PS D:\TaskFlow\terraform> terraform apply
random_id.acr_suffix: Refreshing state... [id=meATKA]
tls_private_key.main: Refreshing state... [id=230ef8a93a35c81d801c08960c566336e0397e2f]
azurerm_resource_group.main: Refreshing state... [id=/subscriptions/079f14e5-201e-43cb-8ac0-3da23d698a06/resourceGroups/taskflow-rg]
azurerm_private_dns_zone.main: Refreshing state... [id=/subscriptions/079f14e5-201e-43cb-8ac0-3da23d698a06/resourceGroups/taskflow-rg/providers/Microsoft.Network/privateDnsZones/taskflow-postgres.database.azure.com]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
Terraform will perform the following actions:
azurerm_container_registry.main will be created
- resource "azurerm_container_registry" "main" {
- admin_enabled = true
- admin_password = (sensitive value)
- admin_username = (known after apply)
- encryption = (known after apply)
- export_policy_enabled = true
- id = (known after apply)
- location = "centralus"
- login_server = (known after apply)
- name = "taskflowacr99e01328"
- network_rule_bypass_option = "AzureServices"
- network_rule_set = (known after apply)
- public_network_access_enabled = true
- resource_group_name = "taskflow-rg"
- retention_policy = (known after apply)
- sku = "Basic"
- tags = {
}
- trust_policy = (known after apply)
- zone_redundancy_enabled = false
}
azurerm_linux_virtual_machine.app_vm will be created
- resource "azurerm_linux_virtual_machine" "app_vm" {
- admin_username = "azureuser"
- allow_extension_operations = true
- bypass_platform_safety_checks_on_user_schedule_enabled = false
- computer_name = (known after apply)
- custom_data = (sensitive value)
- disable_password_authentication = true
- disk_controller_type = (known after apply)
- extensions_time_budget = "PT1H30M"
- id = (known after apply)
- location = "centralus"
- max_bid_price = -1
- name = "taskflow-app-vm"
- network_interface_ids = (known after apply)
- patch_assessment_mode = "ImageDefault"
- patch_mode = "ImageDefault"
- platform_fault_domain = -1
- priority = "Regular"
- private_ip_address = (known after apply)
- private_ip_addresses = (known after apply)
- provision_vm_agent = true
- public_ip_address = (known after apply)
- public_ip_addresses = (known after apply)
- resource_group_name = "taskflow-rg"
- size = "Standard_B1s"
- tags = {
- "Name" = "taskflow-app-vm"
}
- virtual_machine_id = (known after apply)
- vm_agent_platform_updates_enabled = false
- admin_ssh_key {
At least one attribute in this block is (or was) sensitive,
so its contents will not be displayed.
}
- os_disk {
- caching = "ReadWrite"
- disk_size_gb = (known after apply)
- name = (known after apply)
- storage_account_type = "Standard_LRS"
- write_accelerator_enabled = false
}
- source_image_reference {
- offer = "0001-com-ubuntu-server-jammy"
- publisher = "Canonical"
- sku = "22_04-lts-gen2"
- version = "latest"
}
- termination_notification (known after apply)
}
azurerm_linux_virtual_machine.bastion will be created
- resource "azurerm_linux_virtual_machine" "bastion" {
- admin_username = "azureuser"
- allow_extension_operations = true
- bypass_platform_safety_checks_on_user_schedule_enabled = false
- computer_name = (known after apply)
- custom_data = (sensitive value)
- disable_password_authentication = true
- disk_controller_type = (known after apply)
- extensions_time_budget = "PT1H30M"
- id = (known after apply)
- location = "centralus"
- max_bid_price = -1
- name = "taskflow-bastion"
- network_interface_ids = (known after apply)
- patch_assessment_mode = "ImageDefault"
- patch_mode = "ImageDefault"
- platform_fault_domain = -1
- priority = "Regular"
- private_ip_address = (known after apply)
- private_ip_addresses = (known after apply)
- provision_vm_agent = true
- public_ip_address = (known after apply)
- public_ip_addresses = (known after apply)
- resource_group_name = "taskflow-rg"
- size = "Standard_B1s"
- tags = {
- "Name" = "taskflow-bastion"
}
- virtual_machine_id = (known after apply)
- vm_agent_platform_updates_enabled = false
- admin_ssh_key {
At least one attribute in this block is (or was) sensitive,
so its contents will not be displayed.
