From 8c1bea030625ad68ebb71592bf8ea6471764a2fb Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Sat, 11 Nov 2023 17:17:02 +0100 Subject: [PATCH 01/18] add type and mappers --- .../containerapps/helpers/container_apps.go | 93 ++++++++++++++----- 1 file changed, 71 insertions(+), 22 deletions(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 50a1e8745b90..75a028064f5a 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -147,14 +147,15 @@ func FlattenContainerAppRegistries(input *[]containerapps.RegistryCredentials) [ } type Ingress struct { - AllowInsecure bool `tfschema:"allow_insecure_connections"` - CustomDomains []CustomDomain `tfschema:"custom_domain"` - IsExternal bool `tfschema:"external_enabled"` - FQDN string `tfschema:"fqdn"` - TargetPort int `tfschema:"target_port"` - ExposedPort int `tfschema:"exposed_port"` - TrafficWeights []TrafficWeight `tfschema:"traffic_weight"` - Transport string `tfschema:"transport"` + AllowInsecure bool `tfschema:"allow_insecure_connections"` + CustomDomains []CustomDomain `tfschema:"custom_domain"` + IsExternal bool `tfschema:"external_enabled"` + FQDN string `tfschema:"fqdn"` + TargetPort int `tfschema:"target_port"` + ExposedPort int `tfschema:"exposed_port"` + TrafficWeights []TrafficWeight `tfschema:"traffic_weight"` + Transport string `tfschema:"transport"` + IpSecurityRestrictions []IpSecurityRestriction `tfschema:"ip_security_restriction"` } func ContainerAppIngressSchema() *pluginsdk.Schema { @@ -271,13 +272,14 @@ func ExpandContainerAppIngress(input []Ingress, appName string) *containerapps.I ingress := input[0] result := &containerapps.Ingress{ - AllowInsecure: pointer.To(ingress.AllowInsecure), - CustomDomains: expandContainerAppIngressCustomDomain(ingress.CustomDomains), - External: pointer.To(ingress.IsExternal), - Fqdn: pointer.To(ingress.FQDN), - TargetPort: pointer.To(int64(ingress.TargetPort)), - ExposedPort: pointer.To(int64(ingress.ExposedPort)), - Traffic: expandContainerAppIngressTraffic(ingress.TrafficWeights, appName), + AllowInsecure: pointer.To(ingress.AllowInsecure), + CustomDomains: expandContainerAppIngressCustomDomain(ingress.CustomDomains), + External: pointer.To(ingress.IsExternal), + Fqdn: pointer.To(ingress.FQDN), + TargetPort: pointer.To(int64(ingress.TargetPort)), + ExposedPort: pointer.To(int64(ingress.ExposedPort)), + Traffic: expandContainerAppIngressTraffic(ingress.TrafficWeights, appName), + IPSecurityRestrictions: expandIpSecurityRestrictions(ingress.IpSecurityRestrictions, appName), } transport := containerapps.IngressTransportMethod(ingress.Transport) result.Transport = &transport @@ -292,13 +294,14 @@ func FlattenContainerAppIngress(input *containerapps.Ingress, appName string) [] ingress := *input result := Ingress{ - AllowInsecure: pointer.From(ingress.AllowInsecure), - CustomDomains: flattenContainerAppIngressCustomDomain(ingress.CustomDomains), - IsExternal: pointer.From(ingress.External), - FQDN: pointer.From(ingress.Fqdn), - TargetPort: int(pointer.From(ingress.TargetPort)), - ExposedPort: int(pointer.From(ingress.ExposedPort)), - TrafficWeights: flattenContainerAppIngressTraffic(ingress.Traffic, appName), + AllowInsecure: pointer.From(ingress.AllowInsecure), + CustomDomains: flattenContainerAppIngressCustomDomain(ingress.CustomDomains), + IsExternal: pointer.From(ingress.External), + FQDN: pointer.From(ingress.Fqdn), + TargetPort: int(pointer.From(ingress.TargetPort)), + ExposedPort: int(pointer.From(ingress.ExposedPort)), + TrafficWeights: flattenContainerAppIngressTraffic(ingress.Traffic, appName), + IpSecurityRestrictions: flattenContainerAppIngressIpSecurityRestrictions(ingress.IPSecurityRestrictions), } if ingress.Transport != nil { @@ -417,6 +420,26 @@ func flattenContainerAppIngressCustomDomain(input *[]containerapps.CustomDomain) return result } +func flattenContainerAppIngressIpSecurityRestrictions(input *[]containerapps.IPSecurityRestrictionRule) []IpSecurityRestriction { + if input == nil { + return []IpSecurityRestriction{} + } + + result := make([]IpSecurityRestriction, 0) + for _, v := range *input { + ipSecurityRestriction := IpSecurityRestriction{ + Description: string(*v.Description), + IpAddressRange: v.IPAddressRange, + Action: string(v.Action), + Name: