Support for "public network access" and firewall rules in Event Grid #9400

Closed
piotrgwiazda opened this issue Nov 19, 2020 · 7 comments · Fixed by #9922
Comments

@piotrgwiazda

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please add the support for

  • setting 'public-network-access' enabled/disabled to change public network access to "Public networks" or "Private networks only"
  • Firewall IP ranges

Just like in

az eventgrid topic create \
    --resource-group $resourceGroupName \
    --name $topicName \
    --location $location \
    --public-network-access disabled \
    --inbound-ip-rules <IP ADDR or CIDR MASK> allow

New or Affected Resource(s)

  • azurerm_eventgrid_topic
  • azurerm_eventgrid_domain

Potential Terraform Configuration

Just follow the same pattern as in databases (PostgreSQL, Azure SQL etc) or event hub/service bus.

References

https://docs.microsoft.com/en-us/azure/event-grid/configure-firewall

  • #0000
@jrauschenbusch
Contributor

Hi @piotrgwiazda,

I'm currently working on a solution for your issue. But I think the az-cli command you've depicted above is not working. As it seems, inbound-ip-rules can only be applied if public-network-access is set to true, which makes total sense to me, as you are then able to restrict the inbound traffic to any IP range. By the way: public-network-access is enabled by default. Just the IP filtering is currently missing. The other available mode is "private-endpoint-connections", which requires a second implementation step, as the PR would get far too huge.

@piotrgwiazda
Author

piotrgwiazda commented Dec 17, 2020

Hi. You are right that the inbound-ip-rules is irrelevant if the public network access is disabled. What I need to do is to disable public access totally and rely on private endpoints only.
However, in general the resource should support both. Maybe it is a good idea to divide it to two PRs, but the validation rules will be bound to each other.

@jrauschenbusch
Contributor

@piotrgwiazda Alright. You'll have to wait until the first PR is accepted as it's the common base. I'll start with an implementation tomorrow, but i think it will take some time as the private endpoints configuration model is not trivial.

@piotrgwiazda
Author

The Private Endpoint configuration for Event Grid works fine with the azurerm_private_endpoint resource. Nothing to do here.
I just needed to disable public network access with CLI ( in null_resource :/ )
For domain:

az eventgrid domain update -g $RESOURCE_GROUP_NAME -n $DOMAIN_NAME --public-network-access disabled

For standalone topic:

az eventgrid topic update -g $RESOURCE_GROUP_NAME -n $TOPIC_NAME --public-network-access disabled

Configuration of IP filters is a separate configuration. Correct.

@jrauschenbusch
Contributor

Yes, you're right. Here is an example of how to use it, if anyone is searching for it.

resource "azurerm_eventgrid_domain" "example" {
  name                = "example-domain"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  enforce_private_link_endpoint_network_policies = true
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.example.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_eventgrid_domain.example.id
    is_manual_connection           = false
    subresource_names              = ["domain"]
  }
}

If the related PR is merged, one is able to disable Public Network access via Terraform as well.
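For the "Potential Terraform Configuration" section of the request and the private endpoint example above, here is an added illustration (not from the issue or the provider's documentation) of the two network modes discussed in this thread: a domain with public network access disabled behind the private endpoint, and a standalone topic that stays public but only accepts publishers from an allow-listed range. It assumes the arguments shipped for these resources in v2.43.0 are named `public_network_access_enabled` and `inbound_ip_rule` (with `ip_mask` and `action`); the IP range is a constructed documentation value.

```hcl
# Added example; assumes the argument names public_network_access_enabled
# and inbound_ip_rule (ip_mask, action). Check the provider docs for your
# version before use.

# Domain reachable only through the private endpoint defined above:
# no public publishers, so no inbound IP rules are needed or effective.
resource "azurerm_eventgrid_domain" "private_only" {
  name                          = "example-domain-private"
  location                      = azurerm_resource_group.example.location
  resource_group_name           = azurerm_resource_group.example.name
  public_network_access_enabled = false
}

# Standalone topic that remains on the public network but restricts
# publishing to an allow-listed range. As noted in the thread, inbound
# rules only apply while public access is enabled, so the two settings
# are alternatives rather than a combination.
resource "azurerm_eventgrid_topic" "ip_restricted" {
  name                          = "example-topic-restricted"
  location                      = azurerm_resource_group.example.location
  resource_group_name           = azurerm_resource_group.example.name
  public_network_access_enabled = true

  inbound_ip_rule {
    ip_mask = "203.0.113.0/24" # constructed documentation range
    action  = "Allow"
  }
}
```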

@katbyte katbyte added this to the v2.43.0 milestone Jan 8, 2021
katbyte pushed a commit that referenced this issue Jan 8, 2021
@ghost

ghost commented Jan 14, 2021

This has been released in version 2.43.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.43.0"
}
# ... other configuration ...

@ghost

ghost commented Feb 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 7, 2021