I have a working block of terraform vnet,subnet and NSG of it.
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "example-vn"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
address_space = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "example" {
name = "example-sn"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.2.0/24"]
service_endpoints = ["Microsoft.Storage"]
delegation {
name = "fs"
service_delegation {
name = "Microsoft.DBforPostgreSQL/flexibleServers"
actions = [
"Microsoft.Network/virtualNetworks/subnets/join/action",
]
}
}
}
resource "azurerm_private_dns_zone" "example" {
name = "example.postgres.database.azure.com"
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
name = "exampleVnetZone.com"
private_dns_zone_name = azurerm_private_dns_zone.example.name
virtual_network_id = azurerm_virtual_network.example.id
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_postgresql_flexible_server" "example" {
name = "example-psqlflexibleserver2022"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
version = "13"
delegated_subnet_id = azurerm_subnet.example.id
private_dns_zone_id = azurerm_private_dns_zone.example.id
administrator_login = "postgres"
administrator_password = "password@2020"
zone = "1"
storage_mb = 131072
sku_name = "GP_Standard_D2s_v3"
depends_on = [azurerm_private_dns_zone_virtual_network_link.example]
}
But I am getting create nsg before subnet policy error, so changed the subnet creation as below.
# Create Virtual Network
resource "azurerm_virtual_network" "aksvnet" {
name = "aks-network"
location = azurerm_resource_group.aks_rg.location
resource_group_name = azurerm_resource_group.aks_rg.name
address_space = ["10.0.0.0/8"]
subnet {
name = "aks-default-subnet"
address_prefix = "10.240.0.0/16"
security_group = azurerm_network_security_group.example.id
}
subnet {
name = "aks-postgres-subnet"
address_prefix = "10.230.2.0/24"
security_group = azurerm_network_security_group.example.id
service_endpoints = ["Microsoft.Storage"]
delegation {
name = "fs"
service_delegation {
name = "Microsoft.DBforPostgreSQL/flexibleServers"
actions = [
"Microsoft.Network/virtualNetworks/subnets/join/action",
]
}
}
}
}
resource "azurerm_network_security_group" "example" {
name = "example-nsg"
location = azurerm_resource_group.aks_rg.location
resource_group_name = azurerm_resource_group.aks_rg.name
security_rule {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
But getting below errors.
Please suggest how to fix that.
Error: Unsupported argument
â
â on 11-virtual-network.tf line 17, in resource "azurerm_virtual_network" "aksvnet":
â 17: service_endpoints = ["Microsoft.Storage"]
â
â An argument named "service_endpoints" is not expected here.
âµ
â·
â Error: Unsupported block type
â
â on 11-virtual-network.tf line 18, in resource "azurerm_virtual_network" "aksvnet":
â 18: delegation {
â
â Blocks of type "delegation" are not expected here.
Even with below approach, I am getting policy error.
# Create Virtual Network
resource "azurerm_virtual_network" "aksvnet" {
name = "aks-network"
location = azurerm_resource_group.aks_rg.location
resource_group_name = azurerm_resource_group.aks_rg.name
address_space = ["10.0.0.0/8"]
subnet {
name = "aks-default-subnet"
address_prefix = "10.240.0.0/16"
security_group = azurerm_network_security_group.example.id
}
}
resource "azurerm_network_security_group" "example" {
name = "example-nsg"
location = azurerm_resource_group.aks_rg.location
resource_group_name = azurerm_resource_group.aks_rg.name
security_rule {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
resource "azurerm_subnet_network_security_group_association" "example" {
subnet_id = azurerm_subnet.example.id
network_security_group_id = azurerm_network_security_group.example.id
}
resource "azurerm_subnet" "example" {
virtual_network_name = azurerm_virtual_network.aksvnet.name
name = "aks-postgres-subnet"
resource_group_name = azurerm_resource_group.aks_rg.name
address_prefixes = ["10.230.2.0/24"]
service_endpoints = ["Microsoft.Storage"]
delegation {
name = "fs"
service_delegation {
name = "Microsoft.DBforPostgreSQL/flexibleServers"
actions = [
"Microsoft.Network/virtualNetworks/subnets/join/action",
]
}
}
depends_on = [azurerm_virtual_network.aksvnet, azurerm_network_security_group.example]
}
I am getting error as below.
er-delete-dev"): network.SubnetsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error:
Code="RequestDisallowedByPolicy" Message="Resource
'aks-postgres-subnet' was disallowed by policy. Policy identifiers:
'[{"policyAssignment":{"name":"Deny-Subnet-Without-Nsg","id":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg"},"policyDefinition":{"name":"Subnets
should have a Network Security Group
","id":"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg"}}]'."
Target="aks-postgres-subnet"
AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Network/virtualNetworks/subnets","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Network/virtualNetworks/subnets"},{"expression":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","expressionKind":"Field","operator":"Exists","path":"properties.networkSecurityGroup.id","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Deny-Subnet-Without-Nsg","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg","policyAssignmentName":"Deny-Subnet-Without-Nsg","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones","policyDefinitionDisplayName":"Subnets
should have a Network Security Group
","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg","policyDefinitionName":"Deny-Subnet-Without-Nsg"},"type":"PolicyViolation"}]
â
â with azurerm_subnet.example,
â on 11-virtual-network.tf line 37, in resource "azurerm_subnet" "example":
â 37: resource "azurerm_subnet" "example" {
