Azure Terraform ignore_changes on private dns zone group with DeployIfNotExists policy


I am running into a problem where Terraform tries to change a resource, which is deployed by a DeployIfNotExists policy. This policy automatically creates a DNS entry for a private endpoint (source). Normally, I would use ignore_changes, but this only works for resources that are first deployed by Terraform, and then all future changes outside Terraform are ignored.

How can I deploy a private endpoint without private_dns_zone_group, preventing any future deployments from deleting the private_dns_zone_group which is deployed by an Azure policy?

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_endpoint_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = var.private_service_connection_name
    is_manual_connection           = false
    private_connection_resource_id = azurerm_app_service.app_service.id
    subresource_names              = ["sites"]
  }

  # This cannot be included, otherwise the DeployIfNotExists policy will not run
  # private_dns_zone_group {
  #   name                 = "deployedByPolicy"
  #   private_dns_zone_ids = []
  # }

  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}

There are 2 answers

MoonHorse

Here, obviously, the problem comes from the built-in Azure policy.

You can create a custom policy which will directly create a record in the Azure Private DNS Zone.

Cloudkollektiv

I am not sure what happened in the meantime, but I got it to work as I expected. I must say I updated to the latest azurerm provider and deleted the state. It works when you do not include private_dns_zone_group within the private_endpoint and explicitly ignore changes on it.

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_endpoint_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = var.private_service_connection_name
    is_manual_connection           = false
    private_connection_resource_id = azurerm_app_service.app_service.id
    subresource_names              = ["sites"]
  }

  # Ignore, because managed by DeployIfNotExists policy
  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}
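A plan-time guard for the failure mode described in the question, added here as an example and not part of either answer: it reads the JSON from `terraform show -json tfplan` and flags any azurerm_private_endpoint whose private_dns_zone_group would be altered, which is exactly what happens when Terraform tries to undo the block the DeployIfNotExists policy created. The embedded plan and the DNS zone resource ID in it are constructed sample data, not output from a real deployment.

```python
"""Flag Terraform plans that would touch private_dns_zone_group on a private endpoint.

Input is the JSON produced by `terraform show -json tfplan`. In that format each
nested block such as private_dns_zone_group appears as a list of objects under
change.before / change.after.
"""
import json

RESOURCE_TYPE = "azurerm_private_endpoint"
ATTR = "private_dns_zone_group"


def dns_group_changes(plan):
    """Return (address, before, after) for every private endpoint whose
    private_dns_zone_group differs between the before and after state."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        if "no-op" in change.get("actions", []):
            continue
        # before is None on create, after is None on destroy; treat both as empty
        before = (change.get("before") or {}).get(ATTR) or []
        after = (change.get("after") or {}).get(ATTR) or []
        if before != after:
            findings.append((rc["address"], before, after))
    return findings


def check_plan_json(text):
    """Parse plan JSON text and return the list of offending changes."""
    return dns_group_changes(json.loads(text))


# Constructed sample plan: Terraform would strip the policy-created zone group
# (one entry before, none after). The zone resource ID is a placeholder.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "azurerm_private_endpoint.private_endpoint",
        "type": RESOURCE_TYPE,
        "change": {
            "actions": ["update"],
            "before": {ATTR: [{"name": "deployedByPolicy", "private_dns_zone_ids": [
                "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/"
                "Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"]}]},
            "after": {ATTR: []},
        },
    }],
})

if __name__ == "__main__":
    for address, before, after in check_plan_json(SAMPLE_PLAN):
        print(f"{address}: {ATTR} would change from {before} to {after}")
```

If the ignore_changes block from the answer above is working, a plan against the real state produces no findings; a non-empty result means Terraform is still fighting the policy.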