azurerm_app_service
Before:
```hcl
resource "azurerm_app_service" "app" {
  # ...
  site_config {
    ip_restriction {
      ip_address                = null
      priority                  = 1000
      name                      = "InternalAppSubnet"
      action                    = "Allow"
      virtual_network_subnet_id = azurerm_subnet.app.id
      subnet_id                 = azurerm_subnet.app.id
    }
  }
}
```
After:
```hcl
resource "azurerm_app_service" "app" {
  # ...
  site_config {
    ip_restriction {
      ip_address                = "10.0.0.0/8"
      priority                  = 1000
      name                      = "InternalAppSubnet"
      action                    = "Allow"
      virtual_network_subnet_id = null
      subnet_id                 = null
    }
  }
}
```
When switching from using subnets to IP addresses, the subnet should be blanked. This is more of an issue if the ip_restriction block is part of a dynamic nested block, as removing an item in the middle of the list will cause the plan to think it's changing them in sequence.
The plan tries to add the IP address to the existing restriction, but the subnet is not removed. This causes a failure, as only 1 of the 2 can be set at a time.
The above use case is a minimal replication; the most common use case will be using a dynamic block for the IP restrictions, which is far more likely to cause the issue.
To solve this temporarily, I added a 'buffer' in the ip_restrictions list between the ip_address restrictions and the subnet restrictions. This way, when I add a new ip_address restriction, an element from my 'buffer' gets removed and the subnet restrictions don't change position in the array:
My IP address restriction:
```hcl
locals {
  ip_restriction_ip_whitelist = [for v in var.ip_whitelist : {
    name                      = "Terraform IP whitelist"
    ip_address                = v
    priority                  = 1000
    action                    = "Allow"
    subnet_id                 = null
    virtual_network_subnet_id = null
  }]
}
```
My subnet restriction:
```hcl
locals {
  ip_restriction_subnets = [for v in var.whitelisted_subnets : {
    virtual_network_subnet_id = v
    action                    = "Allow"
    name                      = "Terraform Subnet whitelist"
    priority                  = 2000
    ip_address                = null
    subnet_id                 = null
  }]
}
```
My previous ip_restriction list that caused issues when adding/removing IP addresses:
```hcl
locals {
  ip_restriction_all = concat(local.ip_restriction_ip_whitelist, local.ip_restriction_subnets)
}
```
How I solved it:
```hcl
locals {
  dummylist = [for v in range(1, 255) : {
    // Due to https://github.com/terraform-providers/terraform-provider-azurerm/issues/8768, adding an IP to the ip restriction whitelist becomes very cumbersome.
    // You will end up with elements in the array that contain both an ip_address and a subnet. Because of this, applying will generate an error.
    name                      = "dummyIP-${v}"
    ip_address                = "169.254.0.${v}/32"
    priority                  = 10000
    action                    = "Deny"
    subnet_id                 = null
    virtual_network_subnet_id = null
  }]

  ip_restriction_all = concat(
    local.ip_restriction_ip_whitelist,
    slice(local.dummylist, length(local.ip_restriction_ip_whitelist) + 1, length(local.dummylist)),
    local.ip_restriction_subnets
  )
}
```
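Added model in Python (not code from this thread or from the provider) of the by-index merge the report describes and of the buffer padding from the comment above. It assumes that, on update, a null attribute is simply not written over the existing value (the observed "subnet is not removed" behaviour); that assumption stands in for the provider's real logic, which the thread does not show.

```python
from typing import Dict, List, Optional

# Constructed model of one ip_restriction entry; None stands for HCL null.
Rule = Dict[str, Optional[str]]

def ip_rule(cidr: str, action: str = "Allow") -> Rule:
    return {"ip_address": cidr, "subnet_id": None,
            "virtual_network_subnet_id": None, "action": action}

def subnet_rule(subnet_id: str) -> Rule:
    return {"ip_address": None, "subnet_id": subnet_id,
            "virtual_network_subnet_id": subnet_id, "action": "Allow"}

def positional_apply(current: List[Rule], desired: List[Rule]) -> List[Rule]:
    """Merge desired onto current index by index (a list-backed nested block is
    diffed positionally). Assumption: a null attribute is not written over the
    value already in state, which is what the report observes."""
    merged = []
    for i, want in enumerate(desired):
        have = dict(current[i]) if i < len(current) else {}
        have.update({k: v for k, v in want.items() if v is not None})
        merged.append(have)
    return merged

def conflicting(rules: List[Rule]) -> List[int]:
    """Indexes whose entry ends up with both an IP address and a subnet set;
    the API rejects such an entry, which is the apply failure in the report."""
    return [i for i, r in enumerate(rules)
            if r.get("ip_address") and (r.get("subnet_id") or r.get("virtual_network_subnet_id"))]

def padded(ips: List[Rule], subnets: List[Rule], size: int = 254) -> List[Rule]:
    """Buffer idea from the thread: a fixed-size run of dummy Deny rules between
    the IP rules and the subnet rules keeps the subnet rules at a stable index."""
    dummies = [ip_rule(f"169.254.0.{n}/32", "Deny") for n in range(1, size + 1)]
    return ips + dummies[len(ips):] + subnets

if __name__ == "__main__":
    # Case 1 from the report: one block switches from subnet to IP; the subnet stays -> conflict at index 0.
    print(conflicting(positional_apply([subnet_rule("app")], [ip_rule("10.0.0.0/8")])))
    # Case 2: an IP inserted before the subnet rule in a dynamic list makes index 1 a mixed entry.
    cur = [ip_rule("10.0.0.0/8"), subnet_rule("app")]
    want = [ip_rule("10.0.0.0/8"), ip_rule("192.168.0.0/16"), subnet_rule("app")]
    print(conflicting(positional_apply(cur, want)))
    # With the buffer, the subnet rule keeps its index and no entry is mixed.
    print(conflicting(positional_apply(padded(cur[:1], cur[1:]), padded(want[:2], want[2:]))))
```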
The solution @w0ut0 (we're colleagues) mentioned above didn't seem to work in the end :/ Another colleague of mine, @samueldumont, thinks it's because the provider sets empty strings instead of null when refreshing the state.
I myself think that the cause of this issue is the duplicate subnet property. It seems like it's not properly copying null to the other property.
@tombuildsstuff any news about this issue, please?