[AVM Module Issue]: Unable to create private endpoints for Private Link Scope when VNet is in different subscription #3835
Comments
JamesDawson
added
Needs: Triage 🔍
microsoft-github-policy-service
bot
added
the
Type: Bug 🐛
|
@JamesDawson, thanks for submitting this issue for the Important A member of the @Azure/avm-res-insights-privatelinkscope-module-owners-bicep or @Azure/avm-res-insights-privatelinkscope-module-contributors-bicep team will review it soon! |
microsoft-github-policy-service
bot
added
the
Status: Response Overdue 🚩
|
I was looking at using the Based on a skim read of the following search results, this seems to be an issue across the board: |
microsoft-github-policy-service
bot
added
the
Needs: Immediate Attention ‼️
AlexanderSehr
added
the
Needs: Core Team 🧞
|
Hey folks, The implementation would then change to module keyVault_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.9.0' = [
for (privateEndpoint, index) in (privateEndpoints ?? []): {
name: '${uniqueString(deployment().name, location)}-keyVault-PrivateEndpoint-${index}'
scope: scope: resourceGroup(
split((privateEndpoint.?subnetResourceId?? '//'), '/')[2],
split((privateEndpoint.?subnetResourceId?? '////'), '/')[4]
)
params: {
name: privateEndpoint.?name ?? 'pep-${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
(...)
subnetResourceId: privateEndpoint.subnetResourceId
location: privateEndpoint.?location ?? reference(
split(privateEndpoint.subnetResourceId, '/subnets/')[0],
'2020-06-01',
'Full'
).location
}
}
]Thoughts? cc: @eriqua, @ChrisSidebotham, @jtracey93 & @ReneHezser for awareness |
|
I think that makes sense (using the resource group of the subnet). Would there be a use-case where the location is a different one? |
|
Thanks @AlexanderSehr. That seems fine, although we would still need optional control over the resource group used to host the private endpoints. In a scenario where the network resources are managed by a central team, an application team may not have permissions to provision resources alongside the VNet. Therefore being able to specify an alternative resource group name, within the same subscription, would be necessary. |
|
Hey @JamesDawson, module keyVault_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.9.0' = [
for (privateEndpoint, index) in (privateEndpoints ?? []): {
name: '${uniqueString(deployment().name, location)}-keyVault-PrivateEndpoint-${index}'
scope: !empty(privateEndpoint.?resourceGroupResourceId)
? resourceGroup(
split((privateEndpoint.?resourceGroupResourceId ?? '//'), '/')[2],
split((privateEndpoint.?resourceGroupResourceId ?? '////'), '/')[4]
)
: resourceGroup(
split((privateEndpoint.?subnetResourceId ?? '//'), '/')[2],
split((privateEndpoint.?subnetResourceId ?? '////'), '/')[4]
)
params: {
name: privateEndpoint.?name ?? 'pep-${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
(...)
subnetResourceId: privateEndpoint.subnetResourceId
location: privateEndpoint.?location ?? reference(
split(privateEndpoint.subnetResourceId, '/subnets/')[0],
'2020-06-01',
'Full'
).location
}
}
]In other words: if a resource group resource Id is specified, it will deploy the private endpoint into this resource group (in whatever subscription that resource group is in). If not specified, it will default to deploying the private endpoint into the resource group & subscription of the used virtual network subnet. |
|
Yep that looks good @AlexanderSehr. |
AlexanderSehr
removed
Needs: Triage 🔍
Great, thanks @JamesDawson. |
|
Hey @JamesDawson, The subtile change would be from scope: resourceGroup(
split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[2],
split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[4]
)to scope: resourceGroup(
split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2],
split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4]
)While we'll be discussing this ASAP internally, and while both implementations will statify the requirements and are merely about the 'most common use case' - I'd be curious to hear your thoughts as well. I'll quote from @ahmadabdalla on this matter
Ref: #4449 |
github-project-automation
bot
moved this from Needs: Triage
to Done
in AVM - Module Issues
|
Cc @tyconsulting for visibility as he's originally raised this 💪 |
|
Thanks @AlexanderSehr, using the resource's RG seems like a sensible default. |
…by default (#4449) ## Description Background: #3835 (comment) Linked to: Azure/Azure-Verified-Modules#1857 Changes the deployment so that the main resource's (e.g., Key Vaults) RG is used as the default location for the PE. The already implemented `resourceGroupResourceId` will continue to allow the user to specify a different RG (in a different subscription, if needed). The primary change is from ```bicep scope: resourceGroup( split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[2], split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[4] ) ``` to ```bicep scope: resourceGroup( split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2], split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4] ) ``` I'll quote from @ahmadabdalla on this matter > In most scenarios, PEs are deployed alongside their main resource in their own RG vs. the VNET RG. Customer app teams may have subnet join permissions on a centralised VNET in a Landing zone, but may not have permissions to deploy into it. Also considering billing and resource lifecycle perspective. cc: @JamesDawson Ref: #4449 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | | ## Type of Change <!-- Use the checkboxes [x] on the options that are relevant. --> - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [x] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation
