From f2777d5b2775bc2246cc44d922d6e7ea42a0e4ed Mon Sep 17 00:00:00 2001
From: Matthieu Nicolescu <mnicolescu@gmail.com>
Date: Wed, 27 Mar 2024 18:39:13 +0100
Subject: [PATCH] feat : Add ip_rules variable for az-acr tf module

---
 terraform/modules/az-acr/README.md            | Bin 4077 -> 8442 bytes
 terraform/modules/az-acr/main.tf              |  17 +++++++++++++++++
 .../az-acr/tests/acr_secure.tftest.hcl        |  13 +++++++------
 terraform/modules/az-acr/variables.tf         |   6 ++++++
 4 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/terraform/modules/az-acr/README.md b/terraform/modules/az-acr/README.md
index f79406c34575d44e5a8e1e67a62a0533dcd55211..c26309bcb8eba6e7179f996b98b8de96c6b15285 100644
GIT binary patch
literal 8442
zcmd^FO>Y}F5aqc*|HC4_B!|ca3bcUH1~A%-QP&NUxR*9qsggeywIx+6#Zchip7uSC
zMkHsc^{$dSC<?=}mK+Xe-h6O4>%Tu7xC2+XSMI|7<yNk83w*o9@6;__?Y?wh_}?=(
z0~P0TRD&&@aC-^LnR^Fr6RcQ7eD1;J%#HjGh2zt&8;S}mrg*;hyzbre=qG)W8Ko=S
zci>lGt#JL`J#llhe~G#G(2nviu=f-90;>)&`T{F|GqZ2qQ($6w{O&B5XI|REeeDMB
zTlWn<zuL-A+yslCq1Oa^-(YWx=WQ})QKU_3P*Co1vbu@l8@GnU7u)?)#OxELBM+;2
ziG65=B@n6bmuQt9wJSW=7++wY0cOYeMx3rOw#3f0I|81E8QP`ivcQ^4@Fw~L@S1_v
zB3xta8gw;2D=*0cG_+D|yF(y3!k)xtiP;HwjqzRfPVqYIq>tK>-Vv`4zL-Pm7E;jX
zuCPkurG#vh=Fk5WM(vtBgii4E6W}q2x5jy+>8U?@l<7YesF&UsB<>3rdvW1Nc?pCW
zJIhV1F(yI=nsoB_IFmew-^b7ClV+BqgodL>+q{&^H;fh0oH=3wf8a<7S?M8v_}HIh
zvW`+Rx1_X^g92a4KD+7FO2kYePGq1*7m(%>pG(9QGenTE0Jb&87M_NbsT7i-htOb#
zpBpy>1uZ)CcDeCub!-ZXIAWSvIcSq=8=|HJ58@{I#b)VPHsYbN#_wDw7-?oY@HP;u
zaHjj}K3J*@g_nTXa(^P;2TkVH6(rmbOJ*Qu)(iOH4R#(w3XLm8DU8$&KWtkcaE>|T
zyt6+S#rf2u#R#8yKNU>l{R)gz!{EbhyQz;73!V{A{U`Iy6xsUO7Udz%zqi|`e*P<!
z4NuAnziapxN1E7LI^rpmIShAGD^|zAK=o3*(p44wfWF6bl&9Gk`w`0v$XB>KFYk4P
zq<HKABNExl{c%tucC1@$tfxAyeQYajSLBplv3s-0e>$GWZw(|QD-tj3cNQ(FiNv!s
zdWX>FHT2>fYlCBNi3+~Qii+oeQug(^IlPCNLTbq-W^<2IpvWU-sT3a@hbQhO5D45D
zea!JA?9Ujz!*{9K!^y(z_c*>}vxG&%&gZbOG>XLWw&IkV5vyO(^b~*N{HjsIT5uiN
zl~t?EtzmP<W7~ZtJ{k2MWA)MToE|!-@}FUM)}-p;seS$pnOSw*0h<MC-{7MqDhI~5
z<RYHZq2g=m7xQ4ARL|r0m=B+0PI*N3<)#>RsiYXsLGKVNMItY)5cF=Z4R+-d-oLrq
zzPW>S5bID@2c_o}<d%9%ZkRP@<4UPnwZ@!ii4+5lFh?pkKBxS0*7{hUeQXx*#jZhW
z!C3ZoOMUv9nD?3yyq>v)bp>TB;W@0lX*X6GDV8>davW%Zm`68@?8m8(9dbJqiKKn;
z|F|mJ-u_FR*X&}gAQQb@GO9(~t|Gc&9iMb%&hNXgR%Bnn1JWKv*e&$H9xLxte%3hR
zugp-Xua&5FM!pit;g+t<`Khkng<W?Jir*RRd5cUacV4+~=q_5{h*r`8W3|KX#LDZ)
zZVzuBtPG`V!kaZM!rKcwT$G6Sl)Ft2i<LHS2!&tA&Io;+9X;hERrfTKORK{nx{CU}
zU#0l4UE1?VbA8S_DUbbal=4wabvb{Va(>PXQls`+HEuF8nnOosRA0TFymmjib9jm7
z4I9hN4z2X%(+;iHc)RKecIbIGsl4CqTUD@6d<CDj(XHb-t#vNwEj%>(n)lZD)=H`4
z{8vY}4MyaA=WT!LJIVXi<Z`kQOPk+P-)-W+8kXz!i=VLX!|N5#E^!n1e$IG#zo}{E
z4FlhiO#OK=?NsaNY9d3gu<JRVS|{g?{kinPS-DGuS_wa8eG|IyzW_(Rk=efwFK>q)
z>XPex+r5_6lgg5I#`R7pcgE%|BlM`n^Cc@NwOBIdPOA1bYB$ZZ=ZH(5)gjL|Gf%!_
z_JjA^_#Ij35=g#f59t^lDLr^r2D}kbURFv4-Y3xZyL$4LdRH%5-{Lhp?J+VjE+r&L
zwYC{6#n4iB!QHO;|KiRbrp1?Ic@#Ngu{yy!Fnj)Y^S<s;$sQPM2iET58}EEvSjht&
zV=bo4>$98QYI%<TJ~)M*>{78)T_9GZ>SmoDcVnghD4ZEVj3#y@wZGM+HquVqKdouj
A#Q*>R

