Regarding #1662: Allow Container ~Group~ Ports to be specifically specified rather than aggregating the container ports

[Dikymon]

This is basically a rehash of issue #1662 which was closed as part of #1930 but does not seem to fix the issue stated in #1662

A container groups exposed ports are still an aggregation of the defined containers ports, eventhough ARM allows for a subset of ports to be exposed or am I missing something?

See resource_arm_container_group.go

Thanks

[simondevolutions]

It is also the way I am understanding it. It would be very convenient since one of the points of deploying a container group is having internal communication inside your instance that doesn't need to be exposed.

[amasover]

This how-to from Microsoft is a really good example of the use-case.

Simplifying their example yaml a little bit to illustrate:

name: app-with-ssl
properties:
  ipAddress:
    ports:
    - port: 443
      protocol: TCP
    type: Public
  containers:
  - name: nginx-with-ssl
    properties:
      image: nginx
      ports:
      - port: 443
        protocol: TCP
  - name: my-app
    properties:
      image: mcr.microsoft.com/azuredocs/aci-helloworld
      ports:
      - port: 80
        protocol: TCP

I think a potential Terraform config could look like this:

resource "azurerm_container_group" "app-with-ssl" {
  name = "app-with-ssl"
  ip_address {
    type = "public"
    ports {
      port = 443
      protocol = "TCP"
  }
  container {
    name = "nginx-with-ssl"
    image = "nginx"
    ports {
      port = 443
      protocol = "TCP"
    }
  }
  container {
    name = "my-app"
    image = "mcr.microsoft.com/azuredocs/aci-helloworld"
    ports {
      port = 80
      protocol = "TCP"
    }
  }
}

But note that currently we set ip_address_type and dns_name_label both at the top level. So if we keep things closer to how they are today, the top part of that would look like this:

resource "azurerm_container_group" "app-with-ssl" {
  name = "app-with-ssl"
  ip_address_type = "public"
  ports {
    port = 443
    protocol = "TCP"
  }

Semantically it seems to me that setting dns_name_label, ports, and type on the ip_address makes more sense than setting them all separately underneath the top-level resource. But I'm no expert on Terraform conventions. And updating it at this point would break backwards compatibility.

Reference:

yaml reference
api reference

[FilBot3]

I'm not familiar with the code base, but would it be possible to make the ports section into a slice of map[string]string to store the Port and Protocol information?

I also didn't understand how to use the methods in the referenced Issue and PR in the initial post. If they do work, they're not reflected in the documentation either in a manner that I seemed to understand.

[ghost]

This has been released in version 2.57.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.57.0"
}
# ... other configuration ...

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.