v.Name, + } + + result = append(result, ipSecurityRestriction) + } + + return result +} + type TrafficWeight struct { Label string `tfschema:"label"` LatestRevision bool `tfschema:"latest_revision"` @@ -424,6 +447,13 @@ type TrafficWeight struct { Weight int `tfschema:"percentage"` } +type IpSecurityRestriction struct { + Action string `tfschema:"action"` + Description string `tfschema:"description"` + IpAddressRange string `tfschema:"ip_address_range"` + Name string `tfschema:"name"` +} + func ContainerAppIngressTrafficWeight() *pluginsdk.Schema { return &pluginsdk.Schema{ Type: pluginsdk.TypeList, @@ -542,6 +572,25 @@ func flattenContainerAppIngressTraffic(input *[]containerapps.TrafficWeight, app return result } +func expandIpSecurityRestrictions(input []IpSecurityRestriction, appName string) *[]containerapps.IPSecurityRestrictionRule { + if input == nil { + return &[]containerapps.IPSecurityRestrictionRule{} + } + + result := make([]containerapps.IPSecurityRestrictionRule, 0) + for _, v := range input { + ipSecurityRestrictionRule := containerapps.IPSecurityRestrictionRule{ + Action: containerapps.Action(v.Action), + Name: v.Name, + IPAddressRange: v.IpAddressRange, + Description: &v.Description, + } + result = append(result, ipSecurityRestrictionRule) + } + + return &result +} + type Dapr struct { AppId string `tfschema:"app_id"` AppPort int `tfschema:"app_port"` From 042ec45b8286f0069681d80a3d4d4678dc6b60ec Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Sat, 11 Nov 2023 17:30:32 +0100 Subject: [PATCH 02/18] add schema --- .../containerapps/helpers/container_apps.go | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 75a028064f5a..2654d63bcbd0 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -187,6 +187,8 @@ func ContainerAppIngressSchema() *pluginsdk.Schema { Description: "The FQDN of the ingress.", }, + "ip_security_restriction": ContainerAppIngressIpSecurityRestriction(), + "target_port": { Type: pluginsdk.TypeInt, Required: true, @@ -454,6 +456,43 @@ type IpSecurityRestriction struct { Name string `tfschema:"name"` } +func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { + return &pluginsdk.Schema{ + Type: pluginsdk.TypeList, + Required: false, + Elem: &pluginsdk.Resource{ + Schema: map[string]*pluginsdk.Schema{ + "action": { + Type: pluginsdk.TypeString, + Optional: false, + ValidateFunc: validation.StringIsNotEmpty, + Description: "The action. Allow or Deny.", + }, + + "description": { + Type: pluginsdk.TypeString, + Optional: true, + Description: "Describe the IP restriction rule that is being sent to the container-app.", + }, + + "ip_adress_range": { + Type: pluginsdk.TypeString, + Optional: false, + ValidateFunc: validation.IsCIDR, + Description: "CIDR notation to match incoming IP address.", + }, + + "name": { + Type: pluginsdk.TypeString, + Optional: false, + ValidateFunc: validation.StringIsNotEmpty, + Description: "Name for the IP restriction rule.", + }, + }, + }, + } +} + func ContainerAppIngressTrafficWeight() *pluginsdk.Schema { return &pluginsdk.Schema{ Type: pluginsdk.TypeList, From 01902ca8e24021567fc6e4ed5c12b8cfad23a1cb Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Sun, 12 Nov 2023 12:57:33 +0100 Subject: [PATCH 03/18] add test --- .../services/containerapps/container_app_resource_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index 03ba2e6ee6d6..87cd58b6e6f5 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -1205,6 +1205,12 @@ resource "azurerm_container_app" "test" { latest_revision = true percentage = 100 } + ip_security_restriction { + name = "test" + description = "test" + action = "Allow" + ip_adress_range = "0.0.0.0/0" + } } registry { From 342deaefe1c508fe979b48434d31f2d7e11397f8 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Sun, 12 Nov 2023 13:17:13 +0100 Subject: [PATCH 04/18] add docs --- website/docs/r/container_app.html.markdown | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/website/docs/r/container_app.html.markdown b/website/docs/r/container_app.html.markdown index 2419e71b7e3e..2eea5ff54a4d 100644 --- a/website/docs/r/container_app.html.markdown +++ b/website/docs/r/container_app.html.markdown @@ -337,6 +337,8 @@ An `ingress` block supports the following: * `external_enabled` - (Optional) Are