azure_rm_privateendpoint missing parameter
SUMMARY
Private endpoint creation is failing when the tenant is not authorized to access the linked subscription. az cli has an option: --manual-request true
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_privateendpoint
ANSIBLE VERSION
ansible 2.10.17
config file = None
configured module search path = ['/home/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/xxx/.local/lib/python3.7/site-packages/ansible
executable location = /home/xxxx/.local/bin/ansible
python version = 3.7.5 (default, Dec 9 2021, 17:04:37) [GCC 8.4.0]
COLLECTION VERSION
# /home/xxx/.ansible/collections/ansible_collections
Collection Version
------------------ -------
azure.azcollection 1.13.0
# /home/xxx/.local/lib/python3.7/site-packages/ansible_collections
Collection Version
------------------ -------
azure.azcollection 1.4.0
CONFIGURATION
OS / ENVIRONMENT
WSL1 with ubuntu18.04
STEPS TO REPRODUCE
Set up a private endpoint when the tenant is not authorized to access the linked subscription (e.g. a different company)
```yaml
- name: Azure
  hosts: localhost
  gather_facts: no
  collections:
    - azure.azcollection
  vars:
    az_rg: "xxxx-a.rg"
  tasks:
    - name: add endpoint
      azure_rm_privateendpoint:
        name: "private_endpoint_xxxx"
        tenant: "xxxxxxxx"
        auth_source: env
        resource_group: "xxxxx"
        private_link_service_connections:
          - name: "xxxxx"
            private_link_service_id: "xxxxx"
        subnet:
          id: "xxxxxx"
```
EXPECTED RESULTS
Private endpoint gets created
ACTUAL RESULTS
Playbook fails because it can't modify resources in the subscription
"changed": false, "msg": "Error creating or updating private endpoint XXXX (LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope XXXXXX however the current tenant '********' is not authorized to access linked subscription
@polocato Thank you for your attention. I'm sorry that I don't quite understand what you mean. Do you mean to add the parameter 'manual-request', or do you want to specify different tenants? Thank you very much!
Hello, thank you for looking into my request. I'd like to ask for the manual-request parameter. From my perspective this is not a missing feature but some kind of bug/missing core functionality. Without that parameter you can't create a private link between two unrelated companies. Best Regards
@polocato Thank you for your reply, but I have checked the latest API and found that 'manual-request' is not supported and cannot be added for the time being. Once it is supported, we will add it as soon as possible. Thank you very much!
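The `--manual-request true` option mentioned in the report can be driven from a playbook by calling the az CLI directly. This is an added example, not code from the thread or from azure.azcollection; it assumes `az` is installed and already logged in on the control host, and every `xxxx` value and variable name is a placeholder.

```yaml
# Added example, not part of azure.azcollection; every "xxxx" value is a placeholder.
- name: Request a private endpoint to a service in another tenant
  hosts: localhost
  gather_facts: no
  vars:
    pe_name: "private_endpoint_xxxx"
    pe_rg: "xxxxx"
    pe_subnet_id: "xxxxxx"
    pls_id: "xxxxx"   # resource ID of the private link service in the other tenant
  tasks:
    - name: Look up the endpoint so the play can be re-run safely
      ansible.builtin.command:
        argv: [az, network, private-endpoint, show, --name, "{{ pe_name }}",
               --resource-group, "{{ pe_rg }}", --output, json]
      register: pe_show
      changed_when: false
      failed_when: false

    - name: Create the endpoint as a manual connection request
      ansible.builtin.command:
        argv:
          - az
          - network
          - private-endpoint
          - create
          - --name
          - "{{ pe_name }}"
          - --resource-group
          - "{{ pe_rg }}"
          - --subnet
          - "{{ pe_subnet_id }}"
          - --connection-name
          - "xxxxx"
          - --private-connection-resource-id
          - "{{ pls_id }}"
          - --manual-request
          - "true"
          - --request-message
          - "Connection request from xxxxx"
      when: pe_show.rc != 0

    - name: Read the approval state set by the service owner
      ansible.builtin.command:
        argv: [az, network, private-endpoint, show, --name, "{{ pe_name }}",
               --resource-group, "{{ pe_rg }}", --output, tsv, --query,
               "manualPrivateLinkServiceConnections[0].privateLinkServiceConnectionState.status"]
      register: pe_state
      changed_when: false
```

The last task reports `Pending` until the owner of the private link service approves the request on their side.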