hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_linux_web_app ip_restrictions not working and undocumented behaviour #17189

Open PAKalucki opened 2 years ago

PAKalucki commented 2 years ago

Terraform Version

1.1.9

AzureRM Provider Version

3.9.0

Affected Resource(s)/Data Source(s)

azurerm_linux_web_app

Terraform Configuration Files

resource "azurerm_linux_web_app" "example1" {
  site_config {
    ip_restriction = {
      "ip_address" = "1.1.1.1/32"
    }
  }
}

resource "azurerm_linux_web_app" "example2" {
  site_config {
    ip_restriction = [{
      "ip_address" = "1.1.1.1/32"
    }]
  }
}

Debug Output/Panic Output

Error: Incorrect attribute value type
│
│   on modules/linux_web_app/main.tf line 51, in resource "azurerm_linux_web_app" "this":
│   51:       ip_restriction = [{
│   52:         ip_address = "1.1.1.1/32"
│   53:       }           ]
│
│ Inappropriate value for attribute "ip_restriction": element 0: attributes "action", "headers", "name", "priority", "service_tag", and "virtual_network_subnet_id" are required.

Expected Behaviour

ip_restriction block to work as documented

Actual Behaviour

Example1 resource returns: Inappropriate value for attribute "ip_restriction": list of object required. The documentation does not specify that a list is required; it only says: ip_restriction - (Optional) One or more ip_restriction blocks as defined above.

Example2 resource with a list returns: Inappropriate value for attribute "ip_restriction": element 0: attributes "action", "headers", "name", "priority", "service_tag", and "virtual_network_subnet_id" are required. These attributes are documented as optional.

Steps to Reproduce

No response

Important Factoids

No response

References

No response
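As an added example (not from the issue author or from the provider's documentation), the block syntax that the azurerm docs describe for ip_restriction, which avoids the "attributes ... are required" error: with the attribute syntax (ip_restriction = [{ ... }]) Terraform treats the value as a full object type whose attributes must all be set, which is why only the omitted-as-null form in the comments below is accepted. The resource names, the azurerm_service_plan / azurerm_resource_group references and the var.frontdoor_id variable are assumptions.

```hcl
resource "azurerm_linux_web_app" "example" {
  # Names and references below are assumed for illustration.
  name                = "example-web-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  site_config {
    # Nested block syntax (no "="): only the arguments you need are set,
    # the rest take their documented optional defaults.
    ip_restriction {
      name        = "AllowFrontDoor"
      action      = "Allow"
      priority    = 100
      service_tag = "AzureFrontDoor.Backend"

      # Restrict further to requests carrying this Front Door profile's ID,
      # so traffic from other Front Door instances is still rejected.
      headers {
        x_azure_fdid = [var.frontdoor_id] # assumed variable
      }
    }

    # Explicit lowest-priority catch-all so anything not matched above is denied.
    ip_restriction {
      name       = "DenyAll"
      action     = "Deny"
      priority   = 65000
      ip_address = "0.0.0.0/0"
    }
  }
}
```

After apply, confirm in the portal or via the Azure CLI that both rules are present on the site, since several comments below report restrictions being accepted by plan but not applied.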

maithilikkennards commented 2 years ago

I am having a similar issue, where there is no terraform validation error but the ip restrictions are not being set on the linux web app. Plan does not recognize the newly added IP restrictions:

ip_restriction {
  name = "AllowFrontDoorRule"
  headers = [
    {
      x_azure_fdid      = [xxxx-xxxx-xxxx]
      x_fd_health_probe = []
      x_forwarded_for   = []
      x_forwarded_host  = []
    }
  ]
  service_tag = "AzureFrontDoor.Backend"
  priority    = 1
  action      = "Allow"
}

ip_restriction {
  name       = "Deny all"
  ip_address = "0.0.0.0/0"
  priority   = 2
  action     = "Deny"
}

NickGraham101 commented 2 years ago

Similarly to @maithilikkennards I'm trying to add an AllowRule for FrontDoor. In my case the rule was recognised but I had to specify all the ip_restriction properties, setting those that didn't apply to null. I'm using version 3.17.0 of the hashicorp/azurerm provider. I've also tested with 3.25.0 and saw the same problem with having to set null for any irrelevant properties.

  site_config {
    ip_restriction = [{
      name     = "FrontDoor"
      action   = "Allow"
      priority = 1
      headers = [{
        x_azure_fdid      = [ "00000000-0000-0000-0000-000000000000" ]
        x_fd_health_probe = []
        x_forwarded_for   = []
        x_forwarded_host  = []
      }]
      service_tag               = "AzureFrontDoor.Backend"
      ip_address                = null
      virtual_network_subnet_id = null
    }]
  }

(x_azure_fdid value obfuscated)

f1nzer commented 1 year ago

I am having a similar issue, where there is no terraform validation error but the ip restrictions are not being set on the linux web app. Plan does not recognize the newly added IP restrictions

I have exactly the same problem. ip_restriction can be set only for the initial creation of resources (azurerm_linux_web_app and azurerm_linux_web_app_slot for example), while later it can't be modified - changes are not recognized.

latiosu commented 1 year ago

Our team was facing the following error message when trying to create an Access Restriction where only Front Door traffic is allowed to reach App Service (using a ServiceTag of AzureFrontDoor.Backend):

IpSecurityRestriction is invalid.  Etiher IpAddress or VnetSubnetResourceId property must be specified.

It turns out that the ipAddress field is required for the value and tag for the type. The below azapi resource successfully creates the Site Traffic rule as a workaround.

resource "azapi_update_resource" "linux_web_app" {
  type      = "Microsoft.Web/sites@2022-03-01"
  name      = <web_app_name>
  parent_id = <resource_group_id>

  body = jsonencode({
    properties = {
      siteConfig = {
        ipSecurityRestrictions = [
          {
            action      = "Allow"
            description = "Only allow Azure Front Door traffic with matching FDID header."
            headers = {
              "X-Azure-FDID" : [<frontdoor_guid>]
            }
            ipAddress = "AzureFrontDoor.Backend"
            name      = "OnlyFrontDoorTraffic"
            priority  = 1
            tag       = "ServiceTag"
          }
        ]
      }
    }
  })
}

xiaxyi commented 1 year ago

@latiosu There is a dedicated property service_tag for service tag in ip_restriction block. Have you tried it?

xiaxyi commented 1 year ago

@NickGraham101 @maithilikkennards @PAKalucki The issue should be fixed now, can you confirm if you are still facing this issue or not?

latiosu commented 1 year ago

@latiosu There is a dedicated property service_tag for service tag in ip_restriction block. Have you tried it?

Hi @xiaxyi, we tried using the dedicated service_tag property and set it to AzureFrontDoor.Backend but it led to us receiving the following error:

IpSecurityRestriction is invalid.  Etiher IpAddress or VnetSubnetResourceId property must be specified.

xiaxyi commented 1 year ago

@latiosu Thanks for the feedback, can you share your full terraform config with me so I can try from my side? I see the config that you shared earlier is for the azAPI provider.

Joseluismantilla commented 1 year ago

I have the same issue with linux_web_app and linux_function_app, so I had to use:

resource "azapi_update_resource" "this" {
  type = "Microsoft.Web/sites/config@2022-03-01"
  name = "web"
  parent_id = azurerm_linux_web_app.webapp.id
  body = jsonencode({
    properties = {
      publicNetworkAccess = "Enabled"
    }
  })
  lifecycle {
    replace_triggered_by = [
      azurerm_linux_web_app.webapp
    ]
  }
}

The only issue with the azapi is that it's always executed, because it is an update.

robert-smith-docobo commented 1 year ago

I have the latest release version of Terraform for Windows (1.5.4) and the azurerm provider (3.68.0) and get an equivalent problem with azurerm_linux_web_app, that is, Terraform accepts the entries to enable and configure a VPN for the web app, but when I apply, the requested VPN configuration is ignored and I have to set it up interactively in the Azure web portal.

resource "azurerm_linux_web_app" "inward-ias-service" {
  name                    = var.app_service_name
  location                = var.location
  resource_group_name     = var.resource_group_name
  service_plan_id         = var.app_service_plan_id
  https_only              = false
  client_affinity_enabled = true

  site_config {
    vnet_route_all_enabled = true

    ip_restriction {
      virtual_network_subnet_id = "/subscriptions/XXXXXXXXXXXXXXXXXXX/resourceGroups/XXXXXXX/providers/Microsoft.Network/virtualNetworks/XXXXXXXX/subnets/default"
    }

    application_stack {
      docker_image_name        = var.service_container_image_name
      docker_registry_url      = var.env_docker_registry_server_url
      docker_registry_username = var.env_docker_registry_server_username
      docker_registry_password = var.env_docker_registry_server_password
    }
  }

  app_settings = local.env_variables
}

unkinected commented 1 year ago

Just to add that this is also a problem on the Windows side, with both azurerm_windows_web_app and azurerm_windows_web_app_slot. I'm on Azurerm 3.68.0 and Terraform 1.5.3. Setting all the extraneous values to null as indicated by NickGraham101 doesn't work for me, but I'm going to try the azapi_update_resource and see if I can get my slots to update.