
[azuread_named_location] Lack of validation on CIDR masks in ip_ranges parameter #855

Closed
ShaheenK27 opened this issue Aug 2, 2022 · 1 comment · Fixed by #1254

@ShaheenK27

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.0.0
+ provider registry.terraform.io/hashicorp/azuread v2.20.0

Affected Resource(s)

  • azuread_named_location

Terraform Configuration Files

resource "azuread_named_location" "named-location-test01" {
  display_name = "named-location-test01"
  ip {
    ip_ranges = [
      "20.0.0.0/4",
      "2001:DB8::/64"
    ]
    trusted = false
  }
}

Expected Behavior

  • Terraform should throw an error when an IP range with an invalid CIDR mask is specified in this parameter.

Actual Behavior

  • Terraform does not validate the CIDR masks and therefore does not display any error/changes if a CIDR range less than /8 is specified. Note: Terraform only performs a check on whether an IP range is in a valid format.

  • The apply is successful and the IP range is visible on the Portal, but when viewed in the edit section, the named location cannot be saved [the 'Save' button appears disabled/greyed out on the Portal] as long as the invalid IP range is a part of the named location.

1. First apply is successful

  azuread_named_location.named-location-test01: Creating...
  azuread_named_location.named-location-test01: Creation complete after 4s [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx]

  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

2. Second apply shows no changes

  azuread_named_location.named-location-test01: Refreshing state... [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx]

  No changes. Your infrastructure matches the configuration.

  Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

  Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Important Factoids

  • As per the official Microsoft documentation, the CIDR mask in the ip_ranges parameter should be greater than /8 (therefore, ranges such as /4 or /6 aren't acceptable).

  • Azure Portal has proper validation for this and displays an error when an invalid CIDR is specified.

Steps to Reproduce

  • terraform apply with invalid CIDR mask in ip_ranges parameter

References
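The plan-time check the report asks for, written as an added example in Go (the provider's language); it is not the azuread provider's own code and does not import the Terraform SDK. It parses each ip_ranges entry as CIDR, rejects prefix lengths shorter than /8 (the floor the report cites from Microsoft's documentation), and reports every bad entry at once. The ValidateIPRangeFunc wrapper only mirrors the shape of an SDK schema validation function so it could be attached to the list element schema; applying the same /8 floor to IPv6 ranges is an assumption made here, since the report does not give a separate IPv6 limit.

```go
package main

import (
	"fmt"
	"net"
)

// minPrefixLen is the shortest prefix the Azure Portal accepts for a named
// location IP range according to the issue (/4 and /6 are rejected, /8 is
// the floor). Using the same floor for IPv6 is an assumption of this example.
const minPrefixLen = 8

// ValidateIPRange checks a single ip_ranges entry: it must be valid CIDR
// notation and its prefix length must be at least /minPrefixLen.
func ValidateIPRange(s string) error {
	_, ipnet, err := net.ParseCIDR(s)
	if err != nil {
		return fmt.Errorf("%q is not valid CIDR notation: %w", s, err)
	}
	ones, bits := ipnet.Mask.Size()
	if ones < minPrefixLen {
		return fmt.Errorf("%q: prefix length /%d is shorter than the minimum /%d (address family is %d bits)",
			s, ones, minPrefixLen, bits)
	}
	return nil
}

// ValidateIPRangeFunc has the shape of a terraform-plugin-sdk
// schema.SchemaValidateFunc (value, attribute path) -> (warnings, errors),
// so the same logic could be wired to the ip_ranges element schema.
// The SDK itself is deliberately not imported here.
func ValidateIPRangeFunc(i interface{}, k string) (warnings []string, errs []error) {
	v, ok := i.(string)
	if !ok {
		return nil, []error{fmt.Errorf("expected %s to be a string, got %T", k, i)}
	}
	if err := ValidateIPRange(v); err != nil {
		return nil, []error{fmt.Errorf("%s: %w", k, err)}
	}
	return nil, nil
}

// ValidateIPRanges validates a whole ip_ranges list and returns every problem
// found, in input order, so the user sees all offending entries in one plan
// instead of fixing them one apply at a time.
func ValidateIPRanges(ranges []string) []error {
	var errs []error
	for _, r := range ranges {
		if err := ValidateIPRange(r); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample: the two ranges from the issue's configuration,
	// plus one acceptable /8 and one entry that is not CIDR at all.
	sample := []string{"20.0.0.0/4", "2001:DB8::/64", "10.0.0.0/8", "not-a-cidr"}
	for _, err := range ValidateIPRanges(sample) {
		fmt.Println("ip_ranges:", err)
	}
}
```

Run stand-alone, the block reports the /4 range and the malformed entry and stays silent on the /8 and the IPv6 /64. Because the check runs on literal strings, it can only fire when the value is known at plan time; as the maintainer notes below, interpolated values may not be available until apply.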

@manicminer
Contributor

manicminer commented Sep 1, 2022

Hi @ShaheenK27, thanks for reporting this. This would seem to be an API bug since a seemingly invalid prefix length is accepted by the API without error. Unfortunately the Conditional Access API has quite a lot of validation bugs.

However in the interest of usability we'll look at adding this validation if it is feasible. Note that we cannot guarantee provider-level validation in all cases because we often don't have access to interpolated values until apply-time. Accordingly, I will also raise this as an API bug.
