
I'm trying to script creation of an Azure API Management having a Private Endpoint within a VNET Subnet.

I'm able to create it manually in the Azure Portal without a problem, but I can't quite figure out the Terraform script.

The VNET and Subnet are created in a separate process, so they are not in the Terraform script, but for the API Management piece I have:

resource "azurerm_api_management" "app" {
  location            = var.the_location
  resource_group_name = var.the_resource_group
  name                = "${var.the_prefix}-api-mgmt"
  publisher_email     = var.api_mgmt_publisher_email
  publisher_name      = var.api_mgmt_publisher_name
  sku_name            = "${var.api_mgmt_sku}_1"
  tags                = var.resource_tags
}

resource "azurerm_private_endpoint" "endpoint" {
  name                = "${var.the_prefix}-api-privateendpoint"
  location            = var.the_location
  resource_group_name = var.the_resource_group
  subnet_id           = var.subnetId
  tags                = var.resource_tags

  private_service_connection {
    name                           = "api-privateserviceconnection"
    private_connection_resource_id = azurerm_api_management.app.id
    is_manual_connection           = false
    subresource_names              = []
  }
}

The var.subnetId is the full id of the subnet, i.e.

/subscriptions/{subscriptionId}/resourceGroups/OpenEHR/providers/Microsoft.Network/virtualNetworks/OpenEHR-VNET/subnets/API-Subnet

The error I get is:

Error: creating Private Endpoint "i365sabppdsdevtb-api-privateendpoint" (Resource Group "i365-uks-ehsabppds-devtb-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="MissingParameterOnPrivateLinkServiceConnection" Message="Private link service connection /subscriptions/8cb2b2d3-9411-46e4-926d-22d6378349bc/resourceGroups/i365-uks-ehsabppds-devtb-rg/providers/Microsoft.Network/privateEndpoints/i365sabppdsdevtb-api-privateendpoint/privateLinkServiceConnections/api-privateserviceconnection is missing required parameter 'group Id'." Details=[]

I think the error is something to do with subresource_names, but I can't work out what to put in there.

I tried [ "sites" ] but then I get the error:

│ Error: creating Private Endpoint "i365sabppdsdevtb-api-privateendpoint" (Resource Group "i365-uks-ehsabppds-devtb-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateEndpointBadRequest" Message="Call to Microsoft.ApiManagement/service failed. Error message: The Request has invalid groupId sites." Details=[]

Any ideas, much appreciated.

Thanks.

TimBunting
  • Try giving subresource_name as "sites" – kavyaS Nov 16 '22 at 19:08
  • I tried that I get this error: Error: creating Private Endpoint "i365sabppdsdevtb-api-privateendpoint" (Resource Group "i365-uks-ehsabppds-devtb-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateEndpointBadRequest" Message="Call to Microsoft.ApiManagement/service failed. Error message: The Request has invalid groupId sites." Details=[] – TimBunting Nov 17 '22 at 11:19

1 Answer


The issue was caused by the private service connection resource id and the subresource names. Please use the configuration below:

private_connection_resource_id = azurerm_api_management.app.id
subresource_names              = ["Gateway"]

Find the code snippets below for reference.

Step 1: Copy the code below from the main tf file.

provider "azurerm" {
  features {}
}

variable "prefix" {
  default = "rg_swar"
}

resource "azurerm_resource_group" "example" {
  name     = "rg_swar-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "service" {
  name                 = "service"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  enforce_private_link_service_network_policies = true
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]

  enforce_private_link_endpoint_network_policies = true
}

resource "azurerm_public_ip" "example" {
  name                = "example-pip"
  sku                 = "Standard"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"
}

resource "azurerm_lb" "example" {
  name                = "example-lb"
  sku                 = "Standard"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  frontend_ip_configuration {
    name                 = azurerm_public_ip.example.name
    public_ip_address_id = azurerm_public_ip.example.id
  }
}

resource "azurerm_private_link_service" "example" {
  name                = "example-privatelink"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  nat_ip_configuration {
    name      = azurerm_public_ip.example.name
    primary   = true
    subnet_id = azurerm_subnet.service.id
  }

  load_balancer_frontend_ip_configuration_ids = [
    azurerm_lb.example.frontend_ip_configuration.0.id,
  ]
}

resource "azurerm_api_management" "app" {
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  name                = "swar-api-mgmt"
  publisher_email     = "test@demo.com"
  publisher_name      = "Swarna Demo"
  sku_name            = "Developer_1"
  //tags = var.resource_tags
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    //private_connection_resource_id = azurerm_private_link_service.example.id
    private_connection_resource_id = azurerm_api_management.app.id
    subresource_names              = ["Gateway"]
    is_manual_connection           = false
  }
}

Step 2: Run the commands below.

terraform plan
terraform apply -auto-approve

Review: The code snippet above will host the services, as shown in the Azure Portal.


Hope this helps!

Swarna Anipindi
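As an added example (not code from either the question or the answer), the corrected private endpoint extended with the two pieces a private-only deployment still needs: a private DNS zone so clients inside the VNET resolve the gateway hostname to the endpoint's private IP, and public network access disabled on the APIM instance so the fix does not leave the public gateway reachable alongside the private one. `var.subnet_id` and `var.vnet_id` are assumed inputs carrying the full resource ids of the pre-existing subnet and VNET, matching the question's setup; the publisher values are placeholders.

```hcl
variable "the_location" {}
variable "the_resource_group" {}
variable "subnet_id" {} # endpoint subnet resource id (network built elsewhere)
variable "vnet_id" {}   # VNET resource id, needed for the DNS zone link

resource "azurerm_api_management" "app" {
  name                = "example-api-mgmt"
  location            = var.the_location
  resource_group_name = var.the_resource_group
  publisher_email     = "apim-owner@example.com" # placeholder
  publisher_name      = "Example Publisher"      # placeholder
  sku_name            = "Developer_1"

  # A private endpoint alone leaves the public gateway hostname reachable.
  # Azure accepts false only once a private endpoint connection exists, so
  # on a brand-new instance apply with true first, then flip it to false.
  public_network_access_enabled = false
}

resource "azurerm_private_dns_zone" "apim" {
  name                = "privatelink.azure-api.net" # fixed zone for APIM private link
  resource_group_name = var.the_resource_group
}

# Link the zone to the VNET so resolvers inside it return the private IP.
resource "azurerm_private_dns_zone_virtual_network_link" "apim" {
  name                  = "apim-dns-link"
  resource_group_name   = var.the_resource_group
  private_dns_zone_name = azurerm_private_dns_zone.apim.name
  virtual_network_id    = var.vnet_id
}

resource "azurerm_private_endpoint" "apim" {
  name                = "example-api-privateendpoint"
  location            = var.the_location
  resource_group_name = var.the_resource_group
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "api-privateserviceconnection"
    private_connection_resource_id = azurerm_api_management.app.id
    is_manual_connection           = false
    subresource_names              = ["Gateway"] # the group id APIM expects
  }

  # Registers the gateway's A record in the zone above automatically.
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.apim.id]
  }
}
```

After apply, `nslookup <name>.azure-api.net` from a VM in the VNET should return the 10.x endpoint address rather than a public one; if it still returns a public IP, the zone link is the first thing to check.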