hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Failure to create `azurerm_private_endpoint` #27134

Open bengesoff opened 2 months ago

bengesoff commented 2 months ago

Terraform Version

1.9.5

AzureRM Provider Version

3.115.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

```hcl
locals {
  pl_alias = "internal-ingress-nginx.837de879-b929-40fe-a7e5-673072f4b71e.westeurope.azure.privatelinkservice"
}

resource "azurerm_private_endpoint" "privatelink_grafana" {
  name                = "grafana-pl"
  location            = data.azurerm_resource_group.kubernetes.location
  resource_group_name = data.azurerm_resource_group.kubernetes.name
  subnet_id           = data.azurerm_subnet.kubernetes.id

  private_service_connection {
    name                              = "grafana-pl"
    is_manual_connection              = false
    private_connection_resource_alias = local.pl_alias
  }
}
```

Debug Output/Panic Output

Error: creating Private Endpoint (Subscription: "1f62296d-9176-438d-b0bd-8050fcd89c54" Resource Group Name: "rG-vnet-001_prod" Private Endpoint Name: "grafana-pl"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: LinkedInvalidPropertyId: Property id 'internal-ingress-nginx.837de879-b929-40fe-a7e5-673072f4b71e.westeurope.azure.privatelinkservice' at path 'properties.privateLinkServiceConnections[0].properties.privateLinkServiceId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.

Expected Behaviour

Should have successfully used the private link service alias to create the private endpoint, and not tried to use it as a service ID.

Actual Behaviour

The creation failed because it sent the alias as an ID, despite the alias field being used in the provider. This failed validation in the Microsoft API, which was expecting a valid ID.

I believe this code could be the culprit https://github.com/hashicorp/terraform-provider-azurerm/blob/af0806e764913e72c3511bd2562e230715ab7709/internal/services/network/private_endpoint_resource.go#L754

Steps to Reproduce

No response

Important Factoids

No response

References

No response

cdituri commented 2 months ago

@bengesoff not my area of expertise but can you try with is_manual_connection = true and request_message populated? Updating your supplied example to the below worked successfully on my end:

```hcl
resource "azurerm_private_endpoint" "privatelink_grafana" {
  name                = "grafana-pl"
  location            = azurerm_resource_group.kubernetes.location
  resource_group_name = azurerm_resource_group.kubernetes.name
  subnet_id           = azurerm_subnet.kubernetes.id

  private_service_connection {
    name                              = "grafana-pl"
    is_manual_connection              = true
    request_message                   = "please?"
    private_connection_resource_alias = local.pl_alias
  }
}
```

The only reason I point this out is due to the Azure Private Endpoint, Connect by using an alias, documentation. Per the docs, do note that a manual request can still be auto approved with the appropriate service access configured. Relevant doc screenshot is below. Hope that unblocks you. Cheers.

[image: screenshot of the Azure Private Endpoint "Connect by using an alias" documentation]

bengesoff commented 2 months ago

@cdituri thank you Chris, that worked perfectly. I'm not completely sure if it was auto approved or manually approved, but the resource provisioned successfully in 45s so I would assume the former. Either way, workaround successful.

rcskosir commented 2 months ago

Thank you for taking the time to raise this! I am going to close this with @cdituri's response as an answer. If you have future questions, I suggest using the Community Resources, such as the Azure Provider forum.

bengesoff commented 2 months ago

@rcskosir even though @cdituri has kindly provided a workaround, I still think this is a bug. It should have worked without having to request a manual connection, but instead I received an error saying the alias was in the wrong format:

```text
Error: creating Private Endpoint (Subscription: "1f62296d-9176-438d-b0bd-8050fcd89c54" Resource Group Name: "rG-vnet-001_prod" Private Endpoint Name: "grafana-pl"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: LinkedInvalidPropertyId: Property id 'internal-ingress-nginx.837de879-b929-40fe-a7e5-673072f4b71e.westeurope.azure.privatelinkservice' at path 'properties.privateLinkServiceConnections[0].properties.privateLinkServiceId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
```

harshavmb commented 2 months ago

Hi @bengesoff ,

This was discussed already here & as @cdituri mentioned is_manual_connection must be enabled to pass manualPrivateLinkServiceConnections in the payload rather than privateLinkServiceConnections.

I guess docs need to be updated to mention this bit better.
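The routing harshavmb describes, as an added Go model written for this thread (not the provider's own code): a pre-flight check that decides which request list a `private_service_connection` block lands in and refuses the alias-with-automatic-connection combination before it reaches ARM. The list names come from the comment above, the id rule from the 400 error in the report; placing the alias in `privateLinkServiceId` of the manual list is an assumption of this model.

```go
package main

import (
	"fmt"
	"strings"
)

// Connection carries the private_service_connection arguments used in the issue.
type Connection struct {
	Name           string
	IsManual       bool   // is_manual_connection
	ResourceID     string // private_connection_resource_id
	ResourceAlias  string // private_connection_resource_alias
	RequestMessage string // request_message
}

// isFullyQualifiedID is the rule the API states in its LinkedInvalidPropertyId error.
func isFullyQualifiedID(s string) bool {
	return strings.HasPrefix(s, "/subscriptions/") || strings.HasPrefix(s, "/providers/")
}

// planConnection returns the payload list the connection belongs in (names taken from
// harshavmb's comment) and its properties, or an error for configurations ARM would
// reject, including the alias-without-manual combination from the issue.
func planConnection(c Connection) (list string, props map[string]string, err error) {
	props = map[string]string{"name": c.Name}
	switch {
	case c.ResourceID != "":
		if !isFullyQualifiedID(c.ResourceID) {
			return "", nil, fmt.Errorf("%s: %q is not a fully qualified resource id", c.Name, c.ResourceID)
		}
		props["privateLinkServiceId"] = c.ResourceID
	case c.ResourceAlias != "":
		if !c.IsManual {
			return "", nil, fmt.Errorf("%s: alias %q requires is_manual_connection = true", c.Name, c.ResourceAlias)
		}
		// Assumption of this model: an alias travels in privateLinkServiceId of the manual list only.
		props["privateLinkServiceId"] = c.ResourceAlias
	default:
		return "", nil, fmt.Errorf("%s: neither a resource id nor an alias is set", c.Name)
	}
	if !c.IsManual {
		return "privateLinkServiceConnections", props, nil
	}
	props["requestMessage"] = c.RequestMessage
	return "manualPrivateLinkServiceConnections", props, nil
}

// main reproduces the issue's configuration: alias set, is_manual_connection left false.
func main() { fmt.Println(planConnection(Connection{Name: "grafana-pl", ResourceAlias: "x.privatelinkservice"})) }
```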