Open kevinmatthews-kpmg opened 3 years ago
It would be nice for this to be done along with: Support CustomSubDomain in azurerm_cognitive_account #7338
Both are needed to get a private endpoint working correctly and securely.
It would also be nice if this supported the "disabled" option that can be specified in the Azure portal.
@mbfrahry @pjolsen Why do I have to set custom_subdomain_name when I use network ACLs?

```
│ Error: "network_acls": all of `custom_subdomain_name,network_acls` must be specified
```
any traction?
Any updates on why we have to set custom_subdomain_name when we use network_acls?
Same problem here. We are unable to configure the ACL directly from the module. As a workaround, we have a null resource built within the cognitive services module to configure the ACL, while ignoring changes to the ACL within the main cognitive services module. However, it is inefficient to work with null resources.
It seems that the adjustment to cognitive services made in azurerm 2.69.0 (azurerm_cognitive_account supports ignore_missing_vnet_service_endpoint #12600) is not quite clean.
The new attribute ignore_missing_vnet_service_endpoint is grouped together with subnet_id and should replace the old attribute virtual_network_subnet_ids.
However, in the tfstate you can still find virtual_network_subnet_ids, which causes a conflict when applying the tf code.
```json
"network_acls": [
  {
    "default_action": "Deny",
    "ip_rules": [
      "PUBLIC_ID"
    ],
    "virtual_network_rules": [
      {
        "ignore_missing_vnet_service_endpoint": true,
        "subnet_id": "SUBNET_ID"
      }
    ],
    "virtual_network_subnet_ids": [
      "SUBNET_ID"
    ]
  }
],
```
Hi, is there any update on the issue?
Currently I have the feeling that it's not working at all.
I've tried a few different runs; currently:
```hcl
network_acls {
  default_action             = "Deny"
  ip_rules                   = local.allowed_ips
  virtual_network_subnet_ids = [azurerm_subnet.mysubnet.id]
}
```
This works, but only temporarily: when I run terraform apply the subnet is added, but if I run terraform apply again, the subnet is removed from the cognitive_account!
The "new way" is not giving me anything at all, no matter whether I try it like this:
```hcl
network_acls {
  default_action = "Deny"
  ip_rules       = local.allowed_ips
  virtual_network_rules {
    ignore_missing_vnet_service_endpoint = true
    subnet_id                            = azurerm_subnet.mysubnet.id
  }
}
```
Or like this:
```hcl
network_acls {
  default_action = "Deny"
  ip_rules       = local.allowed_ips
  virtual_network_rules = [
    {
      ignore_missing_vnet_service_endpoint = true
      subnet_id                            = azurerm_subnet.mysubnet.id
    }
  ]
}
```
Both ways give me the same result in terraform plan:

```
- virtual_network_rules = [] -> null
```
Any news on this?
virtual_network_subnet_ids has been deprecated starting from v3.0, and the network rules are now configured by subnet_id. There was an issue with the network rule, and it has been fixed in #13108. Below is a working example I tried with v3.58.0: it creates the azurerm_cognitive_account with two subnets configured, and when its tags are updated it keeps the subnets as well.
```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "testrg"
  location = "eastus"
}

resource "azurerm_virtual_network" "test" {
  name                = "testvnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "test_a" {
  name                 = "subneta"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.CognitiveServices"]
}

resource "azurerm_subnet" "test_b" {
  name                 = "subnetb"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.CognitiveServices"]
}

resource "azurerm_cognitive_account" "test" {
  name                  = "testaccount"
  location              = azurerm_resource_group.test.location
  resource_group_name   = azurerm_resource_group.test.name
  kind                  = "Face"
  sku_name              = "S0"
  custom_subdomain_name = "testaccount"

  network_acls {
    default_action = "Deny"
    virtual_network_rules {
      subnet_id                            = azurerm_subnet.test_a.id
      ignore_missing_vnet_service_endpoint = false
    }
    virtual_network_rules {
      subnet_id                            = azurerm_subnet.test_b.id
      ignore_missing_vnet_service_endpoint = true
    }
  }

  #tags = {
  #  a = 1
  #}
}
```
> @mbfrahry @pjolsen Why do I have to set custom_subdomain_name when I use network ACLs?
> │ Error: "network_acls": all of `custom_subdomain_name,network_acls` must be specified

The requirement of custom_subdomain_name for network_acls appears to come with this commit by @mbfrahry: https://github.com/hashicorp/terraform-provider-azurerm/commit/aca32a0fcbf69b4d9b80734a9acc47530dc4d365.
The docs at https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks include two cases: vnet which requires a custom subdomain, and another one that only requires a list of IP addresses. It appears that the current implementation does not support the latter case.
Turning on firewall rules for your Cognitive Services account blocks incoming requests for data by default. In order to allow requests through, one of the following conditions needs to be met:
- The request should originate from a service operating within an Azure Virtual Network (VNet) on the allowed subnet list of the target Cognitive Services account. The endpoint in requests originated from VNet needs to be set as the custom subdomain of your Cognitive Services account.
- Or the request should originate from an allowed list of IP addresses.
@marcindulak the latter case should already be supported with network_acls.ip_rules.
I commented in https://github.com/hashicorp/terraform-provider-azurerm/issues/10041#issuecomment-1572638149, since I'm getting

```
Error: "network_acls": all of `custom_subdomain_name,network_acls` must be specified
```

with the resource defined like below. It's a case of public, non-vnet access (case 2 in the Azure docs from my comment).
```hcl
resource "azurerm_cognitive_account" "this" {
  name                               = "this"
  resource_group_name                = "this"
  location                           = "westeurope"
  kind                               = "FormRecognizer"
  local_auth_enabled                 = true
  outbound_network_access_restricted = true
  public_network_access_enabled      = true
  sku_name                           = "S0"

  identity {
    type = "SystemAssigned"
  }

  network_acls {
    default_action = "Deny"
    ip_rules       = ["IP1", "IP2"]
  }
}
```
@marcindulak network ACL settings are not functional without the custom subdomain name. Though the API allows it, we block it in the Terraform schema to ensure it can work when set.
Below is the screenshot from the Azure Portal when the custom subdomain name is not set:
and the document for reference: https://learn.microsoft.com/azure/cognitive-services/speech-service/speech-service-vnet-service-endpoint#create-a-custom-domain-name
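As an added check for the point above (this is not code from the thread or from the provider): a small Python audit over the JSON that `az cognitiveservices account show` returns, run here against a constructed sample, that flags network ACLs configured without a custom subdomain, a non-Deny default action, catch-all IP rules, and VNet rules added with the missing-service-endpoint check skipped. It assumes the property names of the Cognitive Services ARM schema (networkAcls, defaultAction, ipRules, virtualNetworkRules, customSubDomainName); the sample values and subscription id are made up.

```python
import ipaddress
import json

# Constructed sample shaped like `az cognitiveservices account show` output
# (hypothetical values, not captured from a real account).
SAMPLE_ACCOUNT = json.loads("""
{
  "properties": {
    "customSubDomainName": null,
    "networkAcls": {
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.10"}],
      "virtualNetworkRules": [
        {"id": "/subscriptions/SUB_ID/resourceGroups/testrg/providers/Microsoft.Network/virtualNetworks/testvnet/subnets/subneta",
         "ignoreMissingVnetServiceEndpoint": true}
      ]
    }
  }
}
""")


def audit_network_acls(account: dict) -> list:
    """Return findings about a Cognitive Services account's network ACL posture."""
    props = account.get("properties") or {}
    acls = props.get("networkAcls") or {}
    findings = []
    if not acls:
        return ["no networkAcls configured: account is reachable from any network"]
    # The thread's core point: ACL rules are not enforced without a custom subdomain.
    if not props.get("customSubDomainName"):
        findings.append("networkAcls set but customSubDomainName is empty: rules are not enforced")
    if acls.get("defaultAction") != "Deny":
        findings.append(f"defaultAction is {acls.get('defaultAction')!r}, expected 'Deny'")
    for rule in acls.get("ipRules") or []:
        value = rule.get("value", "")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"ip rule {value!r} is not a valid address or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"ip rule {value!r} allows every address")
    # A rule added with the endpoint check skipped may name a subnet that has no
    # Microsoft.CognitiveServices service endpoint, so it can silently match nothing.
    for rule in acls.get("virtualNetworkRules") or []:
        if rule.get("ignoreMissingVnetServiceEndpoint"):
            subnet = rule.get("id", "").rsplit("/", 1)[-1]
            findings.append(f"vnet rule for subnet {subnet!r} skipped the service endpoint check")
    return findings
```

Pipe the real `az cognitiveservices account show -n <name> -g <rg>` output into `audit_network_acls(json.load(sys.stdin))` to run it against a live account.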
Is anyone aware of how to disable the "Allow Azure services on the trusted services list to access this cognitive services account." checkbox reliably?
It seems there is no clean/easy way to do that?
The network rules don't take any bypass lists like other resources do (e.g. storage accounts), or allow IP rules with ranges (MS SQL).
Once the default is set to "Deny", the box is checked. If unchecked manually, terraform sees no drift which is worrying and leaves no ideas on how to control it.
Description
Currently there doesn't seem to be a way of adding network rules onto cognitive services; this could be implemented identically to how it's done on storage accounts.