
azurerm_private_endpoint.private_dns_zone_group - created A records aren't idempotent. #7726

Status: Closed
poddm opened this issue Jul 14, 2020 · 4 comments
Labels: service/private-link, upstream/microsoft (Indicates that there's an upstream issue blocking this issue/PR)

Comments

@poddm

poddm commented Jul 14, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

$ terraform -v
Terraform v0.12.26
+ provider.azurerm v2.15.0

Affected Resource(s)

  • azurerm_private_endpoint.private_dns_zone_group

Terraform Configuration Files

provider "azurerm" {
  features {}
}

# The reporter's configuration references var.prefix and var.location without
# declaring them; these declarations (and their default values) are assumed so
# the configuration validates on its own.
variable "prefix" {
  default = "tfex"
}

variable "location" {
  default = "West Europe"
}

resource "azurerm_resource_group" "example" {
  name     = "${var.prefix}-resources"
  location = var.location
}

resource "azurerm_virtual_network" "example" {
  name                = "${var.prefix}-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = "10.0.2.0/24"

  # Required (in this provider version) for a subnet that hosts private endpoints.
  enforce_private_link_endpoint_network_policies = true
}

# Private DNS zone for the PostgreSQL Private Link FQDNs.
resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_postgresql_server" "example" {
  name                = "${var.prefix}-postgresql"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku_name = "GP_Gen5_4"

  storage_mb                   = 5120
  backup_retention_days        = 7
  geo_redundant_backup_enabled = false
  auto_grow_enabled            = true

  administrator_login = "psqladminun"
  # Placeholder from the original report; in a real deployment source this from
  # a variable or Key Vault rather than committing it to the configuration.
  administrator_login_password = "H@Sh1CoR3!"
  version                      = "9.5"
  ssl_enforcement_enabled      = true
}

resource "azurerm_private_endpoint" "example" {
  name                = "${var.prefix}-pe"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  # This block makes the platform create the A record in the zone on the
  # Terraform user's behalf; that record is the one this issue is about.
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
  }

  private_service_connection {
    name                           = "tfex-postgresql-connection"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_postgresql_server.example.id
    subresource_names              = ["postgresqlServer"]
  }
}

Expected Behavior

An A record within the private DNS zone should be recreated if it is deleted from outside Terraform (e.g. in the Azure portal).

Actual Behavior

When an A record within a private DNS zone is deleted, terraform doesn't recreate it.

Steps to Reproduce

  1. terraform apply
  2. Delete A records from Azure Portal
  3. terraform apply

...the A records previously created by azurerm_private_endpoint.private_dns_zone_group are not recreated.

Important Factoids

References

@WodansSon
Collaborator

@poddm, thanks for opening this issue. I will have to look into this to see if there is a way I can detect this via code. The issue here is, the A records are created automatically by the API without Terraform knowing that it has done so. Which means, it will be very difficult for Terraform to determine if an A record should be "re-created" or not. I will see what I can do, but if the API does not offer a way for me to get this information, there unfortunately isn't a whole lot I can do.

WodansSon added the upstream/microsoft label (Indicates that there's an upstream issue blocking this issue/PR) on Jul 18, 2020

@WodansSon
Collaborator

@poddm, I've spoken to the service team for this API and I'm sorry but there is nothing we can do here due to the current design of the API, if you want this functionality I would suggest opening a feature request on the Network API's feedback forum? Given the response from the service team I am going to go ahead and close this issue, but I would really like to thank you for opening this issue and your patience while I worked with the service team. Cheers! 🚀

@poddm
Author

poddm commented Jul 21, 2020

@WodansSon, thanks for looking at this. Very much appreciated.

I see what you mean - bummer. The private DNS record changes aren't reflected in the privatednszonegroups API.

az rest --method get  --uri https://management.azure.com/subscriptions/######/resourceGroups/######-resources/providers/Microsoft.Network/privateEndpoints/######-pe/privateDnsZoneGroups/private-dns-zone-group?api-version=2020-05-01
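Given the maintainer's conclusion that the privateDnsZoneGroups API does not expose the records it creates, the practical workaround is to stop relying on the API-created records and declare the A record in Terraform, so it is in state and a `terraform plan` shows it as a pending create if someone deletes it in the portal. The following is an added example, not code from the issue or from the provider project. It reuses the resource names from the reporter's configuration, drops the private_dns_zone_group block (the two mechanisms would otherwise both try to own a record with the same name), and assumes the exported attribute `private_service_connection[0].private_ip_address` on azurerm_private_endpoint and that the Private Link name of a single-server PostgreSQL instance is `<server name>.privatelink.postgres.database.azure.com`, so the record name is the server name. The virtual network link is also an addition, so that clients in the VNet actually resolve the private zone.

```hcl
# Added example (not from the issue): manage the Private Link A record
# explicitly instead of through private_dns_zone_group, so Terraform owns it
# and recreates it when it is deleted out of band.

resource "azurerm_private_endpoint" "example" {
  name                = "${var.prefix}-pe"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  # Intentionally no private_dns_zone_group: the record is declared below.
  # If one already exists from a previous apply, delete it or import it into
  # azurerm_private_dns_a_record.postgres first, otherwise the create collides.

  private_service_connection {
    name                           = "tfex-postgresql-connection"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_postgresql_server.example.id
    subresource_names              = ["postgresqlServer"]
  }
}

# Link the zone to the VNet so resolvers inside it use the privatelink zone.
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "${var.prefix}-pdns-link"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
  registration_enabled  = false
}

# Assumption: single-server PostgreSQL, one private IP per endpoint, record
# name equals the server name. TTL 10 matches what the platform would create.
resource "azurerm_private_dns_a_record" "postgres" {
  name                = azurerm_postgresql_server.example.name
  zone_name           = azurerm_private_dns_zone.example.name
  resource_group_name = azurerm_resource_group.example.name
  ttl                 = 10
  records             = [azurerm_private_endpoint.example.private_service_connection[0].private_ip_address]
}
```

With this in place, repeating the reporter's steps (apply, delete the record in the portal, plan again) yields a plan containing `+ azurerm_private_dns_a_record.postgres`, and the next apply restores the record with the endpoint's current private IP. The trade-off is that the record name must be maintained per service type by hand, since the zone group's automatic naming is no longer used.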

@ghost

ghost commented Aug 20, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Aug 20, 2020