azurerm_eventhub_namespace public_network_access_enabled doesn't working properly when network_rulesets block exists #18054

Closed
omerfeldman2 opened this issue Aug 21, 2022 · 11 comments

omerfeldman2 commented Aug 21, 2022

Terraform Version

1.1.5

AzureRM Provider Version

3.17.0

Affected Resource(s)/Data Source(s)

azurerm_eventhub_namespace

Terraform Configuration Files

resource "azurerm_eventhub_namespace" "namespace" {
  location            = var.location
  name                = var.name
  resource_group_name = var.resource_group_name
  sku                 = var.sku_tier

  zone_redundant = var.zone_redundant

  capacity                 = var.is_auto_inflate_enabled ? (var.force_override_throughput_units ? var.throughput_units : try(tonumber(data.azurerm_eventhub_namespace.namespace[0].capacity), var.throughput_units)) : var.throughput_units
  auto_inflate_enabled     = var.sku_tier != "Standard" ? false : var.is_auto_inflate_enabled
  maximum_throughput_units = (var.sku_tier != "Premium" && var.is_auto_inflate_enabled) ? var.maximum_throughput_units : 0

  local_authentication_enabled  = true
  public_network_access_enabled = false

  network_rulesets {
    default_action                 = "Allow"
    trusted_service_access_enabled = var.trusted_service_access_enabled
  }

  tags = var.tags

  depends_on = [data.azurerm_eventhub_namespace.namespace]
}

Debug Output/Panic Output

Unfortunately I cannot provide the full debug file because of sensitive information; the related debug output, as I believe, is:

{"sku":{"name":"Standard","tier":"Standard","capacity":5},"id":"/subscriptions/<subscription-id>/resourceGroups/event-hub-namespace-test-rg/providers/Microsoft.EventHub/namespaces/ehn-testing","name":"ehn-testing","type":"Microsoft.EventHub/Namespaces","location":"West Europe","tags":{"env":"test","owner":"me"},"properties":{"minimumTlsVersion":"1.2","publicNetworkAccess":"Disabled","disableLocalAuth":false,"zoneRedundant":true,"isAutoInflateEnabled":true,"maximumThroughputUnits":10,"kafkaEnabled":true,"provisioningState":"Succeeded","metricId":"<subscription-id>:ehn-testing","createdAt":"2022-08-21T06:07:49.063Z","updatedAt":"2022-08-21T06:08:39.16Z","serviceBusEndpoint":"https://ehn-testing.servicebus.windows.net:443/","status":"Active"}}: timestamp=2022-08-21T09:08:57.854+0300

{"properties":{"defaultAction":"Allow","trustedServiceAccessEnabled":true}}: timestamp=2022-08-21T09:08:57.854+0300

{"sku":{"name":"Standard","tier":"Standard","capacity":5},"id":"/subscriptions/<subscription-id>/resourceGroups/event-hub-namespace-test-rg/providers/Microsoft.EventHub/namespaces/ehn-testing","name":"ehn-testing","type":"Microsoft.EventHub/Namespaces","location":"West Europe","tags":{"env":"test","owner":"me"},"properties":{"minimumTlsVersion":"1.2","publicNetworkAccess":"Enabled","disableLocalAuth":false,"zoneRedundant":true,"isAutoInflateEnabled":true,"maximumThroughputUnits":10,"kafkaEnabled":true,"provisioningState":"Succeeded","metricId":"<subscription-id>:ehn-testing","createdAt":"2022-08-21T06:07:49.063Z","updatedAt":"2022-08-21T06:09:05.043Z","serviceBusEndpoint":"https://ehn-testing.servicebus.windows.net:443/","status":"Active"}}: timestamp=2022-08-21T09:09:10.531+0300

{"id":"/subscriptions/<subscription-id>/resourceGroups/event-hub-namespace-test-rg/providers/Microsoft.EventHub/namespaces/ehn-testing/networkRuleSets/default","name":"default","type":"Microsoft.EventHub/Namespaces/NetworkRuleSets","location":"West Europe","properties":{"publicNetworkAccess":"Enabled","defaultAction":"Allow","virtualNetworkRules":[],"ipRules":[],"trustedServiceAccessEnabled":true}}: timestamp=2022-08-21T09:09:11.280+0300

2022-08-21T09:09:12.770+0300 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value for module.event_hub_namespace.azurerm_eventhub_namespace.namespace, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .public_network_access_enabled: was cty.False, but now cty.True
      - .dedicated_cluster_id: was null, but now cty.StringVal("")

Expected Behaviour

Event hub namespace should be created with public access enabled false.
[screenshot: evh-creation]

Actual Behaviour

Event hub namespace created with public access enabled true.
[screenshot: evh-portal-public-access]
[screenshot: evh-portal-template-public-access]
And when I rerun terraform apply without code changes:
[screenshot: evh-rerun]

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

NOTE:
As I noticed, the real problem is when you use the network_rulesets block: in the rulesets block there is also a public_network_access_enabled attribute, which defaults to true.
Therefore, when you use the rulesets block, that public_network_access_enabled attribute overrides the entered attribute.

@github-actions github-actions bot removed the bug label Aug 21, 2022
@omerfeldman2 omerfeldman2 changed the title azurerm_eventhub_namespace public_network_access_enabled doesn't working properly azurerm_eventhub_namespace public_network_access_enabled doesn't working properly when network_rulesets block exists Aug 21, 2022
@omerfeldman2 (Author)

Is there any progress regarding this bug?

omerfeldman2 (Author) commented Sep 5, 2022

Any help please?

xiaxyi (Contributor) commented Sep 6, 2022

Thanks @omerfeldman2, does the override work the same way via the Azure portal? Will the public_network_access value also be overridden if you set the same config in the portal?

@omerfeldman2 (Author)

If you deploy it with an ARM template, the network_rulesets public_network_access_enabled attribute overrides the regular public_network_access_enabled. Unfortunately Terraform doesn't support modifying the override attribute, and it defaults to true. This means that every time a network_rulesets block is defined, the event hub namespace will be created with public access.

xiaxyi (Contributor) commented Sep 7, 2022

If I set default_action = "Deny", the public_network_access will be overridden. Is this the override option that you are talking about?

@omerfeldman2 (Author)

{
  "type": "Microsoft.EventHub/namespaces/networkRuleSets",
  "apiVersion": "2022-01-01-preview",
  "name": "default",
  "properties": {
    "defaultAction": "string",
    "ipRules": [
      {
        "action": "Allow",
        "ipMask": "string"
      }
    ],
    "publicNetworkAccess": "string",
    "trustedServiceAccessEnabled": "bool",
    "virtualNetworkRules": [
      {
        "ignoreMissingVnetServiceEndpoint": "bool",
        "subnet": {
          "id": "string"
        }
      }
    ]
  }
}

This is the ARM template of the network_rulesets block.
As you can see, there is also a public_network_access_enabled attribute here; this is the override one.

xiaxyi (Contributor) commented Sep 7, 2022

Thanks @omerfeldman2 , let me check the api and source code, will update once confirmed.

@omerfeldman2 (Author)

Thanks, I really appreciate that.

xiaxyi (Contributor) commented Sep 9, 2022

Hi @omerfeldman2 , I've added the override property in the mentioned pr. I have restricted the value setting, the public network access setting in two places has to be the same, otherwise, there will be an error. You can track the status in the pr. Feel free to let me know if there is anything needed.
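An added audit check, not code from this issue or from the azurerm provider, that reproduces on the API bodies what the debug output above shows: the namespace-level publicNetworkAccess says Disabled while the networkRuleSets/default view, which is the one the service actually enforces, says Enabled. It mirrors the constraint the maintainer describes (the two settings must agree) and additionally flags the fully open combination of Enabled plus defaultAction Allow with no IP or VNet rules. The sample bodies are constructed from the debug output quoted in the issue (trimmed); the function names are mine.

```python
import json

# Constructed sample API bodies, trimmed from the debug output quoted in this issue.
NAMESPACE_DOC = json.loads('''{"name":"ehn-testing","type":"Microsoft.EventHub/Namespaces",
"properties":{"publicNetworkAccess":"Disabled","disableLocalAuth":false,"status":"Active"}}''')
RULESET_DOC = json.loads('''{"name":"default",
"type":"Microsoft.EventHub/Namespaces/NetworkRuleSets",
"properties":{"publicNetworkAccess":"Enabled","defaultAction":"Allow",
"virtualNetworkRules":[],"ipRules":[],"trustedServiceAccessEnabled":true}}''')


def public_access(doc):
    """Return True/False for a publicNetworkAccess property, or None if it is absent."""
    value = doc.get("properties", {}).get("publicNetworkAccess")
    if value is None:
        return None
    return str(value).lower() == "enabled"


def audit_namespace(intended_enabled, namespace_doc, ruleset_doc):
    """Compare the intended setting with both API views and return a list of findings.

    The network rule set is what the service enforces, so its value is treated as
    the effective one whenever it is present; the namespace view is only a fallback.
    """
    findings = []
    ns = public_access(namespace_doc)
    rs = public_access(ruleset_doc)
    if ns is not None and rs is not None and ns != rs:
        findings.append("namespace and networkRuleSets disagree on publicNetworkAccess")
    effective = rs if rs is not None else ns
    if effective != intended_enabled:
        findings.append("effective publicNetworkAccess=%s but intended %s"
                        % ("Enabled" if effective else "Disabled",
                           "Enabled" if intended_enabled else "Disabled"))
    rules = ruleset_doc.get("properties", {})
    if (effective and rules.get("defaultAction") == "Allow"
            and not rules.get("ipRules") and not rules.get("virtualNetworkRules")):
        findings.append("public access enabled with defaultAction=Allow and no "
                        "ip/vnet rules: reachable from any network")
    return findings


if __name__ == "__main__":
    # The reporter's config intended public_network_access_enabled = false.
    for finding in audit_namespace(False, NAMESPACE_DOC, RULESET_DOC):
        print("FINDING:", finding)
```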

@omerfeldman2 (Author)

Thanks a lot!!

@github-actions bot

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022