}
- os_disk {
- caching = "ReadWrite"
- disk_size_gb = (known after apply)
- name = (known after apply)
- storage_account_type = "Standard_LRS"
- write_accelerator_enabled = false
}
- source_image_reference {
- offer = "0001-com-ubuntu-server-jammy"
- publisher = "Canonical"
- sku = "22_04-lts-gen2"
- version = "latest"
}
- termination_notification (known after apply)
}
azurerm_network_interface.app_vm will be created
- resource "azurerm_network_interface" "app_vm" {
- accelerated_networking_enabled = (known after apply)
- applied_dns_servers = (known after apply)
- dns_servers = (known after apply)
- enable_accelerated_networking = (known after apply)
- enable_ip_forwarding = (known after apply)
- id = (known after apply)
- internal_domain_name_suffix = (known after apply)
- ip_forwarding_enabled = (known after apply)
- location = "centralus"
- mac_address = (known after apply)
- name = "taskflow-app-vm-nic"
- private_ip_address = (known after apply)
- private_ip_addresses = (known after apply)
- resource_group_name = "taskflow-rg"
- tags = {
- "Name" = "taskflow-app-vm-nic"
}
- virtual_machine_id = (known after apply)
- ip_configuration {
- gateway_load_balancer_frontend_ip_configuration_id = (known after apply)
- name = "internal"
- primary = (known after apply)
- private_ip_address = (known after apply)
- private_ip_address_allocation = "Dynamic"
- private_ip_address_version = "IPv4"
- public_ip_address_id = (known after apply)
- subnet_id = (known after apply)
}
}
azurerm_network_interface.bastion will be created
- resource "azurerm_network_interface" "bastion" {
- accelerated_networking_enabled = (known after apply)
- applied_dns_servers = (known after apply)
- dns_servers = (known after apply)
- enable_accelerated_networking = (known after apply)
- enable_ip_forwarding = (known after apply)
- id = (known after apply)
- internal_domain_name_suffix = (known after apply)
- ip_forwarding_enabled = (known after apply)
- location = "centralus"
- mac_address = (known after apply)
- name = "taskflow-bastion-nic"
- private_ip_address = (known after apply)
- private_ip_addresses = (known after apply)
- resource_group_name = "taskflow-rg"
- tags = {
- "Name" = "taskflow-bastion-nic"
}
- virtual_machine_id = (known after apply)
- ip_configuration {
- gateway_load_balancer_frontend_ip_configuration_id = (known after apply)
- name = "internal"
- primary = (known after apply)
- private_ip_address = (known after apply)
- private_ip_address_allocation = "Dynamic"
- private_ip_address_version = "IPv4"
- public_ip_address_id = (known after apply)
- subnet_id = (known after apply)
}
}
azurerm_network_security_group.app_vm will be created
- resource "azurerm_network_security_group" "app_vm" {
- id = (known after apply)
- location = "centralus"
- name = "taskflow-app-vm-nsg"
- resource_group_name = "taskflow-rg"
- security_rule = [
- {
- access = "Allow"
- destination_address_prefix = "*"
- destination_address_prefixes = []
- destination_application_security_group_ids = []
- destination_port_range = "*"
- destination_port_ranges = []
- direction = "Outbound"
- name = "AllowAllOutbound"
- priority = 100
- protocol = "*"
- source_address_prefix = "*"
- source_address_prefixes = []
- source_application_security_group_ids = []
- source_port_range = "*"
- source_port_ranges = []
(1 unchanged attribute hidden)
},
- {
- access = "Allow"
- destination_address_prefix = "*"
- destination_address_prefixes = []
- destination_application_security_group_ids = []
- destination_port_range = "22"
- destination_port_ranges = []
- direction = "Inbound"
- name = "SSHFromBastion"
- priority = 1001
- protocol = "Tcp"
- source_address_prefix = "10.0.1.0/24"
- source_address_prefixes = []
- source_application_security_group_ids = []
- source_port_range = "*"
- source_port_ranges = []
