aztfmod / terraform-azurerm-caf

Terraform supermodule for the Terraform platform engineering for Azure
https://aztfmod.github.io/documentation/
MIT License

Private DNS zone group deployed by DeployIfNotExists policy gets destroyed #559

Open jvanenckevort opened 3 years ago

jvanenckevort commented 3 years ago

I am running into a problem where Terraform tries to change the private_dns_zone_group, which is deployed by a DeployIfNotExists policy. This policy automatically creates a DNS entry for a private endpoint (source). Normally, I would use ignore_changes, but this only works for resources that are first deployed by Terraform, and then all future changes outside Terraform are ignored.

How can I deploy a private endpoint without a private_dns_zone_group, preventing any future deployments from deleting the private_dns_zone_group which is deployed by an Azure policy?

Within the Cloud Adoption Framework, having a centralized DNS, which is automatically updated by Azure policies is highly favorable. But it seems like Terraform conflicts with these specific policies.

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_endpoint_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = var.private_service_connection_name
    is_manual_connection           = false
    private_connection_resource_id = azurerm_app_service.app_service.id
    subresource_names              = ["sites"]
  }

  # This cannot be included, otherwise the DeployIfNotExists policy will not run
  # private_dns_zone_group {
  #   name = "deployedByPolicy"
  #   private_dns_zone_ids = []
  # }

  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}
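A pre-apply guard for the exact failure mode described above, as an added example that is not code from this issue or from the aztfmod project: it reads the JSON form of a Terraform plan (`terraform show -json <planfile>`) and refuses the run if any azurerm_private_endpoint update or replacement would drop a private_dns_zone_group that currently exists in state, which is what the DeployIfNotExists policy leaves behind. The script name plan_guard.py, the pipeline wiring in the docstring and the embedded SAMPLE_PLAN are assumptions constructed for illustration; the field names it reads (resource_changes, change.actions, change.before, change.after) are Terraform's documented plan JSON representation, where a nested block such as private_dns_zone_group is rendered as a list of objects.

```python
"""plan_guard.py (assumed name, not part of the aztfmod project).

Pre-apply guard: fail the pipeline if the plan would strip a
private_dns_zone_group from an existing azurerm_private_endpoint, e.g. one
attached by an Azure DeployIfNotExists policy after the last apply.

Assumed pipeline usage:
    terraform plan -out=tfplan
    terraform show -json tfplan | python plan_guard.py
"""
import json
import sys

RESOURCE_TYPE = "azurerm_private_endpoint"
BLOCK = "private_dns_zone_group"


def dns_zone_group_removals(plan):
    """Return the addresses of private endpoints whose planned change would
    remove a private_dns_zone_group that is present in state.

    `plan` is the dict form of `terraform show -json <planfile>`.
    """
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A deliberate destroy of the endpoint loses the group too, but that
        # is the operator's intent; only updates and replacements are suspect.
        if "update" not in actions and "create" not in actions:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # Nested blocks appear as a list (here of at most one object).
        if before.get(BLOCK) and not after.get(BLOCK):
            hits.append(rc["address"])
    return hits


def main(stream=None):
    """Read plan JSON from `stream` (stdin by default); return the exit code."""
    plan = json.load(stream or sys.stdin)
    hits = dns_zone_group_removals(plan)
    for address in hits:
        print(f"refusing to apply: {address} would lose its {BLOCK} "
              f"(attached outside Terraform, e.g. by policy)", file=sys.stderr)
    return 1 if hits else 0


# Constructed sample plan for offline demonstration (not real Terraform output).
_ZONE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-dns/providers/Microsoft.Network/privateDnsZones/"
            "privatelink.azurewebsites.net")
_GROUP = [{"name": "deployedByPolicy", "private_dns_zone_ids": [_ZONE_ID]}]
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {   # policy attached a zone group; config has no block -> plan drops it
            "address": "azurerm_private_endpoint.app",
            "type": RESOURCE_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"name": "pe-app", BLOCK: _GROUP},
                "after": {"name": "pe-app", BLOCK: []},
            },
        },
        {   # zone group managed in config and kept -> harmless tag update
            "address": "azurerm_private_endpoint.sql",
            "type": RESOURCE_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"name": "pe-sql", "tags": {}, BLOCK: _GROUP},
                "after": {"name": "pe-sql", "tags": {"env": "prod"}, BLOCK: _GROUP},
            },
        },
        {   # brand-new endpoint; nothing exists yet, so nothing can be lost
            "address": "azurerm_private_endpoint.new",
            "type": RESOURCE_TYPE,
            "change": {
                "actions": ["create"],
                "before": None,
                "after": {"name": "pe-new", BLOCK: []},
            },
        },
    ],
}


if __name__ == "__main__":
    sys.exit(main())
```

Run it between `terraform plan` and `terraform apply` in the pipeline; a non-zero exit means the plan would undo what the policy deployed and the run should be stopped for review rather than applied. Against SAMPLE_PLAN it flags only azurerm_private_endpoint.app.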
pkwarts commented 3 years ago

+1

arne21a commented 8 months ago

I also had this issue and tried different things. But none of them can be called more than a bad workaround. IMO the best place to fix this would be the azurerm provider. I wrote a feature request in which I also outlined my workarounds.

If this is still an issue for you, I invite you to upvote my feature request ;) https://github.com/hashicorp/terraform-provider-azurerm/issues/24681