0

i have following code to create private endpoint, and if provided, will be associated with a private dns zone as well, however, the private endpoint is crated ignoring private dns zone value I entered, treat it as Null resource. I'm not sure what went wrong inside the dynamic block

resource "azurerm_private_endpoint" "this" {
  name                = join("", [lookup(var.service_subresource_map, "name"), "-pvt-endpoint"])
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = data.azurerm_subnet.endpoint_subnet.id
  tags                = var.tags

  private_service_connection {
    name                           = join("", [lookup(var.service_subresource_map, "name"), "-pvt-endpoint-conn"])
    private_connection_resource_id = lookup(var.service_subresource_map, "resource_id")
    subresource_names              = [lookup(var.service_subresource_map, "subresource_name")]
    is_manual_connection           = false
  }

  dynamic "private_dns_zone_group" {
    for_each = var.private_dns_zone_group[*]

    content {
      name                 = private_dns_zone_group.value.name
      private_dns_zone_ids = private_dns_zone_group.value.private_dns_zone_ids
    }
  }

the value I provided in private_dns_zone_group is this

private_dns_zone_group = {
    name = "private-dns-zone-group"
    private_dns_zone_ids = [
      "/subscriptions/xxx/resourceGroups/rogertest/providers/Microsoft.Network/privateDnsZones/example.com",
    ]
  }

and variable is as following

variable "private_dns_zone_group" {
 
  type = object({
    name                 = string
    private_dns_zone_ids = list(string)
  })
  default = null
}

everything is deployed without error except for private dns zone association

if I replace dynamic block with simple block like this

private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [
      "/subscriptions/xxx/resourceGroups/rogertest/providers/Microsoft.Network/privateDnsZones/example.com",
    ]
  }

then it works.

Roger Chen
  • 233
  • 3
  • 15

2 Answers2

1

Depending on your service , if you want to use Private Endpoint then you will have to properly name as per the naming convention for the Private DNS Zones which can referred from this Microsoft Documentation . For example , If you are creating Private Endpoint for App Service, Storage and SQL , then your Private DNS Group will have Id's of Zones with names : ['privatelink.azurewebsites.net','privatelink.blob.core.windows.net','privatelink.database.windows.net'].

I tested the same for only app service by using your code :

.tfvars

private_dns_zone_group = {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [
      "/subscriptions/xxxxx/resourceGroups/xxxxx/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
    ]
}

Main.tf

provider "azurerm" {
  features{}
}

variable "private_dns_zone_group" {
 
  type = object({
    name                 = string
    private_dns_zone_ids = list(string)
  })
  default = null
}
data "azurerm_subnet" "endpoint_subnet" {
  name                 = "default"
  virtual_network_name = "ansuman-vnet"
  resource_group_name  = "xxxxxx"
}

resource "azurerm_private_endpoint" "this" {
  name                = "appservice-pvt-endpoint"
  location            = "west us 2"
  resource_group_name = data.azurerm_subnet.endpoint_subnet.resource_group_name
  subnet_id           = data.azurerm_subnet.endpoint_subnet.id

  private_service_connection {
    name                           =  "appservice-pvt-endpoint-conn"
    private_connection_resource_id = "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.Web/sites/ansumantestapp"
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  dynamic "private_dns_zone_group" {
    for_each = var.private_dns_zone_group[*]

    content {
      name                 = private_dns_zone_group.value.name
      private_dns_zone_ids = private_dns_zone_group.value.private_dns_zone_ids
    }
  }
}

Output:

enter image description here

enter image description here

Note:

  • Please make sure you have the latest versions of Azurerm Provider and Terraform .

  • If you are still getting the error then try removing the default argument from the Private DNS group variable block:

    variable "private_dns_zone_group" {

  type = object({
    name                 = string
    private_dns_zone_ids = list(string)
  })
  default = null ## remove this argument
}
Ansuman Bal
  • 9,705
  • 2
  • 10
  • 27
  • Hi @AnsumanBal-MT, thanks for that, What I'm trying to do is use a pre-created, existing private dns zone, so not using default name for this resource. Also, I tried taken off null default value, now it complains that " no definition is found", so almost like it can not read that particular tfvar value... – Roger Chen Jan 31 '22 at 21:40
0

Finally found out the reason.. I put resource "azurerm_private_endpoint" "this" as a module, when I'm calling the module, I forgot to include private_dns_zone_group = var.private_dns_zone_group

so of course, it's always missing the tfvar value.... always something so simple...

Roger Chen
  • 233
  • 3
  • 15