Bug report: threat_intelligence_allowlist #949

Closed
cndaan opened this issue May 23, 2024 · 4 comments
Comments

@cndaan
Contributor

cndaan commented May 23, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.7.3

azure provider: 3.1

module: 5.2.1

Description

Describe the bug

lookup() requires a map as the first argument.

Setting the threat_intelligence_allowlist values results in an error message:

│ Error: Too many threat_intelligence_allowlist blocks
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 331, in resource "azurerm_firewall_policy" "connectivity":
│  331:     content {
│
│ No more than 1 "threat_intelligence_allowlist" blocks are allowed
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 333, in resource "azurerm_firewall_policy" "connectivity":
│  333:       fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 3 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 333, in resource "azurerm_firewall_policy" "connectivity":
│  333:       fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 334, in resource "azurerm_firewall_policy" "connectivity":
│  334:       ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 3 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.
╵
╷
│ Error: Invalid function argument
│
│   on .terraform\modules\caf.enterprise_scale\resources.connectivity.tf line 334, in resource "azurerm_firewall_policy" "connectivity":
│  334:       ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
│     ├────────────────
│     │ threat_intelligence_allowlist.value is list of string with 2 elements
│
│ Invalid value for "inputMap" parameter: lookup() requires a map as the first argument.

Steps to Reproduce

This is the firewall config I am using:

            azure_firewall = {
              enabled = true
              config = {
                address_prefix           = "10.100.0.0/24"
                enable_dns_proxy         = true
                dns_servers              = []
                sku_tier                 = "Standard"
                base_policy_id           = ""
                private_ip_ranges        = []
                threat_intelligence_mode = "Deny"

                threat_intelligence_allowlist = {
                  ip_addresses = ["10.10.0.0", "10.0.0.0"]
                  fqdns        = ["*.microsoft.com", "*.google.com", "*.facebook.com"]
                }
                intrusion_detection = "Deny"
                availability_zones = {
                  zone_1 = true
                  zone_2 = true
                  zone_3 = true
                }
              }
            }
@cndaan
Contributor Author

cndaan commented May 23, 2024

Found the issue and the fix.

The resources.connectivity.tf file has not been updated like the resources.virtual_wan.tf file. The "threat_intelligence_allowlist" dynamic block needs to be updated in the resources.connectivity.tf file.

The code now is:

  dynamic "threat_intelligence_allowlist" {
    for_each = each.value.template.threat_intelligence_allowlist
    content {
      # Optional attributes
      fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
      ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
    }
  }

This needs to be this (just like in the resources.virtual_wan.tf file):

  dynamic "threat_intelligence_allowlist" {
    # Ensure that the dynamic block is created only if the allowlist is defined
    for_each = length(keys(each.value.template.threat_intelligence_allowlist)) > 0 ? [each.value.template.threat_intelligence_allowlist] : []

    content {
      # Optional attributes
      fqdns        = lookup(threat_intelligence_allowlist.value, "fqdns", null)
      ip_addresses = lookup(threat_intelligence_allowlist.value, "ip_addresses", null)
    }
  }

Could someone apply this fix please?
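The following is an added example, not code from the caf-enterprise-scale module or from the reporter: a standalone Terraform root module (no provider needed) that isolates the for_each semantics behind the diagnostics above. The variable name and its map(list(string)) type are assumptions; the sample allowlist values are the ones from the bug report's firewall config.

```hcl
# Added example (not module code). Run `terraform plan` in an empty directory
# containing only this file; no provider is required.

variable "threat_intelligence_allowlist" {
  # Assumed type; the module derives its value from the user's config map.
  type = map(list(string))
  # Constructed sample values, copied from the bug report.
  default = {
    ip_addresses = ["10.10.0.0", "10.0.0.0"]
    fqdns        = ["*.microsoft.com", "*.google.com", "*.facebook.com"]
  }
}

locals {
  # Buggy form (old resources.connectivity.tf): iterating the map directly
  # yields one iteration per attribute, so the dynamic block would be emitted
  # twice ("Too many threat_intelligence_allowlist blocks") and each .value is
  # a list(string), which is why lookup() rejects it as "inputMap".
  buggy_iterations = { for k, v in var.threat_intelligence_allowlist : k => v }

  # Fixed form (same as resources.virtual_wan.tf): wrap the whole map in a
  # one-element list, or an empty list when nothing is configured, so the
  # block is emitted at most once and .value is the map lookup() expects.
  fixed_iterations = length(keys(var.threat_intelligence_allowlist)) > 0 ? [var.threat_intelligence_allowlist] : []
}

# Number of dynamic-block iterations each form would produce.
output "buggy_block_count" {
  value = length(local.buggy_iterations)
}

output "fixed_block_count" {
  value = length(local.fixed_iterations)
}

# The value type each form hands to lookup() inside the block's content.
output "buggy_value_types" {
  value = { for k, v in local.buggy_iterations : k => "list of string with ${length(v)} elements" }
}

output "fixed_fqdns" {
  # Exactly the expression the module uses inside the dynamic block.
  value = lookup(local.fixed_iterations[0], "fqdns", null)
}

output "fixed_ip_addresses" {
  value = lookup(local.fixed_iterations[0], "ip_addresses", null)
}
```

The plan output shows the buggy form producing two iterations whose values are lists of 3 and 2 strings, matching the diagnostics in the report, while the fixed form produces a single iteration from which both optional attributes resolve.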

cndaan changed the title from "threat_intelligence_allowlist" to "Bug report: threat_intelligence_allowlist" on May 23, 2024
@jtracey93
Collaborator

@cndaan Thanks for the investigation here. Would you like to submit a PR for consideration?

@cndaan
Contributor Author

cndaan commented Jun 3, 2024

@cndaan Thanks for the investigation here. Would you like to submit a PR for consideration?

Yes, but I am having issues with creating a Pull Request at the moment. I don't have permission to push to this repository.

@matt-FFFFFF
Member

#953 is merged so closing - thanks!
