hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for azurerm_private_endpoint_connection data source inclusion of resourceGuid #12994

Open Avichelverma opened 3 years ago

Avichelverma commented 3 years ago

Description

The azurerm_private_endpoint_connection data source is missing the resourceGuid attribute, which can be used by another service to recognize the particular private endpoint. In this case, Elastic uses the private_endpoint_name and resourceGuid to approve the private endpoint that is being created. Kindly see the references below to understand Elastic's process of traffic rule approval.

New or Affected Resource(s)

Potential Terraform Configuration

data "azurerm_private_endpoint_connection" "example" {
  name                = "example-private-endpoint"
  resource_group_name = "example-rg"
}

This data block needs to return the following attributes:

example = {
    id = ""
    location = ""
    name = ""
    private_service_connection = [
        {
            name = ""
            private_ip_address = ""
            request_response = ""
            status = ""
        }
    ]
    resource_group_name = ""
    timeout = ""
    + resourceGuid = "" // this particular attribute needs to be added in this data block
}

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_endpoint_connection
https://www.elastic.co/blog/secure-your-deployments-on-elastic-cloud-with-azure-private-link

WodansSon commented 3 years ago

@Avichelverma, thank you for opening this issue. I currently am not aware of a way to get that value via the GO SDK. The Portal UI calls it resourceGUID, but under the covers that value is actually the Deployment GUID. The Deployment GUID is not returned from what I can see. 🙁 I will keep looking, but this may not be possible at this point in time.

igor-kupczynski commented 3 years ago

I've +1ed the issue, because I think it is a valid ask. We at Elastic require the customers to provide a GUID + name of the customers' private endpoints [0] in order to automatically approve their connection to our private link service via the Azure Management API.

We use the following call to approve the connection [1]: https://docs.microsoft.com/en-us/rest/api/virtualnetwork/private-link-services/update-private-endpoint-connection

It looks like this: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/privateLinkServices/{serviceName}/privateEndpointConnections/{peConnectionName}?api-version=2021-02-01

Now, it's not documented clearly, but {peConnectionName} is actually {first 43 characters of peEndpointName} DOT {peEndpointGuid} (e.g. test-pe-connection.00000000-0000-0000-0000-000000000000). Which makes sense, because the endpoint name is not unique, so you may have multiple endpoints with the same name connected to a single service.

Screenshot with a connection name to confirm [from a dev env, but with a "real" connection] ![azure pending connection name](https://user-images.githubusercontent.com/166651/129871194-5a3998d4-6fd4-4625-a958-0571968d5ddf.png)

To put this into context:

This works fine for customers who want to manage their PE via the Azure Portal as both name and guid are exposed there, but not so much for customers who manage their PE with terraform.

Hope that makes sense, let me know if some more details would help.

0: https://www.elastic.co/blog/secure-your-deployments-on-elastic-cloud-with-azure-private-link (look for step 3)
1: https://docs.microsoft.com/en-us/rest/api/virtualnetwork/private-link-services/update-private-endpoint-connection
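
The naming rule described in the comment above, as an added example in Go. This is not code from the provider, from Elastic, or from the commenter: it builds the {peConnectionName} path segment from a private endpoint name and its resourceGuid, truncating the name to the 43-character prefix the comment reports, and parses such a name back into its parts. The 43-character limit and the dot separator are taken from the comment rather than from Microsoft documentation, and the function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// guidRe matches the 8-4-4-4-12 hex form Azure uses for resourceGuid.
var guidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// maxNamePrefix is the endpoint-name prefix length reported in the thread (43).
// Assumption: this is an observation from the comment, not a documented contract.
const maxNamePrefix = 43

// ConnectionName builds the {peConnectionName} segment used by the
// "Private Link Services - Update Private Endpoint Connection" call:
// the first 43 characters of the endpoint name, a dot, then the resourceGuid.
// Private endpoint names are ASCII, so byte-based truncation is safe here.
func ConnectionName(endpointName, resourceGUID string) (string, error) {
	if endpointName == "" {
		return "", errors.New("endpoint name must not be empty")
	}
	g := strings.ToLower(resourceGUID)
	if !guidRe.MatchString(g) {
		return "", fmt.Errorf("resourceGuid %q is not a GUID", resourceGUID)
	}
	prefix := endpointName
	if len(prefix) > maxNamePrefix {
		prefix = prefix[:maxNamePrefix]
	}
	return prefix + "." + g, nil
}

// ParseConnectionName splits a connection name into its name prefix and GUID.
// The GUID is a fixed-length suffix, so the split is unambiguous even when the
// prefix itself contains dots.
func ParseConnectionName(connName string) (prefix, guid string, err error) {
	const guidLen = 36
	// Need at least one prefix character, the dot, and the GUID.
	if len(connName) < guidLen+2 {
		return "", "", fmt.Errorf("connection name %q is too short", connName)
	}
	cut := len(connName) - guidLen
	guid = connName[cut:]
	if connName[cut-1] != '.' || !guidRe.MatchString(guid) {
		return "", "", fmt.Errorf("connection name %q does not end in .<guid>", connName)
	}
	return connName[:cut-1], guid, nil
}

func main() {
	// Constructed sample values; the GUID is a placeholder, not a real resource.
	for _, name := range []string{"test-pe-connection", strings.Repeat("long-endpoint-name-", 4)} {
		cn, err := ConnectionName(name, "00000000-0000-0000-0000-000000000000")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		p, g, _ := ParseConnectionName(cn)
		fmt.Printf("%s -> %s (prefix %q, guid %s)\n", name, cn, p, g)
	}
}
```

The truncation matters in practice: two endpoints whose names share their first 43 characters differ only by the GUID suffix, which is exactly why the approval call cannot be keyed on the name alone.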

tonythomasm commented 2 years ago

+1

sudarshntn commented 2 years ago

+1

miguelbrandao commented 2 years ago

+1

vmartinj commented 2 years ago

+1

cgroschupp commented 1 year ago

my workaround for this problem:

data "azapi_resource" "elastic_privateendpoint_resource_guid" {
  type      = "Microsoft.Network/privateEndpoints@2022-01-01"
  name      = "<endpoint-name>"
  parent_id = "<resource_group_obj_id>"

  response_export_values = ["properties.resourceGuid"]
}

resource "ec_deployment_traffic_filter" "this" {
  name   = "<name>"
  region = "azure-westeurope"
  type   = "azure_private_endpoint"

  rule {
    azure_endpoint_name = "<azure_endpoint_name>"
    azure_endpoint_guid = jsondecode(data.azapi_resource.elastic_privateendpoint_resource_guid.output).properties.resourceGuid
  }
}

james-woodbridge commented 1 year ago

+1

kuminin commented 1 year ago

my workaround for this problem:

data "azapi_resource" "elastic_privateendpoint_resource_guid" {
  type      = "Microsoft.Network/privateEndpoints@2022-01-01"
  name      = "<endpoint-name>"
  parent_id = "<resource_group_obj_id>"

  response_export_values = ["properties.resourceGuid"]
}

resource "ec_deployment_traffic_filter" "this" {
  name   = "<name>"
  region = "azure-westeurope"
  type   = "azure_private_endpoint"

  rule {
    azure_endpoint_name = "<azure_endpoint_name>"
    azure_endpoint_guid = jsondecode(data.azapi_resource.elastic_privateendpoint_resource_guid.output).properties.resourceGuid
  }
}

I tried doing this. However, I ran into issues where I was getting a 404 for the resource not being found. I created another workaround where I leveraged the hashicorp/external provider to leverage the az command to retrieve the results.

# Authenticate as the service principal. Note that passing the secret with -p
# exposes it in the process list and shell history; prefer a certificate or
# an environment-based login where possible.
az login --service-principal -u $CLIENT_ID -p $CLIENT_SECRET --tenant $TENANT_ID
# Returns the full ARM resource body; the GUID is at properties.resourceGuid.
az resource show --ids $PRIVATE_ENDPOINT_RESOURCE_ID

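
A worked version of the external-provider workaround mentioned above, added here as an example. It is not kuminin's code and not part of the provider: a small Go program that follows the hashicorp/external data source contract (a JSON object of string values on stdin, a JSON object of string values on stdout, non-zero exit with a message on stderr to fail the data source), runs az resource show for the resource ID in its query, and returns properties.resourceGuid. The resource_id query key, the resource_guid result key, the ExtractResourceGuid/ExternalResult function names and the sample ARM body in the comments are my assumptions; the program expects an already-authenticated az session rather than taking credentials itself.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"regexp"
)

// guidRe matches the 8-4-4-4-12 hex form Azure uses for resourceGuid.
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// armPrivateEndpoint is the subset of a Microsoft.Network/privateEndpoints
// GET body that we need; `az resource show -o json` prints the same shape.
type armPrivateEndpoint struct {
	ID         string `json:"id"`
	Properties struct {
		ResourceGuid string `json:"resourceGuid"`
	} `json:"properties"`
}

// ExtractResourceGuid pulls properties.resourceGuid out of a raw ARM response
// and checks that it looks like a GUID before anything downstream trusts it.
func ExtractResourceGuid(body []byte) (string, error) {
	var pe armPrivateEndpoint
	if err := json.Unmarshal(body, &pe); err != nil {
		return "", fmt.Errorf("decoding ARM response: %w", err)
	}
	if pe.Properties.ResourceGuid == "" {
		return "", errors.New("response has no properties.resourceGuid")
	}
	if !guidRe.MatchString(pe.Properties.ResourceGuid) {
		return "", fmt.Errorf("properties.resourceGuid %q is not a GUID", pe.Properties.ResourceGuid)
	}
	return pe.Properties.ResourceGuid, nil
}

// ExternalResult builds the flat string map the external provider requires.
// Assumed result key: resource_guid.
func ExternalResult(body []byte) (map[string]string, error) {
	guid, err := ExtractResourceGuid(body)
	if err != nil {
		return nil, err
	}
	return map[string]string{"resource_guid": guid}, nil
}

func fail(format string, args ...any) {
	fmt.Fprintf(os.Stderr, format+"\n", args...)
	os.Exit(1)
}

// main is the external provider entry point. Assumed query key: resource_id.
func main() {
	var query struct {
		ResourceID string `json:"resource_id"`
	}
	if err := json.NewDecoder(os.Stdin).Decode(&query); err != nil {
		fail("reading query from stdin: %v", err)
	}
	if query.ResourceID == "" {
		fail("query.resource_id is required")
	}
	// The ID is passed as a separate argv element, never through a shell, so a
	// crafted resource_id cannot inject commands. Uses the caller's existing az login.
	out, err := exec.Command("az", "resource", "show", "--ids", query.ResourceID, "-o", "json").Output()
	if err != nil {
		fail("az resource show failed: %v", err)
	}
	result, err := ExternalResult(out)
	if err != nil {
		fail("%v", err)
	}
	if err := json.NewEncoder(os.Stdout).Encode(result); err != nil {
		fail("writing result: %v", err)
	}
}
```

On the Terraform side you would point a data "external" block's program at the compiled binary, pass query = { resource_id = azurerm_private_endpoint.example.id }, and feed data.external.<name>.result.resource_guid into ec_deployment_traffic_filter's azure_endpoint_guid. The program runs on every plan, so the az session must be valid in the context Terraform runs in, and it should only ever receive the resource ID, not credentials.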
mmillican commented 6 months ago

@cgroschupp's solution worked for me, but I still think there's value in making the resourceGuid more of a "first class" property if it ever becomes available in the Go SDK.