alex-frankel
commented
2 years ago I think this is a limitation in the design of complete mode, but should be addressed with deployment stacks which is now in private preview. cc @bmoore-msft as FYI
Closed kovalsky-tmz closed 2 years ago
alex-frankel
commented
2 years ago I think this is a limitation in the design of complete mode, but should be addressed with deployment stacks which is now in private preview. cc @bmoore-msft as FYI
kovalsky-tmz
commented
2 years ago so I understand that it's not possible to maintain IAAC private endpoints with NICs in Complete mode ?
alex-frankel
commented
2 years ago Yes. If there is a NIC getting automatically created on your behalf in the same RG as these other resources, then a complete mode deployment will attempt to delete that NIC on a redeployment because it is not declared in the bicep code. IOW, it is by design. This is one of many limitations of complete mode and why we are investing in Deployment Stacks to duplicate and extend the functionality of Complete mode, without the drawbacks.
kovalsky-tmz
commented
2 years ago @alex-frankel thanks for your help and informations.
bmoore-msft
commented
2 years ago @kowal20x7 - In general I don't think we ever recommend complete mode - there are too many latent behaviors. TL;DR deploymentStacks will only attempt to clean up resources that are in the template. So will help with this particular scenario, the flip side is that if the nic is implicitly created (i.e. not explicitly defined in the template) the stack will not clean it up even if you wanted it to... slightly separate issue, point being I'm interested in your scenario if it's related somehow...
kovalsky-tmz
commented
2 years ago @bmoore-msft yes that's exactly what I would need, to 'ignore' the resource (NIC in this case) from deletion while other resources will be deleted/modified if I wanted. I tried with 'Lock' on Resource but unfortunatelly Complete deployment return error because is trying to remove it anyway. Currently in my case I see that I need to move private endpoints with NICs to separate resource group and never use Complete mode there.
NSimpragaVolur
commented
1 year ago Just ran into this same issue! I feel like Complete mode is much better in terms of keeping the infrastructure clean and without any loose ends, but this is a major drawback. Basically any infra using private endpoints is unusable with 'Complete' deployment mode. Following this
straville
commented
1 year ago We've run into this issue as well and I've been scratching my head a couple of days. This doesn't feel like enterprise-grade IaC solution..
At some point I was investigating option to define the whole NIC in Bicep and simply pass that as property to the private endpoint being deployed, but it seems NIC creation is fully automatic and only PE's NIC name can be customized.
Will examine deployment stacks, but the situation isn't really acceptable.
dazinator
commented
1 year ago I opened a support ticket for this issues with Azure support. No one there has yet been able to confirm whether this is a problem - in fact it's been weeks just trying to get someone who can understand the issue at all. There is no documentation of this issue aside from this github issue, so if it is a known issue that will be addresses in future it would be great if this issue could perhaps be highlighted:-
jegadeesan-ponnusamy
commented
1 year ago I am facing the same issue with biceps, NIC and Private endpoints with complete mode deployment. The status of this issue is closed, but I couldnt find a solution or a workaround for this issue. Do anyone point me to the solution or workaround on this issue?
brwilkinson
commented
1 year ago @jegadeesan-ponnusamy
The reason it was Closed was because Complete Mode is known to be an incomplete solution for managing lifecycle. i.e. this was closed, with "will not fix" or "not planned". In the meantime, the recommendation would be to not use complete mode, given it's known limitations.
The new Deployment Stacks capability is currently being worked on/developed, which will be a more robust solution.
jegadeesan-ponnusamy
commented
1 year ago @brwilkinson - Thank you for your inputs. I will wait for your findings. Also, I am already handling the scenario mentioned in az#1511.
dazinator
commented
1 year ago The reason it was Closed was because
Complete Modeis known to be an incomplete solution for managing lifecycle. i.e. this was closed, with "will not fix" or "not planned". In the meantime, the recommendation would be to not use complete mode, given it's known limitations.The new
Deployment Stackscapability is currently being worked on/developed, which will be a more robust solution.
- I will do some testing on the scenario that you are hitting and see if I can come up with any workaround for complete mode that might cover this.
@brwilkinson It has been confirmed that the new deployment stacks will not solve this issue completely either. I have yet to conduxt a test. What makes you think deployment stack will fix it? I am thinking if the nic is not in the stack then if you deleted the stack it would either leave an orphaned nic, or would fail as the nic is in use.
brwilkinson
commented
1 year ago @dazinator agree. Will have to test.
kolendomichal
commented
1 year ago @brwilkinson Did you manage to test out this scenario? We have hit the exact same issue when trying to move our deployments to Complete mode :/
Hello, Im stuck on complete mode deployment of privateEndpoint, even if I try to deploy it first time, bicep creates it correctly but then trying to remove NIC with no reason and ofc it cant remove it because it's connected to private endpoint. In privateEndpoint resource Im using 'customNetworkInterfaceName' but with auto generate NIC name result is the same.
privateEndpoints resource is a part of entire module which Ive got in base template
'template' events:
Any idea for workaround on that? Thanks