
Support for publicNetworkAccess switch #23809

Closed
1 task done
ishanslab opened this issue Nov 7, 2023 · 7 comments · Fixed by #27913

Comments

ishanslab commented Nov 7, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

azurerm_logic_app_standard does not have an argument to control Public Network Access.
Can we add an argument like public_network_access which can be set to true or false to control the public access?

New or Affected Resource(s)/Data Source(s)

azurerm_logic_app_standard

Potential Terraform Configuration

resource "azurerm_logic_app_standard" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  public_network_access      = "false"

  site_config {
    linux_fx_version = "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-appservice"
  }

  app_settings = {
    "DOCKER_REGISTRY_SERVER_URL"      = "https://<server-name>.azurecr.io"
    "DOCKER_REGISTRY_SERVER_USERNAME" = "username"
    "DOCKER_REGISTRY_SERVER_PASSWORD" = "password"
  }

}

References

No response

@rcskosir
Contributor

Thank you for taking the time to open this feature request!


gettek commented Jan 15, 2024

This was thankfully introduced in v3.86.0 (see #24257).

But please correct me if I'm wrong @mbfrahry; public_network_access_enabled unfortunately needs setting on both siteProperties & siteConfig (Azure/azure-rest-api-specs#24681), same as in function apps (and potentially other app services).

It is currently only set on siteConfig which I believe is causing the Policy failures:

if v, ok := config["public_network_access_enabled"]; ok {
	pna := helpers.PublicNetworkAccessEnabled
	if !v.(bool) {
		pna = helpers.PublicNetworkAccessDisabled
	}
	siteConfig.PublicNetworkAccess = pointer.To(pna)
}
existing.SiteConfig.AppSettings = helpers.MergeUserAppSettings(siteConfig.AppSettings, state.AppSettings)

if metadata.ResourceData.HasChange("public_network_access_enabled") {
	pna := helpers.PublicNetworkAccessEnabled
	if !state.PublicNetworkAccess {
		pna = helpers.PublicNetworkAccessDisabled
	}

	// (@jackofallops) - Values appear to need to be set in both SiteProperties and SiteConfig for now? https://github.com/Azure/azure-rest-api-specs/issues/24681
	existing.PublicNetworkAccess = pointer.To(pna)
	existing.SiteConfig.PublicNetworkAccess = existing.PublicNetworkAccess
}
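
To make the "both places" point concrete, here is an added Go check written for this thread; it is not provider code and not part of the original comment. It parses a Microsoft.Web/sites request body and reports whether publicNetworkAccess is set to Disabled at both properties.publicNetworkAccess and properties.siteConfig.publicNetworkAccess. The struct models only those fields, the sample bodies are constructed, and the field paths are the ones named in the comment above and in the policy evaluation details reported later in this thread (path "properties.publicNetworkAccess").

```go
package main

import (
	"encoding/json"
	"fmt"
)

// siteBody models only the subset of a Microsoft.Web/sites request body that
// matters for this check. It is a constructed type for the example, not the
// provider's own model.
type siteBody struct {
	Name       string `json:"name"`
	Properties struct {
		PublicNetworkAccess *string `json:"publicNetworkAccess,omitempty"`
		SiteConfig          struct {
			PublicNetworkAccess *string `json:"publicNetworkAccess,omitempty"`
		} `json:"siteConfig"`
	} `json:"properties"`
}

// CheckPublicNetworkAccess returns a list of problems found in a site body that
// is expected to be private. A body with a value only under siteConfig (the
// situation described in the comment above) leaves the top-level property
// unset, which is the field the deny policy evaluates.
func CheckPublicNetworkAccess(body []byte) ([]string, error) {
	var site siteBody
	if err := json.Unmarshal(body, &site); err != nil {
		return nil, fmt.Errorf("parsing site body: %w", err)
	}
	var problems []string
	top := site.Properties.PublicNetworkAccess
	cfg := site.Properties.SiteConfig.PublicNetworkAccess

	switch {
	case top == nil:
		problems = append(problems, "properties.publicNetworkAccess is not set")
	case *top != "Disabled":
		problems = append(problems, "properties.publicNetworkAccess is "+*top+", expected Disabled")
	}
	switch {
	case cfg == nil:
		problems = append(problems, "properties.siteConfig.publicNetworkAccess is not set")
	case *cfg != "Disabled":
		problems = append(problems, "properties.siteConfig.publicNetworkAccess is "+*cfg+", expected Disabled")
	}
	// Both fields present but different: the two settings disagree.
	if top != nil && cfg != nil && *top != *cfg {
		problems = append(problems, "properties.publicNetworkAccess and siteConfig.publicNetworkAccess disagree")
	}
	return problems, nil
}

// Constructed sample bodies (not captured from Azure).
const SiteConfigOnlyBody = `{
  "name": "logic-app-example",
  "properties": {
    "siteConfig": {"publicNetworkAccess": "Disabled"}
  }
}`

const BothDisabledBody = `{
  "name": "logic-app-example",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "siteConfig": {"publicNetworkAccess": "Disabled"}
  }
}`

const MismatchBody = `{
  "name": "logic-app-example",
  "properties": {
    "publicNetworkAccess": "Enabled",
    "siteConfig": {"publicNetworkAccess": "Disabled"}
  }
}`

func main() {
	for label, body := range map[string]string{
		"siteConfig only": SiteConfigOnlyBody,
		"both disabled":   BothDisabledBody,
		"mismatch":        MismatchBody,
	} {
		problems, err := CheckPublicNetworkAccess([]byte(body))
		if err != nil {
			fmt.Printf("%s: error: %v\n", label, err)
			continue
		}
		fmt.Printf("%s: %d problem(s) %v\n", label, len(problems), problems)
	}
}
```

Running it shows the siteConfig-only body failing on the top-level field alone, which matches the policy expression in the 403 responses quoted further down: the policy reads properties.publicNetworkAccess, so a value written only under siteConfig is invisible to it.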

@russaram-bham

It seems this fix has not worked:

│ Error: creating Logic App Standard: (Site Name "la-sris-data-extract-dev-uksouth" / Resource Group "xxx-dev"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'xxxx-dev-uksouth' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs." Target="la-sris-data-extract-dev-uksouth" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"},{"expression":"Microsoft.Web/sites/publicNetworkAccess","expressionKind":"Field","operator":"Exists","path":"properties.publicNetworkAccess","result":"True","targetValue":"false"}],"reason":"Public network access must be disabled for PaaS services."},"policyAssignmentDisplayName":"Public network access should be disabled for PaaS services","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/xxx-stars/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints","policyAssignmentName":"Deny-Public-Endpoints","policyAssignmentParameters":{},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/xxx-stars","policyDefinitionDisplayName":"App Service apps should disable public network access","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba","policyDefinitionName":"1b5ef780-c53c-4a64-87f3-bb9c8c8094ba","policyDefinitionReferenceId":"AsDenyPublicIP","policyExemptionIds":[],"policySetDefinitionDisplayName":"Public network access should be disabled for PaaS services","policySetDefinitionId":"/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints","policySetDefinitionName":"Deny-PublicPaaSEndpoints"},"type":"PolicyViolation"}]

@GavinAlb

GavinAlb commented Feb 5, 2024

Hi,
We are also having trouble with this. We are using AzureRM version 3.90.0.

We are utilising the 'public_network_access_enabled' flag that sits within the site_config section introduced in #24257.

We have policies in our environment to enforce that we do not have these publicly accessible.

Terraform is breaking with the policy enforcement message, as the provider seems not to be honouring the "false" flag we are giving against this property.

│ Error: creating Logic App Standard: (Site Name "logic-app-common" / Resource Group "xx-xx-001"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'logic-app-common' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Management/managementGroups/xxx-xxx-xxx/providers/Microsoft.Authorization/policyAssignments/xxxxxxxxx\"},\"policyDefinition\":{\"name\":\"App Service apps should disable public network access\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/xxx-xxx-xxx\"}}]'." Target="logic-app-common" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Web/sites","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Web/sites"}.......................................

@anwarnk

anwarnk commented Jul 17, 2024

Hi, this issue has been outstanding for some time now. The PR is in a stale state; could someone please provide an update?

@arnaudluti

Hello,
It is normal that your TF deployment doesn't work with the public_network_access_enabled switch set to false.
It seems not to be possible yet to change this option to "enabled from specific IPs". Using that, you could allow your CI/CD provider to permit Terraform deployments. In my case I use Azure DevOps as a CI/CD provider, and using the service tags it works:
[image not captured]
But this needs to be set manually after the logic app was created by TF.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 26, 2024