ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

azure_rm_privateendpoint missing parameter #973

Open polocato opened 2 years ago

polocato commented 2 years ago
SUMMARY

Private endpoint creation is failing when the tenant is not authorized to access the linked subscription. az cli has an option for this: --manual-request true

ISSUE TYPE
COMPONENT NAME

azure_rm_privateendpoint

ANSIBLE VERSION
ansible 2.10.17
  config file = None
  configured module search path =  ['/home/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/xxx/.local/lib/python3.7/site-packages/ansible
  executable location = /home/xxxx/.local/bin/ansible
  python version = 3.7.5 (default, Dec  9 2021, 17:04:37) [GCC 8.4.0]
COLLECTION VERSION
# /home/xxx/.ansible/collections/ansible_collections
Collection         Version
------------------ -------
azure.azcollection 1.13.0

# /home/xxx/.local/lib/python3.7/site-packages/ansible_collections
Collection         Version
------------------ -------
azure.azcollection 1.4.0
CONFIGURATION
OS / ENVIRONMENT

WSL1 with Ubuntu 18.04

STEPS TO REPRODUCE

Set up a private endpoint when the tenant is not authorized to access the linked subscription (e.g. a different company):

- name: Azure
  hosts: localhost
  gather_facts: no
  collections:
    - azure.azcollection
  vars:
    az_rg: "xxxx-a.rg"
  tasks:
    # All "xxxx" values are redacted placeholders from the original report.
    - name: add endpoint
      azure_rm_privateendpoint:
        name: "private_endpoint_xxxx"
        tenant: "xxxxxxxx"
        auth_source: env
        resource_group: "xxxxx"
        private_link_service_connections:
          - name: "xxxxx"
            private_link_service_id: "xxxxx"
        subnet:
          id: "xxxxxx"
EXPECTED RESULTS

Private endpoint gets created

ACTUAL RESULTS

Playbook fails because it can't modify resources in the subscription:

"changed": false, "msg": "Error creating or updating private endpoint XXXX (LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope XXXXXX however the current tenant '********' is not authorized to access linked subscription
Fred-sun commented 2 years ago

@polocato Thank you for your attention. I'm sorry that I don't quite understand what you mean. Do you mean to add the parameter 'manual-request', or do you want to specify different tenants? Thank you very much!

polocato commented 2 years ago

Hello, thank you for looking into my request. I'd like to ask for the manual-request parameter; from my perspective this is not a missing feature but some kind of bug/missing core functionality. Without that parameter you can't create a private link between two unrelated companies. Best Regards

Fred-sun commented 1 year ago

@polocato Thank you for your reply, but I have checked the latest API and found that 'manual-request' is not supported and cannot be added for the time being. Once it is supported, we will add it as soon as possible. Thank you very much!

howardjones commented 2 days ago

I believe this is covered by the manual_private_link_service_connections field in the PrivateEndpoint object here: https://learn.microsoft.com/en-us/python/api/azure-mgmt-network/azure.mgmt.network.models.privateendpoint?view=azure-python

(Just ran into the same requirement)
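For reference, the difference between the two request shapes discussed in this thread, as an added example that is not code from azure.azcollection, the Azure SDK or any commenter here: the function below builds the ARM request body for a Microsoft.Network/privateEndpoints resource and places the connection either under privateLinkServiceConnections (auto-approval, which requires the caller to hold PrivateEndpointConnectionsApproval/action on the provider's link service and therefore fails cross-tenant with LinkedAuthorizationFailed, as in the error above) or under manualPrivateLinkServiceConnections (the field howardjones points to, which is what `--manual-request true` sends; the connection is then created pending the provider's approval). All resource IDs, names and the sample error string are constructed placeholders.

```python
"""Build the ARM body for a private endpoint, with or without manual
(provider-approved) private link service connections.

Added example for this issue; not code from azure.azcollection or the
Azure SDK. Every ID and name below is a constructed placeholder.
"""
import re

# Assumed placeholders (constructed, not from the original report).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/"
             "consumer-rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/pe-subnet")
PROVIDER_PLS_ID = ("/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/"
                   "provider-rg/providers/Microsoft.Network/privateLinkServices/pls1")

# Constructed sample of the error quoted in the issue (tenant/scope redacted).
SAMPLE_ERROR = ("Error creating or updating private endpoint pe1 (LinkedAuthorizationFailed) "
                "The client has permission to perform action "
                "'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' "
                "on scope XXXXXX however the current tenant '********' is not authorized to "
                "access linked subscription")


def private_endpoint_body(location, subnet_id, connections, manual_request=False,
                          request_message=None):
    """Return the ARM JSON body for Microsoft.Network/privateEndpoints.

    connections: list of dicts with 'name', 'private_link_service_id' and an
    optional 'group_ids' list. With manual_request=False the connections go
    under properties.privateLinkServiceConnections, which makes ARM call
    PrivateEndpointConnectionsApproval/action on the provider's resource on
    the caller's behalf; that is the cross-tenant failure in this issue.
    With manual_request=True they go under
    properties.manualPrivateLinkServiceConnections instead, so the link is
    created in a pending state and the provider must approve it from their
    side, which is the only path that works between unrelated tenants.
    """
    entries = []
    for conn in connections:
        props = {"privateLinkServiceId": conn["private_link_service_id"]}
        if conn.get("group_ids"):
            props["groupIds"] = list(conn["group_ids"])
        if manual_request and request_message:
            # Optional free text shown to the provider when reviewing the request.
            props["requestMessage"] = request_message
        entries.append({"name": conn["name"], "properties": props})

    key = "manualPrivateLinkServiceConnections" if manual_request \
        else "privateLinkServiceConnections"
    return {
        "location": location,
        "properties": {
            "subnet": {"id": subnet_id},
            key: entries,
        },
    }


def is_cross_tenant_approval_failure(error_message):
    """True when an ARM error is the LinkedAuthorizationFailed case from this
    issue: the caller has the approval action but the target sits in a
    subscription its tenant cannot reach. A caller seeing this should resend
    the request with manual_request=True rather than ask for more RBAC."""
    return bool(re.search(r"\(LinkedAuthorizationFailed\)", error_message)) and \
        "PrivateEndpointConnectionsApproval/action" in error_message


if __name__ == "__main__":
    conns = [{"name": "to-provider", "private_link_service_id": PROVIDER_PLS_ID}]
    auto = private_endpoint_body("westeurope", SUBNET_ID, conns)
    manual = private_endpoint_body("westeurope", SUBNET_ID, conns, manual_request=True,
                                   request_message="consumer-corp requesting access")
    print(sorted(auto["properties"]))
    print(sorted(manual["properties"]))
    print(is_cross_tenant_approval_failure(SAMPLE_ERROR))
```

Until azure_rm_privateendpoint exposes the manual list, a body like the manual variant can be submitted through the collection's generic azure_rm_resource module (provider Microsoft.Network, resource type privateEndpoints) with a Microsoft.Network API version that includes manualPrivateLinkServiceConnections; the consumer then has to wait for the provider to approve the pending connection before traffic flows.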