Using Vnet Peerings across subscriptions #1253
Comments
@tombuildsstuff I have updated the question with config. Hope this helps.
hey @Chris-Gray94 Thanks for opening this issue :) In the example above both resources are being allocated from the same instance of the Provider (which in turn assumes permission over both subscriptions). Where you've got two Service Principals (one per subscription), you need to create multiple instances of the provider and alias them (here's the Terraform documentation on that), then reference those aliases on the resources; for example, here's an example of how to do this with the AzureRM Provider. This would mean in your specific case the configuration would look something like the following:
Would you be able to take a look and see if that solves your issue? Thanks!
Hi @tombuildsstuff, Thank you for your response and suggestion. However, this doesn't seem to have worked. I had to define the provider where the module is being called, as that was an error I was getting. Here is an example of the code I have tried: `provider "azurerm" { client_id = "..."`, `provider "azurerm" { client_id = "..."`, `module "virtual_network" {`. Within the module I have the following code: `resource "azurerm_virtual_network_peering" "dev-to-test" {`, `resource "azurerm_virtual_network_peering" "test-to-dev" {`
I'm using Azure Provider version 1.6.0 and I used the code below to create Virtual Network Peering across two Azure subscriptions without any issues. I hope the code below works for your situation. `provider "azurerm" {`, `provider "azurerm" {`, `data "azurerm_resource_group" "rg1" {`, `data "azurerm_resource_group" "rg2" {`, `data "azurerm_virtual_network" "vnet1" {`, `data "azurerm_virtual_network" "vnet2" {`, `resource "azurerm_virtual_network_peering" "vnet-peer-1" {`, `resource "azurerm_virtual_network_peering" "vnet-peer-2" {`
@webbj62 Is there any reason why you are creating the Vnets and Resource Groups using data instead of resource?
@Chris-Gray94 I'm using data because the resources were already created in our environment prior to executing the script that I provided as an example. You should be able to create the resources at the same time. I would include "depends_on" in the "azurerm_virtual_network_peering" settings to ensure the virtual networks are created first. (Ex. `depends_on = ["azurerm_virtual_network.vnet1", "azurerm_virtual_network.vnet2"]`)
@Chris-Gray94 in the module you've posted above the same service principal (
I am having the same issue here.
@tombuildsstuff Hi Tom, I left them both as Dev because Dev would have permissions in Test sub too. When I have tried creating a peering across to a subscription, I continually hit an issue where it does not have any permission over the other subscription. This happens regardless of whether I try the way you have suggested or not. |
@cripth Yes - I'm using the same clientID for both subscriptions because the principal is in the same Azure Active Directory. I'm assuming if you are using two different service principals in two different AAD accounts, then you would have to pass a different set of service credentials. If they are in the same AAD account, make sure your service principal has contributor role access to both subscriptions.
Hi all, I have come to the same issue; even if I try using 2 providers it does not work. It comes back with the Az login, basically asking to re-login. Not sure if anyone has the same issue or if anyone has got it working. My SPN has contributor to both Subs, but I'm not sure if you can log in in parallel per provider.
@cerocool1203, have you followed the sample given by @webbj62? It should be a straightforward thing; can you post your code here?
👋 I'm going to close this question since it appears to have been resolved - if you're still seeing issues with this, as mentioned by @webbj62 in this comment please ensure the Service Principal you're using either has permissions to both Subscriptions; or that a different Service Principal is used for each Provider block (with the associated permissions) - as shown below:

```hcl
# One provider block per subscription; `alias` lets each data source and
# resource choose which subscription (and which credential) it runs under.
# The IDs and secrets below are placeholders. In practice do not commit
# client_secret: the provider also reads it from the ARM_CLIENT_SECRET
# environment variable, or pass it in from a variable.
provider "azurerm" {
  version         = "=1.16.0"
  tenant_id       = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  subscription_id = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  client_id       = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  client_secret   = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
  alias           = "dev"
}

provider "azurerm" {
  version         = "=1.16.0"
  tenant_id       = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  subscription_id = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  client_id       = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  client_secret   = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
  alias           = "test"
}

# Each lookup runs under the provider for the subscription that owns the VNet.
data "azurerm_virtual_network" "dev" {
  name                = "dev-network"
  resource_group_name = "dev-network-rg"
  provider            = "azurerm.dev"
}

data "azurerm_virtual_network" "test" {
  name                = "test-network"
  resource_group_name = "test-network-rg"
  provider            = "azurerm.test"
}

# A peering is a child resource of the LOCAL VNet: resource_group_name and
# virtual_network_name must name the VNet that lives in the provider's own
# subscription, and only remote_virtual_network_id refers to the other side.
# (Pointing the dev provider at the test resource group fails, because the
# dev subscription does not contain "test-network-rg".)
resource "azurerm_virtual_network_peering" "dev-to-test" {
  name                         = "dev-to-test"
  resource_group_name          = "${data.azurerm_virtual_network.dev.resource_group_name}"
  virtual_network_name         = "${data.azurerm_virtual_network.dev.name}"
  remote_virtual_network_id    = "${data.azurerm_virtual_network.test.id}"
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  provider                     = "azurerm.dev"
}

resource "azurerm_virtual_network_peering" "test-to-dev" {
  name                         = "test-to-dev"
  resource_group_name          = "${data.azurerm_virtual_network.test.resource_group_name}"
  virtual_network_name         = "${data.azurerm_virtual_network.test.name}"
  remote_virtual_network_id    = "${data.azurerm_virtual_network.dev.id}"
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  provider                     = "azurerm.test"
}
```

Thanks!
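The same pattern in current Terraform syntax, as an added example that is not part of this issue or of the provider's own documentation. It shows the two points the thread keeps circling: each subscription gets its own aliased provider, and when the peering lives in a child module (as in @Chris-Gray94's layout) the aliases must be declared in the module with `configuration_aliases` and passed in through the `providers` map, otherwise the module silently uses the default provider and one subscription's resource group is "not found". The subscription IDs, resource names and module path are placeholders; credentials are deliberately not in the file and are expected from the `ARM_CLIENT_ID` / `ARM_CLIENT_SECRET` / `ARM_TENANT_ID` environment variables.

```hcl
# ---- root module: main.tf ------------------------------------------------
# Added example (not from the original thread). Terraform 0.13+ / azurerm 3.x.
# No client_id/client_secret here: the provider reads ARM_* from the
# environment, so nothing secret is committed or written to state.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# One provider instance per subscription. A single service principal works if
# it holds a role on both subscriptions (Network Contributor on the two VNets
# is sufficient for peering); with one SP per subscription, set client_id and
# client_secret per alias from sensitive variables instead.
provider "azurerm" {
  alias           = "dev"
  subscription_id = "00000000-0000-0000-0000-000000000001" # placeholder
  features {}
}

provider "azurerm" {
  alias           = "test"
  subscription_id = "00000000-0000-0000-0000-000000000002" # placeholder
  features {}
}

module "vnet_peering" {
  source = "./modules/vnet_peering" # placeholder path

  # Hand both configured providers to the module under the aliases it expects.
  providers = {
    azurerm.dev  = azurerm.dev
    azurerm.test = azurerm.test
  }

  dev_vnet_name  = "dev-network"
  dev_rg_name    = "dev-network-rg"
  test_vnet_name = "test-network"
  test_rg_name   = "test-network-rg"
}

# ---- child module: modules/vnet_peering/main.tf --------------------------
terraform {
  required_providers {
    azurerm = {
      source                = "hashicorp/azurerm"
      configuration_aliases = [azurerm.dev, azurerm.test]
    }
  }
}

variable "dev_vnet_name"  { type = string }
variable "dev_rg_name"    { type = string }
variable "test_vnet_name" { type = string }
variable "test_rg_name"   { type = string }

# Each lookup runs under the provider for the subscription that owns the VNet.
data "azurerm_virtual_network" "dev" {
  provider            = azurerm.dev
  name                = var.dev_vnet_name
  resource_group_name = var.dev_rg_name
}

data "azurerm_virtual_network" "test" {
  provider            = azurerm.test
  name                = var.test_vnet_name
  resource_group_name = var.test_rg_name
}

# A peering belongs to the LOCAL VNet, so resource_group_name and
# virtual_network_name come from the same subscription as the provider;
# only remote_virtual_network_id crosses the subscription boundary.
resource "azurerm_virtual_network_peering" "dev_to_test" {
  provider                  = azurerm.dev
  name                      = "dev-to-test"
  resource_group_name       = data.azurerm_virtual_network.dev.resource_group_name
  virtual_network_name      = data.azurerm_virtual_network.dev.name
  remote_virtual_network_id = data.azurerm_virtual_network.test.id

  allow_virtual_network_access = true
  # Forwarded traffic lets the peer route third-party traffic through this
  # VNet; leave it off unless the design requires transit.
  allow_forwarded_traffic = false
}

resource "azurerm_virtual_network_peering" "test_to_dev" {
  provider                  = azurerm.test
  name                      = "test-to-dev"
  resource_group_name       = data.azurerm_virtual_network.test.resource_group_name
  virtual_network_name      = data.azurerm_virtual_network.test.name
  remote_virtual_network_id = data.azurerm_virtual_network.dev.id

  allow_virtual_network_access = true
  allow_forwarded_traffic      = false
}
```

Before running `terraform plan`, confirm the principal actually has a role on both subscriptions, for example with `az role assignment list --assignee <appId> --subscription <subscriptionId>` for each of the two IDs; a missing assignment on either side produces the "resource group not found" symptom described above rather than an explicit authorization error.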
@tombuildsstuff this worked for me a few weeks back (you helped me out at MSFT community gardening day). We recently set up a new tenant with new subscriptions and I can't get the code above to work. I went and created a new role: and copied down the app IDs and added it to the provider block how you have it above and I am getting the error below: My plan is to build:
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
I am not entirely sure which category this question should appear in.
We are trying to implement Vnet Peerings across multiple subscriptions. Each subscription has its own Service Principal. We have granted contributor permissions for one of the Service Principals to another subscription in which we are trying to create the Vnet Peering too. However, that Service Principal cannot find the resource group of the Vnet to which we want the Vnet Peering to peer. This is causing issues with automating this process in Terraform. I have the code I believe I need for this to work, but I think we are having issues with Service Principals and permissions to get this working. The code I have works fine within the same subscription, just not across different subscriptions.
Can someone please advise?
Here is the code I have currently to do this:
The code above is an example of the vnet peerings I have. When I try to go to the vnet ID for the peerings I have in my code, within the portal, it goes straight to that particular vnet.
Many Thanks,
Chris