
Support for DNS Private Resolver #16956

Closed
1 task done
mlcooper opened this issue May 25, 2022 · 25 comments

Comments

@mlcooper

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Support for DNS Private Resolver which "enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers"

New or Affected Resource(s)/Data Source(s)

azurerm_dns_private_resolver, azurerm_dns_private_resolver_endpoint, azurerm_dns_private_resolver_ruleset

Potential Terraform Configuration

resource "azurerm_dns_private_resolver" "pvt" {
  resource_group_name = "rg_infra"
  instance_name       = "pvt-resolver-01"
  region              = "westus3"
  virtual_network_id  = "<vnet_id>"

  tags = {}
}

resource "azurerm_dns_private_resolver_endpoint" "endpoint" {
  private_resolver = azurerm_dns_private_resolver.pvt.id
  endpoint_name    = "outbound_endpoint_01"
  direction        = "Outbound" # or "Inbound"
  subnet_id        = "<subnet_id>"
}

resource "azurerm_dns_private_resolver_ruleset" "ruleset" {
  ruleset_name = "ruleset01"
  endpoint     = azurerm_dns_private_resolver_endpoint.endpoint.id

  rule {
    rule_name    = "rule01"
    domain_name  = "contoso.com."
    rule_enabled = true # or false

    destination_and_port = [
      {
        ip   = "192.168.2.18"
        port = 53
      },
      {
        ip   = "192.168.2.19"
        port = 53
      }
    ]
  }
}

References

No response

@omonnig

omonnig commented May 25, 2022

This project uses the azapi. Have not tested yet. Could REALLY use this feature on current project.
https://github.com/namitjagtiani/terraform-azure-private-dns-resolver-azapi

@jmswick

jmswick commented Jun 15, 2022

When assigning an Azure DNS Private Resolver to a subnet via the Azure portal, the following subnet delegation is added to the subnet it's put in:

  delegation {
    name = "Microsoft.Network.dnsResolvers"
    service_delegation {
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
      name    = "Microsoft.Network/dnsResolvers"
    }
  }

However, as reported in #12466, Microsoft.Network/dnsResolvers is not in the validation list.

@mykolakobzar
Contributor

Hi, the problem with specific delegation has been fixed #17574

@M0dj0

M0dj0 commented Aug 12, 2022

Hi, I am really interested in a fast implementation to deploy the Private DNS Resolver via Terraform with supported resources.

@omonnig

omonnig commented Aug 12, 2022

Sadly, I had to implement using null_resource blocks wrapping CLI commands. Had attempted to use azapi first, but that did not handle the 'destroy' use case well.

Also note, starting roughly 8/1, Azure implemented charges for this service. They billed the monthly rate on an hourly basis (730x). They have admitted a global bug, but the issue is still unresolved.

@omerzubair

> Sadly, I had to implement using null_resource blocks wrapping CLI commands. Had attempted to use azapi first, but that did not handle the 'destroy' use case well.
>
> Also note, starting roughly 8/1, Azure implemented charges for this service. They billed the monthly rate on an hourly basis (730x). They have admitted a global bug, but the issue is still unresolved.

Hi @omonnig , Can you share your implementation in Terraform please? Cheers

@ms-henglu
Contributor

I'm working on this feature.

@onenessboy

@ms-henglu can you please share a working example of how to set up this private DNS resolver with Terraform azapi?

@floryut

floryut commented Sep 19, 2022

> @ms-henglu can you please share a working example of how to set up this private DNS resolver with Terraform azapi?

https://github.com/namitjagtiani/terraform-azure-private-dns-resolver-azapi
you have one here, working pretty fine, in my setup.

@onenessboy

onenessboy commented Sep 19, 2022

> @ms-henglu can you please share a working example of how to set up this private DNS resolver with Terraform azapi?
>
> https://github.com/namitjagtiani/terraform-azure-private-dns-resolver-azapi you have one here, working pretty fine, in my setup.

@floryut I have seen that. Did you face the issues mentioned in the README (gotchas) of that repo, like the second apply failing? Did you hit the same issue when you re-ran terraform apply?

@ms-henglu
Contributor

Hi @onenessboy - There's an azapi example which is a slightly modified version of https://github.com/namitjagtiani/terraform-azure-private-dns-resolver-azapi. I guess the issues mentioned in the read.me are now fixed in the stable api-version.

I'm working on supporting this feature in azurerm provider.

@onenessboy

> Hi @onenessboy - There's an azapi example which is a slightly modified version of https://github.com/namitjagtiani/terraform-azure-private-dns-resolver-azapi. I guess the issues mentioned in the read.me are now fixed in the stable api-version.
>
> I'm working on supporting this feature in azurerm provider.

Sure @ms-henglu, I will look at the other example you mentioned, but again I am eagerly waiting for the azurerm version. Thanks again.

@desweil

desweil commented Oct 20, 2022

> Hi @onenessboy - There's an azapi example which is a slightly modified version of https://github.com/namitjagtiani/terraform-azure-private-dns-resolver-azapi. I guess the issues mentioned in the read.me are now fixed in the stable api-version.
>
> I'm working on supporting this feature in azurerm provider.

@ms-henglu Will this new resource only create the resolver itself? What about the inbound/outbound endpoints, the Forwarding Ruleset, the Forwarding Rules and the Ruleset DNS links?

@ms-henglu
Contributor

Hi @desweil , there'll be 5 more PRs to support these resources, I'll submit them after the first one is merged.

@plasma-tech

Hi @ms-henglu , thanks for your work in getting this released!

Is it possible to specify more than one IP for target_dns_servers ? It is not clear from the documentation.

@ms-henglu
Contributor

Hi @plasma-tech,

> Is it possible to specify more than one IP for target_dns_servers ?

Yes

@yaench

yaench commented Nov 7, 2022

> Hi @ms-henglu , thanks for your work in getting this released!
>
> Is it possible to specify more than one IP for target_dns_servers ? It is not clear from the documentation.

Hi @plasma-tech - you can add multiple blocks of target_dns_servers

  target_dns_servers {
    ip_address = "10.10.0.1"
    port       = 53
  }
  target_dns_servers {
    ip_address = "10.10.0.2"
    port       = 53
  }

But I agree, the documentation was not clear to me either. I expected the block name to be target_dns_server and then having multiple blocks of it. Like subnet as part of azurerm_virtual_network, where the documentation specifies "Can be specified multiple times to define multiple subnets".

Anyway - thanks @ms-henglu for your work to get this released!
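A complete hub-side chain that ties together the subnet delegation jmswick shows, the resource set desweil asks about, and the repeated target_dns_servers blocks yaench describes, as an added example that is not code from anyone in this thread. It assumes azurerm_resource_group.hub and azurerm_virtual_network.hub already exist in the configuration; the subnet prefix, domain and target IPs are constructed placeholders, and the resource and argument names are those of the released azurerm provider resources (check the registry docs for your provider version).

```hcl
resource "azurerm_subnet" "outbound" {
  name                 = "snet-dns-outbound"            # constructed name
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.1.0/28"]                # constructed prefix
  delegation {                                          # delegation the portal adds
    name = "Microsoft.Network.dnsResolvers"
    service_delegation {
      name    = "Microsoft.Network/dnsResolvers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

resource "azurerm_private_dns_resolver" "hub" {
  name                = "pdr-hub"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  virtual_network_id  = azurerm_virtual_network.hub.id
}

resource "azurerm_private_dns_resolver_outbound_endpoint" "hub" {
  name                    = "pdr-hub-outbound"
  private_dns_resolver_id = azurerm_private_dns_resolver.hub.id
  location                = azurerm_resource_group.hub.location
  subnet_id               = azurerm_subnet.outbound.id   # must carry the delegation above
}

resource "azurerm_private_dns_resolver_dns_forwarding_ruleset" "hub" {
  name                                       = "ruleset-hub"
  resource_group_name                        = azurerm_resource_group.hub.name
  location                                   = azurerm_resource_group.hub.location
  private_dns_resolver_outbound_endpoint_ids = [azurerm_private_dns_resolver_outbound_endpoint.hub.id]
}

# One forwarding rule, several target_dns_servers blocks (one per forwarder)
resource "azurerm_private_dns_resolver_forwarding_rule" "contoso" {
  name                      = "contoso"
  dns_forwarding_ruleset_id = azurerm_private_dns_resolver_dns_forwarding_ruleset.hub.id
  domain_name               = "contoso.com."            # trailing dot: fully qualified
  enabled                   = true
  target_dns_servers {
    ip_address = "10.10.0.1"                            # constructed forwarder IPs
    port       = 53
  }
  target_dns_servers {
    ip_address = "10.10.0.2"
    port       = 53
  }
}
```

Spokes that should use the rules are attached with azurerm_private_dns_resolver_virtual_network_link pointing at the same ruleset id, which is what the later hub-versus-spoke discussion in this thread is about.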

@ms-henglu
Contributor

Thanks @yaench and @plasma-tech - I opened this PR to address the document issue: https://github.com/hashicorp/terraform-provider-azurerm/pull/19167/files :)

@yaench

yaench commented Nov 7, 2022

> Thanks @yaench and @plasma-tech - I opened this PR to address the document issue: https://github.com/hashicorp/terraform-provider-azurerm/pull/19167/files :)

I was actually talking about the "azurerm_private_dns_resolver_forwarding_rule" resource and the argument "target_dns_servers" here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_forwarding_rule#target_dns_servers

@Joerg-L

Joerg-L commented Dec 15, 2022

On documentation, there is nothing related to "data"

Is that not implemented right now or just not documented?

@aristosvo
Collaborator

@Joerg-L there are not data sources implemented yet, what are you looking for?

@Joerg-L

Joerg-L commented Dec 25, 2022

Thanks @aristosvo

We have separate configurations for the Hub and the different spokes.
The first plan was that the vnet link to the rule set would be established from the spoke.

But as no data object is available, we have now changed the setup so that the links are all managed in the Hub configuration.

@aristosvo
Collaborator

As all resources are implemented as data sources as well, I think it is time to close this issue.

For other resources within this category a separate issue makes more sense.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 23, 2023