(1 unchanged attribute hidden)
},
- {
- access = "Allow"
- destination_address_prefix = "*"
- destination_address_prefixes = []
- destination_application_security_group_ids = []
- destination_port_range = "5000"
- destination_port_ranges = []
- direction = "Inbound"
- name = "HTTP"
- priority = 1002
- protocol = "Tcp"
- source_address_prefix = "*"
- source_address_prefixes = []
- source_application_security_group_ids = []
- source_port_range = "*"
- source_port_ranges = []
(1 unchanged attribute hidden)
},
]
- tags = {
- "Name" = "taskflow-app-vm-nsg"
}
}
azurerm_network_security_group.bastion will be created
- resource "azurerm_network_security_group" "bastion" {
- id = (known after apply)
- location = "centralus"
- name = "taskflow-bastion-nsg"
- resource_group_name = "taskflow-rg"
- security_rule = [
- {
- access = "Allow"
- destination_address_prefix = "*"
- destination_address_prefixes = []
- destination_application_security_group_ids = []
- destination_port_range = "*"
- destination_port_ranges = []
- direction = "Outbound"
- name = "AllowAllOutbound"
- priority = 100
- protocol = "*"
- source_address_prefix = "*"
- source_address_prefixes = []
- source_application_security_group_ids = []
- source_port_range = "*"
- source_port_ranges = []
(1 unchanged attribute hidden)
},
- {
- access = "Allow"
- destination_address_prefix = "*"
- destination_address_prefixes = []
- destination_application_security_group_ids = []
- destination_port_range = "22"
- destination_port_ranges = []
- direction = "Inbound"
- name = "SSH"
- priority = 1001
- protocol = "Tcp"
- source_address_prefix = "*"
- source_address_prefixes = []
- source_application_security_group_ids = []
- source_port_range = "*"
- source_port_ranges = []
(1 unchanged attribute hidden)
},
]
- tags = {
- "Name" = "taskflow-bastion-nsg"
}
}
azurerm_postgresql_flexible_server.main will be created
- resource "azurerm_postgresql_flexible_server" "main" {
- administrator_login = (sensitive value)
- administrator_password = (sensitive value)
- auto_grow_enabled = false
- backup_retention_days = 7
- delegated_subnet_id = (known after apply)
- fqdn = (known after apply)
- geo_redundant_backup_enabled = false
- id = (known after apply)
- location = "centralus"
- name = "taskflow-db"
- private_dns_zone_id = "/subscriptions/079f14e5-201e-43cb-8ac0-3da23d698a06/resourceGroups/taskflow-rg/providers/Microsoft.Network/privateDnsZones/taskflow-postgres.database.azure.com"
- public_network_access_enabled = true
- resource_group_name = "taskflow-rg"
- sku_name = "B_Standard_B1ms"
- storage_mb = 32768
- storage_tier = (known after apply)
- tags = {
}
- version = "15"
- zone = "1"
- authentication (known after apply)
}
azurerm_postgresql_flexible_server_database.main will be created
- resource "azurerm_postgresql_flexible_server_database" "main" {
- charset = "utf8"
- collation = "en_US.utf8"
- id = (known after apply)
- name = "taskflow"
- server_id = (known after apply)
}
azurerm_postgresql_flexible_server_firewall_rule.app_vm will be created
- resource "azurerm_postgresql_flexible_server_firewall_rule" "app_vm" {
- end_ip_address = "10.0.10.254"
- id = (known after apply)
- name = "AllowAppVM"
- server_id = (known after apply)
- start_ip_address = "10.0.10.0"
}
azurerm_private_dns_zone_virtual_network_link.main will be created
- resource "azurerm_private_dns_zone_virtual_network_link" "main" {
- id = (known after apply)
- name = "taskflow-dns-link"
- private_dns_zone_name = "taskflow-postgres.database.azure.com"
- registration_enabled = false
- resource_group_name = "taskflow-rg"
- virtual_network_id = (known after apply)
}
azurerm_public_ip.app_vm will be created
- resource "azurerm_public_ip" "app_vm" {
- allocation_method = "Static"
- ddos_protection_mode = "VirtualNetworkInherited"
