Added client certificate exclusion paths setting to app service web a…

…nd function apps

internal/services/appservice/linux_function_app_data_source.go

@@ -38,6 +38,7 @@ type LinuxFunctionAppDataSourceModel struct {
 	BuiltinLogging            bool                                 `tfschema:"builtin_logging_enabled"`
 	ClientCertEnabled         bool                                 `tfschema:"client_certificate_enabled"`
 	ClientCertMode            string                               `tfschema:"client_certificate_mode"`
+	ClientCertExclusionPaths  string                               `tfschema:"client_certificate_exclusion_paths"`
 	ConnectionStrings         []helpers.ConnectionString           `tfschema:"connection_string"`
 	DailyMemoryTimeQuota      int                                  `tfschema:"daily_memory_time_quota"`
 	Enabled                   bool                                 `tfschema:"enabled"`
@@ -141,6 +142,12 @@ func (d LinuxFunctionAppDataSource) Attributes() map[string]*pluginsdk.Schema {
 			Computed: true,
 		},
 
+		"client_certificate_exclusion_paths": {
+			Type:        pluginsdk.TypeString,
+			Computed:    true,
+			Description: "Paths to exclude when using client certificates, separated by ;",
+		},
+
 		"connection_string": helpers.ConnectionStringSchemaComputed(),
 
 		"daily_memory_time_quota": {
@@ -295,16 +302,17 @@ func (d LinuxFunctionAppDataSource) Read() sdk.ResourceFunc {
 			}
 
 			state := LinuxFunctionAppDataSourceModel{
-				Name:                 id.SiteName,
-				ResourceGroup:        id.ResourceGroup,
-				ServicePlanId:        utils.NormalizeNilableString(props.ServerFarmID),
-				Location:             location.NormalizeNilable(functionApp.Location),
-				Enabled:              utils.NormaliseNilableBool(functionApp.Enabled),
-				ClientCertMode:       string(functionApp.ClientCertMode),
-				DailyMemoryTimeQuota: int(utils.NormaliseNilableInt32(props.DailyMemoryTimeQuota)),
-				StickySettings:       helpers.FlattenStickySettings(stickySettings.SlotConfigNames),
-				Tags:                 tags.ToTypedObject(functionApp.Tags),
-				Kind:                 utils.NormalizeNilableString(functionApp.Kind),
+				Name:                     id.SiteName,
+				ResourceGroup:            id.ResourceGroup,
+				ServicePlanId:            utils.NormalizeNilableString(props.ServerFarmID),
+				Location:                 location.NormalizeNilable(functionApp.Location),
+				Enabled:                  utils.NormaliseNilableBool(functionApp.Enabled),
+				ClientCertMode:           string(functionApp.ClientCertMode),
+				ClientCertExclusionPaths: utils.NormalizeNilableString(functionApp.ClientCertExclusionPaths),
+				DailyMemoryTimeQuota:     int(utils.NormaliseNilableInt32(props.DailyMemoryTimeQuota)),
+				StickySettings:           helpers.FlattenStickySettings(stickySettings.SlotConfigNames),
+				Tags:                     tags.ToTypedObject(functionApp.Tags),
+				Kind:                     utils.NormalizeNilableString(functionApp.Kind),
 			}
 
 			configResp, err := client.GetConfiguration(ctx, id.ResourceGroup, id.SiteName)

internal/services/appservice/linux_function_app_resource.go

@@ -45,6 +45,7 @@ type LinuxFunctionAppModel struct {
 	BuiltinLogging              bool                                 `tfschema:"builtin_logging_enabled"`
 	ClientCertEnabled           bool                                 `tfschema:"client_certificate_enabled"`
 	ClientCertMode              string                               `tfschema:"client_certificate_mode"`
+	ClientCertExclusionPaths    string                               `tfschema:"client_certificate_exclusion_paths"`
 	ConnectionStrings           []helpers.ConnectionString           `tfschema:"connection_string"`
 	DailyMemoryTimeQuota        int                                  `tfschema:"daily_memory_time_quota"` // TODO - Value ignored in for linux apps, even in Consumption plans?
 	Enabled                     bool                                 `tfschema:"enabled"`
@@ -190,6 +191,12 @@ func (r LinuxFunctionAppResource) Arguments() map[string]*pluginsdk.Schema {
 			Description: "The mode of the Function App's client certificates requirement for incoming requests. Possible values are `Required`, `Optional`, and `OptionalInteractiveUser` ",
 		},
 
