Tags to Private DNS Zones and Private DNS Zone vNet Links are not applied

[Joerg-L]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.7

AzureRM Provider Version

v3.74.0

Affected Resource(s)/Data Source(s)

azurerm_private_dns_zone_virtual_network_link, azurerm_private_dns_zone, azurerm_private_dns_resolver, azurerm_private_dns_resolver_dns_forwarding_ruleset, azurerm_private_dns_resolver_inbound_endpoint, azurerm_private_dns_resolver_outbound_endpoint

Terraform Configuration Files

locals {
  common_tags = {
    "Workload name"         = "Connectivity Hub"
    "Application name"      = "Connectivity Hub"
    "Business unit"         = "DACH IT"
    "Business criticality"  = "High"
    "Operations team"       = "Clound & Hosting / ***********"
    "Cost Center"           = "to be find out"
    Environment             = "Production"
    managedBy               = "Terraform"
  }
  extra_tags  = {
  }
  tags = merge( local.common_tags, local.extra_tags)

  azure_private_dns_zones = [
    "privatelink.postgres.database.azure.com",
    "privatelink.blob.core.windows.net",
    "privatelink.vaultcore.azure.net"
    ]
}

resource "azurerm_private_dns_zone" "private_dns_zone" {
  for_each            = toset(local.azure_private_dns_zones )
  name                = each.key
  resource_group_name = module.rg-network-dns.name
  tags                = merge( local.tags, { "Application name"      = "DNS" } )
}

Debug Output/Panic Output

[WARN]  Provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value for azurerm_private_dns_zone.private_dns_zone["privatelink.blob.core.windows.net"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .tags: element "Application name" has vanished
      - .tags: element "Business criticality" has vanished
      - .tags: element "Business unit" has vanished
      - .tags: element "Cost Center" has vanished
      - .tags: element "Operations team" has vanished
      - .tags: element "Workload name" has vanished

Expected Behaviour

The defined Tags, as also shown in the plan, should be applied

Actual Behaviour

Terraform plan/apply shows

But not all Tags are applied

Steps to Reproduce

terraform apply with supplied configuration

Important Factoids

same tag logic is successfully applied to other resources like resource group

References

No response

[Joerg-L]

Someone an idea on that issue? We still see that following dns related resources

• azurerm_private_dns_zone_virtual_network_link
• azurerm_private_dns_zone
• azurerm_private_dns_resolver
• azurerm_private_dns_resolver_dns_forwarding_ruleset
• azurerm_private_dns_resolver_inbound_endpoint
• azurerm_private_dns_resolver_outbound_endpoint

tags are not applied correctly.

Anything we can do to support on that issue?

[Joerg-L]

Anyone an idea on that?

[georgegil]

I suspect this is an upstream Azure API issue, as I'm seeing the same behavior with equivalent azapi provider

Azurerm resource:

resource "azurerm_private_dns_zone_virtual_network_link" "dns_link" {
  for_each = var.private_dns_zones

  name                  = "${azurerm_virtual_network.az_vnet.name}-to-${module.regions.location_short}-privatedns"
  resource_group_name   = var.dns_rg_name != null ? var.dns_rg_name : var.rg_name
  private_dns_zone_name = azurerm_private_dns_zone.dns[each.key].name
  virtual_network_id    = azurerm_virtual_network.az_vnet.id

  tags = var.tags
}

azapi resource

resource "azapi_resource" "dns_link" {
  for_each = var.private_dns_zones_link

  type      = "Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01"
  name      = "${azurerm_virtual_network.az_vnet.name}-to-${module.regions.location_short}-privatedns"
  location  = "global"
  parent_id = each.value

  body = jsonencode({
    properties = {
      registrationEnabled = false
      virtualNetwork = {
        id = azurerm_virtual_network.az_vnet.id
      }
    }
  })

  tags = var.tags
}

Only SOME of the tags are sticking... weird.

[tgiorgio]

I have the same issue here. Tags are not being applied to Private DNS Zones or Network Links.