azurerm_cosmosdb_account: ip_range_filter doesn't work any longer #27159

Closed
1 task done
svaraksin-gd opened this issue Aug 23, 2024 · 10 comments · Fixed by #27165

@svaraksin-gd

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.3

AzureRM Provider Version

4.0.0

Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_account

Terraform Configuration Files

resource "azurerm_cosmosdb_account" "main" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location
  offer_type          = var.offer_type

  create_mode                           = var.create_mode
  default_identity_type                 = var.default_identity_type
  kind                                  = var.kind
  ip_range_filter                       = var.ip_range_filter
  free_tier_enabled                     = var.free_tier_enabled
  analytical_storage_enabled            = var.analytical_storage_enabled
  automatic_failover_enabled            = var.automatic_failover_enabled
  public_network_access_enabled         = var.public_network_access_enabled
  is_virtual_network_filter_enabled     = var.is_virtual_network_filter_enabled
  key_vault_key_id                      = var.key_vault_key_id
  multiple_write_locations_enabled      = var.multiple_write_locations_enabled
  access_key_metadata_writes_enabled    = var.access_key_metadata_writes_enabled
  mongo_server_version                  = var.mongo_server_version
  network_acl_bypass_for_azure_services = var.network_acl_bypass_for_azure_services
  network_acl_bypass_ids                = var.network_acl_bypass_ids
  local_authentication_disabled         = var.local_authentication_disabled

  consistency_policy {
    consistency_level       = var.consistency_policy.consistency_level
    max_interval_in_seconds = try(var.consistency_policy.max_interval_in_seconds, null)
    max_staleness_prefix    = try(var.consistency_policy.max_staleness_prefix, null)
  }

  dynamic "geo_location" {
    for_each = var.geo_location
    content {
      location          = geo_location.value.location
      failover_priority = geo_location.value.failover_priority
      zone_redundant    = geo_location.value.zone_redundant
    }
  }

  dynamic "capabilities" {
    for_each = var.capabilities

    content {
      name = capabilities.value
    }
  }

  dynamic "virtual_network_rule" {
    for_each = var.virtual_network_rule == null ? [] : [1]

    content {
      id                                   = var.virtual_network_rule.id
      ignore_missing_vnet_service_endpoint = var.virtual_network_rule.ignore_missing_vnet_service_endpoint
    }
  }

  dynamic "backup" {
    for_each = var.backup == null ? [] : [1]

    content {
      type                = var.backup.type
      interval_in_minutes = var.backup.interval_in_minutes
      retention_in_hours  = var.backup.retention_in_hours
      storage_redundancy  = var.backup.storage_redundancy
    }
  }

  dynamic "cors_rule" {
    for_each = var.cors_rule == null ? [] : [1]

    content {
      allowed_headers    = var.cors_rule.allowed_headers
      allowed_methods    = var.cors_rule.allowed_methods
      allowed_origins    = var.cors_rule.allowed_origins
      exposed_headers    = var.cors_rule.exposed_headers
      max_age_in_seconds = var.cors_rule.max_age_in_seconds
    }
  }

  dynamic "identity" {
    for_each = var.identity == null ? [] : [1]

    content {
      type = var.identity.type
    }
  }

  dynamic "restore" {
    for_each = var.restore == null ? [] : [1]

    content {
      source_cosmosdb_account_id = var.restore.source_cosmosdb_account_id
      restore_timestamp_in_utc   = var.restore.restore_timestamp_in_utc

      database {
        name             = var.restore.database.name
        collection_names = var.restore.database.collection_names
      }
    }
  }

  dynamic "analytical_storage" {
    for_each = var.analytical_storage == null ? [] : [1]

    content {
      schema_type = var.analytical_storage.schema_type
    }
  }

  dynamic "capacity" {
    for_each = var.capacity == null ? [] : [1]

    content {
      total_throughput_limit = var.capacity.total_throughput_limit
    }
  }

  tags = var.tags
}

variable "ip_range_filter" {
  type = string
  default = "x.y.z.1,x.y.z.2,x.y.z.3"
}

Debug Output/Panic Output

Error: -23T03:44:10.893Z [ERROR] vertex "module.platform.module.cosmosdb[\"main\"].azurerm_cosmosdb_account.main" error: missing expected [
Error: -23T03:44:10.893Z [ERROR] vertex "module.platform.module.cosmosdb.azurerm_cosmosdb_account.main (expand)" error: missing expected [

Expected Behaviour

As per the documentation (it wasn't changed either before 4.0.0 or after):

[ip_range_filter](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/cosmosdb_account#ip_range_filter) - (Optional) CosmosDB Firewall Support: This value specifies the set of IP addresses or IP address ranges in CIDR form to be included as the allowed list of client IPs for a given database account. IP addresses/ranges must be comma separated and must not contain any spaces.

Actual Behaviour

before 4.0.0:
it works as described in Terraform Configuration Files.
after 4.0.0:
it doesn't work, even if I set this variable to set type or even to list.
For string it started to fail on type error.
For set or list it started to fail on error: missing expected [

Steps to Reproduce

No response

Important Factoids

No response

References

No response

@stephybun
Member

It appears we missed this one in our upgrade guide and subsequently the resource documentation when 4.0 went out, apologies for that and thank you for spotting this @svaraksin-gd!

I've opened #27165 to add this to the upgrade guide, as well as updated the property in the cosmosdb resource documentation. When upgrading to 4.0 you will need to convert the value you were supplying for ip_range_filter from a comma separated string into a list e.g.

ip_range_filter = ["55.0.1.0/24", "55.0.2.0/24"]

@svaraksin-gd
Author

svaraksin-gd commented Aug 23, 2024

Hello @stephybun
Thank you for your response, but I believe the ticket was closed too soon.

I'm afraid you have missed the part of my issue where I specify this variable as a list or set.
So the following configuration:

variable "ip_range_filter" {
  type = list(string)
  default = [
         "x.y.z.1",
         "x.y.z.2",
         "x.y.z.3"
  ]
}

fails with the following error:

Error: missing expected [

  with module.platform.module.cosmosdb["main"].azurerm_cosmosdb_account.main,
  on ../modules/resources/cosmosdb/main.tf line 10, in resource "azurerm_cosmosdb_account" "main":
  10:   ip_range_filter                       = var.ip_range_filter

Am I missing something?

@svaraksin-gd
Author

svaraksin-gd commented Aug 23, 2024

@stephybun More details.
I have been trying a couple more variations:

variable "ip_range_filter" {
  type    = set(string)
  default = ["0.0.0.0"]
}
variable "ip_range_filter" {
  type = list(string)
  default = ["0.0.0.0"]
}
variable "ip_range_filter" {
  type = string
  default = null
}
ip_range_filter  = var.ip_range_filter != null ? split(",", var.ip_range_filter) : []
ip_range_filter  = var.ip_range_filter != null ? split(",", var.ip_range_filter) : [""]
ip_range_filter  = var.ip_range_filter != null ? toset(split(",", var.ip_range_filter)) : toset([])
ip_range_filter  = var.ip_range_filter != null ? toset(split(",", var.ip_range_filter)) : toset([""])

All of them return

Error: missing expected [

  with module.platform.module.cosmosdb["main"].azurerm_cosmosdb_account.main,
  on ../modules/resources/cosmosdb/main.tf line 10, in resource "azurerm_cosmosdb_account" "main":

@izire-io

@svaraksin-gd Same issue here.
Removing the cosmosdb account from the state and reimporting it back fixed it.

@stephybun
Member

Hey @svaraksin-gd, thanks for the additional information and thanks @izire-io for posting the solution!

Since the underlying type of the ip_range_filter property changed from a string to a set, Terraform is unable to decode the value that's in state. You need to remove the cosmosdb account from the state, update the ip_range_filter argument and then reimport it.

Apologies for omitting this in my initial response!
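
The string-to-set conversion and the re-import described in the two maintainer replies above, as an added example that is not part of the original thread or the provider's own code. The variable name `ip_range_filter_csv`, the use of an `import` block in place of the `terraform import` command, and every `<...>` value are assumptions; the resource address and module path are the ones shown in the reporter's error output.

```hcl
# Added example. ip_range_filter_csv and every <...> value are placeholders.
# strcontains() and import blocks both need Terraform 1.5 or later.

# --- child module (../modules/resources/cosmosdb) ---
# Keeps the 3.x comma-separated input so existing callers need no change.
variable "ip_range_filter_csv" {
  type    = string
  default = null

  validation {
    # Every entry must parse as an IP address or CIDR range. A stray space,
    # a trailing comma or an empty string fails here instead of reaching the
    # account firewall. A null value means no entries.
    condition = alltrue([
      for e in(var.ip_range_filter_csv == null ? [] : split(",", var.ip_range_filter_csv)) :
      can(cidrhost(strcontains(e, "/") ? e : "${e}/32", 0))
    ])
    error_message = "ip_range_filter_csv must be comma-separated IP addresses or CIDR ranges with no spaces or empty entries."
  }
}

locals {
  # 4.x expects a set of strings rather than one comma-separated string.
  ip_range_filter = toset(
    var.ip_range_filter_csv == null ? [] : split(",", var.ip_range_filter_csv)
  )
}

# In resource "azurerm_cosmosdb_account" "main":
#   ip_range_filter = local.ip_range_filter

# --- root module ---
# Run `terraform state rm` on this address first, then plan and apply with
# this block in place so the account is read back into state under the
# 4.x schema.
import {
  to = module.platform.module.cosmosdb["main"].azurerm_cosmosdb_account.main
  id = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/databaseAccounts/<account-name>"
}
```

After the import, a plan that shows no change to `ip_range_filter` confirms the allowlist in state matches what is configured on the account.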

@svaraksin-gd
Author

@izire-io @stephybun Thank you both. It is working now.

@chamindac

chamindac commented Sep 2, 2024

Cannot agree with closing this issue, as removing terraform state and reimporting the cosmos db resource to terraform state is not a real fix. It is rather a workaround that may be doable in development environments. But in fully automated zero downtime deployment pipeline scenarios with multiple production environments having cosmos DBs, doing manual removal of terraform state and reimporting the resource to terraform state is not a feasible task. So I think this bug should be fixed in terraform provider v4.0.1 (or at least in the next version of v4) to allow smooth updates from v.3.116.0 so we can do an update to azurerm 4 without having to do manual state imports.
Having to fix the terraform config to new needs is fine, but having to remove and reimport state to do a provider update is simply not an agreeable solution for automated infra deployments. This should be handled by the provider.

Kindly consider a fix for the next release to allow smooth updates from v3 to v4 with terraform config changes only and prevent the demand for state removal and import. Refer to my issue, even without ip range filter, here: #27242

@michelefa1988

Agree, this should not be closed

@tim-chaffin

+1 to re-opening this ticket.
I've had to do state file surgery to get this to work.
This is not a scalable solution at the enterprise tier, with hundreds of accounts.


github-actions bot commented Oct 5, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 5, 2024