Problem
After upgrading the azurerm provider to version v3.49.0 or newer, you may encounter an Unsupported argument error when applying a configuration for an App Service resource that uses a list syntax for the site_config block.
This change affects the ip_restriction and scm_ip_restriction arguments, which are no longer computed attributes. As a result, changes made to IP restrictions outside of Terraform will now produce a diff during planning.
Terraform will return the following error message.
Error: Unsupported argument on main.tf line 27, in resource "azurerm_windows_web_app" "web_app": 27: ip_restriction = [ An argument named "ip_restriction" is not expected here. Did you mean to define a block of type "ip_restriction"?
Cause
A breaking change in version v3.49.0 of the azurerm provider altered the schema for the ip_restriction and scm_ip_restriction arguments within the App Service site_config. These arguments are no longer defined as a list of objects but must now be configured as nested blocks.
Solution
To resolve this error, you must update your Terraform configuration to use a dynamic block to construct the ip_restriction and scm_ip_restriction blocks from a variable.
Update Configuration to Use a dynamic Block
Refactor your resource configuration to iterate over your list of IP restrictions using a dynamic block. This generates the required nested blocks that conform to the new provider schema.
dynamic "ip_restriction" {
for_each = var.ip_restrictions
content {
ip_address = ip_restriction.value.ip_address
name = ip_restriction.value.name
priority = ip_restriction.value.priority
action = ip_restriction.value.action
virtual_network_subnet_id = ip_restriction.value.virtual_network_subnet_id
service_tag = ip_restriction.value.service_tag
headers {
x_azure_fdid = lookup(ip_restriction.value.headers, "x_azure_fdid", null)
x_fd_health_probe = lookup(ip_restriction.value.headers, "x_fd_health_probe", null)
x_forwarded_for = lookup(ip_restriction.value.headers, "x_forwarded_for", null)
x_forwarded_host = lookup(ip_restriction.value.headers, "x_forwarded_host", null)
}
}
}
dynamic "scm_ip_restriction" {
for_each = var.scm_ip_restriction
content {
ip_address = scm_ip_restriction.value.ip_address
service_tag = scm_ip_restriction.value.service_tag
virtual_network_subnet_id = scm_ip_restriction.value.virtual_network_subnet_id
name = scm_ip_restriction.value.name
priority = scm_ip_restriction.value.priority
action = scm_ip_restriction.value.action
headers {
x_azure_fdid = lookup(scm_ip_restriction.value.headers, "x_azure_fdid", null)
x_fd_health_probe = lookup(scm_ip_restriction.value.headers, "x_fd_health_probe", null)
x_forwarded_for = lookup(scm_ip_restriction.value.headers, "x_forwarded_for", null)
x_forwarded_host = lookup(scm_ip_restriction.value.headers, "x_forwarded_host", null)
}
}
}