Azure CN - MinimumApiVersionNotSpecifiedForPrivateEndpointASG #26295

Open
1 task done
henkepa opened this issue Jun 11, 2024 · 0 comments
henkepa commented Jun 11, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.5

AzureRM Provider Version

3.107.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint_application_security_group_association

Terraform Configuration Files

## https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
resource "azurerm_storage_account" "default" {
  name                     = var.StorageAccountDefaultName
  resource_group_name      = azurerm_resource_group.rmp-shared.name
  location                 = azurerm_resource_group.rmp-shared.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  public_network_access_enabled = var.StorageAccountDefaultPublicNetworkAccessEnabled

  network_rules {
    default_action = "Deny"
    ip_rules       = concat(var.SchindlerAzureFirewallEuNorthPublicIps, var.SchindlerAzureWebgatewayEuNorthPublicIps, var.SchindlerAzureFirewallCnNorth3PublicIps, var.SchindlerAzureWebgatewayCnNorth3PublicIps)
    bypass         = [ "AzureServices" ]
  }

  lifecycle { 
    prevent_destroy = true  
  }

  tags = local.DefaultTags
}

data "azurerm_storage_account" "default" {
  name                = var.StorageAccountDefaultName
  resource_group_name = azurerm_resource_group.rmp-shared.name
}

## https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint
resource "azurerm_private_endpoint" "sa-default-blob" {
  name                = "pe-sa-${var.StorageAccountDefaultName}-private-blob"
  resource_group_name = azurerm_resource_group.rmp-shared.name
  location            = azurerm_resource_group.rmp-shared.location
  subnet_id           = "/subscriptions/${var.AzureAccountSubscriptionNumber}/resourceGroups/${var.RgSharedInfrastructureName}/providers/Microsoft.Network/virtualNetworks/${var.VnetDefaultName}/subnets/${var.VnetDefaultRmpSubnetName}"

  ip_configuration {
    name               = "ipc-sa-${var.StorageAccountDefaultName}-private-blob"
    private_ip_address = cidrhost(local.VnetDefaultSnetSubnetRmpIpv4, var.StorageAccountDefaultBlobIpSuffix)
    member_name        = "blob"
    subresource_name   = "blob"
  }
  private_service_connection {
    name                           = "psc-sa-default-blob"
    private_connection_resource_id = data.azurerm_storage_account.default.id
    is_manual_connection           = false
    subresource_names              = [ "blob" ] ## https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
  }

  tags = local.DefaultTags
}

## https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_security_group
data "azurerm_application_security_group" "sa-default-blob" {
  name                = "${var.AsgNamePrefix}sa-default-blob"
  resource_group_name = data.azurerm_resource_group.shared.name
}

## https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint_application_security_group_association
#NOT YET SUPPORTED IN CN 
resource "azurerm_private_endpoint_application_security_group_association" "sa-default-blob" {
  private_endpoint_id           = azurerm_private_endpoint.sa-default-blob.id
  application_security_group_id = data.azurerm_application_security_group.sa-default-blob.id
}

Debug Output/Panic Output

Error: creating Private Endpoint (Subscription: "****"
│ Resource Group Name: "****"
│ Private Endpoint Name: "****"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: MinimumApiVersionNotSpecifiedForPrivateEndpointASG: Specified api-version 2023-11-01 does not meet the minimum required api-version 2021-03-01 for application security group support in 
private endpoint. Use api-version 2021-03-01 or remove ApplicationSecurityGroup property from the request body.
│
│   with azurerm_private_endpoint_application_security_group_association.sa-default-blob,
│   on sa.tf line 60, in resource "azurerm_private_endpoint_application_security_group_association" "sa-default-blob":
│   60: resource "azurerm_private_endpoint_application_security_group_association" "sa-default-blob" {
│
│ creating Private Endpoint (Subscription: "*****"
│ Resource Group Name: "*****"
│ Private Endpoint Name: "***"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: MinimumApiVersionNotSpecifiedForPrivateEndpointASG: Specified api-version 2023-11-01 does not meet the minimum required api-version 2021-03-01 for application security group support in 
│ private endpoint. Use api-version 2021-03-01 or remove ApplicationSecurityGroup property from the request body.

Expected Behaviour

Update of the PE to attach the ASG

Actual Behaviour

Errors

Steps to Reproduce

Run the azurerm_private_endpoint_application_security_group_association against a Private Endpoint that is bound to a Storage Account in Azure CN

Important Factoids

No response

References

No response
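
An added example, not part of the original issue or the provider's code: when the association fails as reported above, the private endpoint exists without its ASG, so this check walks `terraform show -json` state output and lists managed private endpoints that have no `azurerm_private_endpoint_application_security_group_association` in state. The sample state, the `module.files` module and all IDs are constructed placeholders.

```python
import json

PE_TYPE = "azurerm_private_endpoint"
ASSOC_TYPE = "azurerm_private_endpoint_application_security_group_association"

def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def endpoints_without_asg(state_json):
    """Return sorted addresses of managed private endpoints with no ASG association."""
    state = json.loads(state_json)
    root = (state.get("values") or {}).get("root_module", {})
    endpoints, associated = {}, set()
    for res in iter_resources(root):
        if res.get("mode") != "managed":
            continue
        values = res.get("values") or {}
        # Azure resource IDs are case-insensitive, so compare lower-cased.
        if res.get("type") == PE_TYPE:
            endpoints[values["id"].lower()] = res["address"]
        elif res.get("type") == ASSOC_TYPE:
            associated.add(values["private_endpoint_id"].lower())
    return sorted(a for pe_id, a in endpoints.items() if pe_id not in associated)

# Constructed sample state (placeholder IDs, hypothetical module), shaped like
# the output of `terraform show -json`.
_PE = ("/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-example"
       "/providers/Microsoft.Network/privateEndpoints/")
SAMPLE_STATE = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "resources": [
        {"address": "azurerm_private_endpoint.sa-default-blob", "mode": "managed",
         "type": PE_TYPE, "values": {"id": _PE + "pe-blob"}},
    ],
    "child_modules": [{"address": "module.files", "resources": [
        {"address": "module.files.azurerm_private_endpoint.file", "mode": "managed",
         "type": PE_TYPE, "values": {"id": _PE + "pe-file"}},
        {"address": "module.files." + ASSOC_TYPE + ".file", "mode": "managed",
         "type": ASSOC_TYPE, "values": {"private_endpoint_id": _PE.upper() + "PE-FILE"}},
    ]}],
}}})

if __name__ == "__main__":
    for address in endpoints_without_asg(SAMPLE_STATE):
        print("no ASG association in state:", address)
```

The check only reflects what Terraform recorded in state; an endpoint it reports may still need to be confirmed against the Azure side.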

@henkepa henkepa changed the title Azure CN - MinimumApiVersionNotSpecifiedForPrivateEndpointASG: Specified api-version 2023-11-01 does not meet the minimum required api-version 2021-03-01 for application security group support │ in private endpoint. Use api-version 2021-03-01 or remove ApplicationSecurityGroup property from the request body. Azure CN - MinimumApiVersionNotSpecifiedForPrivateEndpointASG: Specified api-version 2023-11-01 does not meet the minimum required api-version 2021-03-01 for application security group support in private endpoint Jun 11, 2024
@henkepa henkepa changed the title Azure CN - MinimumApiVersionNotSpecifiedForPrivateEndpointASG: Specified api-version 2023-11-01 does not meet the minimum required api-version 2021-03-01 for application security group support in private endpoint Azure CN - MinimumApiVersionNotSpecifiedForPrivateEndpointASG Jun 11, 2024