I'm working with the Azure CAF using Terraform and as it does not seem to contain any provision for Bastion/RDP I have added/extended my solution to include one.
However, by default it is setting the Bastion traffic to go via the firewall for internet traffic, which breaks Bastion when installed into a vhub spoke (which is the only option available to me under the CAF).
The setting is simple enough to modify in the UI or via AZ CLI.
But, I'm trying to use azapi to change this.
This page:
seems to imply this is possible. My Terraform looks like this:
resource "azapi_update_resource" "update_bastion_vwan_connection" {
  depends_on = [module.alz]
  type       = "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-11-01"
  name       = local.azurerm_virtual_hub_connection_bastion_name
  parent_id  = module.alz.azurerm_virtual_hub.virtual_wan["/subscriptions/${var.subscription_id_connectivity}/resourceGroups/${local.azurerm_resource_group_name}/providers/Microsoft.Network/virtualHubs/${local.azurerm_virtual_hub_name}"].id
  body = jsonencode({
    properties = {
      enableInternetSecurity = false
    }
  })
}
The Terraform plan runs no problem, but the apply is failing with an 'invalid json' response (full error below).
╷
│ Error: Failed to update resource
│
│ with azapi_update_resource.update_bastion_vwan_connection,
│ on bastion.tf line 191, in resource "azapi_update_resource" "update_bastion_vwan_connection":
│ 191: resource "azapi_update_resource" "update_bastion_vwan_connection" {
│
│ updating "Resource: (ResourceId
│ \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-prod-uks-vwan-001/providers/Microsoft.Network/virtualHubs/vhub-prod-uks-conn-001/hubVirtualNetworkConnections/vhubconn-prod-uks-bas-001\"
│ / Api Version \"2023-11-01\")": PUT
│ https://management.azure.com/subscriptions/8098e6e4-2d0d-43ac-87f6-7d86e20f59ba/resourceGroups/rg-prod-uks-vwan-001/providers/Microsoft.Network/virtualHubs/vhub-prod-uks-conn-001/hubVirtualNetworkConnections/vhubconn-prod-uks-bas-001
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ ERROR CODE: InvalidRequestFormat
│ --------------------------------------------------------------------------------
│ {
│ "error": {
│ "code": "InvalidRequestFormat",
│ "message": "Cannot parse the request.",
│ "details": [
│ {
│ "code": "InvalidJson",
│ "message": "Error converting value \"{\"properties\":{\"enableInternetSecurity\":false}}\" to type 'Microsoft.WindowsAzure.Networking.Nrp.Frontend.Contract.Csm.Public.HubVirtualNetworkConnection'. Path '', line 1, position 53."
│ }
│ ]
│ }
│ }
│ --------------------------------------------------------------------------------
│
I'm not quite sure what this error is telling me.
Can anyone provide any insight?
Got a response from the repo team.
https://github.com/Azure/terraform-provider-azapi/issues/631
This was down to the version I was using.
I noticed that you're using 2.0.0-beta, in this version, the body only supports HCL object and removes the support of JSON string. Please remove the jsonencode function and retry.
Their supplied alternate syntax worked correctly.
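The corrected form the reply describes, written here as an added example rather than the poster's or the provider's own code: with azapi 2.x the body is passed as an HCL object, not a jsonencode() string, and response_export_values reads the flag back from the PUT response so the applied state can be confirmed. It assumes the same locals, variables and module outputs as the question.

```hcl
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2.0" # from 2.0.0-beta on, body must be an HCL object
    }
  }
}

# Disable internet security only on the Bastion spoke's hub connection so that
# Bastion's internet-bound traffic is not forced through the hub firewall.
# Every other spoke connection keeps the secured-hub default.
resource "azapi_update_resource" "update_bastion_vwan_connection" {
  depends_on = [module.alz]
  type       = "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-11-01"
  name       = local.azurerm_virtual_hub_connection_bastion_name
  parent_id  = module.alz.azurerm_virtual_hub.virtual_wan["/subscriptions/${var.subscription_id_connectivity}/resourceGroups/${local.azurerm_resource_group_name}/providers/Microsoft.Network/virtualHubs/${local.azurerm_virtual_hub_name}"].id

  # Plain HCL object, no jsonencode(): the provider serialises it itself.
  body = {
    properties = {
      enableInternetSecurity = false
    }
  }

  # Export the flag from the response so the applied value can be inspected.
  response_export_values = ["properties.enableInternetSecurity"]
}

# Surfaces the value Azure actually stored; it should read false after apply.
output "bastion_connection_internet_security" {
  value = azapi_update_resource.update_bastion_vwan_connection.output.properties.enableInternetSecurity
}
```

Checking the output after apply confirms the change landed on the Bastion connection alone, rather than relying on the plan succeeding.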