terraform-provider-azurerm: Problem with IP Restriction rules in azurerm_app_service resource

Hi,

We ran into a strange problem while working with the “IP Restriction” functionality of the azurerm_app_service resource. We need to manage these IP Restriction rules externally, using a PowerShell script rather than Terraform. Below are the detailed steps we followed:

  1. We successfully applied the needed restriction rules via the script. (screenshot)

  2. Then we decided to change tags (basically any change) for the app_service resource via TF. After that the rules became broken and we see this: (screenshot)

  3. I’ve tried to add the IP Restriction list to the Lifecycle -> Ignore Changes part of the app_service resource, like this:

         lifecycle {
           ignore_changes = [
             "site_config.0.scm_type",
             "site_config.0.ip_restriction"
           ]
         }

     But this does not help: whenever we change the IP restriction rules externally and then apply TF, the rules become broken.

  4. At the same time, it looks like the current implementation of the IP Restriction part of the azurerm_app_service resource is using the old Azure API 2016-08-01 instead of 2018-02-01 (https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions). In the old API you just need to specify 2 parameters: ip_address and subnet_mask. But in the new API an ip_restriction consists of the following parameters:

         {
           "ipAddress": "131.107.159.0/24",
           "action": "Allow",
           "tag": "Default",
           "priority": 100,
           "name": "allowed access"
         }

     So basically when TF Apply runs against the app_service resource it uses the old API, and this just breaks the IP Restriction rules entirely.

So I have two questions:

  1. How can we ignore changes for IP Restriction rules applied externally?
  2. What is the best way to handle such case?
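One way to approach the second question, as an added example that is not part of this issue or of the provider: a small post-apply check that compares the externally managed rule list with what is now on the site, so a `terraform apply` that silently rewrites the allow-list is caught before it goes unnoticed. Rules use the 2018-02-01 field names quoted in the issue; a rule that came back in the old shape (bare ipAddress plus subnetMask, no name or priority) is normalised so it still matches on address and is reported as degraded rather than missing. Both rule lists below are constructed sample data; how the live list is exported (PowerShell, CLI) is outside this example.

```python
"""Post-apply drift check for App Service IP restrictions (added example).

DESIRED is the rule list managed outside Terraform; ACTUAL_AFTER_APPLY stands
in for the site's current ipSecurityRestrictions as exported after an apply.
Both are constructed sample data for this example.
"""
import ipaddress
import json

DESIRED = [
    {"ipAddress": "131.107.159.0/24", "action": "Allow", "tag": "Default",
     "priority": 100, "name": "allowed access"},
    {"ipAddress": "10.0.0.5/32", "action": "Allow", "tag": "Default",
     "priority": 200, "name": "office vpn"},
]

# Constructed: the first rule came back in the old 2016-08-01 shape (address
# plus subnet mask, no name or priority) and the second rule is gone entirely.
ACTUAL_AFTER_APPLY = [
    {"ipAddress": "131.107.159.0", "subnetMask": "255.255.255.0"},
]


def rule_key(rule):
    """Identity of a rule: normalised CIDR plus lower-cased action.

    The old API expresses the network as ipAddress + subnetMask, so fold that
    into CIDR form before comparing. Anything unparsable (such as the literal
    "Any" Azure uses for its catch-all rule) is kept verbatim.
    """
    addr = rule["ipAddress"]
    if "/" not in addr and rule.get("subnetMask"):
        addr = f"{addr}/{rule['subnetMask']}"
    try:
        addr = str(ipaddress.ip_network(addr, strict=False))
    except ValueError:
        pass
    return (addr, rule.get("action", "Allow").lower())


def diff_restrictions(desired, actual):
    """Report rules missing from the site, rules that should not be there, and
    rules that match on address/action but lost their name or priority."""
    desired_by_key = {rule_key(r): r for r in desired}
    actual_by_key = {rule_key(r): r for r in actual}
    missing = sorted(k for k in desired_by_key if k not in actual_by_key)
    unexpected = sorted(k for k in actual_by_key if k not in desired_by_key)
    degraded = []
    for key, want in desired_by_key.items():
        got = actual_by_key.get(key)
        if got is None:
            continue
        for field in ("name", "priority"):
            if got.get(field) != want.get(field):
                degraded.append((key, field, want.get(field), got.get(field)))
    return {"missing": missing, "unexpected": unexpected, "degraded": degraded}


def is_consistent(desired, actual):
    """True only when nothing is missing, extra or degraded."""
    return not any(diff_restrictions(desired, actual).values())


if __name__ == "__main__":
    report = diff_restrictions(DESIRED, ACTUAL_AFTER_APPLY)
    print(json.dumps(report, indent=2))
    # Non-zero exit lets a pipeline step fail when the apply clobbered rules.
    raise SystemExit(0 if is_consistent(DESIRED, ACTUAL_AFTER_APPLY) else 1)
```

Run it right after `terraform apply` with the live list substituted for `ACTUAL_AFTER_APPLY`; a non-zero exit is the signal that the rules need to be re-applied from the external script.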


Terraform (and AzureRM Provider) Version

Terraform v0.11.7

  • provider.azurerm v1.19.0
  • provider.random v2.0.0
  • provider.template v1.0.0

Affected Resource(s)

  • azurerm_app_service

Steps to Reproduce

  1. terraform apply

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 45
  • Comments: 23 (2 by maintainers)

Most upvoted comments

I am running into the same issue as @mrboogiee. When following the documentation with optional params and only setting the ip_address, I get the following error:

Error: Incorrect attribute value type

  on maint.tf line 113, in resource "azurerm_app_service" "microservice":
 113:     ip_restriction = [{
 114:       action     = "Allow"
 115:       ip_address = "${azurerm_app_service.gateway.outbound_ip_address_list[0]}/32"
 116:       name       = "Allow Gateway Access from IP"
 117:       priority   = 100
 118:     }]

Inappropriate value for attribute "ip_restriction": element 0: attributes
"service_tag", "subnet_id", and "virtual_network_subnet_id" are required.

When adding these params as per the error message with some dummy values, I get the following error:

Error: Error expanding site_config for App Service "5i-terraform-user-svc" (Resource Group "5i-terraform"): only one of ip_address, service_tag or virtual_network_subnet_id can be set for an IP restriction

I got it working with

    ip_restriction = [{
      ip_address                = "${azurerm_app_service.gateway.outbound_ip_address_list[0]}/32"
      name                      = "Allow Gateway Access from IP"
      action                    = "Allow"
      virtual_network_subnet_id = null
      subnet_id                 = null
      priority                  = 100
      service_tag               = null
    }]

Is there a way to use ip_restriction with Type as ‘Virtual Network’ using Terraform?

Any chances it might be fixed anytime soon?

@JleruOHeP yes, there is just now an open PR for names and priorities 😃 https://github.com/terraform-providers/terraform-provider-azurerm/pull/6705

I have just upgraded to v2.43 and tried to get this working with the documentation on https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app but ran into the following issues with the below configuration:

  site_config {
    ip_restriction = [
      {
        name="Allow manual triggering from somewhere"
        ip_address = "1.2.3.4/24"
        action = "Allow"
        priority = "400"
      },
      {
        name = "Allow trigger from LogicApp"
        service_tag = "LogicApps"
        action = "Allow"
        priority = "300"
      },
    ]
  }

This resulted in the following error when executing plan:

Error: Incorrect attribute value type

  on functions.tf line 190, in resource "azurerm_function_app" "function":
 190:     ip_restriction = [
 191:       {
 192:         name="Allow manual triggering from somewhere"
 193:         ip_address = "1.2.3.4/24"
 194:         action = "Allow"
 195:         priority = "400"
 196:       },
 197:       {
 198:         name = "Allow trigger from LogicApp"
 199:         service_tag = "LogicApps"
 200:         action = "Allow"
 201:         priority = "300"
 202:       },
 203:     ]

Inappropriate value for attribute "ip_restriction": element 0: attributes
"service_tag", "subnet_id", and "virtual_network_subnet_id" are required.

If I then add the apparently (although the documentation says otherwise) required fields with empty values like below:

  site_config {
    ip_restriction = [
      {
        name="Allow manual triggering from somewhere"
        ip_address = "1.2.3.4/24"
        action = "Allow"
        priority = "400"
        service_tag = ""
        subnet_id = ""
        virtual_network_subnet_id = ""
      },
      {
        name = "Allow trigger from LogicApp"
        service_tag = "LogicApps"
        action = "Allow"
        priority = "300"
        ip_address = ""
        subnet_id = ""
        virtual_network_subnet_id = ""
      },
    ]
  }

I run into the following errors when executing plan:

Warning: "site_config.0.ip_restriction.0.subnet_id": [DEPRECATED] This field has been deprecated in favour of `virtual_network_subnet_id` and will be removed in a future version of the provider

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Warning: "site_config.0.ip_restriction.1.subnet_id": [DEPRECATED] This field has been deprecated in favour of `virtual_network_subnet_id` and will be removed in a future version of the provider

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.0.service_tag" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.0.subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.0.virtual_network_subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.1.virtual_network_subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.1.ip_address" to be a valid IPv4 Value, got : invalid CIDR address:

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.1.subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {
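The two comments above trip over the same three provider rules, all visible in the quoted errors: an empty string is rejected (the working config earlier in the thread uses null instead), only one of ip_address, service_tag or virtual_network_subnet_id may be set, and ip_address must be a valid IPv4 CIDR. As an added example that is not the provider's own validation code, here is a pre-plan lint in Python that checks a rule list against those constraints and rewrites it into the null-padded shape the earlier comment found to work. Two things are assumptions not stated in this thread: that at least one selector is required, and that Allow and Deny are the valid action values. The sample rule list is the empty-string configuration from the comment above, reconstructed as Python dicts.

```python
"""Lint ip_restriction entries before terraform plan (added example, not the
provider's own code). Constraints are taken from the errors quoted in the
thread; see the comments for the two assumptions this adds."""
import ipaddress

SELECTORS = ("ip_address", "service_tag", "virtual_network_subnet_id", "subnet_id")
ALL_KEYS = ("name", "action", "priority") + SELECTORS

# Constructed from the comment above: the config that produced the
# "to not be an empty string" errors.
BROKEN = [
    {"name": "Allow manual triggering from somewhere", "ip_address": "1.2.3.4/24",
     "action": "Allow", "priority": "400", "service_tag": "", "subnet_id": "",
     "virtual_network_subnet_id": ""},
    {"name": "Allow trigger from LogicApp", "service_tag": "LogicApps",
     "action": "Allow", "priority": "300", "ip_address": "", "subnet_id": "",
     "virtual_network_subnet_id": ""},
]


def validate_ip_restrictions(rules):
    """Return (errors, warnings) for a list of ip_restriction dicts."""
    errors, warnings = [], []
    for i, rule in enumerate(rules):
        prefix = f"ip_restriction.{i}"
        # Rule 1 (from the errors): "" is rejected; use null or omit the key.
        for key, value in rule.items():
            if value == "":
                errors.append(f"{prefix}.{key}: must not be an empty string (use null)")
        # The provider's deprecation warning fires whenever subnet_id is given.
        if rule.get("subnet_id") is not None:
            warnings.append(f"{prefix}.subnet_id: deprecated, use virtual_network_subnet_id")
        # Rule 2 (from the errors): only one selector may be set.
        chosen = [k for k in SELECTORS if rule.get(k) not in (None, "")]
        kinds = {"virtual_network_subnet_id" if k == "subnet_id" else k for k in chosen}
        if len(kinds) > 1:
            errors.append(f"{prefix}: only one of ip_address, service_tag or "
                          f"virtual_network_subnet_id can be set (got {sorted(kinds)})")
        elif not kinds:
            # Assumption: a rule that selects nothing is rejected.
            errors.append(f"{prefix}: one of ip_address, service_tag or "
                          f"virtual_network_subnet_id must be set")
        # Rule 3 (from the errors): ip_address must be a valid IPv4 CIDR.
        addr = rule.get("ip_address")
        if addr:
            try:
                if ipaddress.ip_network(addr, strict=False).version != 4:
                    errors.append(f"{prefix}.ip_address: {addr!r} is not IPv4")
            except ValueError:
                errors.append(f"{prefix}.ip_address: {addr!r} is not a valid CIDR")
        # Assumption: Allow/Deny are the action values Azure accepts.
        action = rule.get("action")
        if action not in (None, "Allow", "Deny"):
            errors.append(f"{prefix}.action: {action!r} is not Allow or Deny")
    return errors, warnings


def normalize(rule):
    """Rewrite a rule into the shape the thread found working: every attribute
    present, unused ones null, subnet_id folded into virtual_network_subnet_id."""
    out = {k: None for k in ALL_KEYS}
    for key, value in rule.items():
        if value in ("", None):
            continue
        if key == "subnet_id" and rule.get("virtual_network_subnet_id") in ("", None):
            key = "virtual_network_subnet_id"
        out[key] = value
    return out


if __name__ == "__main__":
    errors, warnings = validate_ip_restrictions(BROKEN)
    for line in warnings:
        print("warning:", line)
    for line in errors:
        print("error:", line)
    fixed = [normalize(r) for r in BROKEN]
    print("after normalize:", validate_ip_restrictions(fixed))
```

Feed it the rule list you intend to put in `site_config` (for example by loading it from the `.tfvars` or JSON your pipeline generates) and fail the pipeline on any error; the normalised output is what to render into HCL, with `null` for the unused selectors.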

While we wait for this to be updated, the following code using an azurerm template deployment can set the IpSecurityRestrictions and scmIpSecurityRestrictions properties on the site config on every terraform apply, if added alongside an existing app service resource deployment.

resource "azurerm_template_deployment" "ipwhitelist" {
  name                = "${var.application}-ipwhitelist"
  resource_group_name = var.resource_group_name
  template_body       = <<JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "_force_terraform_to_always_redeploy": "${timestamp()}"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "${azurerm_app_service.app_service.name}/web",
      "location": "[resourceGroup().location]",
      "properties": {
        "IpSecurityRestrictions": [
          {
            "ipAddress": "${local.some_address_to_allow}",
            "action": "Allow",
            "tag": "Default",
            "priority": 300,
            "name": "Allow_My_Proxy",
            "description": "useful info"
          }
        ],
        "scmIpSecurityRestrictions": [
          {
            "ipAddress": "${local.some_address_to_allow}",
            "action": "Allow",
            "tag": "Default",
            "priority": 300,
            "name": "Allow_My_Proxy",
            "description": "useful info"
          }
        ]
      }
    }
  ]
}
JSON
  deployment_mode     = "Incremental"
}

No it hasn’t, which is annoying, as it would be really useful to label the IP addresses in the portal.

To add it as a VNet restriction you use virtual_network_subnet_id:

    ip_restriction {
      virtual_network_subnet_id = "${data.azurerm_subnet.app_gateway_subnet.id}"
    }

But was there any progress on adding names and priorities?