Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License
842 stars 553 forks

Bug report: threat_intelligence_allowlist #949

Closed cndaan closed 3 months ago

cndaan commented 4 months ago

Versions

terraform: 1.7.3

azure provider: 3.1

module: 5.2.1

Description

Describe the bug

lookup() requires a map as the first argument.

Setting the threat_intelligence_allowlist values results in an error message:

│ Error: Too many threat_intelligence_allowlist blocks
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 331, in resource "azurerm_firewall_policy" "connectivity":
│  331:     content {
│
│ No more than 1 "threat_intelligence_allowlist" blocks are allowed
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 333, in resource "azurerm_firewall_policy" "connectivity":
│  333:       fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 3 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 333, in resource "azurerm_firewall_policy" "connectivity":
│  333:       fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 334, in resource "azurerm_firewall_policy" "connectivity":
│  334:       ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 3 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 334, in resource "azurerm_firewall_policy" "connectivity":
│  334:       ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

Steps to Reproduce

This is the firewall config I am using:

            azure_firewall = {
              enabled = true
              config = {
                address_prefix           = "10.100.0.0/24"
                enable_dns_proxy         = true
                dns_servers              = []
                sku_tier                 = "Standard"
                base_policy_id           = ""
                private_ip_ranges        = []
                threat_intelligence_mode = "Deny"

                threat_intelligence_allowlist = {
                  ip_addresses = ["10.10.0.0", "10.0.0.0"]
                  fqdns        = ["*.microsoft.com", "*.google.com", "*.facebook.com"]
                }
                intrusion_detection = "Deny"
                availability_zones = {
                  zone_1 = true
                  zone_2 = true
                  zone_3 = true
                }
              }
            }
cndaan commented 4 months ago

Found the issue and the fix.

The resources.connectivity.tf file has not been updated like the resources.virtual_wan.tf file. The "threat_intelligence_allowlist" dynamic block needs to be updated in the resources.connectivity.tf file.

The code now is:

  dynamic "threat_intelligence_allowlist" {
    for_each = each.value.template.threat_intelligence_allowlist
    content {
      # Optional attributes
      fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
      ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
    }
  }

This needs to be this (just like in the resources.virtual_wan.tf file):

  dynamic "threat_intelligence_allowlist" {
    # Ensure that the dynamic block is created only if the allowlist is defined
    for_each = length(keys(each.value.template.threat_intelligence_allowlist)) > 0 ? [each.value.template.threat_intelligence_allowlist] : []

    content {
      # Optional attributes
      fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
      ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
    }
  }

Could someone apply this fix please?
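
A stand-alone reproduction of the bug and of the fix, added here as an example; it is not code from the module, from the linked PR, or from anyone in this thread. It puts the report's allowlist into a local and declares two azurerm_firewall_policy resources, one with the dynamic block as currently written in resources.connectivity.tf and one with the corrected form from resources.virtual_wan.tf. The resource group and policy names are hypothetical, and the provider pin assumes the 3.x azurerm provider the report used.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Constructed input, shaped like azure_firewall.config.threat_intelligence_allowlist
# in the report. An empty map ({}) is also a valid value and must produce no block.
locals {
  threat_intelligence_allowlist = {
    ip_addresses = ["10.10.0.0", "10.0.0.0"]
    fqdns        = ["*.microsoft.com", "*.google.com", "*.facebook.com"]
  }
}

resource "azurerm_resource_group" "example" {
  name     = "rg-fw-policy-example" # hypothetical name
  location = "westeurope"
}

# BUGGY: for_each over the map itself iterates its entries, so Terraform tries to
# emit one threat_intelligence_allowlist block per key (two here), and each
# .value is a list of strings rather than the map that lookup() expects. This is
# exactly the pair of errors in the report: "Too many ... blocks" and
# "lookup() requires a map as the first argument".
resource "azurerm_firewall_policy" "buggy" {
  name                     = "fwpol-buggy" # hypothetical name
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  threat_intelligence_mode = "Deny"

  dynamic "threat_intelligence_allowlist" {
    for_each = local.threat_intelligence_allowlist
    content {
      fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
      ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
    }
  }
}

# FIXED: wrap the whole map in a one-element list, or use an empty list when the
# map has no keys, so at most one block is emitted and .value is the map itself.
resource "azurerm_firewall_policy" "fixed" {
  name                     = "fwpol-fixed" # hypothetical name
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  threat_intelligence_mode = "Deny"

  dynamic "threat_intelligence_allowlist" {
    for_each = length(keys(local.threat_intelligence_allowlist)) > 0 ? [local.threat_intelligence_allowlist] : []
    content {
      fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
      ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
    }
  }
}
```

After terraform init, terraform plan fails on the buggy resource with the same errors as the report, because the dynamic block runs once per key (ip_addresses, fqdns) and hands each list to lookup(); remove that resource and the fixed one plans with a single allowlist block. One caveat on the corrected expression: keys() rejects a null argument, so the allowlist must default to an empty map {} rather than null when it is not set.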

jtracey93 commented 4 months ago

@cndaan Thanks for the investigation here. Would you like to submit a PR for consideration?

cndaan commented 3 months ago

> @cndaan Thanks for the investigation here. Would you like to submit a PR for consideration?

Yes but I am having issues with creating a Pull Request at the moment. I don't have permission to push to this repository.

matt-FFFFFF commented 3 months ago

953 is merged so closing - thanks!