Keyvault Private endpoint can't deploy in the desired resource group

[anasmohana]

Can't deploy private endpoint for Keyvault en the desired resource group even if we add lz_key and resource_group_key it's working fine in the storage account private endpoint. here is the code:

private_endpoints = { pe_caf = { vnet_key = "devops_region1" subnet_keys = ["private_endpoints"]

storage_accounts = {
  level0 = {
    name = "lzstl0jfmch_sa_pe"                       
    lz_key = "launchpad"                      
    resource_group_key = "level0"     

    private_service_connection = {
      name              = "psc-stg-level0"
      subresource_names = ["blob"]
    }
    private_dns = {
      zone_group_name = "privatelink.blob.core.windows.net"
      keys = ["dns1"]
    }
  }
}

keyvaults = {
  level0 = {
    name = "kv_pe"
    lz_key = "launchpad"
    resource_group_key = "bastion_launchpad"

    private_service_connection = {
      name = "psc-kv_rg1"
    }

    private_dns = {
      zone_group_name = "privatelink.vaultcore.azure.net"
      keys = ["dns2"]
    }
  }
}

} } looks like the key vault pe takes the default RG (vnet RG) all the time and we can't override that.

[evershade]

Having the same issue and I think I see the problem. In the nested subnet module at /modules/networking/private_links/endpoints/subnet/keyvaults.tf the code doesn't drill down into the LZ.

resource_group_name = try(var.resource_groups[each.value.resource_group_key].name, var.vnet_resource_group_name)

The storage_account.tf file goes into the actual LZ but there are several other files that also don't. Looks like the fix is to reference the LZ key before the RG key.

I'm going to take a stab at this as my first contribution.

[JoDexsph]

The same goes for Recovery Sevices Valuts, it seems only Storage Accounts PE created within the desired resource group.