Hello,
I have recently run into an issue when creating a subnet in without an nsg in Azure. The situation at hand is as follows. I work in a large corporate environment, where IT seniors manage our overall Azure Strategy. The intended workflow is for them to create a subscription with a vnet and nsg, and delegate access rights to other teams that require such a subscription. I am a part of one such team. Within the virtual network all PaaS services are required to disable public network access. For the time being, if a service requires access from on-premise network, a private_endpoint needs to be created. I am now in a situation where I need to create another subnet, and create private links to PaaS resources. However, an Azure Policy assignment prohibits me from doing so, stating Deny-Subnet-Without-Nsg., even though I do try to associate the subet with the existing nsg.
I am aware that one can create a azurerm_virtual_network and associate the nsg to subnet on creation, however this vnet is already created, and I have currently no option to alter it.
My code is as follows:
data "azurerm_virtual_network" "vnet" {
name = var.vnet.name
resource_group_name = var.vnet.rg_name
}
data "azurerm_network_security_group" "nsg" {
name = var.nsg.name
resource_group_name = var.nsg.rg_name
}
resource "azurerm_subnet" "snet" {
name = var.subnet.name
address_prefixes = var.subnet.address_prefixes
resource_group_name = data.azurerm_virtual_network.vnet.resource_group_name
virtual_network_name = data.azurerm_virtual_network.vnet.name
enforce_private_link_endpoint_network_policies = var.subnet.enforce_private_link_endpoint_network_policies
}
resource "azurerm_subnet_network_security_group_association" "snet_nsg_ass" {
subnet_id = azurerm_subnet.snet.id
network_security_group_id = data.azurerm_network_security_group.nsg.id
}
I kindly appreciate any advice or guidance towards solving this issue.
Best Regards