hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

network_rule_set in IoTHub are not applied correctly #16568

Closed Tiduster closed 2 years ago

Tiduster commented 2 years ago

Terraform Version

1.1.7

AzureRM Provider Version

3.2.0

Affected Resource(s)/Data Source(s)

azurerm_iothub

Terraform Configuration Files

resource "azurerm_iothub" "this" {
  name                = local.iothub_name
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location

  public_network_access_enabled = var.iothub_public_network_access_enabled

  sku {
    name     = var.iothub_sku_name
    capacity = var.iothub_sku_capacity
  }

  dynamic "network_rule_set" {
    for_each = length(var.iothub_network_rules) > 0 ? [1] : []
    content {
      apply_to_builtin_eventhub_endpoint = var.iothub_network_rules_apply_to_builtin_eventhub_endpoint

      dynamic "ip_rule" {
        for_each = var.iothub_network_rules
        content {
          name    = ip_rule.value.name
          ip_mask = ip_rule.value.ip_mask
        }
      }
    }
  }

  tags = local.tags
}

Debug Output/Panic Output

# azurerm_iothub.this will be updated in-place
  ~ resource "azurerm_iothub" "this" {
        id                            = "/subscriptions/***/resourceGroups/***/providers/Microsoft.Devices/IotHubs/***"
        name                          = "***"
        tags                          = {
            "environment" = "stag"
            "origin"      = "terraform"
            "project"     = "***"
        }
        # (14 unchanged attributes hidden)

      ~ network_rule_set {
            # (2 unchanged attributes hidden)

          + ip_rule {
              + action  = "Allow"
              + ip_mask = "***"
              + name    = "***"
            }
          + ip_rule {
              + action  = "Allow"
              + ip_mask = "***"
              + name    = "***"
            }
            # (1 unchanged block hidden)
        }

        # (3 unchanged blocks hidden)
    }

Expected Behaviour

Network rules are applied

Actual Behaviour

azurerm_iothub.this: Modifying... [id=/subscriptions//resourceGroups//providers/Microsoft.Devices/IotHubs/]
╷
│ Error: creating/updating Iot Hub: (Name "" / Resource Group ""): devices.IotHubResourceClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="Failed" Message="The async operation failed." InnerError={"unmarshalError":"json: cannot unmarshal number into Go struct field serviceErrorInternal.code of type string"} AdditionalInfo=[{"code":400059,"httpStatusCode":"BadRequest","message":"Request body validation failed. If you contact a support representative please include this correlation identifier: , timestamp: 2022-04-27 14:55:59Z, errorcode: IH400059."}]
│
│   with azurerm_iothub.this,
│   on main.tf line 38, in resource "azurerm_iothub" "this":
│   38: resource "azurerm_iothub" "this" {
│
╵
ERRO[0040] 1 error occurred:

Steps to Reproduce

terraform apply

While debugging, I also found the following issue:

╷
│ Error: expected network_rule_set.0.default_action to be one of [Allow Deny], got DefaultActionDeny
│
│   with azurerm_iothub.this,
│   on main.tf line 38, in resource "azurerm_iothub" "this":
│   38: resource "azurerm_iothub" "this" {
│
╵
ERRO[0020] 1 error occurred:

This is NOT what the documentation says: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/iothub#default_action

A network_rule_set block supports the following: default_action: (Optional) Default Action for Network Rule Set. Possible values are DefaultActionDeny, DefaultActionAllow. Defaults to DefaultActionDeny.

Important Factoids

No response

References

No response

Tiduster commented 2 years ago

I found the issue; I don't know if you would consider it a "bug". I was using an invalid character (like a space) in the name of the rule, and Azure doesn't provide a useful error message.

Official documentation:

Provide a name for the IP Filter rule. This name must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus {'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''} are accepted.

The documentation issue about the default_action remains.
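A pre-apply check, added here as an example and not code from the provider or from the issue author, that enforces the IP filter rule naming constraints quoted from the Azure documentation above before Terraform hands the rule set to Azure, so the rejected request (and its unhelpful IH400059 message) is caught locally. It also checks default_action against the Allow/Deny values reported by the provider's own validation error earlier in the thread, and checks ip_mask as an IPv4 address or CIDR, which is an assumption about the ip_mask format rather than something the issue states. The rule list is constructed sample data shaped like the var.iothub_network_rules objects in the configuration above.

```python
import ipaddress
import re

# Character set for IP filter rule names, as quoted from the Azure documentation in the
# comment above: ASCII alphanumerics plus - : / \ . + % _ # * ? ! ( ) , = @ ; '
# with a maximum length of 128. A space is not in the set, which is what broke the apply.
_ALLOWED_NAME_RE = re.compile(r"^[A-Za-z0-9\-:/\\.+%_#*?!(),=@;']{1,128}$")

# Values the provider's schema validation accepts for default_action, taken from the
# "expected ... to be one of [Allow Deny]" error in the issue (not the doc's wording).
_ALLOWED_DEFAULT_ACTIONS = ("Allow", "Deny")


def validate_ip_rules(rules, default_action="Deny"):
    """Return a list of problems; an empty list means the rule set passes every check.

    `rules` is a list of dicts shaped like {"name": ..., "ip_mask": ...}.
    """
    problems = []

    if default_action not in _ALLOWED_DEFAULT_ACTIONS:
        problems.append(
            f"default_action {default_action!r} not in {list(_ALLOWED_DEFAULT_ACTIONS)}"
        )

    seen = {}  # lower-cased name -> index of first rule using it
    for idx, rule in enumerate(rules):
        name = rule.get("name", "")
        mask = rule.get("ip_mask", "")

        # Reject names that are empty, longer than 128 characters, or contain any
        # character outside the documented set.
        if not _ALLOWED_NAME_RE.fullmatch(name):
            problems.append(
                f"rule {idx}: name {name!r} is empty, too long, or contains disallowed characters"
            )

        # Names must be unique case-insensitively, per the same documentation.
        key = name.lower()
        if key in seen:
            problems.append(
                f"rule {idx}: name {name!r} duplicates rule {seen[key]} (case-insensitive)"
            )
        else:
            seen[key] = idx

        # Assumption: ip_mask is an IPv4 address or CIDR block. strict=True rejects a
        # prefix whose host bits are set (e.g. 198.51.100.7/24), which is almost always
        # a typo in an allow list.
        try:
            ipaddress.IPv4Network(mask, strict=True)
        except ValueError:
            problems.append(f"rule {idx}: ip_mask {mask!r} is not a valid IPv4 address or CIDR")

    return problems


# Constructed sample input using documentation address ranges; not from the issue.
SAMPLE_RULES = [
    {"name": "office-vpn", "ip_mask": "203.0.113.0/24"},
    {"name": "allow office", "ip_mask": "198.51.100.7"},    # space is not allowed
    {"name": "Office-VPN", "ip_mask": "198.51.100.0/25"},   # duplicates rule 0 case-insensitively
    {"name": "bad-mask", "ip_mask": "198.51.100.7/24"},     # host bits set in a prefix
]

if __name__ == "__main__":
    for problem in validate_ip_rules(SAMPLE_RULES, default_action="DefaultActionDeny"):
        print(problem)
```

Run it against the object list you would otherwise pass to var.iothub_network_rules (for example from a `terraform console` or tfvars dump) before `terraform apply`; an empty return means the names, uniqueness, masks and default_action all satisfy the constraints the thread documents.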

github-actions[bot] commented 2 years ago

This functionality has been released in v3.5.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.