azurerm_dns_zone: ability to add a resolution_virtual_network_id

[davidwneary]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently there does not appear to be a way to add a virtual network to an existing private dns zone's list of resolution_virtual_network_ids.

Use case

I have a different terraform plan for each of the different areas of our infrastructure, e.g. shared, staging, production.

In the plan for the shared infrastructure, I create a private DNS zone, mycompany.local.

In the plans for production or staging, I want to add the virtual networks I create to that DNS zone's resolution_virtual_network_ids when running terraform apply and I want to remove them from the ids when running terraform destroy

New or Affected Resource(s)

Existing

• azurerm_dns_zone
• azurerm_virtual_network

New

• azurerm_dns_zone_resolution_vnet

Potential Terraform Configuration

The first option to come to mind is this:

resource "azurerm_dns_zone" "private_dns_zone" {
  name                = "mycompany.local"
  resource_group_name = "shared-rg"
  zone_type           = "Private"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "my-vnet"
  address_space       = "10.0.0.0/8"
  location            = "uksouth"
  resource_group_name = "production-rg"
}

resource "azurerm_dns_zone_resolution_vnet" "test" {
  dns_zone_name                 = "${azurerm_dns_zone.private_dns_zone.name}"
  dns_zone_resource_group_name  = "${azurerm_dns_zone.private_dns_zone.resource_group_name}"
  virtual_network_id            = "${azurerm_virtual_network.vnet.id}"
}

An issue with that is that, from the docs:

The virtual network must be completely empty the first time you link it to a private zone as a registration or resolution virtual network. However, the virtual network can then be non-empty for future linking as a registration or resolution virtual network, to other private zones.

Following the above approach would likely lead to a lot of depends_on in order to ensure other resources weren't added to the vnet created before the dns zone was updated.

Perhaps a way around this would be to add a private_dns_zone_name property to azurerm_virtual_network instead?

I'm relatively new to terraform so please holler if this is nonsense. Thanks!

References

• Azure docs

[davidwneary]

Any thoughts on this. I'm open to creating a PR myself but would like some feedback on what the correct approach would be before starting on it

[mhennecke]

Private DNS zones are in public preview. According to the respective FAQ, the limitation that a vNet must be empty will be lifted once the service is GA. Maybe this helps!?

[tombuildsstuff]

hey @davidwneary @mhennecke

Thanks for opening this issue - apologies for the delayed response here!

Taking a look into this support for this was added in #1404 - but during the preview period this has been moved into the separate Private DNS Zone resource which has a Virtual Network Link resource. As such for the moment this is available in the azurerm_dns_zone resource but will also be available in the split out resource, which is being added in #3789 - would you mind subscribing to that for updates?

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!