Tags: azure, terraform, azure-rm

How to include multiple address prefixes in the same admin rule using Terraform AzureRm


I am using the azurerm_network_manager_admin_rule resource to create an admin rule for the virtual network manager resource. I can only pass in one address prefix per rule. Is there a way to use multiple address prefixes in the same rule?

Here is the error message:

Error: creating Network Manager Admin Rule: (Rule Name "example" / Rule Collection Name "example-rule-collection" / Security Admin Configuration Name "ISD" / Network Manager Name "AzureNetworkManager" / Resource Group "resourceGroup-test"): network.AdminRulesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="AddressPrefix [1.1.1.1/1,2.2.2.2/2,3.3.3.3/3,4.4.4.4/4] has invalid format."
│
│   with module.avnm.azurerm_network_manager_admin_rule.avnm-security-admin-collection-rule["example"],
│   on ..\..\main.tf line 31, in resource "azurerm_network_manager_admin_rule" "avnm-security-admin-collection-rule":
│   31: resource "azurerm_network_manager_admin_rule" "avnm-security-admin-collection-rule" {
│
│ creating Network Manager Admin Rule: (Rule Name "example" / Rule Collection Name "example-rule-collection" / Security Admin Configuration Name "ISD" / Network Manager Name "AzureNetworkManager" / Resource Group "resourceGroup-test"): network.AdminRulesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: 
│ autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="AddressPrefix [1.1.1.1/1,2.2.2.2/2,3.3.3.3/3,4.4.4.4/4] has invalid format."

(some names and the IP addresses have been changed from the original error message)


Solution

  • When using the azurerm network manager admin rule resource, it is not possible to use "multiple address prefixes" in a single admin rule.

    Alternatively, you can create multiple admin rules, each with a unique address prefix.

    E.g.:

    resource "azurerm_network_manager_admin_rule" "first-rule" {}
    resource "azurerm_network_manager_admin_rule" "second-rule" {}

    According to the Terraform registry, it is possible to create multiple address prefixes inside the destination or source address blocks. I tried it in my environment after making a few changes to the sample script and it worked for me as follows.

    main.tf:

    # Minimal provider setup so the file applies on its own (added here; not part of the original answer)
    terraform {
      required_providers {
        azurerm = {
          source = "hashicorp/azurerm"
        }
      }
    }

    provider "azurerm" {
      features {}
    }

    data "azurerm_subscription" "current" {}

    resource "azurerm_resource_group" "main" {
      name     = "<resourcegroup>"
      location = "EastUs"
    }

    resource "azurerm_network_manager" "main" {
      name                = "<networkmanager>"
      location            = azurerm_resource_group.main.location
      resource_group_name = azurerm_resource_group.main.name
      scope {
        subscription_ids = [data.azurerm_subscription.current.id]
      }
      scope_accesses = ["Connectivity", "SecurityAdmin"]
      description    = "network manager"
    }

    resource "azurerm_network_manager_network_group" "main" {
      name               = "<networkgroup>"
      network_manager_id = azurerm_network_manager.main.id
    }

    # Named "main" so that the rule collection below can reference it
    resource "azurerm_network_manager_security_admin_configuration" "main" {
      name               = "<admin-conf>"
      network_manager_id = azurerm_network_manager.main.id
    }

    resource "azurerm_network_manager_admin_rule_collection" "main" {
      name                            = "<admin-rule-collection>"
      security_admin_configuration_id = azurerm_network_manager_security_admin_configuration.main.id
      network_group_ids               = [azurerm_network_manager_network_group.main.id]
    }

    resource "azurerm_network_manager_admin_rule" "main" {
      name                     = "<adminrule>"
      admin_rule_collection_id = azurerm_network_manager_admin_rule_collection.main.id
      action                   = "Deny"
      direction                = "Outbound"
      priority                 = 1
      protocol                 = "Tcp"
      source_port_ranges       = ["80", "1024-65535"]
      destination_port_ranges  = ["80"]
      # "Internet" is a service tag, so the prefix type is "ServiceTag" (an empty string is rejected)
      source {
        address_prefix_type = "ServiceTag"
        address_prefix      = "Internet"
      }
      # One destination block per prefix; several blocks are allowed in one rule
      destination {
        address_prefix_type = "IPPrefix"
        address_prefix      = "10.1.0.1"
      }
      destination {
        address_prefix_type = "IPPrefix"
        address_prefix      = "10.0.0.0/24"
      }
      description = "admin rule"
    }


    Executed terraform init and validated the configuration using terraform validate:

    [screenshot]

    Executed terraform plan:

    [screenshot]

    Executed terraform apply:

    [screenshot]

    Deployed successfully in portal with multiple destination address prefixes:

    [screenshot]
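Generalizing the answer's main.tf, the following is an added example (not code from the original question or answer) that feeds a list of prefixes, like the one the question tried to pass, into the same rule through a dynamic destination block, so each prefix becomes its own block instead of a comma-joined string. It assumes the azurerm_network_manager_admin_rule_collection.main resource from the answer's main.tf; the variable name, rule name and prefix values are made up.

```hcl
# Added example: one admin rule, N destination prefixes, driven from a list variable.
# Assumes azurerm_network_manager_admin_rule_collection.main from the answer's main.tf.

variable "destination_prefixes" {
  description = "CIDR prefixes the deny rule applies to (constructed sample values)"
  type        = list(string)
  default     = ["10.0.0.0/24", "10.1.0.1/32", "192.168.10.0/25"]

  validation {
    # Reject anything that is not a single CIDR, e.g. "1.1.1.1/1,2.2.2.2/2" from the question,
    # at plan time instead of as a 400 "has invalid format" from the API.
    condition     = alltrue([for p in var.destination_prefixes : can(cidrhost(p, 0))])
    error_message = "Every destination prefix must be one CIDR such as 10.0.0.0/24."
  }
}

resource "azurerm_network_manager_admin_rule" "deny_rdp_from_internet" {
  name                     = "deny-rdp-from-internet"
  admin_rule_collection_id = azurerm_network_manager_admin_rule_collection.main.id
  action                   = "Deny"
  direction                = "Inbound"
  priority                 = 100
  protocol                 = "Tcp"
  source_port_ranges       = ["0-65535"]
  destination_port_ranges  = ["3389"]

  # Service tags use address_prefix_type = "ServiceTag"
  source {
    address_prefix_type = "ServiceTag"
    address_prefix      = "Internet"
  }

  # Expands to one destination block per list entry; the provider sends them as
  # separate entries, which is what the service expects.
  dynamic "destination" {
    for_each = toset(var.destination_prefixes)
    content {
      address_prefix_type = "IPPrefix"
      address_prefix      = destination.value
    }
  }

  description = "Deny inbound RDP from the Internet to the listed prefixes"
}
```

Adding a prefix is then a change to the variable only, and terraform plan shows the new destination block rather than a replaced rule.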