terraform-provider-azurerm: Error 400 on Creating CosmosDB with Private Link

Greetings,

Environment:

Terraform v0.12.8
AzureRM: 1.39.0

Trying to deploy CosmosDB on Azure with Private Link. Followed Microsoft guidelines on disabling network policies for private link - https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy. Getting an error 400, which is very generic in nature.

Code:

File: main.tf

resource "random_id" "id" {
  byte_length = 4
}

#Create resource group
resource "azurerm_resource_group" "resource_group" {
  name     = local.resource_group_name
  location = var.primary_location
  tags = var.tags
}

# Create Azure Cosmos Account 
# (local.* values, var.* values and the provider alias used below are defined in other files of this module, not shown here)
resource "azurerm_cosmosdb_account" "account" {
  name                = lower("${var.account_kind}-${local.outapplicationname}-${random_id.id.hex}")
  location            = azurerm_resource_group.resource_group.location
  resource_group_name = azurerm_resource_group.resource_group.name
  # tags = var.tags
  offer_type                        = "Standard"
  kind                              = var.account_kind
  enable_automatic_failover         = var.is_env_prod ? true : false
  is_virtual_network_filter_enabled = true # Turn on the VNet/IP firewall so only the listed ranges and subnets can reach the account
  ip_range_filter                   = "xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx" # Azure portal IPs (comma-separated string in azurerm 1.x)

  capabilities {
    name = var.account_capabilities
  }

  consistency_policy {
    consistency_level       = var.consistency_level
    max_interval_in_seconds = 310
    max_staleness_prefix    = 101000
  }

  # One geo_location block per region; the first entry of local.region_list gets failover_priority 0 (the write region)
  dynamic "geo_location" {
    for_each = local.region_list
    content {
      location          = geo_location.value
      # failover_priority = length(local.region_list) - 1
      failover_priority = index(local.region_list, geo_location.value)
    }
  }
}

# Create private endpoints. If Production environment, in both primary and secondary regions. Non-prod environment, only in primary region.
resource "azurerm_private_endpoint" "endpoint" {
  count               = var.is_env_prod ? 2 : 1
  name                = "${azurerm_cosmosdb_account.account.name}-${count.index}" #This is where alphabetical order is introduced.
  location            = local.region_list[count.index]
  resource_group_name = azurerm_resource_group.resource_group.name
  subnet_id           = local.subnet_list[count.index] # Subnet must have private endpoint network policies disabled (see the linked Microsoft doc)

  private_service_connection {
    is_manual_connection           = false
    name                           = "${azurerm_cosmosdb_account.account.name}-${local.region_list[count.index]}-connection"
    private_connection_resource_id = azurerm_cosmosdb_account.account.id
    # Private Link group ID. This equals the account kind only for kind = "MongoDB";
    # for a GlobalDocumentDB (SQL API) account the group ID is "Sql", not the kind name.
    subresource_names              = [var.account_kind]
  }
}


# Diagnostic settings - Log analytics

resource "azurerm_monitor_diagnostic_setting" "log_analytics" {
  provider                   = azurerm.loganalyticssub
  name                       = "${azurerm_cosmosdb_account.account.name}-analytics"
  target_resource_id         = azurerm_cosmosdb_account.account.id
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.ws.id

  # Enable every log category the account exposes
  dynamic "log" {
    for_each = data.azurerm_monitor_diagnostic_categories.diag_category.logs
    content {
      category = log.value
      enabled  = true
      retention_policy {
        enabled = false
      }
    }
  }

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = false
    }
  }
}

Error:


Terraform v0.12.8
Initializing plugins and modules...
2020/02/24 16:42:50 [DEBUG] Using modified User-Agent: Terraform/0.12.8 TFE/975bcd7c07
azurerm_resource_group.resource_group: Creating...
azurerm_resource_group.resource_group: Creation complete after 2s [id=/subscriptionsXXXXXXXXXXXXXXXXXXXXX/resourceGroups/cosmosdb-privatelink-nonprod-c043ab60]
azurerm_cosmosdb_account.account: Creating...
azurerm_cosmosdb_account.account: Still creating... [10s elapsed]
azurerm_cosmosdb_account.account: Still creating... [20s elapsed]
azurerm_cosmosdb_account.account: Still creating... [30s elapsed]
azurerm_cosmosdb_account.account: Still creating... [40s elapsed]
azurerm_cosmosdb_account.account: Still creating... [50s elapsed]
azurerm_cosmosdb_account.account: Still creating... [1m0s elapsed]
azurerm_cosmosdb_account.account: Still creating... [1m10s elapsed]
azurerm_cosmosdb_account.account: Still creating... [1m20s elapsed]
azurerm_cosmosdb_account.account: Still creating... [1m30s elapsed]
azurerm_cosmosdb_account.account: Still creating... [1m40s elapsed]
azurerm_cosmosdb_account.account: Still creating... [1m50s elapsed]
azurerm_cosmosdb_account.account: Still creating... [2m0s elapsed]
azurerm_cosmosdb_account.account: Still creating... [2m10s elapsed]
azurerm_cosmosdb_account.account: Still creating... [2m20s elapsed]
azurerm_cosmosdb_account.account: Still creating... [2m30s elapsed]
azurerm_cosmosdb_account.account: Still creating... [2m40s elapsed]
azurerm_cosmosdb_account.account: Still creating... [2m50s elapsed]
azurerm_cosmosdb_account.account: Still creating... [3m0s elapsed]
azurerm_cosmosdb_account.account: Still creating... [3m10s elapsed]
azurerm_cosmosdb_account.account: Still creating... [3m20s elapsed]
azurerm_cosmosdb_account.account: Still creating... [3m30s elapsed]
azurerm_cosmosdb_account.account: Still creating... [3m40s elapsed]
azurerm_cosmosdb_account.account: Still creating... [3m50s elapsed]
azurerm_cosmosdb_account.account: Still creating... [4m0s elapsed]
azurerm_cosmosdb_account.account: Still creating... [4m10s elapsed]
azurerm_cosmosdb_account.account: Still creating... [4m20s elapsed]
azurerm_cosmosdb_account.account: Still creating... [4m30s elapsed]
azurerm_cosmosdb_account.account: Still creating... [4m40s elapsed]
azurerm_cosmosdb_account.account: Creation complete after 4m41s [id=/subscriptions/XXXXXXXXXXXXXXXXXXXXX/resourceGroups/cosmosdb-privatelink-nonprod-c043ab60/providers/Microsoft.DocumentDB/databaseAccounts/mongodb-cosmosdb-privatelink-c043ab60]
data.azurerm_monitor_diagnostic_categories.diag_category: Refreshing state...
azurerm_private_endpoint.endpoint[0]: Creating...
azurerm_monitor_diagnostic_setting.log_analytics: Creating...
azurerm_monitor_diagnostic_setting.log_analytics: Creation complete after 4s [id=/subscriptions/XXXXXXXXXXXXXXXXXXXXX/resourceGroups/cosmosdb-privatelink-nonprod-c043ab60/providers/Microsoft.DocumentDB/databaseAccounts/mongodb-cosmosdb-privatelink-c043ab60|mongodb-cosmosdb-privatelink-c043ab60-analytics]

Error: Error creating Private Endpoint "mongodb-cosmosdb-privatelink-c043ab60-0" (Resource Group "cosmosdb-privatelink-nonprod-c043ab60"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InternalServerError" Message="An error occurred." Details=[]

  on main.tf line 46, in resource "azurerm_private_endpoint" "endpoint":
  46: resource "azurerm_private_endpoint" "endpoint" {

This 400 error happens consistently. I deleted the RG and the CosmosDB account that had been created and tried to re-create them, but again got a 400. It is such a generic error.

Does anyone have a clue what is happening?

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18

Most upvoted comments

@akamalov I was able to create PE for CosmosDB

Private endpoint is supported for MongoDB version 3.6 only. https://devblogs.microsoft.com/cosmosdb/azure-private-link-for-azure-cosmos-db-now-generally-available/

Terraform by default provisions CosmosDB-MongoDB v3.2, hence Private Endpoint deployment fails.

Deployment succeeds after adding "EnableMongo" as a capability. This provisions CosmosDB-MongoDB v3.6 and supports the private endpoint.

capabilities {
  name = "EnableMongo"
}
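The failure above only shows up as an opaque 400 from PrivateEndpointsClient after the account has already spent several minutes provisioning. The script below is an added example (not code from this issue, the provider, or Microsoft) that catches the same mistakes before `terraform apply`, by reading the plan as JSON (`terraform plan -out tfplan && terraform show -json tfplan > plan.json`). It assumes the `resource_changes[].change.after` layout of `terraform show -json` and the azurerm 1.x attribute names used in the question (`kind`, `capabilities`, `is_virtual_network_filter_enabled`, `private_service_connection`, `subresource_names`); the group-ID mapping (`MongoDB` -> `MongoDB`, `GlobalDocumentDB` -> `Sql`) is Cosmos DB's Private Link sub-resource naming, included because `subresource_names = [var.account_kind]` in the original config is only correct for the MongoDB kind. The sample plan embedded at the bottom is constructed for illustration.

```python
"""Pre-apply guard for the Cosmos DB + Private Link pattern in this issue.

Reads a `terraform show -json` plan and reports:
  * an azurerm_cosmosdb_account of kind "MongoDB" without the "EnableMongo"
    capability (default provisions the 3.2 API, which Private Link rejects);
  * an azurerm_private_endpoint whose subresource_names passes the account
    *kind* where Azure expects the Private Link *group ID* ("Sql" for a
    GlobalDocumentDB account, "MongoDB" for a MongoDB account);
  * an account whose VNet/IP firewall is off, leaving the public endpoint
    reachable next to the private one.
The sample plan built by sample_plan() is constructed, not real output.
"""
import json
import sys

# Cosmos DB Private Link group ID for each azurerm_cosmosdb_account kind.
# The SQL API's group ID is "Sql", not the kind name "GlobalDocumentDB".
GROUP_ID_FOR_KIND = {"MongoDB": "MongoDB", "GlobalDocumentDB": "Sql"}


def planned_attrs(resource_change):
    """Post-apply attributes of a resource_changes entry (None when destroyed)."""
    return resource_change.get("change", {}).get("after")


def check_plan(plan):
    """Return a list of findings (strings) for a `terraform show -json` dict."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = planned_attrs(rc)
        if after is None:
            continue
        addr = rc.get("address", "?")

        if rc.get("type") == "azurerm_cosmosdb_account":
            caps = {c.get("name") for c in (after.get("capabilities") or [])}
            if after.get("kind") == "MongoDB" and "EnableMongo" not in caps:
                findings.append(
                    f"{addr}: kind=MongoDB without capability EnableMongo; "
                    f"provisions the 3.2 API and private endpoint creation fails"
                )
            if not after.get("is_virtual_network_filter_enabled"):
                findings.append(
                    f"{addr}: is_virtual_network_filter_enabled is false; "
                    f"the public endpoint stays open alongside the private one"
                )

        elif rc.get("type") == "azurerm_private_endpoint":
            for psc in after.get("private_service_connection") or []:
                for name in psc.get("subresource_names") or []:
                    group_id = GROUP_ID_FOR_KIND.get(name)
                    if group_id is not None and group_id != name:
                        findings.append(
                            f"{addr}: subresource_names uses account kind "
                            f"{name!r}; the Private Link group ID is {group_id!r}"
                        )
    return findings


def sample_plan(kind, capabilities, subresource_names, vnet_filter=True):
    """Constructed minimal plan in `terraform show -json` shape (illustration only)."""
    return {
        "format_version": "0.1",
        "resource_changes": [
            {
                "address": "azurerm_cosmosdb_account.account",
                "type": "azurerm_cosmosdb_account",
                "change": {
                    "actions": ["create"],
                    "after": {
                        "kind": kind,
                        "is_virtual_network_filter_enabled": vnet_filter,
                        "capabilities": [{"name": c} for c in capabilities],
                    },
                },
            },
            {
                "address": "azurerm_private_endpoint.endpoint[0]",
                "type": "azurerm_private_endpoint",
                "change": {
                    "actions": ["create"],
                    "after": {
                        "private_service_connection": [
                            {"is_manual_connection": False,
                             "subresource_names": list(subresource_names)}
                        ]
                    },
                },
            },
        ],
    }


def main(argv):
    """CLI: `python check_plan.py plan.json`; with no argument, checks the sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        # Mirrors the question's original config: MongoDB kind, no EnableMongo.
        plan = sample_plan("MongoDB", [], ["MongoDB"])
    findings = check_plan(plan)
    for f in findings:
        print("FAIL", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI between `terraform plan` and `terraform apply` so the job fails on the findings instead of waiting on a 4-minute account creation followed by a 400. `private_connection_resource_id` is deliberately not matched against the account, because for a not-yet-created account it is unknown at plan time and absent from `after`.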