hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

eventhub_namespace public_network_access_enabled not working as documented #18678

Open Gerrit-K opened 1 year ago

Gerrit-K commented 1 year ago

Is there an existing issue for this?

Community Note

Terraform Version

1.3.2

AzureRM Provider Version

3.26.0

Affected Resource(s)/Data Source(s)

azurerm_eventhub_namespace

Terraform Configuration Files

```json
"azurerm_eventhub_namespace": {
  "eventhub_namespace": {
    "auto_inflate_enabled": false,
    "capacity": 1,
    "lifecycle": {
      "ignore_changes": [
        "tags"
      ]
    },
    "location": "${var.location}",
    "maximum_throughput_units": 0,
    "name": "[REDACTED]",
    "network_rulesets": [
      {
        "default_action": "Deny",
        "ip_rule": [
          {
            "action": "Allow",
            "ip_mask": "[REDACTED]"
          }
        ],
        "trusted_service_access_enabled": null,
        "virtual_network_rule": null
      }
    ],
    "resource_group_name": "${var.resource_group_name}",
    "sku": "Standard"
  }
}
```

Debug Output/Panic Output

```
Error: Incorrect attribute value type

  on cdk.tf.json line 443, in resource.azurerm_eventhub_namespace.eventhub_namespace:
 443:         "network_rulesets": [
 444:           {
 445:             "default_action": "Deny",
 446:             "ip_rule": [
 459:               {
 460:                 "action": "Allow",
 461:                 "ip_mask": "[REDACTED]"
 462:               }
 463:             ],
 464:             "trusted_service_access_enabled": null,
 465:             "virtual_network_rule": null
 466:           }
 467:         ],

Inappropriate value for attribute "network_rulesets": element 0: attribute
"public_network_access_enabled" is required.
```

Expected Behaviour

No error, since the documentation states that public_network_access_enabled should be optional on both the root resource and the network_rulesets block levels.

Actual Behaviour

Error, see "Debug output".

Steps to Reproduce

No response

Important Factoids

No response

References

No response

xiaxyi commented 1 year ago

@Gerrit-K I didn't get any error about the public_network_access_enabled property. The network config is created as defined in the config. Can you share your tf config with me?

public_network_access_enabled is defined as optional + default and the default value is true. So, in theory, there won't be any error when creating the ehn.

Gerrit-K commented 1 year ago

@xiaxyi Thanks for your reply. I just played around with this a little bit and extracted an MRE from my (rather large and also partly confidential) tf file.

main.tf.json

```json
{
  "provider": {
    "azurerm": [
      {
        "features": {}
      }
    ]
  },
  "resource": {
    "azurerm_resource_group": {
      "resource_group": {
        "location": "westeurope",
        "name": "testing-public-access"
      }
    },
    "azurerm_eventhub_namespace": {
      "eventhub_namespace": {
        "auto_inflate_enabled": false,
        "capacity": 1,
        "lifecycle": {
          "ignore_changes": [
            "tags"
          ]
        },
        "location": "${azurerm_resource_group.resource_group.location}",
        "maximum_throughput_units": 0,
        "name": "${azurerm_resource_group.resource_group.name}",
        "network_rulesets": [
          {
            "default_action": "Deny",
            "ip_rule": [
              {
                "action": "Allow",
                "ip_mask": "1.2.3.4"
              }
            ],
            "trusted_service_access_enabled": null,
            "virtual_network_rule": null
          }
        ],
        "resource_group_name": "${azurerm_resource_group.resource_group.name}",
        "sku": "Standard"
      }
    }
  },
  "terraform": {
    "required_providers": {
      "azurerm": {
        "source": "azurerm",
        "version": "3.26.0"
      }
    }
  }
}
```

Some notes/observations:

sreekanth3107 commented 1 year ago

I am facing the same issue with the latest version and I created an issue - 18485, followed the suggestions but am still having the same issue.

Gerrit-K commented 1 year ago

@sreekanth3107 no, I don't think your issue is connected to this one. Yes, it's the same property, but most likely it was just the wrong property name in your tf file. For me it works with an HCL (not JSON!) file and public_network_access_enabled.

thrubovc commented 1 year ago

This discrepancy between the documentation and azurerm provider behavior has been present since v3.21.0.

Edit: here's some HCL code from my eventhub_namespace resource:

```hcl
  network_rulesets = [
    {
      default_action                 = "Deny"
      trusted_service_access_enabled = false
      ip_rule                        = null
      virtual_network_rule           = null
    }
  ]
```

This is correctly configured according to the documentation, but as of v3.21.0, it no longer works. It works when I add public_network_access_enabled = null, but that's not clear from the documentation. Or am I missing something?
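
A pre-plan check for the situation reported in this thread, as an added example that is not part of the issue or of the provider's code: it scans a Terraform JSON config for `network_rulesets` elements that omit a key and can return a copy with explicit nulls, the workaround described in the last comment. The key list is an assumption taken from the configs posted here, not from the provider schema; the function names and the sample input are constructed.

```python
import copy
import json

# Keys seen on network_rulesets elements in this thread (assumption: not
# taken from the provider schema, which may define more).
RULESET_KEYS = ("default_action", "ip_rule", "public_network_access_enabled",
                "trusted_service_access_enabled", "virtual_network_rule")

def iter_rulesets(config):
    """Yield (resource_name, index, ruleset) for every Event Hub namespace."""
    namespaces = config.get("resource", {}).get("azurerm_eventhub_namespace", {})
    for name, body in namespaces.items():
        for i, ruleset in enumerate(body.get("network_rulesets") or []):
            yield name, i, ruleset

def find_missing_keys(config):
    """Return [(resource_name, index, [missing keys])] for incomplete elements."""
    findings = []
    for name, i, ruleset in iter_rulesets(config):
        missing = [k for k in RULESET_KEYS if k not in ruleset]
        if missing:
            findings.append((name, i, missing))
    return findings

def with_explicit_nulls(config):
    """Return a copy in which every missing key is present as an explicit null."""
    patched = copy.deepcopy(config)
    for _, _, ruleset in iter_rulesets(patched):
        for key in RULESET_KEYS:
            ruleset.setdefault(key, None)
    return patched

# Constructed sample input, modelled on the MRE posted in the thread.
SAMPLE = json.loads("""
{"resource": {"azurerm_eventhub_namespace": {"eventhub_namespace": {
  "name": "testing-public-access", "sku": "Standard",
  "network_rulesets": [{
    "default_action": "Deny",
    "ip_rule": [{"action": "Allow", "ip_mask": "1.2.3.4"}],
    "trusted_service_access_enabled": null,
    "virtual_network_rule": null}]}}}}
""")

if __name__ == "__main__":
    for name, i, missing in find_missing_keys(SAMPLE):
        print(f"{name}.network_rulesets[{i}] is missing: {', '.join(missing)}")
    print(json.dumps(with_explicit_nulls(SAMPLE), indent=2))
```

Where the intended exposure is known, writing `true` or `false` into the patched element instead of a null keeps the public-access decision visible in review.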