connections to this Ingress from outside the Container App Environment enabled? Defaults to `false`. +* `ip_security_restriction` - (Optional) IP-filtering rules. + * `target_port` - (Required) The target port on the container for the Ingress traffic. * `exposed_port` - (Optional) The exposed port on the container for the Ingress traffic. @@ -361,6 +363,18 @@ A `custom_domain` block supports the following: --- +A `ip_security_restriction` block supports the following: + +* `action` - (Required) The IP-filter action. `Allow` or `Deny` + +* `description` - (Optional) Describe the IP restriction rule that is being sent to the container-app. + +* `ip_adress_range` - (Required) CIDR notation to match incoming IP address. + +* `name` - (Required) Name for the IP restriction rule. + +--- + A `traffic_weight` block supports the following: ~> **Note:** This block only applies when `revision_mode` is set to `Multiple`. From 107d4c4af48863a1a874de4dd536671a73c57bea Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Mon, 13 Nov 2023 00:39:27 +0100 Subject: [PATCH 05/18] more concise validation --- internal/services/containerapps/helpers/container_apps.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 2654d63bcbd0..0b4e6397ca95 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -465,7 +465,7 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { "action": { Type: pluginsdk.TypeString, Optional: false, - ValidateFunc: validation.StringIsNotEmpty, + ValidateFunc: validation.StringInSlice(containerapps.PossibleValuesForAction(), false), Description: "The action. Allow or Deny.", }, From 539b9848576e0554c4f69dd89a06721c65a67676 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Mon, 13 Nov 2023 14:04:21 +0100 Subject: [PATCH 06/18] fix typos --- internal/services/containerapps/container_app_resource_test.go | 2 +- internal/services/containerapps/helpers/container_apps.go | 2 +- website/docs/r/container_app.html.markdown | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index 87cd58b6e6f5..541d5e1312ba 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -1209,7 +1209,7 @@ resource "azurerm_container_app" "test" { name = "test" description = "test" action = "Allow" - ip_adress_range = "0.0.0.0/0" + ip_address_range = "0.0.0.0/0" } } diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 0b4e6397ca95..f7e4b36be41d 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -475,7 +475,7 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { Description: "Describe the IP restriction rule that is being sent to the container-app.", }, - "ip_adress_range": { + "ip_address_range": { Type: pluginsdk.TypeString, Optional: false, ValidateFunc: validation.IsCIDR, diff --git a/website/docs/r/container_app.html.markdown b/website/docs/r/container_app.html.markdown index 2eea5ff54a4d..a79bc7f48f47 100644 --- a/website/docs/r/container_app.html.markdown +++ b/website/docs/r/container_app.html.markdown @@ -369,7 +369,7 @@ A `ip_security_restriction` block supports the following: * `description` - (Optional) Describe the IP restriction rule that is being sent to the container-app. -* `ip_adress_range` - (Required) CIDR notation to match incoming IP address. +* `ip_address_range` - (Required) CIDR notation to match incoming IP address. * `name` - (Required) Name for the IP restriction rule. From 21a58e46f0c7fe09681034ba84ca50b3d0e07692 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Mon, 13 Nov 2023 14:06:38 +0100 Subject: [PATCH 07/18] drop unused arg --- internal/services/containerapps/helpers/container_apps.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index f7e4b36be41d..abdfacabae52 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -281,7 +281,7 @@ func ExpandContainerAppIngress(input []Ingress, appName string) *containerapps.I TargetPort: pointer.To(int64(ingress.TargetPort)), ExposedPort: pointer.To(int64(ingress.ExposedPort)), Traffic: expandContainerAppIngressTraffic(ingress.TrafficWeights, appName), - IPSecurityRestrictions: expandIpSecurityRestrictions(ingress.IpSecurityRestrictions, appName), + IPSecurityRestrictions: expandIpSecurityRestrictions(ingress.IpSecurityRestrictions), } transport := containerapps.IngressTransportMethod(ingress.Transport) result.Transport = &transport @@ -611,7 +611,7 @@ func flattenContainerAppIngressTraffic(input *[]containerapps.TrafficWeight, app return result } -func expandIpSecurityRestrictions(input []IpSecurityRestriction, appName string) *[]containerapps.IPSecurityRestrictionRule { +func expandIpSecurityRestrictions(input []IpSecurityRestriction) *[]containerapps.IPSecurityRestrictionRule { if input == nil { return &[]containerapps.IPSecurityRestrictionRule{} } From 800c7880e4d978bedebea5af3faea121c0947ed5 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Mon, 13 Nov 2023 14:34:02 +0100 Subject: [PATCH 08/18] fix lints --- internal/services/containerapps/helpers/container_apps.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index abdfacabae52..59476fe5d5f7 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -464,7 +464,7 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { Schema: map[string]*pluginsdk.Schema{ "action": { Type: pluginsdk.TypeString, - Optional: false, + Required: true, ValidateFunc: validation.StringInSlice(containerapps.PossibleValuesForAction(), false), Description: "The action. Allow or Deny.", }, @@ -477,14 +477,14 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { "ip_address_range": { Type: pluginsdk.TypeString, - Optional: false, + Required: true, ValidateFunc: validation.IsCIDR, Description: "CIDR notation to match incoming IP address.", }, "name": { Type: pluginsdk.TypeString, - Optional: false, + Required: true, ValidateFunc: validation.StringIsNotEmpty, Description: "Name for the IP restriction rule.", }, From cc480ad3a7180540005c618046a34ce8dbaacb64 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 23 Nov 2023 10:28:35 +0100 Subject: [PATCH 09/18] fix review-comment Signed-off-by: David J. M. Karlsen --- internal/services/containerapps/helpers/container_apps.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 59476fe5d5f7..1d0ba893a965 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -622,7 +622,7 @@ func expandIpSecurityRestrictions(input []IpSecurityRestriction) *[]containerapp Action: containerapps.Action(v.Action), Name: v.Name, IPAddressRange: v.IpAddressRange, - Description: &v.Description, + Description: pointer.To(v.Description), } result = append(result, ipSecurityRestrictionRule) } From 039646504d9b69bb9ef576865e927abedd4f2728 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 23 Nov 2023 10:29:22 +0100 Subject: [PATCH 10/18] Fix review-comment Co-authored-by: jackofallops <11830746+jackofallops@users.noreply.github.com> --- internal/services/containerapps/helpers/container_apps.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 1d0ba893a965..526a4534d1b0 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -459,7 +459,7 @@ type IpSecurityRestriction struct { func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { return &pluginsdk.Schema{ Type: pluginsdk.TypeList, - Required: false, + Optional: true, Elem: &pluginsdk.Resource{ Schema: map[string]*pluginsdk.Schema{ "action": { From 0d08ddbf4110c79914d918ecba9338aa942e72b0 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Fri, 24 Nov 2023 16:29:49 +0100 Subject: [PATCH 11/18] fix lint Signed-off-by: David J. M. Karlsen --- internal/services/containerapps/helpers/container_apps.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 526a4534d1b0..db8c79394beb 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -430,7 +430,7 @@ func flattenContainerAppIngressIpSecurityRestrictions(input *[]containerapps.IPS result := make([]IpSecurityRestriction, 0) for _, v := range *input { ipSecurityRestriction := IpSecurityRestriction{ - Description: string(*v.Description), + Description: *v.Description, IpAddressRange: v.IPAddressRange, Action: string(v.Action), Name: v.Name, From 2e3c81e8e3c7c8db60dac242c2dc28020cd1e7e6 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Fri, 24 Nov 2023 16:52:32 +0100 Subject: [PATCH 12/18] add test --- .../container_app_resource_test.go | 116 +++++++++++++++++- 1 file changed, 110 insertions(+), 6 deletions(-) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index 541d5e1312ba..af01acf8ba1f 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -390,6 +390,42 @@ func TestAccContainerAppResource_scaleRulesUpdate(t *testing.T) { }) } +func