How do I set subnet delegation within the hub networks? #711

Open
djbark opened this issue May 12, 2023 · 6 comments
Assignees
Labels
enhancement New feature or request

Comments

@djbark

djbark commented May 12, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

I want to deploy a DNS Private Resolver within the hub networks, but to do so two new subnets are required with subnet delegation set to dnsResolvers.

Describe the solution you'd like

The ability to set subnet delegation in settings.connectivity.tf, or documentation on how to do that if it is already possible.

Additional context

@ghost ghost added the Needs: Triage 🔍 Needs triaging by the team label May 12, 2023
@matt-FFFFFF matt-FFFFFF added the enhancement New feature or request label May 12, 2023
@ghost ghost removed the Needs: Triage 🔍 Needs triaging by the team label May 12, 2023
@matt-FFFFFF matt-FFFFFF self-assigned this May 12, 2023
@matt-FFFFFF
Member

Thanks for logging, we will add this to our backlog.

In the meantime, you can use the AzAPI provider and the azapi_update_resource to update the settings on a resource. This might work.

@picccard

picccard commented May 13, 2023

This issue was also mentioned in #505. At this comment a solution is suggested.

Could you try the solution and let us know if you have any issues?

Edit:
Did a test-deployment and got a subnet delegated by using the 'advanced' object in the local 'configure_connectivity_resources', see the bottom of my settings.connectivity.tf. Adding my files as a more complete example.

settings.connectivity.tf

```hcl
# Configure the connectivity resources settings.
locals {
  configure_connectivity_resources = {
    settings = {
      hub_networks = [
        {
          enabled = true
          config = {
            address_space                = ["10.100.0.0/16", ]
            location                     = "northeurope"
            link_to_ddos_protection_plan = false
            dns_servers                  = []
            bgp_community                = ""
            subnets = [
              {
                name                      = "mysubnet"
                address_prefixes          = ["10.100.10.0/24"]
                network_security_group_id = ""
                route_table_id            = ""
              }
            ]
            virtual_network_gateway = {
              enabled = false
            }
            azure_firewall = {
              enabled = false
            }
            spoke_virtual_network_resource_ids      = []
            enable_outbound_virtual_network_peering = true
            enable_hub_network_mesh_peering         = false
          }
        },
      ]
      vwan_hub_networks = []
      ddos_protection_plan = {
        enabled = false
      }
      dns = {
        enabled = false
      }
    }

    location = var.connectivity_resources_location
    tags     = var.connectivity_resources_tags
    advanced = {
      custom_settings_by_resource_type = {
        azurerm_subnet = {
          connectivity = {
            northeurope = {
              mysubnet = {
                delegation = [
                  {
                    name = "Microsoft.Network/dnsResolvers"
                    service_delegation = [
                      {
                        name = "Microsoft.Network/dnsResolvers"
                      }
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```

main.tf

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.54.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "core" {}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "=4.0.0"

  default_location = "northeurope"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name

  deploy_connectivity_resources    = var.deploy_connectivity_resources
  subscription_id_connectivity     = data.azurerm_client_config.core.subscription_id
  configure_connectivity_resources = local.configure_connectivity_resources
}
```

terraform plan

Result:

```text
Terraform will perform the following actions:

  # module.enterprise_scale.azurerm_subnet.connectivity["/subscriptions/xxxx-xxxx-xxxx-xxxxx-xxxxxxxx/resourceGroups/myorg-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/myorg-hub-northeurope/subnets/mysubnet"] will be created
  + resource "azurerm_subnet" "connectivity" {
      + address_prefixes                               = [
          + "10.100.10.0/24",
        ]
      + enforce_private_link_endpoint_network_policies = (known after apply)
      + enforce_private_link_service_network_policies  = (known after apply)
      + id                                             = (known after apply)
      + name                                           = "mysubnet"
      + private_endpoint_network_policies_enabled      = (known after apply)
      + private_link_service_network_policies_enabled  = (known after apply)
      + resource_group_name                            = "myorg-connectivity-northeurope"
      + virtual_network_name                           = "myorg-hub-northeurope"

      + delegation {
          + name = "Microsoft.Network/dnsResolvers"

          + service_delegation {
              + name = "Microsoft.Network/dnsResolvers"
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
```

@djbark
Author

djbark commented May 15, 2023

@picccard Thanks - that solution worked for me. I wasn't aware that you can specify individual resources within the advanced settings.

@picccard

These advanced features are not documented, for now.

> The module allows for further customization of the connectivity resources through the `advanced` setting, however this is out-of-scope for this example.
> Use of the `advanced` setting is currently undocumented and experimental.
> Please be aware that using this setting may result in future breaking changes.

Could you @matt-FFFFFF comment on whether subnet delegations should be documented with use of the advanced setting, or should this feature of delegating subnets be integrated into the subnet schema as something optional?

```hcl
subnets = optional(list(
  object({
    name                      = string
    address_prefixes          = list(string)
    network_security_group_id = optional(string, "")
    route_table_id            = optional(string, "")
    delegation_service_name   = optional(string, "") #  <<<<<<<< NEW PROPERTY
  })
), [])
```

Setting subnet delegation is completely missing in ALZ-Bicep, but PR Azure/ALZ-Bicep#526 suggests altering the subnet schema.

@matt-FFFFFF
Member

matt-FFFFFF commented May 17, 2023

Hi @picccard

The advanced block is flexible but not documented at all; we are working on how best to describe its capability in docs.

We don't have plans to add to the configure_connectivity_resources block.

@FreddyAyala

If apply fails and you then try to apply it again, for some reason it tries to destroy the delegations:

```text
  # module.connectivity.module.enterprise_scale.azurerm_subnet.connectivity["/subscriptions/yyyyy/resourceGroups/es-connectivity-canadaeast/providers/Microsoft.Network/virtualNetworks/es-hub-canadaeast/subnets/outboundsubnetdns"] will be updated in-place
  ~ resource "azurerm_subnet" "connectivity" {
        id   = "/subscriptions/8dfc81b4-9732-4b10-88ad-07cf9a644863/resourceGroups/es-connectivity-canadaeast/providers/Microsoft.Network/virtualNetworks/es-hub-canadaeast/subnets/outboundsubnetdns"
        name = "outboundsubnetdns"
        # (9 unchanged attributes hidden)

      - delegation {
          - name = "Microsoft.Network.dnsResolvers" -> null

          - service_delegation {
              - actions = [
                  - "Microsoft.Network/virtualNetworks/subnets/join/action",
                ] -> null
              - name    = "Microsoft.Network/dnsResolvers" -> null
            }
        }
    }
```

So the deployment is blocked because the private DNS Resolver is already present and delegations cannot be removed and replaced. This is a blocking point, and delegation should be integrated in the subnet creation, not afterwards using undocumented advanced settings.
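A pre-apply gate for the two situations in this thread: confirming that the `advanced` override actually produced the delegation on the intended subnet (picccard's plan above), and catching a re-apply that would strip an existing delegation (FreddyAyala's plan). This is an added example, not code from the issue or from the caf-enterprise-scale module; it reads the JSON produced by `terraform show -json plan.out`, and the embedded plan is a constructed sample that reuses the subnet and delegation names from the thread.

```python
import json

# Constructed sample of `terraform show -json plan.out` output: an existing
# subnet whose dnsResolvers delegation would be dropped on update (the
# re-apply failure above) and a new subnet created with the delegation.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": 'module.enterprise_scale.azurerm_subnet.connectivity["outboundsubnetdns"]',
     "type": "azurerm_subnet",
     "change": {"actions": ["update"],
                "before": {"name": "outboundsubnetdns", "delegation": [
                    {"name": "dns-delegation", "service_delegation": [
                        {"name": "Microsoft.Network/dnsResolvers"}]}]},
                "after": {"name": "outboundsubnetdns", "delegation": []}}},
    {"address": 'module.enterprise_scale.azurerm_subnet.connectivity["mysubnet"]',
     "type": "azurerm_subnet",
     "change": {"actions": ["create"], "before": None,
                "after": {"name": "mysubnet", "delegation": [
                    {"name": "Microsoft.Network/dnsResolvers", "service_delegation": [
                        {"name": "Microsoft.Network/dnsResolvers"}]}]}}},
]})


def delegation_services(subnet_attrs):
    """Service names a subnet is delegated to; before/after may be None on create/delete."""
    if not subnet_attrs:
        return set()
    return {sd["name"]
            for d in subnet_attrs.get("delegation") or []
            for sd in d.get("service_delegation") or []}


def find_delegation_problems(plan_json, expected):
    """Return (subnet_name, problem) for every azurerm_subnet change that would
    drop an existing delegation or lacks the delegation `expected` requires."""
    problems = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_subnet":
            continue
        change = rc["change"]
        before = delegation_services(change.get("before"))
        after = delegation_services(change.get("after"))
        name = (change.get("after") or change.get("before") or {}).get("name", rc["address"])
        for lost in sorted(before - after):        # delegation removed in-place
            problems.append((name, f"would remove delegation to {lost}"))
        want = expected.get(name)
        if want and want not in after:             # delegation never applied
            problems.append((name, f"missing expected delegation to {want}"))
    return problems
```

Run it against the real plan JSON in CI and fail the pipeline on any non-empty result, so a plan that would strip the dnsResolvers delegation never reaches `terraform apply`.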
