Can't manually assign IP addresses to a private endpoint for iothub. #19432

Open
1 task done
jan-hudec opened this issue Nov 24, 2022 · 1 comment

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.5

AzureRM Provider Version

3.32.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

# -----------------------------------------------------------------
# Terraform config and variables
terraform {
  required_version = ">= 1.3.5"
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.32.0"
    }
  }
  backend "local" {
  }
}
provider "azurerm" {
  skip_provider_registration = true
  features {
  }
}
variable "rg" {
  type = string
  description = "resource group of the IoTHub and private endpoint"
}
variable "iothub" {
  type = string
  description = "the IoTHub name"
}
variable "netrg" {
  type = string
  description = "resource group of the VNet and private DNS zone"
}
variable "net" {
  type = string
  description = "name of the VNet"
}
variable "subnet" {
  type = string
  description = "name of the Subnet"
}

# -----------------------------------------------------------------
# References to the existing resources
data "azurerm_resource_group" "rg" {
  name = var.rg
}

data "azurerm_subnet" "net" {
  name = var.subnet
  virtual_network_name = var.net
  resource_group_name = var.netrg
}

data "azurerm_private_dns_zone" "devices" {
  name = "privatelink.azure-devices.net"
  resource_group_name = var.netrg
}

data "azurerm_private_dns_zone" "servicebus" {
  name = "privatelink.servicebus.windows.net"
  resource_group_name = var.netrg
}

# -----------------------------------------------------------------
# The IoTHub can't be just any, but must have high enough tier
# to have own servicebus endpoint, so…
resource "azurerm_iothub" "iothub" {
  name = var.iothub
  resource_group_name = data.azurerm_resource_group.rg.name
  location = data.azurerm_resource_group.rg.location

  sku {
    name = "S1"
    capacity = 1
  }
}

# -----------------------------------------------------------------
# This is a minimal private endpoint configuration that can be
# created. However if the private endpoint is created manually,
# it will have two `ip_configuration`s and that cannot be imported.
resource "azurerm_private_endpoint" "pe" {
  name = "${var.iothub}-pe"
  resource_group_name = data.azurerm_resource_group.rg.name
  location = data.azurerm_resource_group.rg.location

  subnet_id = data.azurerm_subnet.net.id
  custom_network_interface_name = "${var.iothub}-pe-nic"

  /* Without these two blocks, two IP addresses get allocated and
     assigned the two DNS names:
      - ${var.iothub}.azure-devices.net
      - ${var.iothub}<somerandomsuffix>.servicebus.windows.net
     But if I wanted to specify static addresses, I can't, because
     two blocks are not accepted here.
     
  ip_configuration {
    name = "iothub"
    private_ip_address = "10.0.7.231"
  }

  ip_configuration {
    name = "eventhub"
    private_ip_address = "10.0.7.232"
  }
  */

  private_dns_zone_group {
    name = var.netrg
    private_dns_zone_ids = [
      data.azurerm_private_dns_zone.devices.id,
      data.azurerm_private_dns_zone.servicebus.id,
    ]
  }

  private_service_connection {
    name = "iothub"
    private_connection_resource_id = azurerm_iothub.iothub.id
    is_manual_connection = false
    subresource_names = [ "iotHub" ]
  }
}

Debug Output/Panic Output

╷
│ Error: Too many ip_configuration blocks
│
│   on iothub-pe-test.tf line 100, in resource "azurerm_private_endpoint" "pe":
│  100:   ip_configuration {
│
│ No more than 1 "ip_configuration" blocks are allowed
╵

Expected Behaviour

I first had the private endpoint created manually, and tried to import it to the terraform definitions. The plan included this part:

      - ip_configuration {
          - name               = "iothub" -> null # forces replacement
          - private_ip_address = "10.0.7.4" -> null # forces replacement
          - subresource_name   = "iotHub" -> null # forces replacement
        }
      - ip_configuration {
          - name               = "eventhub" -> null # forces replacement
          - private_ip_address = "10.0.7.5" -> null # forces replacement
          - subresource_name   = "iotHub" -> null # forces replacement
        }

so I added those two ip_configuration blocks and expected terraform plan to say that no changes need to be done.

Actual Behaviour


│ Error: Too many ip_configuration blocks

│ on iothub-pe-test.tf line 100, in resource "azurerm_private_endpoint" "pe":
│ 100: ip_configuration {

│ No more than 1 "ip_configuration" blocks are allowed

Note that azurerm_network_interface does allow multiple ip_configuration blocks, but in this case the network interface is subordinate to the private endpoint, which does not.

Steps to Reproduce

Create an IoTHub, which must be at least S1 tier (the lower tiers don't have the servicebus endpoint), and either

  • create a private endpoint for it manually, then try to co-opt it into Terraform, or
  • try to create a private endpoint with explicitly assigned IP addresses

Important Factoids

No response

References

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/privateendpoints says ipConfigurations is an array, and talks about it in plural, but https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint says (and the error confirms) only one ip_configuration block is allowed.

@jan-hudec jan-hudec added the bug label Nov 24, 2022
@github-actions github-actions bot removed the bug label Nov 24, 2022
Contributor

myc2h6o commented Nov 25, 2022

Hi @jan-hudec, thanks for opening the issue! PR #19389 is adding support for multiple ip_configuration blocks; would you mind subscribing to it for updates?
