Terraform-provider-azurerm: Support App Service "Access Restrictions" functionality

Created on 17 Jun 2019  ·  16 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Azure App Service recently(?) renamed "IP Restrictions" to "Access Restrictions," and added the ability to allow/deny connections from Azure Virtual Network subnets. It appears that an ip_restriction argument block exists on azurerm_app_service, however I don't believe this is the same thing as Access Restrictions, or at least it doesn't capture the full capabilities that Access Restrictions provide, such as setting restrictions on the associated SCM/Kudu site.

Based on the Azure documentation, there doesn't appear to be a CLI way to set these restrictions, so this work may be blocked:

There currently is no CLI or PowerShell for the new Access Restrictions capability but the values can be set manually with a PUT operation on the app configuration in Resource Manager.

It would be nice in the future to be able to:

  • Set an allow/deny list that controls network access to an app service site
  • Set an allow/deny list that controls network access to an app service _SCM_ site

Affected Resource

  • azurerm_app_service

References

Labels: enhancement, service/app-service

All 16 comments

Also interested in this feature.

I also need a way to set the IP restrictions on the SCM website, and this will need to be added to both the azurerm_app_service resource and the azurerm_app_service_slot slot resource as well.

I propose an additional block on the site config property like so:

resource "azurerm_app_service" "app_service" {
  name                = local.name
  location            = var.location
  resource_group_name = var.resource_group_name
  app_service_plan_id = var.app_service_plan_id
  https_only          = true

  site_config {
    always_on                = true
    dotnet_framework_version = "v4.0"
    http2_enabled            = true

    default_documents = [
      "Default.htm",
    ]

    # Current network IP address restriction on app service
    ip_restriction {
      ip_address  = "1.2.3.4"
      subnet_mask = "255.255.255.255"
    }

    # Proposed new IP address restriction on app service SCM/KUDU website
    scm_ip_restriction {
      ip_address  = "5.6.7.8"
      subnet_mask = "255.255.255.255"
    }
  }
}

While we wait for official support the following template can be added in addition to the azurerm_app_service resource to set the scmIpSecurityRestrictions property using an AzureRM resource template:

resource "azurerm_template_deployment" "app-service-scm-ipwhitelist" {
  name                = "${var.application}-scm-ipwhitelist"
  resource_group_name = var.resource_group_name
  template_body       = <<JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "_force_terraform_to_always_redeploy": "${timestamp()}"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "${azurerm_app_service.app_service.name}/web",
      "location": "[resourceGroup().location]",
      "properties": {
        "scmIpSecurityRestrictions": [
          {
            "ipAddress": "${local.ip_to_whitelist}",
            "action": "Allow",
            "tag": "Default",
            "priority": 300,
            "name": "allow-my-company-server",
            "description": "useful description info..."
          }
        ]
      }
    }
  ]
}
JSON
  deployment_mode     = "Incremental"
}

Is it already implemented?

Looking at: https://www.terraform.io/docs/providers/azurerm/d/app_service.html

An ip_restriction block exports the following:

  • ip_address - The IP Address used for this IP Restriction.
  • subnet_mask - The Subnet mask used for this IP Restriction.

Is it already implemented?

Looking at: https://www.terraform.io/docs/providers/azurerm/d/app_service.html

Nope - still need the SCM IP restrictions

What is the reason to have IP restrictions for SCM endpoints? It's only allowed for authenticated users, right?

Extra level of security based on where you are as well as who.

On Tue, 3 Dec 2019 at 16:38, brysk notifications@github.com wrote:

What is the reason to have ip restrictions for SCM endpoints, it's only allowed for authenticated users right?


@brysk and @alastairtree - As to why locking down your SCM network connectivity should be done: Consider what happens when a developer angrily exits your organization. You no doubt disable their Azure AD identity, but SCM remains accessible from their home network using credentials stored directly within the App Service. They could access data, logs, and upload binaries. IMHO, this is an often overlooked aspect of securing Azure App Service, and warrants attention. Ideally, you'd cycle those credentials and you'd lock SCM down so it's only accessible from your corporate egress IPs.

thanks @JohnDelisle

credentials stored directly within the App Service

Can you please shed more light on it to explain how it works?

Sure thing @brysk -

The easiest way to demonstrate this would be to head to the Azure Portal, create a Resource Group, create an App Service Plan, and create an App Service. Go with a Windows-based ASP.NET App Service, for example.

Once that's done, open the App Service, click its "Deployment Center" blade, click on "FTP", and finally click the "Dashboard" button in the bottom-center. A dialog should pop on the right-hand side, providing the credential to use to access the App Service remotely.

If that credential is known to a bad actor, and your SCM IP restrictions are permissive, they can connect to your App Service from anywhere and publish a new binary, download logs etc.

This is a common theme in Azure - services that are by default internet accessible, where keys used to access them persist after employee termination. Unless you implement good key lifecycle-management and secure the front-end connectivity of the service, that is. Examples off the top of my head include Storage Account, Azure SQL Database, Cosmos, App Service, and basically any other Azure resource that uses its own keys/secrets/certs and is internet accessible. You can mitigate some of this through e.g. VNet endpoints, but that's not always practical.

@JohnDelisle

Thanks for your explanation, but I can't agree with everything you said. I have just locked down access to the SCM endpoint completely and it doesn't prevent me from accessing the FTP location to upload anything up there. Restrictions applied to SCM IP do not affect FTPS IP.

According to my understanding, the SCM endpoint is behind SSO and only authenticated and authorised users and services can access it. When a user is removed from AAD she/he will not be able to mess with it.

HTTP BASIC auth won't be enabled and only Service Connection configured for Azure DevOps Pipeline will carry out deployments.

FTP/FTPS access to App Service can be disabled here: App Service -> Configuration -> General Settings -> FTP state

That's certainly different than my understanding - I'll test and confirm. Assuming you're right re: FTP connectivity, that introduces risks that can only be mitigated through cycling keys. Ouch. Thanks for the update.

See the relevant documentation: https://docs.microsoft.com/en-US/azure/app-service/app-service-ip-restrictions#programmatic-manipulation-of-access-restriction-rules
There is an API for that purpose: editing the ipSecurityRestrictions property block on the web app.
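To turn the two points raised above (the scmIpSecurityRestrictions property set by the ARM template workaround, and FTP access that SCM rules do not cover) into something checkable, here is an added audit script that is not part of the thread or the provider. It reads a site config object with the same property names as the template above, plus ftpsState and scmIpSecurityRestrictionsUseMain from the same Microsoft.Web/sites/config resource, and assumes Azure's documented evaluation order: ascending priority, first match wins, implicit deny after a non-empty list, allow-everything when the list is empty. The sample config is constructed.

```python
import ipaddress

# Constructed sample of a site config (GET .../sites/<app>/config/web), trimmed to the
# properties the audit reads: main site locked to one corporate range, SCM wide open, FTP on.
SAMPLE_CONFIG = {
    "properties": {
        "ipSecurityRestrictions": [
            {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100, "name": "corp-egress"},
            {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"},
        ],
        "scmIpSecurityRestrictions": [
            {"ipAddress": "Any", "action": "Allow", "priority": 1, "name": "Allow all"},
        ],
        "scmIpSecurityRestrictionsUseMain": False,
        "ftpsState": "AllAllowed",
    }
}

def _within(cidr, approved):
    # True if every address in cidr lies inside one of the approved networks.
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)

def _allows_outside(rules, approved):
    """Assumed Azure semantics: ascending priority, first match wins, implicit deny at the end."""
    if not rules:
        return True                       # no rules at all means the site is open to everyone
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        if "ipAddress" not in rule: continue   # VNet / service-tag rules are out of scope here
        allow = rule.get("action", "Allow").lower() == "allow"
        if rule["ipAddress"] in ("Any", "0.0.0.0/0"):
            return allow                  # explicit allow-all or deny-all ends evaluation
        if allow and not _within(rule["ipAddress"], approved):
            return True                   # an Allow rule reaches outside the approved ranges
    return False                          # implicit deny covers everything else

def audit(config, approved_cidrs):
    """Return findings for the main site, the SCM/Kudu site and the FTP endpoint."""
    props = config.get("properties", {})
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    main = props.get("ipSecurityRestrictions", [])
    scm = main if props.get("scmIpSecurityRestrictionsUseMain") else props.get("scmIpSecurityRestrictions", [])
    ftps = props.get("ftpsState", "AllAllowed")
    findings = []
    if _allows_outside(main, approved):
        findings.append("main site reachable from outside approved ranges")
    if _allows_outside(scm, approved):
        findings.append("SCM/Kudu site reachable from outside approved ranges")
    if ftps != "Disabled":
        findings.append(f"FTP endpoint enabled (ftpsState={ftps}); SCM rules do not cover it")
    return findings
```

Feed it the JSON body returned by the Resource Manager GET on the config resource and your corporate egress CIDRs; an empty result means both sites are restricted to those ranges and FTP is off.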

@tombuildsstuff any news please ?

As the main issue (access restrictions for the App Service data plane) is already implemented, would it make sense to create a new issue focusing on the still-missing SCM restrictions? @tombuildsstuff?

Is there any plan to implement ScmSiteAccessRestrictions? Both Azure PowerShell and Az CLI support this feature.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
