Applying changes to "azurerm_virtual_network" fails due to PrivateEndpointNetworkPoliciesCannotBeEnabledOnPrivateEndpointSubnet

[Grant-Rc]

Hello Team

first time logging an issue so please correct me if I'm wrong so i can learn.

I wanted to update my VNet to include some custom DNS Servers

resource "azurerm_virtual_network" "new" {
  provider            = "azurerm.deployment"
  name                = "azure-${var.service_name}-${var.environment}-vnet"
  resource_group_name = "${data.azurerm_resource_group.nwservices.name}"
  location            = "${data.azurerm_resource_group.nwservices.location}"
  address_space       = ["${var.vnet_cidr}"]
  dns_servers         = ["${var.dns_server1}","${var.dns_server2}"]

Running a Terraform Plan/Apply i get

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

   azurerm_virtual_network.new will be updated in-place
  ~ resource "azurerm_virtual_network" "new" {
        address_space       = [
            "192.168.0.0/24",
        ]
      ~ dns_servers         = [
          - "192.168.0.100",
          + "192.168.0.101",
        ]
...
Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Error: Error Creating/Updating Virtual Network "azure-network" (Resource Group "azure-rg"): network.VirtualNetworksClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateEndpointNetworkPoliciesCannotBeEnabledOnPrivateEndpointSubnet" Message="Private endpoint network policies cannot be enabled on private endpoint subnet /subscriptions/......./azure-sn-1." Details=[]

  on main.tf line 49, in resource "azurerm_virtual_network" "new":
  49: resource "azurerm_virtual_network" "new" {

It turns out that this error is coming from Azure (as i have tried to enable via Powershell and i get the same error). I found out that someone manually disabled PrivateEndpointNetworkPolicies for 1 for the subnets in the vnet in order to attach a private endpoint (which they also added manually...).

https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy

Making the change to the DNS via the gui works, so somewhere in the Terraform code its is trying to revert this setting from Disabled to Enabled but the plan is only show the DNS change?
Looking on the web i have not found a way to set PrivateEndpointNetworkPolicies so its in the state via terraform in the AzureRM provider.

Terraform v0.12.9
AzureRm v1.28.0

Please let me know if there any more information you require.

[tombuildsstuff]

hi @Grant-Rc

Thanks for opening this issue.

At the time of writing unfortunately Private Link (and it's integration within the Subnet resource) isn't natively supported by the Azure Provider - which is why these fields aren't tracked/can't be configured. Support is being worked on however (and can be tracked in #4701) - but includes the ability to toggle these policies on/off within the Subnet.

Since this'll be fixed by #4701 I'm going to close this issue in favour of that one - would you mind subscribing to #4701 for updates?

Thanks!

[Grant-Rc]

Hello @tombuildsstuff

Thank you for the reply, if you could help me understand something. I'm not looking to manage Private link in Terraform, but ignore the private endpoint that someone setup. As this is on an existing managed subset, Terraform can now no longer apply previous / new configurations? in a sense it breaks terraform. With your comments i have 2 options, Remove the private endpoint (not really an option as this is production) or forget managing this subscription via Terraform until #4701 ?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!