[Modules] Update private endpoint module reference to support location input and subnet location reference #3929
Description
Currently the nested private endpoint module in each resource has a hardcoded location that uses the `reference()` function to read the location from the subnet.
While it is true that the private endpoint needs to be in the same location as the subnet, this approach requires any service principal / user deploying the module to have at least 'VNET Read' permissions.
In an environment where RBAC is assigned at the subnet level (i.e. shared VNET infra between different apps), this means that at least 2 RBAC roles are required for the user/service principal to be able to deploy a resource + private endpoint together.
A workaround is to NOT use the PE feature in each module, but rather deploy the PE separately using the PE module, where there is more control over the location.
This PR addresses this issue by providing an option on the PE nested module to check whether the user has passed the `location` property and use that, falling back to the existing implementation otherwise. This is backwards compatible with the existing implementation and supports the scenario where RBAC is done at the subnet level and not the VNET level.
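As an added illustration (not the PR's own diff), the pattern described above in a parent module that deploys nested private endpoints: the `location` is taken from the caller's `privateEndpoint` object when present, and only otherwise resolved through `reference()` on the parent VNET. The `privateEndpoints` array shape, the module path and the API version are assumptions for the example.

```bicep
// Assumed input shape: each entry carries subnetResourceId, service and optionally location.
@description('Optional. Private endpoints to deploy for this resource.')
param privateEndpoints array = []

@description('Required. Resource ID of the parent resource the endpoints point at.')
param serviceResourceId string

// Resource group location, used only for the deployment name.
param location string = resourceGroup().location

module resource_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
  name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}'
  params: {
    name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(serviceResourceId, '/'))}-${privateEndpoint.service}-${index}'
    serviceResourceId: serviceResourceId
    subnetResourceId: privateEndpoint.subnetResourceId
    groupIds: [
      privateEndpoint.service
    ]
    // Explicit location wins; no VNET read permission is needed on this path.
    // Fallback keeps the previous behaviour: derive the VNET ID from the subnet ID
    // and read its location, which requires at least read access on the VNET.
    location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
    tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
  }
}]
```

A caller with subnet-scoped RBAC would then pass `location` alongside `subnetResourceId` in each `privateEndpoints` entry; callers that omit it get the original `reference()` behaviour.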