Tags are not applying to azurerm_private_dns_zone

[johnwildes]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.23

• provider.azurerm v2.1.0
• provider.random v2.2.1

Affected Resource(s)

azurerm_private_dns_zone

Terraform Configuration Files

locals {
  location = var.location
  region = var.region[var.location]
  env = var.env_code[var.env]
  common_tags = {
    "nt:TLA" = var.tla
    "nt:CostCenter" = var.costCenter
    "nt:BusinessUnit" = var.businessUnit
    "nt:Environment" = title(var.env)
  }
  prefix = "${local.region}-${var.tla}-${local.env}-"

  # Private DNS Zones needed for PrivateLink
  zones = {
    SQL = "private.database.windows.net"
    KV = "private.vaultcore.azure.net"
    ACR = "privatelink.azurecr.io"
    BLOB = "privatelink.blob.core.windows.net"
    TABLE = "privatelink.table.core.windows.net"
    QUEUE =  "privatelink.queue.core.windows.net"
    FILE = "privatelink.file.core.windows.net"
    WEB = "privatelink.web.core.windows.net"
    DFS = "privatelink.dfs.core.windows.net"
    COSMOS_SQL = "privatelink.documents.azure.com"
  }
}

### Private Link DNS Zones
### https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview

resource "azurerm_private_dns_zone" "privatelink" {
  for_each = local.zones
  name                = each.value
  resource_group_name = azurerm_resource_group.sandbox.name
  tags = local.common_tags
}

resource "azurerm_private_dns_zone_virtual_network_link" "privatelink" {
  for_each = local.zones
  name                  = "PL_${each.key}"
  resource_group_name   = azurerm_resource_group.sandbox.name
  private_dns_zone_name = azurerm_private_dns_zone.privatelink[each.key].name
  virtual_network_id    = azurerm_virtual_network.sandbox.id

  lifecycle {
    ignore_changes = [
      name
    ]
  }
}

Debug Output

NO Panic was created, no crash.log created, no debug output to attach

Terraform Plan Ouptut (Reduced for clarity, only showing one resource)

 # azurerm_private_dns_zone.privatelink["WEB"] will be updated in-place
  ~ resource "azurerm_private_dns_zone" "privatelink" {
        id                                                    = "/subscriptions/58be4214-863c-4205-867e-689e155cb3ce/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net"
        max_number_of_record_sets                             = 25000
        max_number_of_virtual_network_links                   = 1000
        max_number_of_virtual_network_links_with_registration = 100
        name                                                  = "privatelink.web.core.windows.net"
        number_of_record_sets                                 = 1
        resource_group_name                                   = "cus-azr-z-rg"
      ~ tags                                                  = {
          + "nt:BusinessUnit" = "INFR"
          + "nt:CostCenter"   = "0888"
          + "nt:Environment"  = "Sandbox"
          + "nt:TLA"          = "AZR"
        }
    }

You can see from the plan output above that it is trying to add tags to the resource. cd

