
Private DNS zone group deployed by DeployIfNotExists policy gets destroyed

Open jvanenckevort opened this issue 3 years ago • 2 comments

I am running into a problem where Terraform tries to change the private_dns_zone_group, which is deployed by a DeployIfNotExists policy. This policy automatically creates a DNS entry for a private endpoint (source). Normally, I would use ignore_changes, but this only works for resources that are first deployed by Terraform, and then all future changes outside Terraform are ignored.

How can I deploy a private endpoint without a private_dns_zone_group, preventing any future deployments from deleting the private_dns_zone_group which is deployed by an Azure policy?

Within the Cloud Adoption Framework, having a centralized DNS, which is automatically updated by Azure policies, is highly favorable. But it seems like Terraform conflicts with these specific policies.

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_endpoint_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = var.private_service_connection_name
    is_manual_connection           = false
    private_connection_resource_id = azurerm_app_service.app_service.id
    subresource_names              = ["sites"]
  }

  # This cannot be included, otherwise the DeployIfNotExists policy will not run
  # private_dns_zone_group {
  #   name = "deployedByPolicy"
  #   private_dns_zone_ids = []
  # }

  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}

jvanenckevort, Jul 02 '21 12:07
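A pre-apply guard for the situation described in this issue, added here as an example and not code from the issue, the azurerm provider or the terraform-azurerm-caf project: it reads `terraform show -json` plan output and fails the pipeline when an `azurerm_private_endpoint` that is updated or replaced would lose a `private_dns_zone_group`, which is how a policy-deployed zone group gets destroyed. The embedded plan is a constructed sample, and the resource address, group name and zone id are placeholders.

```python
"""Pre-apply guard: fail when a Terraform plan would strip a
private_dns_zone_group from a private endpoint that otherwise survives."""
import json
import sys

# Constructed sample of `terraform show -json <planfile>` output, trimmed to
# the fields the check reads; the zone id is a placeholder.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "azurerm_private_endpoint.private_endpoint",
    "type": "azurerm_private_endpoint",
    "change": {
        "actions": ["update"],
        "before": {"private_dns_zone_group": [{
            "name": "deployedByPolicy",
            "private_dns_zone_ids": ["<zone-id-placeholder>"]}]},
        "after": {"private_dns_zone_group": []},
    },
}]})

def zone_group_names(state):
    """Names of the private_dns_zone_group blocks in a before/after object."""
    if not state:  # None before a create or after a delete
        return set()
    return {g.get("name") for g in state.get("private_dns_zone_group") or []}

def find_zone_group_removals(plan_json):
    """(address, removed names) for each azurerm_private_endpoint that is
    updated or replaced (not created or deleted) yet loses a zone group."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_private_endpoint":
            continue
        change = rc["change"]
        actions = change.get("actions", [])
        if "update" not in actions and len(actions) < 2:  # replace = 2 actions
            continue
        removed = (zone_group_names(change.get("before"))
                   - zone_group_names(change.get("after")))
        if removed:
            findings.append((rc["address"], sorted(removed)))
    return findings

if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python guard.py (sample if no pipe)
    plan = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    hits = find_zone_group_removals(plan)
    for address, groups in hits:
        print(f"{address}: plan would remove private_dns_zone_group {groups}")
    sys.exit(1 if hits else 0)
```

Run it as a step between `terraform plan -out=tfplan` and `terraform apply` so a plan that would undo the policy's DNS entry is stopped before it reaches Azure.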