Actual Behaviour
Error in console when using terraform plan and/or terraform apply
marking my IP range invalid (which it is not), it is expecting an IP within the IANAPrivateRanges range
the whole idea of this function is to be able to step outside of the IANA Private Range

```
╷
│ Error: expected "private_ip_ranges.0" to be a valid IPv4 Value, got 145.86.0.0/16: invalid CIDR address: 145.86.0.0/16
│
│   with azurerm_firewall.AFW-PL-Con,
│   on AZFirewall.tf line 22, in resource "azurerm_firewall" "AFW-PL-Con":
│   22: resource "azurerm_firewall" "AFW-PL-Con" {
│
╵
╷
│ Error: expected private_ip_ranges.0 to be one of [IANAPrivateRanges], got 145.86.0.0/16
│
│   with azurerm_firewall.AFW-PL-Con,
│   on AZFirewall.tf line 22, in resource "azurerm_firewall" "AFW-PL-Con":
│   22: resource "azurerm_firewall" "AFW-PL-Con" {
│
╵
```
Community Note
Terraform (and AzureRM Provider) Version
Terraform v0.15.2
on linux_amd64
Affected Resource(s)
azurerm_firewall
Terraform Configuration Files
Debug Output
Panic Output
Expected Behaviour
backstory:
The use of telling AZFW what the internally used IPs are is to let it know if it has to use SNAT on certain IPs (or ranges) or not
some networks, especially larger or hosting companies, use a public IP block on their edge / DMZ network
back in the days when we had more than enough IPs and when you would get a /16 subnet with your coffee at the gas station, that is
my / our on-prem network still has a public IP block that is used internally (yes we do own these)
so I need to tell AZFW that it should not use SNAT on that range and treat it as an internal block
the way that you do that is to add your public block beside the IANAPrivateRanges
this is the only way to prevent SNAT on that block by the AZFW.
so I was surprised that it didn't take the /16 block and even marked it as non CIDR,
that's why in my opinion this is a bug and not an enhancement
I expected that terraform would accept the public / non IANA Private IP as valid and proceed with the plan action
Note: adding this using az cli or using the azure UI works fine, tested and is valid
it is terraform not accepting the input
Steps to Reproduce
add

```hcl
private_ip_ranges = [ "IANAPrivateRanges", " PUBLICIP" ]
```

to the azurerm_firewall resource
where PUBLICIP is any non IANAPrivateRanges IP

`terraform plan`
Important Factoids
none
References
private_ip_ranges
#10627
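
An added example, not code from this issue or from the AzureRM provider: a stand-alone Go check for `private_ip_ranges` entries that accepts the `IANAPrivateRanges` keyword or any IPv4 CIDR, public or private, and says why an entry is rejected. The helper name `checkRange`, the RFC 1918-only definition of "private", and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Assumption: "private" here means RFC 1918 space only.
var rfc1918 = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// checkRange (hypothetical helper) classifies one private_ip_ranges entry as
// "keyword", "rfc1918" or "public", or returns an error explaining the rejection.
func checkRange(entry string) (string, error) {
	if entry == "IANAPrivateRanges" {
		return "keyword", nil
	}
	if entry != strings.TrimSpace(entry) {
		return "", fmt.Errorf("%q has leading or trailing whitespace", entry)
	}
	p, err := netip.ParsePrefix(entry)
	if err != nil {
		return "", fmt.Errorf("%q is not a CIDR: %w", entry, err)
	}
	if !p.Addr().Is4() {
		return "", fmt.Errorf("%q is not IPv4", entry)
	}
	if p != p.Masked() {
		return "", fmt.Errorf("%q has host bits set, want %s", entry, p.Masked())
	}
	for _, r := range rfc1918 {
		// A prefix is inside r when it is at least as long and starts within r.
		if p.Bits() >= r.Bits() && r.Contains(p.Addr()) {
			return "rfc1918", nil
		}
	}
	return "public", nil // valid CIDR outside RFC 1918: SNAT exemption is deliberate
}

func main() {
	// Constructed sample input; 145.86.0.0/16 is the range quoted in the issue.
	for _, e := range []string{"IANAPrivateRanges", "145.86.0.0/16", " 145.86.0.0/16", "10.0.0.0/8", "145.86.1.0/16"} {
		kind, err := checkRange(e)
		fmt.Printf("%-20q kind=%-8s err=%v\n", e, kind, err)
	}
}
```

Entries reported as `public` are the ones worth a second look in review, since listing them turns off SNAT for address space that is routable on the internet.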