From db942d950478d37980b859576b0a57f05d4bcc15 Mon Sep 17 00:00:00 2001
From: Marco Mari <130982006+mamari90@users.noreply.github.com>
Date: Thu, 21 Nov 2024 18:20:35 +0100
Subject: [PATCH] fix: Functions ip restriction configuration (#2579)
fix functions ip restriction configuration
---
src/domains/checkout-app/05_checkout_function.tf | 2 +-
src/domains/checkout-app/05_pagopa_proxy.tf | 3 ++-
src/domains/checkout-app/05_pagopa_proxy_ha.tf | 2 +-
src/domains/checkout-app/99_variables.tf | 10 ++++++++++
src/domains/checkout-app/README.md | 2 ++
src/domains/checkout-app/env/weu-dev/terraform.tfvars | 4 +++-
src/domains/checkout-app/env/weu-prod/terraform.tfvars | 4 +++-
src/domains/checkout-app/env/weu-uat/terraform.tfvars | 4 +++-
8 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/domains/checkout-app/05_checkout_function.tf b/src/domains/checkout-app/05_checkout_function.tf
index 7c0934fe5c..da63da1a37 100644
--- a/src/domains/checkout-app/05_checkout_function.tf
+++ b/src/domains/checkout-app/05_checkout_function.tf
@@ -89,7 +89,7 @@ module "checkout_function" {
allowed_subnets = [data.azurerm_subnet.apim_snet.id]
- ip_restriction_default_action = "Deny"
+ ip_restriction_default_action = var.checkout_ip_restriction_default_action
allowed_ips = []
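Review bot: Once `ip_restriction_default_action` comes from a variable, the `allowed_subnets = [data.azurerm_subnet.apim_snet.id]` allow-list two lines above stops restricting anything wherever the variable is "Allow", because traffic that matches no rule is then admitted anyway; weu-dev and weu-uat set `checkout_ip_restriction_default_action = "Allow"` in this same patch, so the function's previous hard-coded "Deny" posture is loosened in those two environments while only weu-prod keeps it. If that widening is intended, it is worth recording next to the assignment, e.g. `# "Allow" admits traffic outside allowed_subnets; use "Deny" where the function must only be reachable through APIM`, so the next reader does not assume the subnet list still gates access. How the module maps this input onto the app's ip_restriction rules is presumably the azurerm default-action semantic, but the module source is not visible here. The `module "checkout_function"` block starts and ends outside the hunk, so any other restriction rules it declares cannot be checked from this view.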
diff --git a/src/domains/checkout-app/05_pagopa_proxy.tf b/src/domains/checkout-app/05_pagopa_proxy.tf
index 775600eff7..40566faba3 100644
--- a/src/domains/checkout-app/05_pagopa_proxy.tf
+++ b/src/domains/checkout-app/05_pagopa_proxy.tf
@@ -40,13 +40,14 @@ data "azurerm_redis_cache" "pagopa_proxy_redis" {
}
+
module "pagopa_proxy_app_service" {
source = "./.terraform/modules/__v3__/app_service"
depends_on = [
module.pagopa_proxy_snet
]
- ip_restriction_default_action = "Allow"
+ ip_restriction_default_action = var.pagopa_proxy_ip_restriction_default_action
resource_group_name = data.azurerm_resource_group.pagopa_proxy_rg.name
location = var.location
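Review bot: In weu-prod this patch sets `pagopa_proxy_ip_restriction_default_action = "Deny"`, replacing the literal "Allow" removed on the line above (and the same literal in 05_pagopa_proxy_ha.tf), so traffic that matches no ip_restriction rule flips from admitted to blocked for both proxy app services in production. Whether these modules declare rules that still admit every expected caller is not visible in this hunk, so that should be confirmed against the module inputs before the prod apply rather than discovered as an outage. A one-line comment such as `# prod denies by default: every legitimate caller must match an explicit ip_restriction rule` next to the assignment would make the intent explicit. The `module "pagopa_proxy_app_service"` block continues past the hunk.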
diff --git a/src/domains/checkout-app/05_pagopa_proxy_ha.tf b/src/domains/checkout-app/05_pagopa_proxy_ha.tf
index 98714a4184..867b63e9b0 100644
--- a/src/domains/checkout-app/05_pagopa_proxy_ha.tf
+++ b/src/domains/checkout-app/05_pagopa_proxy_ha.tf
@@ -4,7 +4,7 @@ module "pagopa_proxy_app_service_ha" {
depends_on = [
module.pagopa_proxy_snet_ha
]
- ip_restriction_default_action = "Allow"
+ ip_restriction_default_action = var.pagopa_proxy_ip_restriction_default_action
resource_group_name = data.azurerm_resource_group.pagopa_proxy_rg.name
location = var.location
diff --git a/src/domains/checkout-app/99_variables.tf b/src/domains/checkout-app/99_variables.tf
index 7084bbebb7..dc99d475a0 100644
--- a/src/domains/checkout-app/99_variables.tf
+++ b/src/domains/checkout-app/99_variables.tf
@@ -278,3 +278,13 @@ variable "pagopa_proxy_ha_enabled" {
type = bool
description = "(Required) enables the deployment of pagopa proxy in HA"
}
+
+variable "checkout_ip_restriction_default_action" {
+ type = string
+ description = "(Required) The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny. "
+}
+
+variable "pagopa_proxy_ip_restriction_default_action" {
+ type = string
+ description = "(Required) The Default action for traffic that does not match any ip_restriction rule. possible values include Allow and Deny. "
+}
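Review bot: Both new variables accept any string although only "Allow" and "Deny" are meaningful, so a typo such as "allow" or "deny" in a tfvars file is only caught at apply time by the provider rather than at plan time, and for a setting that decides whether unmatched traffic is admitted that is a weak place to fail; a `validation` block on each variable pins the value set up front. The description also carries a trailing space and reads `possible values include Allow and Deny. `, which would be cleaner as `Possible values: Allow, Deny.` since those are the only accepted values. The rewritten checkout variable is shown below; the pagopa_proxy one takes the same validation with its own name in the condition and message.
```terraform
variable "checkout_ip_restriction_default_action" {
  type        = string
  description = "(Required) Default action for traffic that does not match any ip_restriction rule. Possible values: Allow, Deny."

  validation {
    condition     = contains(["Allow", "Deny"], var.checkout_ip_restriction_default_action)
    error_message = "checkout_ip_restriction_default_action must be \"Allow\" or \"Deny\"."
  }
}

# … unchanged: pagopa_proxy_ip_restriction_default_action, with the same validation block …
```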
diff --git a/src/domains/checkout-app/README.md b/src/domains/checkout-app/README.md
index 29e3a12093..9a036bafd7 100644
--- a/src/domains/checkout-app/README.md
+++ b/src/domains/checkout-app/README.md
@@ -105,6 +105,7 @@
| [checkout\_function\_sku\_tier](#input\_checkout\_function\_sku\_tier) | App service plan sku tier | `string` | `null` | no |
| [checkout\_function\_worker\_count](#input\_checkout\_function\_worker\_count) | (Optional) checkout function worker count number | `number` | `1` | no |
| [checkout\_function\_zone\_balancing\_enabled](#input\_checkout\_function\_zone\_balancing\_enabled) | (Optional) Enables zone balancing for checkout function | `bool` | `true` | no |
+| [checkout\_ip\_restriction\_default\_action](#input\_checkout\_ip\_restriction\_default\_action) | (Required) The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. | `string` | n/a | yes |
| [checkout\_pagopaproxy\_host](#input\_checkout\_pagopaproxy\_host) | pagopaproxy host | `string` | `null` | no |
| [cidr\_subnet\_checkout\_be](#input\_cidr\_subnet\_checkout\_be) | Address prefixes subnet checkout function | `list(string)` | `null` | no |
| [cidr\_subnet\_pagopa\_proxy](#input\_cidr\_subnet\_pagopa\_proxy) | Address prefixes subnet proxy | `list(string)` | `null` | no |
@@ -127,6 +128,7 @@
| [pagopa\_proxy\_autoscale\_maximum](#input\_pagopa\_proxy\_autoscale\_maximum) | The maximum number of instances for this resource. | `number` | `10` | no |
| [pagopa\_proxy\_autoscale\_minimum](#input\_pagopa\_proxy\_autoscale\_minimum) | The minimum number of instances for this resource. | `number` | `1` | no |
| [pagopa\_proxy\_ha\_enabled](#input\_pagopa\_proxy\_ha\_enabled) | (Required) enables the deployment of pagopa proxy in HA | `bool` | n/a | yes |
+| [pagopa\_proxy\_ip\_restriction\_default\_action](#input\_pagopa\_proxy\_ip\_restriction\_default\_action) | (Required) The Default action for traffic that does not match any ip\_restriction rule. possible values include Allow and Deny. | `string` | n/a | yes |
| [pagopa\_proxy\_plan\_sku](#input\_pagopa\_proxy\_plan\_sku) | (Required) pagopa proxy app service sku name | `string` | n/a | yes |
| [pagopa\_proxy\_vnet\_integration](#input\_pagopa\_proxy\_vnet\_integration) | (Optional) enables vnet integration for pagopa proxy app service | `bool` | `true` | no |
| [pagopa\_proxy\_zone\_balance\_enabled](#input\_pagopa\_proxy\_zone\_balance\_enabled) | (Optional) enables zone balancing for pagopa proxy app service | `bool` | `true` | no |
diff --git a/src/domains/checkout-app/env/weu-dev/terraform.tfvars b/src/domains/checkout-app/env/weu-dev/terraform.tfvars
index dbf0579231..bd633f5e62 100644
--- a/src/domains/checkout-app/env/weu-dev/terraform.tfvars
+++ b/src/domains/checkout-app/env/weu-dev/terraform.tfvars
@@ -55,4 +55,6 @@ checkout_function_autoscale_default = 1
checkout_function_zone_balancing_enabled = false
# ecommerce ingress hostname
-ecommerce_ingress_hostname = "weudev.ecommerce.internal.dev.platform.pagopa.it"
+ecommerce_ingress_hostname = "weudev.ecommerce.internal.dev.platform.pagopa.it"
+checkout_ip_restriction_default_action = "Allow"
+pagopa_proxy_ip_restriction_default_action = "Allow"
diff --git a/src/domains/checkout-app/env/weu-prod/terraform.tfvars b/src/domains/checkout-app/env/weu-prod/terraform.tfvars
index 098eaedfcb..39cf2e47eb 100644
--- a/src/domains/checkout-app/env/weu-prod/terraform.tfvars
+++ b/src/domains/checkout-app/env/weu-prod/terraform.tfvars
@@ -68,4 +68,6 @@ function_app_storage_account_info = {
advanced_threat_protection_enable = true
}
-checkout_cdn_storage_replication_type = "GZRS"
+checkout_cdn_storage_replication_type = "GZRS"
+checkout_ip_restriction_default_action = "Deny"
+pagopa_proxy_ip_restriction_default_action = "Deny"
diff --git a/src/domains/checkout-app/env/weu-uat/terraform.tfvars b/src/domains/checkout-app/env/weu-uat/terraform.tfvars
index 0fd80d8455..de7b9e9b09 100644
--- a/src/domains/checkout-app/env/weu-uat/terraform.tfvars
+++ b/src/domains/checkout-app/env/weu-uat/terraform.tfvars
@@ -55,4 +55,6 @@ checkout_function_autoscale_default = 1
checkout_function_zone_balancing_enabled = false
# ecommerce ingress hostname
-ecommerce_ingress_hostname = "weuuat.ecommerce.internal.uat.platform.pagopa.it"
+ecommerce_ingress_hostname = "weuuat.ecommerce.internal.uat.platform.pagopa.it"
+checkout_ip_restriction_default_action = "Allow"
+pagopa_proxy_ip_restriction_default_action = "Allow"