
Support for Azure Monitor Private Link Scope

Open ross-p-smith opened this issue 4 years ago • 11 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Allow azurerm provider to create/update Azure Monitor Private Link Scope resources: az cli reference. This is supported in the 2019-10-17 preview schema here. But I don't believe it is in the Azure Go SDK.

Implementing this will enable use of Azure Monitor behind Private Endpoints.

New or Affected Resource(s)

  • azurerm_monitor

Potential Terraform Configuration

resource "azurerm_monitor_private_link_scope" "example" {
  name = "example"
  log_analytics_workspace_id = "law_id"
}

ross-p-smith avatar Jan 06 '21 01:01 ross-p-smith

Depends on https://github.com/Azure/azure-sdk-for-go/issues/14090

tjcorr avatar May 19 '21 13:05 tjcorr

Deploying this for a large customer now and until this resource is added, we will have to attempt to use azurerm_template with an ARM for AMPLS.

robertdias avatar Aug 18 '21 16:08 robertdias

The resource has been implemented in provider 2.85. However, it has no meaningful properties next to name and resource_group_name. I'm confused.

geekzter avatar Nov 12 '21 15:11 geekzter

I think we have to wait for this PR for the azurerm_monitor_private_link_scoped_service resource to get merged and released

geekzter avatar Nov 12 '21 15:11 geekzter

@geekzter it has been merged

nick4fake avatar Dec 06 '21 02:12 nick4fake

I am not sure if I should open a new issue for this or if it makes sense to have it here. I am running into an issue with this resource now that it is available. When deploying the AMPLS scope, the first scoped service seems to deploy fine. Any additional services, either in the same Terraform module, in a different one, or even through the portal, seem to have the same issue. In Terraform it gives an async error and times out after around 15-20 minutes.

In troubleshooting this a bit more, I have found that if I go to the AMPL scope, choose the scope, choose the Private Endpoint Connections on the left, select the Private Endpoint, it has the following at the top of the screen as a warning:

"Please refresh the private endpoint to allow connectivity to all regions. " Right after clicking refresh, the second AMPL service resource provisions ok. Does anyone know what may be causing this? I am not seeing any options for location on this resource, but it shows global in the portal. Private Endpoint does not allow location to be global. Any thoughts?

dawsonar802 avatar Dec 13 '21 16:12 dawsonar802

According to the AMPLS design document you can attach up to 300 Log Analytics workspaces or Application Insights components. Looks like the PR above only supports 1 attachment. Is it a limitation of the SDK, or shall I open a new issue? https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design

LaurentLesle avatar Mar 18 '22 02:03 LaurentLesle

Right after clicking refresh, the second AMPL service resource provisions ok. Does anyone know what may be causing this? I am not seeing any options for location on this resource, but it shows global in the portal. Private Endpoint does not allow location to be global. Any thoughts?

Hi Laurent,

Long time no speak, I hope you're well! We are also experiencing this issue with the second workspace link. As you said, the documentation is clear that up to 300 workspaces are supported, so I think an issue should be opened for this. In the meantime, does anyone know if it's possible to hit that refresh button programmatically?

Regards, David

davidsampson-hv avatar Mar 21 '22 12:03 davidsampson-hv

We are looking at deploying AMPLS and I am confused by the azurerm_monitor_private_link_scope having no access mode property. Does it default to open?

scott1138 avatar Jul 06 '22 13:07 scott1138

From what I have seen when deploying AMPLS it defaults Ingestion access mode to private and Query access mode to open. For the actual resources like LA or App Insights, when using the azurerm_monitor_private_link_scoped_service resource it sets both the "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" to No.

dawsonar802 avatar Jul 06 '22 13:07 dawsonar802

Jumping on this thread as I noticed it's still open. Ideally, support for DCEs, which currently do not pass the rules validation, would be nice. Will try with azapi but may PR to change the validation.

kaovd avatar Aug 11 '22 15:08 kaovd

Is there any further update, as "Accept queries from public networks not connected through a Private Link Scope" is still defaulting to open?

swati-delphix avatar Jan 24 '23 13:01 swati-delphix
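As an added illustration (editor's example, not configuration from this issue or from the provider's documentation), the sketch under "Potential Terraform Configuration" carried through to a complete AMPLS deployment that also pins the access modes discussed above, so that neither the scope's query access mode nor the workspace's public query path is left at the "open" default reported in the thread. It assumes the `ingestion_access_mode` and `query_access_mode` arguments on `azurerm_monitor_private_link_scope`, which appeared in provider versions later than those discussed here; all names, the resource group and the subnet id are placeholders.

```hcl
# Editor's example, not from the issue: AMPLS with both access modes private,
# one scoped workspace with public ingestion/query disabled, and the endpoint.
variable "subnet_id" { type = string } # placeholder: private-endpoint subnet id

resource "azurerm_resource_group" "example" {
  name     = "rg-ampls-example"
  location = "westeurope"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "law-ampls-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"

  # Close the public paths the thread reports as left open by default.
  internet_ingestion_enabled = false
  internet_query_enabled     = false
}

resource "azurerm_monitor_private_link_scope" "example" {
  name                = "ampls-example"
  resource_group_name = azurerm_resource_group.example.name

  # Assumed arguments (added to the provider after this thread); set explicitly
  # because the thread reports the query mode defaulting to Open.
  ingestion_access_mode = "PrivateOnly"
  query_access_mode     = "PrivateOnly"
}

resource "azurerm_monitor_private_link_scoped_service" "example" {
  name                = "law-link"
  resource_group_name = azurerm_resource_group.example.name
  scope_name          = azurerm_monitor_private_link_scope.example.name
  linked_resource_id  = azurerm_log_analytics_workspace.example.id
}

resource "azurerm_private_endpoint" "example" {
  name                = "pe-ampls-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "ampls-connection"
    private_connection_resource_id = azurerm_monitor_private_link_scope.example.id
    is_manual_connection           = false
    subresource_names              = ["azuremonitor"]
  }
}
```

The private DNS zones that resolve the monitor, oms, ods and agentsvc endpoints to the private IPs are deliberately left out; without them, clients still resolve the public addresses even though the scope is private. Re-checking the access modes after apply (for example via `az monitor private-link-scope show`) is the practical way to confirm the defaults described above did not win.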