Add Settings: azurerm_eventhub_namespace - Firewalls and Virtual Networks

[midacts]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please add the ability to manage eventhub namespace firewall and virtual network rules from Terraform.

New or Affected Resource(s)

• azurerm_eventhub_namespace

Potential Terraform Configuration

resource "azurerm_eventhub_namespace" "test" {
  name                = "acceptanceTestEventHubNamespace"
  location            = "West US"
  resource_group_name = "${azurerm_resource_group.test.name}"
  sku                 = "Basic"
  capacity            = 2

  vnet_access = [
    {
      virtual_network = 'test-vnet1'
      subnet          = 'test-subnet1'
    },
    {
      virtual_network = 'test-vnet2'
      subnet          = 'test-subnet2'
    },
  ]

  firewall_rules      = [
    "subnet1",
    "subnet2",
  ]

  tags {
    environment       = "Production"
  }
}

References

• https://docs.microsoft.com/mt-mt/Azure/event-hubs/event-hubs-ip-filtering

[AntonChernysh]

While we are waiting for this resource to be supported in Terraform, here's the way to do it with ARM deployment.
Let's say we have var allowed_ips of type list that is allowed_ips=["11.11.11.11","22.22.22.22","33.33.33.33]

First using template provider we create data source with all IP addresses from above variable:

# Preparing list of allowed IPs
data "template_file" "data_json" {
  template = <<JSON
{
      "ipMask": "$${ipMask}",
      "action": "allow"
    }
JSON

  count = "${length(var.allowed_ips)}"

  vars {
    ipMask = "${element(var.allowed_ips,count.index)}"
  }
}

And the deployment titself would look like this:
(Also below code has an example of how to deal with VNET subnet rules)

# ARM deployment
resource "azurerm_template_deployment" "ipwhitelist" {
  name                = "some-name-firewall"
  resource_group_name = "some-rg"

  template_body = <<JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
     "_force_terraform_to_always_redeploy": "${timestamp()}"
  },
  "resources": [{
    "type": "Microsoft.EventHub/namespaces/networkRuleSets",
    "apiVersion": "2018-01-01-preview",
    "name": "eventhub-namespace-name/default",
    "location": "[resourceGroup().location]",
    "properties": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [
            {
                "subnet": {
                    "id": "some-subnet1-id"
                },
                "ignoreMissingVnetServiceEndpoint": false
            },
            {
                "subnet": {
                    "id": "some-subnet2-id"
                },
                "ignoreMissingVnetServiceEndpoint": false
            }
        ],
        "ipRules": [${join(",", data.template_file.data_json.*.rendered)}]
    }
  }
  ]
}
JSON

  deployment_mode = "Incremental"
}

[AntonChernysh]

This is supported since v1.35.0
#4409
However it can only take single appearance of ip_rule, whereas it says in documentation ip_rule - (Optional) One or more ip_rule blocks as defined below.

[AntonChernysh]

Looks like it's fixed now in https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.0.0
I'll give it a try Tomorrow.

[jbinko]

@midacts: I believe this is implemented already and this issue can be closed now. See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace

[favoretti]

Since this issue seems to have been addressed in the latest versions of the provider - I'm going to close it. Please open a new updated bug report if this is still relevant. Thank you.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.