Support for azurerm_dashboard_grafana managed private endpoints #23950
Comments
|
Thanks for raising this issue. I assume that Terraform is using the common resource "azurerm_private_endpoint" for this scenario so that TF has supported private endpoint with dashboard grafana. Please check whether it's as what you expect. Thanks. |
|
@neil-yechenwei they aren't the same thing. A private endpoint is about accessing the resource from within your virtual network, a managed private endpoint is about giving the resource access to things inside your virtual network. For example, this managed Grafana instance needs a managed private endpoint to be able to connect to, say, an Azure Monitor workspace with a private link that lives in your virtual network. I don't see that functionality supported by See: https://learn.microsoft.com/en-us/azure/managed-grafana/how-to-connect-to-data-source-privately Data Factory also has a managed private endpoint: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory_managed_private_endpoint |
|
Any update on this issue? |
|
AzApi, Bicep examples can be found here in learn.microsoft |
|
@yavuzkaymak that's what I'm doing for now, but it's extremely non-intuitive to get right, especially since you need a few different AzApi resources to get the full end-to-end experience; e.g., approving the endpoint. Here's some example code that's not quite complete (e.g., missing resource group definitions but they're referenced): resource "azurerm_dashboard_grafana" "this" {
name = "grafana"
resource_group_name = azurerm_resource_group.this.name
location = azurerm_resource_group.this.location
api_key_enabled = false
deterministic_outbound_ip_enabled = true
public_network_access_enabled = false
tags = azurerm_resource_group.this.tags
grafana_major_version = "10"
identity {
type = "SystemAssigned"
}
azure_monitor_workspace_integrations {
resource_id = azurerm_monitor_workspace.this.id
}
}
resource "azapi_resource" "grafana_managed_private_endpoint_connection" {
type = "Microsoft.Dashboard/grafana/managedPrivateEndpoints@2022-10-01-preview"
name = azurerm_monitor_workspace.this.name
tags = azurerm_resource_group.this.tags
location = azurerm_resource_group.this.location
parent_id = azurerm_dashboard_grafana.this.id
body = jsonencode({
properties = {
groupIds = [
"prometheusMetrics"
]
privateLinkResourceId = azurerm_monitor_workspace.this.id
privateLinkResourceRegion = azurerm_resource_group.this.location
requestMessage = "Created by Terraform"
}
})
}
# the actual azurerm_monitor_workspace resource doesn't yet export the private endpoint connections information
# so we use the azapi provider to get that (once they've been created, otherwise things fail)
data "azapi_resource" "azurerm_monitor_workspace" {
type = "Microsoft.Monitor/accounts@2023-04-03"
resource_id = azurerm_monitor_workspace.this.id
response_export_values = ["properties.privateEndpointConnections"]
depends_on = [azapi_resource.grafana_managed_private_endpoint_connection]
}
# Retrieve the private endpoint connection name from the monitor account based on the private endpoint name
locals {
private_endpoint_connection_name = element([
for connection in jsondecode(data.azapi_resource.azurerm_monitor_workspace.output).properties.privateEndpointConnections
: connection.name
if endswith(connection.properties.privateEndpoint.id, "grafana-grafana-${azurerm_monitor_workspace.this.name}")
]
}
# Approve the managed private endpoints - this is rather hacky, but remarkably it works since the azurerm
# provider doesn't have the ability to do this natively yet
resource "azapi_update_resource" "grafana_managed_private_endpoint_connection_approval" {
type = "Microsoft.Monitor/accounts/privateEndpointConnections@2023-04-03"
name = local.private_endpoint_connection_name
parent_id = azurerm_monitor_workspace.this.id
body = jsonencode({
properties = {
privateLinkServiceConnectionState = {
actionsRequired = "None"
description = "Approved via Terraform"
status = "Approved"
}
}
})
depends_on = [azapi_resource.grafana_managed_private_endpoint_connection]
}
|
Totally agree. I just wanted to once more highlight that it requires a separate resource type and not possible with azurerm's private endpoint. |
|
I am struggling with this myself. I did not get your solution above to work. Have you found another solution for this since creating the issue? I don't necessary need the grafana to be private but I want the workplace and collection_endpoint to have |
|
@AxelTob not via Terraform, no. You can obviously achieve this manually, but the only way I've found is using the above. |
|
Still looking for this feature. Looks like it's available for other Azure services https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory_managed_private_endpoint in the TF resource provider |
Is there an existing issue for this?
Community Note
Description
Currently, there is no support for a managed private endpoint in a managed Grafana. This resource is required to enable private communications between e.g., Grafana and an Azure Monitor Workspace. Note that this is in preview.
New or Affected Resource(s)/Data Source(s)
azurerm_dashboard_grafana_managed_private_endpoint
Potential Terraform Configuration
References
The text was updated successfully, but these errors were encountered: