4
votes

I am trying to set the IP restrictions block in my Azure App Service app.

When performing the Terraform plan or apply, I receive the following error: Error: azurerm_app_service.app-service-1: : invalid or unknown key: ip_restriction

I used ip_restriction per the Terraform documentation for App Service (Web Apps) resources.

Here is the App Service deployment code I am using:

resource "azurerm_app_service" "app-service-1" {
  name                    = "${var.app_service_1}"
  location                = "${data.azurerm_resource_group.core-rg.location}"
  resource_group_name     = "${data.azurerm_resource_group.core-rg.name}"
  app_service_plan_id     = "${data.azurerm_app_service_plan.app-service-plan-1.id}"
  https_only              = "True"
  enabled                 = "True"
  client_affinity_enabled = "True"

  site_config {
    always_on                 = "True"
    #default_documents        = ""
    dotnet_framework_version  = "v4.0"
    #http2_enabled            = ""
    #ip_restriction           = ""
    #java_version             = ""
    #java_container           = ""
    #java_container_version   = ""
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    #php_version              = ""
    #python_version           = ""
    remote_debugging_enabled  = "False"
    #remote_debugging_version = ""
    scm_type                  = "None"
    use_32_bit_worker_process = "False"
    websockets_enabled        = "True"
    #ftps_state               = ""
  }

  app_settings {
    "KeyVaultURI" = ""
    "WEBSITE_NODE_DEFAULT_VERSION" = "6.9.1"
  }

  ip_restriction {
    "ip_address" = ""
  }
}

Thank you

3
I believe you need to have a value assigned to ip_address. What happens when you put a valid IP address in there? - kenlukas
Yes, I had an IP in there; I removed it for this post. The error I receive from Terraform apply is claiming "invalid or unknown key: ip_restriction", as if it is not a supported command in Terraform, despite the Terraform documentation. Has anyone successfully used ip_restriction { "ip_address" = "1.2.3.4" }? Documentation states subnet mask is optional, but first we need Terraform to recognize ip_restriction as a valid command. - Gvazzana
Anyone have any ideas? - Gvazzana

3 Answers

6
votes

For those interested, here is the method to use ip_restriction in Terraform.

ip_restriction is part of site_config {}.

See how to use below:

AppService.tf:

resource "azurerm_app_service" "app-service-1" {
  name                    = "${var.app_service_1}"
  location                = "${data.azurerm_resource_group.core-rg.location}"
  resource_group_name     = "${data.azurerm_resource_group.core-rg.name}"
  app_service_plan_id     = "${data.azurerm_app_service_plan.app-service-plan-1.id}"
  https_only              = "True"
  enabled                 = "True"
  client_affinity_enabled = "True"
  site_config {
    always_on                 = "True"
    #default_documents        = ""
    dotnet_framework_version  = "v4.0"
    #http2_enabled            = ""
    #ip_restriction           = ""
    #java_version             = ""
    #java_container           = ""
    #java_container_version   = ""
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    #php_version              = ""
    #python_version           = ""
    remote_debugging_enabled  = "False"
    #remote_debugging_version = ""
    scm_type                  = "None"
    use_32_bit_worker_process = "False"
    websockets_enabled        = "True"
    #ftps_state               = ""
    ip_restriction {
      ip_address  = "${var.ip_address_1}"
    }
    ip_restriction {
      ip_address  = "${var.ip_address_2}"
    }
    ip_restriction {
      ip_address  = "${var.ip_address_3}"
    }
  }
  app_settings {
    "KeyVaultURI" = ""
    "WEBSITE_NODE_DEFAULT_VERSION" = "6.9.1"
  }
}

6
votes

@jamie's answer is unfortunately incorrect: ip_restriction is not a list taking one or more, but a repeatable block.

@gvazzana's is the correct format. However, there is a trap that will cause the error you are seeing.

In TF we are used to typing IP addresses in full CIDR format, e.g. 10.23.97.201/23 or 192.68.50.0/24; the Azure portal for this section even displays them like this.

But for this particular block, in Terraform, you have to do them old school, e.g.:

site_config {
  # For a single IP address
  ip_restriction {
    ip_address = "81.145.174.78"
  }
  # For an address range
  ip_restriction {
    ip_address  = "10.240.101.0"
    subnet_mask = "255.255.255.0"
  }
}

This is of course a pain if you have a long list of addresses and ranges.

Now that Terraform version 0.12.0 is upon us, we should be able to take advantage of the new dynamic block styles and cidrhost and cidrmask functions in order to simplify things.

e.g.:

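dynamic "ip_restriction" {
  for_each = var.ip_address_list
  content {
    # Network address of the CIDR entry
    ip_address  = cidrhost(ip_restriction.value, 0)
    # cidrnetmask() is the Terraform built-in that returns the dotted netmask
    subnet_mask = cidrnetmask(ip_restriction.value)
  }
}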

tested with Terraform v0.12.13
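
The CIDR-to-netmask split described in the answer above, as an added pre-apply check that is not part of the original answer: it mirrors what cidrhost(x, 0) and cidrnetmask(x) yield for each allow-list entry and flags entries that end up wider than they look. The function names, MIN_PREFIX threshold and sample list are assumptions made for this example.

```python
import ipaddress

# Assumed policy threshold for "suspiciously broad" rules; not from the page.
MIN_PREFIX = 16


def to_ip_restriction(entry):
    """Split one allow-list entry into ip_address / subnet_mask.

    Same arithmetic as cidrhost(entry, 0) and cidrnetmask(entry). A bare
    address is accepted here and treated as /32; Terraform's cidrhost()
    expects a prefix, so write single hosts as x.x.x.x/32 in the variable.
    """
    iface = ipaddress.IPv4Interface(entry.strip())
    net = iface.network
    warnings = []
    if iface.ip != net.network_address:
        # Host bits are dropped, so the rule admits the whole subnet.
        warnings.append(
            f"{entry}: host bits set, rule covers all "
            f"{net.num_addresses} addresses of {net}"
        )
    if net.prefixlen < MIN_PREFIX:
        warnings.append(f"{entry}: prefix /{net.prefixlen} is very broad")
    return {
        "ip_address": str(net.network_address),
        "subnet_mask": str(net.netmask),
        "warnings": warnings,
    }


def render_blocks(entries):
    """Render the static ip_restriction blocks for site_config."""
    blocks = []
    for entry in entries:
        r = to_ip_restriction(entry)
        blocks.append(
            "ip_restriction {\n"
            f'  ip_address  = "{r["ip_address"]}"\n'
            f'  subnet_mask = "{r["subnet_mask"]}"\n'
            "}"
        )
    return "\n".join(blocks)


# Constructed sample list using the addresses quoted in the answer.
SAMPLE = ["81.145.174.78", "10.240.101.0/24", "10.23.97.201/23"]

if __name__ == "__main__":
    for item in SAMPLE:
        for w in to_ip_restriction(item)["warnings"]:
            print("WARN", w)
    print(render_blocks(SAMPLE))
```

The last sample entry is the case to watch: 10.23.97.201/23 becomes 10.23.96.0 with mask 255.255.254.0, so the rule admits 512 addresses rather than one host.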

1
votes

So you are running into a syntax error. The documentation can be confusing to read as I have learned over the last year. If you read the section on ip_restriction it says that it takes one or more. This means that it expects an array.

There is also a section of the documentation that tells you that inside the array it expects an object that has the properties of ip_address and subnet_mask. That is here

So to fix your issue you need the following for ip_restriction.

ip_restriction = [
    {
        ip_address = "10.0.0.0"
    }
]

Hope this helps.