[Feature Request]: Add RoutingIntent child module to Virtual Hub module. #2427

Closed
annduda opened this issue Jul 11, 2023 · 7 comments · Fixed by #3040
Labels
Class: Resource Module 📦 This is a resource module Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue

Comments

@annduda

annduda commented Jul 11, 2023

Description

Hi,

Could we have a routing Intent functionality for virtual Hub which would allow sending traffic to Azure Firewall:
https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualhubs/routingintent?pivots=deployment-language-bicep

```bicep
resource symbolicname 'Microsoft.Network/virtualHubs/routingIntent@2023-02-01' = {
  name: 'string'
  parent: resourceSymbolicName
  properties: {
    routingPolicies: [
      {
        destinations: [
          'string'
        ]
        name: 'string'
        nextHop: 'string'
      }
    ]
  }
}
```

@AlexanderSehr AlexanderSehr changed the title [Feature Request]: [Feature Request]: Add routing intent functionality to Virtual Hub. Jul 24, 2023
@AlexanderSehr AlexanderSehr changed the title [Feature Request]: Add routing intent functionality to Virtual Hub. [Feature Request]: Add RoutingIntent child module to Virtual Hub module. Jul 24, 2023
@AlexanderSehr
Contributor

Hey @annduda,
we sure can. I'll move the issue into the 'todo' state. Feel free to implement and contribute it yourself if you have the capacity. If not, we'll see to have it implemented by a member of the community :)

@annduda
Author

annduda commented Jul 26, 2023

Hey @AlexanderSehr if nobody took it yet I can try :)

@AlexanderSehr
Contributor

If you have the capacity, please do - and if you need support, please let me know :)

@AlexanderSehr AlexanderSehr transferred this issue from Azure/ResourceModules Jun 15, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Triage 🔍 Maintainers need to triage still label Jun 15, 2024
@AlexanderSehr AlexanderSehr added Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Needs: Module Owner 📣 This module needs an owner to develop or maintain it Class: Resource Module 📦 This is a resource module labels Jun 15, 2024
@AlexanderSehr
Contributor

Hey @arnoldna ,
I just migrated this issue over from CARML. Please take a look and triage if still relevant :)

@arnoldna arnoldna removed Needs: Triage 🔍 Maintainers need to triage still labels Jun 17, 2024
@github-project-automation github-project-automation bot moved this to Needs: Triage in AVM - Module Issues Jun 19, 2024
@arnoldna arnoldna removed the Needs: Module Owner 📣 This module needs an owner to develop or maintain it label Jul 8, 2024
@arnoldna arnoldna assigned arnoldna and unassigned arnoldna Jul 9, 2024
@arnoldna arnoldna moved this from Needs: Triage to In Development in AVM - Module Issues Jul 9, 2024
@arnoldna arnoldna moved this from To do to In progress in Backlog Jul 9, 2024
@arnoldna arnoldna moved this from In progress to Needs triage in Backlog Jul 9, 2024
@AlexanderSehr AlexanderSehr assigned arnoldna and unassigned arnoldna Jul 9, 2024
@ericscheffler
Contributor

Working on this now

@ericscheffler
Contributor

Running into an issue with integrating this functionality; the problem is that this feature requires a firewall (Azure Firewall, for example) to be created and associated with the virtual hub before it is invoked, otherwise it will error out with an "invalid next hop" condition. In order for the firewall to be properly associated to the hub, it has to be created after the virtual hub, since the hub.id needs to be specified during the firewall creation (confirmed with the VWAN PG that providing the firewall.id during hub creation does nothing; it is a read-only parameter). The deployment flow needs to be:

  • Create the hub
  • Create the firewall (passing in hub resource id)
  • Invoke routing intent config

The requirement for a firewall effectively introduces a race condition; @ChrisSidebotham is going to discuss amongst the core team how to approach this issue. There are a couple different courses of action under consideration:

  • Leaving routing intent out of the virtual hub module and calling it from a VWAN pattern instead
  • Deploying the Azure Firewall as part of the virtual hub module
  • Something else?

Work is on-hold pending further direction.
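
The three-step order from the comment above, sketched with plain resources in a single template. This is an added example, not code from the thread or from the AVM virtual-hub module; the resource names, the address prefix, the policy names and the `virtualWanId` parameter are assumed values, and the firewall policy association is omitted.

```bicep
// Added illustration (not AVM module code); names and prefix are assumed values.
param location string = resourceGroup().location
param virtualWanId string // assumed: resource ID of an existing Virtual WAN

// Step 1: create the hub.
resource hub 'Microsoft.Network/virtualHubs@2023-02-01' = {
  name: 'example-hub'
  location: location
  properties: {
    addressPrefix: '10.0.0.0/23'
    virtualWan: { id: virtualWanId }
  }
}

// Step 2: create the firewall, passing in the hub resource ID.
resource firewall 'Microsoft.Network/azureFirewalls@2023-02-01' = {
  name: 'example-hub-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
  }
}

// Step 3: configure routing intent. Referencing firewall.id as the next hop
// gives Bicep an implicit dependency, so this deploys only after step 2.
resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-02-01' = {
  name: 'example-routing-intent'
  parent: hub
  properties: {
    routingPolicies: [
      {
        name: 'InternetTraffic'
        destinations: [ 'Internet' ]
        nextHop: firewall.id
      }
      {
        name: 'PrivateTraffic'
        destinations: [ 'PrivateTraffic' ]
        nextHop: firewall.id
      }
    ]
  }
}
```

With both policies pointing at the firewall, internet-bound and private traffic from the hub is steered through it for inspection; dropping either policy leaves that traffic class on the hub's default routing.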

@AlexanderSehr
Contributor

AlexanderSehr commented Jul 20, 2024

Hey @ericscheffler,
thank you for the elaborate description 💪. Maybe I'm simplifying this too much, but wouldn't it work to

  • Implement the child module as a normal child module
  • Implement a test that creates a plain VirtualHub & Firewall in its dependencies - and then invoke the module in an idempotent way with the routing intent defined as a parameter

I did something similar for some CMK tests where I wanted to show how to do this with a System-Assigned identity. Similar issue: How to assign permissions to a MSI if the MSI is only created after the service is deployed for which I want to define CMK. Same solution: Deployed the vanilla service with a system-assigned identity in the test's dependencies, set the permissions, then invoked the module like nothing happened in an idempotent way. For reference: https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/cognitive-services/account/tests/e2e/system-assigned-cmk-encryption/main.test.bicep

arnoldna added a commit that referenced this issue Aug 13, 2024
## Description

Adding support for configuring Routing Intent within a Virtual Hub. Due
to limitations within the Virtual Hub API, if a pattern is enabling
Routing Intent, the pattern _must_ invoke this resource twice;
the first invocation creates the Virtual Hub, then the second idempotent
invocation updates the Virtual Hub with the Routing Intent
configuration:

1. Invoke Virtual Hub resource (output hub resource ID)
2. Invoke Firewall resource (pass in hub resource ID)
3. Invoke Virtual Hub resource again (pass in Routing Intent
configuration)

Input parameters for the Routing Intent configuration are:
_privateToFirewall bool
internetToFirewall bool_

Closes
[2427](#2427)

## Pipeline Reference

[![avm.res.network.virtual-hub](https://github.com/ericscheffler/bicep-registry-modules/actions/workflows/avm.res.network.virtual-hub.yml/badge.svg?branch=Feature2427-VirtualHub_RoutingIntent)](https://github.com/ericscheffler/bicep-registry-modules/actions/workflows/avm.res.network.virtual-hub.yml)

## Type of Change

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [X] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [X] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same
update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [X] My corresponding pipelines / checks run clean and green without
any errors or warnings

---------

Co-authored-by: erschef_microsoft <[email protected]>
Co-authored-by: arnoldna <[email protected]>
@github-project-automation github-project-automation bot moved this from Needs triage to Done in Backlog Aug 13, 2024
@github-project-automation github-project-automation bot moved this from In Development to Done in AVM - Module Issues Aug 13, 2024