…he subnet resource group (Azure#4132) ## Description - Adds UDTs - deploys private endpoint in the subnet resource group, if not explicitly specified Closes Azure#3835 Azure#4404 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | [](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.res.insights.private-link-scope.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings
](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.res.insights.private-link-scope.yml){kind=link}
…by default (Azure#4449) ## Description Background: Azure#3835 (comment) Linked to: Azure/Azure-Verified-Modules#1857 Changes the deployment so that the main resource's (e.g., Key Vaults) RG is used as the default location for the PE. The already implemented `resourceGroupResourceId` will continue to allow the user to specify a different RG (in a different subscription, if needed). The primary change is from ```bicep scope: resourceGroup( split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[2], split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[4] ) ``` to ```bicep scope: resourceGroup( split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2], split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4] ) ``` I'll quote from @ahmadabdalla on this matter > In most scenarios, PEs are deployed alongside their main resource in their own RG vs. the VNET RG. Customer app teams may have subnet join permissions on a centralised VNET in a Landing zone, but may not have permissions to deploy into it. Also considering billing and resource lifecycle perspective. cc: @JamesDawson Ref: Azure#4449 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | | ## Type of Change <!-- Use the checkboxes [x] on the options that are relevant. --> - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [x] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation
…he subnet resource group (Azure#4132) ## Description - Adds UDTs - deploys private endpoint in the subnet resource group, if not explicitly specified Closes Azure#3835 Azure#4404 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | [](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.res.insights.private-link-scope.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings
…by default (Azure#4449) ## Description Background: Azure#3835 (comment) Linked to: Azure/Azure-Verified-Modules#1857 Changes the deployment so that the main resource's (e.g., Key Vaults) RG is used as the default location for the PE. The already implemented `resourceGroupResourceId` will continue to allow the user to specify a different RG (in a different subscription, if needed). The primary change is from ```bicep scope: resourceGroup( split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[2], split(privateEndpoint.?resourceGroupResourceId ?? privateEndpoint.?subnetResourceId, '/')[4] ) ``` to ```bicep scope: resourceGroup( split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2], split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4] ) ``` I'll quote from @ahmadabdalla on this matter > In most scenarios, PEs are deployed alongside their main resource in their own RG vs. the VNET RG. Customer app teams may have subnet join permissions on a centralised VNET in a Landing zone, but may not have permissions to deploy into it. Also considering billing and resource lifecycle perspective. cc: @JamesDawson Ref: Azure#4449 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | | ## Type of Change <!-- Use the checkboxes [x] on the options that are relevant. --> - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [x] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation
Check for previous/existing GitHub issues
Issue Type?
Bug
Module Name
avm/res/insights/private-link-scope
(Optional) Module Version
0.5.2
Description
A deployment failure happens when the Private Link Scope resource is in a different subscription to the Virtual Network.
Generally the error is
ResourceGroupNotFoundon the private endpoint resource group (since it exists in a different subscription). If a resource group happens to exist with the same name in the PLS subscription, then the deployment produces anInvalidResourceReference.Private Endpoints must be provisioned in the same subscription as the Virtual Network they are connected to. Whilst this module allows you to customise the resource group for the private endpoint, it currently assumes the same subscription as the Private Link Scope resource.
To avoid needing another parameter, perhaps the scope on this line should infer the subscription from the subnet resource ID?
bicep-registry-modules/avm/res/insights/private-link-scope/main.bicep
Line 160 in 8ee8adb
(Optional) Correlation Id
No response
The text was updated successfully, but these errors were encountered: