Tags: azure, pulumi, azure-sql-managed-instance

Managed Instance deployment failed due to error related to preparation of network intent policy


Following the Pulumi doc "Create managed instance with all properties", I am trying to create a Managed Instance with the code below:

//
// spokeManagedInstanceSubnet -> delegated to "Microsoft.Sql/managedInstances"
// spokeManagedInstanceSubnet -> does not contain any other resource (e.g. a VM)
//
var spokeManagedInstanceSubnet = new Subnet($"{SpokeVirtualNetwork}.{ManagedInstanceSubnet}", new AzureNative.Network.SubnetArgs {
    // ... ... ...
}, new CustomResourceOptions { DependsOn = { spokeVnet } });


//
// Create Managed Instance
//
var mainManagedInstanceArgs = config.RequireObject<JsonElement>(MainManagedInstanceArgs);

var mainMiName = mainManagedInstanceArgs.GetName();
var mainMiSku = mainManagedInstanceArgs.GetSku();
var mainMiTier = mainManagedInstanceArgs.GetTier();
var mainMiVCores = mainManagedInstanceArgs.GetInt(VCores);
var mainMiStorageSizeInGB = mainManagedInstanceArgs.GetInt(StorageSizeInGB);
var mainMiStorageAccountType = mainManagedInstanceArgs.GetString(StackConfigKeys.StorageAccountType);
var mainMiAdminId = mainManagedInstanceArgs.GetString(AdministratorLoginId);
var mainMiAdminPassword = mainManagedInstanceArgs.GetString(AdministratorLoginPassword);
var mainMiLicenseType = mainManagedInstanceArgs.GetString(StackConfigKeys.LicenseType);
var mainMiCollation = mainManagedInstanceArgs.GetString(Collation);
var mainMiTimezoneId = mainManagedInstanceArgs.GetString(TimezoneId);
var mainMiMinimalTlsVersion = mainManagedInstanceArgs.GetString(MinimalTlsVersion);
var mainMiPublicDataEndpointEnabled = mainManagedInstanceArgs.GetBool(PublicDataEndpointEnabled);
var mainMiTags = mainManagedInstanceArgs.GetTags();

var mainManagedInstance = new ManagedInstance(MainManagedInstance, new ManagedInstanceArgs {
    ResourceGroupName = mainResourceGroup.Name,
    SubnetId = spokeManagedInstanceSubnet.Id,
    ManagedInstanceName = mainMiName,
    Sku = new AzureNative.Sql.Inputs.SkuArgs {
        Name = mainMiSku,
        Tier = mainMiTier,
    },
    VCores = mainMiVCores,
    StorageSizeInGB = mainMiStorageSizeInGB,
    StorageAccountType = mainMiStorageAccountType,
    ManagedInstanceCreateMode = ManagedServerCreateMode.Default,
    AdministratorLogin = mainMiAdminId,
    AdministratorLoginPassword = mainMiAdminPassword,
    LicenseType = mainMiLicenseType,
    ProxyOverride = ManagedInstanceProxyOverride.Default,
    Collation = mainMiCollation,
    TimezoneId = mainMiTimezoneId,
    MinimalTlsVersion = mainMiMinimalTlsVersion,
    PublicDataEndpointEnabled = mainMiPublicDataEndpointEnabled,
    Tags = mainMiTags
}, new CustomResourceOptions { DependsOn = { spokeManagedInstanceSubnet } });

Getting the following errors:

Pulumi Error: error: update failed. Code="Failed" Message="The async operation failed."
Error shown in Azure portal: managed Instance create operation failed
Virtual network activity log: Managed Instance deployment failed due to conflict with the following error related to preparation of network intent policy: Network security group is required for subnet

There is a related question here, but it did not solve my problem.

How do I create a Managed Instance in the delegated subnet?

According to the Microsoft doc:

To address customer security and manageability requirements, SQL Managed Instance is transitioning from manual to service-aided subnet configuration.

So the user just needs to delegate the subnet (which I did), and then Azure (ARM) should take care of the rest (NSG, route table, etc.).

Update 2021.11.21

I added an NSG and a route table to ManagedInstanceSubnet and am getting the following (in the Azure portal):

Step 1/3 Request validation: Completed
Step 2/3 Virtual Cluster resize/creation: Completed
Step 3/3 SQL Instance Cleanup: Failed


Solution

  • I was able to create an Azure SQL Managed Instance by doing the following (for the "operation timed out" issue, see the update below):

    1. Assigned the "SQL Managed Instance Contributor" role to the service principal used by Pulumi
    2. Created an NSG and added NSG rules (ignored the property NetworkSecurityGroupArgs.SecurityRules)
    3. Created a Route Table (ignored the property RouteTableArgs.Routes)
    4. Managed Instance Subnet:
      • Subnet is delegated to "Microsoft.Sql/managedInstances"
      • NSG is attached to the Subnet
      • Route Table is attached to the Subnet

    Update 2021.12.03 - solution to the "operation timed out" error

    var operationTimeoutLimit = TimeSpan.FromHours(24);
    
    var fpManagedInstance = new ManagedInstance(
        name: "FailoverPartnerManagedInstance",
        args: new ManagedInstanceArgs {
            // props
        },
        options: new CustomResourceOptions {
            CustomTimeouts = new CustomTimeouts {
                Create = operationTimeoutLimit,
                Update = operationTimeoutLimit,
                Delete = operationTimeoutLimit,
            }
        }
    );
    Timeout-related question and answer: Pulumi stack update failed due to operation timed out error
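The steps from the answer (NSG and route table without hand-written rules, a delegated subnet with both attached, and the extended custom timeouts) combined into one Pulumi Azure Native C# fragment. This is an added example, not code from the question or the answer; it assumes the `mainResourceGroup`, `spokeVnet` and `mainMi*` variables from the question, and the resource names, the address prefix and the config key `miAdminPassword` are constructed. Step 1 (the "SQL Managed Instance Contributor" role assignment for the deployment principal) is assumed to be done outside this program.

```csharp
using System;
using Pulumi;
using Pulumi.AzureNative.Network;
using Pulumi.AzureNative.Sql;
using NetInputs = Pulumi.AzureNative.Network.Inputs;

var config = new Config();

// Step 2: empty NSG. SecurityRules is intentionally not set; the service-aided
// subnet configuration adds the rules the instance needs (per the answer).
var miNsg = new NetworkSecurityGroup("mi-nsg", new NetworkSecurityGroupArgs {
    ResourceGroupName = mainResourceGroup.Name,
    Location = mainResourceGroup.Location,
});

// Step 3: empty route table. Routes is intentionally not set for the same reason.
var miRouteTable = new RouteTable("mi-rt", new RouteTableArgs {
    ResourceGroupName = mainResourceGroup.Name,
    Location = mainResourceGroup.Location,
});

// Step 4: dedicated subnet, delegated to SQL MI, with NSG and route table attached.
var miSubnet = new Subnet("mi-subnet", new SubnetArgs {
    ResourceGroupName = mainResourceGroup.Name,
    VirtualNetworkName = spokeVnet.Name,
    AddressPrefix = "10.1.2.0/24",   // constructed; the subnet must hold nothing else
    Delegations = {
        new NetInputs.DelegationArgs {
            Name = "miDelegation",
            ServiceName = "Microsoft.Sql/managedInstances",
        },
    },
    NetworkSecurityGroup = new NetInputs.NetworkSecurityGroupArgs { Id = miNsg.Id },
    RouteTable = new NetInputs.RouteTableArgs { Id = miRouteTable.Id },
}, new CustomResourceOptions { DependsOn = { spokeVnet, miNsg, miRouteTable } });

// MI creation runs for hours; raise Pulumi's per-operation timeouts (update 2021.12.03).
var operationTimeoutLimit = TimeSpan.FromHours(24);

var managedInstance = new ManagedInstance("mi", new ManagedInstanceArgs {
    ResourceGroupName = mainResourceGroup.Name,
    SubnetId = miSubnet.Id,
    ManagedInstanceName = mainMiName,
    Sku = new Pulumi.AzureNative.Sql.Inputs.SkuArgs { Name = mainMiSku, Tier = mainMiTier },
    VCores = mainMiVCores,
    StorageSizeInGB = mainMiStorageSizeInGB,
    AdministratorLogin = mainMiAdminId,
    AdministratorLoginPassword = config.RequireSecret("miAdminPassword"), // kept out of plain state
    MinimalTlsVersion = "1.2",           // hardened defaults rather than config-driven values
    PublicDataEndpointEnabled = false,   // reachable only through the VNet
}, new CustomResourceOptions {
    DependsOn = { miSubnet },
    CustomTimeouts = new CustomTimeouts {
        Create = operationTimeoutLimit, Update = operationTimeoutLimit, Delete = operationTimeoutLimit,
    },
});
```

`Pulumi.AzureNative.Network.NetworkSecurityGroupArgs` (resource arguments) and `Pulumi.AzureNative.Network.Inputs.NetworkSecurityGroupArgs` (the subnet reference) share a name, which is why the `NetInputs` alias is used for the latter.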