Azure FHIR Service cannot disable public network access

[mclacore]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.7

AzureRM Provider Version

3.22.0

Affected Resource(s)/Data Source(s)

azurerm_healthcare_fhir_service

Terraform Configuration Files

resource "azurerm_healthcare_fhir_service" "main" {
  name                          = "name"
  location                      = "location"
  resource_group_name           = "group"
  workspace_id                  = azurerm_healthcare_workspace.main.id
  kind                          = "fhir-R4"
  public_network_access_enabled = false
}

Debug Output/Panic Output

│ Error: Unsupported argument
│
│   on main.tf line 20, in resource "azurerm_healthcare_fhir_service" "main":
│   20:   public_network_access_enabled = false
│
│ An argument named "public_network_access_enabled" is not expected here.

Expected Behaviour

Public network access would be disabled

Actual Behaviour

I get an error that it's not supported. But I see that it's supported in the documentation

Steps to Reproduce

No response

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/healthcare_fhir_service

[aristosvo]

Hi @mclacore! Thanks for raising this issue.

I'm investigating and working on/exploring the solution.

Private endpoints should be configured for the healthcareworkspace, after that I'll check what the options are to disable public access.

My TF setup:

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "${var.prefix}-resources"
  location = var.location
}

resource "azurerm_virtual_network" "example" {
  name                = "${var.prefix}-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]

  enforce_private_link_endpoint_network_policies = true
}

resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.azurehealthcareapis.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_private_dns_zone" "example2" {
  name                = "privatelink.dicom.azurehealthcareapis.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_healthcare_workspace" "example" {
  name                = "${var.prefix}hcws"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_healthcare_fhir_service" "example" {
  name                = "${var.prefix}-fhir"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  workspace_id        = azurerm_healthcare_workspace.example.id
  kind                = "fhir-R4"

  authentication {
    authority = "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47"
    audience  = "https://acctestfhir.fhir.azurehealthcareapis.com"
  }
}

resource "azurerm_private_endpoint" "example" {
  name                = "${var.prefix}-pe"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.example.id, azurerm_private_dns_zone.example2.id]
  }

  private_service_connection {
    name                           = "hcws-connection"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_healthcare_workspace.example.id
    subresource_names              = ["healthcareworkspace"]
  }
}

[aristosvo]

@mclacore It seems the property is at this moment in time read-only. When private endpoints are added, public networking is disabled.

I've enhanced the documentation and added it as attribute in #18566. I'm still exploring the option to open up the network while connected to private endpoint, but thus far I haven't figured it out.

Edit: Based on the docs private endpoints automatically disable public networking:

When an approved private endpoint is created for Azure Health Data Services, public traffic to it is automatically disabled.

Another note shows that it may take a while before this is in place:

It can take up to 5 minutes after updating the public network access flag before public traffic is blocked.

TL;DR of the investigation: public_network_access_enabled is an attribute which is changed based on the presence of private endpoints in the parent azurerm_healthcare_workspace

[github-actions]

This functionality has been released in v3.25.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.