+		"client_certificate_exclusion_paths": {
+			Type:        pluginsdk.TypeString,
+			Optional:    true,
+			Description: "Paths to exclude when using client certificates, separated by ;",
+		},
+
 		"connection_string": helpers.ConnectionStringSchema(),
 
 		"daily_memory_time_quota": {
@@ -708,6 +715,10 @@ func (r LinuxFunctionAppResource) Update() sdk.ResourceFunc {
 				existing.SiteProperties.ClientCertMode = web.ClientCertMode(state.ClientCertMode)
 			}
 
+			if metadata.ResourceData.HasChange("client_certificate_exclusion_paths") {
+				existing.SiteProperties.ClientCertExclusionPaths = utils.String(state.ClientCertExclusionPaths)
+			}
+
 			if metadata.ResourceData.HasChange("identity") {
 				expandedIdentity, err := expandIdentity(metadata.ResourceData.Get("identity").([]interface{}))
 				if err != nil {

internal/services/appservice/linux_function_app_resource_test.go

@@ -2088,6 +2088,7 @@ resource "azurerm_linux_function_app" "test" {
   builtin_logging_enabled    = false
   client_certificate_enabled = true
   client_certificate_mode    = "Required"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "Second"
@@ -2256,6 +2257,7 @@ resource "azurerm_linux_function_app" "test" {
   builtin_logging_enabled    = false
   client_certificate_enabled = true
   client_certificate_mode    = "OptionalInteractiveUser"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "First"

internal/services/appservice/linux_function_app_slot_resource.go

@@ -38,6 +38,7 @@ type LinuxFunctionAppSlotModel struct {
 	BuiltinLogging                bool                                     `tfschema:"builtin_logging_enabled"`
 	ClientCertEnabled             bool                                     `tfschema:"client_certificate_enabled"`
 	ClientCertMode                string                                   `tfschema:"client_certificate_mode"`
+	ClientCertExclusionPaths      string                                   `tfschema:"client_certificate_exclusion_paths"`
 	ConnectionStrings             []helpers.ConnectionString               `tfschema:"connection_string"`
 	DailyMemoryTimeQuota          int                                      `tfschema:"daily_memory_time_quota"` // TODO - Value ignored in for linux apps, even in Consumption plans?
 	Enabled                       bool                                     `tfschema:"enabled"`
@@ -173,6 +174,12 @@ func (r LinuxFunctionAppSlotResource) Arguments() map[string]*pluginsdk.Schema {
 			Description: "The mode of the Function App Slot's client certificates requirement for incoming requests. Possible values are `Required`, `Optional`, and `OptionalInteractiveUser`.",
 		},
 
+		"client_certificate_exclusion_paths": {
+			Type:        pluginsdk.TypeString,
+			Optional:    true,
+			Description: "Paths to exclude when using client certificates, separated by ;",
+		},
+
 		"connection_string": helpers.ConnectionStringSchema(),
 
 		"daily_memory_time_quota": {
@@ -431,13 +438,14 @@ func (r LinuxFunctionAppSlotResource) Create() sdk.ResourceFunc {
 				Kind:     utils.String("functionapp,linux"),
 				Identity: expandedIdentity,
 				SiteProperties: &web.SiteProperties{
-					ServerFarmID:         utils.String(servicePlanId.ID()),
-					Enabled:              utils.Bool(functionAppSlot.Enabled),
-					HTTPSOnly:            utils.Bool(functionAppSlot.HttpsOnly),
-					SiteConfig:           siteConfig,
-					ClientCertEnabled:    utils.Bool(functionAppSlot.ClientCertEnabled),
-					ClientCertMode:       web.ClientCertMode(functionAppSlot.ClientCertMode),
-					DailyMemoryTimeQuota: utils.Int32(int32(functionAppSlot.DailyMemoryTimeQuota)), // TODO - Investigate, setting appears silently ignored on Linux Function Apps?
+					ServerFarmID:             utils.String(servicePlanId.ID()),
+					Enabled:                  utils.Bool(functionAppSlot.Enabled),
+					HTTPSOnly:                utils.Bool(functionAppSlot.HttpsOnly),
+					SiteConfig:               siteConfig,
+					ClientCertEnabled:        utils.Bool(functionAppSlot.ClientCertEnabled),
+					ClientCertMode:           web.ClientCertMode(functionAppSlot.ClientCertMode),
+					ClientCertExclusionPaths: utils.String(functionAppSlot.ClientCertExclusionPaths),
+					DailyMemoryTimeQuota:     utils.Int32(int32(functionAppSlot.DailyMemoryTimeQuota)), // TODO - Investigate, setting appears silently ignored on Linux Function Apps?
 				},
 			}
 
