diff --git a/internal/services/appservice/helpers/logic_apps.go b/internal/services/appservice/helpers/logic_apps.go index 3a16d4c8250d..0a41e5337556 100644 --- a/internal/services/appservice/helpers/logic_apps.go +++ b/internal/services/appservice/helpers/logic_apps.go @@ -32,6 +32,7 @@ type LogicAppSiteConfig struct { DotnetFrameworkVersion string `tfschema:"dotnet_framework_version"` VNETRouteAllEnabled bool `tfschema:"vnet_route_all_enabled"` AutoSwapSlotName string `tfschema:"auto_swap_slot_name"` + IpRestrictionDefaultAction string `tfschema:"ip_restriction_default_action"` PublicNetworkAccessEnabled bool `tfschema:"public_network_access_enabled,removedInNextMajorVersion"` } @@ -189,6 +190,12 @@ func SchemaLogicAppStandardSiteConfig() *pluginsdk.Schema { Computed: true, }, + "ip_restriction_default_action": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(webapps.PossibleValuesForDefaultAction(), false), + }, + "auto_swap_slot_name": { Type: pluginsdk.TypeString, Computed: true, diff --git a/internal/services/logic/logic_app_standard_data_source.go b/internal/services/logic/logic_app_standard_data_source.go index ff7231d95fdb..6876ff202c06 100644 --- a/internal/services/logic/logic_app_standard_data_source.go +++ b/internal/services/logic/logic_app_standard_data_source.go @@ -426,6 +426,8 @@ func flattenLogicAppStandardDataSourceSiteConfig(input *webapps.SiteConfig) []in result["vnet_route_all_enabled"] = pointer.From(input.VnetRouteAllEnabled) + result["ip_restriction_default_action"] = string(pointer.From(input.IPSecurityRestrictionsDefaultAction)) + results = append(results, result) return results } @@ -593,6 +595,11 @@ func schemaLogicAppStandardSiteConfigDataSource() *pluginsdk.Schema { Type: pluginsdk.TypeString, Computed: true, }, + + "ip_restriction_default_action": { + Type: pluginsdk.TypeString, + Computed: true, + }, }, }, } 
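Review bot: In `SchemaLogicAppStandardSiteConfig`, `ip_restriction_default_action` is `Optional` with no `Computed` or `Default`, although the resource docs in this change say the service chooses `Allow` or `Deny` itself when the attribute is omitted. The resource flatten writes the API value back into state, so an omitted attribute will probably produce a diff on every plan, and removing the attribute cannot be told apart from asking for the service default. Consider adding `Computed: true,` next to `Optional: true,`, with a comment such as `// service picks Allow with no ip_restriction rules, Deny otherwise`. The schema function starts and ends outside the hunk.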
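Review bot: A point of style in `flattenLogicAppStandardDataSourceSiteConfig`: the enum is converted with `string(pointer.From(...))`, while the resource flatten in this same change uses `pointer.FromEnum`. Using one form in both keeps the two read paths easy to compare, `result["ip_restriction_default_action"] = pointer.FromEnum(input.IPSecurityRestrictionsDefaultAction)`. The function body starts outside the hunk, so whether `input` is nil-checked before this line is not visible here.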
diff --git a/internal/services/logic/logic_app_standard_resource.go b/internal/services/logic/logic_app_standard_resource.go index 9e4705990535..07f5ea9cb584 100644 --- a/internal/services/logic/logic_app_standard_resource.go +++ b/internal/services/logic/logic_app_standard_resource.go @@ -983,6 +983,8 @@ func flattenLogicAppStandardSiteConfig(input *webapps.SiteConfig) []helpers.Logi result.VNETRouteAllEnabled = pointer.From(input.VnetRouteAllEnabled) + result.IpRestrictionDefaultAction = pointer.FromEnum(input.IPSecurityRestrictionsDefaultAction) + if !features.FivePointOh() { result.PublicNetworkAccessEnabled = strings.EqualFold(pointer.From(input.PublicNetworkAccess), helpers.PublicNetworkAccessEnabled) } @@ -1110,6 +1112,8 @@ func expandLogicAppStandardSiteConfigForCreate(d []helpers.LogicAppSiteConfig, m siteConfig.PublicNetworkAccess = pointer.To(reconcilePNA(metadata)) } + siteConfig.IPSecurityRestrictionsDefaultAction = pointer.ToEnum[webapps.DefaultAction](config.IpRestrictionDefaultAction) + return siteConfig, nil } @@ -1212,6 +1216,10 @@ func expandLogicAppStandardSiteConfigForUpdate(d []helpers.LogicAppSiteConfig, m siteConfig.AppSettings = mergeAppSettings(appSettings, o.(map[string]interface{}), n.(map[string]interface{}), metadata) } + if metadata.ResourceData.HasChange("site_config.0.ip_restriction_default_action") { + siteConfig.IPSecurityRestrictionsDefaultAction = pointer.ToEnum[webapps.DefaultAction](config.IpRestrictionDefaultAction) + } + return siteConfig, nil } diff --git a/internal/services/logic/logic_app_standard_resource_test.go b/internal/services/logic/logic_app_standard_resource_test.go index 0e4ee973c85d..aa63e78d0354 100644 --- a/internal/services/logic/logic_app_standard_resource_test.go +++ b/internal/services/logic/logic_app_standard_resource_test.go 
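Review bot: The assignment in `expandLogicAppStandardSiteConfigForCreate` is unconditional, so when `ip_restriction_default_action` is omitted, `config.IpRestrictionDefaultAction` is the empty string and `pointer.ToEnum[webapps.DefaultAction]` presumably returns a non-nil pointer to a value outside `PossibleValuesForDefaultAction()`. Whether the API treats `""` as unset is not visible here, and this field decides whether traffic matching no `ip_restriction` rule is allowed or denied, so it should not depend on that. Guard the assignment: `if config.IpRestrictionDefaultAction != "" { siteConfig.IPSecurityRestrictionsDefaultAction = pointer.ToEnum[webapps.DefaultAction](config.IpRestrictionDefaultAction) }`. The same applies in `expandLogicAppStandardSiteConfigForUpdate`, where `HasChange` also fires when the attribute is removed from configuration and the new value is again `""`. Both functions start outside their hunks.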
@@ -1666,7 +1666,8 @@ resource "azurerm_logic_app_standard" "test" { storage_account_access_key = azurerm_storage_account.test.primary_access_key site_config { - min_tls_version = 1.2 + min_tls_version = 1.2 + ip_restriction_default_action = "Allow" ip_restriction { ip_address = "10.10.10.10/32" name = "test-restriction" diff --git a/website/docs/d/logic_app_standard.html.markdown b/website/docs/d/logic_app_standard.html.markdown index 7fe691250114..0454b738334f 100644 --- a/website/docs/d/logic_app_standard.html.markdown +++ b/website/docs/d/logic_app_standard.html.markdown @@ -133,6 +133,8 @@ The `site_config` block exports the following: * `ip_restriction` - A list of `ip_restriction` objects representing IP restrictions as defined below. +* `ip_restriction_default_action` - The default action taken when no `ip_restriction` rules match. + * `scm_ip_restriction` - A list of `scm_ip_restriction` objects representing SCM IP restrictions as defined below. * `scm_use_main_ip_restriction` - Should the Logic App `ip_restriction` configuration be used for the SCM too. diff --git a/website/docs/r/logic_app_standard.html.markdown b/website/docs/r/logic_app_standard.html.markdown index bbc690f635ad..959bbd7c75c6 100644 --- a/website/docs/r/logic_app_standard.html.markdown +++ b/website/docs/r/logic_app_standard.html.markdown 
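Review bot: The only value this test configuration exercises is `ip_restriction_default_action = "Allow"`, set next to an `ip_restriction` rule, so the restrictive setting is untested in the visible change. A second configuration with `ip_restriction_default_action = "Deny"` and an update step between the two would cover both enum values and the `HasChange` branch in the update expander. A step that omits the attribute would also pin down the implicit default described in the resource docs. Other test cases may exist outside this hunk.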
@@ -203,6 +203,10 @@ The `site_config` block supports the following: -> **Note:** User has to explicitly set `ip_restriction` to empty slice (`[]`) to remove it. +* `ip_restriction_default_action` - (Optional) The action to take when no `ip_restriction` rules match. Possible values are `Allow` and `Deny`. + +-> **Note:** If `ip_restriction_default_action` is not configured, it is implicitly set to `Allow` when no `ip_restriction` rules are defined and `Deny` when at least one `ip_restriction` rule is defined. + * `scm_ip_restriction` - (Optional) A list of `scm_ip_restriction` objects representing SCM IP restrictions as defined below. -> **Note:** User has to explicitly set `scm_ip_restriction` to empty slice (`[]`) to remove it.