
I'm trying to deploy a MySQL database on Azure using Terraform (v0.11.11). I need to define the following parts in my main.tf file:

  • provider
  • resource group
  • mysql server
  • mysql database
  • mysql virtual network rule 1
  • mysql virtual network rule 2
  • mysql virtual network rule 3

At the moment, all of those requirements work except the last one, mysql virtual network rule 3. Everything is created in subscription A, but mysql virtual network rule 3 uses a subnet_id that belongs to subscription B.

And here is the problem: how can I write my .tf file to create a virtual network rule using a subnet_id from a subscription different from the one used so far?

I tried to do it manually in Azure and it works. In the Azure Portal, I can choose the subnet even if it is based in another subscription.

#provider azurerm.A is Subscription A in my text. Everything is created in this sub.
#provider azurerm.B is Subscription B in my text. The subnet used to create virtual_network_rule_3 is in this subscription.

# Provider alias "A": the subscription that owns every resource created in
# this file (resource group, MySQL server, database and the VNet rules).
# The same service principal (client_id/client_secret/tenant_id) is reused
# by alias "B" below.
# NOTE(review): prefer supplying the secret through the ARM_CLIENT_SECRET
# environment variable rather than a tfvars file, so it is not committed to
# source control or echoed in plan output — confirm how var.client_secret
# is populated in this setup.
provider "azurerm" {
    client_id       = "${var.client_id}"
    client_secret   = "${var.client_secret}"
    tenant_id       = "${var.tenant_id}"
    subscription_id = "${var.subscription}"
    alias           = "A"
}

# Provider alias "B": the subscription that holds the subnet referenced by
# the third VNet rule. Only the subscription_id differs from alias "A"; the
# same service principal is used, so that principal must have at least read
# access to the subnet's resource group in subscription B for the
# azurerm_subnet data source below to resolve.
# NOTE(review): because both aliases share one client_secret, the remark on
# alias "A" about sourcing it from ARM_CLIENT_SECRET applies here too.
provider "azurerm" {
    client_id       = "${var.client_id}"
    client_secret   = "${var.client_secret}"
    tenant_id       = "${var.tenant_id}"
    subscription_id = "${var.subscription_B}"
    alias           = "B"
}

# Resource group in subscription A; the MySQL server, database and all
# VNet rules below are placed in it via azurerm_resource_group.rg.name.
resource "azurerm_resource_group" "rg" {
    # Attributes elided by the author (name, location, ...). Reported as working.
    # ....
}

# Azure Database for MySQL server in subscription A. Its name is what the
# VNet rules attach to (server_name), so every rule must be created through
# provider "A" regardless of where the allowed subnet lives.
resource "azurerm_mysql_server" "mysql_server" {
    # Attributes elided by the author. Reported as working.
    # NOTE(review): the elided attributes include the administrator
    # credentials — keep the admin password out of committed tfvars
    # (same advice as for client_secret on the providers).
    # ....
}

# Database on the MySQL server above, also in subscription A.
resource "azurerm_mysql_database" "mysql_db" {
    # Attributes elided by the author (name, charset, collation, ...). Reported as working.
    # ....
}

# VNet rule #1: allows a subnet that lives in subscription A to reach the
# MySQL server. The rule is only instantiated when var.vnet_one carries a
# subnet ID; an empty string disables it. Reported as working.
resource "azurerm_mysql_virtual_network_rule" "mysql_vnet_1" {
    provider = "azurerm.A"
    count    = "${var.vnet_one == "" ? 0 : 1}"

    name                = "subscription-peering-1"
    server_name         = "${azurerm_mysql_server.mysql_server.name}"
    resource_group_name = "${azurerm_resource_group.rg.name}"
    subnet_id           = "${var.vnet_one}"
}

# VNet rule #2: same shape as rule #1, for a second subnet in subscription A.
# Skipped entirely when var.vnet_two is the empty string. Reported as working.
resource "azurerm_mysql_virtual_network_rule" "mysql_vnet_2" {
    provider = "azurerm.A"
    count    = "${var.vnet_two == "" ? 0 : 1}"

    name                = "subscription-peering-2"
    server_name         = "${azurerm_mysql_server.mysql_server.name}"
    resource_group_name = "${azurerm_resource_group.rg.name}"
    subnet_id           = "${var.vnet_two}"
}

# Looks up the subnet in subscription B so that its full ARM resource ID
# (which embeds subscription B's ID) can be fed to mysql_vnet_3.
# Resolved through provider "B" because the subnet's resource group is not
# visible from subscription A.
# NOTE(review): the service principal shared by both provider aliases needs
# read access to "my-subB-rg_name" in subscription B for this lookup to
# succeed — the question reports full permissions on both subscriptions.
data "azurerm_subnet" "subnet_data" {
    name                 = "my-subB-subnet-name"
    virtual_network_name = "my-subB-vnet-name"
    resource_group_name  = "my-subB-rg_name" 
    provider = "azurerm.B"
}

# VNet rule #3: allows a subnet from subscription B to reach the MySQL
# server in subscription A. This is the rule the question reports as failing.
#
# provider "A" is the right choice here: the rule is a child of the MySQL
# server, and both the server and its resource group live in subscription A.
# Switching to provider "B" would make Terraform look for the server in the
# wrong subscription. The cross-subscription part is carried entirely by
# subnet_id, which is the full ARM ID returned by the data source.
#
# NOTE(review): for a cross-subscription VNet rule the identity creating it
# is expected to hold the subnet "join" action on the subnet in B, and the
# subnet is expected to have the Microsoft.Sql service endpoint enabled —
# confirm both. The portal and CLI succeeding with the same account suggests
# permissions are fine, so the remaining suspect is how this provider
# version handles a subnet in another subscription; the actual error text is
# not shown in the question and would narrow this down.
resource "azurerm_mysql_virtual_network_rule" "mysql_vnet_3" {
    count = "${var.vnet_exploit != "" ? 1 : 0}"

    name                = "subscription-peering-3"
    resource_group_name = "${azurerm_resource_group.rg.name}"
    server_name         = "${azurerm_mysql_server.mysql_server.name}"
    subnet_id           = "${data.azurerm_subnet.subnet_data.id}"
    provider            = "azurerm.A"
}

Thank you so much !

There are two questions that need to be clear. Are the two subscriptions in the same tenant? And what permissions do you have on the subnet in the other subscription? — Charles Xu
1. Both subscriptions have the same tenant. 2. I have full permissions on both subscriptions. That's why it seems weird to me... I can create the vnet rule with the Az CLI or the Azure portal, but I can't using Terraform... — vmele



Shouldn't the provider be azurerm.B?

# Proposed variant: same rule as in the question, but created via provider "B".
# NOTE(review): resource_group_name and server_name still point at the
# resource group and MySQL server from subscription A (the question states
# everything is created there), so with provider "B" the provider would be
# asked to create the rule under a server it cannot find in subscription B.
# Verify against the actual error before adopting this; the subscription
# difference is carried by subnet_id, not by the provider alias.
resource "azurerm_mysql_virtual_network_rule" "mysql_vnet_3" {
count = "${var.vnet_exploit != "" ? 1 : 0}"

name                = "subscription-peering-3"
resource_group_name = "${azurerm_resource_group.rg.name}"
server_name         = "${azurerm_mysql_server.mysql_server.name}"
subnet_id           = "${data.azurerm_subnet.subnet_data.id}"
provider            = "azurerm.B"
}

As I couldn't find a solution using Terraform resources, I used a local-exec provisioner to run an Azure CLI command that creates the vnet rule.

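# Fallback: create the cross-subscription VNet rule through the Azure CLI
# instead of azurerm_mysql_virtual_network_rule.
#
# Caveats a reader should be aware of:
#   - Terraform only records that this null_resource ran; the rule itself is
#     not in state, so it is never diffed. The destroy-time provisioner below
#     removes it on `terraform destroy` so no orphaned rule stays on the server.
#   - `az` authenticates with its own login (whoever ran `az login`), not with
#     the service principal configured in the azurerm providers.
#   - The variables are interpolated into a shell command line. They are
#     single-quoted below; still, only pass trusted values (a subnet ID and a
#     subscription ID), never user-supplied free text.
resource "null_resource" "create_vnet_rule_exploit_from_cli" {
    count = "${var.vnet_exploit != "" ? 1 : 0}"

    # Re-run the CLI call whenever one of its inputs changes, and expose the
    # values to the destroy-time provisioner through self.triggers.
    triggers = {
        rule_name    = "subscription-peering-exploit"
        server_name  = "${azurerm_mysql_server.mysql_server.name}"
        rg_name      = "${azurerm_resource_group.rg.name}"
        subnet_id    = "${var.vnet_exploit}"
        subscription = "${var.subscription}"
    }

    # The command must stay on a single line: a newline inside the string is
    # passed to the shell as-is and terminates the command early (the original
    # also split "--subscription" across two lines).
    provisioner "local-exec" {
        command = "az mysql server vnet-rule create --name '${self.triggers.rule_name}' --server-name '${self.triggers.server_name}' --resource-group '${self.triggers.rg_name}' --subnet '${self.triggers.subnet_id}' --subscription '${self.triggers.subscription}'"
    }

    # Delete the rule when this resource is destroyed.
    provisioner "local-exec" {
        when    = "destroy"
        command = "az mysql server vnet-rule delete --name '${self.triggers.rule_name}' --server-name '${self.triggers.server_name}' --resource-group '${self.triggers.rg_name}' --subscription '${self.triggers.subscription}'"
    }

    depends_on = ["azurerm_mysql_server.mysql_server"]
}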