From 354ebe6c90d9588ae192ad153cbe9acb8125108a Mon Sep 17 00:00:00 2001
From: sugar-cat7
Date: Sun, 14 Apr 2024 01:35:30 +0900
Subject: [PATCH 1/4] fix: allows IP restrictions without requiring CIDR
---
 .../container_app_resource_test.go | 44 +++++++++++++++++++
 .../containerapps/helpers/container_apps.go | 2 +-
 internal/tf/validation/pluginsdk.go | 15 +++++++
 3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/internal/services/containerapps/container_app_resource_test.go b/internal/services/containerapps/container_app_resource_test.go
index 0c94934914cc..94b1cda1da32 100644
--- a/internal/services/containerapps/container_app_resource_test.go
+++ b/internal/services/containerapps/container_app_resource_test.go
@@ -526,6 +526,13 @@ func TestAccContainerAppResource_ipSecurityRulesUpdate(t *testing.T) {
 ),
 },
 data.ImportStep(),
+ {
+ Config: r.ingressSecurityRestrictionNotIncludedCIDR(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
 {
 Config: r.basic(data),
 Check: acceptance.ComposeTestCheckFunc(
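Review bot: The added step asserts only `ExistsInAzure`, so it shows that a prefix-less value gets through validation and the API call, not that the restriction was recorded with the value that was configured. For an access-control rule it is worth pinning the stored value too, for example `check.That(data.ResourceName).Key("ingress.0.ip_security_restriction.0.ip_address_range").HasValue("10.1.0.0"),` inside the same `ComposeTestCheckFunc`. The attribute path is inferred from the block names in the test config and should be confirmed against the schema. The enclosing test function starts and ends outside this hunk.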
@@ -2487,6 +2494,43 @@ resource "azurerm_container_app" "test" { `, r.template(data), data.RandomInteger) } +func (r ContainerAppResource) ingressSecurityRestrictionNotIncludedCIDR(data acceptance.TestData) string { + return fmt.Sprintf(` +%s + +resource "azurerm_container_app" "test" { + name = "acctest-capp-%[2]d" + resource_group_name = azurerm_resource_group.test.name + container_app_environment_id = azurerm_container_app_environment.test.id + revision_mode = "Single" + + template { + container { + name = "acctest-cont-%[2]d" + image = "jackofallops/azure-containerapps-python-acctest:v0.0.1" + cpu = 0.25 + memory = "0.5Gi" + } + } + + ingress { + target_port = 5000 + ip_security_restriction { + name = "test" + description = "test" + action = "Allow" + ip_address_range = "10.1.0.0" + } + + traffic_weight { + latest_revision = true + percentage = 100 + } + } +} +`, r.template(data), data.RandomInteger) +} + func (r ContainerAppResource) scaleRulesUpdate(data acceptance.TestData) string { return fmt.Sprintf(` %s diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 707bcf28ac41..96119ea4c97b 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -484,7 +484,7 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { "ip_address_range": { Type: pluginsdk.TypeString, Required: true, - ValidateFunc: validation.IsCIDR, + ValidateFunc: validation.IsIPAddressOrCIDR, Description: "CIDR notation to match incoming IP address.", }, diff --git a/internal/tf/validation/pluginsdk.go b/internal/tf/validation/pluginsdk.go index fa739cec9560..59bfd78b54fd 100644 --- a/internal/tf/validation/pluginsdk.go +++ b/internal/tf/validation/pluginsdk.go 
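Review bot: In `ingressSecurityRestrictionNotIncludedCIDR` the fixture value `ip_address_range = "10.1.0.0"` reads as a network base address rather than a host, which blurs what the test is meant to prove, namely that a single address without a prefix length is accepted. A value that is unmistakably a host, plus a comment above the function such as `// ingressSecurityRestrictionNotIncludedCIDR configures an ip_security_restriction whose ip_address_range is a bare IP address (no prefix length).`, would make the intent clear. Nothing in this change shows that a malformed value is still rejected at plan time; a small table-driven unit test of the validator would cover that without a live deployment.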
@@ -143,6 +143,21 @@ func IsIPv6Address(i interface{}, k string) ([]string, []error) { return validation.IsIPv6Address(i, k) } +// IsIPAddressOrCIDR validates if the input is either a valid IP address or a CIDR notation +func IsIPAddressOrCIDR(i interface{}, k string) ([]string, []error) { + warningsIP, errorsIP := IsIPAddress(i, k) + if len(errorsIP) == 0 { + return warningsIP, nil + } + + warningsCIDR, errorsCIDR := IsCIDR(i, k) + if len(errorsCIDR) == 0 { + return warningsCIDR, nil + } + + return append(warningsIP, warningsCIDR...), append(errorsIP, errorsCIDR...) +} + // IsMonth id a SchemaValidateFunc which tests if the provided value is of type string and a valid english month func IsMonth(ignoreCase bool) func(interface{}, string) ([]string, []error) { return validation.IsMonth(ignoreCase) From 36498b6fe62668ed139119bd1bf9e7c5f39bde9b Mon Sep 17 00:00:00 2001 From: sugar-cat7 Date: Mon, 15 Apr 2024 21:19:41 +0900 Subject: [PATCH 2/4] fix: Modify to use the validation utility --- internal/services/containerapps/helpers/container_apps.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 96119ea4c97b..9d3f1613e20d 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go @@ -484,7 +484,7 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { "ip_address_range": { Type: pluginsdk.TypeString, Required: true, - ValidateFunc: validation.IsIPAddressOrCIDR, + ValidateFunc: validation.Any(validation.IsCIDR, validation.IsIPAddress), Description: "CIDR notation to match incoming IP address.", }, From 004312f6fd96d5005f9ca9a17f04e629b2aa8d45 Mon Sep 17 00:00:00 2001 
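Review bot: On the `ip_address_range` field in container_apps.go, `validation.Any(validation.IsCIDR, validation.IsIPAddress)` accepts IPv6 as well as IPv4 input, because the SDK validators behind these wrappers parse both address families. If the Container Apps ingress restriction takes IPv4 only (not visible here, worth confirming against the service documentation), an IPv6 literal would pass validation and fail only at apply. In that case the second validator could be narrowed, e.g. `validation.Any(validation.IsCIDR, validation.IsIPv4Address)`, assuming the wrapper package exposes `IsIPv4Address` alongside the `IsIPv6Address` visible in pluginsdk.go. `ContainerAppIngressIpSecurityRestriction` starts and ends outside this hunk.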
From: sugar-cat7 Date: Mon, 15 Apr 2024 21:20:52 +0900 Subject: [PATCH 3/4] remove: unnecessary functions --- internal/tf/validation/pluginsdk.go | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/internal/tf/validation/pluginsdk.go b/internal/tf/validation/pluginsdk.go index 59bfd78b54fd..fa739cec9560 100644 --- a/internal/tf/validation/pluginsdk.go +++ b/internal/tf/validation/pluginsdk.go @@ -143,21 +143,6 @@ func IsIPv6Address(i interface{}, k string) ([]string, []error) { return validation.IsIPv6Address(i, k) } -// IsIPAddressOrCIDR validates if the input is either a valid IP address or a CIDR notation -func IsIPAddressOrCIDR(i interface{}, k string) ([]string, []error) { - warningsIP, errorsIP := IsIPAddress(i, k) - if len(errorsIP) == 0 { - return warningsIP, nil - } - - warningsCIDR, errorsCIDR := IsCIDR(i, k) - if len(errorsCIDR) == 0 { - return warningsCIDR, nil - } - - return append(warningsIP, warningsCIDR...), append(errorsIP, errorsCIDR...) -} - // IsMonth id a SchemaValidateFunc which tests if the provided value is of type string and a valid english month func IsMonth(ignoreCase bool) func(interface{}, string) ([]string, []error) { return validation.IsMonth(ignoreCase) From b7e7568f453883675f644e7c5954ec9fe72b2f37 Mon Sep 17 00:00:00 2001 From: sugar-cat7 Date: Mon, 15 Apr 2024 21:33:43 +0900 Subject: [PATCH 4/4] chore: modify docs and description --- internal/services/containerapps/helpers/container_apps.go | 2 +- website/docs/r/container_app.html.markdown | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go index 9d3f1613e20d..c516c022a7f3 100644 --- a/internal/services/containerapps/helpers/container_apps.go +++ b/internal/services/containerapps/helpers/container_apps.go 
@@ -485,7 +485,7 @@ func ContainerAppIngressIpSecurityRestriction() *pluginsdk.Schema { Type: pluginsdk.TypeString, Required: true, ValidateFunc: validation.Any(validation.IsCIDR, validation.IsIPAddress), - Description: "CIDR notation to match incoming IP address.", + Description: "The incoming IP address or range of IP addresses (in CIDR notation).", }, "name": { diff --git a/website/docs/r/container_app.html.markdown b/website/docs/r/container_app.html.markdown index 71b094be586c..348e965dbb0e 100644 --- a/website/docs/r/container_app.html.markdown +++ b/website/docs/r/container_app.html.markdown @@ -413,7 +413,7 @@ A `ip_security_restriction` block supports the following: * `description` - (Optional) Describe the IP restriction rule that is being sent to the container-app. -* `ip_address_range` - (Required) CIDR notation to match incoming IP address. +* `ip_address_range` - (Required) The incoming IP address or range of IP addresses (in CIDR notation). * `name` - (Required) Name for the IP restriction rule.
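Review bot: The new `Description` on `ip_address_range` in container_apps.go says an address or a range is accepted, but not what a bare address matches. Presumably a value without a prefix length covers exactly that one address; if so, a user who writes a network base address expecting the whole network gets a much narrower `Allow` or `Deny` rule than intended, with no warning at plan time. Stating it in the text would help, e.g. `Description: "A single incoming IP address, or a range of IP addresses in CIDR notation. A value without a prefix length matches only that address.",`, and the same sentence fits the `ip_address_range` bullet in container_app.html.markdown. The single-host interpretation is an assumption to confirm against the service before it is worded as fact. The schema function starts and ends outside this hunk.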