I have some questions regarding the service endpoint locations of virtual networks.
How the service endpoint configuration is provisioned on Azure is depicted in the image below (I blanked some stuff to be on the safe side):
Part of the source code (slightly simplified):
```hcl
# Virtual network; local.rd_stage, local.chosen_vnet_address and the tag
# locals are defined elsewhere in the (simplified) configuration.
resource "azurerm_virtual_network" "vnet" {
  name                = "${local.rd_stage}-vnet"
  resource_group_name = azurerm_resource_group.rg[0].name
  address_space       = [local.chosen_vnet_address]
  location            = var.location
  tags                = merge(var.azure_tags, local.tk_tag, local.address_tag)
}

# Subnet with service endpoints for Storage, Key Vault and Container Registry.
# azurerm_subnet only takes the service names here; it exposes no per-service
# "locations" argument.
resource "azurerm_subnet" "subnet" {
  name                 = "${local.rd_stage}-sn"
  resource_group_name  = azurerm_resource_group.rg[0].name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = [local.chosen_subnet_address]
  service_endpoints = [
    "Microsoft.Storage",
    "Microsoft.KeyVault",
    "Microsoft.ContainerRegistry",
  ]
}

# Container registry on the Basic SKU (registry network rules require Premium)
# with the registry admin account enabled.
resource "azurerm_container_registry" "aml_acr" {
  name                = "${local.rd_suffix}registry"
  resource_group_name = azurerm_resource_group.rg[0].name
  location            = var.location
  sku                 = "Basic"
  admin_enabled       = true
  tags                = var.azure_tags
}
```
The variable var.location is set to “westeurope”.
Still, the service endpoint location is wide open for the Azure container registry. Therefore I have some questions:
- Does this have to be like this (constraint from Azure, is there any documentation on this)?
- If not, can I somehow restrict the location of service endpoints via Terraform?
- If not, might there be a way via ARM templates?
Thank you very much for your help :)
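An added example (not the original poster's configuration) showing where the enforcement actually lives when the goal is "only this subnet may reach the registry": on the registry's own network rule set rather than on the subnet-side service endpoint. It assumes an azurerm provider in the 3.x series, a Premium registry (network rules are not available on the Basic SKU), and the resource names and address ranges shown, all of which are constructed for this illustration.

```hcl
# Added example, not the poster's code. Assumes azurerm 3.x and a Premium ACR;
# names and address ranges below are constructed placeholders.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: ACR virtual_network rules exist in this major
    }
  }
}

provider "azurerm" {
  features {}
}

variable "location" {
  default = "westeurope"
}

resource "azurerm_resource_group" "rg" {
  name     = "example-rg" # assumed name
  location = var.location
}

resource "azurerm_virtual_network" "vnet" {
  name                = "example-vnet"
  resource_group_name = azurerm_resource_group.rg.name
  location            = var.location
  address_space       = ["10.10.0.0/16"] # constructed range
}

resource "azurerm_subnet" "subnet" {
  name                 = "example-sn"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"] # constructed range
  # The subnet-side endpoint remains as Azure provisions it; the restriction
  # that matters is the registry rule set below, which only admits this subnet.
  service_endpoints = ["Microsoft.ContainerRegistry"]
}

resource "azurerm_container_registry" "acr" {
  name                = "exampleregistry01" # assumed; must be globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = var.location
  sku                 = "Premium" # network_rule_set requires the Premium SKU
  admin_enabled       = false     # use Azure AD / managed identity instead of the admin account

  network_rule_set {
    default_action = "Deny" # everything not explicitly allowed is blocked

    # Allow only traffic arriving through the subnet's service endpoint.
    # Referencing the subnet id makes Terraform create the subnet (and its
    # endpoint) before the rule is applied.
    virtual_network {
      action    = "Allow"
      subnet_id = azurerm_subnet.subnet.id
    }
  }
}
```

Two caveats for anyone adapting this: the per-service `locations` list that appears in the portal is a property of the subnet's `serviceEndpoints` entries in the Microsoft.Network/virtualNetworks/subnets ARM schema, and `azurerm_subnet` does not expose it, so that field can only be set through an ARM/Bicep deployment; and because Azure has been steering registry network isolation toward private endpoints, newer provider majors may no longer accept the `virtual_network` block inside `network_rule_set`, so check the changelog for the provider version you pin.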