
Lifecycle using wildcard or regex #24516

Open
bernardmaltais opened this issue Apr 1, 2020 · 3 comments

Comments

@bernardmaltais

bernardmaltais commented Apr 1, 2020

Current Terraform Version

Terraform v0.12.23

Use-cases

I ran into a significant issue with Azure JIT and Terraform. JIT is an Azure service that manages access to VMs that have a public IP. It does so based on access requests made by the user via the Azure portal.

To restrict and allow access to a VM, Azure is adding/removing/renumbering rules to a subnet NSG... I think you can see the problem already...

If I make a change to a Terraform plan that originally deployed the NSG and apply it, then Terraform notices the inconsistent state of the NSG and reverts to what I originally deployed... resulting in an exposure of the VMs protected by JIT.

At the moment Azure Security Center does not track this modification done by Terraform and still shows the VMs as protected... giving a false sense of protection to Azure clients that use Terraform (and possibly other IaC tools). I can't believe I am the 1st one running into this corner case.

Having the ability to tell Terraform to ignore some of the NSG rules using lifecycle would make it possible to leave alone the rules put in place by JIT and preserve the VM protection.

Attempted Solutions

I tried the following code, but the result was that changes to the NSG rules in Terraform would not apply any more:

resource "azurerm_network_security_group" "ScPcCNR-GodC_CoreNetwork-PAZ-nsg" {
  name                = "ScPcCNR-GodC_CoreNetwork-PAZ-nsg"
  location            = azurerm_resource_group.ScPc-GodC_CoreNetwork-rg.location
  resource_group_name = azurerm_resource_group.ScPc-GodC_CoreNetwork-rg.name
  lifecycle {
    ignore_changes = [
      security_rule,
    ]
  }
  security_rule {
...
  }
}

Proposal

Add support for wildcard/regex matching in lifecycle:

  lifecycle {
    ignore_changes = [
      security_rule.name = "SecurityCenter-*",
    ]
  }

References

None
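The drift the issue describes can be made concrete with a pre-apply check. The following Python script is an added example, not code from the issue or from Terraform/azurerm: it models the inline security_rule set as Terraform declares it, a live rule set after JIT has added session rules and renumbered an operator rule, and shows that a full reconciliation would delete the JIT rules, while a name-pattern allow-list (the behaviour proposed above, using the page's "SecurityCenter-*" pattern) preserves them and still applies the drift Terraform owns. All rule names, priorities and the 203.0.113.7 source address are constructed placeholders.

```python
"""Pre-apply drift check for an Azure NSG managed by Terraform (added example).

Simulates how reconciling the whole inline security_rule set removes rules
that Azure JIT created out of band, and how a glob allow-list on rule names
(the behaviour the issue proposes for lifecycle.ignore_changes) keeps those
rules while the drift Terraform does own is still corrected.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str
    access: str
    destination_port: str
    source: str


# Constructed: the rule set the Terraform configuration declares.
DESIRED = [
    Rule("allow-https", 100, "Inbound", "Allow", "443", "*"),
    Rule("deny-all-inbound", 4000, "Inbound", "Deny", "*", "*"),
]

# Constructed: what is live in Azure after JIT granted a session (two added
# allow rules, placeholder names) and renumbered the operator's deny rule,
# matching the add/remove/renumber behaviour the issue describes.
LIVE = [
    Rule("allow-https", 100, "Inbound", "Allow", "443", "*"),
    Rule("SecurityCenter-JITRule_EXAMPLE-22", 1000, "Inbound", "Allow", "22", "203.0.113.7"),
    Rule("SecurityCenter-JITRule_EXAMPLE-3389", 1001, "Inbound", "Allow", "3389", "203.0.113.7"),
    Rule("deny-all-inbound", 4010, "Inbound", "Deny", "*", "*"),
]


def plan(desired, live, ignore_name_patterns=()):
    """Return (remove, update, create, preserved) for a reconciliation run.

    Live rules whose name matches any glob in ignore_name_patterns are treated
    as unmanaged: they are left in place and reported under "preserved".
    """
    desired_by_name = {r.name: r for r in desired}
    live_by_name = {r.name: r for r in live}
    remove, update, create, preserved = [], [], [], []
    for name, rule in live_by_name.items():
        if any(fnmatchcase(name, p) for p in ignore_name_patterns):
            preserved.append(rule)
        elif name not in desired_by_name:
            remove.append(rule)
        elif rule != desired_by_name[name]:
            update.append((rule, desired_by_name[name]))
    for name, rule in desired_by_name.items():
        if name not in live_by_name:
            create.append(rule)
    return remove, update, create, preserved


def jit_rules_at_risk(desired, live, jit_pattern="SecurityCenter-*"):
    """Names of JIT rules that a plain apply (no ignore pattern) would delete."""
    remove, _, _, _ = plan(desired, live)
    return sorted(r.name for r in remove if fnmatchcase(r.name, jit_pattern))


if __name__ == "__main__":
    at_risk = jit_rules_at_risk(DESIRED, LIVE)
    if at_risk:
        print("apply would delete JIT rules:", ", ".join(at_risk))
    remove, update, create, preserved = plan(DESIRED, LIVE, ["SecurityCenter-*"])
    print("with ignore pattern: remove", [r.name for r in remove],
          "update", [old.name for old, _ in update],
          "preserved", [r.name for r in preserved])
```

Run it before an apply to see which out-of-band rules the reconciliation would drop; with the pattern applied, only the renumbered deny rule is corrected. One design caveat worth knowing independently of this issue: the azurerm provider also offers standalone azurerm_network_security_rule resources as an alternative to inline security_rule blocks, and with standalone rules Terraform manages only the rules it declares rather than the whole set, which sidesteps the all-or-nothing ignore_changes shown in the attempted solution (the two forms must not be mixed on one NSG).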

@PatMyron

PatMyron commented Apr 5, 2022

#5666

@marcusfriede

Hi.
Is there any progress here?
This is a very useful feature.

@crw
Collaborator

crw commented Dec 13, 2023

@marcusfriede No update. For future viewers, if you would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks!
