Apim (private endpoint) named value, keyvault secret 404
I have an apim with a private endpoint. This is my code:
resource "azurerm_private_endpoint" "apim" {
name = "${var.organization}-apim-pep-${var.environment}"
location = var.azure_location
resource_group_name = var.resourcegroups.apim.name
subnet_id = data.azurerm_subnet.pep.id
private_service_connection {
name = "apim_private_service_connection"
private_connection_resource_id = azurerm_api_management.apim.id
is_manual_connection = false
subresource_names = ["Gateway"]
}
}
resource "azurerm_api_management" "apim" {
name = "${var.organization}-hub-${var.environment}-apim"
location = var.azure_location
resource_group_name = var.resourcegroups.apim.name
publisher_name = "${var.organization}-hub-${var.environment}-apim"
publisher_email = "email"
sku_name = "Developer_1"
identity {
type = "SystemAssigned, UserAssigned"
identity_ids = [
data.azurerm_user_assigned_identity.apim.id
]
}
}
I cannot resolve keyvault secrets. I get 404 on them. Earlier, when I had vnet integration and no private endpoint, I could resolve them. It is probably a networking issue then. However, I cannot change settings on the vnet because the network is done by azure, underwater (vnet type = 'None' per default). The subnet in which the private endpoint is deployed, has a service endpoint for Microsoft.KeyVault.
Which piece of the puzzle am I missing?
Solution
Apim (private endpoint) named value, keyvault secret 404:
If you cannot change the settings of a created virtual network, you must use a virtual network link resource provider named as azurerm_private_dns_zone_virtual_network_link to establish a network link connection for the keyvault. And also create a azurerm_private_dns_a_record
for the key vault and link to the virtual network which is hosting the private endpoint for an API management service.
Modified terraform code has given below:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "4.3.0"
}
}
}
provider "azurerm" {
features{}
subscription_id="fxxxx014"
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
name = "examplejahresources"
location = "West Europe"
}
resource "azurerm_api_management" "apim" {
name = "newja-apim"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
publisher_name = "My Company-apim"
publisher_email = "company@terraform.io"
sku_name = "Developer_1"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_virtual_network" "example" {
name = "ejanetwork"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "service" {
name = "jahservice"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.1.0/24"]
}
resource "azurerm_key_vault" "example" {
name = "examplejahkeyvault"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Get",
]
secret_permissions = [
"Get",
]
storage_permissions = [
"Get",
]
}
}
resource "azurerm_private_dns_zone" "example" {
name = "privatelink.vaultcore.azure.net"
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
name = "test"
resource_group_name = azurerm_resource_group.example.name
private_dns_zone_name = azurerm_private_dns_zone.example.name
virtual_network_id = azurerm_virtual_network.example.id
}
resource "azurerm_private_dns_a_record" "example" {
name = azurerm_key_vault.example.name
zone_name = azurerm_private_dns_zone.example.name
resource_group_name = azurerm_resource_group.example.name
ttl = 300
records = ["10.0.180.17"]
}
resource "azurerm_private_endpoint" "apim" {
name = "jahendpoint"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
subnet_id = azurerm_subnet.service.id
private_service_connection {
name = "apim_private_service_connection"
private_connection_resource_id = azurerm_api_management.apim.id
is_manual_connection = false
subresource_names = ["Gateway"]
}
}
resource "azurerm_private_endpoint" "keyvaultep" {
name = "jah-kv-pep"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
subnet_id = azurerm_subnet.service.id
private_service_connection {
name = "keyvault_private_service_connection"
private_connection_resource_id = azurerm_key_vault.example.id
is_manual_connection = false
subresource_names = ["vault"]
}
}
Deployment succeeded:
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?