Terraform-provider-azurerm: azurerm_app_service ip restrictions requiring IP and Subnet Id

Created on 19 Sep 2019 · 10 Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.4

  • provider.azuread v0.6.0
  • provider.azurerm v1.34.0

Affected Resource(s)

  • azurerm_app_service

Terraform Configuration Files

When setting ip_restrictions it seems both "ip_address" and "virtual_network_subnet_id" are required.

Debug Output

Inappropriate value for attribute "ip_restriction": element 0: attributes
"ip_address" and "virtual_network_subnet_id" are required.

Panic Output

Expected Behavior

Allowed to set up restrictions by only specifying an ip address and not a virtual network subnet id.

Actual Behavior

When setting ip_restrictions it seems both "ip_address" and "virtual_network_subnet_id" are required.

Steps to Reproduce

resource "azurerm_app_service" "app-service" {
  app_service_plan_id = "FooPlan"
  location            = "FooLocation"
  name                = "FooName"
  resource_group_name = "FooRG"

  site_config {
    ip_restriction = [{
      ip_address  = "10.199.1.1"
      subnet_mask = "255.255.255.255"
    }]
  }
}

Run

  1. terraform init
  2. terraform plan

All 10 comments

We are receiving the error as well. Downgrading the provider back to 1.33.1 fixes it

Hi,

I can confirm. All my CI/CD releases that have this setting are now failing, and as a quick workaround I just commented out this part (the IP restriction remains as it was previously, so it's not removed).

Regards
Alex

I was able to bypass the error by changing my ip_restriction block

from this

  site_config {
    ip_restriction = [
      for address in var.allowed_ip_addresses : {
        ip_address  = address
        subnet_mask = "255.255.255.255"
      }
    ]
  }

to this

  site_config {
    dynamic "ip_restriction" {
      for_each = var.allowed_ip_addresses
      content {
        ip_address  = ip_restriction.value
        subnet_mask = "255.255.255.255"
      }
    }
  }

It makes me wonder if the issue isn't really the app_service resource, but with Terraform in how multiple blocks vs arrays are handled.

Is there a workaround if you need to set restrictions based on both ip addresses and subnets? Terraform validate seems to fail because "both are required" and then Terraform plan fails because "only one needs to be supplied".

I'm using Terraform version: 0.12.24 and azurerm version: 2.2.0

The azurerm version provider 1.33.1 doesn't recognize fields like os_type for function apps, which makes deploying a Linux function app challenging.

Could someone please point me to an accurate example of ip_restriction being used? As per the previous example of the workaround posted above, it seems odd that I would need to use a dynamic block to add a single IP address.

When I try to add a single IP address without using a dynamic block I get the following error:

"Inappropriate value for attribute "ip_restriction": list of object required."

Also the documentation for this on https://www.terraform.io/docs/providers/azurerm/r/app_service.html is wrong.

Thanks,

For anyone facing this issue - there is a simple work-around that I verified to work in version 0.12.28.
Note the ip_address = null and populating both virtual_network_subnet_id and subnet_id.

    ip_restriction = [
      {
        ip_address                = null
        virtual_network_subnet_id = <reference_to_id>
        subnet_id                 = <reference_to_id>
        name                      = "<name>"
        description               = "<description>"
        priority                  = 10000
        action                    = "Allow"
      },
      (...)
    ]

Thanks @Heer-Boaz, your example did work for me and tf apply is working, but when I look at the Azure resources, they are not right: all the priorities are showing 65000, and the names are empty.

๐Ÿ‘‹๐Ÿป

Taking a look through here it appears that this is possible as is shown in @Heer-Boaz's comment - and as such I'm going to close this issue for the moment - but if you're still having issues I believe you should be able to get an answer for this using one of the Community Resources.

Thanks!

@ksooner: good to see that the work-around works. I have the same issue with setting the priority; whether by using integers or string-values, the priority will always show as 65000 and the name will also be empty.

I think we should create a new issue for this.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉, please reach out to my human friends 👉 [email protected]. Thanks!
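
An added example, not part of the thread or the provider's code: a check over `terraform show -json` output that flags `ip_restriction` entries carrying neither or both of `ip_address` and `virtual_network_subnet_id`, an app service with no rules at all, and the post-apply symptom reported above (priority 65000 or an empty name). The sample state is constructed, and the attribute names and the list-shaped `site_config` are assumptions taken from the names quoted in the thread.

```python
import json
# Constructed sample in the shape of `terraform show -json` (not real state).
# Attribute names are assumed to mirror the ones quoted in the thread.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"resources": [{
  "address": "azurerm_app_service.example", "type": "azurerm_app_service",
  "values": {"site_config": [{"ip_restriction": [
    {"ip_address": "10.199.1.1", "virtual_network_subnet_id": null,
     "name": "office", "priority": 100},
    {"ip_address": null, "virtual_network_subnet_id": "SUBNET_ID_PLACEHOLDER",
     "name": "", "priority": 65000},
    {"ip_address": null, "virtual_network_subnet_id": null,
     "name": "unset", "priority": 200}
  ]}]}}]}}}
""")

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def is_set(value):
    return value not in (None, "")

def audit_ip_restrictions(state):
    """Return (resource address, rule index or None, message) findings."""
    findings = []
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_app_service":
            continue
        addr = res.get("address")
        rules = []
        for site_config in res.get("values", {}).get("site_config") or []:
            rules.extend(site_config.get("ip_restriction") or [])
        if not rules:
            findings.append((addr, None, "no ip_restriction rules in state"))
        for i, rule in enumerate(rules):
            sources = [k for k in ("ip_address", "virtual_network_subnet_id")
                       if is_set(rule.get(k))]
            if len(sources) != 1:
                findings.append((addr, i, f"need exactly one source, found {sources}"))
            if rule.get("priority") == 65000 or not is_set(rule.get("name")):
                findings.append((addr, i, "priority 65000 or empty name"))
    return findings

if __name__ == "__main__":
    for finding in audit_ip_restrictions(SAMPLE_STATE):
        print(finding)
```

To run it against a real workspace, load the output of `terraform show -json` with `json.load` and pass the result to `audit_ip_restrictions`.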
