hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.5k stars 4.59k forks

Support for adding/removing subnet delegation after the subnet is created. #9270

Open Magicloud opened 3 years ago

Magicloud commented 3 years ago

Description

The delegation can be added or removed via Terraform at the moment, but it is tied with azurerm_subnet resource. I cannot work on the delegation without touching the code for azurerm_subnet.

Potential Terraform Configuration

resource "azurerm_subnet" "example" {
  name                 = "testsubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Proposed resource (does not exist in the provider): the delegation is
# attached to a subnet by id, so it can be managed apart from the subnet.
resource "azurerm_subnet_delegation" "example" {
  subnet_id = azurerm_subnet.example.id

  name = "acctestdelegation"

  service_delegation {
    name    = "Microsoft.ContainerInstance/containerGroups"
    actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
  }
}

neil-yechenwei commented 3 years ago

Thanks for opening this issue. Seems this feature has been implemented in the subnet resource. I assume you have to add/remove the delegation block from the subnet resource to implement it. Below is the example.

Adding delegation:

resource "azurerm_subnet" "test" {
  name                 = "testsubnettest01"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  # address_prefixes replaces the older single-value address_prefix argument
  address_prefixes     = ["10.1.0.0/24"]

  # A subnet holds at most one delegation; adding this block delegates it.
  delegation {
    name = "delegation"

    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

Removing delegation:

# Dropping the delegation block removes the delegation on the next apply.
resource "azurerm_subnet" "test" {
  name                 = "testsubnettest01"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.1.0.0/24"]
}

Magicloud commented 3 years ago

@neil-yechenwei Sorry, I did not make myself clear. Current design is hard to do abstraction. For example, I cannot make a VPC module without setting the delegation or exposing the subnets to users. Updated the original post.

renzo-cast commented 2 years ago

Another use-case for this, which applies in our environment, is where the subnet is already created and provided to us. We don't want to import the subnet into state and just want to be able to manage (create/remove/change) the subnet delegation.

ukreddy-erwin commented 2 years ago

The azurerm_subnet resource can't be created due to an Azure policy.

Policy identifiers: '[{"policyAssignment":{"name":"Deny-Subnet-Without-Nsg","id":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg"},"policyDefinition":{"name":"Subnets should have a Network Security Group ","id":"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg"}}]'

As a remedy to the above, we are creating the subnet as a block inside the vnet resource. But that doesn't have an option for subnet delegation.

So what is the alternative for that?

alaczynski commented 2 years ago

There are cases when the vnet with subnets is created by a central privileged team due to organization policy. Other teams still have the possibility to delegate a subnet, which is required by many services like function-app and databricks. In such cases, having the possibility to delegate a subnet as a separate resource (like the azurerm_subnet_delegation mentioned above) would be very useful. Currently, due to this limitation, we have to use null_resource with a bit of az cli scripting, which is not ideal. If you are aware of any better solution, please advise.
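One provider-native way to delegate a subnet that another team owns, without importing it and without the az cli scripting mentioned above, is the Azure/azapi provider's `azapi_update_resource`, which sends a partial update of a single ARM property. The following is an added example, not code from this issue or from the azurerm provider; the resource group, vnet and subnet names, the API version and the delegation actions list are assumptions for illustration.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
    azapi   = { source = "Azure/azapi", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

# Hypothetical names: the subnet is created and owned by another team.
variable "resource_group_name" { default = "network-rg" }
variable "vnet_name"           { default = "hub-vnet" }
variable "subnet_name"         { default = "pg-subnet" }

# Read-only lookup: nothing here imports or manages the subnet itself,
# so `terraform destroy` cannot delete it.
data "azurerm_subnet" "existing" {
  name                 = var.subnet_name
  virtual_network_name = var.vnet_name
  resource_group_name  = var.resource_group_name
}

# Partial update of the existing subnet: only `properties.delegations`
# is sent. Address space, NSG association and route table set by the
# owning team are left untouched.
resource "azapi_update_resource" "delegation" {
  type        = "Microsoft.Network/virtualNetworks/subnets@2023-04-01"
  resource_id = data.azurerm_subnet.existing.id

  body = {
    properties = {
      delegations = [
        {
          name = "pg-flexible-server"
          properties = {
            serviceName = "Microsoft.DBforPostgreSQL/flexibleServers"
            # Azure allows one delegation per subnet. The actions list is
            # assumed to be what this service requires.
            actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
          }
        }
      ]
    }
  }
}

output "delegated_subnet_id" {
  value = data.azurerm_subnet.existing.id
}
```

Two caveats a practitioner should know before relying on this: the plan shows the delegation as a change to the subnet, so it can be reviewed like any other resource, but destroying an `azapi_update_resource` only removes it from state and does not revert the property on the subnet. To undo the delegation, apply once more with `delegations = []` before removing the resource. The principal running this needs write permission on the subnet, the same as with az cli.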

delian commented 1 year ago

+1 here - we do have the same use case - pre-created subnet, to which we want to modify the service delegations, but we don't want to destroy the subnet as it is managed outside of our setup.

dastrobu commented 1 year ago

Any update or creative ideas on how to handle subnet Delegation on a provided subnet?

withakay commented 9 months ago

I am in a situation where there is a policy that denies the creation of subnets without a network security group, this means I have to create subnets as part of an azurerm_virtual_network resource which doesn't and won't allow delegation to be defined (see https://github.com/hashicorp/terraform-provider-azurerm/issues/11187 for why).

Currently I am resorting to hackery such as

# Runs inside a null_resource; az cli must be logged in on the machine running terraform
resource "null_resource" "subnet_delegation" {
  provisioner "local-exec" {
    command = <<-EOT
      az network vnet subnet update \
        --resource-group foo-rg \
        --name foo-subnet \
        --vnet-name foo-vnet \
        --delegations Microsoft.DBforPostgreSQL/flexibleServers \
        --service-endpoints Microsoft.Storage
    EOT
  }
}

Having a provider native way to achieve this would be much nicer.
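If the local-exec route is the only one available, it can at least be made to track its inputs and clean up after itself. The following is an added example, not code from this issue or from the azurerm provider; the resource group, vnet and subnet names are placeholders, and the `--remove delegations 0` form of the az generic update argument is assumed to be accepted by `az network vnet subnet update`.

```hcl
terraform {
  required_providers {
    null = { source = "hashicorp/null", version = "~> 3.0" }
  }
}

# Hypothetical names: the subnet is pre-created and owned outside this state.
locals {
  resource_group = "foo-rg"
  vnet_name      = "foo-vnet"
  subnet_name    = "foo-subnet"
  delegation     = "Microsoft.DBforPostgreSQL/flexibleServers"
}

resource "null_resource" "subnet_delegation" {
  # Any change to these values replaces the resource: the destroy-time
  # command runs with the old values, then the create-time command runs
  # with the new ones. Without triggers the command would never re-run.
  triggers = {
    resource_group = local.resource_group
    vnet_name      = local.vnet_name
    subnet_name    = local.subnet_name
    delegation     = local.delegation
  }

  # Create: set the delegation. Every value is quoted so an unexpected
  # character in a name cannot be parsed as an extra az argument.
  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    command     = <<-EOT
      set -eu
      az network vnet subnet update \
        --resource-group "${self.triggers.resource_group}" \
        --vnet-name "${self.triggers.vnet_name}" \
        --name "${self.triggers.subnet_name}" \
        --delegations "${self.triggers.delegation}" \
        --output none
    EOT
  }

  # Destroy: remove the delegation so `terraform destroy` leaves the subnet
  # as it was found. Destroy-time provisioners may only reference `self`,
  # which is why the values live in `triggers` rather than in locals.
  # A subnet holds at most one delegation, so index 0 is the one set above.
  provisioner "local-exec" {
    when        = destroy
    interpreter = ["/bin/sh", "-c"]
    command     = <<-EOT
      set -eu
      az network vnet subnet update \
        --resource-group "${self.triggers.resource_group}" \
        --vnet-name "${self.triggers.vnet_name}" \
        --name "${self.triggers.subnet_name}" \
        --remove delegations 0 \
        --output none
    EOT
  }
}
```

The remaining weakness of this approach is that Terraform never reads the delegation back, so drift introduced in the portal or by another pipeline is invisible to `terraform plan`; only a change to one of the trigger values causes the command to run again.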