Merge pull request #1108 from fahedmarakbi/add-supports-https-traffic…

…-property-storage-accounts Add "supports https traffic only" property storage accounts
CompositionalIT · Jun 9, 2024 · 228781f · 228781f
2 parents c969cf3 + a049061
commit 228781f
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 0 deletions.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -3,6 +3,7 @@ Release Notes
 
 ## 1.8.11
 * Service Bus: Added support for setting max message size.
+* Storage accounts: Added support for setting https traffic only.
 * WebApp: Add new Premium V3 SKUs: Entry level SKU: `P0V3`, and memory optimised SKUs: `P1MV3, P2MV3, P3MV3, P4MV3, P5MV3`.
 
 ## 1.8.10

diff --git a/docs/content/api-overview/resources/storage-account.md b/docs/content/api-overview/resources/storage-account.md
@@ -46,6 +46,7 @@ The Storage Account builder creates storage accounts and their associated contai
 | grant_access | Given a managed identity (can be either user- or system- assigned), and a specific RoleId from the Roles module, grants access to the identity for the provided role. |
 | min_tls_version | Sets the minimum TLS version for the storage account |
 | disable_blob_public_access | Disables public (anonymous) access to blobs for the entire storage account |
+| supports_https_traffic_only | Allows https traffic only |
 | disable_shared_key_access | Disables shared key access for the storage account |
 | default_to_oauth_authentication | Defaults to OAuth (AAD) authentication for requests to blobs, queues and containers in the Azure portal |
 | use_azure_dns_zone | Change the DNS Endpoint type from `Standard` to `AzureDnsZone` |

diff --git a/src/Farmer/Arm/Storage.fs b/src/Farmer/Arm/Storage.fs
@@ -108,6 +108,7 @@ type StorageAccount =
                           ErrorPage: string option
                           ContentPath: string |} option
         MinTlsVersion: TlsVersion option
+        SupportsHttpsTrafficOnly: FeatureFlag option
         DnsZoneType: string option
         DisablePublicNetworkAccess: FeatureFlag option
         DisableBlobPublicAccess: FeatureFlag option
@@ -193,6 +194,11 @@ type StorageAccount =
                             | Some Tls11 -> "TLS1_1"
                             | Some Tls12 -> "TLS1_2"
                             | None -> null
+                        supportsHttpsTrafficOnly =
+                            match this.SupportsHttpsTrafficOnly with
+                            | Some FeatureFlag.Disabled -> "false"
+                            | Some FeatureFlag.Enabled -> "true"
+                            | None -> null
                         dnsEndpointType =
                             match this.DnsZoneType with
                             | Some s -> s

diff --git a/src/Farmer/Builders/Builders.Functions.fs b/src/Farmer/Builders/Builders.Functions.fs
@@ -391,6 +391,7 @@ type FunctionsConfig =
                         StaticWebsite = None
                         EnableHierarchicalNamespace = None
                         MinTlsVersion = None
+                        SupportsHttpsTrafficOnly = None
                         Tags = this.Tags
                         DnsZoneType = None
                         DisablePublicNetworkAccess = None

diff --git a/src/Farmer/Builders/Builders.Storage.fs b/src/Farmer/Builders/Builders.Storage.fs
@@ -72,6 +72,8 @@ type StorageAccountConfig =
         IsVersioningEnabled: List<Storage.StorageService * bool>
         /// Minimum TLS version
         MinTlsVersion: TlsVersion option
+        /// Supports Https Traffic Only
+        SupportsHttpsTrafficOnly: FeatureFlag option
         /// Tags to apply to the storage account
         Tags: Map<string, string>
         /// DNS endpoint type
@@ -127,6 +129,7 @@ type StorageAccountConfig =
                     NetworkAcls = this.NetworkAcls
                     StaticWebsite = this.StaticWebsite
                     MinTlsVersion = this.MinTlsVersion
+                    SupportsHttpsTrafficOnly = this.SupportsHttpsTrafficOnly
                     DnsZoneType = this.DnsZoneType
                     DisablePublicNetworkAccess = this.DisablePublicNetworkAccess
                     DisableBlobPublicAccess = this.DisableBlobPublicAccess
@@ -242,6 +245,7 @@ type StorageAccountBuilder() =
             Policies = []
             IsVersioningEnabled = []
             MinTlsVersion = None
+            SupportsHttpsTrafficOnly = None
             Tags = Map.empty
             DnsZoneType = None
             DisablePublicNetworkAccess = None
@@ -654,6 +658,15 @@ type StorageAccountBuilder() =
             MinTlsVersion = Some minTlsVersion
         }
 
+    /// Set support https traffic only
+    [<CustomOperation "supports_https_traffic_only">]
+    member _.SupportsHttpsTrafficOnly(state: StorageAccountConfig, ?supportsHttpsTrafficOnly: FeatureFlag) =
+        let flag = defaultArg supportsHttpsTrafficOnly FeatureFlag.Enabled
+
+        { state with
+            SupportsHttpsTrafficOnly = Some flag
+        }
+
     /// Set DNS Endpoint type
     [<CustomOperation "use_azure_dns_zone">]
     member _.SetDnsEndpointType(state: StorageAccountConfig) =

diff --git a/src/Farmer/Builders/Builders.Vm.fs b/src/Farmer/Builders/Builders.Vm.fs
@@ -261,6 +261,7 @@ type VmConfig =
                         StaticWebsite = None
                         EnableHierarchicalNamespace = None
                         MinTlsVersion = None
+                        SupportsHttpsTrafficOnly = None
                         Tags = this.Tags
                         DnsZoneType = None
                         DisablePublicNetworkAccess = None

diff --git a/src/Tests/Storage.fs b/src/Tests/Storage.fs
@@ -722,6 +722,44 @@ let tests =
                 Expect.equal resource.MinimumTlsVersion "TLS1_2" "Min TLS version is wrong"
             }
 
+            test "Test Disable HTTPS Traffic only" {
+                let resource =
+                    let account =
+                        storageAccount {
+                            name "mystorage123"
+                            supports_https_traffic_only FeatureFlag.Disabled
+                        }
+
+                    arm { add_resource account }
+
+                let jsn = resource.Template |> Writer.toJson
+                let jobj = jsn |> Newtonsoft.Json.Linq.JObject.Parse
+
+                Expect.equal
+                    (jobj.SelectToken("resources[0].properties.supportsHttpsTrafficOnly").ToString())
+                    "false"
+                    "https traffic only should be disabled"
+            }
+
+            test "Test Enable HTTPS Traffic only" {
+                let resource =
+                    let account =
+                        storageAccount {
+                            name "mystorage123"
+                            supports_https_traffic_only
+                        }
+
+                    arm { add_resource account }
+
+                let jsn = resource.Template |> Writer.toJson
+                let jobj = jsn |> Newtonsoft.Json.Linq.JObject.Parse
+
+                Expect.equal
+                    (jobj.SelectToken("resources[0].properties.supportsHttpsTrafficOnly").ToString())
+                    "true"
+                    "https traffic only should be enabled"
+            }
+
             test "dnsEndpointType can be set to AzureDnsZone" {
                 let resource =
                     let account =