Unable to add firewall rules on sql server -

khalls · June 2, 2022, 6:48am

Hi,
Created
sql server (set deny public to false in code) and created private link
But still unable to create firewall rules with error below. as the deny public is set to disabled after the build completes.

Error: status=400 Code=“DenyPublicEndpointEnabled” Message=“Unable to create or modify firewall rules when public network interface for the server is disabled. To manage server or database level firewall rules, please enable the public network interface.”

resource "azurerm_mssql_server" "this" {
  provider                     = azurerm.environment
  name                         = var.sql_server_name
  resource_group_name          = var.resource_group_name
  location                     = var.location
  version                      = var.sql_version
  administrator_login          = var.sql_admin
  administrator_login_password = var.sqladminpwd
  public_network_access_enabled = false
  tags                         = var.tags #merge(var.tags, var.tags_sql)
  
}
resource "azurerm_sql_active_directory_administrator" "this" {
  server_name         = azurerm_mssql_server.this.name
  resource_group_name = var.resource_group_name
  login               = data.azuread_group.databaseadmin.display_name
  tenant_id           = var.tenant_id
  object_id           = data.azuread_group.databaseadmin.object_id
}

resource "azurerm_private_endpoint" "this" {
  provider            = azurerm.environment
  name                = "pvt_endpoint_${var.sql_server_name}"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = data.azurerm_subnet.restricted.id

  private_service_connection {

    name                           = "privatesvc_conn_${var.sql_server_name}"
    is_manual_connection           = "false"
    private_connection_resource_id = azurerm_mssql_server.this.id
    subresource_names              = ["sqlServer"]
  }

  depends_on                       = [azurerm_mssql_server.this]
  
  lifecycle {
    ignore_changes = [subnet_id]
  }

}

resource "azurerm_private_dns_a_record" "private_dns_a_record" {
  provider            = azurerm.sharedservice
  name                = azurerm_mssql_server.this.name
  zone_name           = var.private_dns_zone_name
  resource_group_name = var.resource_group_dns_zone
  ttl                 = 300
  records             = [data.azurerm_private_endpoint_connection.connection.private_service_connection.0.private_ip_address]
}

resource "azurerm_mssql_firewall_rule" "this" {
  #for_each = var.netskope_ip_address_range
  for_each = { for x in var.netskope_ip_address_range: x.name => x }

  name             = each.value.name
  server_id        = azurerm_mssql_server.this.id
  start_ip_address = each.value.range_min
  end_ip_address   = each.value.range_max
}