TestAccContainerAppResource_ipSecurityRulesUpdate(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_container_app", "test") + r := ContainerAppResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.ingressSecurityRestriction(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.ingressSecurityRestrictionUpdate(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func (r ContainerAppResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { id, err := containerapps.ParseContainerAppID(state.ID) if err != nil { @@ -1205,12 +1241,6 @@ resource "azurerm_container_app" "test" { latest_revision = true percentage = 100 } - ip_security_restriction { - name = "test" - description = "test" - action = "Allow" - ip_address_range = "0.0.0.0/0" - } } registry { @@ -1672,6 +1702,80 @@ resource "azurerm_container_app" "test" { `, r.template(data), data.RandomInteger) } +func (r ContainerAppResource) ingressSecurityRestriction(data acceptance.TestData) string { + return fmt.Sprintf(` +%s + +resource "azurerm_container_app" "test" { + name = "acctest-capp-%[2]d" + resource_group_name = azurerm_resource_group.test.name + container_app_environment_id = azurerm_container_app_environment.test.id + revision_mode = "Single" + + template { + container { + name = "acctest-cont-%[2]d" + image = "jackofallops/azure-containerapps-python-acctest:v0.0.1" + cpu = 0.25 + memory = "0.5Gi" + } + } + + ingress { + target_port = 5000 + ip_security_restriction = [ + { + name = "test" + description = "test" + action = "Allow" + ip_address_range = "0.0.0.0/0" + } + ] + } +} +`, r.template(data), data.RandomInteger) +} + +func (r ContainerAppResource) ingressSecurityRestrictionUpdate(data acceptance.TestData) string { + return fmt.Sprintf(` +%s + +resource "azurerm_container_app" "test" { + name = "acctest-capp-%[2]d" + resource_group_name = azurerm_resource_group.test.name + container_app_environment_id = azurerm_container_app_environment.test.id + revision_mode = "Single" + + template { + container { + name = "acctest-cont-%[2]d" + image = "jackofallops/azure-containerapps-python-acctest:v0.0.1" + cpu = 0.25 + memory = "0.5Gi" + } + } + + ingress { + target_port = 5000 + ip_security_restriction = [ + { + name = "test" + description = "test" + action = "Allow" + ip_address_range = "0.0.0.0/0" + }, + { + name = "test2" + description = "test2" + action = "Deny" + ip_address_range = "10.0.0.0/8" + } + ] + } +} +`, r.template(data), data.RandomInteger) +} + func (r ContainerAppResource) scaleRulesUpdate(data acceptance.TestData) string { return fmt.Sprintf(` %s From a607285d8c4dba3912df5936d016f116d6282f3c Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Mon, 27 Nov 2023 09:57:40 +0100 Subject: [PATCH 13/18] fix formatting --- .../container_app_resource_test.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index af01acf8ba1f..50d0f595f5ed 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -1725,9 +1725,9 @@ resource "azurerm_container_app" "test" { target_port = 5000 ip_security_restriction = [ { - name = "test" - description = "test" - action = "Allow" + name = "test" + description = "test" + action = "Allow" ip_address_range = "0.0.0.0/0" } ] @@ -1759,15 +1759,15 @@ resource "azurerm_container_app" "test" { target_port = 5000 ip_security_restriction = [ { - name = "test" - description = "test" - action = "Allow" + name = "test" + description = "test" + action = "Allow" ip_address_range = "0.0.0.0/0" }, { - name = "test2" - description = "test2" - action = "Deny" + name = "test2" + description = "test2" + action = "Deny" ip_address_range = "10.0.0.0/8" } ] From b1987cfe12d230876b0b5f68b0a248a01e28dd14 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Tue, 28 Nov 2023 19:24:05 +0100 Subject: [PATCH 14/18] Update internal/services/containerapps/container_app_resource_test.go Co-authored-by: jackofallops <11830746+jackofallops@users.noreply.github.com> --- .../containerapps/container_app_resource_test.