hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

azurerm_logic_app_standard and "App Service apps should disable public network access" Policy #35419

Open sentryzero opened 2 days ago

sentryzero commented 2 days ago

Terraform Version

Terraform v1.9.0
on windows_386
+ provider registry.terraform.io/hashicorp/azuread v0.11.0
+ provider registry.terraform.io/hashicorp/azurerm v3.106.0
+ provider registry.terraform.io/hashicorp/null v2.1.2
+ provider registry.terraform.io/hashicorp/random v2.3.1
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/tls v2.2.0

Terraform Configuration Files

provider "azurerm" {
  features {
    app_configuration {
      purge_soft_delete_on_destroy = true
      recover_soft_deleted         = false
    }
  } # The features block is required by the AzureRM provider, even when it contains no settings
  skip_provider_registration = true
}

provider "azuread" {
  version = "~> 0.7"
}

provider "random" {
  version = "~> 2.2"
}

provider "template" {
  version = "~> 2.1"
}

provider "null" {
  version = "~> 2.1"
}

provider "tls" {
  version = "~> 2.1"
}

# Configure the AzureRM Backend in Azure
terraform {
  required_version = ">= 1.3.4, < 2.0.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      # version = ">= 3.106.0, < 4.0.0"
      version = "= 3.106.0"
    }
  }
  backend "azurerm" {
    container_name       = "statefiles"
    storage_account_name = "xxxxxxxxxxxxx"
    resource_group_name  = "xxxxxxxxxxxxxxxxx"
    key                  = "xxxxxxxxxxxxx.terraform.tfstate"
  }
}

Debug Output

Error: creating Logic App Standard: (Site Name "logicapp-gndemo-dev-01" / Resource Group "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'logicapp-gndemo-dev-01' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"},\"policyDefinition\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"}}]'." Target="logicapp-gndemo-dev-01" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"},{"expression":"Microsoft.Web/sites/publicNetworkAccess","expressionKind":"Field","operator":"Exists","path":"properties.publicNetworkAccess","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"App Service apps should disable public network access","policyAssignmentId":"/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","policyAssignmentName":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","policyAssignmentParameters":{"effect":"Deny"},"policyAssignmentScope":"/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","policyDefinitionDisplayName":"App Service apps should disable public network access","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","policyDefinitionName":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","policyExemptionIds":[]},"type":"PolicyViolation"}]

Expected Behavior

The following should deploy a Logic App and bypass the Azure Policy. This should happen as the site_config block has the public_network_access_enabled flag set to false.

Actual Behavior

The Policy "App Service apps should disable public network access" prevents the deployment as the default value of true is parsed first.

Steps to Reproduce

module "storage_account" {
  source              = "./modules/blobstorage"
  resource_group_name = data.azurerm_resource_group.rg.name
  azure_region        = var.azure_region
  tags                = local.tags
  vnet_enabled        = var.vnet_enabled

  storage_account_name = local.logic_app_storage_account_name

  subnet_ids = []

  key_vault_id                        = module.keyvault.key_vault_id
  altius_office_ip_addresses          = var.altius_office_ip_addresses
  store_connection_string_in_keyvault = true
  keyvault_secret_name                = "logicappstoragestring"
  lock_resource                       = false

  # module dependency
  key_vault_terraform_sp_access_policy_id = module.keyvault.key_vault_terraform_sp_access_policy_id
}

resource "azurerm_app_service_plan" "asp" {
  name                = local.logic_applan_name
  location            = var.azure_region
  resource_group_name = data.azurerm_resource_group.rg.name
  tags                = var.tags
  kind                = "elastic"

  sku {
    tier = "WorkflowStandard"
    size = "WS1"
  }
}

resource "azurerm_logic_app_standard" "example" {
  name                       = local.logicapp_name
  location                   = var.azure_region
  resource_group_name        = data.azurerm_resource_group.rg.name
  app_service_plan_id        = azurerm_app_service_plan.asp.id
  storage_account_name       = module.storage_account.storage_resource_name
  storage_account_access_key = module.storage_account.storage_access_key

  site_config {
    public_network_access_enabled = false
  }

  app_settings = {}
}

Additional Context

https://github.com/hashicorp/terraform-provider-azurerm/issues/23809

References

No response
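The Debug Output above carries, in its AdditionalInfo array, the policy evaluation details that say exactly which policy assignment denied the request and which field condition matched. The following Python helper is an added example (not code from this issue, from Terraform or from the AzureRM provider) that parses such a payload and reports, per violation, the effect, the assignment, and each evaluated expression together with the request value ARM recorded for it. The sample payload is constructed from the issue's own error output, with the reporter's x-run redactions kept as they appear there; the dataclass and function names are this example's own.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import List, Optional

# Sample payload, constructed from the AdditionalInfo section of the issue's
# Debug Output; the x-runs are the reporter's own redactions, not real ids.
REDACTED = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
SAMPLE_ADDITIONAL_INFO = json.dumps([{
    "info": {
        "evaluationDetails": {"evaluatedExpressions": [
            {"expression": "type", "expressionKind": "Field",
             "expressionValue": "Microsoft.Web/sites", "operator": "Equals",
             "path": "type", "result": "True", "targetValue": "Microsoft.Web/sites"},
            {"expression": "Microsoft.Web/sites/publicNetworkAccess",
             "expressionKind": "Field", "operator": "Exists",
             "path": "properties.publicNetworkAccess", "result": "True",
             "targetValue": "false"},
        ]},
        "policyAssignmentDisplayName": "App Service apps should disable public network access",
        "policyAssignmentId": f"/subscriptions/{REDACTED}/resourceGroups/{REDACTED}"
                              f"/providers/Microsoft.Authorization/policyAssignments/{REDACTED}",
        "policyAssignmentName": REDACTED,
        "policyAssignmentParameters": {"effect": "Deny"},
        "policyAssignmentScope": f"/subscriptions/{REDACTED}/resourceGroups/{REDACTED}",
        "policyDefinitionDisplayName": "App Service apps should disable public network access",
        "policyDefinitionEffect": "Deny",
        "policyDefinitionId": f"/providers/Microsoft.Authorization/policyDefinitions/{REDACTED}",
        "policyDefinitionName": REDACTED,
        "policyExemptionIds": [],
    },
    "type": "PolicyViolation",
}])


@dataclass
class EvaluatedExpression:
    path: str            # field path the policy rule tested, e.g. properties.publicNetworkAccess
    operator: str        # Equals, Exists, NotEquals, ...
    target_value: str    # value the rule compared against
    matched: bool        # "result": "True" means this condition of the rule matched
    value: Optional[str] # expressionValue, or None when ARM recorded no value for the field


@dataclass
class PolicyViolation:
    assignment_display_name: str
    assignment_id: str
    definition_id: str
    effect: str
    scope: str
    expressions: List[EvaluatedExpression]
    exemption_ids: List[str]


def parse_policy_violations(additional_info_json: str) -> List[PolicyViolation]:
    """Parse the AdditionalInfo array of a RequestDisallowedByPolicy error."""
    violations: List[PolicyViolation] = []
    for entry in json.loads(additional_info_json):
        if entry.get("type") != "PolicyViolation":
            continue  # other AdditionalInfo entry types are not policy denials
        info = entry["info"]
        exprs = [
            EvaluatedExpression(
                path=e.get("path", e.get("expression", "")),
                operator=e.get("operator", ""),
                target_value=str(e.get("targetValue", "")),
                matched=str(e.get("result", "")).lower() == "true",
                value=e.get("expressionValue"),
            )
            for e in info.get("evaluationDetails", {}).get("evaluatedExpressions", [])
        ]
        # The assignment's effect parameter wins over the definition's default effect.
        effect = (info.get("policyAssignmentParameters", {}).get("effect")
                  or info.get("policyDefinitionEffect", ""))
        violations.append(PolicyViolation(
            assignment_display_name=info.get("policyAssignmentDisplayName", ""),
            assignment_id=info.get("policyAssignmentId", ""),
            definition_id=info.get("policyDefinitionId", ""),
            effect=effect,
            scope=info.get("policyAssignmentScope", ""),
            expressions=exprs,
            exemption_ids=list(info.get("policyExemptionIds", [])),
        ))
    return violations


def unset_fields(v: PolicyViolation) -> List[str]:
    """Paths of matched conditions for which ARM recorded no request value.

    For the issue's payload this is properties.publicNetworkAccess: the rule's
    condition on that field matched and no expressionValue was recorded for it.
    """
    return [e.path for e in v.expressions if e.matched and e.value is None]


def summarize(v: PolicyViolation) -> str:
    """One human-readable block per violation, suitable for a pipeline log."""
    lines = [f"{v.effect}: {v.assignment_display_name}", f"  scope: {v.scope}"]
    for e in v.expressions:
        shown = "<not set in request>" if e.value is None else repr(e.value)
        flag = "MATCH" if e.matched else "no match"
        lines.append(f"  [{flag}] {e.path} {e.operator} {e.target_value!r} (request value: {shown})")
    if v.exemption_ids:
        lines.append("  exemptions: " + ", ".join(v.exemption_ids))
    return "\n".join(lines)


if __name__ == "__main__":
    for violation in parse_policy_violations(SAMPLE_ADDITIONAL_INFO):
        print(summarize(violation))
```

Run against the issue's payload, the summary shows both conditions of the rule matching and no request value recorded for properties.publicNetworkAccess, which is the field the policy's Deny effect keys on; that is the first thing to check when deciding whether the failure is a policy misconfiguration or, as the linked provider issue suggests, a provider not sending the field.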

sentryzero commented 2 days ago

logic app code block

resource "azurerm_logic_app_standard" "example" {
  name                       = local.logicapp_name
  location                   = var.azure_region
  resource_group_name        = data.azurerm_resource_group.rg.name
  app_service_plan_id        = azurerm_app_service_plan.asp.id
  storage_account_name       = module.storage_account.storage_resource_name
  storage_account_access_key = module.storage_account.storage_access_key

  site_config {
    public_network_access_enabled = false
  }

  app_settings = {}
}

apparentlymart commented 2 days ago

Hi @sentryzero,

The error message you've shared and the behaviour you described seem to belong to the Azure provider rather than to Terraform Core.

Are you suggesting that Terraform Core should have done something differently here to allow the provider to work?

We can only change behaviours of Terraform Core in this repository, so if this is a problem with the Azure provider's own behaviour then we'd need to discuss that in the provider's repository instead. If you are requesting that Terraform Core should behave differently then it would help if you could state the problem in more general terms, without referring to the Azure provider features directly.

Thanks!