[AVM Module Issue]: Private endpoint resource_group_name in private_endpoints is ignored; PE is created in parent app resource group #286

@PbALpi7xEX

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Bug

(Optional) Module Version

0.22.0

(Optional) Correlation Id

No response

Description

When using Azure/avm-res-web-site/azurerm, setting private_endpoints..resource_group_name does not control where the private endpoint is created.
The private endpoint is created in the app resource group (derived from parent_id) instead of the specified resource group.

Repro configuration

The app is created under an app resource group via parent_id, while the private endpoint is configured with a different resource_group_name (network resource group).

Example:

    module "app_service" {
      source    = "Azure/avm-res-web-site/azurerm"
      version   = "0.22.0"

      name      = "example-app"
      location  = var.location
      parent_id = azurerm_resource_group.app.id

      private_endpoints_manage_dns_zone_group = false
      private_endpoints = {
        primary = {
          subnet_resource_id  = azurerm_subnet.private_endpoints.id
          resource_group_name = azurerm_resource_group.network.name
        }
      }
    }

Expected behavior

  • Private endpoint should be created in the resource group specified by private_endpoints.primary.resource_group_name.

Actual behavior

  • Private endpoint is created in the resource group associated with parent_id.

Impact

  • Prevents common separation patterns where application resources and networking resources are managed in separate resource groups.
  • Can violate policy/governance controls requiring private endpoints in a dedicated network RG.

Suspected root cause

PE creation appears to use the app parent scope for placement, and private_endpoints..resource_group_name is not honored for resource placement.

Workaround

  • Create private endpoints outside the module (for example via azurerm_private_endpoint or azapi_resource) in the desired networking resource group.

Request

Please confirm whether this is:

  • A bug (resource_group_name should be honored), or
  • Intended behavior (documentation should clarify PE placement follows parent_id).

If bug, please update module behavior so private_endpoints..resource_group_name controls PE resource group placement.
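
The workaround described in this issue, sketched as an added example (not part of the original issue and not the module's own code): the `private_endpoints` input is dropped from the module call and the endpoint is declared separately in the network resource group. It assumes the module exposes the app's resource ID as the output `resource_id`; the endpoint and connection names are constructed.

```hcl
# Module call from the repro, with the private_endpoints input removed so the
# module no longer creates a private endpoint in the app resource group.
module "app_service" {
  source  = "Azure/avm-res-web-site/azurerm"
  version = "0.22.0"

  name      = "example-app"
  location  = var.location
  parent_id = azurerm_resource_group.app.id
}

# Private endpoint managed outside the module. Its placement is set explicitly
# by resource_group_name, so it lands in the network resource group.
resource "azurerm_private_endpoint" "app_service" {
  name                = "pe-example-app" # constructed name
  location            = var.location
  resource_group_name = azurerm_resource_group.network.name
  subnet_id           = azurerm_subnet.private_endpoints.id

  # Assumption: module.app_service.resource_id is the App Service resource ID.
  private_service_connection {
    name                           = "psc-example-app" # constructed name
    private_connection_resource_id = module.app_service.resource_id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  # No private_dns_zone_group block, matching the repro's
  # private_endpoints_manage_dns_zone_group = false (DNS handled elsewhere).
}

# Surfaces the placement in plan/apply output so a reviewer can confirm the
# endpoint is in the network resource group rather than the app one.
output "app_service_private_endpoint_resource_group" {
  value = azurerm_private_endpoint.app_service.resource_group_name
}
```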
