
[azuread_named_location] Lack of validation on CIDR masks in ip_ranges parameter

Open ShaheenK27 opened this issue 2 years ago • 1 comment

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.0.0
+ provider registry.terraform.io/hashicorp/azuread v2.20.0

Affected Resource(s)

  • azuread_named_location

Terraform Configuration Files

resource "azuread_named_location" "named-location-test01" {
  display_name = "named-location-test01"
  ip {
    ip_ranges = [
      "20.0.0.0/4",    # IPv4 range with a /4 prefix, shorter than the /8 minimum
      "2001:DB8::/64"  # valid IPv6 range
    ]
    trusted = false
  }
}

Expected Behavior

  • Terraform should throw an error when an IP range with an invalid CIDR mask is specified in this parameter.

Actual Behavior

  • Terraform does not validate the CIDR masks and therefore does not display any error/changes if a CIDR range shorter than /8 is specified. Note: Terraform only performs a check on whether an IP range is in a valid format.

  • The apply is successful and the IP range is visible on the Portal, but when viewed in the edit section, the named location cannot be saved [the 'Save' button appears disabled/greyed out on the Portal] as long as the invalid IP range is a part of the named location.

1. First apply is successful

  azuread_named_location.named-location-test01: Creating...
  azuread_named_location.named-location-test01: Creation complete after 4s [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx]

  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

2. Second apply shows no changes

  azuread_named_location.named-location-test01: Refreshing state... [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx]

  No changes. Your infrastructure matches the configuration.

  Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

  Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Important Factoids

  • As per the official Microsoft documentation, the CIDR mask in ip_ranges parameter should be greater than /8 (Therefore, ranges such as /4 or /6 aren't acceptable)

  • Azure Portal has proper validation for this and displays an error when an invalid CIDR is specified.

Steps to Reproduce

  • terraform apply with invalid CIDR mask in ip_ranges parameter

References

ShaheenK27, Aug 02 '22 09:08

Hi @ShaheenK27, thanks for reporting this. This would seem to be an API bug since a seemingly invalid prefix length is accepted by the API without error. Unfortunately the Conditional Access API has quite a lot of validation bugs.

However in the interest of usability we'll look at adding this validation if it is feasible. Note that we cannot guarantee provider-level validation in all cases because we often don't have access to interpolated values until apply-time. Accordingly, I will also raise this as an API bug.

manicminer, Sep 01 '22 14:09
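The provider-side check that manicminer says the maintainers would look at adding, as an added example written for this page in Go (the provider's language); it is not code from terraform-provider-azuread or from the Terraform plugin SDK. It assumes the /8 lower bound for IPv4 quoted in the issue; the /32 lower bound for IPv6, the function names `validateNamedLocationIPRange` and `validateIPRanges`, and the decision to reject IPv4-mapped IPv6 forms are assumptions of this example only. The validator keeps the `(i interface{}, k string) ([]string, []error)` shape of an SDK `ValidateFunc` so it could be wired into a schema, but it is built on `net/netip` alone so it runs stand-alone.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Minimum prefix lengths the validator accepts. The IPv4 bound is the /8
// quoted in the issue; the IPv6 bound is an assumption made for this example.
const (
	minIPv4PrefixBits = 8
	minIPv6PrefixBits = 32 // assumption, not taken from Microsoft documentation
)

// validateNamedLocationIPRange is a hypothetical validator for one element of
// ip_ranges. It has the same signature as a Terraform plugin SDK ValidateFunc
// (value, attribute path) -> (warnings, errors), without importing the SDK.
func validateNamedLocationIPRange(i interface{}, k string) (warnings []string, errs []error) {
	v, ok := i.(string)
	if !ok {
		return nil, []error{fmt.Errorf("expected type of %q to be string", k)}
	}

	// net/netip accepts both "a.b.c.d/n" and "x::y/n"; it rejects a bare
	// address with no prefix length and out-of-range prefix lengths.
	p, err := netip.ParsePrefix(v)
	if err != nil {
		return nil, []error{fmt.Errorf("%q: %q is not a valid CIDR range: %v", k, v, err)}
	}

	var minBits int
	switch {
	case p.Addr().Is4():
		minBits = minIPv4PrefixBits
	case p.Addr().Is4In6():
		// Example design choice: refuse "::ffff:20.0.0.0/100" so that one
		// IPv4 network cannot be spelled two different ways in state.
		return nil, []error{fmt.Errorf("%q: %q is an IPv4-mapped IPv6 address; use the plain IPv4 range instead", k, v)}
	default:
		minBits = minIPv6PrefixBits
	}

	// This is the check the issue reports as missing: a syntactically valid
	// prefix such as 20.0.0.0/4 is rejected here instead of reaching the API.
	if p.Bits() < minBits {
		return nil, []error{fmt.Errorf("%q: prefix length /%d in %q is too short; the minimum for this address family is /%d", k, p.Bits(), v, minBits)}
	}

	// Host bits set (e.g. 20.1.2.3/8) are not an error, but the stored network
	// will be the canonical one, so surface that as a warning.
	if p != p.Masked() {
		warnings = append(warnings, fmt.Sprintf("%q: %q has host bits set; the network stored is %s", k, v, p.Masked()))
	}
	return warnings, nil
}

// validateIPRanges applies the element validator to a whole ip_ranges list and
// collects every error, so a plan reports all bad entries at once.
func validateIPRanges(ranges []string) []error {
	var all []error
	for idx, r := range ranges {
		_, errs := validateNamedLocationIPRange(r, fmt.Sprintf("ip.0.ip_ranges.%d", idx))
		all = append(all, errs...)
	}
	return all
}

func main() {
	// Constructed input: the two ranges from the issue's configuration.
	ranges := []string{"20.0.0.0/4", "2001:DB8::/64"}
	for _, e := range validateIPRanges(ranges) {
		fmt.Println("error:", e)
	}
}
```

A validator like this only runs on values that are known at plan time; when `ip_ranges` is built from an interpolated value that is not known until apply, the SDK skips validation for that element, which is the caveat manicminer raises, so the API's own checks remain the last line of defence.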