
publicNetworkAccess for azurerm_eventhub_namespace #14947

Closed
cvs79 opened this issue Jan 13, 2022 · 5 comments

@cvs79

cvs79 commented Jan 13, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please add support for publicNetworkAccess in the azurerm_eventhub_namespace resource.

New or Affected Resource(s)

  • azurerm_eventhub_namespace

Potential Terraform Configuration

resource "azurerm_eventhub_namespace" "runtime_shared_eventhub" {
  name                = "example"
  location            = "westeurope"
  resource_group_name = "example"
  sku                 = "Standard"
  capacity            = 1
  network_rulesets = [{
    publicNetworkAccess            = "Disabled"
    default_action                 = "Deny"
    trusted_service_access_enabled = true
    ip_rule                        = []
    virtual_network_rule           = []
  }]
}

References

@gysiedebruyn

gysiedebruyn commented Jan 19, 2022

To accommodate this change the underlying API version needs to be updated to at least v2021-11-01. In recent dealings with MS Support the underlying implementation has changed somewhat, this might call for this only to be added to v3 of azurerm if determined to be a breaking change.

This is what we ran into, the default_action property is now readOnly, it will always return Allow unless an IP or VNET rule is set (see the 3rd point under this heading, it is true for IP and VNET rules as well as Private-Link).

The documentation seems to not be 100% up to date and in our testing we have found that the only way to ensure that there is no public access to the event-hub is to:

  1. Set the new publicNetworkAccess property to Disabled, this is the "main" toggle and does not care if any IP/VNET rules are specified.
  2. As per the Important Points heading in the above article, at least one IP/VNET rule should be associated with the network rule set.

We also confirmed that using the current azurerm version (v2.91.0), which employs the v2017-04-01 API, and only setting the default_action to Deny, does not block public access (see above article again).

@cvs79
Author

cvs79 commented Jan 21, 2022

Agreed, the publicNetworkAccess toggle controls the main functionality. However if I read https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/eventhub/eventhub_namespace_resource.go correctly the current provider is already using the 2021-01-01-preview api version.

@gysiedebruyn

The one of concern relates to the network rule sets, which refers to the 2018-01-01 version (line 20); it should be updated to the latest version. I tested that version using Postman and it does not know about publicNetworkAccess:

curl --location --request PUT 'https://management.azure.com/subscriptions/my-subscription-id/resourceGroups/my-rg/providers/Microsoft.EventHub/namespaces/my-eh/networkRuleSets/default?api-version=2018-01-01-preview' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer myToken' \
--data-raw '{
    "properties": {
        "defaultAction": "Deny",
        "trustedServiceAccessEnabled": false,
        "ipRules": [
            {
                "ipMask": "127.0.0.1",
                "action": "Allow"
            }
        ],
        "virtualNetworkRules": []
    }
}'

returns:

{
    "id": "/subscriptions/my-subscription-id/resourceGroups/my-rg/providers/Microsoft.EventHub/namespaces/my-eh/networkRuleSets/default",
    "name": "default",
    "type": "Microsoft.EventHub/Namespaces/NetworkRuleSets",
    "location": "Australia East",
    "properties": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [],
        "ipRules": [
            {
                "ipMask": "127.0.0.1",
                "action": "Allow"
            }
        ]
    }
}

It does not return publicNetworkAccess set with any value, whether you pass it as a parameter or not. It is not implemented in the 2018-01-01 version for network rule sets.

If I use either the 2021-06-01-preview or 2021-11-01 API versions it returns/defaults a value for publicNetworkAccess if not specified in the API call:

curl --location --request PUT 'https://management.azure.com/subscriptions/my-subscription-id/resourceGroups/my-rg/providers/Microsoft.EventHub/namespaces/my-eh/networkRuleSets/default?api-version=2021-11-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer myToken' \
--data-raw '{
    "properties": {
        "defaultAction": "Deny",
        "trustedServiceAccessEnabled": false,
        "ipRules": [
            {
                "ipMask": "127.0.0.1",
                "action": "Allow"
            }
        ],
        "virtualNetworkRules": []
    }
}'

Result:

{
    "id": "/subscriptions/my-subscription-id/resourceGroups/my-rg/providers/Microsoft.EventHub/namespaces/my-eh/networkRuleSets/default",
    "name": "default",
    "type": "Microsoft.EventHub/Namespaces/NetworkRuleSets",
    "location": "Australia East",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "defaultAction": "Deny",
        "virtualNetworkRules": [],
        "ipRules": [
            {
                "ipMask": "127.0.0.1",
                "action": "Allow"
            }
        ]
    }
}

It defaults to Enabled if not set in the API call.
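The two conditions gysiedebruyn lists in the first reply (publicNetworkAccess set to Disabled, plus at least one IP or VNet rule attached, because defaultAction on its own is reported as Allow) and the API behaviour shown in the second reply (the property missing entirely on 2018-01-01-preview, defaulting to Enabled on 2021-11-01 when omitted) can be turned into a check that a reviewer runs over the networkRuleSets/default response before trusting a namespace to be private. The following is an added example, not code from this thread or from the azurerm provider; the sample payloads are constructed from the responses quoted above with placeholder names, and the shape of virtualNetworkRules entries is assumed from the Event Hubs REST API schema.

```python
import json

# Constructed sample payloads modelled on the networkRuleSets/default responses quoted
# in this thread. Subscription and resource-group names are placeholders.
OLD_API_RESPONSE = json.loads("""
{
    "name": "default",
    "type": "Microsoft.EventHub/Namespaces/NetworkRuleSets",
    "properties": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [],
        "ipRules": [{"ipMask": "127.0.0.1", "action": "Allow"}]
    }
}""")

NEW_API_RESPONSE = json.loads("""
{
    "name": "default",
    "type": "Microsoft.EventHub/Namespaces/NetworkRuleSets",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "defaultAction": "Deny",
        "virtualNetworkRules": [],
        "ipRules": [{"ipMask": "127.0.0.1", "action": "Allow"}]
    }
}""")


def evaluate_rule_set(rule_set: dict) -> dict:
    """Apply the thread's two conditions for a namespace to be closed to public access:
    publicNetworkAccess must be Disabled, and at least one IP or VNet rule must be attached.
    defaultAction alone is not trusted: the service reports it as Allow when no rule is set.
    """
    props = rule_set.get("properties", {})
    public_access = props.get("publicNetworkAccess")  # absent on 2018-01-01-preview responses
    ip_rules = props.get("ipRules") or []
    vnet_rules = props.get("virtualNetworkRules") or []
    findings = []

    if public_access is None:
        findings.append("publicNetworkAccess not present: API version predates the property, "
                        "so the response cannot show whether public access is blocked")
    elif public_access != "Disabled":
        findings.append(f"publicNetworkAccess is {public_access}: reachable from public "
                        "networks regardless of defaultAction or rules")
    if not ip_rules and not vnet_rules:
        findings.append("no IP or VNet rule attached: defaultAction is not honoured in this state")

    return {
        "public_access_blocked": public_access == "Disabled" and bool(ip_rules or vnet_rules),
        "findings": findings,
    }


def build_rule_set_body(ip_masks, vnet_subnet_ids=(), trusted_services=False) -> dict:
    """Build a PUT body for networkRuleSets/default (api-version 2021-11-01) that sets
    publicNetworkAccess explicitly, because the service defaults it to Enabled when omitted.
    The virtualNetworkRules entry shape is assumed from the REST API schema."""
    if not ip_masks and not vnet_subnet_ids:
        raise ValueError("attach at least one IP or VNet rule; defaultAction=Deny alone does not block")
    return {
        "properties": {
            "publicNetworkAccess": "Disabled",
            "defaultAction": "Deny",
            "trustedServiceAccessEnabled": trusted_services,
            "ipRules": [{"ipMask": m, "action": "Allow"} for m in ip_masks],
            "virtualNetworkRules": [
                {"subnet": {"id": s}, "ignoreMissingVnetServiceEndpoint": False}
                for s in vnet_subnet_ids
            ],
        }
    }


if __name__ == "__main__":
    for label, payload in (("2018-01-01-preview", OLD_API_RESPONSE),
                           ("2021-11-01", NEW_API_RESPONSE),
                           ("hardened body", build_rule_set_body(["203.0.113.0/24"]))):
        print(label, json.dumps(evaluate_rule_set(payload), indent=2))
```

Both quoted responses fail the check for different reasons: the old API version cannot report the property at all, and the new one reports the Enabled default that the caller never asked for, which is why the body builder refuses to emit a rule set without an explicit Disabled and at least one rule.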

@katbyte
Collaborator

katbyte commented Aug 10, 2022

closed by #17194

@katbyte katbyte closed this as completed Aug 10, 2022
@katbyte katbyte added this to the v3.17.0 milestone Aug 10, 2022
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2022