hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_private_dns_zone data lookup needs more access than enterprise customers will allow #26597

Closed KevinBrooke closed 4 months ago

KevinBrooke commented 4 months ago

Terraform Version

1.5.7

AzureRM Provider Version

3.111.0

Affected Resource(s)/Data Source(s)

azurerm_private_dns_zone

Terraform Configuration Files

data "azurerm_private_dns_zone" "keyvault" {
  provider = azurerm.dns
  name     = "privatelink.vaultcore.azure.net"
}

Debug Output/Panic Output

Resource Group Name: "customer-dnszones"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '267b0905-1091-4b0a-87c9-dadc7c5c56a2' with object id '267b0905-1091-4b0a-87c9-dadc7c5c56a2' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '/subscriptions/566f2f89-58cd-4d39-a602-60ddbc6e8d14/resourceGroups/customer-dnszones' or the scope is invalid. If access was recently granted, please refresh your credentials.

Note: GUIDs have been replaced with randomised GUIDs.

Expected Behaviour

Most customers we work with have DNS zones in a central subscription and service principals are given access to the zones the deployment requires. The customer has provided the service principal with the Private DNS Zone Contributor role to the zone. This should be enough for Terraform to manage resources within the zone. azurerm provider v3.77.0 does not produce the error as it must obtain the zone details via other methods. We should not need to ask a customer for read access over a whole resource group to perform a task that should not require that access.

Actual Behaviour

The private DNS zone details are returned without requiring the resource group Reader role.

Steps to Reproduce

Give your SP the Private DNS Zone Contributor role to the zone and then run TF plan/apply. The error appears on apply.

Important Factoids

No response

References

No response

tombuildsstuff commented 4 months ago

hey @KevinBrooke

In order to look up the Private DNS Zone we need to know the Resource Group name - when that's not specified (as is the case here), we'll attempt to discover that by listing the Private DNS Zones within the Subscription - and as such you should be able to fix this by specifying the Resource Group name here.

This requirement comes from the design of the API (which is the same as other ARM APIs) - insofar as the Private DNS Zone is obtained via /subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.Network/privateDnsZones/XXX - meaning that we need to know the Subscription ID, Resource Group Name and Private DNS Zone name in order to retrieve information about the Private DNS Zone.

Since this is a question related to the Terraform Configuration being used, I'm going to close this issue for the moment since this is an expected behaviour when the resource_group_name field isn't specified - but as mentioned above you can specify the Resource Group name in order to remove the requirement for this extra permission.

Thanks!
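As an added example (not part of the issue thread or the provider's own code), this is the configuration shape the comment above implies: a zone-name to resource-group map drives the lookups, so each data source resolves one zone via its full ARM path and never needs to list the subscription. The variable name, the second zone, the subscription ID and the output are assumptions; the subscription GUID is a placeholder.

```hcl
# Added example. Zone name => resource group that holds it (constructed values).
variable "private_dns_zones" {
  type = map(string)
  default = {
    "privatelink.vaultcore.azure.net"   = "customer-dnszones"
    "privatelink.blob.core.windows.net" = "customer-dnszones" # assumed second zone
  }
}

# Aliased provider pointing at the central DNS subscription (placeholder GUID).
provider "azurerm" {
  alias           = "dns"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  features {}
}

# With resource_group_name set, the provider reads the zone directly at
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/<name>
# instead of enumerating every Private DNS Zone in the subscription, so the
# zone-scoped Private DNS Zone Contributor assignment is sufficient and no
# Microsoft.Resources/subscriptions/resourceGroups/read permission is exercised.
data "azurerm_private_dns_zone" "zones" {
  for_each            = var.private_dns_zones
  provider            = azurerm.dns
  name                = each.key
  resource_group_name = each.value
}

# Resolved zone IDs, ready to feed a private endpoint's private_dns_zone_group.
output "private_dns_zone_ids" {
  value = { for name, zone in data.azurerm_private_dns_zone.zones : name => zone.id }
}
```

Callers reference a zone as data.azurerm_private_dns_zone.zones["privatelink.vaultcore.azure.net"].id, which is the same value the reporter would otherwise have to pass in by hand.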

KevinBrooke commented 4 months ago

But provider v3.77.0 works with just the DNS Zone name. It's a PITA having to pass/know the resource group name for something that already worked in a previous version of the provider.

KevinBrooke commented 4 months ago

If the RG name is required, instead of only needing the DNS Subscription ID, we'll need the sub ID and a map of resource group names and DNS zone names. By the time you have that you might as well not use the lookup and just pass the resource IDs.

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.