Terraform (and AzureRM Provider) Version
Terraform v0.14.8
provider registry.terraform.io/hashicorp/azurerm v2.55.0
Steps to Reproduce
Scenario 1: Initial Firewall setup
Initially the app service was created with some IP and subnet rules.
variable "whitelist_ips" {
  default = ["117.113.40.33/32", "214.218.93.4/32", "116.48.126.131/32", "43.146.152.35/32"]
}

variable "whitelist_subnets" {
  default = ["subnet-id1", "subnet-id2", "subnet-id3", "subnet-id4"]
}

resource "azurerm_app_service" "nodejs_webserver" {
  name                    = var.name
  location                = var.location
  resource_group_name     = var.resource_group_name
  app_service_plan_id     = var.app_service_plan_id
  https_only              = true
  client_affinity_enabled = false

  site_config {
    scm_type          = "None"
    always_on         = true
    health_check_path = var.health_check_path

    dynamic "ip_restriction" {
      for_each = var.whitelist_ips
      content {
        ip_address = ip_restriction.value
      }
    }

    dynamic "ip_restriction" {
      for_each = var.whitelist_subnets
      content {
        virtual_network_subnet_id = ip_restriction.value
      }
    }

    // whitelist subnet from its environment
    ip_restriction {
      virtual_network_subnet_id = var.subnet_id
    }

    // whitelist for gateway subnet
    ip_restriction {
      virtual_network_subnet_id = var.subnet_id_appgw
    }

    linux_fx_version = "NODE|12.16"
  }

  app_settings = merge(var.app_environment_setting, {
    "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.app_insights.instrumentation_key
    "WEBSITE_RUN_FROM_PACKAGE"       = 1
    "DEPLOYMENT_SLOTNAME"            = "production"
  })

  identity {
    type = "SystemAssigned"
  }

  logs {
    application_logs {
      azure_blob_storage {
        level             = "Verbose"
        retention_in_days = 30
        sas_url           = "https://${var.logs_storage_name}.blob.core.windows.net/${var.logs_storage_sas_url}"
      }
    }
    http_logs {
      azure_blob_storage {
        retention_in_days = 30
        sas_url           = "https://${var.logs_storage_name}.blob.core.windows.net/${var.logs_storage_sas_url}"
      }
    }
  }

  backup {
    name                = "services-backup"
    storage_account_url = "https://${var.backup_storage_account_name}.blob.core.windows.net/${var.backup_storage_account_container_name}${var.sas}&sr=b"
    enabled             = true
    schedule {
      frequency_interval       = "1"
      frequency_unit           = "Day"
      retention_period_in_days = 30
    }
  }
}
Scenario 2: Modified Firewall Setup
Added a new IP address to the existing firewall rules, and this is where the issue started to appear.

variable "whitelist_ips" {
  // Added new IP 2.132.229.14/32 to the list
  default = ["117.113.40.33/32", "214.218.93.4/32", "116.48.126.131/32", "43.146.152.35/32", "2.132.229.14/32"]
}
Expected Behaviour
New IPs that I'm appending to the 'whitelist_ips' variable need to be added to the Azure App Service network access restriction list.
Actual Behaviour
New IPs are not being added to the app service firewall rules, and Terraform throws an error saying "IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified."
Here is the actual error message:
Error: web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified." Details=[{"Message":"IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51021","Message":"IpSecurityRestriction is invalid. Only IpAddress or VnetSubnetResourceId property must be specified.","MessageTemplate":"{0} is invalid. {1}","Parameters":["IpSecurityRestriction","Only IpAddress or VnetSubnetResourceId property must be specified."]}}]
Observed While Testing
When there are existing firewall rules for the app service and I try to add more rules/IPs through Terraform, it is not accepted. It is accepted only when all the existing firewall rules have been removed, or when adding only subnets.
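The API error above is the service rejecting any single restriction entry that carries both an IpAddress and a VnetSubnetResourceId (or neither). A pre-apply check that catches that condition from the plan, before the request is sent, is shown below. This is an added example and not code from the issue or from the AzureRM provider; it assumes the `planned_values.root_module.resources[].values.site_config[0].ip_restriction[]` layout of `terraform show -json <planfile>` output, and the plan document embedded in it is constructed to mirror the configuration in this report, with one deliberately malformed entry of each kind.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample of `terraform show -json tfplan` output (assumption: the
# planned_values / root_module / resources layout of Terraform's JSON plan
# format). It mirrors the issue's azurerm_app_service and adds two entries that
# the service would reject: index 4 sets both properties, index 8 sets neither.
SAMPLE_PLAN_JSON = json.dumps({
    "planned_values": {
        "root_module": {
            "resources": [{
                "address": "azurerm_app_service.nodejs_webserver",
                "type": "azurerm_app_service",
                "values": {
                    "site_config": [{
                        "ip_restriction": [
                            {"ip_address": "117.113.40.33/32", "virtual_network_subnet_id": None},
                            {"ip_address": "214.218.93.4/32", "virtual_network_subnet_id": None},
                            {"ip_address": "116.48.126.131/32", "virtual_network_subnet_id": None},
                            {"ip_address": "43.146.152.35/32", "virtual_network_subnet_id": None},
                            # malformed: both properties set on one entry
                            {"ip_address": "2.132.229.14/32", "virtual_network_subnet_id": "subnet-id1"},
                            {"ip_address": None, "virtual_network_subnet_id": "subnet-id2"},
                            {"ip_address": None, "virtual_network_subnet_id": "subnet-id3"},
                            {"ip_address": None, "virtual_network_subnet_id": "subnet-id4"},
                            # malformed: neither property set
                            {"ip_address": None, "virtual_network_subnet_id": None},
                        ]
                    }]
                }
            }],
            "child_modules": []
        }
    }
})


def _walk_modules(module: dict) -> Iterable[dict]:
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def ip_restrictions_from_plan(plan_json: str, address: str) -> List[Dict[str, str]]:
    """Return the planned ip_restriction list for the resource at `address`."""
    plan = json.loads(plan_json)
    root = plan["planned_values"]["root_module"]
    for res in _walk_modules(root):
        if res.get("address") == address:
            site_config = res.get("values", {}).get("site_config") or []
            if not site_config:
                return []
            return site_config[0].get("ip_restriction") or []
    raise KeyError(f"resource {address} not found in plan")


def validate_ip_restrictions(restrictions: Iterable[Dict[str, str]]) -> List[str]:
    """Flag entries the App Service API rejects: both properties set, or neither.

    Unset optional attributes appear as null in the JSON plan, so treat None
    and "" the same way.
    """
    problems = []
    for idx, entry in enumerate(restrictions):
        ip = (entry.get("ip_address") or "").strip()
        subnet = (entry.get("virtual_network_subnet_id") or "").strip()
        if ip and subnet:
            problems.append(
                f"ip_restriction[{idx}]: both ip_address ({ip}) and "
                f"virtual_network_subnet_id ({subnet}) are set")
        elif not ip and not subnet:
            problems.append(
                f"ip_restriction[{idx}]: neither ip_address nor "
                f"virtual_network_subnet_id is set")
    return problems


if __name__ == "__main__":
    entries = ip_restrictions_from_plan(SAMPLE_PLAN_JSON, "azurerm_app_service.nodejs_webserver")
    for problem in validate_ip_restrictions(entries):
        print(problem)
```

Run against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and feed the file contents to `ip_restrictions_from_plan`; an empty result from `validate_ip_restrictions` means every planned entry carries exactly one of the two properties, which is the invariant the error message enforces.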
Important Factoids
Our app services are running in the 'West US' location.