
I am running into a problem where Terraform tries to change a resource, which is deployed by a DeployIfNotExists policy. This policy automatically creates a DNS entry for a private endpoint (source). Normally, I would use ignore_changes, but this only works for resources that are first deployed by Terraform, and then all future changes outside Terraform are ignored.

How can I deploy a private endpoint without private_dns_zone_group, preventing any future deployments from deleting the private_dns_zone_group which is deployed by an Azure policy?

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_endpoint_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = var.private_service_connection_name
    is_manual_connection           = false
    private_connection_resource_id = azurerm_app_service.app_service.id
    subresource_names              = ["sites"]
  }

  # This cannot be included, otherwise the DeployIfNotExists policy will not run
  # private_dns_zone_group {
  #   name                 = "deployedByPolicy"
  #   private_dns_zone_ids = []
  # }

  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}
Cloudkollektiv

  • If you just remove the block from your code it doesn't work? The `private_dns_zone_group` block is optional, so just omit it and you will be able to create your PE without it being added to a DNS zone by Terraform. – Ked Mardemootoo Jul 08 '21 at 13:01
  • When you don't deploy it, it will be deleted when Azure created it with a policy. – Cloudkollektiv Jul 08 '21 at 13:36
  • That's odd, I didn't know that! Are you also managing the `azurerm_private_dns_zone` via Terraform? Do you think this could be the one causing the issue? It's just weird that Terraform would be aware of what exists in the private DNS zone by just omitting the private DNS zone group. – Ked Mardemootoo Jul 08 '21 at 15:02
  • azurerm_private_dns_zone is not managed by Terraform; it is within the hub subscription (Cloud Adoption Framework). So the private DNS zone group is the issue, which is always a subresource of the private endpoint. – Cloudkollektiv Jul 09 '21 at 07:25

2 Answers


Here, obviously, the problem comes from the built-in Azure policy.

You can create a custom policy which will directly create a record in the Azure Private DNS Zone.

MoonHorse


I am not sure what happened in the meantime, but I got it to work as I expected. I must say I updated to the latest azurerm provider and deleted the state. It works when you do not include private_dns_zone_group within the private_endpoint and explicitly ignore changes on it.

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_endpoint_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = var.private_service_connection_name
    is_manual_connection           = false
    private_connection_resource_id = azurerm_app_service.app_service.id
    subresource_names              = ["sites"]
  }

  # Ignored, because it is managed by the DeployIfNotExists policy
  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}
Cloudkollektiv
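A plan-time guardrail for the failure mode described in the question, added here as an example that is not from the question or either answer: it parses `terraform show -json <planfile>` output and flags any azurerm_private_endpoint whose planned update would drop an existing private_dns_zone_group (the one the DeployIfNotExists policy created). The sample plan JSON below is constructed, and the DNS zone resource ID in it is a placeholder.

```python
import json
import sys

# Constructed sample of `terraform show -json tfplan` output (not from the post):
# Terraform wants to update the endpoint and remove the policy-created zone group.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [{
        "address": "azurerm_private_endpoint.private_endpoint",
        "type": "azurerm_private_endpoint",
        "change": {
            "actions": ["update"],
            "before": {"private_dns_zone_group": [{
                "name": "deployedByPolicy",
                "private_dns_zone_ids": ["/subscriptions/<placeholder>/privateDnsZones/x"],
            }]},
            "after": {"private_dns_zone_group": []},
        },
    }],
})


def find_zone_group_removals(plan_json: str) -> list:
    """Return addresses of private endpoints whose planned change would delete
    a private_dns_zone_group that exists in the current state."""
    removals = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_private_endpoint":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # Only in-place updates and replacements can drop an existing zone group;
        # "no-op" (what ignore_changes produces) and "create" cannot.
        if "update" not in actions and not ("delete" in actions and "create" in actions):
            continue
        before = (change.get("before") or {}).get("private_dns_zone_group") or []
        after = (change.get("after") or {}).get("private_dns_zone_group") or []
        if before and not after:
            removals.append(rc["address"])
    return removals


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_plan.py ; runs on the sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    hits = find_zone_group_removals(data)
    for address in hits:
        print(f"WARNING: plan removes policy-managed private_dns_zone_group on {address}")
    sys.exit(1 if hits else 0)
```

Wire the non-zero exit into the pipeline step that runs after `terraform plan -out=tfplan` so an apply that would undo the policy's DNS registration is blocked before it runs.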