literal 4077
zcmc&%OK%%D5Wf3YOzn$vkW{pX7KUrUiPFNTs|0@Zk~KEeF0~>oksFd5V*~&A%<#1<
zX{8tmis~YAX2|(CGaP<<{?lj#uiyT4HOue*%%|_(+`?#daddJ5H~dp0G+%RR&C$_J
zf$j;$M`ZF|tIwk38uiaGV`~o2@Gnk<lJI==JaWJAhhr4MIRlA?e;n6gZO*<ln(OuP
z#rcF?z=tq>I6a9LSu}Zt+y6TL{g?62xI6j(N0rTrdvt3*_P}nqQH?H0m4Mx~HR9Vs
zMUbM)yin3IA-T>quY|F>9kW6|oGz`c&Dms<q?T*V7D}(jLQNt}Gg&gT6ou0DBphP0
zVwM{_DOF)`b-*;)^+P9%dcxRYS~JNimxO$!ipT#3(3X=eG!*G8SvOP$DVkGm3N32u
zQVl+~Fy#x@tSlZT6i>Mma9<On-P$+{n$g)tnFw;6vvMtD&Lx|#c$q4Ngjtkg!8lv2
zmJK-_X38;RXv__W1=uAAX9JDl8iawcF<O3{E4BJag9Td|P9v#YMpEH=M1G0ONv>p$
zbrNBDP3BY?>JShWQA9VW9tKGX2fRwSejiG!n*$&#t~9S#qF|IKLgWS}LfzCm$ljoX
zyVryuU*jbKwScrS;H7Z!-CRcTT%qkL-YFrgS1!OG9`;8Un~Jo;wz()1*eJ_L*a6%S
z6R1ldR|G4l1g4!CqY8nyv4kgKm%auHJ^p@V7TZaTV~2sHL)b`8;O?;YXxxL>QW=&h
za+qv~%7@BD>iD)bmai|35tYRH-ygS_hzKmsJ4jLDB1N4SuWCh?_&O8^MTE)L`Is=A
zwHUsED@k2Ex}kCBf@ZY+4FBnz?!I9OzjR}6pOk*gHMaJA-qx79T)9S*+<A-4nPkBR
zubMOJ;W%VQ0C(Gh^h<zzgZB-7+pP=O&(2Iqejq1xGshd4hpn+0;Im|6*NR8-Mp?9?
zo<U{<-R)bJ!w2)LAfC_fzICRTw!Tjd(+sbt<aw>|Xzli4I)f}&44mVD(eM$v1>oK8
zgMYXu#%DIKv})?SU&c|Dc^zhBqpk<lg!Lx8?BKR^{N_9AUgIN$QN=zTqFS;xHNT|n
zB1-D6*!LI^yjioJ<2#2pk(PiZCPzF6n1luyPgP<2K?)!i$W?$X@U4U=Br;177AkHH
z)Qu(^yui}!<+{>u``b_g6OR%e*jVjJ-<>8{96V6487_~s=MPnfd2Av`9Cm1MLT;&j
z-~N5Sk>bSWFsy+!Ql$DF;yu!6(X0<N3Cu#uHH|yZG;^-;pK_O8GXIdpqBQQ&ShKqS
z#>ztt9IuJ7dlKYy2a+?aA5M(3{h_3M!3K+zyliC2<ZinmHNFK&KhSLUnhZlGbIfLR
z_@YKbEcsny57FeUZ;wcYkyIygsoV~M@6ywUPvJJ<jbf}3Z=NV`)WlM~M}A8^tSg!x
z{dp6=b{qr1a&6&~m^0GNLSbKk(I#1r;yz#A3!RvCzqJNV9>u%RqvrpFE>fgL*+VGG
z2<mDY`}#oeHaJqq<4RTd-GZ_B%+vRQlVw5JbF(3j9`A3ikv}mD1vcwB_f!$P02+gk
WI3RMh+kud<ozsW?+u5}LS^pK}_^uTI

