Open ishanslab opened 11 months ago
Thank you for taking the time to open this feature request!
This was thankfully introduced in v3.86.0 (see #24257). But please correct me if I'm wrong @mbfrahry; `public_network_access_enabled` unfortunately needs setting on both `siteProperties` and `siteConfig` (https://github.com/Azure/azure-rest-api-specs/issues/24681), same as in function apps (and potentially other app services). It is currently only set on `siteConfig`, which I believe is causing the Policy failures:
```go
// azurerm_logic_app_standard: only SiteConfig.PublicNetworkAccess is set here;
// the site-level SiteProperties.PublicNetworkAccess is left untouched.
if v, ok := config["public_network_access_enabled"]; ok {
	pna := helpers.PublicNetworkAccessEnabled
	if !v.(bool) {
		pna = helpers.PublicNetworkAccessDisabled
	}
	siteConfig.PublicNetworkAccess = pointer.To(pna)
}
```
`linux_function_app_resource` has it on both `siteProperties` and `siteConfig`:

```go
existing.SiteConfig.AppSettings = helpers.MergeUserAppSettings(siteConfig.AppSettings, state.AppSettings)

if metadata.ResourceData.HasChange("public_network_access_enabled") {
	pna := helpers.PublicNetworkAccessEnabled
	if !state.PublicNetworkAccess {
		pna = helpers.PublicNetworkAccessDisabled
	}
	// (@jackofallops) - Values appear to need to be set in both SiteProperties and SiteConfig for now? https://github.com/Azure/azure-rest-api-specs/issues/24681
	existing.PublicNetworkAccess = pointer.To(pna)
	existing.SiteConfig.PublicNetworkAccess = existing.PublicNetworkAccess
}
```
It seems this fix has not worked:

```text
│ Error: creating Logic App Standard: (Site Name "la-sris-data-extract-dev-uksouth" / Resource Group "xxx-dev"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'xxxx-dev-uksouth' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs." Target="la-sris-data-extract-dev-uksouth" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"},{"expression":"Microsoft.Web/sites/publicNetworkAccess","expressionKind":"Field","operator":"Exists","path":"properties.publicNetworkAccess","result":"True","targetValue":"false"}],"reason":"Public network access must be disabled for PaaS services."},"policyAssignmentDisplayName":"Public network access should be disabled for PaaS services","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/xxx-stars/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints","policyAssignmentName":"Deny-Public-Endpoints","policyAssignmentParameters":{},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/xxx-stars","policyDefinitionDisplayName":"App Service apps should disable public network access","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba","policyDefinitionName":"1b5ef780-c53c-4a64-87f3-bb9c8c8094ba","policyDefinitionReferenceId":"AsDenyPublicIP","policyExemptionIds":[],"policySetDefinitionDisplayName":"Public network access should be disabled for PaaS services","policySetDefinitionId":"/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints","policySetDefinitionName":"Deny-PublicPaaSEndpoints"},"type":"PolicyViolation"}]
```
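To make the difference between the two code paths concrete, here is an added, self-contained Go illustration (not terraform-provider-azurerm code). The `Site`/`SiteProperties`/`SiteConfig` types are a hand-written minimal approximation of a `Microsoft.Web/sites` PUT body, and `buildSite`, `requestBody`, `policyDenies` and `evaluate` are names chosen for this example. The emulated rule is modelled on the evaluation detail in the error above, which tests the alias `Microsoft.Web/sites/publicNetworkAccess` at path `properties.publicNetworkAccess` with operator `Exists`, target `false`, result `True`; it is an assumption about the policy's intent (deny when the site-level field is absent or not `Disabled`), not a copy of the built-in definition.

```go
// Added illustration, not provider code: a body that sets publicNetworkAccess only
// under siteConfig is denied by a rule that evaluates properties.publicNetworkAccess.
package main

import (
	"encoding/json"
	"fmt"
)

// Assumption: minimal shape of a Microsoft.Web/sites PUT body, only the two
// fields this thread is about.
type SiteConfig struct {
	PublicNetworkAccess *string `json:"publicNetworkAccess,omitempty"`
}
type SiteProperties struct {
	PublicNetworkAccess *string     `json:"publicNetworkAccess,omitempty"`
	SiteConfig          *SiteConfig `json:"siteConfig,omitempty"`
}
type Site struct {
	Type       string         `json:"type"`
	Properties SiteProperties `json:"properties"`
}

const pnaEnabled, pnaDisabled = "Enabled", "Disabled"

func ptr(s string) *string { return &s }

// buildSite reproduces the two code paths quoted above. setOnSite=false is the
// logic_app_standard behaviour (siteConfig only); setOnSite=true is the
// linux_function_app pattern (SiteProperties and SiteConfig).
func buildSite(enabled, setOnSite bool) Site {
	pna := pnaEnabled
	if !enabled {
		pna = pnaDisabled
	}
	s := Site{
		Type:       "Microsoft.Web/sites",
		Properties: SiteProperties{SiteConfig: &SiteConfig{PublicNetworkAccess: ptr(pna)}},
	}
	if setOnSite {
		s.Properties.PublicNetworkAccess = ptr(pna)
	}
	return s
}

// requestBody is the JSON that would be PUT for the given flags.
func requestBody(enabled, setOnSite bool) string {
	b, err := json.Marshal(buildSite(enabled, setOnSite))
	if err != nil {
		panic(err) // fixed types above cannot fail to marshal
	}
	return string(b)
}

// policyDenies emulates the rule from the error: read properties.publicNetworkAccess
// on the site and deny when it is absent or not "Disabled". It deliberately never
// looks under properties.siteConfig, which is why the siteConfig-only body fails.
func policyDenies(body string) (denied bool, reason string) {
	var doc struct {
		Type       string                     `json:"type"`
		Properties map[string]json.RawMessage `json:"properties"`
	}
	if err := json.Unmarshal([]byte(body), &doc); err != nil {
		return true, "unparseable request body: " + err.Error()
	}
	if doc.Type != "Microsoft.Web/sites" {
		return false, "rule does not apply to " + doc.Type
	}
	raw, ok := doc.Properties["publicNetworkAccess"]
	if !ok {
		return true, "properties.publicNetworkAccess: Exists=false"
	}
	var v string
	if err := json.Unmarshal(raw, &v); err != nil || v != pnaDisabled {
		return true, fmt.Sprintf("properties.publicNetworkAccess=%q, want %q", v, pnaDisabled)
	}
	return false, "properties.publicNetworkAccess is Disabled"
}

// evaluate builds the request for the given flags and runs the emulated rule.
func evaluate(enabled, setOnSite bool) (denied bool, reason string) {
	return policyDenies(requestBody(enabled, setOnSite))
}

func main() {
	cases := []struct {
		name               string
		enabled, setOnSite bool
	}{
		{"public_network_access_enabled=false, siteConfig only", false, false},
		{"public_network_access_enabled=false, both levels", false, true},
		{"public_network_access_enabled=true, both levels", true, true},
	}
	for _, c := range cases {
		denied, why := evaluate(c.enabled, c.setOnSite)
		fmt.Printf("%-52s denied=%-5v %s\n", c.name, denied, why)
	}
}
```

Running it shows the first case denied with `Exists=false`, the second passing, and the third denied because the value is `Enabled`; the only difference between the first two bodies is the presence of the site-level `properties.publicNetworkAccess`.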
Hi, we are also having trouble with this. We are using AzureRM version 3.90.0.

We are utilising the `public_network_access_enabled` flag that sits within the `site_config` section, introduced in https://github.com/hashicorp/terraform-provider-azurerm/pull/24257.

We have policies in our environment to enforce that we do not have these publicly accessible. Terraform is breaking with the policy enforcement message, as the provider does not seem to be honoring the "false" flag we are giving against this property.

```text
│ Error: creating Logic App Standard: (Site Name "logic-app-common" / Resource Group "xx-xx-001"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'logic-app-common' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Management/managementGroups/xxx-xxx-xxx/providers/Microsoft.Authorization/policyAssignments/xxxxxxxxx\"},\"policyDefinition\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/xxx-xxx-xxx\"}}]'." Target="logic-app-common" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"}.......................................
```
Hi, this issue has been outstanding for some time now. The PR is in a stale state; could someone please provide an update?
Hello,

It is normal that your TF deployment doesn't work with the `public_network_access_enabled` switch set to `false`.

It does not yet seem possible to change this option to "enabled from specific IPs". Using that, you could allow your CI/CD provider to permit Terraform deployments. In my case I use Azure DevOps as a CI/CD provider, and using the service tags it works.

But this needs to be set manually after the logic app has been created by TF.
Description

`azurerm_logic_app_standard` does not have an argument to control Public Network Access. Can we add an argument like `public_network_access`, which can be set to `true` or `false`, to control the public access?

New or Affected Resource(s)/Data Source(s)

`azurerm_logic_app_standard`
Potential Terraform Configuration
References
No response