azurerm_firewall_policy_rule_collection_group - limit dnat rule des…

…tination port max number to 1 (#18766)

* limit destination port max number as 1 for server side limitation

* improve doc for only one destination port of dnat rule

* doc improve

Co-authored-by: stephybun <[email protected]>

Co-authored-by: xuwu1 <[email protected]>
Co-authored-by: stephybun <[email protected]>

internal/services/firewall/firewall_policy_rule_collection_group_resource.go

@@ -386,6 +386,8 @@ func resourceFirewallPolicyRuleCollectionGroup() *pluginsdk.Resource {
 									"destination_ports": {
 										Type:     pluginsdk.TypeList,
 										Optional: true,
+										// only support 1 destination port in one DNAT rule
+										MaxItems: 1,
 										Elem: &pluginsdk.Schema{
 											Type:         pluginsdk.TypeString,
 											ValidateFunc: azValidate.PortOrPortRangeWithin(1, 64000),

website/docs/r/firewall_policy_rule_collection_group.html.markdown

@@ -69,7 +69,7 @@ resource "azurerm_firewall_policy_rule_collection_group" "example" {
       protocols           = ["TCP", "UDP"]
       source_addresses    = ["10.0.0.1", "10.0.0.2"]
       destination_address = "192.168.1.1"
-      destination_ports   = ["80", "1000-2000"]
+      destination_ports   = ["80"]
       translated_address  = "192.168.0.1"
       translated_port     = "8080"
     }
@@ -192,7 +192,7 @@ A `rule` (NAT rule) block supports the following:
 
 * `destination_address` - (Optional) The destination IP address (including CIDR).
 
-* `destination_ports` - (Optional) Specifies a list of destination ports.
+* `destination_ports` - (Optional) Specifies a list of destination ports. Only one destination port is supported in a NAT rule.
 
 * `translated_address` - (Optional) Specifies the translated address.