App Service IpRestriction - sometimes fails with error about priority setting #6876

Closed
sebader opened this issue May 12, 2020 · 2 comments · Fixed by #7059


sebader commented May 12, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

AzureRM provider 2.9.0
TF 0.12.24

Affected Resource(s)

azurerm_app_service

Terraform Configuration Files

resource "azurerm_app_service" "app" {
  name                = "xxxx"
  location            = var.location
  resource_group_name = var.resource_group_name_windows
  app_service_plan_id = var.app_service_plan_id

  site_config {
    # IP restrictions based on IP ranges
    ip_restriction {
      name       = "test"
      ip_address = "1.2.3.4/32"
    }
  }
}

Expected Behavior

Actual Behavior

I'm not sure how to repro this, but since the upgrade to 2.9.0 I sometimes get this error when updating an azurerm_app_service which has a couple of IP restrictions:

Error: web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The parameter 'IpSecurityRestriction.Priority' has an invalid value. Details: Priority must be specified in an all or nothing manner.." Details=[{"Message":"The parameter 'IpSecurityRestriction.Priority' has an invalid value. Details: Priority must be specified in an all or nothing manner.."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"01033","Message":"The parameter 'IpSecurityRestriction.Priority' has an invalid value. Details: Priority must be specified in an all or nothing manner..","MessageTemplate":"The parameter '{0}' has an invalid value. Details: {1}.","Parameters":["IpSecurityRestriction.Priority","Priority must be specified in an all or nothing manner."]}}]

I assume this has something to do with #6705 so tagging @aqche
The only solution that I found so far was to delete the entire app service manually. Next time TF will recreate it correctly again.
Note that I am not actually setting any priority in my tf template (since it does not make any difference anyway since there are no deny rules).

Steps to Reproduce

Not really sure. It could be that manually adding and removing IP restriction to an app service through the portal causes this hiccup in TF?!

  1. terraform apply

Important Factoids

References


aqche commented May 23, 2020

Thanks for finding this bug! As the error suggests, looks like either all ip restrictions must have priority specified or none at all. You cannot create some ip restrictions with a priority argument and some without. I was able to reproduce the error with the code below. The most straightforward way to address this is probably to set a default value for priority instead of trying to compute the value. I can work on getting a PR up for that.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "aqcheRG"
  location = "centralus"
}

resource "azurerm_app_service_plan" "test" {
  name                = "aqcheASP"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "test" {
  name                = "aqcheAS"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  app_service_plan_id = azurerm_app_service_plan.test.id

  site_config {
    ip_restriction {
      ip_address = "10.10.10.10/32"
      name       = "test-restriction"
      priority   = 123
    }

    ip_restriction {
      ip_address = "20.20.20.0/24"
      name       = "test-restriction-2"
    }
  }
}
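The "all or nothing" rule from the error message, and the default-value approach proposed in the comment above, sketched in Go as an added example; this is not the provider's code. The type and function names are hypothetical, and the default of 65000 is an assumed value passed in by the caller, since the thread does not name one.

```go
package main

import (
	"errors"
	"fmt"
)

// IPRestriction is a hypothetical stand-in for one ip_restriction block.
// Priority is a pointer so "not set" differs from any set value.
type IPRestriction struct {
	Name, IPAddress string
	Priority        *int
}

// ErrMixedPriority mirrors the API rule quoted in the issue.
var ErrMixedPriority = errors.New("priority must be set on all ip restrictions or on none")

// CheckAllOrNothing rejects a rule set where only some entries carry a priority.
func CheckAllOrNothing(rules []IPRestriction) error {
	set := 0
	for _, r := range rules {
		if r.Priority != nil {
			set++
		}
	}
	if set != 0 && set != len(rules) {
		return fmt.Errorf("%w: %d of %d set", ErrMixedPriority, set, len(rules))
	}
	return nil
}

// ApplyDefaultPriority returns a copy in which every unset priority is def,
// so the request always falls on the "all" side of the rule.
func ApplyDefaultPriority(rules []IPRestriction, def int) []IPRestriction {
	out := make([]IPRestriction, len(rules))
	for i, r := range rules {
		if r.Priority == nil {
			p := def
			r.Priority = &p
		}
		out[i] = r
	}
	return out
}

// SampleRules is constructed input matching the reproduction config above.
func SampleRules() []IPRestriction {
	p := 123
	return []IPRestriction{{"test-restriction", "10.10.10.10/32", &p}, {"test-restriction-2", "20.20.20.0/24", nil}}
}

func main() {
	fmt.Println(CheckAllOrNothing(SampleRules()))                              // mixed: error
	fmt.Println(CheckAllOrNothing(ApplyDefaultPriority(SampleRules(), 65000))) // <nil>
}
```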


ghost commented Jul 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jul 1, 2020