@@ -563,6 +571,7 @@ func (r LinuxFunctionAppSlotResource) Read() sdk.ResourceFunc {
 				FunctionAppID:               parse.NewFunctionAppID(id.SubscriptionId, id.ResourceGroup, id.SiteName).ID(),
 				Enabled:                     utils.NormaliseNilableBool(functionApp.Enabled),
 				ClientCertMode:              string(functionApp.ClientCertMode),
+				ClientCertExclusionPaths:    utils.NormalizeNilableString(functionApp.ClientCertExclusionPaths),
 				DailyMemoryTimeQuota:        int(utils.NormaliseNilableInt32(props.DailyMemoryTimeQuota)),
 				Tags:                        tags.ToTypedObject(functionApp.Tags),
 				Kind:                        utils.NormalizeNilableString(functionApp.Kind),
@@ -678,6 +687,10 @@ func (r LinuxFunctionAppSlotResource) Update() sdk.ResourceFunc {
 				existing.SiteProperties.ClientCertMode = web.ClientCertMode(state.ClientCertMode)
 			}
 
+			if metadata.ResourceData.HasChange("client_certificate_exclusion_paths") {
+				existing.SiteProperties.ClientCertExclusionPaths = utils.String(state.ClientCertExclusionPaths)
+			}
+
 			if metadata.ResourceData.HasChange("identity") {
 				expandedIdentity, err := expandIdentity(metadata.ResourceData.Get("identity").([]interface{}))
 				if err != nil {

internal/services/appservice/linux_function_app_slot_resource_test.go

@@ -1544,6 +1544,7 @@ resource "azurerm_linux_function_app_slot" "test" {
   builtin_logging_enabled    = false
   client_certificate_enabled = true
   client_certificate_mode    = "Required"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "Second"
@@ -1710,6 +1711,7 @@ resource "azurerm_linux_function_app_slot" "test" {
   builtin_logging_enabled    = false
   client_certificate_enabled = true
   client_certificate_mode    = "OptionalInteractiveUser"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "First"

internal/services/appservice/linux_web_app_data_source.go

@@ -30,6 +30,7 @@ type LinuxWebAppDataSourceModel struct {
 	ClientAffinityEnabled         bool                       `tfschema:"client_affinity_enabled"`
 	ClientCertEnabled             bool                       `tfschema:"client_certificate_enabled"`
 	ClientCertMode                string                     `tfschema:"client_certificate_mode"`
+	ClientCertExclusionPaths      string                     `tfschema:"client_certificate_exclusion_paths"`
 	Enabled                       bool                       `tfschema:"enabled"`
 	HttpsOnly                     bool                       `tfschema:"https_only"`
 	KeyVaultReferenceIdentityID   string                     `tfschema:"key_vault_reference_identity_id"`
@@ -111,6 +112,12 @@ func (r LinuxWebAppDataSource) Attributes() map[string]*pluginsdk.Schema {
 			Computed: true,
 		},
 
+		"client_certificate_exclusion_paths": {
+			Type:        pluginsdk.TypeString,
+			Computed:    true,
+			Description: "Paths to exclude when using client certificates, separated by ;",
+		},
+
 		"connection_string": helpers.ConnectionStringSchemaComputed(),
 
 		"custom_domain_verification_id": {
@@ -281,6 +288,7 @@ func (r LinuxWebAppDataSource) Read() sdk.ResourceFunc {
 					webApp.ClientCertEnabled = *props.ClientCertEnabled
 				}
 				webApp.ClientCertMode = string(props.ClientCertMode)
+				webApp.ClientCertExclusionPaths = utils.NormalizeNilableString(props.ClientCertExclusionPaths)
 				webApp.CustomDomainVerificationId = utils.NormalizeNilableString(props.CustomDomainVerificationID)
 				webApp.DefaultHostname = utils.NormalizeNilableString(props.DefaultHostName)
 				if props.Enabled != nil {

internal/services/appservice/linux_web_app_resource.go

@@ -36,6 +36,7 @@ type LinuxWebAppModel struct {
 	ClientAffinityEnabled         bool                       `tfschema:"client_affinity_enabled"`
 	ClientCertEnabled             bool                       `tfschema:"client_certificate_enabled"`
 	ClientCertMode                string                     `tfschema:"client_certificate_mode"`
+	ClientCertExclusionPaths      string                     `tfschema:"client_certificate_exclusion_paths"`
 	Enabled                       bool                       `tfschema:"enabled"`
 	HttpsOnly                     bool                       `tfschema:"https_only"`
 	KeyVaultReferenceIdentityID   string                     `tfschema:"key_vault_reference_identity_id"`
@@ -113,6 +114,12 @@ func (r LinuxWebAppResource) Arguments() map[string]*pluginsdk.Schema {
 			}, false),
 		},
 
