hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Unable to disable SNAT in azurerm_firewall_policy #13553

Open jkroepke opened 3 years ago

jkroepke commented 3 years ago

Terraform (and AzureRM Provider) Version

Terraform: 1.0.5
AzureRM: 2.77.0

Terraform Configuration Files

```hcl
resource "azurerm_firewall_policy" "base" {
  name                = "fw-${local.workspace}-${var.location}"
  location            = var.location
  resource_group_name = azurerm_resource_group.default.name
  # Intended to turn SNAT off; this empty list is what the provider rejects (see error below)
  private_ip_ranges   = []

  dns {
    proxy_enabled = true
    servers       = [var.hub_dns_forwarder_ip]
  }

  tags = local.tags
}
```

Expected Behaviour

The SNAT functionality is set to None or Empty inside Azure

[Screenshot 2021-09-29 at 15:44:11]

Actual Behaviour

```text
│ Error: Not enough list items
│
│   with azurerm_firewall_policy.base,
│   on firewall_rules_base.tf line 6, in resource "azurerm_firewall_policy" "base":
│    6:   private_ip_ranges   = []
│
│ Attribute requires 1 item minimum, but config has only 0 declared.
```

Steps to Reproduce

  1. Create resource from above
  2. terraform apply

jackofallops commented 3 years ago

Hi @jkroepke - iirc omitting that property entirely should achieve your desired result. By attempting to specify a value, even an empty list, this effectively activates that part of the configuration.

jkroepke commented 3 years ago

@jackofallops

> iirc omitting that property entirely

In this case, the default value (For all IP addresses except IANA RFC 1918 ranges; see the screenshot) is used inside Azure.

segraef commented 2 years ago

As per https://github.com/hashicorp/terraform-provider-azurerm/pull/10627 it should be implemented by now, but omitting `private_ip_ranges = ["0.0.0.0/0"]` or `private_ip_ranges = []` doesn't seem to have any effect on changing the setting to Never. The setting remains at the default setting For all IP addresses except IANA RFC 1918 ranges.
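For reference, the three SNAT modes of Azure Firewall all map onto the single `private_ip_ranges` attribute, because Azure defines the mode by which destinations count as "private" (and therefore are not SNATed). Azure's documentation gives two sentinel ranges for the extremes: `0.0.0.0/0` means every destination is private, so SNAT never happens, and `255.255.255.255/32` means no destination is private, so SNAT always happens. The configuration below is an added example written for this thread, not code from the issue author or from the provider's own docs or tests; `var.location` and `azurerm_resource_group.default` are placeholders, and whether the `0.0.0.0/0` form actually lands in Azure on 2.77.0 is exactly what the comments above dispute, so verify after apply rather than trusting the plan.

```hcl
# Added example (not from the issue or the provider): the three SNAT modes
# expressed through private_ip_ranges. var.location and
# azurerm_resource_group.default are assumed to exist.

# Default mode ("For all IP addresses except IANA RFC 1918 ranges"):
# omit the attribute entirely. An empty list is not a valid way to say this;
# the schema requires at least one element and rejects [] at plan time.
resource "azurerm_firewall_policy" "snat_default" {
  name                = "fw-snat-default"
  location            = var.location
  resource_group_name = azurerm_resource_group.default.name
}

# "Never" SNAT, the mode the issue asks for. 0.0.0.0/0 tells Azure to treat
# every destination as private, so outbound traffic keeps its source address.
# The thread reports that on 2.77.0 this value did not change the portal
# setting, so check the applied value (see below) before relying on it.
resource "azurerm_firewall_policy" "snat_never" {
  name                = "fw-snat-never"
  location            = var.location
  resource_group_name = azurerm_resource_group.default.name
  private_ip_ranges   = ["0.0.0.0/0"]
}

# "Always" SNAT. 255.255.255.255/32 matches nothing, so no destination is
# considered private and every flow is translated to the firewall's public IP.
resource "azurerm_firewall_policy" "snat_always" {
  name                = "fw-snat-always"
  location            = var.location
  resource_group_name = azurerm_resource_group.default.name
  private_ip_ranges   = ["255.255.255.255/32"]
}

# Custom: only your own hub/spoke space is exempt from SNAT; everything else
# (including any RFC 1918 space you did not list) is translated.
resource "azurerm_firewall_policy" "snat_custom" {
  name                = "fw-snat-custom"
  location            = var.location
  resource_group_name = azurerm_resource_group.default.name
  private_ip_ranges   = ["10.0.0.0/8", "172.16.0.0/12"]
}
```

To confirm what Azure actually stored rather than what Terraform thinks it sent, read the attribute back after apply with `terraform state show azurerm_firewall_policy.snat_never`, and compare it with the control plane's view (`az network firewall policy show -g <rg> -n fw-snat-never --query snat`, assuming the azure-firewall CLI extension is installed). If the two disagree, or the state shows the value but the portal still reads the default, that is the provider-side drift this issue describes and the firewall is still SNATing traffic you expected to leave untranslated.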