[Question/Feedback]: Make private-endpoints play well with Azure policies

[davidkarlsen]

Check for previous/existing GitHub issues

• [X] I have checked for previous/existing GitHub issues

Description

Its quite common to deploy the private-DNS with policies in an enterprise environment - because these zones are often hosted in the central hub in a hub-and-spoke setup. Hence it would be good for the AVM modules to be able to ignore drift on private-endpoint DNS-settings.

I propose that the private-endpoint logic is done conditionally like this:

• if a user provides a dns-zone, the module creates a PE resource (like today) with private-dns zone settings
• if a user does not provide dns-zone settings, another PE-resource (instead of the previous one), where it ignores drift on the private-endpoint settings.

In lack of this support in AVM, the user would have to deploy the module w/o any private-endpoint settings, and deal with this themselves outside of the AVM-module.

Relevant links:

• terraform feature request for life-cycle ignores on modules: https://github.com/hashicorp/terraform/issues/27360
• cloud-adoption framework on central hub and DNS: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures

[matt-FFFFFF]

Hi @davidkarlsen

We are coming up with guidance on this issue.

We will have it out by 2024

[davidkarlsen]

@matt-FFFFFF I can see it one of your favourite topics: https://www.youtube.com/watch?v=J61D3FcAyEU&ab_channel=AzureTerraformer :-D

[matt-FFFFFF]

Still on the list of things to do, won't be long

[matt-FFFFFF]

We have proposed this in a PR

fixed by #537