- fqdn = (known after apply)
- id = (known after apply)
- idle_timeout_in_minutes = 4
- ip_address = (known after apply)
- ip_version = "IPv4"
- location = "centralus"
- name = "taskflow-app-vm-pip"
- resource_group_name = "taskflow-rg"
- sku = "Basic"
- sku_tier = "Regional"
- tags = {
- "Name" = "taskflow-app-vm-pip"
}
}
azurerm_public_ip.bastion will be created
- resource "azurerm_public_ip" "bastion" {
- allocation_method = "Static"
- ddos_protection_mode = "VirtualNetworkInherited"
- fqdn = (known after apply)
- id = (known after apply)
- idle_timeout_in_minutes = 4
- ip_address = (known after apply)
- ip_version = "IPv4"
- location = "centralus"
- name = "taskflow-bastion-pip"
- resource_group_name = "taskflow-rg"
- sku = "Basic"
- sku_tier = "Regional"
- tags = {
- "Name" = "taskflow-bastion-pip"
}
}
azurerm_subnet.private_app will be created
- resource "azurerm_subnet" "private_app" {
- address_prefixes = [
]
- default_outbound_access_enabled = true
- enforce_private_link_endpoint_network_policies = (known after apply)
- enforce_private_link_service_network_policies = (known after apply)
- id = (known after apply)
- name = "taskflow-private-app-subnet"
- private_endpoint_network_policies = (known after apply)
- private_endpoint_network_policies_enabled = (known after apply)
- private_link_service_network_policies_enabled = (known after apply)
- resource_group_name = "taskflow-rg"
- virtual_network_name = "taskflow-vnet"
}
azurerm_subnet.private_db will be created
- resource "azurerm_subnet" "private_db" {
- address_prefixes = [
]
- default_outbound_access_enabled = true
- enforce_private_link_endpoint_network_policies = (known after apply)
- enforce_private_link_service_network_policies = (known after apply)
- id = (known after apply)
- name = "taskflow-private-db-subnet"
- private_endpoint_network_policies = (known after apply)
- private_endpoint_network_policies_enabled = (known after apply)
- private_link_service_network_policies_enabled = (known after apply)
- resource_group_name = "taskflow-rg"
- virtual_network_name = "taskflow-vnet"
- delegation {
- name = "delegation"
- service_delegation {
- actions = [
- "Microsoft.Network/virtualNetworks/subnets/join/action",
]
- name = "Microsoft.DBforPostgreSQL/flexibleServers"
}
}
}
azurerm_subnet.public will be created
- resource "azurerm_subnet" "public" {
- address_prefixes = [
]
- default_outbound_access_enabled = true
- enforce_private_link_endpoint_network_policies = (known after apply)
- enforce_private_link_service_network_policies = (known after apply)
- id = (known after apply)
- name = "taskflow-public-subnet"
- private_endpoint_network_policies = (known after apply)
- private_endpoint_network_policies_enabled = (known after apply)
- private_link_service_network_policies_enabled = (known after apply)
- resource_group_name = "taskflow-rg"
- virtual_network_name = "taskflow-vnet"
}
azurerm_subnet_network_security_group_association.private_app will be created
- resource "azurerm_subnet_network_security_group_association" "private_app" {
- id = (known after apply)
- network_security_group_id = (known after apply)
- subnet_id = (known after apply)
}
azurerm_subnet_network_security_group_association.public will be created
- resource "azurerm_subnet_network_security_group_association" "public" {
- id = (known after apply)
- network_security_group_id = (known after apply)
- subnet_id = (known after apply)
}
azurerm_virtual_network.main will be created
- resource "azurerm_virtual_network" "main" {
- address_space = [
]
- dns_servers = (known after apply)
- guid = (known after apply)
- id = (known after apply)
- location = "centralus"
- name = "taskflow-vnet"
- resource_group_name = "taskflow-rg"
- subnet = (known after apply)
- tags = {
}
}
Plan: 19 to add, 0 to change, 0 to destroy.
