Terraform Azure App Service - ip_restrictions

I am trying to set the IP restrictions block in my Azure App Service App

When performing the Terraform plan or apply, I receive the following error: Error: azurerm_app_service.app-service-1: : invalid or unknown key: ip_restriction

I used ip_restriction per Terraform Documentation for App Service (Web Apps) Resources

Here is the App Service deployment code I am using:

resource "azurerm_app_service" "app-service-1" {
  name                    = "${var.app_service_1}"
  location                = "${data.azurerm_resource_group.core-rg.location}"
  resource_group_name     = "${data.azurerm_resource_group.core-rg.name}"
  app_service_plan_id     = "${data.azurerm_app_service_plan.app-service-plan-1.id}"
  https_only              = "True"
  enabled                 = "True"
  client_affinity_enabled = "True"

  site_config {
    always_on                 = "True"
    #default_documents        = ""
    dotnet_framework_version  = "v4.0"
    #http2_enabled            = ""
    #ip_restriction           = ""
    #java_version             = ""
    #java_container           = ""
    #java_container_version   = ""
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    #php_version              = ""
    #python_version           = ""
    remote_debugging_enabled  = "False"
    #remote_debugging_version = ""
    scm_type                  = "None"
    use_32_bit_worker_process = "False"
    websockets_enabled        = "True"
    #ftps_state               = ""
  }

  app_settings {
    "KeyVaultURI" = ""
    "WEBSITE_NODE_DEFAULT_VERSION" = "6.9.1"
  }

  # placed at the resource level, outside site_config
  ip_restriction {
    "ip_address" = ""
  }
}

Thank you

Pistareen answered 24/10, 2018 at 17:26 Comment(3)
I believe you need to have a value assigned to ip_address. What happens when you put a valid IP address in there?Dreddy
Yes, I had an IP in there, I removed it for this post. The error I receive from Terraform Apply is claiming "invalid or unknown key: ip_restriction" as if it is not a supported command in Terraform, despite the Terraform documentation. Has anyone successfully used ip_restriction { "ip_address" = "1.2.3.4" }? Documentation states subnet_mask is optional, but first we need Terraform to recognize ip_restriction as a valid commandPistareen
Anyone have any ideas?Pistareen

For those interested, here is the method to use ip_restriction in Terraform.

ip_restriction is part of the site_config {} block.

See how to use it below:

AppService.tf:

resource "azurerm_app_service" "app-service-1" {
  name                    = "${var.app_service_1}"
  location                = "${data.azurerm_resource_group.core-rg.location}"
  resource_group_name     = "${data.azurerm_resource_group.core-rg.name}"
  app_service_plan_id     = "${data.azurerm_app_service_plan.app-service-plan-1.id}"
  https_only              = "True"
  enabled                 = "True"
  client_affinity_enabled = "True"
  site_config {
    always_on                 = "True"
    #default_documents        = ""
    dotnet_framework_version  = "v4.0"
    #http2_enabled            = ""
    #ip_restriction           = ""
    #java_version             = ""
    #java_container           = ""
    #java_container_version   = ""
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    #php_version              = ""
    #python_version           = ""
    remote_debugging_enabled  = "False"
    #remote_debugging_version = ""
    scm_type                  = "None"
    use_32_bit_worker_process = "False"
    websockets_enabled        = "True"
    #ftps_state               = ""
    # one repeated ip_restriction block per allowed address, inside site_config
    ip_restriction {
      ip_address = "${var.ip_address_1}"
    }
    ip_restriction {
      ip_address = "${var.ip_address_2}"
    }
    ip_restriction {
      ip_address = "${var.ip_address_3}"
    }
  }
  app_settings {
    "KeyVaultURI"                  = ""
    "WEBSITE_NODE_DEFAULT_VERSION" = "6.9.1"
  }
}
Pistareen answered 31/10, 2018 at 19:48 Comment(1)
ip_address has to be CIDR notation and you can't set a name or set IPv6 addresses, which is a shameGonta

@jamie's answer is unfortunately incorrect: ip_restriction is not a list taking one or more, but a repeatable block.

@gvazzana's is the correct format. However, there is a trap that will cause the error you are seeing.

In TF we are used to typing IP addresses in full CIDR format, e.g. 10.23.97.201/23 or 192.68.50.0/24; the Azure portal for this section even displays them like this.

But for this particular block, in Terraform, you have to do them old school, e.g.:

site_config {
  # a single address: no subnet_mask needed
  ip_restriction {
    ip_address = "81.145.174.78"
  }
  # an address range: network address plus dotted-decimal mask
  ip_restriction {
    ip_address  = "10.240.101.0"
    subnet_mask = "255.255.255.0"
  }
}

This is of course a pain if you have a long list of addresses and ranges.

Now that Terraform version 0.12.0 is upon us we should be able to take advantage of the new dynamic block styles and cidrhost and cidrmask functions in order to simplify things.

eg:

dynamic "ip_restriction" {
  for_each = var.ip_address_list # list of CIDR strings, e.g. ["10.240.101.0/24", "81.145.174.78/32"]
  content {
    ip_address  = cidrhost(ip_restriction.value, 0)  # network address of the CIDR
    subnet_mask = cidrnetmask(ip_restriction.value)  # dotted-decimal mask; the function is cidrnetmask, there is no cidrmask
  }
}

tested with Terraform v0.12.13

Barvick answered 20/11, 2019 at 9:38 Comment(3)
Thank you, great info. Switching to tf v12 from v11 is going to be tough. So many changes will have to happen, and will break code I’m sure!Pistareen
Exactly what I needed! Except I think the function for subnet_mask needs to be cidrnetmask(...). I couldn't get it to work unless I changed it like this: content { ip_address = cidrhost(ip_restriction.value,0) subnet_id = cidrnetmask(ip_restriction.value) } I found this in the docs here.Browning
@jamie's answer is actually valid. It's a documented and working alternative syntax for repeated blocks. In this situation it's even preferable, since using a dynamic block does not properly remove the ip_restriction settings because it doesn't explicitly set it to an empty block.Uniform
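The conversion the dynamic block above performs (CIDR in, `ip_address` plus `subnet_mask` out) is easy to get subtly wrong and, more importantly, nothing in Terraform stops an over-broad or mistyped entry from reaching the app. The script below is an added example, not code from this thread: it reproduces the `cidrhost(cidr, 0)` / `cidrnetmask(cidr)` pair in Python so a plan can be cross-checked, and it vets the allow-list before it goes into `var.ip_address_list`, rejecting IPv6 (which the legacy block cannot express), entries with host bits set, and ranges wider than a threshold. The allow-list and the `/16` threshold are constructed for the example.

```python
"""Pre-flight check and conversion for an App Service ip_restriction allow-list.

Added example, not code from this thread.  to_legacy_rule() mirrors the
Terraform pair cidrhost(cidr, 0) / cidrnetmask(cidr) from the dynamic block
in the answer above, so the result can be cross-checked against a plan.
check_entry() refuses what that legacy block cannot express (IPv6, malformed
entries) and what would quietly open the app (over-broad ranges).
"""
import ipaddress
from typing import List, Tuple

# Assumption for this example: an allow-list entry wider than a /16 is a
# mistake.  Tune to your environment.
MAX_ALLOWED_HOSTS = 2 ** 16

# Constructed sample allow-list with one entry of each kind we want to catch.
ALLOW_LIST = [
    "81.145.174.78",      # bare host, ok (treated as /32)
    "10.240.101.0/24",    # aligned range, ok
    "10.0.0.5/24",        # host bits set: almost certainly a typo
    "2001:db8::/32",      # IPv6: not supported by the legacy block
    "0.0.0.0/0",          # allows the whole internet
]


def to_legacy_rule(entry: str) -> Tuple[str, str]:
    """Return (ip_address, subnet_mask) for one entry.

    Equivalent to cidrhost(entry, 0) and cidrnetmask(entry) in Terraform,
    except that strict=True rejects entries with host bits set instead of
    silently masking them, and IPv6 is refused.  A bare address becomes /32,
    which is what the provider assumes when subnet_mask is omitted.
    """
    net = ipaddress.ip_network(entry, strict=True)
    if net.version != 4:
        raise ValueError(f"{entry}: legacy ip_restriction only accepts IPv4")
    return str(net.network_address), str(net.netmask)


def check_entry(entry: str) -> List[str]:
    """Findings for one entry; an empty list means it may go into the allow-list."""
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        return [f"{entry}: {exc}"]
    if net.version != 4:
        return [f"{entry}: IPv6 cannot be expressed in this block"]
    findings: List[str] = []
    if net.prefixlen == 0:
        findings.append(f"{entry}: matches every client, the allow-list becomes a no-op")
    elif net.num_addresses > MAX_ALLOWED_HOSTS:
        findings.append(f"{entry}: {net.num_addresses} hosts is wider than a /16")
    return findings


def render_legacy_blocks(entries: List[str]) -> str:
    """HCL for the repeated ip_restriction blocks, as they sit inside site_config."""
    lines: List[str] = []
    for entry in entries:
        ip, mask = to_legacy_rule(entry)
        lines += ["ip_restriction {",
                  f'  ip_address  = "{ip}"',
                  f'  subnet_mask = "{mask}"',
                  "}"]
    return "\n".join(lines)


def validate_allow_list(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (accepted, findings)."""
    accepted: List[str] = []
    findings: List[str] = []
    for entry in entries:
        problems = check_entry(entry)
        if problems:
            findings += problems
        else:
            accepted.append(entry)
    return accepted, findings


if __name__ == "__main__":
    ok, problems = validate_allow_list(ALLOW_LIST)
    for p in problems:
        print("REJECT", p)
    print(render_legacy_blocks(ok))
```

Run it as a pre-commit or pipeline step over the same list you hand to `var.ip_address_list`; the rendered blocks should match what `terraform plan` shows for `site_config.ip_restriction`, and any line prefixed `REJECT` is an entry that should not be applied.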

So you are running into a syntax error. The documentation can be confusing to read as I have learned over the last year. If you read the section on ip_restriction it says that it takes one or more. This means that it expects an array.

There is also a section of the documentation that tells you that inside the array it expects an object that has the properties ip_address and subnet_mask. That is here

So to fix your issue you need the following for ip_restriction.

ip_restriction = [
    {
        ip_address = "10.0.0.0"
    }
]

Hope this helps.

Gnosticize answered 26/10, 2018 at 13:42 Comment(3)
Thank you for the information. That is indeed confusing and almost contradictory information from Terraform! I believe that will resolve the issue. Thanks again!Pistareen
If this answers your question, please be sure to mark it as the answer as it will help others know.Gnosticize
I finally got a chance to try this live, and it does not accept that format either Error: azurerm_app_service.app-service-1: : invalid or unknown key: ip_restrictionPistareen
resource "azurerm_service_plan" "asp" {
  name                = local.serviceplanName
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Windows"
  sku_name            = "S1"
}

resource "azurerm_windows_web_app" "app" {
  name                = local.webappName
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.asp.id

  site_config {
    application_stack {
      current_stack  = "dotnet"
      dotnet_version = "v6.0"
    }
    # explicit catch-all deny rule; allow rules for trusted ranges are added
    # as further ip_restriction blocks with their own name and priority
    ip_restriction {
      action     = "Deny"
      ip_address = "0.0.0.0/0"
      name       = "Deny_AllTraffic"
      priority   = 200
    }
  }

  logs {
    detailed_error_messages = true
    http_logs {
      azure_blob_storage {
        retention_in_days = 7
        # the SAS token embedded here ends up in plan output and state; protect the state backend accordingly
        sas_url           = "https://${azurerm_storage_account.st.name}.blob.core.windows.net/${azurerm_storage_container.st_con.name}${data.azurerm_storage_account_blob_container_sas.stg_sas.sas}"
      }
    }
  }

}

Merilee answered 10/7 at 15:8 Comment(0)
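With the newer resource, every rule carries an action and a priority, so whether a client gets in depends on rule order, not just on which ranges are listed. The following is an added example, not code from this thread or from the azurerm provider: it evaluates a rule set written the way the `azurerm_windows_web_app` block above writes it, and lints it for the mistakes that matter (a deny-all with a lower priority number than the allows, duplicate priorities, no explicit catch-all deny, an `Allow 0.0.0.0/0`). Two things are assumptions rather than facts the thread states: rules are tried in ascending priority with the first match deciding, and a client matching no rule receives the value of `UNMATCHED_DEFAULT`, which the example sets to `"Deny"`. The `Allow_Office` rule and the client addresses are constructed for the example.

```python
"""Evaluate an App Service access-restriction rule set offline.

Added example, not code from this thread.  Rules are modelled the way the
azurerm_windows_web_app ip_restriction block above writes them: name, action,
ip_address in CIDR form, priority.  Two assumptions the thread does not
confirm are made explicit rather than hidden: rules are tried in ascending
priority and the first match decides; a client matching no rule receives
UNMATCHED_DEFAULT, set here to "Deny".  Adding an explicit Deny 0.0.0.0/0,
as the answer above does, makes the outcome independent of that default.
"""
import ipaddress
from typing import Any, Dict, List

Rule = Dict[str, Any]
UNMATCHED_DEFAULT = "Deny"  # assumption for this example, see module docstring

# Constructed sample: the Deny_AllTraffic rule from the answer plus an assumed
# office range that should be the only source allowed through.
RULES: List[Rule] = [
    {"name": "Deny_AllTraffic", "action": "Deny", "ip_address": "0.0.0.0/0", "priority": 200},
    {"name": "Allow_Office", "action": "Allow", "ip_address": "10.240.101.0/24", "priority": 100},
]

# Same rules with the priorities swapped: the deny-all now runs first and the
# office allow can never match.
SHADOWED_RULES: List[Rule] = [
    {**RULES[0], "priority": 100},
    {**RULES[1], "priority": 200},
]


def _net(rule: Rule):
    return ipaddress.ip_network(str(rule["ip_address"]), strict=False)


def effective_action(rules: List[Rule], client_ip: str, unmatched: str = UNMATCHED_DEFAULT) -> str:
    """Action applied to client_ip: first matching rule in ascending priority, else unmatched."""
    client = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        net = _net(rule)
        if client.version == net.version and client in net:
            return str(rule["action"])
    return unmatched


def lint_rules(rules: List[Rule]) -> List[str]:
    """Findings a reviewer would raise before the plan is applied."""
    findings: List[str] = []
    ordered = sorted(rules, key=lambda r: int(r["priority"]))

    # duplicate priorities: the relative order of the two rules is not defined here
    seen: Dict[int, str] = {}
    for r in ordered:
        prio = int(r["priority"])
        if prio in seen:
            findings.append(f"{r['name']} shares priority {prio} with {seen[prio]}; order is ambiguous")
        seen.setdefault(prio, str(r["name"]))

    # catch-all rules decide what happens to everyone not explicitly listed
    catch_alls = [r for r in ordered if _net(r).prefixlen == 0]
    if not any(r["action"] == "Deny" for r in catch_alls):
        findings.append("no explicit Deny 0.0.0.0/0: unmatched clients fall through to the platform default")
    for r in catch_alls:
        if r["action"] == "Allow":
            findings.append(f"{r['name']}: Allow 0.0.0.0/0 makes the whole list a no-op")

    # an Allow is dead if a Deny covering its whole range sorts before it
    for i, r in enumerate(ordered):
        if r["action"] != "Allow":
            continue
        net = _net(r)
        for earlier in ordered[:i]:
            wider = _net(earlier)
            if earlier["action"] == "Deny" and net.version == wider.version and net.subnet_of(wider):
                findings.append(f"{r['name']} is shadowed by {earlier['name']} (priority {earlier['priority']})")
                break
    return findings


if __name__ == "__main__":
    for label, rules in (("as written", RULES), ("priorities swapped", SHADOWED_RULES)):
        print(label, "| office client ->", effective_action(rules, "10.240.101.7"),
              "| unknown client ->", effective_action(rules, "81.145.174.78"))
        for f in lint_rules(rules):
            print("  finding:", f)
```

The point of `SHADOWED_RULES` is that the two sets contain identical CIDRs and actions and differ only in two integers, yet one admits the office and the other locks everyone out; a review that only diffs the address list would miss that. Feeding the rule set from `terraform show -json` into `lint_rules` before apply catches it mechanically.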
