Can't configure a value for "network_interface": its value will be decided │ automatically based on the result of applying this configuration

Question

I want to craete private endpoint with Network Interface in terraform. This is my terraform code:

resource "azurerm_network_interface" "generic_kv_nic" {
  name                = "generic-${local.key_vault_name}-nic"
  location            = data.azurerm_resource_group.generic_net_rg.location
  resource_group_name = data.azurerm_resource_group.generic_net_rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = data.azurerm_subnet.generic_subnet.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_private_endpoint" "generic_kv_pe" {
  name                = "generic-${local.key_vault_name}"
  location            = data.azurerm_resource_group.generic_net_rg.location
  resource_group_name = data.azurerm_resource_group.generic_net_rg.name
  subnet_id           = data.azurerm_subnet.generic_subnet.id

  private_service_connection {
    name                           = "generic-${local.key_vault_name}-connection"
    private_connection_resource_id = azurerm_key_vault.generic_kv.id
    is_manual_connection           = false
  }

  network_interface {
    id = azurerm_network_interface.generic_kv_nic.id
  }

  depends_on = [ 
    azurerm_key_vault.generic_kv,
    azurerm_network_interface.generic_kv_nic
  ]
}

The error i get during plan:

│ Error: Value for unconfigurable attribute
│
│   with azurerm_private_endpoint.imco_kv_pe,
│   on main.tf line 170, in resource "azurerm_private_endpoint" "generic_kv_pe":
│  170: resource "azurerm_private_endpoint" "generic_kv_pe" {
│
│ Can't configure a value for "network_interface": its value will be decided
│ automatically based on the result of applying this configuration.

How to overcome that issue?

Answer 1

The azurerm_private_endpoint resource creates a network interface itself, you don't need to explicitly create one and pass it in. The network_interface block is exported by the resource, i.e. it's an output of the resource, not an input you can set.

Get rid of the azurerm_network_interface resource and the network_interface block from your azurerm_private_endpoint resource.

You need to add the subresource_names argument to your private_service_connection block (vault in your case as the target resource is a Key Vault).

Also both of the dependencies listed in your depends_on block aren't needed because they're already implicit dependencies (due to you referencing those resources in the config for your azurerm_private_endpoint).

resource "azurerm_private_endpoint" "generic_kv_pe" {
  name                = "generic-${local.key_vault_name}"
  location            = data.azurerm_resource_group.generic_net_rg.location
  resource_group_name = data.azurerm_resource_group.generic_net_rg.name
  subnet_id           = data.azurerm_subnet.generic_subnet.id

  private_service_connection {
    name                           = "generic-${local.key_vault_name}-connection"
    private_connection_resource_id = azurerm_key_vault.generic_kv.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }
}