Changes to Outputs:
- acr_login_server = (known after apply)
- acr_name = "taskflowacr99e01328"
- app_url = (known after apply)
- app_vm_private_ip = (known after apply)
- app_vm_public_ip = (known after apply)
- bastion_public_ip = (known after apply)
- db_fqdn = (sensitive value)
- db_host = (sensitive value)
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
azurerm_virtual_network.main: Creating...
azurerm_public_ip.app_vm: Creating...
azurerm_public_ip.bastion: Creating...
azurerm_network_security_group.bastion: Creating...
azurerm_container_registry.main: Creating...
╷
│ Error: creating Virtual Network (Subscription: "079f14e5-201e-43cb-8ac0-3da23d698a06"
│ Resource Group Name: "taskflow-rg"
│ Virtual Network Name: "taskflow-vnet"): performing CreateOrUpdate: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByAzure: Resource 'taskflow-vnet' was disallowed by Azure: This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support..
│
│ with azurerm_virtual_network.main,
│ on main.tf line 40, in resource "azurerm_virtual_network" "main":
│ 40: resource "azurerm_virtual_network" "main" {
│
╵
╷
│ Error: creating Network Security Group (Subscription: "079f14e5-201e-43cb-8ac0-3da23d698a06"
│ Resource Group Name: "taskflow-rg"
│ Network Security Group Name: "taskflow-bastion-nsg"): performing CreateOrUpdate: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByAzure: Resource 'taskflow-bastion-nsg' was disallowed by Azure: This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support..
│
│ with azurerm_network_security_group.bastion,
│ on main.tf line 86, in resource "azurerm_network_security_group" "bastion":
│ 86: resource "azurerm_network_security_group" "bastion" {
│
╵
╷
│ Error: updating Public I P Address (Subscription: "079f14e5-201e-43cb-8ac0-3da23d698a06"
│ Resource Group Name: "taskflow-rg"
│ Public I P Addresses Name: "taskflow-bastion-pip"): performing CreateOrUpdate: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByAzure: Resource 'taskflow-bastion-pip' was disallowed by Azure: This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support..
│
│ with azurerm_public_ip.bastion,
│ on main.tf line 179, in resource "azurerm_public_ip" "bastion":
│ 179: resource "azurerm_public_ip" "bastion" {
│
╵
╷
│ Error: updating Public I P Address (Subscription: "079f14e5-201e-43cb-8ac0-3da23d698a06"
│ Resource Group Name: "taskflow-rg"
│ Public I P Addresses Name: "taskflow-app-vm-pip"): performing CreateOrUpdate: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByAzure: Resource 'taskflow-app-vm-pip' was disallowed by Azure: This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support..
│
│ with azurerm_public_ip.app_vm,
│ on main.tf line 192, in resource "azurerm_public_ip" "app_vm":
│ 192: resource "azurerm_public_ip" "app_vm" {
│
╵
╷
│ Error: creating Registry (Subscription: "079f14e5-201e-43cb-8ac0-3da23d698a06"
│ Resource Group Name: "taskflow-rg"
│ Registry Name: "taskflowacr99e01328"): performing Create: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByAzure: Resource 'taskflowacr99e01328' was disallowed by Azure: This policy maintains a set of best available regions where your subscription can deploy resources. The objective of this policy is to ensure that your subscription has full access to Azure services with optimal performance. Should you need additional or different regions, contact support..
│
│ with azurerm_container_registry.main,
│ on main.tf line 340, in resource "azurerm_container_registry" "main":
│ 340: resource "azurerm_container_registry" "main" {
│
╵
How do I correct this error?