From 3450a5cc37bf51dd1b3f714e396a5560aacf58c5 Mon Sep 17 00:00:00 2001
From: Taher Daroly <41846928+tdaroly@users.noreply.github.com>
Date: Fri, 12 Aug 2022 02:20:27 -0500
Subject: [PATCH] adding ip-restriction feat (#19841)
* adding ip-restriction feat
* remove from stable, add to preview
* fix lintDiff error
* fix modelvalidation error
* fix formatting changes
* rename names, add note to all allow or all deny
* fix spell check error
* update name and examples
* rename `ipAddress` to `ipAddressRange`
* making small change to re-run build pipeline
* trigger GitHub actions
* resolve comments
Co-authored-by: Taher Darolywala
---
 .../2022-06-01-preview/ContainerApps.json | 45 +++++++++++++++++++
 .../ContainerApps_CreateOrUpdate.json | 28 ++++++++++++
 .../examples/ContainerApps_Get.json | 14 ++++++
 .../ContainerApps_ListByResourceGroup.json | 14 ++++++
 .../ContainerApps_ListBySubscription.json | 14 ++++++
 .../examples/ContainerApps_Patch.json | 14 ++++++
 6 files changed, 129 insertions(+)
diff --git a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/ContainerApps.json b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/ContainerApps.json
index 133b79e24831..83c5ae9a0ca0 100644
--- a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/ContainerApps.json
+++ b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/ContainerApps.json
@@ -676,6 +676,16 @@
 "allowInsecure": {
 "description": "Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections",
 "type": "boolean"
+ },
+ "ipSecurityRestrictions": {
+ "description": "Rules to restrict incoming IP address.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/IpSecurityRestrictionRule"
+ },
+ "x-ms-identifiers": [
+ "name"
+ ]
 }
 }
 },
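Review bot: The description on the new `ipSecurityRestrictions` array does not say what happens to traffic when the list is empty or when no rule matches, and for an access-control list that default is the one fact a caller has to know. The only evaluation rule in this patch (all entries Allow or all entries Deny) sits on the per-rule `action` description in the later hunk, although it constrains the collection as a whole. I would state both here, e.g. `"description": "Rules to restrict incoming IP addresses. All rules must use the same action (all Allow or all Deny). <state the behaviour for unmatched traffic and for an empty list>"`. The enclosing ingress definition starts and ends outside the hunk.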
@@ -791,6 +801,41 @@
 }
 }
 },
+ "IpSecurityRestrictionRule": {
+ "description": "Rule to restrict incoming IP address.",
+ "type": "object",
+ "required": [
+ "name",
+ "ipAddressRange",
+ "action"
+ ],
+ "properties": {
+ "name": {
+ "description": "Name for the IP restriction rule.",
+ "type": "string"
+ },
+ "description": {
+ "description": "Describe the IP restriction rule that is being sent to the container-app. This is an optional field.",
+ "type": "string"
+ },
+ "ipAddressRange": {
+ "description": "CIDR notation to match incoming IP address",
+ "type": "string"
+ },
+ "action": {
+ "description": "Allow or Deny rules to determine for incoming IP. Note: Rules can only consist of ALL Allow or ALL Deny",
+ "enum": [
+ "Allow",
+ "Deny"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "name": "action",
+ "modelAsString": true
+ }
+ }
+ }
+ },
 "CustomHostnameAnalysisResult": {
 "description": "Custom domain analysis.",
 "type": "object",
diff --git a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_CreateOrUpdate.json b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_CreateOrUpdate.json
index 9f61e117c5d5..f18b29998785 100644
--- a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_CreateOrUpdate.json
+++ b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_CreateOrUpdate.json
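Review bot: `ipAddressRange` is declared as a bare `string` whose description only says CIDR notation, so the contract does not say which address families are accepted, whether the prefix length is mandatory, or whether a value with host bits set is normalised or rejected. Since this string decides who can reach the app, I would spell that out in the description (and add a `pattern` if the service validates against one), e.g. `"description": "IP address range in CIDR notation (address/prefix-length) matched against the incoming client IP. <state IPv4/IPv6 support and handling of host bits>"`. Separately, `"x-ms-enum": { "name": "action" }` hands code generators a generic lowercase type name; a model-specific name such as `IpSecurityRestrictionAction` would be less likely to collide, which is a naming suggestion and not a behaviour change.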
@@ -30,6 +30,20 @@
 "revisionName": "testcontainerApp0-ab1234",
 "label": "production"
 }
+ ],
+ "ipSecurityRestrictions": [
+ {
+ "name": "Allow work IP A subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/32",
+ "action": "Allow"
+ },
+ {
+ "name": "Allow work IP B subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/8",
+ "action": "Allow"
+ }
 ]
 },
 "dapr": {
@@ -125,6 +139,20 @@
 "revisionName": "testcontainerApp0-ab4321",
 "label": "staging"
 }
+ ],
+ "ipSecurityRestrictions": [
+ {
+ "name": "Allow work IP A subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/32",
+ "action": "Allow"
+ },
+ {
+ "name": "Allow work IP B subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/8",
+ "action": "Allow"
+ }
 ]
 },
 "dapr": {
diff --git a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Get.json b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Get.json
index 6dc081dbf2a1..6ae766c16cc0 100644
--- a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Get.json
+++ b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Get.json
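Review bot: The second example rule uses `"ipAddressRange": "192.168.1.1/8"` under the name "Allow work IP B subnet": the address has host bits set, and read as a /8 it would cover all of 192.0.0.0/8, which is mostly public address space and not one work subnet. The first rule's `/32` is a single host, yet its description says "all IP's within the subnet". Examples like these get copied into real allowlists, so I would make them match their labels, e.g. `"ipAddressRange": "192.168.1.0/24"` for rule B and `"description": "Allowing a single IP address to access containerapp"` for rule A. The same two entries appear in both hunks of this file and in the Get, ListByResourceGroup, ListBySubscription and Patch examples.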
@@ -45,6 +45,20 @@
 "revisionName": "testcontainerApp0-ab4321",
 "label": "staging"
 }
+ ],
+ "ipSecurityRestrictions": [
+ {
+ "name": "Allow work IP A subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/32",
+ "action": "Allow"
+ },
+ {
+ "name": "Allow work IP B subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/8",
+ "action": "Allow"
+ }
 ]
 },
 "dapr": {
diff --git a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListByResourceGroup.json b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListByResourceGroup.json
index 97044f912769..171c38bc7c24 100644
--- a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListByResourceGroup.json
+++ b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListByResourceGroup.json
@@ -46,6 +46,20 @@
 "revisionName": "testcontainerApp0-ab4321",
 "label": "staging"
 }
+ ],
+ "ipSecurityRestrictions": [
+ {
+ "name": "Allow work IP A subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/32",
+ "action": "Allow"
+ },
+ {
+ "name": "Allow work IP B subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/8",
+ "action": "Allow"
+ }
 ]
 },
 "dapr": {
diff --git a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListBySubscription.json b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListBySubscription.json
index f9734aeba0b6..18e9a386e84b 100644
--- a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListBySubscription.json
+++ b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_ListBySubscription.json
@@ -45,6 +45,20 @@
 "revisionName": "testcontainerApp0-ab4321",
 "label": "staging"
 }
+ ],
+ "ipSecurityRestrictions": [
+ {
+ "name": "Allow work IP A subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/32",
+ "action": "Allow"
+ },
+ {
+ "name": "Allow work IP B subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/8",
+ "action": "Allow"
+ }
 ]
 },
 "dapr": {
diff --git a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Patch.json b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Patch.json
index 8ee6577e1ddb..4c34c4d74fa0 100644
--- a/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Patch.json
+++ b/specification/app/resource-manager/Microsoft.App/preview/2022-06-01-preview/examples/ContainerApps_Patch.json
@@ -33,6 +33,20 @@
 "revisionName": "testcontainerApp0-ab1234",
 "label": "production"
 }
+ ],
+ "ipSecurityRestrictions": [
+ {
+ "name": "Allow work IP A subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/32",
+ "action": "Allow"
+ },
+ {
+ "name": "Allow work IP B subnet",
+ "description": "Allowing all IP's within the subnet below to access containerapp",
+ "ipAddressRange": "192.168.1.1/8",
+ "action": "Allow"
+ }
 ]
 },
 "dapr": {