Terraform Apply Output

azurerm_private_dns_zone.privatelink["DFS"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.dfs.core.windows.net]
azurerm_private_dns_zone.privatelink["BLOB"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net]
azurerm_private_dns_zone.privatelink["COSMOS_SQL"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com]
azurerm_private_dns_zone.privatelink["KV"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/private.vaultcore.azure.net]
azurerm_private_dns_zone.privatelink["TABLE"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net]
azurerm_private_dns_zone.privatelink["WEB"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net]
azurerm_private_dns_zone.privatelink["SQL"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/private.database.windows.net]
azurerm_private_dns_zone.privatelink["ACR"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io]
azurerm_private_dns_zone.privatelink["FILE"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net]
azurerm_private_dns_zone.privatelink["QUEUE"]: Modifying... [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net]
azurerm_private_dns_zone.privatelink["DFS"]: Still modifying... [id=/subscriptions/subID-...Zones/privatelink.dfs.core.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["BLOB"]: Still modifying... [id=/subscriptions/subID-...ones/privatelink.blob.core.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["COSMOS_SQL"]: Still modifying... [id=/subscriptions/subID-...sZones/privatelink.documents.azure.com, 10s elapsed]
azurerm_private_dns_zone.privatelink["KV"]: Still modifying... [id=/subscriptions/subID-...teDnsZones/private.vaultcore.azure.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["TABLE"]: Still modifying... [id=/subscriptions/subID-...nes/privatelink.table.core.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["WEB"]: Still modifying... [id=/subscriptions/subID-...Zones/privatelink.web.core.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["SQL"]: Still modifying... [id=/subscriptions/subID-...eDnsZones/private.database.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["ACR"]: Still modifying... [id=/subscriptions/subID-...privateDnsZones/privatelink.azurecr.io, 10s elapsed]
azurerm_private_dns_zone.privatelink["FILE"]: Still modifying... [id=/subscriptions/subID-...ones/privatelink.file.core.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["QUEUE"]: Still modifying... [id=/subscriptions/subID-...nes/privatelink.queue.core.windows.net, 10s elapsed]
azurerm_private_dns_zone.privatelink["BLOB"]: Still modifying... [id=/subscriptions/subID-...ones/privatelink.blob.core.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["DFS"]: Still modifying... [id=/subscriptions/subID-...Zones/privatelink.dfs.core.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["COSMOS_SQL"]: Still modifying... [id=/subscriptions/subID-...sZones/privatelink.documents.azure.com, 20s elapsed]
azurerm_private_dns_zone.privatelink["WEB"]: Still modifying... [id=/subscriptions/subID-...Zones/privatelink.web.core.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["TABLE"]: Still modifying... [id=/subscriptions/subID-...nes/privatelink.table.core.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["KV"]: Still modifying... [id=/subscriptions/subID-...teDnsZones/private.vaultcore.azure.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["ACR"]: Still modifying... [id=/subscriptions/subID-...privateDnsZones/privatelink.azurecr.io, 20s elapsed]
azurerm_private_dns_zone.privatelink["SQL"]: Still modifying... [id=/subscriptions/subID-...eDnsZones/private.database.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["FILE"]: Still modifying... [id=/subscriptions/subID-...ones/privatelink.file.core.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["QUEUE"]: Still modifying... [id=/subscriptions/subID-...nes/privatelink.queue.core.windows.net, 20s elapsed]
azurerm_private_dns_zone.privatelink["DFS"]: Still modifying... [id=/subscriptions/subID-...Zones/privatelink.dfs.core.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["BLOB"]: Still modifying... [id=/subscriptions/subID-...ones/privatelink.blob.core.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["COSMOS_SQL"]: Still modifying... [id=/subscriptions/subID-...sZones/privatelink.documents.azure.com, 30s elapsed]
azurerm_private_dns_zone.privatelink["KV"]: Still modifying... [id=/subscriptions/subID-...teDnsZones/private.vaultcore.azure.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["WEB"]: Still modifying... [id=/subscriptions/subID-...Zones/privatelink.web.core.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["TABLE"]: Still modifying... [id=/subscriptions/subID-...nes/privatelink.table.core.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["ACR"]: Still modifying... [id=/subscriptions/subID-...privateDnsZones/privatelink.azurecr.io, 30s elapsed]
azurerm_private_dns_zone.privatelink["SQL"]: Still modifying... [id=/subscriptions/subID-...eDnsZones/private.database.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["FILE"]: Still modifying... [id=/subscriptions/subID-...ones/privatelink.file.core.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["QUEUE"]: Still modifying... [id=/subscriptions/subID-...nes/privatelink.queue.core.windows.net, 30s elapsed]
azurerm_private_dns_zone.privatelink["QUEUE"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net] 
azurerm_private_dns_zone.privatelink["BLOB"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net]   
azurerm_private_dns_zone.privatelink["WEB"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net]     
azurerm_private_dns_zone.privatelink["SQL"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/private.database.windows.net]
azurerm_private_dns_zone.privatelink["KV"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/private.vaultcore.azure.net]
azurerm_private_dns_zone.privatelink["DFS"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.dfs.core.windows.net]     
azurerm_private_dns_zone.privatelink["ACR"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io]
azurerm_private_dns_zone.privatelink["COSMOS_SQL"]: Modifications complete after 32s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com]
azurerm_private_dns_zone.privatelink["TABLE"]: Modifications complete after 33s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net] 
azurerm_private_dns_zone.privatelink["FILE"]: Modifications complete after 33s [id=/subscriptions/subID/resourceGroups/cus-azr-z-rg/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net]   

Apply complete! Resources: 0 added, 10 changed, 0 destroyed.

