We have a deployment of a VNET with bicep which works fine. Moving to Terraform and there are issues with Azure policy.
We have a policy which denies the creation of subnets with no NSGs. This is fine with Bicep as it seems to create the NSG link to the subnet as an atomic operation. Terraform doesn’t do this – it creates the subnet without an NSG attached and then runs a separate Terraform resource which connects them and so the subnet creation fails because of the policy. Same issue for Route tables.
Any general comment on this? There is no way to defer policy eval until after Terraform has finished and no inline way to force Terraform to do such things as an atomic operation …
2 Answers
Another example of the azurerm provider not being adequate, and it appears that there is a reason it is done this way and HC don't intend to change this as it breaks other things. So, I reverted to the azapi provider, which works fine for creating subnets in this scenario as it does atomic creation, along with the NSG/RT link.

You can create one or more subnets associated to Network Security Groups (NSG) using the subnet block of the azurerm_virtual_network resource: