From 1a1f3ad9dbf12e7633e3ec89c4d3554109714b5e Mon Sep 17 00:00:00 2001
From: Are Almaas
Date: Fri, 16 Feb 2024 15:16:23 +0100
Subject: [PATCH] fix: restrict container apps to apim ip (#448)
APIM is set up and we want to restrict incoming requests to the APIM IP to close them down for public access.
---
 .azure/applications/web-api-eu/main.bicep | 3 +++
 .azure/applications/web-api-eu/staging.bicepparam | 1 +
 .azure/applications/web-api-eu/test.bicepparam | 1 +
 .azure/applications/web-api-so/main.bicep | 3 +++
 .azure/applications/web-api-so/staging.bicepparam | 1 +
 .azure/applications/web-api-so/test.bicepparam | 1 +
 .azure/modules/containerApp/main.bicep | 9 ++++++++-
 7 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/.azure/applications/web-api-eu/main.bicep b/.azure/applications/web-api-eu/main.bicep
index 7de2ad411..aca633672 100644
--- a/.azure/applications/web-api-eu/main.bicep
+++ b/.azure/applications/web-api-eu/main.bicep
@@ -6,6 +6,8 @@ param imageTag string
 param environment string
 @minLength(3)
 param location string
+@minLength(3)
+param apimIp string
 @minLength(3)
 @secure()
@@ -64,6 +66,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
 location: location
 envVariables: containerAppEnvVars
 containerAppEnvId: containerAppEnvironment.id
+ apimIp: apimIp
 }
 }
diff --git a/.azure/applications/web-api-eu/staging.bicepparam b/.azure/applications/web-api-eu/staging.bicepparam
index fdc6bc1fa..447dcb2be 100644
--- a/.azure/applications/web-api-eu/staging.bicepparam
+++ b/.azure/applications/web-api-eu/staging.bicepparam
@@ -2,6 +2,7 @@ using './main.bicep'
 param environment = 'staging'
 param location = 'norwayeast'
+param apimIp = '51.13.86.131'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 // secrets
diff --git a/.azure/applications/web-api-eu/test.bicepparam b/.azure/applications/web-api-eu/test.bicepparam
index 3d72092e7..9df5c026b 100644
--- a/.azure/applications/web-api-eu/test.bicepparam
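Review bot: The new `param apimIp string` in web-api-eu/main.bicep (and the identical hunk in web-api-so/main.bicep) is validated only by `@minLength(3)`, which accepts any three characters, and nothing tells the reader that this value becomes the single source allowed through the ingress. I would add `@description('Public IP or CIDR of the APIM instance; it becomes the only source allowed to reach the container app ingress, every other source is denied')` above it in both files. The same literals ('51.13.86.131' for staging, '51.120.88.69' for test) are then typed by hand into four bicepparam files; if APIM is deployed from this repository, wiring the value from that deployment's output would stop the copies drifting, and if it is not, a comment such as `// APIM outbound IP, taken from <source placeholder>` next to each assignment would let the next person verify it. The `module containerApp` block that the second hunk edits starts outside the hunk.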
+++ b/.azure/applications/web-api-eu/test.bicepparam
@@ -2,6 +2,7 @@ using './main.bicep'
 param environment = 'test'
 param location = 'norwayeast'
+param apimIp = '51.120.88.69'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 // secrets
diff --git a/.azure/applications/web-api-so/main.bicep b/.azure/applications/web-api-so/main.bicep
index dcfc4eb21..e0d3a969c 100644
--- a/.azure/applications/web-api-so/main.bicep
+++ b/.azure/applications/web-api-so/main.bicep
@@ -6,6 +6,8 @@ param imageTag string
 param environment string
 @minLength(3)
 param location string
+@minLength(3)
+param apimIp string
 @minLength(3)
 @secure()
@@ -68,6 +70,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
 location: location
 envVariables: containerAppEnvVars
 containerAppEnvId: containerAppEnvironment.id
+ apimIp: apimIp
 }
 }
diff --git a/.azure/applications/web-api-so/staging.bicepparam b/.azure/applications/web-api-so/staging.bicepparam
index fdc6bc1fa..447dcb2be 100644
--- a/.azure/applications/web-api-so/staging.bicepparam
+++ b/.azure/applications/web-api-so/staging.bicepparam
@@ -2,6 +2,7 @@ using './main.bicep'
 param environment = 'staging'
 param location = 'norwayeast'
+param apimIp = '51.13.86.131'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 // secrets
diff --git a/.azure/applications/web-api-so/test.bicepparam b/.azure/applications/web-api-so/test.bicepparam
index 3d72092e7..9df5c026b 100644
--- a/.azure/applications/web-api-so/test.bicepparam
+++ b/.azure/applications/web-api-so/test.bicepparam
@@ -2,6 +2,7 @@ using './main.bicep'
 param environment = 'test'
 param location = 'norwayeast'
+param apimIp = '51.120.88.69'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 // secrets
diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep
index de91632f1..38e3b9f56 100644
--- a/.azure/modules/containerApp/main.bicep
+++ b/.azure/modules/containerApp/main.bicep
@@ -3,6 +3,7 @@ param envVariables array = []
 param port int = 8080
 param name string
 param image string
+param apimIp string
 param containerAppEnvId string
@@ -30,7 +31,13 @@ var probes = [
 var ingress = {
 targetPort: port
 external: true
- ipSecurityRestrictions: []
+ ipSecurityRestrictions: [
+ {
+ name: 'apim'
+ action: 'Allow'
+ ipAddressRange: apimIp
+ }
+ ]
 }
 resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
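Review bot: `ipAddressRange: apimIp` passes the parameter through unchanged, while the Container Apps API reference describes this field as CIDR notation; I would confirm that a bare address is accepted by the `2023-05-01` API version or normalise it with `ipAddressRange: contains(apimIp, '/') ? apimIp : '${apimIp}/32'` so that a plain IP and a range both work. Because the list now holds only an Allow rule, every other source is rejected, which is the intent but is stated nowhere; a `// Allowlist: only APIM may reach the ingress, all other sources are denied` comment above `ipSecurityRestrictions` would make the fail-closed behaviour explicit. This is a network filter in front of an ingress that stays `external: true`, not authentication of APIM: it is only as strong as the assumption that the address is dedicated to your instance (a Consumption-tier APIM instance, for example, has no dedicated outbound IP), and it has to be updated if APIM is redeployed. `param apimIp string` in the first hunk has no default, so every consumer of the module is forced to pass a value, which is the right direction; it would also benefit from an `@description` naming what the value is used for.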