diff --git a/terraform/modules/az-acr/main.tf b/terraform/modules/az-acr/main.tf
index 2cd43234..cdf56f11 100644
--- a/terraform/modules/az-acr/main.tf
+++ b/terraform/modules/az-acr/main.tf
@@ -26,6 +26,23 @@ resource "azurerm_container_registry" "acr" {
     }
   }
 
+  dynamic "network_rule_set" {
+    for_each = length(var.ip_rules) > 0 ? [1] : []
+
+    content {
+      default_action = "Deny"
+
+      dynamic "ip_rule" {
+        for_each = var.ip_rules
+
+        content {
+          action   = "Allow"
+          ip_range = ip_rule.value
+        }
+      }
+    }
+  }
+
   zone_redundancy_enabled = var.zone_redundancy_enabled
 
   identity {
diff --git a/terraform/modules/az-acr/tests/acr_secure.tftest.hcl b/terraform/modules/az-acr/tests/acr_secure.tftest.hcl
index 84893a78..d786e0b7 100644
--- a/terraform/modules/az-acr/tests/acr_secure.tftest.hcl
+++ b/terraform/modules/az-acr/tests/acr_secure.tftest.hcl
@@ -14,11 +14,11 @@ run "plan" {
   command = plan
 
   variables {
-    name                        = "usingsystemazacrtest1"
-    location                    = run.setup.resource_group_location
-    resource_group_name         = run.setup.resource_group_name
-    
-    tags                        = { Environment = "Test" }
+    name                          = "usingsystemazacrtest1"
+    location                      = run.setup.resource_group_location
+    resource_group_name           = run.setup.resource_group_name
+    ip_rules                      = ["20.75.211.8/29", "20.99.157.152/29"]
+    tags                          = { Environment = "Test" }
   }
 
   assert {
@@ -126,7 +126,8 @@ run "apply" {
         name                        = "usingsystemazacrtest1"
         location                    = run.setup.resource_group_location
         resource_group_name         = run.setup.resource_group_name
-    
+        ip_rules                    = ["20.75.211.8/29", "20.99.157.152/29"]
+        
         tags                        = { Environment = "Test" }
     }
 
diff --git a/terraform/modules/az-acr/variables.tf b/terraform/modules/az-acr/variables.tf
index 1c21c359..502cb519 100644
--- a/terraform/modules/az-acr/variables.tf
+++ b/terraform/modules/az-acr/variables.tf
@@ -87,6 +87,12 @@ variable "identity_ids" {
   default     = []
 }
 
+variable "ip_rules" {
+  description = "List of IP rules to allow on the acr."
+  type        = list(string)
+  default     = []
+}
+
 variable "tags" {
   description = "Tags to associate with resources."
   type        = map(string)