I am using Infrastructure-As-Code to create an app service, and a front door endpoint using a private endpoint. I do this with bicep templates.
Once created, I have to approve the private endpoint link in the UI.
How can I automatically approve this private endpoint request? Is there a way to do this with a bicep deployment?
I use this bicep to create the origin, with the endpoint.
// Existing App Service that Front Door will reach over Private Link
resource appService 'Microsoft.Web/sites@2022-09-01' existing = {
  name: applicationName
  scope: resourceGroup(resourceGroupName)   // parameter holding the app's resource group name
}

// Front Door origin pointing at the App Service through a shared private link
resource fdOrigin 'Microsoft.Cdn/profiles/originGroups/origins@2021-06-01' = {
  name: 'fd-origin'
  parent: fdOriginGroup   // origin group resource declared elsewhere in the template
  properties: {
    hostName: '${applicationName}.azurewebsites.net'
    httpPort: 80
    httpsPort: 443
    originHostHeader: '${applicationName}.azurewebsites.net'
    priority: 1
    weight: 1000
    sharedPrivateLinkResource: {
      groupId: 'sites'
      privateLinkLocation: 'EastUS2'
      requestMessage: 'Created by Deployment Pipeline'
      status: 'Approved'
      privateLink: {
        id: appService.id
      }
    }
  }
}
I've tried setting the status to approved in the sharedPrivateLinkResource section, but it doesn't approve it. It doesn't throw an error, but the link is still in Pending status.
I can approve it with the bicep below, but I have to hardcode the private link name. I can't find a way to get the private link name from the bicep above.
// Approves one connection; the name must currently be hardcoded as '<siteName>/<connectionName>'
resource privateEndpointConnection 'Microsoft.Web/sites/privateEndpointConnections@2022-09-01' = {
  name: 'MyAppService/ecc50509-75b1-xxxx-92c9-62bebcececf3-13f6a331-6472-4497-bf94-67adda467e22'
  properties: {
    privateLinkServiceConnectionState: {
      status: 'Approved'
      description: 'Approved by pipeline'
    }
  }
}
Once the Front Door deployment is completed, the private endpoint connection information is available on the web app's properties itself. You can verify that by running:

    az rest --method get --uri <webapp-resource-id>?api-version=2022-09-01
You will see this section:
    "privateEndpointConnections": [
      {
        "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/front-door-test/providers/Microsoft.Web/sites/myapp-bckwiz6zgci7k/privateEndpointConnections/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        ...
      }
    ]
You can create a module to fetch the endpoint name:

    // fetch-private-endpoint.bicep
    param appName string

    resource app 'Microsoft.Web/sites@2020-06-01' existing = {
      name: appName
    }

    // The connection name is the last segment of the first connection's resource id
    output name string = last(split(first(app.properties.privateEndpointConnections).id, '/'))
Then have a second module to approve the connection:

    // approve-private-endpoint.bicep
    param appName string
    param endPointName string

    resource app 'Microsoft.Web/sites@2022-09-01' existing = {
      name: appName
    }

    // Using 'parent' avoids hardcoding the '<siteName>/<connectionName>' form of the name
    resource privateEndpointConnection 'Microsoft.Web/sites/privateEndpointConnections@2022-09-01' = {
      parent: app
      name: endPointName
      properties: {
        privateLinkServiceConnectionState: {
          status: 'Approved'
          description: 'Approved by pipeline'
        }
      }
    }
Then in your main template you can add this:

    // Need to wait for the Front Door deployment to be completed,
    // otherwise the connection does not exist yet on the web app
    module fetchPrivateEndpointName 'modules/fetch-private-endpoint.bicep' = {
      name: 'fetch-private-endpoint'
      dependsOn: [
        fdOrigin
      ]
      params: {
        appName: appName
      }
    }

    module approvePrivateEndpoint 'modules/approve-private-endpoint.bicep' = {
      name: 'approve-private-endpoint'
      params: {
        appName: appName
        endPointName: fetchPrivateEndpointName.outputs.name
      }
    }
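The fetch module above approves whichever connection happens to be first in `privateEndpointConnections`. As an added example (not part of the answer or of any Azure tooling), the Python below does the same name derivation (`last(split(id, '/'))`) over the JSON that `az rest --method get` returns, but only plans approvals for connections that are still `Pending` and whose request description matches the `requestMessage` the pipeline set on the Front Door origin. The sample site JSON is constructed; the assumption that each connection carries `properties.privateLinkServiceConnectionState` with `status` and `description`, and that the consumer's `requestMessage` surfaces as that `description`, follows the Microsoft.Web/sites shape shown in the answer but should be checked against a real response.

```python
import json

API_VERSION = "2022-09-01"
PIPELINE_REQUEST_MESSAGE = "Created by Deployment Pipeline"  # same value as the Bicep requestMessage

# Constructed sample of what `az rest --method get --uri <site-id>?api-version=...` returns.
# Resource ids use obvious placeholders; only the structure matters here.
SITE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/front-door-test"
           "/providers/Microsoft.Web/sites/myapp")
SAMPLE_SITE = {
    "id": SITE_ID,
    "properties": {
        "privateEndpointConnections": [
            {   # already approved earlier: must not be touched again
                "id": f"{SITE_ID}/privateEndpointConnections/conn-already-approved",
                "properties": {"privateLinkServiceConnectionState":
                               {"status": "Approved", "description": "Approved by pipeline"}},
            },
            {   # pending request that came from our Front Door origin
                "id": f"{SITE_ID}/privateEndpointConnections/conn-from-front-door",
                "properties": {"privateLinkServiceConnectionState":
                               {"status": "Pending", "description": PIPELINE_REQUEST_MESSAGE}},
            },
            {   # pending request from an unknown consumer: leave for a human to review
                "id": f"{SITE_ID}/privateEndpointConnections/conn-from-unknown",
                "properties": {"privateLinkServiceConnectionState":
                               {"status": "Pending", "description": "please approve"}},
            },
        ]
    },
}


def connection_name(connection: dict) -> str:
    """Equivalent of Bicep's last(split(id, '/')): the connection's own resource name."""
    return connection["id"].rsplit("/", 1)[-1]


def connection_state(connection: dict) -> dict:
    return connection["properties"]["privateLinkServiceConnectionState"]


def pending_pipeline_connections(site: dict, request_message: str) -> list[dict]:
    """Connections still Pending whose request description is the one our pipeline sends."""
    return [
        c for c in site["properties"].get("privateEndpointConnections", [])
        if connection_state(c)["status"] == "Pending"
        and connection_state(c).get("description") == request_message
    ]


def approval_request(site_id: str, connection: dict, description: str) -> tuple[str, dict]:
    """URI and body for a PUT on Microsoft.Web/sites/privateEndpointConnections."""
    uri = f"{site_id}/privateEndpointConnections/{connection_name(connection)}?api-version={API_VERSION}"
    body = {"properties": {"privateLinkServiceConnectionState":
                           {"status": "Approved", "description": description}}}
    return uri, body


def plan_approvals(site: dict, request_message: str = PIPELINE_REQUEST_MESSAGE) -> list[list[str]]:
    """Build one `az rest --method put` command per connection that should be approved."""
    commands = []
    for conn in pending_pipeline_connections(site, request_message):
        uri, body = approval_request(site["id"], conn, "Approved by pipeline")
        commands.append(["az", "rest", "--method", "put", "--uri", uri, "--body", json.dumps(body)])
    return commands


if __name__ == "__main__":
    for cmd in plan_approvals(SAMPLE_SITE):
        print(" ".join(cmd))
```

Run against real output by replacing `SAMPLE_SITE` with `json.loads(...)` of the `az rest` response; the script only prints the commands so they can be reviewed before execution. Matching on the request message keeps an unexpected Private Link request to the same app from being approved as a side effect of the pipeline.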