hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Cannot create a private endpoint for a web app slot #17551

Closed jadamsowers closed 1 year ago

jadamsowers commented 2 years ago

Terraform Version

1.2.4

AzureRM Provider Version

3.12.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

```hcl
# Reporter's configuration: one private endpoint per slot, pointing the
# private link connection at the slot's own resource ID (this is what fails).
resource "azurerm_private_endpoint" "privateendpoint_slots" {
  for_each            = var.slots
  name                = "my-privateendpoint-${each.key}-${var.location_short}"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.endpoint_subnet_id

  private_dns_zone_group {
    name                 = "privatednszonegroup"
    private_dns_zone_ids = [var.private_dns_zone_id]
  }

  private_service_connection {
    name                           = "private-endpoint-connection"
    private_connection_resource_id = azurerm_windows_web_app_slot.slots[each.key].id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }
}
```

Debug Output/Panic Output

n/a

Expected Behaviour

I am creating a private endpoint for my Windows app service using azurerm_private_endpoint with no issues. The only thing I have changed to add a private endpoint for each web app slot is to change the private_connection_resource_id in the private_service_connection block to point to the slot id.

Actual Behaviour

```text
Error: creating Private Endpoint "my-privateendpoint" (Resource Group "web-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidPrivateLinkServiceIdType" Message="Private link service Id /subscriptions/{guid}/resourceGroups/web-rg/providers/Microsoft.Web/sites/webapp/slots/dev has an invalid resource type. Permitted type(s):
Microsoft.DocumentDB/databaseAccounts, Microsoft.Sql/servers, Microsoft.Network/privateLinkServices, Microsoft.Web/sites, Microsoft.Web/hostingEnvironments, Microsoft.Storage/storageAccounts, Microsoft.DBforPostgreSQL/servers, Microsoft.DBforMySQL/servers, Microsoft.DBforMariaDB/servers, Microsoft.KeyVault/vaults, Microsoft.Synapse/workspaces, Microsoft.AppConfiguration/configurationStores, Microsoft.Search/searchServices, Microsoft.ContainerService/managedClusters, Microsoft.Attestation/attestationProviders, Microsoft.Devices/IotHubs, Microsoft.Cache/Redis, Microsoft.SignalRService/SignalR, Microsoft.MachineLearningServices/workspaces, Microsoft.Batch/batchAccounts, Microsoft.ContainerRegistry/registries, Microsoft.RecoveryServices/vaults, Microsoft.EventGrid/topics, Microsoft.EventGrid/domains, Microsoft.EventHub/namespaces, Microsoft.ServiceBus/namespaces, Microsoft.Relay/namespaces, Microsoft.StorageSync/storageSyncServices, Microsoft.HealthcareApis/services, Microsoft.Automation/automationAccounts, Microsoft.Insights/privateLinkScopes, Microsoft.CognitiveServices/accounts, Microsoft.Compute/diskAccesses, Microsoft.Network/applicationgateways, Microsoft.Media/mediaservices, Microsoft.Sql/managedInstances, Microsoft.Migrate/assessmentProjects, Microsoft.Migrate/migrateProjects, Microsoft.DataFactory/factories, Microsoft.Authorization/resourceManagementPrivateLinks, Microsoft.Devices/ProvisioningServices, Microsoft.Synapse/privateLinkHubs, Microsoft.PowerBI/privateLinkServicesForPowerBI, Microsoft.Cache/redisEnterprise, Microsoft.HybridCompute/privateLinkScopes, Microsoft.OffAzure/mastersites, Microsoft.TimeSeriesInsights/environments, Microsoft.DigitalTwins/digitalTwinsInstances, Microsoft.Keyvault/managedHSMs, Microsoft.Kusto/clusters, Microsoft.Purview/accounts, Microsoft.Web/staticSites, Microsoft.SignalRService/webPubSub, Microsoft.DeviceUpdate/accounts, Microsoft.DBforPostgreSQL/serverGroupsv2, Microsoft.HealthcareApis/workspaces, Microsoft.ApiManagement/service, Microsoft.HDInsight/clusters, Microsoft.Media/videoanalyzers, Microsoft.IoTCentral/IoTApps, Microsoft.EventGrid/partnerNamespaces, Microsoft.BotService/botServices." Details=[]
```

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

xiaxyi commented 2 years ago

@jadamsowers I'm not sure if private endpoints support app slots; I need to check and update accordingly.

xiaxyi commented 2 years ago

@jadamsowers The issue is caused by the property groupIds (subresource_names in the Terraform provider). The property won't take `sites` as a valid value.

Even through the API, the PE cannot be created; it fails with the same error.

I need to confirm the valid value for a slot.

jadamsowers commented 2 years ago

Any update on this? Thanks!

schuettecarsten commented 2 years ago

@jadamsowers, @xiaxyi - According to #11147 from 2021, the solution is to use `sites-<slotname>` as the subresource name and the resource ID of the original app resource for `private_connection_resource_id`, not the slot's ID. I can confirm that this still works today.
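The fix described above, written out as an added example (not the commenter's code and not from the provider's docs). It assumes `azurerm_windows_web_app.main` is the parent app and `var.slots` is a map keyed by slot name; the remaining variable names are taken from the reporter's configuration.

```hcl
# Added example: one private endpoint per deployment slot, following the
# sites-<slotname> fix from the thread. Assumptions: azurerm_windows_web_app.main
# is the parent app, var.slots is a map keyed by slot name.
resource "azurerm_private_endpoint" "privateendpoint_slots" {
  for_each            = var.slots
  name                = "my-privateendpoint-${each.key}-${var.location_short}"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.endpoint_subnet_id

  # The endpoint no longer references the slot resource directly, so make the
  # ordering explicit: the slot must exist before its group id can be resolved.
  depends_on = [azurerm_windows_web_app_slot.slots]

  private_dns_zone_group {
    name                 = "privatednszonegroup"
    private_dns_zone_ids = [var.private_dns_zone_id]
  }

  private_service_connection {
    name = "private-endpoint-connection-${each.key}"
    # Target the parent site: Microsoft.Web/sites/slots is not an accepted
    # private link target (see the InvalidPrivateLinkServiceIdType error above).
    private_connection_resource_id = azurerm_windows_web_app.main.id
    # The slot is selected through the group id "sites-<slotname>" instead.
    subresource_names    = ["sites-${each.key}"]
    is_manual_connection = false
  }
}
```

For App Service the zone behind `var.private_dns_zone_id` should be `privatelink.azurewebsites.net`, so each slot gets its own A record there; with the endpoint in place, public access to the slot can then be restricted separately on the slot's own settings.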

xiaxyi commented 1 year ago

Thanks @schuettecarsten for the solution! @jadamsowers May I know if you tried the solution, and can you let me know how it goes?

rcskosir commented 1 year ago

Thanks for taking the time to open this issue. I am going to mark this issue as complete based on @schuettecarsten's solution above, but if you run into this again with the latest Terraform and Provider versions, please feel free to open a new issue.

github-actions[bot] commented 6 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.