hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Ingestion Private Endpoint for Purview Account #19087

Open Saikiran7777 opened 2 years ago

Saikiran7777 commented 2 years ago

Description

To scan Data Factory and Synapse we need to add ingestion private endpoints to the Purview account. From the Portal we are able to do it, but not from Terraform.

New or Affected Resource(s)/Data Source(s)

azurerm_ingestion_privateendpoints

Potential Terraform Configuration

No response

References

No response

ms-henglu commented 2 years ago

Hi @Saikiran7777 ,

Thank you for taking time to open this issue!

Would you please try the generic private endpoint resource: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint?

Saikiran7777 commented 2 years ago

Thanks for your reply, but I don't think we can use private endpoints here. I've already tried using it: it creates private endpoints for the managed resources, but it doesn't ingest them.

Saikiran7777 commented 2 years ago

@ms-henglu This requires the below parameters to ingest managed endpoints:

- Ingestion endpoint name
- Subscription name
- Virtual network name
- Subnet
- Private DNS integration enabled
  - Private DNS zone (storage blob)
  - Private DNS zone (storage queue)
  - Private DNS zone (event hub)

All three will be linked to managed resources.

Saikiran7777 commented 1 year ago

@ms-henglu Any update on this?

ravulachetan commented 1 year ago

Hi, any update on this? Agree with Sai Kiran. We can create the private endpoints for the storage account and Event Hub, but they do not get added to the Purview ingestion blade.

truongm93 commented 1 year ago

@Saikiran7777 @RavulaChetan I was able to create the ingestion private endpoints by using the managed_resources output. I was able to deploy the following:

- 1 Purview account
- 1 private endpoint for the managed storage account, subresource blob
- 1 private endpoint for the managed storage account, subresource queue
- 1 private endpoint for the managed Event Hub, subresource namespace

Hope this helps.

Sample code:

resource "azurerm_resource_group" "example" {
  name     = "purview-tf-rg"
  location = "eastus"
}

# Purview account with public access disabled. The managed storage account and
# Event Hub namespace it creates are the targets of the ingestion endpoints.
resource "azurerm_purview_account" "example" {
  name                   = "purview-tf"
  resource_group_name    = azurerm_resource_group.example.name
  location               = azurerm_resource_group.example.location
  public_network_enabled = false

  identity {
    type = "SystemAssigned"
  }
}

output "managed_storage_account" {
  value = element(azurerm_purview_account.example.managed_resources.*.storage_account_id, 0)
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  # Older attribute name; newer azurerm 3.x releases use
  # private_endpoint_network_policies_enabled = false instead.
  enforce_private_link_endpoint_network_policies = true
}

# Endpoint names end in -blob, -queue and -namespace so Purview lists them
# under the account's ingestion private endpoints.
resource "azurerm_private_endpoint" "example" {
  name                = "purview-pep-sa-blob"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "purview-pep-sa-connection"
    private_connection_resource_id = element(azurerm_purview_account.example.managed_resources.*.storage_account_id, 0)
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}

resource "azurerm_private_endpoint" "example2" {
  name                = "purview-pep-sa-queue"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "purview-pep-queue-connection"
    private_connection_resource_id = element(azurerm_purview_account.example.managed_resources.*.storage_account_id, 0)
    is_manual_connection           = false
    subresource_names              = ["queue"]
  }
}

resource "azurerm_private_endpoint" "example3" {
  name                = "purview-pep-eh-namespace"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "purview-pep-eh-connection"
    private_connection_resource_id = element(azurerm_purview_account.example.managed_resources.*.event_hub_namespace_id, 0)
    is_manual_connection           = false
    subresource_names              = ["namespace"]
  }
}

marvinbuss commented 1 year ago

The private endpoints only show up in the portal if you choose the right naming convention for them. They need to have the suffix -blob, -namespace or -queue. If you do that, they should show up under the ingestion PEs.
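The sample in the thread creates the three endpoints but not the private DNS integration that the earlier parameter list calls for; without zone records, clients still resolve the managed storage and Event Hub FQDNs to their public addresses. The following is an added example (not code from the issue or the provider) that replaces the three endpoint resources with a single for_each, keeps the -blob/-queue/-namespace suffixes, and adds the privatelink zones, VNet links and zone groups; it assumes the resource group, Purview account, VNet and subnet from the sample above, and uses managed_resources[0] instead of element().

```hcl
locals {
  sa_id = azurerm_purview_account.example.managed_resources[0].storage_account_id
  eh_id = azurerm_purview_account.example.managed_resources[0].event_hub_namespace_id

  # Map key is the subresource and the suffix Purview expects on the endpoint name.
  ingestion = {
    blob      = { target = local.sa_id, zone = "privatelink.blob.core.windows.net" }
    queue     = { target = local.sa_id, zone = "privatelink.queue.core.windows.net" }
    namespace = { target = local.eh_id, zone = "privatelink.servicebus.windows.net" }
  }
}

resource "azurerm_private_dns_zone" "ingestion" {
  for_each            = local.ingestion
  name                = each.value.zone
  resource_group_name = azurerm_resource_group.example.name
}

# Link each zone to the VNet so resolvers inside it receive the private IP.
resource "azurerm_private_dns_zone_virtual_network_link" "ingestion" {
  for_each              = local.ingestion
  name                  = "purview-${each.key}-link"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.ingestion[each.key].name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "ingestion" {
  for_each            = local.ingestion
  name                = "purview-pep-${each.key}" # ends in -blob / -queue / -namespace
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "purview-pep-${each.key}-connection"
    private_connection_resource_id = each.value.target
    is_manual_connection           = false
    subresource_names              = [each.key]
  }

  # Registers the endpoint's A record in the matching privatelink zone.
  private_dns_zone_group {
    name                 = "${each.key}-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.ingestion[each.key].id]
  }
}
```

After apply, verify from a VM in the VNet that the managed account's blob, queue and namespace hostnames resolve to addresses in the endpoint subnet rather than public IPs.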