[Bug Report]: Event Hub namespace network ruleset trustedServiceAccessEnabled logic is not correct #4452

Closed
jachin84 opened this issue Jan 10, 2024 · 2 comments · Fixed by #4470
Labels
bug Something isn't working [cat] modules category: modules


@jachin84

Describe the bug

The networkRuleSets in https://github.com/Azure/ResourceModules/blob/58691e44109c5991c29f5345944b3253be920a58/modules/event-hub/namespace/network-rule-set/main.bicep seem to have incorrect logic.

resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2022-01-01-preview' = {
  name: 'default'
  parent: namespace
  properties: {
    publicNetworkAccess: publicNetworkAccess
    defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction)
    trustedServiceAccessEnabled: publicNetworkAccess == 'Disabled' ? null : trustedServiceAccessEnabled
    ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
    virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : networkRules
  }
}

The snippet above forces trustedServiceAccessEnabled to be null when publicNetworkAccess is set to "Disabled". This is incorrect. When using Private Endpoints this is the exact configuration that you need.

{
    "id": "/subscriptions/blah/resourcegroups/rg-1/providers/Microsoft.EventHub/namespaces/evtns-t-01/networkrulesets/default",
    "name": "default",
    "type": "Microsoft.EventHub/Namespaces/NetworkRuleSets",
    "location": "australiaeast",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "defaultAction": "Allow",
        "virtualNetworkRules": [],
        "ipRules": [],
        "trustedServiceAccessEnabled": true
    }
}

To reproduce

Deploy https://github.com/Azure/ResourceModules/blob/58691e44109c5991c29f5345944b3253be920a58/modules/event-hub/namespace/network-rule-set/main.bicep using:

  • publicNetworkAccess = 'Disabled'
  • trustedServiceAccessEnabled = true

Code snippet

No response

Relevant log output

No response

@jachin84 jachin84 added the bug Something isn't working label Jan 10, 2024
@github-project-automation github-project-automation bot moved this to Needs triage in Bug board Jan 10, 2024
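
Added example, not part of the original issue or the project's code: a Python model of the ternaries in the Bicep snippet quoted above, showing which parameter combinations lose trustedServiceAccessEnabled, plus a check over exported rule sets. The function names, the `passthrough_trusted` switch and the sample records are assumptions made for illustration.

```python
# Added example: a Python model of the ternaries in the issue's Bicep snippet.
# All names and sample records are constructed for illustration.

def render_rule_set(public_network_access, trusted_service_access_enabled,
                    ip_rules=(), virtual_network_rules=(),
                    default_action="Allow", passthrough_trusted=False):
    """Return the 'properties' object the template expressions evaluate to.

    passthrough_trusted=False mirrors the snippet quoted in the issue.
    passthrough_trusted=True is the behaviour the reporter asks for
    (an assumption, not the content of the linked pull request).
    """
    disabled = public_network_access == "Disabled"
    has_rules = bool(ip_rules) or bool(virtual_network_rules)
    keep_trusted = passthrough_trusted or not disabled
    return {
        "publicNetworkAccess": public_network_access,
        "defaultAction": None if disabled else ("Deny" if has_rules else default_action),
        "trustedServiceAccessEnabled": trusted_service_access_enabled if keep_trusted else None,
        "ipRules": None if disabled else list(ip_rules),
        "virtualNetworkRules": None if disabled else list(virtual_network_rules),
    }

def dropped_trusted_access(public_network_access, trusted_service_access_enabled, **kwargs):
    """True when trusted-service access was requested but is not in the output."""
    props = render_rule_set(public_network_access, trusted_service_access_enabled, **kwargs)
    return trusted_service_access_enabled is True and props["trustedServiceAccessEnabled"] is not True

def audit_deployed(rule_sets):
    """Ids of exported rule sets with public access disabled but without
    trustedServiceAccessEnabled set to true."""
    return [rs["id"] for rs in rule_sets
            if rs["properties"].get("publicNetworkAccess") == "Disabled"
            and rs["properties"].get("trustedServiceAccessEnabled") is not True]

# Constructed sample export: the first record matches the state shown in the issue.
SAMPLE_EXPORT = [
    {"id": "ns-with-trusted-access/networkrulesets/default",
     "properties": {"publicNetworkAccess": "Disabled", "trustedServiceAccessEnabled": True}},
    {"id": "ns-missing-trusted-access/networkrulesets/default",
     "properties": {"publicNetworkAccess": "Disabled", "trustedServiceAccessEnabled": False}},
]

if __name__ == "__main__":
    for pna in ("Enabled", "Disabled"):
        print(pna, "-> trusted access dropped:", dropped_trusted_access(pna, True))
    print("needs review:", audit_deployed(SAMPLE_EXPORT))
```
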
@AlexanderSehr
Contributor

Hey @jachin84,
thanks for the issue and please excuse the late reply. I agree with your statement. As the module is not migrated to AVM yet, it should also be fixed in CARML as is. We'll see to get it in, thank you :)

@AlexanderSehr AlexanderSehr moved this from Needs triage to High priority in Bug board Feb 1, 2024
@AlexanderSehr AlexanderSehr added the [cat] modules category: modules label Feb 1, 2024
@AlexanderSehr AlexanderSehr self-assigned this Feb 1, 2024
@AlexanderSehr
Contributor

@eriqua - it has been a while, but the original addition of the entire feature happened in a PR you contributed. It would hence be cool to know if something would come to mind that we're not considering. I'll implement the change now regardless and then we can either merge it or not. :)

@AlexanderSehr AlexanderSehr linked a pull request Feb 1, 2024 that will close this issue
@github-project-automation github-project-automation bot moved this from High priority to Closed in Bug board Feb 1, 2024