
Eventhub public_network_access_enabled = false is not working in AzureRM Terraform #18717

Open
1 task done
dhanasri-kolagana opened this issue Oct 12, 2022 · 7 comments


Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.2

AzureRM Provider Version

3.25.0

Affected Resource(s)/Data Source(s)

Eventhub namespace

Terraform Configuration Files

resource "azurerm_eventhub_namespace" "eventhub_namespace" {
  name                          = var.name
  location                      = var.location
  resource_group_name           = var.rg_name
  sku                           = var.sku
  capacity                      = var.capacity
  tags                          = var.tags
  public_network_access_enabled = false

  dynamic "identity" {
    for_each = var.identity_type != null ? ["identity"] : []
    content {
      type = var.identity_type
      # Avoid perpetual changes if SystemAssigned and identity_ids is not null
      identity_ids = var.identity_type == "UserAssigned" ? var.identity_ids : null
    }
  }

  dynamic "network_rulesets" {
    for_each = [var.network_rulesets]
    content {
      default_action                 = lookup(network_rulesets.value, "default_action", "Deny")
      public_network_access_enabled  = lookup(network_rulesets.value, "public_network_access", false)
      trusted_service_access_enabled = lookup(network_rulesets.value, "trusted_service_access_enabled", false)

      dynamic "virtual_network_rule" {
        for_each = lookup(network_rulesets.value, "virtual_network_rule", null) != null ? ["virtual_network_rule"] : []
        content {
          subnet_id                                       = lookup(network_rulesets.value.virtual_network_rule, "subnet_id", null)
          ignore_missing_virtual_network_service_endpoint = lookup(network_rulesets.value.virtual_network_rule, "ignore_missing_virtual_network_service_endpoint", false)
        }
      }
    }
  }
}

Debug Output/Panic Output

Error: Unsupported argument
│ 
│   on eventhub.tf line 9, in module "eventhub-namespace":
│    9:   public_network_access_enabled = false
│ 
│ An argument named "public_network_access_enabled" is not expected here.
╵
Operation failed: failed running terraform plan (exit 1)

Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Expected Behaviour

Public network access should be disabled.

Actual Behaviour

No response

Steps to Reproduce

terraform plan

Important Factoids

No response

References

#18054

Tried changing the version, but no luck.

@Amier3
Contributor

Amier3 commented Oct 12, 2022

Hey @xiaxyi , could you take a look at this?

@xiaxyi
Contributor

xiaxyi commented Oct 13, 2022

@Amier3 checking

@xiaxyi
Contributor

xiaxyi commented Oct 13, 2022

@dhanasri-kolagana I see you are using dynamic and for_each for the network rule sets; may I know how many network_rulesets you have in for_each = [var.network_rulesets]?

Do you mind helping me test the example config below and see whether public_network_access_enabled is recognized or not?

resource "azurerm_eventhub_namespace" "eventhub_namespace" {
  name                          = "tftest-ehn-publicNetwork"
  location                      = azurerm_resource_group.test.location
  resource_group_name           = azurerm_resource_group.test.name
  sku                           = "Premium"
  capacity                      = 1
  public_network_access_enabled = false

  network_rulesets {
    default_action                 = "Deny"
    public_network_access_enabled  = false
    trusted_service_access_enabled = false

    virtual_network_rule {
      subnet_id                                       = azurerm_subnet.test.id
      ignore_missing_virtual_network_service_endpoint = false
    }
  }

}

@xiaxyi
Contributor

xiaxyi commented Nov 7, 2022

Hi @dhanasri-kolagana , any update?

@jr8279

jr8279 commented Dec 16, 2022

Any updates on this?

I'm using Terraform 1.2.7 and AzureRM 3.36.0.
When I try to set public_network_access_enabled = false with a Private Endpoint set and null ip_rule and null virtual_network_rule, I get the following error:

Error: the value of public network access of namespace should be the same as of the network rulesets

network_rulesets = [
  {
    default_action                 = "Deny"
    trusted_service_access_enabled = true
    public_network_access_enabled  = false
    ip_rule = var.enable_private_endpoint == true ? [] : [
      for mask in local.ipmasks_pr : { ip_mask = mask, action = "Allow" }
    ]
    virtual_network_rule = var.enable_private_endpoint == true ? [] : [
      for subnet in local.subnetids_pr : { subnet_id = subnet, ignore_missing_virtual_network_service_endpoint = false }
    ]
  },
]

@jr8279

jr8279 commented Dec 16, 2022

I found today that setting default_action = "Deny" sets the "Public Network Access" radio buttons to "Selected Networks", and setting public_network_access_enabled = false sets the radio buttons to "Deny".
If you want to disable all network access and only use a Private Endpoint, you need to set default_action = "Deny" and public_network_access_enabled = false.
If you want to whitelist IPs or vNets for access, you need to set default_action = "Deny" and public_network_access_enabled = true. Doing this requires at least 1 IP or vNet to be added to the configuration.

Additionally, public_network_access_enabled is set in 2 locations; one in Microsoft.EventHub/namespaces, and a second in Microsoft.EventHub/namespaces/networkRuleSets, and these must match. If this is intentional, the documentation needs to be updated to reflect this. But I would expect the argument to only be set once and then be used to update the Azure resource in both locations with the same value.

{
    "type": "Microsoft.EventHub/namespaces",
    "properties": {
        "minimumTlsVersion": "1.2",
        "publicNetworkAccess": "Disabled",
        "disableLocalAuth": false,
        "zoneRedundant": false,
        "isAutoInflateEnabled": false,
        "maximumThroughputUnits": 0,
        "kafkaEnabled": true
    }
},

{
    "type": "Microsoft.EventHub/namespaces/networkRuleSets",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "defaultAction": "Deny",
        "virtualNetworkRules": [
            {
                "subnet": {....
    }
}

@tspearconquest
Contributor

Hi, any update on this?

I'm working to secure our event hub to private endpoints only. My terraform code looks like:

resource "azurerm_eventhub_namespace" "default" {
  name                = coalesce(var.name_override, module.name_generator.value)
  location            = var.region
  resource_group_name = local.rg_name

  depends_on = [azurerm_resource_group.default]

  sku            = "Standard"
  zone_redundant = var.zone_redundant

  public_network_access_enabled = false

  network_rulesets {
    default_action = "Deny"

    public_network_access_enabled  = false
    trusted_service_access_enabled = false
  }

  tags = var.common_tags

  lifecycle {
    ignore_changes = [
      tags["zz_created_date"]
    ]
  }
}

I also have a private endpoint configured. This event hub is where we send Kubernetes audit logs via the azurerm_monitor_diagnostic_settings resource, and in my test event hub where I applied this update, the messages which were coming in stopped.

I confirmed that the private endpoint DNS resolves from a VM in the subnet where the endpoint is connected, however after running terraform apply, the audit logs stopped coming into the event hub.

Now after starting to type this, I also tried setting trusted_service_access_enabled = true in the network_rulesets block above and ran terraform apply again.

I confirmed pretty much right away after setting trusted_service_access_enabled = true that the messages are able to come in again; so it appears that when using Diagnostic Settings to send any kind of logs/events to the Event Hub, you must allow trusted service access.
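The two findings above, jr8279's (default_action = "Deny" plus a public_network_access_enabled value that must be identical on the namespace and on its networkRuleSets, with an allow-list required whenever public access stays on) and tspearconquest's (diagnostic settings only deliver when trusted_service_access_enabled = true), combined into one configuration. This is an added example, not code from the thread, the provider, or its documentation. The single switch is declared as an input variable because a module block only accepts arguments the module declares; it is computed once in a local and referenced in both places, and a Terraform 1.2+ precondition fails the plan when "Selected networks" mode has no IP or subnet rule. Resource names, the region, var.aks_cluster_id and the sample allow-list inputs are assumptions; the azurerm 3.x namespace_name-style references and the enabled_log block (older 3.x releases use the log block instead) are assumed too.

```hcl
# Added example (not from the thread): one switch drives both
# publicNetworkAccess locations; names and sample inputs are assumptions.
variable "private_endpoint_only" { # true = "Disabled", false = "Selected networks"
  type    = bool
  default = true
}
variable "allowed_ip_masks" { # CIDRs for Selected-networks mode
  type    = list(string)
  default = []
}
variable "allowed_subnet_ids" { # subnet IDs for Selected-networks mode
  type    = list(string)
  default = []
}
variable "aks_cluster_id" { # assumed input: the AKS cluster to audit
  type = string
}

locals {
  # Computed once, referenced twice: the namespace value and the
  # networkRuleSets value must match or the provider rejects the plan.
  public_network_access_enabled = !var.private_endpoint_only
}

resource "azurerm_eventhub_namespace" "example" {
  name                = "ehns-example"
  location            = "westeurope"
  resource_group_name = "rg-example"
  sku                 = "Standard"
  capacity            = 1

  public_network_access_enabled = local.public_network_access_enabled

  network_rulesets {
    # Deny selects "Selected networks"; with public access false it is "Disabled".
    default_action                = "Deny"
    public_network_access_enabled = local.public_network_access_enabled
    # Azure Monitor delivers diagnostic logs via the trusted-services path;
    # leaving this false silently stops the audit stream.
    trusted_service_access_enabled = true

    dynamic "ip_rule" {
      for_each = var.private_endpoint_only ? [] : var.allowed_ip_masks
      content {
        ip_mask = ip_rule.value
        action  = "Allow"
      }
    }
    dynamic "virtual_network_rule" {
      for_each = var.private_endpoint_only ? [] : var.allowed_subnet_ids
      content {
        subnet_id                                       = virtual_network_rule.value
        ignore_missing_virtual_network_service_endpoint = false
      }
    }
  }

  lifecycle {
    # "Selected networks" with an empty allow-list is rejected at apply time;
    # fail at plan time instead (Terraform >= 1.2).
    precondition {
      condition     = var.private_endpoint_only || length(concat(var.allowed_ip_masks, var.allowed_subnet_ids)) > 0
      error_message = "private_endpoint_only = false needs at least one ip_mask or subnet_id."
    }
  }
}

resource "azurerm_eventhub" "kube_audit" {
  name                = "kube-audit"
  namespace_name      = azurerm_eventhub_namespace.example.name
  resource_group_name = azurerm_eventhub_namespace.example.resource_group_name
  partition_count     = 2
  message_retention   = 1
}

# Diagnostic settings need a Send-capable authorization rule on the namespace.
resource "azurerm_eventhub_namespace_authorization_rule" "diag" {
  name                = "diag-send"
  namespace_name      = azurerm_eventhub_namespace.example.name
  resource_group_name = azurerm_eventhub_namespace.example.resource_group_name
  listen              = false
  send                = true
  manage              = false
}

resource "azurerm_monitor_diagnostic_setting" "aks_audit" {
  name                           = "kube-audit-to-eventhub"
  target_resource_id             = var.aks_cluster_id
  eventhub_name                  = azurerm_eventhub.kube_audit.name
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.diag.id

  enabled_log {
    category = "kube-audit"
  }
}
```

With private_endpoint_only = true (the default) the plan sets publicNetworkAccess to Disabled in both ARM locations and creates no ip or subnet rules, which is the private-endpoint-only posture described above; flipping it to false switches both locations to Enabled and the precondition refuses to plan until at least one rule is supplied, mirroring the "Selected networks requires at least 1 IP or vNet" behaviour. Trusted service access stays on in both modes because the audit-log delivery from Azure Monitor depends on it, not on the allow-list.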
