Allow Container ~Group~ Ports to be specifically specified rather than aggregating the container ports #1662

Closed
granadacoder opened this issue Jul 26, 2018 · 5 comments · Fixed by #1930

Comments

@granadacoder

granadacoder commented Jul 26, 2018

This feature request is about the public ports on the container_GROUP.

Looking at the source code here:

https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/azurerm/resource_arm_container_group.go

It looks like

containerGroupPorts = append(containerGroupPorts, containerGroupPort)

containerGroupPorts ( I think ) is a variable to concatenate the ports of the individual containers.

In the ARM template version, the container group (public) ports can be specified ~at the container group level.


  "resources": [
    {
      "name": "[parameters('resourceGroupName')]",
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2018-06-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [

        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "TCP",
              "port": 443
            },
            {
              "protocol": "TCP",
              "port": 80
            }
          ],
          "dnsNameLabel": "[uniqueString( resourceGroup().id )]"
        }

So the idea (for security) is (of course) that your containers can talk to each other (on say, 20 ports for example), but you are only going to expose a handful of ports publicly.

Mini example. webserver (container) is open to the world on 80/443. middleTier/webapi server is privately open on some port. And some logging/service is privately available on some port. Aka, you don't want middleTier/webapi server or logging/service ports open to the world.

I know Microsoft is paying attention to the container group ports, because the ARM template is smart enough to know if you're trying to open a port on the container that is not in the container group.

[Deployment failed. Correlation ID: abc65f84-267f-abc3-8a7a-6fce6659e607. {
  "error": {
    "code": "UnreferencedIpAddressPorts",
    "message": "Following ports '443' in the 'ipAddress' are not used by any container in container group 'myContainerGroup'."
  }
}]

Anyway. Having a container_group parameter for ports that matches the ARM would be fantastic.

Sidenote, I'm basically trying to pull off (in terraform) what this article mentions.

This port will be accessible within the entire container group, but not from the outside world and not from other container groups either. Containers within a group can communicate with each other by using ‘localhost’ and the exposed container port.

Article here

GitHub code here

New or Affected Resource(s)

  • azurerm_container_group

@joakimhellum

joakimhellum commented Aug 1, 2018

Hi, made some tests and ended up with the potential Terraform configuration below:

resource "azurerm_resource_group" "nginx" {
  name     = "nginx-rg"
  location = "west europe"
}

resource "azurerm_container_group" "nginx" {
  name                = "nginx-aci"
  location            = "${azurerm_resource_group.nginx.location}"
  resource_group_name = "${azurerm_resource_group.nginx.name}"
  os_type             = "linux"
  ip_address_type     = "public"
  network_protocol    = "tcp" # Default is "tcp"
  ports               = ["80", "443"] # List of ports

  container {
    name             = "nginx"
    image            = "nginx"
    cpu              = "1"
    memory           = "2"
    network_protocol = "tcp" # Default is "tcp"
    ports            = ["80", "443"] # List of ports
  }
}

It seems container group can have either protocol TCP or UDP, but can't have both, also can't have duplicate ports. There is a check for unreferenced ports.

@tombuildsstuff would you accept community PR with attempt to implement this? It looks like multiple issues need to be solved in azurerm_container_group resource and this may be a good place to start. Thanks for any advice.
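
The checks discussed in this thread (no duplicate public ports, no public port that no container uses, and which container ports stay private to the group) can be sketched as a standalone Go function. This is an added example, not code from the provider or from any commenter; the `Port` type, `CheckExposure` and the container names are hypothetical and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Port is a port/protocol pair, as in the ARM "ports" entries quoted in the issue.
type Port struct {
	Number   int
	Protocol string
}

// CheckExposure validates group-level (public) ports against the ports containers declare and
// returns the ports left private; an unused public port is what ARM calls UnreferencedIpAddressPorts.
func CheckExposure(public []Port, containerPorts map[string][]Port) ([]Port, error) {
	declared := map[Port]bool{}
	for _, ports := range containerPorts {
		for _, p := range ports {
			declared[p] = true
		}
	}
	exposed := map[Port]bool{}
	for _, p := range public {
		if exposed[p] {
			return nil, fmt.Errorf("duplicate public port %d/%s", p.Number, p.Protocol)
		}
		if !declared[p] {
			return nil, fmt.Errorf("public port %d/%s is not used by any container", p.Number, p.Protocol)
		}
		exposed[p] = true
	}
	var private []Port
	for p := range declared {
		if !exposed[p] {
			private = append(private, p)
		}
	}
	sort.Slice(private, func(i, j int) bool { return private[i].Number < private[j].Number })
	return private, nil
}

func main() {
	containers := map[string][]Port{ // constructed sample: web tier public, the rest internal
		"webserver": {{80, "TCP"}, {443, "TCP"}},
		"webapi":    {{8080, "TCP"}},
		"logging":   {{5000, "TCP"}},
	}
	fmt.Println(CheckExposure([]Port{{80, "TCP"}, {443, "TCP"}}, containers))
}
```

Running the same check in CI against a planned configuration gives a reviewable list of ports that are meant to stay reachable only over localhost inside the group.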

@tombuildsstuff
Contributor

hey @joakimhellum-in

Sorry for the delayed reply here.

@tombuildsstuff would you accept community PR with attempt to implement this? It looks like multiple issues need to be solved in azurerm_container_group resource and this may be a good place to start. Thanks for any advice.

Yes definitely - this commit as a part of #1740 shows how to deprecate one field in favour of another whilst allowing both to work - which should be what's needed in this case. Feel free to comment on this issue / on a PR with specific questions and we can take help as needed :)

Thanks!

@katbyte
Collaborator

katbyte commented Aug 10, 2018

@joakimhellum-in,

I started on this months ago but never got around to finishing it. You may want to take a look at this branch as a starting point

@CumpsD

CumpsD commented Dec 6, 2018

Looking forward to this, I would like to bind both 443 and 80 to a container to simply support HTTPS, with an auto-redirect from HTTP->HTTPS, but have no idea how to do it without being able to specify multiple ports

@ghost

ghost commented Mar 5, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 5, 2019