Merge pull request #37 from using-system/features/acr-update

feat : Add ip_rules variable for az-acr tf module
using-system · Mar 27, 2024 · 7b12ed1 · 7b12ed1
2 parents 6b4c4f3 + f2777d5
commit 7b12ed1
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 6 deletions.
diff --git a/terraform/modules/az-acr/README.md b/terraform/modules/az-acr/README.md
diff --git a/terraform/modules/az-acr/main.tf b/terraform/modules/az-acr/main.tf
@@ -26,6 +26,23 @@ resource "azurerm_container_registry" "acr" {
     }
   }
 
+  dynamic "network_rule_set" {
+    for_each = length(var.ip_rules) > 0 ? [1] : []
+
+    content {
+      default_action = "Deny"
+
+      dynamic "ip_rule" {
+        for_each = var.ip_rules
+
+        content {
+          action   = "Allow"
+          ip_range = ip_rule.value
+        }
+      }
+    }
+  }
+
   zone_redundancy_enabled = var.zone_redundancy_enabled
 
   identity {

diff --git a/terraform/modules/az-acr/tests/acr_secure.tftest.hcl b/terraform/modules/az-acr/tests/acr_secure.tftest.hcl
@@ -14,11 +14,11 @@ run "plan" {
   command = plan
 
   variables {
-    name                        = "usingsystemazacrtest1"
-    location                    = run.setup.resource_group_location
-    resource_group_name         = run.setup.resource_group_name
-
-    tags                        = { Environment = "Test" }
+    name                          = "usingsystemazacrtest1"
+    location                      = run.setup.resource_group_location
+    resource_group_name           = run.setup.resource_group_name
+    ip_rules                      = ["20.75.211.8/29", "20.99.157.152/29"]
+    tags                          = { Environment = "Test" }
   }
 
   assert {
@@ -126,7 +126,8 @@ run "apply" {
         name                        = "usingsystemazacrtest1"
         location                    = run.setup.resource_group_location
         resource_group_name         = run.setup.resource_group_name
-
+        ip_rules                    = ["20.75.211.8/29", "20.99.157.152/29"]
+
         tags                        = { Environment = "Test" }
     }
 

diff --git a/terraform/modules/az-acr/variables.tf b/terraform/modules/az-acr/variables.tf
@@ -87,6 +87,12 @@ variable "identity_ids" {
   default     = []
 }
 
+variable "ip_rules" {
+  description = "List of IP rules to allow on the acr."
+  type        = list(string)
+  default     = []
+}
+
 variable "tags" {
   description = "Tags to associate with resources."
   type        = map(string)
Name	Type
azurerm_container_registry.acr	resource
azurerm_management_lock.acr	resource
Name	Description	Type	Default	Required
admin_enabled	Determines if the admin user is enabled	`bool`	`false`	no
enable_lock_on_acr	Determines if the lock on acr is enabled	`bool`	`true`	no
georeplication_locations	List of locations for the georeplication	`list(string)`	`[]`	no
identity_ids	A list of identities associated with the acr.	`list(string)`	`[]`	no
identity_type	The type of identity used for the acr.	`string`	`"SystemAssigned"`	no
location	Azure Region Location	`any`	n/a	yes
name	Name of the acr	`any`	n/a	yes
network_rule_bypass_option	Determines if the network rule bypass option is enabled	`string`	`"None"`	no
public_network_access_enabled	Determines if the public network access is enabled	`bool`	`false`	no
quarantine_policy_enabled	Determines if the quarantine policy is enabled	`bool`	`true`	no
resource_group_name	Resource group name of the acr	`any`	n/a	yes
retention_policy_days	Number of days to retain an untagged manifest after which it gets purged	`number`	`7`	no
retention_policy_enabled	Determines if the retention policy is enabled	`bool`	`true`	no
sku	The SKU name of the container registry.	`string`	`"Premium"`	no
tags	Tags to associate with resources.	`map(string)`	n/a	yes
trust_policy_enabled	Determines if the trust policy is enabled	`bool`	`true`	no
zone_redundancy_enabled	Determines if the zone redundancy is enabled	`bool`	`true`	no
Name	Description
admin_password	The Username associated with the Container Registry Admin account - if the admin account is enabled
admin_username	The Username associated with the Container Registry Admin account - if the admin account is enabled
id	The ID of the Container Registry
login_server	The URL that can be used to log into the container registry