hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Cosmos DB deployment differs from az cli #16628

Closed Insighter2k closed 2 years ago

Insighter2k commented 2 years ago

Terraform Version

1.1.8

AzureRM Provider Version

3.3.0

Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_account

Terraform Configuration Files

resource "azurerm_cosmosdb_account" "db" {
  name                                  = "${var.instance}-prime-${var.account_name}-cosmos"
  resource_group_name                   = var.resource_group_name
  location                              = var.location
  offer_type                            = "Standard"
  #Not usable without UserAssignedIdentity
  default_identity_type                 = "FirstPartyIdentity"
  ip_range_filter                       = var.ip_range_filter
  public_network_access_enabled         = false
  network_acl_bypass_for_azure_services = true

  identity {
    type = "SystemAssigned"
  }

  consistency_policy {
    consistency_level = "Session"
  }

  capabilities {
    name = "EnableServerless"
  }

  backup {
    type                = "Periodic"
    interval_in_minutes = 60
    retention_in_hours  = 24
    storage_redundancy  = "Geo"
  }

  geo_location {
    location          = var.location
    failover_priority = 0
  }
}

Debug Output/Panic Output

Request originated from IP XYZ through public internet. This is blocked by your Cosmos DB account firewall settings. More info: https://aka.ms/cosmosdb-tsg-forbidden
ActivityId: xyz, Microsoft.Azure.Documents.Common/2.14.0

Expected Behaviour

I can interact via my application (C#) or directly with the Data Explorer to upload / add new items.

Actual Behaviour

It doesn't work, since I am being blocked. My IP is added to the selected network list.

This behaviour doesn't exist if I deploy my Cosmos DB via PowerShell.

Steps to Reproduce

No response

Important Factoids

No response

References

Powershell script

az cosmosdb create `
-n "dev-prime-sql-12345-cosmos" `
-g "dev-cosmos-rg" `
--subscription "<my-sub>" `
--capabilities EnableServerless `
--default-consistency-level Session `
--backup-policy-type Periodic `
--backup-redundancy Zone `
--backup-interval 60 `
--backup-retention 24 `
--network-acl-bypass AzureServices `
--key-uri "<key-uri>" `
--assign-identity "<id>" `
--default-identity "UserAssignedIdentity=<id>"

tombuildsstuff commented 2 years ago

hi @Insighter2k

Thanks for opening this issue.

The Terraform Configuration above disables the public network access, whereas the Azure CLI enables this by default - which is why this can't connect. This forum is intended to be used for feature enhancements and bugs in the Azure Provider - so that we can keep this forum focused on that, we instead ask that broader questions are raised using one of the Community Resources. As such I'm going to close this issue for the moment, but I believe you should be able to get an answer for this using one of the Community Resources.

Thanks!
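The two ways the account in this thread can be made reachable, written out as an added example that is not code from the issue author or from the provider's documentation. With `public_network_access_enabled = false` the IP firewall (`ip_range_filter`) never applies, because no traffic is accepted on the public endpoint at all, so an allow-listed client IP still gets the "blocked by your Cosmos DB account firewall settings" error. The first resource keeps the public endpoint on and relies on the allow list; the second keeps it off and adds a private endpoint instead. Variable names are the ones from the reported configuration, except `var.private_endpoint_subnet_id` and the sample CIDR string, which are assumptions for this example; in provider 3.x `ip_range_filter` is a comma-separated string.

```hcl
# Variant A: public endpoint enabled, restricted to the allow list.
# Only with public_network_access_enabled = true does ip_range_filter take effect.
resource "azurerm_cosmosdb_account" "db_public_allowlisted" {
  name                = "${var.instance}-prime-${var.account_name}-cosmos"
  resource_group_name = var.resource_group_name
  location            = var.location
  offer_type          = "Standard"

  public_network_access_enabled         = true
  # Comma-separated string in provider 3.x, e.g. "203.0.113.10,198.51.100.0/24"
  # (constructed sample values; the portal's Data Explorer additionally needs the
  # portal addresses published by Microsoft in this list).
  ip_range_filter                       = var.ip_range_filter
  network_acl_bypass_for_azure_services = true

  identity {
    type = "SystemAssigned"
  }

  consistency_policy {
    consistency_level = "Session"
  }

  capabilities {
    name = "EnableServerless"
  }

  backup {
    type                = "Periodic"
    interval_in_minutes = 60
    retention_in_hours  = 24
    storage_redundancy  = "Geo"
  }

  geo_location {
    location          = var.location
    failover_priority = 0
  }
}

# Variant B: public endpoint disabled entirely; clients reach the account only
# through a private endpoint in a subnet of your own VNet. ip_range_filter is
# deliberately omitted because it has no effect in this mode.
resource "azurerm_cosmosdb_account" "db_private_only" {
  name                = "${var.instance}-prime-${var.account_name}-cosmos-pe"
  resource_group_name = var.resource_group_name
  location            = var.location
  offer_type          = "Standard"

  public_network_access_enabled         = false
  network_acl_bypass_for_azure_services = true

  identity {
    type = "SystemAssigned"
  }

  consistency_policy {
    consistency_level = "Session"
  }

  capabilities {
    name = "EnableServerless"
  }

  geo_location {
    location          = var.location
    failover_priority = 0
  }
}

# Private endpoint for Variant B. The "Sql" sub-resource is the Core (SQL) API;
# var.private_endpoint_subnet_id is an assumed input for this example.
resource "azurerm_private_endpoint" "db_private_only" {
  name                = "${azurerm_cosmosdb_account.db_private_only.name}-pe"
  resource_group_name = var.resource_group_name
  location            = var.location
  subnet_id           = var.private_endpoint_subnet_id

  private_service_connection {
    name                           = "${azurerm_cosmosdb_account.db_private_only.name}-psc"
    private_connection_resource_id = azurerm_cosmosdb_account.db_private_only.id
    is_manual_connection           = false
    subresource_names              = ["Sql"]
  }
}
```

Pick one variant per account. The CLI command later in the thread corresponds to Variant A with an empty allow list (public access on, no IP filter), which is why it "just works" from any client; Variant A with a populated `ip_range_filter` is the least-change fix for the reported configuration, while Variant B is the stricter posture if the application runs inside Azure networking.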

Insighter2k commented 2 years ago

Thanks for the heads up. The description was not clear to me, but I just tested it out and now I know what the problem was. Thank you for the help :-)

Kind regards

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.