Merge pull request #7 from meshcloud/feature/ip-address-string

florianow · web-flow · commit aa1ca731249b · 2025-10-09T14:44:32.000+02:00
Feature/ip address string
diff --git a/README.md b/README.md
@@ -163,7 +163,7 @@ No modules.
 | [azurerm_container_group.minio_aci_container_group](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/container_group) | resource |
 | [azurerm_key_vault.minio_kv](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/key_vault) | resource |
 | [azurerm_key_vault_access_policy.agw_policy](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.tf](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.minio_cert_policy](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_certificate.minio_cert](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/key_vault_certificate) | resource |
 | [azurerm_log_analytics_workspace.minio_law](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_network_security_group.agw_nsg](https://registry.terraform.io/providers/hashicorp/azurerm/4.36.0/docs/resources/network_security_group) | resource |
@@ -188,7 +188,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_ip_addresses"></a> [allowed\_ip\_addresses](#input\_allowed\_ip\_addresses) | List of IP addresses that will be allowed to access the MinIO service (CIDR format, e.g., ['203.0.113.0/32', '192.168.1.0/24']) | `list(string)` | n/a | yes |
+| <a name="input_allowed_ip_addresses"></a> [allowed\_ip\_addresses](#input\_allowed\_ip\_addresses) | Comma-separated list of IP addresses that will be allowed to access the MinIO service in CIDR format. Example: '203.0.113.0/32' for a single IP or '10.10.10.2/32,192.168.1.0/24' for multiple IPs. | `string` | `"10.10.10.2/32"` | no |
 | <a name="input_coraza_waf_image"></a> [coraza\_waf\_image](#input\_coraza\_waf\_image) | Coraza WAF container image | `string` | `"ghcr.io/meshcloud/minio_azure_container_app/coraza-caddy:caddy-2.8-coraza-v2.0.0"` | no |
 | <a name="input_location"></a> [location](#input\_location) | Azure region for deployment | `string` | `"West Europe"` | no |
 | <a name="input_minio_image"></a> [minio\_image](#input\_minio\_image) | MinIO container image | `string` | `"quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z"` | no |
diff --git a/main.tf b/main.tf
@@ -83,7 +83,7 @@ resource "azurerm_key_vault" "minio_kv" {
   soft_delete_retention_days = 7
 }
 
-resource "azurerm_key_vault_access_policy" "tf" {
+resource "azurerm_key_vault_access_policy" "minio_cert_policy" {
   key_vault_id = azurerm_key_vault.minio_kv.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = data.azurerm_client_config.current.object_id
@@ -116,6 +116,7 @@ resource "azurerm_key_vault_certificate" "minio_cert" {
 
     }
   }
+  depends_on = [azurerm_key_vault_access_policy.minio_cert_policy]
 }
 
 resource "azurerm_user_assigned_identity" "agw_identity" {
@@ -147,31 +148,37 @@ resource "azurerm_network_security_group" "agw_nsg" {
   resource_group_name = azurerm_resource_group.minio_rg.name
 }
 
+locals {
+  allowed_ips_list = [
+    for ip in split(",", var.allowed_ip_addresses) : trimspace(ip)
+  ]
+}
+
 resource "azurerm_network_security_rule" "allow_https_ui" {
-  count                       = length(var.allowed_ip_addresses)
+  count                       = length(local.allowed_ips_list)
   name                        = "AllowHTTPS-UI-${count.index}"
   priority                    = 100 + count.index
   direction                   = "Inbound"
   access                      = "Allow"
   protocol                    = "Tcp"
   source_port_range           = "*"
   destination_port_range      = "443"
-  source_address_prefix       = var.allowed_ip_addresses[count.index]
+  source_address_prefix       = local.allowed_ips_list[count.index]
   destination_address_prefix  = "*"
   resource_group_name         = azurerm_resource_group.minio_rg.name
   network_security_group_name = azurerm_network_security_group.agw_nsg.name
 }
 
 resource "azurerm_network_security_rule" "allow_https_api" {
-  count                       = length(var.allowed_ip_addresses)
+  count                       = length(local.allowed_ips_list)
   name                        = "AllowHTTPS-API-${count.index}"
   priority                    = 200 + count.index
   direction                   = "Inbound"
   access                      = "Allow"
   protocol                    = "Tcp"
   source_port_range           = "*"
   destination_port_range      = "8443"
-  source_address_prefix       = var.allowed_ip_addresses[count.index]
+  source_address_prefix       = local.allowed_ips_list[count.index]
   destination_address_prefix  = "*"
   resource_group_name         = azurerm_resource_group.minio_rg.name
   network_security_group_name = azurerm_network_security_group.agw_nsg.name
diff --git a/variables.tf b/variables.tf
@@ -76,12 +76,13 @@ variable "coraza_waf_image" {
 }
 
 variable "allowed_ip_addresses" {
-  type        = list(string)
-  description = "List of IP addresses that will be allowed to access the MinIO service (CIDR format, e.g., ['203.0.113.0/32', '192.168.1.0/24'])"
+  type        = string
+  description = "Comma-separated list of IP addresses that will be allowed to access the MinIO service in CIDR format. Example: '203.0.113.0/32' for a single IP or '10.10.10.2/32,192.168.1.0/24' for multiple IPs."
+  default     = "10.10.10.2/32"
   validation {
     condition = alltrue([
-      for ip in var.allowed_ip_addresses : can(cidrhost(ip, 0))
+      for ip in split(",", var.allowed_ip_addresses) : can(cidrhost(trimspace(ip), 0))
     ])
-    error_message = "All IP addresses must be in valid CIDR format (e.g., '203.0.113.0/32' for a single IP or '192.168.1.0/24' for a subnet)."
+    error_message = "All IP addresses must be in valid CIDR format (e.g., '10.10.10.2/32' for a single IP or '192.168.1.0/24' for a subnet)."
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -76,12 +76,13 @@ variable "coraza_waf_image" {`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`variable "allowed_ip_addresses" {`
`79`		`- type = list(string)`
`80`		`- description = "List of IP addresses that will be allowed to access the MinIO service (CIDR format, e.g., ['203.0.113.0/32', '192.168.1.0/24'])"`
	`79`	`+ type = string`
	`80`	`+ description = "Comma-separated list of IP addresses that will be allowed to access the MinIO service in CIDR format. Example: '203.0.113.0/32' for a single IP or '10.10.10.2/32,192.168.1.0/24' for multiple IPs."`
	`81`	`+ default = "10.10.10.2/32"`
`81`	`82`	`validation {`
`82`	`83`	`condition = alltrue([`
`83`		`- for ip in var.allowed_ip_addresses : can(cidrhost(ip, 0))`
	`84`	`+ for ip in split(",", var.allowed_ip_addresses) : can(cidrhost(trimspace(ip), 0))`
`84`	`85`	`])`
`85`		`- error_message = "All IP addresses must be in valid CIDR format (e.g., '203.0.113.0/32' for a single IP or '192.168.1.0/24' for a subnet)."`
	`86`	`+ error_message = "All IP addresses must be in valid CIDR format (e.g., '10.10.10.2/32' for a single IP or '192.168.1.0/24' for a subnet)."`
`86`	`87`	`}`
`87`	`88`	`}`