linux_web_app: PUT request does not include ipSecurityRestrictionsDefaultAction property on resource update #25517

Open
1 task done
andaryjo opened this issue Apr 4, 2024 · 0 comments


andaryjo commented Apr 4, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.4

AzureRM Provider Version

3.97.1

Affected Resource(s)/Data Source(s)

azurerm_linux_web_app

Terraform Configuration Files

resource "azurerm_linux_web_app" "mustsucceed" {
  name                = "policytestrandom2"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = azurerm_service_plan.plan.location
  service_plan_id     = azurerm_service_plan.plan.id

  public_network_access_enabled = true

  site_config {
    ip_restriction_default_action     = "Deny"
    scm_ip_restriction_default_action = "Deny"

    ip_restriction {
      name       = "valid rule"
      action     = "Allow"
      priority   = 100
      ip_address = "1.1.1.1/32"
    }
  }
}

Debug Output/Panic Output

...

{"id":"/subscriptions/xxx/resourceGroups/rg-spoke/providers/Microsoft.Web/sites/policytestqdtxfj2","kind":"app,linux","location":"France Central","name":"policytestqdtxfj2","properties":{"availabilityState":"Normal","clientAffinityEnabled":false,"clientCertEnabled":false,"clientCertMode":"Required","containerSize":0,"customDomainVerificationId":"D8E56DE0A38E304A9F1C8F9396E862CED024F77D2560B1BC54DD81B1EEA61D50","dailyMemoryTimeQuota":0,"defaultHostName":"policytestqdtxfj2.azurewebsites.net","enabled":true,"enabledHostNames":["policytestqdtxfj2.azurewebsites.net","policytestqdtxfj2.scm.azurewebsites.net"],"httpsOnly":false,"hostNameSslStates":[{"hostType":"Standard","name":"policytestqdtxfj2.azurewebsites.net","sslState":"Disabled"},{"hostType":"Repository","name":"policytestqdtxfj2.scm.azurewebsites.net","sslState":"Disabled"}],"hostNames":["policytestqdtxfj2.azurewebsites.net"],"hostNamesDisabled":false,"hyperV":false,"isXenon":false,"keyVaultReferenceIdentity":"SystemAssigned","lastModifiedTimeUtc":"2024-04-04T22:05:19.27","outboundIpAddresses":"20.19.106.11,20.19.106.85,20.19.106.95,20.19.106.96,20.19.106.101,20.19.106.103,20.111.1.12","possibleOutboundIpAddresses":"20.19.104.108,20.19.104.246,20.19.105.79,20.19.105.111,20.19.105.235,20.19.106.1,20.19.106.11,20.19.106.85,20.19.106.95,20.19.106.96,20.19.106.101,20.19.106.103,20.19.106.106,20.19.106.108,20.19.106.120,20.74.115.97,20.19.106.128,20.19.106.130,20.19.106.132,20.19.106.137,20.19.106.139,20.19.106.143,20.74.118.32,20.74.27.96,20.111.1.12","publicNetworkAccess":"Enabled","redundancyMode":"None","repositorySiteName":"policytestqdtxfj2","reserved":true,"resourceGroup":"rg-spoke","scmSiteAlsoStopped":false,"serverFarmId":"/subscriptions/xxx/resourceGroups/rg-spoke/providers/Microsoft.Web/serverfarms/policytestqdtxfj","siteConfig":{"acrUseManagedIdentityCreds":false,"alwaysOn":true,"autoHealEnabled":false,"functionAppScaleLimit":0,"http20Enabled":false,"ipSecurityRestrictions":[{"action":"Allow","ipAddress":"1.1.1.1/32","name":"valid rule","priority":100},{"action":"Deny","ipAddress":"3.3.3.3/32","name":"valid rule 3","priority":100}],"linuxFxVersion":"","localMySqlEnabled":false,"minimumElasticInstanceCount":0,"numberOfWorkers":1,"remoteDebuggingEnabled":false,"scmIpSecurityRestrictionsUseMain":false,"use32BitWorkerProcess":true,"vnetRouteAllEnabled":false,"webSocketsEnabled":false},"state":"Running","storageAccountRequired":false,"usageState":"Normal","vnetContentShareEnabled":false,"vnetImagePullEnabled":false,"vnetRouteAllEnabled":false},"type":"Microsoft.Web/sites"}: timestamp="2024-04-05T00:12:35.298+0200"
2024-04-05T00:12:35.300+0200 [DEBUG] provider.terraform-provider-azurerm: PUT https://management.azure.com/subscriptions/xxx/resourceGroups/rg-spoke/providers/Microsoft.Web/sites/policytestqdtxfj2?api-version=2023-01-01: timestamp="2024-04-05T00:12:35.298+0200"
2024-04-05T00:12:35.938+0200 [DEBUG] provider.terraform-provider-azurerm: AzureRM Response for https://management.azure.com/subscriptions/xxx/resourceGroups/rg-spoke/providers/Microsoft.Web/sites/policytestqdtxfj2?api-version=2023-01-01:
HTTP/2.0 403 Forbidden

...

Expected Behaviour

The Terraform provider performs an update on the Web App resource. Since it uses a PUT request for that, it should include the ipSecurityRestrictionsDefaultAction property which got recently introduced in #25131.

We are using Azure Policies to validate that App Services always have the default action set to "Deny" in case the resource has public network access enabled. Azure Policies in "deny" mode can only evaluate the payload of the deployment request, not the actual current resource configuration in case the resource already exists. If a Web App already has ipSecurityRestrictionsDefaultAction set to "Deny", but PUT API requests updating that resource don't include the property, there is no way for the policy framework to evaluate it.

This behavior is limited to PUT requests. If you were to use a PATCH request, the Azure Management API would calculate the diff on the existing resource before handing over the deployment request to the policy evaluation framework (at least that is my understanding, which might be wrong, since there is no documentation whatsoever on this).

Bottom line is: If you do PUT requests, you have to include ALL resource properties in the request and the Azure Policy framework expects you to do so. This is in line with RFC 5789.

Note that I have been trying to explain that at length back in #24519 (comment) before that PR got closed.

Actual Behaviour

The Terraform provider only includes the ipSecurityRestrictionsDefaultAction property in its PUT request when you change it. Same goes for scmIpSecurityRestrictionsDefaultAction.

Steps to Reproduce

Deploy an azurerm_linux_web_app resource with public_network_access_enabled = true and ip_restriction_default_action = "Deny".

Set the log level to debug.

Update some properties in the azurerm_linux_web_app resource. The logged PUT request won't include the ip_restriction_default_action property.

Important Factoids

No response

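The following is an added illustration of the point the issue makes about payload-only policy evaluation; it is not code from the issue, from the azurerm provider, or from Azure Policy itself. It models a deny-effect policy rule of the kind described (public network access enabled and ipSecurityRestrictionsDefaultAction not "Deny"), evaluates it against two constructed PUT bodies for the same Web App, and shows that the body which drops the unchanged default-action field is rejected even though the stored resource is compliant. The policy rule, the simplified alias resolution, the "missing field counts as not equal" semantics, the sample resource and the body-building helpers are all assumptions made for this example.

```python
"""Toy model of Azure Policy deny-mode evaluation over an ARM PUT payload.

Constructed illustration, not the azurerm provider's code and not the real
policy engine: the rule, the alias handling, the missing-field semantics and
the sample resource below are assumptions made for the demonstration.
"""
import copy
from typing import Any, Dict

# Constructed sample of the Web App as it already exists in Azure, reduced to
# the properties the demonstration needs (a real site carries many more).
CURRENT_RESOURCE: Dict[str, Any] = {
    "type": "Microsoft.Web/sites",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "httpsOnly": False,
        "siteConfig": {
            "ipSecurityRestrictionsDefaultAction": "Deny",
            "scmIpSecurityRestrictionsDefaultAction": "Deny",
            "ipSecurityRestrictions": [
                {"name": "valid rule", "action": "Allow",
                 "priority": 100, "ipAddress": "1.1.1.1/32"},
            ],
        },
    },
}

# Constructed rule in the shape of an Azure Policy "policyRule" block: deny a
# site whose public network access is enabled unless the inbound default
# action is "Deny".
POLICY_RULE: Dict[str, Any] = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites"},
        {"field": "Microsoft.Web/sites/publicNetworkAccess", "equals": "Enabled"},
        {"field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictionsDefaultAction",
         "notEquals": "Deny"},
    ]},
    "then": {"effect": "deny"},
}

# The two fields the issue says the provider only sends when they change.
OMITTED_UNLESS_CHANGED = ("ipSecurityRestrictionsDefaultAction",
                          "scmIpSecurityRestrictionsDefaultAction")


def resolve_field(body: Dict[str, Any], field: str) -> Any:
    """Simplified alias resolution (assumption): 'type' is the top-level type,
    'Microsoft.Web/sites/<path>' is walked as a dotted path under 'properties'.
    Returns None when the path is absent from the request body."""
    if field == "type":
        return body.get("type")
    prefix = "Microsoft.Web/sites/"
    if not field.startswith(prefix):
        raise ValueError(f"unsupported alias: {field}")
    node: Any = body.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_holds(cond: Dict[str, Any], body: Dict[str, Any]) -> bool:
    """Evaluate one condition against the payload only, never the stored resource."""
    if "allOf" in cond:
        return all(condition_holds(c, body) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, body) for c in cond["anyOf"])
    value = resolve_field(body, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        # Assumed semantics: a field absent from the payload is "not equal" to
        # anything, so an omitted default action trips the deny rule.
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule: Dict[str, Any], body: Dict[str, Any]) -> str:
    """Return the rule's effect ('deny') when its if-block matches, else 'allow'."""
    return rule["then"]["effect"] if condition_holds(rule["if"], body) else "allow"


def _merge(dst: Dict[str, Any], src: Dict[str, Any]) -> Dict[str, Any]:
    """Recursive dict merge so a siteConfig change does not wipe its siblings."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _merge(dst[key], value)
        else:
            dst[key] = copy.deepcopy(value)
    return dst


def full_put_body(current: Dict[str, Any], changes: Dict[str, Any]) -> Dict[str, Any]:
    """PUT body carrying the whole current resource plus the changes, which is
    what PUT semantics (RFC 5789) and a payload-only policy evaluation expect."""
    body = copy.deepcopy(current)
    _merge(body["properties"], changes)
    return body


def provider_put_body(current: Dict[str, Any], changes: Dict[str, Any]) -> Dict[str, Any]:
    """Model of the reported behaviour: the full body is sent, except that the
    default-action fields are dropped unless the change set touches them."""
    body = full_put_body(current, changes)
    changed_site_config = changes.get("siteConfig", {})
    for key in OMITTED_UNLESS_CHANGED:
        if key not in changed_site_config:
            body["properties"]["siteConfig"].pop(key, None)
    return body


if __name__ == "__main__":
    change = {"httpsOnly": True}  # an unrelated update to a compliant site
    print("provider-style body:", evaluate(POLICY_RULE, provider_put_body(CURRENT_RESOURCE, change)))
    print("complete PUT body:  ", evaluate(POLICY_RULE, full_put_body(CURRENT_RESOURCE, change)))
```

Running the script shows the asymmetry the issue describes: the same httpsOnly change is denied when the default-action field is left out of the body and allowed when the complete resource is sent, because the evaluator only ever sees the payload. Flipping the field to "Allow" in a complete body is denied as intended, and a body with public network access disabled passes regardless of the field.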