bug: vNet peering gateway transit is backward

[WibblyDibbler]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

Please paste the output of terraform version command from within the initialized directory:

1.5.0

Please enter the module version that you are using:

3.3.0

Description

The azapi_resource references for peering_hub_outbound and peering_hub_inbound do not allow configuration of allowGatewayTransit. Oddly, peering_hub_outbound is hard-coded to false, and peering_hub_inbound is hard-coded to true. A typical hub-and-spoke network should have those swapped, i.e. the spoke should be able to allow gateway transit from networks not in the hub - not the other way around. Either way, let the module consumers decide which is allowed when in the event they have/want some non-standard network topology.

Steps to Reproduce

1. Set the lz_vending module's virtual_network_enabled = true and provide values for virtual_networks
2. There is nowhere to propagate configuration to allowGatewayTransit

Additional context

The terraform plan plan for module 3.4.1 shows no changes relative to this, and the module source indicates no support as of commit ID d17ad87e64fa81c0c7c068cde0fa575b4d4a3fef.

[matt-FFFFFF]

Hi @WibblyDibbler

Thanks for reporting. We are looking into this

[jtracey93]

Hi @WibblyDibbler,

From my investigation into this, I believe the way the peerings are configured are correct as they are.

You are certainly correct about not being able to toggle allowGatewayTransit today in the module however, you can toggle hub_peering_use_remote_gateways to control whether the spoke although I think I may of spotted a bug there.

Just doing some testing but initially this doesn't look to be incorrect.

cc: @matt-FFFFFF

[jtracey93]

Forgot to add this is the same as Bicep Sub Vending:

https://github.com/Azure/bicep-lz-vending/blob/main/src/self/subResourceWrapper/deploy.bicep#L194-L206

[jtracey93]

Okay so did some testing and I think how it is today is correct, see below for why.

Source: https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/virtualnetworkpeerings?pivots=deployment-language-bicep

[WibblyDibbler]

I opened this issue because the peerings as displayed in the Azure Portal showed otherwise. Unfortunately, I did not take a screenshot, and the language appears to have changed - I have no idea how to verify that. Either way, this all looks good. Sorry for the run-around.