Fix circular reference in vnet module #1743
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR resolves a circular reference in the vNet module by switching name and ID lookups to the newly deployed vNet resource instead of the hub.routing outputs, ensuring private networkβenabled deployments succeed.
- Use
vNetNamefor the NSG name to remove dependency onhub.routing.networkName - Swap
hub.routing.networkIdwithvNet.idin private DNS zone resources - Reference subnets in script storage and endpoint resources via
vNet::β¦child resource IDs
Comments suppressed due to low confidence (3)
src/templates/finops-hub/modules/infrastructure.bicep:216
- Consider adding unit or integration tests to cover the updated private DNS zone attachment logic using
vNet.idto prevent regressions when deploying with private networks.
id: vNet.id
src/templates/finops-hub/modules/infrastructure.bicep:22
- [nitpick] Add an inline comment explaining why the NSG name has been switched to use
vNetNameinstead ofhub.routing.networkName, to clarify the refactoring intent.
var nsgName = '${vNetName}-nsg'
src/templates/finops-hub/modules/infrastructure.bicep:203
- [nitpick] There's a lot of duplicated code for private DNS zones (blob, dfs, queue, table). Consider parameterizing these definitions in a loop or extracting into a reusable module to reduce repetition and simplify future updates.
resource blobPrivateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = if (hub.options.privateRouting) {
microsoft-github-policy-service
bot
added
Micro PR π¬
| @@ -213,7 +213,7 @@ resource blobPrivateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = if | |||
| properties: { | |||
| registrationEnabled: false | |||
| virtualNetwork: { | |||
| id: hub.routing.networkId | |||
| id: vNet.id | |||
There was a problem hiding this comment.
FYI - I was on the fence whether to use an on-demand reference or the ID that we have to maintain anyway. I ran into issues using the reference in some cases so I tended to use the original ID to work around bicep dependency limitations. I'm not overly opinionated, however. Just wanted to share the reasoning behind it being an ID rather than a reference.
| @@ -303,7 +303,7 @@ resource scriptStorageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = i | |||
| defaultAction: 'Deny' | |||
| virtualNetworkRules: [ | |||
| { | |||
| id: hub.routing.subnets.scripts | |||
| id: vNet::scriptSubnet.id | |||
There was a problem hiding this comment.
I wouldn't recommend using this approach. While an on-demand reference sounds nice, nobody else can use that unless we document the names and treat them as an API that never changes. If we use the variable in hub.routing.subnets, then we can tell everyone to use that forever without worrying about the name, even if we change it. The reason for us to use that same variable is because if we don't, then there might be a latent bug if the variable gets out of sync. When we rely on the same variable customers will use for extensibility, then we're much less likely to ship a bug.
| id: vNet::scriptSubnet.id | |
| id: hub.routing.subnets.scripts |
| @@ -317,7 +317,7 @@ resource scriptEndpoint 'Microsoft.Network/privateEndpoints@2023-11-01' = if (hu | |||
| tags: getHubTags(hub, 'Microsoft.Network/privateEndpoints') | |||
| properties: { | |||
| subnet: { | |||
| id: hub.routing.subnets.storage | |||
| id: vNet::finopsHubSubnet.id | |||
There was a problem hiding this comment.
Same as above
| id: vNet::finopsHubSubnet.id | |
| id: hub.routing.subnets.storage |
| @@ -19,7 +19,7 @@ param hub HubProperties | |||
| var safeHubName = replace(replace(toLower(hub.name), '-', ''), '_', '') | |||
| // cSpell:ignore vnet | |||
| var vNetName = '${safeHubName}-vnet-${hub.location}' | |||
| var nsgName = '${hub.routing.networkName}-nsg' | |||
| var nsgName = '${vNetName}-nsg' | |||
There was a problem hiding this comment.
I would not recommend this change. The hub.routing.networkName property is available to all apps. We should use that as the source of truth. If that's the same as vNetName here, then remove vNetName.
| var nsgName = '${vNetName}-nsg' | |
| var nsgName = '${hub.routing.networkName}-nsg' |
| @@ -19,7 +19,7 @@ param hub HubProperties | |||
| var safeHubName = replace(replace(toLower(hub.name), '-', ''), '_', '') | |||
| // cSpell:ignore vnet | |||
| var vNetName = '${safeHubName}-vnet-${hub.location}' | |||
There was a problem hiding this comment.
I couldn't make this part of the next suggestion, but this line is a duplicate. The source of truth is in hub-types.bicep.
| var vNetName = '${safeHubName}-vnet-${hub.location}' |
microsoft-github-policy-service
bot
added
Needs: Attention π
|
@@MSBrett: you have some new feedback! Please review and resolve all comments and I'll let reviewers know by removing the |
π οΈ Description
Fix circular reference in vnet module which was causing private network enabled deployments to fail.
Fixes #1735
π· Screenshots
π Checklist
π¬ How did you test this change?
πββοΈ Do any of the following that apply?
π Did you update
docs/changelog.md?π Did you update documentation?