azurerm_firewall: support multiple ip_configuration blocks

[andrey-dubnik]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently it is only possible to have one ip_configuration block per azurerm_firewall resource where Azure Firewall actually supports multiple IP configurations. Having multiple IP addresses associated with a Firewall is essential...

Is this possible to enhance the module and add a feature to enable the multiple ip_configuration blocks?

New or Affected Resource(s)

• azurerm_firewall

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

• #0000

[nexxai]

Hi @adubnik , could you please update your post to use the "Feature Request" template, found here: https://github.com/terraform-providers/terraform-provider-azurerm/issues/new?template=Feature_Request.md as it helps the developers quickly understand how your suggested feature might be implemented? Thanks.

[andrey-dubnik]

if we take a baseline https://www.terraform.io/docs/providers/azurerm/r/firewall.html

resource "azurerm_public_ip" "test-1" {
  name                = "testpip-1"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_public_ip" "test-2" {
  name                = "testpip-2"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "test" {
  name                = "testfirewall"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"

  ip_configuration {
    name                 = "ip-configuration"
    subnet_id            = "${azurerm_subnet.test.id}"
    public_ip_address_ids = [
      "${azurerm_public_ip.test-1.id}",
      "${azurerm_public_ip.test-2.id}"
    ]
  }
}

public_ip_address_id -> takes 1 IP address ID
public_ip_address_ids -> takes a list of IP addresses IDs

Alternatively support multiple configurations

resource "azurerm_firewall" "test" {
  name                = "testfirewall"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"

  ip_configuration {
    name                 = "ip-configuration-1"
    subnet_id            = "${azurerm_subnet.test.id}"
    public_ip_address_id = "${azurerm_public_ip.test-1.id}"
  }

  ip_configuration {
    name                 = "ip-configuration-2"
    # subnet_id            = "${azurerm_subnet.test.id}" # - I don't think this should be mandatory as IP configuration #2 will sit on the same subnet most likely...
    public_ip_address_id = "${azurerm_public_ip.test-2.id}"
  }
}

[ekarlso]

Any idea on this ? We need it :D

[ekarlso]

cc @nexxai ?

[lsmadja]

hi,
i have the same request but i don't know if it's necessary to do something for its declaration ? Have you take this feature in your plans ?
If i put this secondary ip_configuration in azure plateforme, terraform script will not work after.
thanks

[naikajah]

Hi

I have just got this issue of terraform not allowing multiple ip_configuration block.

But instead of allowing multiple ip_configuration blocks I would rather go with having a resource that would attach the ip configuration with azure firewall. e.g.

`
resource "azurerm_firewall_ip_attachment" "first" {
firewall_id = azurerm_firewall.test.id
subnet_id = "${azurerm_subnet.test.id}"
public_ip_address_id = "${azurerm_public_ip.test-1.id}"
}

resource "azurerm_firewall_ip_attachment" "second" {
firewall_id = azurerm_firewall.test.id
subnet_id = "${azurerm_subnet.test.id}"
public_ip_address_id = "${azurerm_public_ip.test-2.id}"
}
`

Considering the use case of many ip_configurations attached to a single firewall. The above makes it independent rather than having loads of ip_configuration blocks in the same azurerm_firewall resource.

[provProdctl]

For all whose use-case involves NAT IPs, use a load balancer with Multiple NAT IP support solution instead.

[timja]

@houkms is updating the data resource in scope of this or another issue required?

[houkms]

@timja data source will also be updated here.

[ghost]

This has been released in version 1.37.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.37.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!