How to create service delegation for an existing subnet?

The code below creates a service delegation while creating the subnet.
Is there any way to create a delegation on an existing subnet?
The main purpose is that the code below produces an error for the policy Deny-Subnet-Without-Nsg, so I am creating this subnet directly in the vnet block.


resource "azurerm_subnet" "example" {
  virtual_network_name = azurerm_virtual_network.aksvnet.name
  name                 = "aks-postgres-subnet"
  resource_group_name  = azurerm_resource_group.aks_rg.name
  address_prefixes     = ["10.230.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
  delegation {
    name = "fs"
    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
  depends_on = [azurerm_virtual_network.aksvnet, azurerm_network_security_group.example]
}

The code below doesn't have an option to add a service delegation.


resource "azurerm_virtual_network" "aksvnet" {
  name                = "aks-network"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name
  address_space       = ["10.0.0.0/8"]

  subnet {
    name           = "aks-default-subnet"
    address_prefix = "10.240.0.0/16"
    security_group = azurerm_network_security_group.example.id
  }

  subnet {
    name           = "aks-postgres-subnet"
    address_prefix = "10.230.2.0/24"
    security_group = azurerm_network_security_group.example.id
  }
}

So I thought to create the subnet first, like above, and apply the service delegation after that.
How can I do it?

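One way to keep the NSG on every subnet at creation time (which is what Deny-Subnet-Without-Nsg evaluates) and still get the PostgreSQL delegation is to declare the delegated subnet inline in the vnet. This is an added example, not the poster's code; it assumes an azurerm provider version (4.x) whose inline `subnet` block accepts `delegation`, `service_endpoints` and `address_prefixes`, and that the inline block exports `id`; verify both against the changelog of the provider version you pin.

```hcl
# Added example (not the poster's code). Assumes azurerm provider 4.x, where
# the inline subnet block accepts delegation, service_endpoints and
# address_prefixes; check your provider's changelog before relying on it.
resource "azurerm_virtual_network" "aksvnet" {
  name                = "aks-network"
  location            = azurerm_resource_group.aks_rg.location
  resource_group_name = azurerm_resource_group.aks_rg.name
  address_space       = ["10.0.0.0/8"]

  subnet {
    name             = "aks-default-subnet"
    address_prefixes = ["10.240.0.0/16"]
    security_group   = azurerm_network_security_group.example.id
  }

  # Delegated subnet for PostgreSQL Flexible Server. The NSG is sent in the
  # same request that creates the subnet, so the policy sees
  # networkSecurityGroup.id on the subnet and does not deny the deployment.
  subnet {
    name              = "aks-postgres-subnet"
    address_prefixes  = ["10.230.2.0/24"]
    security_group    = azurerm_network_security_group.example.id
    service_endpoints = ["Microsoft.Storage"]

    delegation {
      name = "fs"
      service_delegation {
        name    = "Microsoft.DBforPostgreSQL/flexibleServers"
        actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
      }
    }
  }
}

# Resolve the delegated subnet's ID for the Flexible Server's
# delegated_subnet_id by name, since inline subnets have no standalone
# resource address (assumes the inline subnet block exports id).
locals {
  postgres_subnet_id = one([
    for s in azurerm_virtual_network.aksvnet.subnet : s.id
    if s.name == "aks-postgres-subnet"
  ])
}
```

If your pinned provider is still 3.x, the inline block only supports `address_prefix` and `security_group`, so this form will not plan; upgrade the provider or keep the vnet-managed subnet and apply the delegation with the provider version that supports it.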