+		"client_certificate_exclusion_paths": {
+			Type:        pluginsdk.TypeString,
+			Optional:    true,
+			Description: "Paths to exclude when using client certificates, separated by ;",
+		},
+
 		"connection_string": helpers.ConnectionStringSchema(),
 
 		"enabled": {
@@ -292,13 +299,14 @@ func (r LinuxWebAppResource) Create() sdk.ResourceFunc {
 				Identity: expandedIdentity,
 				Tags:     tags.FromTypedObject(webApp.Tags),
 				SiteProperties: &web.SiteProperties{
-					ServerFarmID:          utils.String(webApp.ServicePlanId),
-					Enabled:               utils.Bool(webApp.Enabled),
-					HTTPSOnly:             utils.Bool(webApp.HttpsOnly),
-					SiteConfig:            siteConfig,
-					ClientAffinityEnabled: utils.Bool(webApp.ClientAffinityEnabled),
-					ClientCertEnabled:     utils.Bool(webApp.ClientCertEnabled),
-					ClientCertMode:        web.ClientCertMode(webApp.ClientCertMode),
+					ServerFarmID:             utils.String(webApp.ServicePlanId),
+					Enabled:                  utils.Bool(webApp.Enabled),
+					HTTPSOnly:                utils.Bool(webApp.HttpsOnly),
+					SiteConfig:               siteConfig,
+					ClientAffinityEnabled:    utils.Bool(webApp.ClientAffinityEnabled),
+					ClientCertEnabled:        utils.Bool(webApp.ClientCertEnabled),
+					ClientCertMode:           web.ClientCertMode(webApp.ClientCertMode),
+					ClientCertExclusionPaths: utils.String(webApp.ClientCertExclusionPaths),
 				},
 			}
 
@@ -469,6 +477,7 @@ func (r LinuxWebAppResource) Read() sdk.ResourceFunc {
 				ClientAffinityEnabled:       utils.NormaliseNilableBool(props.ClientAffinityEnabled),
 				ClientCertEnabled:           utils.NormaliseNilableBool(props.ClientCertEnabled),
 				ClientCertMode:              string(props.ClientCertMode),
+				ClientCertExclusionPaths:    utils.NormalizeNilableString(props.ClientCertExclusionPaths),
 				CustomDomainVerificationId:  utils.NormalizeNilableString(props.CustomDomainVerificationID),
 				DefaultHostname:             utils.NormalizeNilableString(props.DefaultHostName),
 				Kind:                        utils.NormalizeNilableString(webApp.Kind),
@@ -590,6 +599,9 @@ func (r LinuxWebAppResource) Update() sdk.ResourceFunc {
 			if metadata.ResourceData.HasChange("client_certificate_mode") {
 				existing.SiteProperties.ClientCertMode = web.ClientCertMode(state.ClientCertMode)
 			}
+			if metadata.ResourceData.HasChange("client_certificate_exclusion_paths") {
+				existing.SiteProperties.ClientCertExclusionPaths = utils.String(state.ClientCertExclusionPaths)
+			}
 
 			if metadata.ResourceData.HasChange("identity") {
 				expandedIdentity, err := expandIdentity(metadata.ResourceData.Get("identity").([]interface{}))

internal/services/appservice/linux_web_app_resource_test.go

@@ -1205,6 +1205,7 @@ resource "azurerm_linux_web_app" "test" {
   client_affinity_enabled    = true
   client_certificate_enabled = true
   client_certificate_mode    = "Optional"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "First"
@@ -1379,6 +1380,7 @@ resource "azurerm_linux_web_app" "test" {
   client_affinity_enabled    = true
   client_certificate_enabled = true
   client_certificate_mode    = "Optional"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "First"

