Terraform-provider-azurerm: azurerm_firewall: support multiple ip_configuration blocks

Created on 9 Aug 2019  ·  11 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently it is only possible to have one ip_configuration block per azurerm_firewall resource, whereas Azure Firewall actually supports multiple IP configurations. Having multiple IP addresses associated with a Firewall is essential...

Is it possible to enhance the module and add a feature to enable multiple ip_configuration blocks?

New or Affected Resource(s)

  • azurerm_firewall

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

  • 0000

  • enhancement service/firewall

    All 11 comments

    Hi @adubnik , could you please update your post to use the "Feature Request" template, found here: https://github.com/terraform-providers/terraform-provider-azurerm/issues/new?template=Feature_Request.md as it helps the developers quickly understand how your suggested feature might be implemented? Thanks.

    if we take a baseline https://www.terraform.io/docs/providers/azurerm/r/firewall.html

    resource "azurerm_public_ip" "test-1" {
      name                = "testpip-1"
      location            = "${azurerm_resource_group.test.location}"
      resource_group_name = "${azurerm_resource_group.test.name}"
      allocation_method   = "Static"
      sku                 = "Standard"
    }
    
    resource "azurerm_public_ip" "test-2" {
      name                = "testpip-2"
      location            = "${azurerm_resource_group.test.location}"
      resource_group_name = "${azurerm_resource_group.test.name}"
      allocation_method   = "Static"
      sku                 = "Standard"
    }
    
    resource "azurerm_firewall" "test" {
      name                = "testfirewall"
      location            = "${azurerm_resource_group.test.location}"
      resource_group_name = "${azurerm_resource_group.test.name}"
    
      ip_configuration {
        name                 = "ip-configuration"
        subnet_id            = "${azurerm_subnet.test.id}"
        public_ip_address_ids = [
          "${azurerm_public_ip.test-1.id}",
          "${azurerm_public_ip.test-2.id}"
        ]
      }
    }
    

    public_ip_address_id -> takes 1 IP address ID
    public_ip_address_ids -> takes a list of IP addresses IDs

    Alternatively support multiple configurations

    ```
    resource "azurerm_firewall" "test" {
      name                = "testfirewall"
      location            = "${azurerm_resource_group.test.location}"
      resource_group_name = "${azurerm_resource_group.test.name}"

      ip_configuration {
        name                 = "ip-configuration-1"
        subnet_id            = "${azurerm_subnet.test.id}"
        public_ip_address_id = "${azurerm_public_ip.test-1.id}"
      }

      ip_configuration {
        name = "ip-configuration-2"
        # subnet_id = "${azurerm_subnet.test.id}" # - I don't think this should be mandatory as IP configuration #2 will sit on the same subnet most likely...
        public_ip_address_id = "${azurerm_public_ip.test-2.id}"
      }
    }
    ```

    Any idea on this? We need it :D

    cc @nexxai ?

    Hi,
    I have the same request, but I don't know if it's necessary to do something for its declaration? Have you taken this feature into your plans?
    If I put this secondary ip_configuration in the Azure platform, the Terraform script will not work afterwards.
    Thanks

    Hi

    I have just got this issue of Terraform not allowing multiple ip_configuration blocks.

    But instead of allowing multiple ip_configuration blocks I would rather go with having a resource that would attach the ip configuration with azure firewall. e.g.

    ```
    resource "azurerm_firewall_ip_attachment" "first" {
      firewall_id          = azurerm_firewall.test.id
      subnet_id            = "${azurerm_subnet.test.id}"
      public_ip_address_id = "${azurerm_public_ip.test-1.id}"
    }

    resource "azurerm_firewall_ip_attachment" "second" {
      firewall_id          = azurerm_firewall.test.id
      subnet_id            = "${azurerm_subnet.test.id}"
      public_ip_address_id = "${azurerm_public_ip.test-2.id}"
    }
    ```

    Considering the use case of many ip_configurations attached to a single firewall, the above makes it independent rather than having loads of ip_configuration blocks in the same azurerm_firewall resource.

    For all whose use-case involves NAT IPs, use a load balancer with Multiple NAT IP support solution instead.

    @houkms, is updating the data resource in scope of this, or is another issue required?

    @timja data source will also be updated here.

    This has been released in version 1.37.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

    provider "azurerm" {
        version = "~> 1.37.0"
    }
    # ... other configuration ...
    

    I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

    If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
