Azure ARM template wants to delete existing subnet resource


I am trying to set up/configure PostgreSQL using ARM templates on Azure. Also, in my template, I am using an already existing VNET with subnets.

Everything worked as expected until I tried to add virtualNetworkRules. When I tried to add network rules I got an error:

Subnets XXXXX of virtual network /subscript.../virtualNetworks/XXXXXX do not have ServiceEndpoints for Microsoft.Sql resources configured. Add Microsoft.Sql to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Sql resources to these subnets.

So, I decided to add a Microsoft.Network/virtualNetworks section to the template.

My VNET has 3 subnets. One of these 3 subnets has my PSQL Database.

I added this section:

...

"resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-06-01",
      "name": "VNETNAME",
      "location": "LOCATION",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "XXX"
          ]
        }
      },
      "resources": [
        {
          "type": "subnets",
          "apiVersion": "2020-06-01",
          "name": "subnetName",
          "location": "LOCATION",
          "dependsOn": [
            "VNETNAME"
          ],
          "properties": {
            "addressPrefix": "YYY",
            "serviceEndpoints": [
              {
                "service": "Microsoft.Sql",
                "locations": [
                  "*"
                ]
              }
            ]
          }
        }
      ]
    },
 ...

And after that I got an error:

...499791aac1e995 and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet."}}, "target_resou ...

So, for some reason, it wants to destroy (or recreate?) my subnet. Any ideas why?

My opinion - maybe I missed some attributes which are already present in the subnet but not defined in my template? If so - is there a way to set some special flag to not modify any existing resources not specified in the template? Or something like that? Or any other solutions?


Solution

  • In your question you state that you've got 3 subnets, but in the snippet of the ARM template you only define 1 (as a child resource of the virtualNetwork). When the virtualNetwork resource is deployed, only the subnets defined in that resource are created and any that aren't defined are deleted (if possible; if resources are attached to the subnet(s) that aren't defined, you'll get an error instead).

    There are 2 ways to handle this, either:

    1. Define all the subnets in the ARM template that deploys the virtualNetwork. Depending on what other projects and resources use the virtualNetwork, you might find it makes sense to do that in a different ARM template.

    2. Don't define the virtualNetwork in your template, just define the subnet that matters for this deployment like this:

    "resources": [
        {
            "type": "Microsoft.Network/virtualNetworks/subnets",
            "apiVersion": "2020-06-01",
            "name": "VNETNAME/subnetName",
            "location": "LOCATION",
            "properties": {
                "addressPrefix": "YYY",
                "serviceEndpoints": [
                    {
                        "service": "Microsoft.Sql",
                        "locations": [
                            "*"
                        ]
                    }
                ]
            }
        }
    ],
    

    but be aware that if an attempt to deploy the virtualNetwork is made from another template and it doesn't include a definition for your subnet it'll either throw an error or delete the subnet (depending on whether anything is attached).
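
An added example, not part of the original answer: a pre-deployment check that lists the existing subnets a template leaves undefined when it declares the virtualNetwork, following the behaviour the answer describes. It assumes literal resource names (no template expressions); the function names and the extra subnet names are constructed for illustration.

```python
# Added example: pre-deployment check for subnets an ARM template would drop.
VNET_TYPE = "Microsoft.Network/virtualNetworks"
SUBNET_TYPE = VNET_TYPE + "/subnets"


def declared_subnets(template, vnet_name):
    """Return (vnet_declared, subnet names the template defines for vnet_name)."""
    vnet_declared, names = False, set()
    for res in template.get("resources", []):
        rtype, rname = res.get("type", "").lower(), res.get("name", "")
        if rtype == VNET_TYPE.lower() and rname == vnet_name:
            vnet_declared = True
            # Subnets listed inline under properties.subnets
            for s in res.get("properties", {}).get("subnets", []):
                names.add(s["name"])
            # Subnets nested as child resources ("type": "subnets")
            for child in res.get("resources", []):
                if child.get("type", "").lower() == "subnets":
                    names.add(child["name"])
        elif rtype == SUBNET_TYPE.lower() and rname.startswith(vnet_name + "/"):
            # Standalone subnet resource named "VNETNAME/subnetName"
            names.add(rname.split("/", 1)[1])
    return vnet_declared, names


def subnets_at_risk(template, vnet_name, existing):
    """Existing subnets the deployment would try to delete, per the answer above."""
    vnet_declared, names = declared_subnets(template, vnet_name)
    if not vnet_declared:
        return []  # option 2: only the named subnet is touched
    return sorted(set(existing) - names)


# Constructed sample data: the two extra subnet names are placeholders.
# In practice the list would come from the live VNet (e.g. az network vnet subnet list).
EXISTING = ["subnetName", "subnetApp", "subnetGateway"]
QUESTION_TEMPLATE = {"resources": [{
    "type": VNET_TYPE, "name": "VNETNAME",
    "properties": {"addressSpace": {"addressPrefixes": ["XXX"]}},
    "resources": [{"type": "subnets", "name": "subnetName",
                   "properties": {"addressPrefix": "YYY"}}],
}]}
OPTION2_TEMPLATE = {"resources": [{
    "type": SUBNET_TYPE, "name": "VNETNAME/subnetName",
    "properties": {"addressPrefix": "YYY"},
}]}

if __name__ == "__main__":
    print(subnets_at_risk(QUESTION_TEMPLATE, "VNETNAME", EXISTING))
    print(subnets_at_risk(OPTION2_TEMPLATE, "VNETNAME", EXISTING))
```

Running the check in a pipeline before the deployment step gives a readable list of affected subnets instead of the truncated deletion error shown in the question.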