Az Firewall Private IP Range marked as invalid

[dtx3k]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.15.2
on linux_amd64

• provider registry.terraform.io/hashicorp/azurerm v2.55.0

Affected Resource(s)

azurerm_firewall

Terraform Configuration Files

resource "azurerm_firewall" "AFW-PL-Con" {
    name                = "AFW-PL-Con"
    location            = azurerm_resource_group.RG-PL-Con-VNETS.location
    resource_group_name = azurerm_resource_group.RG-PL-Con-VNETS.name
    private_ip_ranges   = [ "IANAPrivateRanges", " 145.86.0.0/16" ]

    ip_configuration {
        name                 = "AFW-PL-Con-IPConfig"
        subnet_id            = azurerm_subnet.SN-PL-Con-Hub-AZFirewall.id
        public_ip_address_id = azurerm_public_ip.PIP-PL-Con-AZFirewall.id
    }

    # dns_servers = [ "10.130.1.4", "10.130.1.5" ]

    tags = var.connecttag
}

Debug Output

Panic Output

Expected Behaviour

backstory:
The use of telling AZFW what the internal used IP's are is to let it know if it has to use SNAT on certain IP's ( or ranges) or not
some networks, especially larger or hosting company's use a public IP block on their edge / DMZ network
back in the days when we had more then enough ip's and when you would get a /16 subnet with your coffee at the gasstation that is

my / our on prem network has still a public IP block that is used internaly (yes we do own these)
so i need to tell AZFW that it should not use SNAT on that range and treat it as a internal block
the way that you do that is to add your public block beside the IANAPrivateRanges
this is the only way to prevent SNAT on that block by the AZFW.
so i was surprised that it didnt take the /16 block and even marked it as non CIDR,
thats why in my opinion this is a bug and not an enhancement

I expected that terraform would accept the public / non IANA Private IP as valid and proceed with the plan action

Note: adding this using az cli or using the azure UI works fine, tested and is valid
it is terraform not accepting the input

Actual Behaviour

Error in console when using terraform plan and/or terraform apply
marking my IP range invalid (which it is not) it is expecting a IP within the IANAPrivateRanges range
the whole idea of this function is to be able to step outside of the IANA Private Range

╷
│ Error: expected "private_ip_ranges.0" to be a valid IPv4 Value, got  145.86.0.0/16: invalid CIDR address:  145.86.0.0/16
│
│   with azurerm_firewall.AFW-PL-Con,
│   on AZFirewall.tf line 22, in resource "azurerm_firewall" "AFW-PL-Con":
│   22: resource "azurerm_firewall" "AFW-PL-Con" {
│
╵
╷
│ Error: expected private_ip_ranges.0 to be one of [IANAPrivateRanges], got  145.86.0.0/16
│
│   with azurerm_firewall.AFW-PL-Con,
│   on AZFirewall.tf line 22, in resource "azurerm_firewall" "AFW-PL-Con":
│   22: resource "azurerm_firewall" "AFW-PL-Con" {
│
╵

Steps to Reproduce

1. add hcl private_ip_ranges = [ "IANAPrivateRanges", " PUBLICIP" ] to the azurerm_firewall resource
   where PUBLICIP is any non IANAPrivateRanges IP

2. terraform plan

Important Factoids

none

References

• Support for Azure Firewall SNAT private ranges #7504
• azurerm_firewall: support snat private ip ranges #7535
• azurerm_firewall: support for private_ip_ranges #10627