Test example "afd_private_link_service_to_LB" in module "avm-res-cdn-profile" fail #37
Comments
Thanks for submitting the issue, @zhangjiale-64. Please feel free to connect internally.
The settings in the configuration have not changed.
@zhangjiale-64 I will test at my end and will reach out to you offline for sync on this.
From the screenshot shared, it looks like the error is while applying NSG rules to the subnet. The example code doesn't apply any NSG rules. Looks like the issue is due to some organizational policies applied at the subscription level automatically when new subnets are created. The issue is not reproducible at our end with the default configuration.
@jongio Any ideas?
I'm asking...
@jongio Greetings! Were you able to identify the policy impacting the deployment? We discussed with the AVM core team and have agreed that this issue is related to a subscription policy and not related to the module. If this policy is related to the Azure landing zone, do let us know and we will reach out to the ALZ team for review.
I did ask around, but we aren't able to determine the cause of this based on the data we have. Yes, any help would be appreciated.
Opened an internal group chat to discuss further. We need access to the Azure SDK Developer Playground subscription to review the policies.
As discussed internally, since the failure is due to NSGs getting deployed through a DINE policy, this is not a module issue. As per Terraform's official article for azurerm_subnet, NSGs are not supported for Private Link services: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet. Please work internally to get necessary exceptions to the resource groups on these policies.
Describe the issue:
Test the example avm-res-cdn-profile_example_afd_private_link_service_to_LB: an error occurs when we open the created resource in the Azure portal. The subnet/frontend subnet creation fails because it attempts to enable network policy for the Private Link service on the subnet. The error is as follows:
Repro Steps:
todo-python-mongo-terraform.
output.tf file in terraform.
az login, azd auth login.
azd provision.
Module Version: 0.1.0
Expected behavior:
All resources can be created successfully, and there is no error in the Azure portal.
@didayal-msft, @Poven795909 and @jongio for notification.