pks

Reputation: 37

Force Replacement in azurerm_cdn_frontdoor_security_policy terraform

I am running Terraform code to provision the security policy that associates a WAF with Azure Front Door.

My issue is that when I add new end_points under each domain, Terraform makes a forced change to all existing endpoints. I don't want to disturb the existing endpoints; we only need to append the new endpoints and configure the security policy.

Upvotes: 0

Views: 67

Answers (1)

Vinay B

Reputation: 2261


I understand the requirement, but the issue seems to be with the Terraform configuration: when you reference the end_points, Terraform recreates the resource as a new one instead of appending the new endpoint.

This happens because Terraform treats changes inside the firewall -> association -> domain blocks as immutable, and this results in recreation.

To overcome this issue, we can use a lifecycle block as shown below.

Demo configuration:

# One WAF policy per waf_policy_domain key, running in Prevention mode
resource "azurerm_cdn_frontdoor_firewall_policy" "cdn_frontdoor_firewall_policy" {
  for_each            = { for policy in var.security_policies : policy.waf_policy_domain => policy }
  name                = "waf${each.key}"
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = azurerm_cdn_frontdoor_profile.cdn_frontdoor_profile.sku_name
  enabled             = true
  mode                = "Prevention"
}

# Read the WAF policy back so its id can be referenced from the security policy
data "azurerm_cdn_frontdoor_firewall_policy" "waf" {
  for_each            = { for policy in var.security_policies : policy.waf_policy_domain => policy }
  name                = azurerm_cdn_frontdoor_firewall_policy.cdn_frontdoor_firewall_policy[each.key].name
  resource_group_name = azurerm_resource_group.rg.name
}

# One security policy per domain key, binding the WAF policy to that domain's endpoints
resource "azurerm_cdn_frontdoor_security_policy" "cdn_frontdoor_security_policies" {
  for_each                 = { for policy in var.security_policies : policy.domain => policy }
  name                     = "${var.name}${each.key}"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.cdn_frontdoor_profile.id

  security_policies {
    firewall {
      cdn_frontdoor_firewall_policy_id = data.azurerm_cdn_frontdoor_firewall_policy.waf[each.value.waf_policy_domain].id

      # One association block per entry in associations, each with its own match patterns
      dynamic "association" {
        for_each = each.value.associations
        content {
          patterns_to_match = association.value.patterns_to_match

          # One domain block per endpoint key listed in end_points
          dynamic "domain" {
            for_each = toset(each.value.end_points)
            content {
              cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_endpoint.cdn_frontdoor_endpoints[domain.value].id
            }
          }
        }
      }
    }
  }

  # Ignore later differences in security_policies so existing policies are not replaced
  lifecycle {
    ignore_changes = [security_policies]
  }

  depends_on = [
    azurerm_cdn_frontdoor_firewall_policy.cdn_frontdoor_firewall_policy,
    azurerm_cdn_frontdoor_endpoint.cdn_frontdoor_endpoints
  ]
}

Deployment:

Refer:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_security_policy

https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes

Upvotes: 0
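The answer's configuration reads `var.security_policies` without showing its declaration. As an added example that is not part of the original answer, the following variable declaration has the shape that the `for_each` and `dynamic` expressions in the answer expect, with constructed sample values as the default; the domain, WAF and endpoint keys ("app", "app-endpoint") are placeholders, and the validation rule is an added check, not something the answer relies on.

```hcl
# Added example (not from the original answer): declares the input the answer's
# for_each expressions index into. Keys and defaults below are constructed placeholders.
variable "security_policies" {
  description = "One entry per Front Door custom domain that receives a WAF security policy."

  type = list(object({
    # Key of the security policy; becomes the for_each key and part of the resource name
    domain = string
    # Key of the WAF policy this domain uses (for_each key of the firewall policy)
    waf_policy_domain = string
    # Keys into azurerm_cdn_frontdoor_endpoint.cdn_frontdoor_endpoints
    end_points = list(string)
    # One association block per entry; the answer applies the same end_points to each
    associations = list(object({
      patterns_to_match = list(string)
    }))
  }))

  # Constructed sample values so the configuration can be planned as-is
  default = [
    {
      domain            = "app"
      waf_policy_domain = "app"
      end_points        = ["app-endpoint"]
      associations      = [{ patterns_to_match = ["/*"] }]
    }
  ]

  # Refuse a policy that would protect no endpoint at all: a WAF binding with an
  # empty domain list gives the impression of coverage that does not exist
  validation {
    condition     = alltrue([for p in var.security_policies : length(p.end_points) > 0])
    error_message = "Every entry in security_policies must list at least one endpoint key in end_points."
  }
}
```

One consequence of the answer's `ignore_changes = [security_policies]` is worth keeping in mind when reviewing this setup: after the first apply, Terraform no longer compares that block, so endpoints appended to `end_points` later are not pushed to Azure by Terraform, and a WAF association removed outside Terraform is not reported as drift either. If Terraform is meant to remain the source of truth for which domains are protected, the ignore has to be lifted for the apply that adds the new endpoints, accepting the replacement the provider performs for that block.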
