
Dynamic block with for_each within network_rule_set inside azurerm_container_registry won't work #20721

Closed
1 task done
lukriv opened this issue Mar 1, 2023 · 2 comments · Fixed by #26547

Comments

@lukriv

lukriv commented Mar 1, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.9

AzureRM Provider Version

3.45.0

Affected Resource(s)/Data Source(s)

azurerm_container_registry

Terraform Configuration Files

variable "subscription_id" {}

variable "tenant_id" {}

variable "client_id" {}

variable "client_secret" {}

locals {
  acr_allowed_ips = ["10.0.0.1"]
}

provider "azurerm" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  features {}
}

resource "azurerm_container_registry" "acr_premium" {
  name                   = "TestACR"
  resource_group_name    = "TestRG"
  location               = "westeurope"
  sku                    = "Premium"
  admin_enabled          = false
  anonymous_pull_enabled = false

  network_rule_set {
    default_action = "Deny"

    dynamic "ip_rule" {
      for_each = local.acr_allowed_ips
      content {
        action   = "Allow"
        ip_range = ip_rule.value
      }
    }
  }
}

Debug Output/Panic Output

https://gist.github.com/lukriv/4452346e124d6d32d7086e5199bb2607

Expected Behaviour

Premium ACR is created without problems with one or more ip_rule in network_rule_set.

Actual Behaviour

│ Error: Unknown variable

│ on main.tf line 34, in resource "azurerm_container_registry" "acr_premium":
│ 34: for_each = local.acr_allowed_ips

│ There is no variable named "local".

If you use an external variable and refer to it as "var.variablename", it returns the same error with the note: There is no variable named "var".

Steps to Reproduce

  1. terraform plan (or terraform apply)

Important Factoids

No response

References

No response

@lukriv lukriv added the bug label Mar 1, 2023
@github-actions github-actions bot removed the bug label Mar 1, 2023
@magodo
Collaborator

magodo commented Mar 2, 2023

@lukriv Sorry that you ran into this issue. The reason is that the ip_rule (and even the network_rule_set) is defined with ConfigMode: pluginsdk.SchemaConfigModeAttr, which makes it an attribute even though it looks like a block in the HCL:

"ip_rule": {
    Type:       pluginsdk.TypeSet,
    Optional:   true,
    ConfigMode: pluginsdk.SchemaConfigModeAttr,

The reason for making it an attribute is to allow users to reset the ip_rule to an empty list with the ip_rule = [] syntax. In particular, this is needed for network_rule_set when changing the sku from Premium to Basic. But I'm not sure whether we should also do this for the ip_rule. Meanwhile, we are not able to simply revert it, since that would otherwise break the usage of assigning an empty slice. We can introduce that change in v4.0 though.

@schwing

schwing commented Jun 9, 2023

I ran into the same issue and managed a bit of a hacky workaround. As mentioned above, ip_rule can be a list, so you can use a for loop to generate ip_rule as a list with multiple rules like this:

  network_rule_set {
    default_action = "Deny"

    ip_rule = [
      for ip in local.acr_allowed_ips : {
        action   = "Allow"
        ip_range = ip
      }
    ]
  }

The end result works the same way a dynamic block would, and it successfully adds the IP addresses to the ACR firewall rules.
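A fuller version of the attribute-style assignment described in this thread, as an added example rather than code from the issue or from the provider: it keeps the for-expression workaround, and adds input validation so that a malformed entry or an allow-all range is rejected at plan time before it becomes a registry firewall rule. The variable name acr_allowed_cidrs, the sample addresses, and the registry and resource group names are assumptions for illustration.

```hcl
# Added example (not from the issue or the provider). Assumed names:
# var.acr_allowed_cidrs, the sample addresses, "TestACR" and "TestRG".

variable "acr_allowed_cidrs" {
  description = "Public IPv4 addresses or CIDR ranges allowed to reach the registry"
  type        = list(string)
  default     = ["10.0.0.1", "203.0.113.0/24"] # constructed sample values

  validation {
    # Every entry must parse as an IPv4 address or CIDR range. A bare address
    # is given a /32 so cidrhost() can parse it; anything else fails the check.
    condition = alltrue([
      for c in var.acr_allowed_cidrs :
      can(cidrhost(length(split("/", c)) == 2 ? c : "${c}/32", 0))
    ])
    error_message = "Each entry in acr_allowed_cidrs must be an IPv4 address or CIDR range."
  }

  validation {
    # With default_action = "Deny", an allow-all rule would silently undo the
    # allowlist, so it is refused here instead of reaching the registry.
    condition     = !contains(var.acr_allowed_cidrs, "0.0.0.0/0")
    error_message = "0.0.0.0/0 is not allowed; list specific addresses or ranges instead."
  }
}

locals {
  # Trim and deduplicate so identical entries do not yield duplicate rules
  # (ip_rule is a set in the provider schema).
  acr_allowed_cidrs = distinct([for c in var.acr_allowed_cidrs : trimspace(c)])
}

resource "azurerm_container_registry" "acr_premium" {
  name                   = "TestACR"
  resource_group_name    = "TestRG"
  location               = "westeurope"
  sku                    = "Premium"
  admin_enabled          = false
  anonymous_pull_enabled = false

  network_rule_set {
    default_action = "Deny"

    # ip_rule is an attribute in this provider version, so the rules are built
    # with a for expression and assigned as a list instead of a dynamic block.
    # Setting ip_rule = [] would clear the allowlist entirely, which is the
    # reset case the maintainer comment above describes.
    ip_rule = [
      for cidr in local.acr_allowed_cidrs : {
        action   = "Allow"
        ip_range = cidr
      }
    ]
  }
}

output "acr_allowlisted_ranges" {
  description = "IP ranges the registry firewall will allow; review this in the plan output"
  value       = [for r in azurerm_container_registry.acr_premium.network_rule_set[0].ip_rule : r.ip_range]
}
```

The two validation blocks run during terraform plan, so a typo in the allowlist or an accidental 0.0.0.0/0 stops the run before any rule is written; the output lets a reviewer confirm the exact ranges being opened without reading the resource block.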