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index 50d0f595f5ed..c1eecd4b7f6f 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -1723,14 +1723,17 @@ resource "azurerm_container_app" "test" { ingress { target_port = 5000 - ip_security_restriction = [ - { + ip_security_restriction { name = "test" description = "test" action = "Allow" ip_address_range = "0.0.0.0/0" } - ] + + traffic_weight { + latest_revision = true + percentage = 100 + } } } `, r.template(data), data.RandomInteger) From d76578cba8f8a2c5faab2ec542bca3bc88a9ce7e Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Tue, 28 Nov 2023 19:24:21 +0100 Subject: [PATCH 15/18] Update internal/services/containerapps/container_app_resource_test.go Co-authored-by: jackofallops <11830746+jackofallops@users.noreply.github.com> --- .../container_app_resource_test.go | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index c1eecd4b7f6f..a91a193e1a86 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -1760,20 +1760,24 @@ resource "azurerm_container_app" "test" { ingress { target_port = 5000 - ip_security_restriction = [ - { - name = "test" - description = "test" - action = "Allow" - ip_address_range = "0.0.0.0/0" - }, - { - name = "test2" - description = "test2" - action = "Deny" - ip_address_range = "10.0.0.0/8" - } - ] + ip_security_restriction { + name = "test" + description = "test" + action = "Allow" + ip_address_range = "10.1.0.0/16" + } + + ip_security_restriction { + name = "test2" + description = "test2" + action = "Allow" + ip_address_range = "10.2.0.0/16" + } + + traffic_weight { + latest_revision = true + percentage = 100 + } } } `, r.template(data), data.RandomInteger) From bf6e4728a57a41db4c13b5a7a511f02de4f74f77 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Tue, 28 Nov 2023 19:24:30 +0100 Subject: [PATCH 16/18] Update website/docs/r/container_app.html.markdown Co-authored-by: jackofallops <11830746+jackofallops@users.noreply.github.com> --- website/docs/r/container_app.html.markdown | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/docs/r/container_app.html.markdown b/website/docs/r/container_app.html.markdown index a79bc7f48f47..d35e2582c9a3 100644 --- a/website/docs/r/container_app.html.markdown +++ b/website/docs/r/container_app.html.markdown @@ -365,7 +365,9 @@ A `custom_domain` block supports the following: A `ip_security_restriction` block supports the following: -* `action` - (Required) The IP-filter action. `Allow` or `Deny` +* `action` - (Required) The IP-filter action. `Allow` or `Deny`. + +~> **NOTE:** The `action` types in an all `ip_security_restriction` blocks must be the same for the `ingress`, mixing `Allow` and `Deny` rules is not currently supported by the service. * `description` - (Optional) Describe the IP restriction rule that is being sent to the container-app. From f35ac0c98076e7662cf65625ab50e526b9e85771 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Tue, 28 Nov 2023 19:26:52 +0100 Subject: [PATCH 17/18] fix formatting --- .../containerapps/container_app_resource_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go index a91a193e1a86..97b97eac25c3 100644 --- a/internal/services/containerapps/container_app_resource_test.go +++ b/internal/services/containerapps/container_app_resource_test.go @@ -1724,16 +1724,16 @@ resource "azurerm_container_app" "test" { ingress { target_port = 5000 ip_security_restriction { - name = "test" - description = "test" - action = "Allow" - ip_address_range = "0.0.0.0/0" - } + name = "test" + description = "test" + action = "Allow" + ip_address_range = "0.0.0.0/0" + } traffic_weight { latest_revision = true percentage = 100 - } + } } } `, r.template(data), data.RandomInteger) From 80b878ec1fab444f32ff574b15fd0f70f3779dac Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Tue, 28 Nov 2023 19:27:23 +0100 Subject: [PATCH 18/18] Update internal/services/containerapps/helpers/container_apps.go Co-authored-by: jackofallops <11830746+jackofallops@users.noreply.github.com> --- internal/services/containerapps/helpers/container_apps.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index db8c79394beb..9a020924f6e2 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -430,7 +430,7 @@ func flattenContainerAppIngressIpSecurityRestrictions(input *[]containerapps.IPS result := make([]IpSecurityRestriction, 0) for _, v := range *input { ipSecurityRestriction := IpSecurityRestriction{ - Description: *v.Description, + Description: pointer.From(v.Description), IpAddressRange: v.IPAddressRange, Action: string(v.Action), Name: v.Name,