwarded_for": {
+								Type:     schema.TypeSet,
+								Optional: true,
+								MaxItems: 8,
+								Elem: &schema.Schema{
+									Type:         schema.TypeString,
+									ValidateFunc: validation.IsCIDR,
+								},
+							},
+							"x_azure_fdid": {
+								Type:     schema.TypeSet,
+								Optional: true,
+								MaxItems: 8,
+								Elem: &schema.Schema{
+									Type:         schema.TypeString,
+									ValidateFunc: validation.IsUUID,
+								},
+							},
+							"x_fd_health_probe": {
+								Type:     schema.TypeSet,
+								Optional: true,
+								MaxItems: 8,
+								Elem: &schema.Schema{
+									Type: schema.TypeString,
+								},
+							},
+						},
+					},
+				},
 			},
 		},
 	}
@@ -1826,6 +1872,10 @@ func flattenAppServiceIpRestriction(input *[]web.IPSecurityRestriction) []interf
 			restriction["action"] = *action
 		}
 
+		if headers := v.Headers; headers != nil {
+			restriction["headers"] = flattenHeaders(headers)
+		}
+
 		restrictions = append(restrictions, restriction)
 	}
 
@@ -1946,9 +1996,61 @@ func expandAppServiceIpRestriction(input interface{}) ([]web.IPSecurityRestricti
 		if action != "" {
 			ipSecurityRestriction.Action = &action
 		}
+		if headers, ok := restriction["headers"]; ok {
+			ipSecurityRestriction.Headers = expandHeaders(headers.([]interface{}))
+		}
 
 		restrictions = append(restrictions, ipSecurityRestriction)
 	}
 
 	return restrictions, nil
 }
+
+func flattenHeaders(input map[string][]string) []interface{} {
+	output := make([]interface{}, 0)
+	headers := make(map[string]interface{})
+	if input == nil {
+		return output
+	}
+
+	if forwardedHost, ok := input["x-forwarded-host"]; ok && len(forwardedHost) > 0 {
+		headers["x_forwarded_host"] = forwardedHost
+	}
+	if forwardedFor, ok := input["x-forwarded-for"]; ok && len(forwardedFor) > 0 {
+		headers["x_forwarded_for"] = forwardedFor
+	}
+	if fdids, ok := input["x-azure-fdid"]; ok && len(fdids) > 0 {
+		headers["x_azure_fdid"] = fdids
+	}
+	if healthProbe, ok := input["x-fd-healthprobe"]; ok && len(healthProbe) > 0 {
+		headers["x_fd_health_probe"] = healthProbe
+	}
+
+	return append(output, headers)
+}
+
+func expandHeaders(input interface{}) map[string][]string {
+	output := make(map[string][]string)
+
+	for _, r := range input.([]interface{}) {
+		if r == nil {
+			continue
+		}
+
+		val := r.(map[string]interface{})
+		if raw := val["x_forwarded_host"].(*schema.Set).List(); len(raw) > 0 {
+			output["x-forwarded-host"] = *utils.ExpandStringSlice(raw)
+		}
+		if raw := val["x_forwarded_for"].(*schema.Set).List(); len(raw) > 0 {
+			output["x-forwarded-for"] = *utils.ExpandStringSlice(raw)
+		}
+		if raw := val["x_azure_fdid"].(*schema.Set).List(); len(raw) > 0 {
+			output["x-azure-fdid"] = *utils.ExpandStringSlice(raw)
+		}
+		if raw := val["x_fd_health_probe"].(*schema.Set).List(); len(raw) > 0 {
+			output["x-fd-healthprobe"] = *utils.ExpandStringSlice(raw)
+		}
+	}
+
+	return output
+}

azurerm/internal/services/web/app_service_resource_test.go

@@ -486,6 +486,16 @@ func TestAccAppService_completeIpRestriction(t *testing.T) {
 				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.name").HasValue("test-restriction"),
 				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.priority").HasValue("123"),
 				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.action").HasValue("Allow"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_forwarded_for.#").HasValue("2"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_forwarded_for.0").HasValue("2002::1234:abcd:ffff:c0a8:101/64"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_forwarded_for.1").HasValue("9.9.9.9/32"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_azure_fdid.#").HasValue("1"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_azure_fdid.0").HasValue("55ce4ed1-4b06-4bf1-b40e-4638452104da"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_fd_health_probe.#").HasValue("8"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_fd_health_probe.0").HasValue("1"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_fd_health_probe.7").HasValue("8"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_forwarded_host.#").HasValue("1"),
+				check.That(data.ResourceName).Key("site_config.0.ip_restriction.0.headers.0.x_forwarded_host.0").HasValue("example.com"),
 			),
 		},
 		data.ImportStep(),
@@ -2774,6 +2784,12 @@ resource "azurerm_app_service" "test" {
       name       = "test-restriction"
       priority   = 123
       action     = "Allow"
+      headers {
+        x_azure_fdid      = ["55ce4ed1-4b06-4bf1-b40e-4638452104da"]
+        x_fd_health_probe = ["1", "2", "3", "4", "5", "6", "7", "8"]
+        x_forwarded_for   = ["9.9.9.9/32", "2002::1234:abcd:ffff:c0a8:101/64"]
+        x_forwarded_host  = ["example.com"]
+      }
     }
   }
 }