Recently I have been requested to configure a certain number of Azure services that requires to be private (no public endpoint).
While this seemed trivial to me, I ended up getting into a point where I could not deploy the rest of the configuration because I terraform could no longer access the resource.
As an example, deployed a KeyVault with a private endpoint and no public access… right after key vault was provisioned I wasn’t unable to deploy my certificates, secrets etc… because the client where terraform was running had no access to the KeyVault anymore.
So my question is:
What is the practice here? How do I ensure I deploy the main resource, its configurations and at the end I have all services private as its the objective?
If you are needing to access API endpoints which are not public you will either need to run Terraform from within the system or use a mechanism to forward requests into the system (e.g. using a bastion server with port forwarding or a VPN).
What if you use a SaaS platform for Infra-as-Code? Then what are the options?
Are you meaning using Terraform Cloud or something else?
With Terraform Cloud you can have runners within the environment which would then be able to access the APIs.
No. There are few SaaS platforms out there to deploy Infra-as-Code. When using those for example.
Most CI/CD systems have the idea of a “worker” (aka “agent”, “runner”, etc.) which is where the build/deploy steps are run (i.e. where Terraform is actually executed). It is that which needs to have access to the API endpoints, either by existing within an environment or via port forwarding/peering/VPN connections to allow the traffic in from outside the environment. One thing to be expecially careful of for that second option is the access control, as otherwise you could end up just exposing the API in a way that is no different from the public option.
Yes it makes total sense. But if the SaaS platform do not have such option and is a “blackbox”, do we have any other workarounds?
Thanks for sharing your inputs. Much appreciated.
If the platform can only access public endpoints then no it wouldn’t be possible.
As I mentioned you could expose the endpoint publically (via port forwarding, load balancers, VPNs, etc.) but that might defeat the point of making the endpoint private in the first place (and things like port forwding and VPNs would require support from the platform to exist generally).