
Problem with IP Restriction rules in azurerm_app_service resource #2488

Closed
alexeyklots opened this issue Dec 11, 2018 · 23 comments

@alexeyklots

Hi,

We ran into a strange problem while working with the "IP Restriction" functionality of the azurerm_app_service resource. We need to manage these IP Restriction rules externally with a PowerShell script and not with Terraform. Below are the detailed steps we followed:

  1. We successfully applied the needed restriction rules via script.
     (screenshot)

  2. Then we decided to change tags (basically any change) for the app_service resource via TF. After that the rules became broken and we see this:
     (screenshot)

  3. I've tried to add the IP Restriction list to the Lifecycle -> Ignore Changes part of the app_service resource, like this:
     lifecycle {
       ignore_changes = [
         "site_config.0.scm_type",
         "site_config.0.ip_restriction"
       ]
     }
     But this does not help: whenever we change the IP restriction rules externally and then apply TF, the rules become broken.

  4. At the same time, it looks like the current implementation of the IP Restriction part of the azurerm_app_service resource is using the old Azure API 2016-08-01 instead of 2018-02-01 (https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions). In the old API you just need to specify 2 parameters: ip_address and subnet_mask. But for the new API an ip_restriction consists of the following parameters:
     {
       "ipAddress": "131.107.159.0/24",
       "action": "Allow",
       "tag": "Default",
       "priority": 100,
       "name": "allowed access"
     }
     So basically when TF Apply runs against the app_service resource it uses the old API and this simply breaks the IP Restriction rules entirely.

So I have two questions:

  1. How can we ignore changes for IP Restriction rules applied externally?
  2. What is the best way to handle such a case?


Terraform (and AzureRM Provider) Version

Terraform v0.11.7

  • provider.azurerm v1.19.0
  • provider.random v2.0.0
  • provider.template v1.0.0

Affected Resource(s)

  • azurerm_app_service


Steps to Reproduce

  1. terraform apply

@najgel

najgel commented Feb 4, 2019

Up until last week this was a nuisance, but today when I logged in to check an Azure web app in the portal the IP restrictions blade is broken because of this. The GUI fails because of a null reference when trying to apply "tolower" to a property, which makes me suspect the name property of the rule. If I use https://resources.azure.com/ to find the IP restriction rule in the app and add a name property to the rule, the IP restrictions blade loads normally.

@jamie3

jamie3 commented Feb 5, 2019

We are experiencing the same issues.

@snerting

snerting commented Feb 7, 2019

This bug makes our use of Terraform terrible. Without being able to add priority and name, our app service would not work. This bug forces us to add a manual step, where we must remember to configure this in the portal after apply.

@jamie3

jamie3 commented Feb 7, 2019

In cases like this we usually use a PowerShell script.

@tombuildsstuff tombuildsstuff added this to the 1.23.0 milestone Feb 9, 2019
@tombuildsstuff tombuildsstuff modified the milestones: 1.23.0, 1.25.0 Mar 5, 2019
@turjachaudhuri

Has this issue been fixed yet?

@alexeyklots
Author

@turjachaudhuri, unfortunately no; it was to be fixed in the next release (1.23) but it was moved to the 1.25 release...

@turjachaudhuri

Has this issue been fixed in Azure provider version 1.25, or in any later version? Can somebody let me know?

@terryjoycenhs

No it hasn't, which is annoying as it would be really useful to label the IP addresses in the portal.

@alastairtree
Contributor

While we wait for this to be updated, the following code using an azurerm template deployment can set the IpSecurityRestrictions and scmIpSecurityRestrictions properties on the site config on every terraform apply, if added in addition to an existing app service resource deployment.

resource "azurerm_template_deployment" "ipwhitelist" {
  name                = "${var.application}-ipwhitelist"
  resource_group_name = var.resource_group_name
  template_body       = <<JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "_force_terraform_to_always_redeploy": "${timestamp()}"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "${azurerm_app_service.app_service.name}/web",
      "location": "[resourceGroup().location]",
      "properties": {
        "IpSecurityRestrictions": [
          {
            "ipAddress": "${local.some_address_to_allow}",
            "action": "Allow",
            "tag": "Default",
            "priority": 300,
            "name": "Allow_My_Proxy",
            "description": "useful info"
          }
        ],
        "scmIpSecurityRestrictions": [
          {
            "ipAddress": "${local.some_address_to_allow}",
            "action": "Allow",
            "tag": "Default",
            "priority": 300,
            "name": "Allow_My_Proxy",
            "description": "useful info"
          }
        ]
      }
    }
  ]
}
JSON
  deployment_mode     = "Incremental"
}

@ravulachetan

Is there a way to use ip_restriction with Type as 'Virtual Network' using Terraform?

@JleruOHeP

To add it as a VNet restriction you use virtual_network_subnet_id:

    ip_restriction {
      virtual_network_subnet_id = "${data.azurerm_subnet.app_gateway_subnet.id}"
    }

But was there any progress on adding names and priorities?

@sebader
Contributor

sebader commented May 1, 2020

@JleruOHeP yes, there is just now an open PR for names and priorities :) #6705

@Eslam10

Eslam10 commented Jul 31, 2020

I am facing the same issue; was this fixed?

@martinjt

martinjt commented Oct 6, 2020

I'm pretty sure that this now works, other than some issues with changing between ip and subnet.

    ip_restriction {
      ip_address                = "10.0.0.0/8"
      priority                  = 1000
      name                      = "InternalAppSubnet"
      action                    = "Allow"
      virtual_network_subnet_id = null
      subnet_id                 = null
    }

or

    ip_restriction {
      ip_address                = null
      priority                  = 1000
      name                      = "InternalAppSubnet"
      action                    = "Allow"
      virtual_network_subnet_id = var.connected_subnet_id
      subnet_id                 = var.connected_subnet_id
    }

Note setting both virtual_network_subnet_id and subnet_id to the same value.

@alexmanie

Hi @martinjt,
What about working with "Service Tag" Access Restrictions?

(screenshot)

It seems those rules are not supported yet. Am I right?

@martinjt

I've not seen that in the terraform docs.

@mrboogiee

I have just upgraded to v2.43 and tried to get this working with the documentation on https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app but ran into the following issues with the configuration below:

  site_config {
    ip_restriction = [
      {
        name       = "Allow manual triggering from somewhere"
        ip_address = "1.2.3.4/24"
        action     = "Allow"
        priority   = "400"
      },
      {
        name        = "Allow trigger from LogicApp"
        service_tag = "LogicApps"
        action      = "Allow"
        priority    = "300"
      },
    ]
  }

This resulted in the following error when executing plan:

Error: Incorrect attribute value type

  on functions.tf line 190, in resource "azurerm_function_app" "function":
 190:     ip_restriction = [
 191:       {
 192:         name="Allow manual triggering from somewhere"
 193:         ip_address = "1.2.3.4/24"
 194:         action = "Allow"
 195:         priority = "400"
 196:       },
 197:       {
 198:         name = "Allow trigger from LogicApp"
 199:         service_tag = "LogicApps"
 200:         action = "Allow"
 201:         priority = "300"
 202:       },
 203:     ]

Inappropriate value for attribute "ip_restriction": element 0: attributes
"service_tag", "subnet_id", and "virtual_network_subnet_id" are required.

If I then add the apparently required fields (although the documentation says otherwise) with empty values like below:

  site_config {
    ip_restriction = [
      {
        name="Allow manual triggering from somewhere"
        ip_address = "1.2.3.4/24"
        action = "Allow"
        priority = "400"
        service_tag = ""
        subnet_id = ""
        virtual_network_subnet_id = ""
      },
      {
        name = "Allow trigger from LogicApp"
        service_tag = "LogicApps"
        action = "Allow"
        priority = "300"
        ip_address = ""
        subnet_id = ""
        virtual_network_subnet_id = ""
      },
    ]
  }

I run into the following errors when executing plan:

Warning: "site_config.0.ip_restriction.0.subnet_id": [DEPRECATED] This field has been deprecated in favour of `virtual_network_subnet_id` and will be removed in a future version of the provider

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Warning: "site_config.0.ip_restriction.1.subnet_id": [DEPRECATED] This field has been deprecated in favour of `virtual_network_subnet_id` and will be removed in a future version of the provider

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.0.service_tag" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.0.subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.0.virtual_network_subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.1.virtual_network_subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.1.ip_address" to be a valid IPv4 Value, got : invalid CIDR address:

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

Error: expected "site_config.0.ip_restriction.1.subnet_id" to not be an empty string, got

  on functions.tf line 173, in resource "azurerm_function_app" "function":
 173: resource "azurerm_function_app" "function" {

@mrboogiee

For completeness' sake, the documentation currently says the following:

An ip_restriction block supports the following:

ip_address - (Optional) The IP Address used for this IP Restriction in CIDR notation.

service_tag - (Optional) The Service Tag used for this IP Restriction.

virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

NOTE:
One of either ip_address, service_tag or virtual_network_subnet_id must be specified

name - (Optional) The name for this IP Restriction.

priority - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, the priority is set to 65000 if not specified.

action - (Optional) Does this restriction Allow or Deny access for this IP range. Defaults to Allow.

@Sebs030

Sebs030 commented Feb 15, 2021

I am running into the same issue as @mrboogiee.
When following the documentation with optional params and only setting the ip_address, I get the following error:

Error: Incorrect attribute value type

  on maint.tf line 113, in resource "azurerm_app_service" "microservice":
 113:     ip_restriction = [{
 114:       action     = "Allow"
 115:       ip_address = "${azurerm_app_service.gateway.outbound_ip_address_list[0]}/32"
 116:       name       = "Allow Gateway Access from IP"
 117:       priority   = 100
 118:     }]

Inappropriate value for attribute "ip_restriction": element 0: attributes
"service_tag", "subnet_id", and "virtual_network_subnet_id" are required.

When adding these params as per the error message with some dummy values, I get the following error:

Error: Error expanding site_config for App Service "5i-terraform-user-svc" (Resource Group "5i-terraform"): only one of ip_address, service_tag or virtual_network_subnet_id can be set for an IP restriction

I got it working with:

    ip_restriction = [{
      ip_address                = "${azurerm_app_service.gateway.outbound_ip_address_list[0]}/32"
      name                      = "Allow Gateway Access from IP"
      action                    = "Allow"
      virtual_network_subnet_id = null
      subnet_id                 = null
      priority                  = 100
      service_tag               = null
    }]

@vanmash

vanmash commented Aug 6, 2021

Any chances it might be fixed anytime soon?

@rellis-of-rhindleton

I don't like leaving maybe-this-is-related comments in an issue, but... well, this could be related to the original issue. This issue was opened when azurerm_app_service was the resource; we are using the new azurerm_linux_web_app but apparently it works the same way.

I can't get Terraform to clear the ip_restriction list. I can change the entries by specifying different values. But I can't remove all entries.

If I specify an empty list (ip_restriction = []), the plan will show that the entry will be removed, and the apply will succeed. Yet the entry remains. This repeats indefinitely; the plan says the entry will be removed, but it is not.

Apparently ip_restriction uses Attributes-as-Blocks syntax underneath, so simply removing the blocks from the configuration -- or using dynamic blocks, which does the same thing -- causes Terraform to ignore any existing entries rather than remove them. For that kind of block you have to specify an empty list. But I tried just removing the blocks anyway, and it does indeed ignore the existing entry; the plan shows no action.

Per the linked Terraform doc, attributes as blocks is a legacy implementation and this might explain why things don't work, but of course now I'm just speculating.

@jaysson1710

Hi guys,
I'm using a dynamic block and get the same result:
"only one of ip_address, service_tag, or virtual_network_subnet_id can be specified"

    dynamic "ip_restriction" {
      for_each = var.ip_whitelist
      content {
        action      = "Allow"
        ip_address  = ip_restriction.value
        name        = "Allow_vsts${index(var.ip_whitelist, "${ip_restriction.value}")}"
        priority    = index(var.ip_whitelist, "${ip_restriction.value}") + 102
        service_tag = "Default"
      }
    }

Has anybody used this approach?
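The errors quoted by Sebs030 ("only one of ip_address, service_tag or virtual_network_subnet_id can be set") and in the dynamic block above both come from a rule carrying more than one selector. The following is an added example, not code from this thread or from the provider: it keeps the dynamic-block approach but lets each rule set exactly one selector, and rejects anything else at plan time. It targets azurerm_linux_web_app (the successor resource), needs Terraform 1.3 or later for optional() defaults, and every name, address, ID and variable below is a placeholder.

```hcl
# Added example. Each rule carries exactly one of cidr / service_tag / subnet_id,
# so the provider's "only one of ..." error cannot occur. Resource names, the
# 203.0.113.0/24 documentation address and var.* references are placeholders.
variable "access_rules" {
  description = "Rule name => priority, action and exactly one selector."
  type = map(object({
    priority    = number
    action      = optional(string, "Allow")
    cidr        = optional(string)
    service_tag = optional(string)
    subnet_id   = optional(string)
  }))
  default = {
    "Allow_Gateway"   = { priority = 100, cidr = "203.0.113.10/32" }
    "Allow_LogicApps" = { priority = 200, service_tag = "LogicApps" }
  }

  # Reject a rule that sets none, or more than one, of the selectors at plan time.
  validation {
    condition = alltrue([
      for r in var.access_rules :
      length([for v in [r.cidr, r.service_tag, r.subnet_id] : v if v != null]) == 1
    ])
    error_message = "Each rule must set exactly one of cidr, service_tag or subnet_id."
  }
}

resource "azurerm_linux_web_app" "app" {
  name                = "app-example-placeholder"
  resource_group_name = var.resource_group_name
  location            = var.location
  service_plan_id     = var.service_plan_id

  site_config {
    # Block syntax: attributes left null are omitted, so none of the explicit
    # null / "" padding needed with the list syntax is required here.
    dynamic "ip_restriction" {
      for_each = var.access_rules
      content {
        name                      = ip_restriction.key
        priority                  = ip_restriction.value.priority
        action                    = ip_restriction.value.action
        ip_address                = ip_restriction.value.cidr
        service_tag               = ip_restriction.value.service_tag
        virtual_network_subnet_id = ip_restriction.value.subnet_id
      }
    }
  }
}
```

A rule such as `{ priority = 300, cidr = "203.0.113.0/24", service_tag = "Default" }` now fails the variable validation during plan instead of surfacing as a provider error during apply.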

@katbyte
Collaborator

katbyte commented Jul 19, 2023

Hey all, I am going to close this because azurerm_app_service has been superseded by the azurerm_linux_web_app and azurerm_windows_web_app resources.

If this is still an issue with v3.x of the provider and the new resources do let us know by opening a new issue, thanks!

@katbyte katbyte closed this as completed Jul 19, 2023