Lifecycle using wildcard or regex #24516
Hi.
@marcusfriede No update. For future viewers, if you would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks!
Current Terraform Version
Use-cases
I ran into a significant issue with Azure JIT and Terraform. JIT is an Azure service that manages access to VMs that have a public IP. It does so based on access requests made by the user via the Azure portal.
To restrict and allow access to a VM, Azure is adding/removing/renumbering rules in a subnet NSG... I think you can see the problem already...
If I make a change to a Terraform plan that originally deployed the NSG and apply it, then Terraform notices the inconsistent state of the NSG and reverts it to what I originally deployed... resulting in an exposure of the VMs protected by JIT.
At the moment Azure Security Center does not track this modification done by Terraform and still shows the VMs as protected... giving a false sense of protection to Azure clients that use Terraform (and possibly other IaC tools). I can't believe I am the 1st one running into this corner case.
Having the ability to tell Terraform to ignore some of the NSG rules using lifecycle would allow leaving alone the rules put in place by JIT and preserving the VM protection.
Attempted Solutions
I tried the following code, but the result was that changes to the NSG rules in Terraform would no longer apply:
Proposal
Add support for wildcard/regex matching in lifecycle:
References
None
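The two lifecycle shapes Terraform can express today for this NSG, as an added example that is not part of the issue or of the Terraform project. Variant A is the whole-attribute `ignore_changes` that matches the symptom the issue describes (JIT rules survive, but Terraform's own rule edits stop applying); variant B keeps inline rules out of the NSG and declares each Terraform-owned rule as a separate `azurerm_network_security_rule`, so rules JIT adds are never in state and are not reverted. Resource group, NSG and rule names, the location and the 203.0.113.10/32 source address are constructed placeholders.

```hcl
# Added example, not from the issue. Names and addresses below are placeholders.

# Variant A: what lifecycle supports now. Ignoring the whole security_rule
# attribute stops Terraform from removing rules JIT added, but it also stops
# Terraform from applying any rule change of its own (the behaviour reported).
resource "azurerm_network_security_group" "inline" {
  name                = "nsg-jit-demo-a"
  location            = "westeurope"
  resource_group_name = "rg-jit-demo"

  security_rule {
    name                       = "allow-ssh-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "203.0.113.10/32"
    destination_address_prefix = "*"
  }

  lifecycle {
    ignore_changes = [security_rule]
  }
}

# Variant B: no inline rules on the NSG. Terraform reconciles only the rule
# resources it declares, so a JIT-managed rule on the same NSG is left alone
# while edits to "allow-ssh-admin" still apply on the next plan/apply.
resource "azurerm_network_security_group" "managed" {
  name                = "nsg-jit-demo-b"
  location            = "westeurope"
  resource_group_name = "rg-jit-demo"
}

resource "azurerm_network_security_rule" "allow_ssh_admin" {
  name                        = "allow-ssh-admin"
  resource_group_name         = "rg-jit-demo"
  network_security_group_name = azurerm_network_security_group.managed.name
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "203.0.113.10/32"
  destination_address_prefix  = "*"
}
```

Variant B is the workable shape until lifecycle can match rule names by pattern: the azurerm provider documents that an NSG's rules must be managed either inline or through `azurerm_network_security_rule`, never both, and with no inline block present a `terraform plan` against an NSG that JIT has touched shows no diff for the JIT rules. Either way, run `terraform plan` before every apply on JIT-protected subnets and treat any planned removal of a rule you did not declare as a finding.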