
Cannot link to virtual_network subnet from virtual_network_gateway as it cannot resolve the subnet name, and cannot link subnet to security group #25483

Closed
bizmate opened this issue Apr 2, 2024 · 5 comments · Fixed by #25484

Comments

bizmate commented Apr 2, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.5

AzureRM Provider Version

2.99.0

Affected Resource(s)/Data Source(s)

azurerm_virtual_network_gateway

Terraform Configuration Files

resource "azurerm_virtual_network" "XYZ_Internal_vnet" {
  name                = "XYZ_Internal_vnet"
  address_space       = ["10.1.0.0/16"]
  location            = azurerm_resource_group.XYZ_rg.location
  resource_group_name = azurerm_resource_group.XYZ_rg.name

  subnet {
    name           = "XYZ_Internal_Enterprise_subnet"
    address_prefix = "10.1.1.0/24"
    security_group = azurerm_network_security_group.XYZ_Internal_Enterprise_nsg.id
  }

  subnet {
    name           = "XYZ_Internal_Management_subnet"
    address_prefix = "10.1.2.0/24"
    security_group = azurerm_network_security_group.XYZ_Internal_Management_nsg.id
  }

  subnet {
    name           = "XYZ_Internal_Secure_subnet"
    address_prefix = "10.1.3.0/24"
    security_group = azurerm_network_security_group.XYZ_Internal_Secure_nsg.id
  }

  subnet {
    name           = "GatewaySubnet"
    address_prefix = "10.1.0.0/24"
  }
}

// THE BELOW CAUSES CONFLICT. Subnets cannot be stand alone or both inline
//resource "azurerm_subnet" "XYZ_Internal_GatewaySubnet_subnet" {
//  name                 = "GatewaySubnet"
//  virtual_network_name = azurerm_virtual_network.XYZ_Internal_vnet.name
//  resource_group_name  = azurerm_resource_group.XYZ_rg.name
//  address_prefixes       = ["10.1.0.0/24"]
//}
//
resource "azurerm_virtual_network_gateway" "XYZ_VPN_Gateway" {
  name                = "XYZ_VPN_Gateway"
  location            = azurerm_resource_group.XYZ_rg.location
  resource_group_name = azurerm_resource_group.XYZ_rg.name

  type     = "Vpn"
  vpn_type = "RouteBased"
  sku      = "VpnGw1"

  ip_configuration {
    public_ip_address_id          = azurerm_public_ip.XYZ_VPN_public_ip.id
    private_ip_address_allocation = "Dynamic"
    #subnet_id                     = azurerm_virtual_network.XYZ_Internal_vnet.subnet[index(azurerm_virtual_network.XYZ_Internal_vnet.subnet.*.name, "GatewaySubnet")].id
    #subnet_id                     = azurerm_subnet.XYZ_Internal_GatewaySubnet_subnet.id
    subnet_id =                   azurerm_virtual_network.XYZ_Internal_vnet.subnet.*.id[3]
  }
}

resource "azurerm_public_ip" "XYZ_VPN_public_ip" {
  name                = "XYZ_VPN_public_ip"
  resource_group_name = azurerm_resource_group.XYZ_rg.name
  location            = azurerm_resource_group.XYZ_rg.location
  allocation_method   = "Dynamic"

  tags = {
    environment = "Production"
  }
}

Debug Output/Panic Output

╷
│ Error: expected ip_configuration.0.subnet_id to reference a gateway subnet with name GatewaySubnet
│ 
│   with azurerm_virtual_network_gateway.XYZ_VPN_Gateway,
│   on main.tf line 109, in resource "azurerm_virtual_network_gateway" "XYZ_VPN_Gateway":
│  109:     subnet_id =                   azurerm_virtual_network.XYZ_Internal_vnet.subnet.*.id[3]

Expected Behaviour

Should be able to reference the right subnet, inside a virtual network, from a virtual network gateway.

Also, if the above is not possible, extend the subnet resource to allow specifying a security group.

Actual Behaviour

Even if the subnet is named correctly as "GatewaySubnet", the response suggests otherwise.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

subnet
virtual network gateway

@tombuildsstuff
Contributor

hey @bizmate

In this instance the subnet block within the azurerm_virtual_network resource is a Set rather than a List - meaning that the ordering isn't guaranteed (and is based on a hash function, rather than the order defined in the config/API) - and thus the third item via the interpolation function may not necessarily be the third value defined in the Terraform Configuration above. Unfortunately the error message doesn't make this particularly clear, and as such I've opened #25484 to update this to include the (in this case interpolated) subnet name, when the Subnet name isn't GatewaySubnet.

You should be able to work around this by using the azurerm_subnet data source to obtain the ID of the Subnet post-creation, noting that you'll need to use a depends_on on the azurerm_virtual_network resource itself in order to ensure the ordering - but that should allow you to provision this as required, would you be able to take a look?

Since the underlying validation message will be fixed by #25484, I'm going to close this issue for the moment - but if switching to use the Data Source as described above as the interpolated value doesn't fix this then please let us know and we can take another look.

Thanks!

@tombuildsstuff tombuildsstuff added this to the v3.98.0 milestone Apr 2, 2024
bizmate commented Apr 3, 2024

hi @tombuildsstuff thank you very much for the reply. I could use the azurerm_subnet and indeed this is how I initially coded it, but as I mentioned this resource does not allow linking to a network security group, so if I create a virtual network without subnets and define them in azurerm_subnet I fail to see a way to link the subnet to the security group. Even in the security group I cannot see a way to link it to the subnet.

I think the solutions would be to:

  • have a way to fetch the right subnet from the virtual network
  • add a link to the NSR in the azurerm_subnet
  • add a way to list subnets using the NSR inside the NSR

I don't want to transform this into a stackoverflow question so I hope my contribution actually helps the quality of the provider.

@tombuildsstuff
Contributor

@bizmate (as mentioned above) the azurerm_subnet Data Source can be used to reference the Subnet once it's created by the azurerm_virtual_network resource - rather than the azurerm_subnet Resource, which will allow consistently obtaining its ID here.

bizmate commented Apr 3, 2024

@tombuildsstuff I missed the data source suggestion, it worked, thank you... for some reason the gateway does not deploy with the definition above ... not sure what I am doing wrong

│ Error: Creating/Updating Virtual Network Gateway: (Name "XYZ_VPN_Gateway" / Resource Group "entp-project-256780"):
 network.VirtualNetworkGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- 
 Original Error: Code="PublicIpWithBasicSkuNotAllowedOnVPNGateways" 
 Message="Basic IP configuration for VPN Virtual Network Gateways is not supported. 
 Follow the link for more details : 
 https://go.microsoft.com/fwlink/p/?linkid=2241350 /subscriptions/45099685-79c7-467a-9195-c45bffe41c55/resourceGroups/entp-project-256780/providers/Microsoft.Network/virtualNetworkGateways/XYZ_VPN_Gateway" 
 Details=[]

I will keep looking
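Added example, not from the issue or the provider's documentation: the maintainer's data-source workaround for the Set-ordered inline subnets, together with a public IP that satisfies the "Basic IP configuration ... not supported" error above. It assumes the azurerm_virtual_network and azurerm_resource_group resources from the issue's configuration already exist; the sku/allocation_method values on azurerm_public_ip follow Azure's VPN gateway requirement and are not stated in this thread.

```hcl
# Editor-added example; reuses the issue's resource names (XYZ_Internal_vnet,
# XYZ_rg, XYZ_VPN_Gateway) and assumes those resources are defined as above.

# Look the gateway subnet up by name once the VNet exists. The inline
# subnet blocks are a Set, so subnet.*.id[3] is not a stable reference;
# a name lookup is. depends_on forces the read to happen after creation.
data "azurerm_subnet" "gateway" {
  name                 = "GatewaySubnet"
  virtual_network_name = azurerm_virtual_network.XYZ_Internal_vnet.name
  resource_group_name  = azurerm_resource_group.XYZ_rg.name

  depends_on = [azurerm_virtual_network.XYZ_Internal_vnet]
}

# VPN gateways reject Basic-SKU public IPs (the 400 in the thread:
# PublicIpWithBasicSkuNotAllowedOnVPNGateways). Standard SKU is required
# and it only supports Static allocation. (Assumed fix, not from the thread.)
resource "azurerm_public_ip" "XYZ_VPN_public_ip" {
  name                = "XYZ_VPN_public_ip"
  resource_group_name = azurerm_resource_group.XYZ_rg.name
  location            = azurerm_resource_group.XYZ_rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_virtual_network_gateway" "XYZ_VPN_Gateway" {
  name                = "XYZ_VPN_Gateway"
  location            = azurerm_resource_group.XYZ_rg.location
  resource_group_name = azurerm_resource_group.XYZ_rg.name

  type     = "Vpn"
  vpn_type = "RouteBased"
  sku      = "VpnGw1"

  ip_configuration {
    public_ip_address_id          = azurerm_public_ip.XYZ_VPN_public_ip.id
    private_ip_address_allocation = "Dynamic"
    # Resolved by name, so the provider's GatewaySubnet check always passes.
    subnet_id = data.azurerm_subnet.gateway.id
  }
}
```

The inline subnet blocks keep their security_group associations, so the NSGs stay attached to the workload subnets while the gateway gets a deterministic subnet reference.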

github-actions bot commented May 4, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 4, 2024