Expected Behavior

Tags should be applied after terraform apply is run.

Actual Behavior

Tags are not applied, but no error is displayed. TF Apply completes normally but the resource has no tags

Steps to Reproduce

1. terraform apply
2. Review Plan to see that tags are added to the resource
3. Review output of apply to see that there are no errors, and that resources are changed
4. Run terraform apply and see that azurerm_private_dns_zone will apply tags again.

Important Factoids

Nothing significant about this environment

References

[njuCZ]

it seems an issue of azure api that tags will be omitted when the key contains :

[johnwildes]

In this deployment, the tags are being applied to other resources within this deployment, including the : within the tag name. It's only these azurerm_private_dns_zone resources that the tags are not applying on.

Are you saying it's the Azure API for the private dns zone resource that is not applying tags with : ?

[akonrath]

I was able to replicate this, and it does seem to involve the ':'. For example, adding a tag of '"key:1" = "value"' works for the azurerm_resource_group resource, but not for azurerm_private_dns_zone resource. This can also be verified through the Azure UI and it actually hangs when trying to add a tag with a ':' to a private DNS zone.

[namratasuresh]

I am looking do something similar to this. Add tags to DNS Zones with ":" Is there any way to achieve this?

[tombuildsstuff]

@njuCZ since this appears to be an API bug, can you raise an API issue to track this?

[frankcavazos]

We have noticed this issue as well when the key contains a space.

For example:

      "Data Classification" = "Internal Use Only"
      "Maintenance Window"  = "None"

Those show up in our Terraform plan to be added each time, but they are never added to the resource.

[AmudaPalani]

We noticed this issue when tag key contains a space, show up in Terraform plan to be added each time, but they are never getting added to the resource. We see this issue for following resources:

azurerm_dns_a_record azurerm_dns_ns_record azurerm_dns_txt_record azurerm_dns_zone

[glenn-arter]

Experiencing this issue on private DNS zone and Virtual network links where a space in the name prevents the tag from applying.

[alexs77]

With hashicorp/azurerm v3.8.0, tags where the name does NOT contain a space work just fine, also for these DNS resources. With spaces, there are issues. Not only with azurerm_dns_*, but also elsewhere.

Because of this, we changed to using _ (underscore) instead of (space). Not nice, but that's what's working for us.

[b0bu]

Any update on this? I also require tags that contain colon namespacing.

[matt-byrne]

This still appears to be an issue as of 3.64.0 and in addition to the above resource types, also seems to affect azurerm_private_dns_zone_virtual_network_link.

[b0bu]

Also appears to be the case with vm extensions, at least for arc enabled resources.

[Speeddymon]

I'm seeing what I suspect is a symptom of this due to Azure Policy and my organization's tagging requirements -- I'm unable to create a private AKS cluster because the tags from the cluster are not making it to the azure-managed virtual network link resource and the policy is preventing that link from being created which fails the cluster creation.

My tags names have hyphens instead of spaces or colons, but some of my tag values do have spaces. The previous comments have indicated spaces and colons in the name are problematic, so it would be helpful for me and anyone else seeing my issue if anyone could confirm the below:

• Can you replicate the issue with hyphens in the tag name?
• Can you replicate the issue with spaces in the tag value?

Thanks in advance

[Speeddymon]

We opened a support case with MS for this and they advised that my issue is due to a lack of support to pass the same tags from the parent onto the child, on their end. They said the support should come in the February 2024 releases. For now, we excluded the network link resources from the tagging policy.

[pierrehar]

Hi,

Any update on this? I also require tags that contain colon namespacing into private DNS Zone.

Thanks,

[dastrobu]

I can confirm that the issue still persists. Tags with colons or spaces are not working.