From f301530be1927080fa3052cf76a0e5e1763333ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hein=20Tonny=20K=C3=B8ien?=
Date: Tue, 16 Jan 2024 08:07:07 +0100
Subject: [PATCH] Fix issues with threat_intelligence_allowlist variable type and dynamic block
---
 modules/connectivity/variables.tf | 4 ++--
 resources.virtual_wan.tf | 5 ++++-
 variables.tf | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/modules/connectivity/variables.tf b/modules/connectivity/variables.tf
index 76aaa8ca8..e31e4f976 100644
--- a/modules/connectivity/variables.tf
+++ b/modules/connectivity/variables.tf
@@ -126,7 +126,7 @@ variable "settings" {
 base_policy_id = optional(string, "")
 private_ip_ranges = optional(list(string), [])
 threat_intelligence_mode = optional(string, "Alert")
- threat_intelligence_allowlist = optional(list(string), [])
+ threat_intelligence_allowlist = optional(map(list(string)), {})
 availability_zones = optional(object({
 zone_1 = optional(bool, true)
 zone_2 = optional(bool, true)
@@ -200,7 +200,7 @@ variable "settings" {
 base_policy_id = optional(string, "")
 private_ip_ranges = optional(list(string), [])
 threat_intelligence_mode = optional(string, "Alert")
- threat_intelligence_allowlist = optional(list(string), [])
+ threat_intelligence_allowlist = optional(map(list(string)), {})
 availability_zones = optional(object({
 zone_1 = optional(bool, true)
 zone_2 = optional(bool, true)
diff --git a/resources.virtual_wan.tf b/resources.virtual_wan.tf
index 537c2e1e5..9aceec5b5 100644
--- a/resources.virtual_wan.tf
+++ b/resources.virtual_wan.tf
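Review bot: The new `map(list(string))` type on `threat_intelligence_allowlist` accepts any key, so a misspelled key such as `fqdn` passes type checking and is never read by the `lookup(threat_intelligence_allowlist.value, "fqdns", null)` in resources.virtual_wan.tf. The same line is changed in the second hunk of this file and in both hunks of the root variables.tf, so the point applies to all four declarations. Since entries on this list are exempted from threat-intelligence filtering, the accepted keys should be stated where the type is declared, for example `# keys: "fqdns", "ip_addresses" — entries bypass threat intelligence filtering` above the attribute (only `fqdns` is visible on this page; `ip_addresses` is the other argument of the provider's block). A `validation` rule rejecting other keys would catch typos at plan time. The enclosing `variable "settings"` block starts and ends outside these hunks.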
@@ -232,7 +232,9 @@ resource "azurerm_firewall_policy" "virtual_wan" { } dynamic "threat_intelligence_allowlist" { - for_each = each.value.template.threat_intelligence_allowlist + # Ensure that the dynamic block is created only if the allowlist is defined + for_each = length(keys(each.value.template.threat_intelligence_allowlist)) > 0 ? [each.value.template.threat_intelligence_allowlist] : [] + content { # Optional attributes fqdns = lookup(threat_intelligence_allowlist.value, "fqdns", null) @@ -240,6 +242,7 @@ resource "azurerm_firewall_policy" "virtual_wan" { } } + # Set explicit dependencies depends_on = [ azurerm_resource_group.connectivity, diff --git a/variables.tf b/variables.tf index a406169c0..01febda8f 100644 --- a/variables.tf +++ b/variables.tf @@ -239,7 +239,7 @@ variable "configure_connectivity_resources" { base_policy_id = optional(string, "") private_ip_ranges = optional(list(string), []) threat_intelligence_mode = optional(string, "Alert") - threat_intelligence_allowlist = optional(list(string), []) + threat_intelligence_allowlist = optional(map(list(string)), {}) availability_zones = optional(object({ zone_1 = optional(bool, true) zone_2 = optional(bool, true) @@ -313,7 +313,7 @@ variable "configure_connectivity_resources" { base_policy_id = optional(string, "") private_ip_ranges = optional(list(string), []) threat_intelligence_mode = optional(string, "Alert") - threat_intelligence_allowlist = optional(list(string), []) + threat_intelligence_allowlist = optional(map(list(string)), {}) availability_zones = optional(object({ zone_1 = optional(bool, true) zone_2 = optional(bool, true)
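Review bot: The new `for_each` condition in the `dynamic "threat_intelligence_allowlist"` block tests only whether the map has any key, not whether it holds a usable entry. A value such as `{ fqdns = [] }`, or a map containing only an unrecognised key, still emits the block with empty or null attributes; whether the provider accepts that cannot be told from this page. Testing the consumed keys would be tighter, e.g. `for_each = length(concat(lookup(each.value.template.threat_intelligence_allowlist, "fqdns", []), lookup(each.value.template.threat_intelligence_allowlist, "ip_addresses", []))) > 0 ? [each.value.template.threat_intelligence_allowlist] : []`. If the current check is kept, `length(keys(m))` can be written as `length(m)`. The line after `fqdns` falls between the two hunks and is not shown, and the resource block continues outside them.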