hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.51k stars 4.6k forks

Support for Private Endpoint Network Policies, not just enabled/disabled #20677

Closed rvdouderaa closed 2 weeks ago

rvdouderaa commented 1 year ago

Description

In azurerm_subnet there is the option private_endpoint_network_policies_enabled, which accepts (obviously) only true or false.

However, there are more options. E.g. when setting PrivateEndpointNetworkPolicies using PowerShell the options are:

When setting NetworkSecurityGroupEnabled using PowerShell, Terraform wants to revert this on the next run:

```
Terraform will perform the following actions:

  private_endpoint_network_policies_enabled = false -> true
```

New or Affected Resource(s)/Data Source(s)

azurerm_subnet

Potential Terraform Configuration

```hcl
resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  private_endpoint_network_policies = "NetworkSecurityGroupEnabled"
}
```


### References

https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-powershell
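As an added example (not code from the issue author or from the provider project), the following configuration shows the string-valued attribute in context: the subnet carries `private_endpoint_network_policies = "NetworkSecurityGroupEnabled"` and has an NSG associated with it, so the NSG rules are actually applied to traffic headed for private endpoints in that subnet instead of being bypassed, which is what the Azure default of `Disabled` does. Resource names, the CIDRs, the location and the `>= 4.0` provider constraint are assumptions made for this example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Assumption: a provider release that exposes the string-valued
      # private_endpoint_network_policies attribute on azurerm_subnet.
      version = ">= 4.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-pe-policies-example" # constructed name
  location = "westeurope"             # constructed location
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

# Subnet that hosts the private endpoints. With "Disabled" (the Azure
# default) an NSG on this subnet does not filter traffic to private
# endpoints at all; "NetworkSecurityGroupEnabled" makes the associated
# NSG apply to that traffic while leaving route-table policies off.
resource "azurerm_subnet" "private_endpoints" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  private_endpoint_network_policies = "NetworkSecurityGroupEnabled"
}

# NSG that only lets the application subnet reach the endpoints over
# HTTPS and denies every other inbound flow from inside the VNet.
resource "azurerm_network_security_group" "private_endpoints" {
  name                = "nsg-private-endpoints"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "allow-app-subnet-https"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "10.0.2.0/24" # constructed app subnet
    destination_address_prefix = "10.0.1.0/24"
  }

  security_rule {
    name                       = "deny-vnet-inbound"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "10.0.1.0/24"
  }
}

# Without this association the NSG exists but filters nothing.
resource "azurerm_subnet_network_security_group_association" "private_endpoints" {
  subnet_id                 = azurerm_subnet.private_endpoints.id
  network_security_group_id = azurerm_network_security_group.private_endpoints.id
}
```

Run `terraform init` and `terraform plan` against an Azure subscription to see the subnet created with the policy value. The point of the enum over the old boolean is exactly the drift described in the issue: when the policy is set out of band to `NetworkSecurityGroupEnabled` while the configuration can only express true/false, every plan tries to flip it back, and whoever applies that plan silently removes NSG enforcement for the private endpoints.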
sinbai commented 1 year ago

@rvdouderaa thanks for opening this issue. Since Terraform relies on the Azure REST API for Azure resource management, and per the latest Azure API privateEndpointNetworkPolicies only supports Enabled and Disabled, Terraform could not support NetworkSecurityGroupEnabled and RouteTableEnabled until the Azure API includes them.

rvdouderaa commented 1 year ago

@sinbai The learn link in the issue describes 4 options.

The possible values for the privateEndpointNetworkPolicies are Disabled, NetworkSecurityGroupEnabled, RouteTableEnabled, and Enabled.

It shows a JSON example with a 2019 API version?

https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-json#enable-network-policy

sinbai commented 1 year ago

@rvdouderaa I have filed an API issue to track this inconsistency. Let's wait for the response from the API team.

Marcel1805 commented 10 months ago

@sinbai meanwhile the API is now capable of more options for PrivateEndpointNetworkPolicies, therefore the azurerm provider could be updated. Thank you!

PwshPally commented 8 months ago

@sinbai It looks like the API side has been fixed. https://github.com/Azure/azure-rest-api-specs/blob/main/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/virtualNetwork.json#L1602

swati-delphix commented 5 months ago

When will this get updated? Also, as per the documentation, if we just enable it, it still works for a network security group to restrict network access for a private endpoint, right?

man0s commented 4 months ago

+1 on this one..

pascalkrielen commented 1 month ago

It seems the options are available now: [image]

katbyte commented 2 weeks ago

Closing based on @pascalkrielen's comment.