0
votes

Firstly, I'm using Terraform on Azure

I'm trying to deploy an Azure Firewall using some azurerm_firewall_network_rule_collection. I want to be able to do a loop to deploy multiple rules collection containing a loop for many rules. In these rules, I want to call some source/destination addresses and when needed some ipgroups.

Today, with my code, I am able to deploy several rules collections containing different rules. Sadly, my code only works with IP addresses or cidrs and I want to be able to call some ipgroups (terraform allows it).

Here's my main.tf code for the rule collection

resource "azurerm_firewall_network_rule_collection" "hub_fw_rules_allow" {
    count               = length(var.network_rules)
    azure_firewall_name = join(" " , module.Create-AzureRmFirewall.fw_name)
    resource_group_name = module.Get-AzureRmResourceGroup-hub.rg_name
    name                = var.network_rule_names[count.index]
    priority            = element(var.network_rule_priorities, count.index)
    action              = element(var.network_rule_actions, count.index)
    dynamic "rule" {
        for_each = var.network_rules[count.index]
            content {
                name                  = rule.value.name
                description           = lookup(rule.value, "description", null)
                source_addresses      = lookup(rule.value, "source_addresses", null)
                source_ip_groups      = lookup(rule.value, "source_ip_groups" , null)
                destination_addresses = lookup(rule.value, "destination_addresses", null)
                destination_ip_groups = lookup(rule.value, "destination_ip_groups", null)
                destination_ports     = lookup(rule.value, "destination_ports", null)
                protocols             = lookup(rule.value, "protocols", null)
            }
    }
}

This is my tfvars file for my rules (value are set randomly for my tests)

network_rule_names      = ["network_rule_1", "network_rule_2"]
network_rule_priorities = [101 , 102]
network_rule_actions    = ["Allow", "Deny"]
network_rules = [ 
    [   
        {    
            name                  = "network_rule_1_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [11]
            protocols             = ["TCP", "UDP"]
        },  
        {         
            name                  = "network_rule_1_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [12]
            protocols             = ["TCP", "UDP"]
        }  
    ],

    [   
        {      
            name                  = "network_rule_2_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [21]
            protocols             = ["TCP",]
        },  
        {          
            name                  = "network_rule_2_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]   
            destination_ports     = [22]
            protocols             = ["TCP", "UDP"]
        }  
    ]
]

And my variables file looks like this :

variable "network_rules"{
    type = list#(any)
}
variable "fw_name"{}
variable "hub_fw_rules_allow_name"{}
variable "priority"{}
variable "network_rule_names" {
    type        = list(string)
    default     = [""]
}
variable "network_rule_priorities" {
    type        = list(number)
    default     = [101]
}
variable "network_rule_actions" {
    type        = list(string)
    default     = ["Deny"]
}

So, with this code, everything is working, terraform will deploy 2 rules collection containing 2 rules each, and I can create new rules quickly just my opening new "{}". (if you have ideas to improve this, they are appreciated)

So what's the problem?

I want to use some ip groups for some rules, I want to be able to use either ipgroups, either ips. That's why I have this line: source_ip_groups = lookup(rule.value, "source_ip_groups", null) in my main file.

I want to be able to do this in my tfvars file for a rule :

{          
name                  = "network_rule_2_rule_ipgroup"
source_ip_groups      = ["/subscriptions/xx-xx-xx/resourceGroups/rgp-xx-xxx/providers/Microsoft.Network/ipGroups/ipgr-name-xx"]
destination_ip_groups = ["/subscriptions/xx-xx-xx/resourceGroups/rgp-xx-xxx/providers/Microsoft.Network/ipGroups/other-ipgr-name-xx"]   
destination_ports     = [22]
protocols             = ["TCP", "UDP"]
}   

And when I do this, I got an error on all my network_rules block on my tfvars file with a: The given value is not valid for variable "network_rules": all list elements must have the same type.

There I don't know what I can do, I tried to change the way I call my ip group id, with a element function, same error...

I tried to "play" with the punctuation by removing quotes or "[]" too...

I want to keep my loops, because I will have a LOT of rules to create.

If you have ideas on how I can call the ids for my rules, It can be great.

Thanks you all!!

1
Does the reply solve your issue?Nancy Xiong
Adding all the elements of my variable network_rules even if some are "null" solved my problem !TontonJuju

1 Answers

0
votes

The direct method is to define the same type element for the variable "network_rules".

network_rules = [ 
    [   
        {    
            name                  = "network_rule_1_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [11]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = []
            destination_ip_groups = []
        },  
        {         
            name                  = "network_rule_1_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [12]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = []
            destination_ip_groups = []
        }
    ],

    [   
        {      
            name                  = "network_rule_2_rule_1"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]
            destination_ports     = [21]
            protocols             = ["TCP",]
            source_ip_groups      = []
            destination_ip_groups = []
        },  
        {          
            name                  = "network_rule_2_rule_2"
            source_addresses      = ["10.1.0.0/16"]
            destination_addresses = ["10.8.8.8", "8.10.4.4"]   
            destination_ports     = [22]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = []
            destination_ip_groups = []
        },
        {          
            name                  = "network_rule_2_rule_ipgroup"        
            source_addresses      = []
            destination_addresses = []   
            destination_ports     = [22]
            protocols             = ["TCP", "UDP"]
            source_ip_groups      = ["/subscriptions/xxx/resourceGroups/xxxRG/providers/Microsoft.Network/ipGroups/xxx"]
            destination_ip_groups = ["/subscriptions/xxx/resourceGroups/xxxRG/providers/Microsoft.Network/ipGroups/ipgxxx"]
        }   
    ]
]