internal/services/appservice/linux_web_app_slot_resource.go

@@ -32,6 +32,7 @@ type LinuxWebAppSlotModel struct {
 	ClientAffinityEnabled         bool                                `tfschema:"client_affinity_enabled"`
 	ClientCertEnabled             bool                                `tfschema:"client_certificate_enabled"`
 	ClientCertMode                string                              `tfschema:"client_certificate_mode"`
+	ClientCertExclusionPaths      string                              `tfschema:"client_certificate_exclusion_paths"`
 	Enabled                       bool                                `tfschema:"enabled"`
 	HttpsOnly                     bool                                `tfschema:"https_only"`
 	KeyVaultReferenceIdentityID   string                              `tfschema:"key_vault_reference_identity_id"`
@@ -116,6 +117,12 @@ func (r LinuxWebAppSlotResource) Arguments() map[string]*pluginsdk.Schema {
 			}, false),
 		},
 
+		"client_certificate_exclusion_paths": {
+			Type:        pluginsdk.TypeString,
+			Optional:    true,
+			Description: "Paths to exclude when using client certificates, separated by ;",
+		},
+
 		"connection_string": helpers.ConnectionStringSchema(),
 
 		"enabled": {
@@ -260,13 +267,14 @@ func (r LinuxWebAppSlotResource) Create() sdk.ResourceFunc {
 				Identity: expandedIdentity,
 				Tags:     tags.FromTypedObject(webAppSlot.Tags),
 				SiteProperties: &web.SiteProperties{
-					ServerFarmID:          siteProps.ServerFarmID,
-					Enabled:               utils.Bool(webAppSlot.Enabled),
-					HTTPSOnly:             utils.Bool(webAppSlot.HttpsOnly),
-					SiteConfig:            siteConfig,
-					ClientAffinityEnabled: utils.Bool(webAppSlot.ClientAffinityEnabled),
-					ClientCertEnabled:     utils.Bool(webAppSlot.ClientCertEnabled),
-					ClientCertMode:        web.ClientCertMode(webAppSlot.ClientCertMode),
+					ServerFarmID:             siteProps.ServerFarmID,
+					Enabled:                  utils.Bool(webAppSlot.Enabled),
+					HTTPSOnly:                utils.Bool(webAppSlot.HttpsOnly),
+					SiteConfig:               siteConfig,
+					ClientAffinityEnabled:    utils.Bool(webAppSlot.ClientAffinityEnabled),
+					ClientCertEnabled:        utils.Bool(webAppSlot.ClientCertEnabled),
+					ClientCertMode:           web.ClientCertMode(webAppSlot.ClientCertMode),
+					ClientCertExclusionPaths: utils.String(webAppSlot.ClientCertExclusionPaths),
 				},
 			}
 
@@ -419,6 +427,7 @@ func (r LinuxWebAppSlotResource) Read() sdk.ResourceFunc {
 				ClientAffinityEnabled:       utils.NormaliseNilableBool(props.ClientAffinityEnabled),
 				ClientCertEnabled:           utils.NormaliseNilableBool(props.ClientCertEnabled),
 				ClientCertMode:              string(props.ClientCertMode),
+				ClientCertExclusionPaths:    utils.NormalizeNilableString(props.ClientCertExclusionPaths),
 				CustomDomainVerificationId:  utils.NormalizeNilableString(props.CustomDomainVerificationID),
 				DefaultHostname:             utils.NormalizeNilableString(props.DefaultHostName),
 				Kind:                        utils.NormalizeNilableString(webApp.Kind),
@@ -532,6 +541,9 @@ func (r LinuxWebAppSlotResource) Update() sdk.ResourceFunc {
 			if metadata.ResourceData.HasChange("client_certificate_mode") {
 				existing.SiteProperties.ClientCertMode = web.ClientCertMode(state.ClientCertMode)
 			}
+			if metadata.ResourceData.HasChange("client_certificate_exclusion_paths") {
+				existing.SiteProperties.ClientCertExclusionPaths = utils.String(state.ClientCertExclusionPaths)
+			}
 
 			if metadata.ResourceData.HasChange("identity") {
 				expandedIdentity, err := expandIdentity(metadata.ResourceData.Get("identity").([]interface{}))

internal/services/appservice/linux_web_app_slot_resource_test.go

@@ -1105,6 +1105,7 @@ resource "azurerm_linux_web_app_slot" "test" {
   client_affinity_enabled    = true
   client_certificate_enabled = true
   client_certificate_mode    = "Optional"
+  client_certificate_exclusion_paths =  "/foo;/bar;/hello;/world"
 
   connection_string {
     name  = "First"