Unable to disable SNAT in azurerm_firewall_policy #13553

jkroepke opened this issue Sep 29, 2021 · 3 comments

@jkroepke
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform: 1.0.5
AzureRM: 2.77.0

Affected Resource(s)

  • azurerm_firewall_policy

Terraform Configuration Files

resource "azurerm_firewall_policy" "base" {
  name                = "fw-${local.workspace}-${var.location}"
  location            = var.location
  resource_group_name = azurerm_resource_group.default.name
  private_ip_ranges   = []

  dns {
    proxy_enabled = true
    servers       = [var.hub_dns_forwarder_ip]
  }


  tags = local.tags
}

Debug Output

Panic Output

Expected Behaviour

The SNAT functionality is set to None or Empty inside Azure

Screenshot 2021-09-29 at 15 44 11

Actual Behaviour

│ Error: Not enough list items
│
│   with azurerm_firewall_policy.base,
│   on firewall_rules_base.tf line 6, in resource "azurerm_firewall_policy" "base":
│    6:   private_ip_ranges   = []
│
│ Attribute requires 1 item minimum, but config has only 0 declared.

Steps to Reproduce

  1. Create resource from above
  2. terraform apply

Important Factoids

References

  • #0000

@jackofallops
Member

Hi @jkroepke - iirc omitting that property entirely should achieve your desired result. By attempting to specify a value, even an empty list, this effectively activates that part of the configuration.

@jkroepke
Contributor Author

jkroepke commented Oct 1, 2021

@jackofallops

> iirc omitting that property entirely

In this case, the default value (For all IP addresses except IANA RFC 1918 ranges; see the screen) is used inside Azure.

@segraef

segraef commented Jul 11, 2022

As per #10627 it should be implemented by now but omitting private_ip_ranges = ["0.0.0.0/0"] or private_ip_ranges = [] doesn't seem to have any effect on changing the setting to Never. The setting remains at the default setting For all IP addresses except IANA RFC 1918 ranges.
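
To confirm which SNAT mode a policy actually ended up in without reading it off the portal, the added example below (not code from this issue or from the provider) compares the `private_ip_ranges` in a `terraform show -json` plan with the ranges stored on the deployed policy. The JSON samples are constructed, the `snat.privateRanges` field shape of the deployed policy is an assumption, and `0.0.0.0/0` is mapped to "Never" as the comment above expects.

```python
# Added example with constructed sample data (not output from the issue).
# Trimmed shape of `terraform show -json <planfile>`.
PLAN = {"resource_changes": [{
    "address": "azurerm_firewall_policy.base",
    "type": "azurerm_firewall_policy",
    "change": {"actions": ["update"],
               "after": {"name": "fw-example",
                         "private_ip_ranges": ["0.0.0.0/0"]}},
}]}

# Trimmed shape of the deployed policy JSON (assumed: snat.privateRanges).
DEPLOYED_DEFAULT = {"name": "fw-example", "snat": None}
DEPLOYED_NEVER = {"name": "fw-example",
                  "snat": {"privateRanges": ["0.0.0.0/0"]}}


def snat_mode(ranges):
    """Name the SNAT mode a private-range list corresponds to."""
    if not ranges:
        return "default"   # all IP addresses except IANA RFC 1918 ranges
    if list(ranges) == ["0.0.0.0/0"]:
        return "never"     # every destination counts as private
    return "custom"


def planned_ranges(plan):
    """Map each firewall policy address in the plan to its planned ranges."""
    found = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") == "azurerm_firewall_policy":
            after = (rc.get("change") or {}).get("after") or {}
            found[rc["address"]] = after.get("private_ip_ranges") or []
    return found


def deployed_ranges(policy):
    """Read the ranges stored on the deployed policy; absent means none."""
    return (policy.get("snat") or {}).get("privateRanges") or []


def check_drift(plan, deployed_by_address):
    """Return (address, planned_mode, deployed_mode) where the two disagree."""
    drift = []
    for address, want in planned_ranges(plan).items():
        have = deployed_ranges(deployed_by_address.get(address, {}))
        if sorted(want) != sorted(have):
            drift.append((address, snat_mode(want), snat_mode(have)))
    return drift
```

A non-empty result from `check_drift` after `terraform apply` is the situation described in the comment above: the plan asks for one SNAT mode and the policy in Azure still carries another.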
