Can't deploy a privatelink service with Terraform
Working on a Terraform script to deploy a Private Link Service. This a part of my script:
resource "azurerm_resource_group" "example" {
name = "RG6"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "example-vnet"
address_space = ["10.5.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
name = "example-subnet"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.5.1.0/24"]
private_endpoint_network_policies_enabled = false
}
resource "azurerm_public_ip" "example" {
name = "example-api"
sku = "Standard"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
allocation_method = "Static"
}
resource "azurerm_lb" "example" {
name = "example-lb"
sku = "Standard"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
frontend_ip_configuration {
name = azurerm_public_ip.example.name
public_ip_address_id = azurerm_public_ip.example.id
}
}
resource "azurerm_private_link_service" "example" {
name = "example-privatelink"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
load_balancer_frontend_ip_configuration_ids = [azurerm_lb.example.frontend_ip_configuration[0].id]
auto_approval_subscription_ids = [local.subscription_id]
visibility_subscription_ids = [local.subscription_id]
nat_ip_configuration {
name = "primary"
subnet_id = azurerm_subnet.example.id
primary = true
private_ip_address = "10.5.1.17"
}
nat_ip_configuration {
name = "secondary"
private_ip_address = "10.5.1.18"
private_ip_address_version = "IPv4"
subnet_id = azurerm_subnet.example.id
primary = false
}
}
At run I get this error message:
│ Error: creating Private Link Service: (Name "example-privatelink" / Resource Group "RG6"): network.PrivateLinkServicesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateLinkServiceCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private link service /subscriptions/XXXXXXX/resourceGroups/RG6/providers/Microsoft.Network/privateLinkServices/example-privatelink cannot be created in a subnet /subscriptions/XXXXXXX/resourceGroups/RG6/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/example-subnet since it has private link service network policies enabled." Details=[] │ │ with azurerm_private_link_service.example, │ on config.tf line 83, in resource "azurerm_private_link_service" "example": │ 83: resource "azurerm_private_link_service" "example" {
My question
Why I get this message. I set this parameter false :
private_endpoint_network_policies_enabled = false
This is asked from doc: https://learn.microsoft.com/en-us/azure/private-link/private-link-faq
I tested for true just to check, same result.
This example is inspired from the doc: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_link_service
Can't deploy a privatelink service with Terraform
I do agree with fredrik for suggesting the same point.
The error you are encountered that subnet has private link service network policies enabled, which is preventing the creation of the private link service.
To resolve the issue, you should disable the private link service network policies for the subnet by setting the private_link_service_network_policies_enabled = false within the subnet module.
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "RG7"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "example-vnet"
address_space = ["10.5.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
name = "example-subnet"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.5.1.0/24"]
private_endpoint_network_policies_enabled = false
private_link_service_network_policies_enabled = false
}
resource "azurerm_public_ip" "example" {
name = "example-api"
sku = "Standard"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
allocation_method = "Static"
}
resource "azurerm_lb" "example" {
name = "example-lb"
sku = "Standard"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
frontend_ip_configuration {
name = azurerm_public_ip.example.name
public_ip_address_id = azurerm_public_ip.example.id
}
}
resource "azurerm_private_link_service" "example" {
name = "example-privatelink"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
load_balancer_frontend_ip_configuration_ids = [azurerm_lb.example.frontend_ip_configuration[0].id]
auto_approval_subscription_ids = ["b83c1ed3-c5b6-44fb-b5ba-2b83a074c23f"]
visibility_subscription_ids = ["b83c1ed3-c5b6-44fb-b5ba-2b83a074c23f"]
nat_ip_configuration {
name = "primary"
subnet_id = azurerm_subnet.example.id
primary = true
private_ip_address = "10.5.1.17"
}
nat_ip_configuration {
name = "secondary"
private_ip_address = "10.5.1.18"
private_ip_address_version = "IPv4"
subnet_id = azurerm_subnet.example.id
primary = false
}
}
Terraform apply result, without using the private_link_service_network_policies_enabled = false in the subnet module.
Terraform apply result, after setting private_link_service_network_policies_enabled = false in the subnet module
Reference: azurerm_subnet
- Launch template mtc should not specify an instance profile. The noderole in your request will be used to construct an instance profile
- Terraform does not accept Snowflake account name
- How to Start postgres.exe and Change Postgres Account on an Azure Virtual Machine Using Terraform
- AWS Terraform Multiple deployments to single apigateway stage
- AWS Batch: Activating Previous Revisions marked as inactive
- How can I invalidate AWS CloudFront Distribution cache using Terraform?
- Terraform version error when deploying to AWS through jenkins?
- Unable to push image to ACR from terraform - could not get auth config (the credentialhelper did not work or was not found):
- Create kubernetes secret for docker registry - Terraform
- Lambda layer's contents don’t match the S3 object after deploying with Terraform
- how to refer to resources created with for_each in terraform
- How can we create same resource in multiple terraform providers?
- what is the privilege of the Postgres user created by gcp
- Why does terraformer not find plugin?
- How are data sources used in Terraform?
- Terraform docker_image Resource Fails With "invalid response status 403"
- Terraform Deployment of ECS Targets Failing
- Terraform retrieve existing aws_vpc object by id
- How to create a module for gitlab_user_runner and use the token every time a new runner is created in root
- What is the meaning of "authoritative" and "Non-authoritative" for GCP IAM bindings/members
- Azurerm: KeyVault Nested Item should contain 2 or 3 segments, got 10
- How can we split a terraform module into multiple modules
- Automate express route circuit gateway based on express route circuit provision status
- How to subdivide CIDR subnet in Terraform with cidrsubnet Function?
- Terraform AWS EKS add or edit nodes user_data
- Tofu/Terraform Docker provider error: failed to read downloaded context: failed to load cache key: Get "http://build-context-xxx": context not found
- Terraform AWS OpenSearch using Cognito module circular problem
- With Terraform, when using resource `aws_iam_access_key` and output to retrieve the secret key the result retrieved is "tostring(null)"
- Invalid template interpolation value
- Create cloudwatch scheduled expression based on a variable - expected expression but found "*"