hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_private_dns_a_record - Bug in authorisation #27002

Open gibbcode opened 2 months ago

gibbcode commented 2 months ago

Terraform Version

1.5.6

AzureRM Provider Version

3.115.0

Affected Resource(s)/Data Source(s)

azurerm_private_dns_a_record

Terraform Configuration Files

resource "azurerm_private_dns_a_record" "aoai" {
  name                = "record-name"
  zone_name           = "privatelink.openai.azure.com"
  resource_group_name = var.private_dns_zone_resource_group_name
  ttl                 = 3600
  records             = ["1.1.1.1"]
}

Debug Output/Panic Output

TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: 2024-08-12T11:00:36.726Z [DEBUG] provider.terraform-provider-azurerm_v3.115.0_x5: AzureRM Response for https://management.azure.com/subscriptions/***/resourceGroups/RG-Name/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com/A/Record-Name?api-version=2020-06-01: 
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: HTTP/2.0 403 Forbidden
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Content-Length: 550
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Cache-Control: no-cache
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Content-Type: application/json; charset=utf-8
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Date: Mon, 12 Aug 2024 11:00:36 GMT
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Expires: -1
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Pragma: no-cache
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Strict-Transport-Security: max-age=31536000; includeSubDomains
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Cache: CONFIG_NOCACHE
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Content-Type-Options: nosniff
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Ms-Correlation-Request-Id: 4456d40b-34c0-b310-5c5e-42aa54ae9d10
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Ms-Failure-Cause: gateway
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Ms-Request-Id: 99963856-1a9d-4242-8c37-8c7ce2d0da13
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Ms-Routing-Request-Id: WESTEUROPE:20240812T110036Z:99963856-1a9d-4242-8c37-8c7ce2d0da13
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: X-Msedge-Ref: Ref A: 903CECCAEFE0426FBD0950365450D479 Ref B: AMS231032609047 Ref C: 2024-08-12T11:00:36Z
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: 
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: {"error":{"code":"AuthorizationFailed","message":"The client 'Client-ID' with object id 'Object-ID' does not have authorization to perform action 'Microsoft.Network/privateDnsZones/A/write' over scope '/subscriptions/***/resourceGroups/RG-Name/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com/A/Record-Name' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: timestamp=2024-08-12T11:00:36.726Z
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: 2024-08-12T11:00:36.726Z [ERROR] provider.terraform-provider-azurerm_v3.115.0_x5: Response contains error diagnostic: @module=sdk.proto diagnostic_severity=ERROR tf_proto_version=5.6 tf_provider_addr=provider @caller=github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_summary="creating/updating Record Type (Subscription: "***"
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Resource Group Name: "RG-Name"
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Private Dns Zone Name: "privatelink.openai.azure.com"
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Record Type: "A"
TestDataSciencePlatform 2024-08-12T11:00:36Z logger.go:66: Relative Record Set Name: "Record-Name"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client 'Client-ID' with object id 'Object-ID' does not have authorization to perform action 'Microsoft.Network/privateDnsZones/A/write' over scope '/subscriptions/***/resourceGroups/RG-Name/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com/A/Record-Name' or the scope is invalid. If access was recently granted, please refresh your credentials." tf_req_id=1a1a9dfc-36e7-167a-c657-bd412c5aa42b tf_resource_type=azurerm_private_dns_a_record tf_rpc=ApplyResourceChange diagnostic_detail= timestamp=2024-08-12T11:00:36.726Z

Expected Behaviour

DNS Record should have been created.

Using the same service principal to authenticate, the same private DNS zone and the same resource group, I'm able to create the same Private DNS records without a problem from PowerShell, using "az network private-dns record-set a add-record".

Actual Behaviour

        Error:          Received unexpected error:
                        FatalError{Underlying: error while running command: exit status 1; 
                        Error: creating/updating Record Type (Subscription: "***"
                        Resource Group Name: "RG-Name"
                        Private Dns Zone Name: "privatelink.openai.azure.com"
                        Record Type: "A"
                        Relative Record Set Name: "Record-Name"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client 'client-id' with object id 'object-id' does not have authorization to perform action 'Microsoft.Network/privateDnsZones/A/write' over scope '/subscriptions/***/resourceGroups/RG-Name/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com/A/Record-Name' or the scope is invalid. If access was recently granted, please refresh your credentials.

Steps to Reproduce

terraform apply

Important Factoids

The service principal used by Terraform and referenced in the errors is permissioned as a "Private DNS Zone Contributor" and is able to create the Private DNS record defined in Terraform using PowerShell without a problem.

References

No response
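The 403 in the debug output names the exact principal (client ID and object ID), action (`Microsoft.Network/privateDnsZones/A/write`) and scope that ARM evaluated, which is what to compare against the role assignments you believe you granted. The Python below is an added illustration, not code from this issue or from the provider: it parses that error body (copied from the debug output, with the IDs already redacted there) and replays Azure RBAC's evaluation rules, `Actions` minus `NotActions` with `*` wildcards and scope inheritance from the assignment scope down to child resources, against a constructed set of assignments. The abbreviated role definitions, the principal object IDs and the assignments are sample data made up for the example; `Private DNS Zone Contributor` is shown with only the subset of its actions relevant here.

```python
import json
import re

# Constructed copy of the AuthorizationFailed body from the debug output above.
ERROR_BODY = (
    '{"error":{"code":"AuthorizationFailed","message":"The client \'Client-ID\' '
    "with object id 'Object-ID' does not have authorization to perform action "
    "'Microsoft.Network/privateDnsZones/A/write' over scope "
    "'/subscriptions/***/resourceGroups/RG-Name/providers/Microsoft.Network/"
    "privateDnsZones/privatelink.openai.azure.com/A/Record-Name' or the scope "
    'is invalid. If access was recently granted, please refresh your credentials."}}'
)

# Abbreviated, sample role definitions (assumed for the example; real built-in
# roles carry more actions than listed here).
ROLES = {
    "Private DNS Zone Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Network/privateDnsZones/*",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/join/action",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "NotActions": [],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

ZONE_SCOPE = ("/subscriptions/***/resourceGroups/RG-Name/providers/"
              "Microsoft.Network/privateDnsZones/privatelink.openai.azure.com")

# Sample assignments (hypothetical principal IDs): the principal the reporter
# thinks Terraform runs as, and a second principal with Reader only.
ASSIGNMENTS = [
    {"principal_object_id": "Object-ID",
     "role": "Private DNS Zone Contributor", "scope": ZONE_SCOPE},
    {"principal_object_id": "Other-Object-ID",
     "role": "Reader", "scope": "/subscriptions/***/resourceGroups/RG-Name"},
]

_MSG = re.compile(
    r"The client '(?P<client_id>[^']*)' with object id '(?P<object_id>[^']*)' "
    r"does not have authorization to perform action '(?P<action>[^']*)' "
    r"over scope '(?P<scope>[^']*)'"
)


def parse_authorization_failed(body):
    """Extract principal, action and scope from an ARM AuthorizationFailed body."""
    err = json.loads(body).get("error", {})
    if err.get("code") != "AuthorizationFailed":
        raise ValueError("not an AuthorizationFailed response: %r" % err.get("code"))
    m = _MSG.search(err.get("message", ""))
    if not m:
        raise ValueError("unrecognised AuthorizationFailed message format")
    return m.groupdict()


def action_matches(pattern, action):
    """RBAC action wildcard: '*' matches any run of characters, '/' included;
    the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and to every resource beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")


def role_permits(role, action):
    """Allowed if some Action matches and no NotAction of the same role matches."""
    return (any(action_matches(p, action) for p in role.get("Actions", []))
            and not any(action_matches(p, action) for p in role.get("NotActions", [])))


def evaluate(assignments, roles, object_id, action, scope):
    """Return the assignments that grant `action` on `scope` to `object_id`;
    an empty list is what ARM turns into 403 AuthorizationFailed."""
    return [a for a in assignments
            if a["principal_object_id"].lower() == object_id.lower()
            and scope_covers(a["scope"], scope)
            and role_permits(roles[a["role"]], action)]


def diagnose(body, assignments, roles):
    """Parse the error and report which assignments (if any) should have allowed it."""
    info = parse_authorization_failed(body)
    grants = evaluate(assignments, roles, info["object_id"], info["action"], info["scope"])
    info["granted_by"] = [a["role"] + " @ " + a["scope"] for a in grants]
    return info


if __name__ == "__main__":
    result = diagnose(ERROR_BODY, ASSIGNMENTS, ROLES)
    print("principal:", result["object_id"], "action:", result["action"])
    print("granted by:", result["granted_by"] or "nothing: denial is consistent")
```

If the object ID in the error is granted by your assignments, as in the sample data, a missing role is not the explanation: confirm that the provider authenticated as that principal (the `client_id`, `tenant_id` and `subscription_id` in the provider block or the corresponding `ARM_*` environment variables) against the same tenant and subscription the CLI session used, since the Azure CLI keeps its own token cache separate from Terraform's login. The `X-Ms-Failure-Cause: gateway` header in the debug output indicates the rejection came from ARM's authorization check rather than from the Private DNS resource provider. If the object ID is one you never assigned, Terraform is simply running as a different identity than the `az` session that succeeded.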

neil-yechenwei commented 2 months ago

Thanks for raising this issue. It seems I can't reproduce this issue with the tf config below. Could you try the tf config below to see if the issue still exists? Thanks.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-pdnsar-test01"
  location = "westeurope"
}

resource "azurerm_private_dns_zone" "test" {
  name                = "acctestzonetest01.com"
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_private_dns_a_record" "test" {
  name                = "myarecordtest01"
  resource_group_name = azurerm_resource_group.test.name
  zone_name           = azurerm_private_dns_zone.test.name
  ttl                 = 3600
  records             = ["1.2.3.4"]
}