hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for publicNetworkAccess switch #23809

Open ishanslab opened 11 months ago

ishanslab commented 11 months ago

Description

azurerm_logic_app_standard does not have an argument to control Public Network Access. Can we add an argument like public_network_access which can be set to true or false to control the public access.

New or Affected Resource(s)/Data Source(s)

azurerm_logic_app_standard

Potential Terraform Configuration

```hcl
resource "azurerm_logic_app_standard" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  public_network_access      = "false"

  site_config {
    linux_fx_version = "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-appservice"
  }

  app_settings = {
    "DOCKER_REGISTRY_SERVER_URL"      = "https://<server-name>.azurecr.io"
    "DOCKER_REGISTRY_SERVER_USERNAME" = "username"
    "DOCKER_REGISTRY_SERVER_PASSWORD" = "password"
  }

}
```


rcskosir commented 10 months ago

Thank you for taking the time to open this feature request!

gettek commented 8 months ago

This was thankfully introduced in v3.86.0 (see #24257).

But please correct me if I'm wrong @mbfrahry; public_network_access_enabled unfortunately needs setting on both siteProperties and siteConfig (https://github.com/Azure/azure-rest-api-specs/issues/24681), the same as in function apps (and potentially other app services).

It is currently only set on siteConfig which I believe is causing the Policy failures:

```go
if metadata.ResourceData.HasChange("public_network_access_enabled") {
    pna := helpers.PublicNetworkAccessEnabled
    if !state.PublicNetworkAccess {
        pna = helpers.PublicNetworkAccessDisabled
    }

    // (@jackofallops) - Values appear to need to be set in both SiteProperties and SiteConfig for now? https://github.com/Azure/azure-rest-api-specs/issues/24681
    existing.PublicNetworkAccess = pointer.To(pna)
    existing.SiteConfig.PublicNetworkAccess = existing.PublicNetworkAccess
}
```

russaram-bham commented 8 months ago

It seems this fix has not worked:

```text
│ Error: creating Logic App Standard: (Site Name "la-sris-data-extract-dev-uksouth" / Resource Group "xxx-dev"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'xxxx-dev-uksouth' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs." Target="la-sris-data-extract-dev-uksouth" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"},{"expression":"Microsoft.Web/sites/publicNetworkAccess","expressionKind":"Field","operator":"Exists","path":"properties.publicNetworkAccess","result":"True","targetValue":"false"}],"reason":"Public network access must be disabled for PaaS services."},"policyAssignmentDisplayName":"Public network access should be disabled for PaaS services","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/xxx-stars/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints","policyAssignmentName":"Deny-Public-Endpoints","policyAssignmentParameters":{},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/xxx-stars","policyDefinitionDisplayName":"App Service apps should disable public network access","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba","policyDefinitionName":"1b5ef780-c53c-4a64-87f3-bb9c8c8094ba","policyDefinitionReferenceId":"AsDenyPublicIP","policyExemptionIds":[],"policySetDefinitionDisplayName":"Public network access should be disabled for PaaS services","policySetDefinitionId":"/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints","policySetDefinitionName":"Deny-PublicPaaSEndpoints"},"type":"PolicyViolation"}]
```
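Two checks that follow from gettek's diagnosis and from the policy error above, as an added example (not code from the thread or the provider). The first inspects a Microsoft.Web/sites body for the setting at both levels the ARM API and the built-in policy look at; the second summarises the evaluatedExpressions of a RequestDisallowedByPolicy error, where an `Exists` expression with `targetValue: false` and `result: True` reads as the policy's "field is absent" branch matching. The sample site body and the sample AdditionalInfo are constructed, modelled on the error quoted in the thread.

```python
import json

# Constructed sample of a site body as the provider sent it at the time of
# this thread: only siteConfig carries the setting, and the top-level
# properties.publicNetworkAccess that the policy inspects is absent.
SAMPLE_SITE = json.loads("""{
  "type": "Microsoft.Web/sites", "name": "la-example-dev",
  "properties": {"siteConfig": {"publicNetworkAccess": "Disabled"}}
}""")

# Constructed AdditionalInfo, modelled on the RequestDisallowedByPolicy error
# quoted above. Exists/targetValue=false with result True means the policy's
# "field is absent" branch matched for properties.publicNetworkAccess.
SAMPLE_DENIAL = json.loads("""[{"info": {"evaluationDetails": {"evaluatedExpressions": [
  {"expression": "type", "expressionKind": "Field", "expressionValue": "Microsoft.Web/sites",
   "operator": "Equals", "path": "type", "result": "True", "targetValue": "Microsoft.Web/sites"},
  {"expression": "Microsoft.Web/sites/publicNetworkAccess", "expressionKind": "Field",
   "operator": "Exists", "path": "properties.publicNetworkAccess", "result": "True",
   "targetValue": "false"}]}}}]""")

def public_network_access_findings(site):
    """Return findings for a Microsoft.Web/sites body; an empty list means it
    would pass 'App Service apps should disable public network access'."""
    props = site.get("properties", {})
    top = props.get("publicNetworkAccess")
    cfg = props.get("siteConfig", {}).get("publicNetworkAccess")
    findings = []
    if top is None:
        findings.append("properties.publicNetworkAccess is absent")
    elif top != "Disabled":
        findings.append(f"properties.publicNetworkAccess is {top!r}, expected 'Disabled'")
    # Drift between the two levels is worth flagging even when the top level is set.
    if cfg is not None and top is not None and cfg != top:
        findings.append(f"siteConfig.publicNetworkAccess {cfg!r} differs from properties {top!r}")
    return findings

def fired_policy_expressions(additional_info):
    """Summarise which evaluated expressions of a policy deny matched."""
    out = []
    for item in additional_info:
        for e in item["info"]["evaluationDetails"]["evaluatedExpressions"]:
            if e.get("result") != "True":
                continue
            if e["operator"] == "Exists" and e["targetValue"] == "false":
                out.append(f"{e['path']}: absent from request")
            else:
                out.append(f"{e['path']}: {e['operator']} {e['targetValue']}")
    return out
```

Run `public_network_access_findings` over the JSON of a deployed site (for example the output of an ARM GET on the resource) to confirm both levels read `Disabled` after apply.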

GavinAlb commented 8 months ago

Hi, we are also having trouble with this. We are using AzureRM version 3.90.0.

We are utilising the 'public_network_access_enabled' flag that sits within the site_config section introduced in https://github.com/hashicorp/terraform-provider-azurerm/pull/24257.

We have policies in our environment to enforce that we do not have these publicly accessible.

Terraform is breaking with the policy enforcement message as the provider seems to be not honoring the "false" flag we are giving against this property.

```text
│ Error: creating Logic App Standard: (Site Name "logic-app-common" / Resource Group "xx-xx-001"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'logic-app-common' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Management/managementGroups/xxx-xxx-xxx/providers/Microsoft.Authorization/policyAssignments/xxxxxxxxx\"},\"policyDefinition\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/xxx-xxx-xxx\"}}]'." Target="logic-app-common" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"}.......................................
```

anwarnk commented 2 months ago

Hi, this issue has been outstanding for some time now. The PR is in a stale state; could someone please provide an update?

arnaudluti commented 1 month ago

Hello. It is normal that your TF deployment doesn't work with the public_network_access_enabled switch set to false. It does not yet seem possible to change this option to "enabled from specific IPs". Using that, you could allow your CI/CD provider to permit Terraform deployments. In my case I use Azure DevOps as a CI/CD provider, and using the service tags it works. But this needs to be set manually after the logic app has been created by TF.