Azure / ResourceModules

This repository includes a CI platform for and collection of mature and curated Bicep modules. The platform supports both ARM and Bicep and can be leveraged using GitHub actions as well as Azure DevOps pipelines.
https://aka.ms/carml
MIT License

[Bug Report]: Event Hub namespace network ruleset trustedServiceAccessEnabled logic is not correct #4452

Closed jachin84 closed 9 months ago

jachin84 commented 10 months ago

Describe the bug

The networkRuleSets in https://github.com/Azure/ResourceModules/blob/58691e44109c5991c29f5345944b3253be920a58/modules/event-hub/namespace/network-rule-set/main.bicep seem to have incorrect logic.

resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2022-01-01-preview' = {
  name: 'default'
  parent: namespace
  properties: {
    publicNetworkAccess: publicNetworkAccess
    defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction)
    trustedServiceAccessEnabled: publicNetworkAccess == 'Disabled' ? null : trustedServiceAccessEnabled
    ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
    virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : networkRules
  }
}

The snippet above forces trustedServiceAccessEnabled to be null when publicNetworkAccess is set to "Disabled". This is incorrect. When using Private Endpoints this is the exact configuration that you need.

{
    "id": "/subscriptions/blah/resourcegroups/rg-1/providers/Microsoft.EventHub/namespaces/evtns-t-01/networkrulesets/default",
    "name": "default",
    "type": "Microsoft.EventHub/Namespaces/NetworkRuleSets",
    "location": "australiaeast",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "defaultAction": "Allow",
        "virtualNetworkRules": [],
        "ipRules": [],
        "trustedServiceAccessEnabled": true
    }
}

To reproduce

Deploy https://github.com/Azure/ResourceModules/blob/58691e44109c5991c29f5345944b3253be920a58/modules/event-hub/namespace/network-rule-set/main.bicep using:

Code snippet

No response

Relevant log output

No response
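The following is an added example, not code from the issue or from the ResourceModules project, showing a standalone network rule set module with the fix the report asks for: trustedServiceAccessEnabled is passed through regardless of publicNetworkAccess, so a private-endpoint-only namespace (publicNetworkAccess 'Disabled') can still end up with trustedServiceAccessEnabled true, matching the deployed JSON shown above. The parameter names, the existing-resource lookup and the output are assumptions for the example; the defaultAction, ipRules and virtualNetworkRules expressions are kept as in the module snippet.

```bicep
// Added example (not the project's code): Event Hub namespace network rule set
// that keeps trustedServiceAccessEnabled configurable when public access is Disabled.

@description('Required. Name of the parent Event Hub namespace (assumed parameter).')
param namespaceName string

@description('Optional. Whether the namespace accepts traffic from public networks. With Private Endpoints this is Disabled.')
@allowed([
  'Enabled'
  'Disabled'
])
param publicNetworkAccess string = 'Enabled'

@description('Optional. Default action when no IP or virtual network rule matches. Only applies while public access is Enabled.')
@allowed([
  'Allow'
  'Deny'
])
param defaultAction string = 'Allow'

@description('Optional. Let trusted Microsoft services bypass the rule set. Must remain settable when public access is Disabled.')
param trustedServiceAccessEnabled bool = true

@description('Optional. IP firewall rules (objects with ipMask and action).')
param ipRules array = []

@description('Optional. Virtual network (service endpoint) rules.')
param virtualNetworkRules array = []

// Look up the namespace this rule set belongs to (assumed to already exist).
resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = {
  name: namespaceName
}

resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2022-01-01-preview' = {
  name: 'default'
  parent: namespace
  properties: {
    publicNetworkAccess: publicNetworkAccess
    // Unchanged from the module: rules are only evaluated while public access is
    // Enabled, and the presence of any rule forces a Deny default.
    defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction)
    // Fix: pass the caller's value through unconditionally. The original module
    // nulled this when public access was Disabled, which is exactly the
    // private-endpoint scenario where trusted service access is still needed.
    trustedServiceAccessEnabled: trustedServiceAccessEnabled
    ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
    virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : virtualNetworkRules
  }
}

@description('The resource ID of the network rule set (assumed output).')
output resourceId string = networkRuleSet.id
```

Deploying this with publicNetworkAccess set to 'Disabled' and trustedServiceAccessEnabled left at its default produces a rule set whose properties read publicNetworkAccess "Disabled" and trustedServiceAccessEnabled true, with empty ipRules and virtualNetworkRules, which is the state shown in the issue's JSON. Flipping trustedServiceAccessEnabled to false is the setting to use when no first-party service should bypass the rule set.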

AlexanderSehr commented 9 months ago

Hey @jachin84, thanks for the issue and please excuse the late reply. I agree with your statement. As the module is not migrated to AVM yet, it should also be fixed in CARML as is. We'll see to get it in, thank you :)

AlexanderSehr commented 9 months ago

@eriqua - it has been a while, but the original addition of the entire feature happened in a PR you contributed. It would hence be cool to know if something would come to mind that we're not considering. I'll implement the change now regardless and then we can ever merge it or not. :)