Share via

Error: creating Subnet with terraform

Uday Kiran Reddy 11 Reputation points
2021-12-10T10:43:31.71+00:00

I have applied below terraform file to my azure account. 

# Configure the Microsoft Azure Provider  
terraform {  
  required_providers {  
    azurerm = {  
      source = "hashicorp/azurerm"  
      version = "~>2.0"  
    }  
  }  
}  
provider "azurerm" {  
  features {}  
}  
  
# Create a resource group if it doesn't exist  
resource "azurerm_resource_group" "myterraformgroup" {  
    name     = "myResourceGroup"  
    location = "eastus"  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}  
  
# Create virtual network  
resource "azurerm_virtual_network" "myterraformnetwork" {  
    name                = "myVnet"  
    address_space       = ["10.0.0.0/16"]  
    location            = "eastus"  
    resource_group_name = azurerm_resource_group.myterraformgroup.name  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}  
  
# Create subnet  
resource "azurerm_subnet" "myterraformsubnet" {  
    name                 = "mySubnet"  
    resource_group_name  = azurerm_resource_group.myterraformgroup.name  
    virtual_network_name = azurerm_virtual_network.myterraformnetwork.name  
    address_prefixes       = ["10.0.1.0/24"]  
}  
  
# Create public IPs  
resource "azurerm_public_ip" "myterraformpublicip" {  
    name                         = "myPublicIP"  
    location                     = "eastus"  
    resource_group_name          = azurerm_resource_group.myterraformgroup.name  
    allocation_method            = "Dynamic"  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}  
  
# Create Network Security Group and rule  
resource "azurerm_network_security_group" "myterraformnsg" {  
    name                = "myNetworkSecurityGroup"  
    location            = "eastus"  
    resource_group_name = azurerm_resource_group.myterraformgroup.name  
  
    security_rule {  
        name                       = "SSH"  
        priority                   = 1001  
        direction                  = "Inbound"  
        access                     = "Allow"  
        protocol                   = "Tcp"  
        source_port_range          = "*"  
        destination_port_range     = "22"  
        source_address_prefix      = "*"  
        destination_address_prefix = "*"  
    }  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}  
  
# Create network interface  
resource "azurerm_network_interface" "myterraformnic" {  
    name                      = "myNIC"  
    location                  = "eastus"  
    resource_group_name       = azurerm_resource_group.myterraformgroup.name  
  
    ip_configuration {  
        name                          = "myNicConfiguration"  
        subnet_id                     = azurerm_subnet.myterraformsubnet.id  
        private_ip_address_allocation = "Dynamic"  
        public_ip_address_id          = azurerm_public_ip.myterraformpublicip.id  
    }  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}  
  
# Connect the security group to the network interface  
resource "azurerm_network_interface_security_group_association" "example" {  
    network_interface_id      = azurerm_network_interface.myterraformnic.id  
    network_security_group_id = azurerm_network_security_group.myterraformnsg.id  
}  
  
# Generate random text for a unique storage account name  
resource "random_id" "randomId" {  
    keepers = {  
        # Generate a new ID only when a new resource group is defined  
        resource_group = azurerm_resource_group.myterraformgroup.name  
    }  
  
    byte_length = 8  
}  
  
# Create storage account for boot diagnostics  
resource "azurerm_storage_account" "mystorageaccount" {  
    name                        = "diag${random_id.randomId.hex}"  
    resource_group_name         = azurerm_resource_group.myterraformgroup.name  
    location                    = "eastus"  
    account_tier                = "Standard"  
    account_replication_type    = "LRS"  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}  
  
# Create (and display) an SSH key  
resource "tls_private_key" "example_ssh" {  
  algorithm = "RSA"  
  rsa_bits = 4096  
}  
output "tls_private_key" {   
    value = tls_private_key.example_ssh.private_key_pem   
    sensitive = true  
}  
  
# Create virtual machine  
resource "azurerm_linux_virtual_machine" "myterraformvm" {  
    name                  = "myVM"  
    location              = "eastus"  
    resource_group_name   = azurerm_resource_group.myterraformgroup.name  
    network_interface_ids = [azurerm_network_interface.myterraformnic.id]  
    size                  = "Standard_DS1_v2"  
  
    os_disk {  
        name              = "myOsDisk"  
        caching           = "ReadWrite"  
        storage_account_type = "Premium_LRS"  
    }  
  
    source_image_reference {  
        publisher = "Canonical"  
        offer     = "UbuntuServer"  
        sku       = "18.04-LTS"  
        version   = "latest"  
    }  
  
    computer_name  = "myvm"  
    admin_username = "azureuser"  
    disable_password_authentication = true  
  
    admin_ssh_key {  
        username       = "azureuser"  
        public_key     = tls_private_key.example_ssh.public_key_openssh  
    }  
  
    boot_diagnostics {  
        storage_account_uri = azurerm_storage_account.mystorageaccount.primary_blob_endpoint  
    }  
  
    tags = {  
        environment = "Terraform Demo"  
    }  
}

Reference from msdn link

But getting this error: 

 37: resource "azurerm_subnet" "myterraformsubnet" {Error: creating Subnet: (Name "mySubnet" / Virtual Network Name "myVnet" / Resource Group "myResourceGroup"): network.SubnetsClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'mySubnet' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Deny-Subnet-Without-Nsg\",\"id\":\"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"},\"policyDefinition\":{\"name\":\"Subnets should have a Network Security Group \",\"id\":\"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"}}]'." Target="mySubnet" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Network/virtualNetworks/subnets","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Network/virtualNetworks/subnets"},{"expression":"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id","expressionKind":"Field","operator":"Exists","path":"properties.networkSecurityGroup.id","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Deny-Subnet-Without-Nsg","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg","policyAssignmentName":"Deny-Subnet-Without-Nsg","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/QSFT-landingzones","policyDefinitionDisplayName":"Subnets should have a Network Security Group ","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/QSFT/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg","policyDefinitionName":"Deny-Subnet-Without-Nsg"},"type":"PolicyViolation"}]

How to fix this?

Disabling the policy is not a solution for this, please suggest if any other options

Azure Lab Services
Azure Lab Services
An Azure service that is used to set up labs for classrooms, trials, development and testing, and other scenarios.
308 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator
    2021-12-10T12:54:16.833+00:00

    Wanted to confirm that your subnets have associated NSG rules?

    One of the workaround that worked for another customer was removing and re-applying the policy to detect NSGs on their managed subnets, the NSGs rule came back as working and the issue got resolved

    Please refer to this documentation : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group

    Let me know and I can further investigate. Thanks.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.