Description
Is there an existing issue for this?
- I have searched the existing issues
Greenfield/Brownfield provisioning
greenfield
Terraform Version
1.12.1
Module Version
11.0
AzureRM Provider Version
4.48.0
Affected Resource(s)/Data Source(s)
azurerm_kubernetes_cluster
Terraform Configuration Files
module "aks" {
# ... other required variables ...
private_cluster_enabled = true
private_dns_zone_id = null
}
tfvars variables values
Debug Output/Panic Output
Error: creating Kubernetes Cluster (Subscription: "<SUBSCRIPTION_ID>"
│ Resource Group Name: "<RG_NAME>"
│ Kubernetes Cluster Name: "<AKS_NAME>"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
│
│ Status: "RequestDisallowedByPolicy"
│ Code: "RequestDisallowedByPolicy"
│ Message: "Create or update private dns zone failed. Subscription: <SUBSCRIPTION_ID>; resource group: <MC_RG_NAME>; private dns zone: <GUID>.privatelink.<REGION>.azmk8s.io. Resource '<GUID>.privatelink.<REGION>.azmk8s.io' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"<POLICY_ASSIGNMENT_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_PATH>/providers/Microsoft.Authorization/policyAssignments/<POLICY_ASSIGNMENT_NAME>\"},\"policyDefinition\":{\"name\":\"<POLICY_DEFINITION_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_ROOT>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_DEFINITION_NAME>\",\"version\":\"<POLICY_VERSION>\"}}]'.\nResource '<GUID>.privatelink.<REGION>.azmk8s.io' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"<POLICY_ASSIGNMENT_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_PATH>/providers/Microsoft.Authorization/policyAssignments/<POLICY_ASSIGNMENT_NAME>\"},\"policyDefinition\":{\"name\":\"<POLICY_DEFINITION_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_ROOT>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_DEFINITION_NAME>\",\"version\":\"<POLICY_VERSION>\"}}]'."
│ Activity Id: ""
│
│ ---
│
│ API Response:
│
│ ----[start]----
│ {
│ "name": "<OPERATION_ID>",
│ "status": "Failed",
│ "startTime": "<START_TIME_ISO8601>",
│ "endTime": "<END_TIME_ISO8601>",
│ "error": {
│ "code": "RequestDisallowedByPolicy",
│ "message": "Create or update private dns zone failed. Subscription: <SUBSCRIPTION_ID>; resource group: <MC_RG_NAME>; private dns zone: <GUID>.privatelink.<REGION>.azmk8s.io. Resource '<GUID>.privatelink.<REGION>.azmk8s.io' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"<POLICY_ASSIGNMENT_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_PATH>/providers/Microsoft.Authorization/policyAssignments/<POLICY_ASSIGNMENT_NAME>\"},\"policyDefinition\":{\"name\":\"<POLICY_DEFINITION_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_ROOT>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_DEFINITION_NAME>\",\"version\":\"<POLICY_VERSION>\"}}]'.",
│ "details": [
│ {
│ "code": "RequestDisallowedByPolicy",
│ "message": "Resource '<GUID>.privatelink.<REGION>.azmk8s.io' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"<POLICY_ASSIGNMENT_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_PATH>/providers/Microsoft.Authorization/policyAssignments/<POLICY_ASSIGNMENT_NAME>\"},\"policyDefinition\":{\"name\":\"<POLICY_DEFINITION_NAME>\",\"id\":\"/providers/Microsoft.Management/managementGroups/<MGMT_GROUP_ROOT>/providers/Microsoft.Authorization/policyDefinitions/<POLICY_DEFINITION_NAME>\",\"version\":\"<POLICY_VERSION>\"}}]'.",
│ "target": "<GUID>.privatelink.<REGION>.azmk8s.io"
│ }
│ ]
│ }
│ }
│ -----[end]-----
│
│
│ with module.aks.azurerm_kubernetes_cluster.main,
│ on .terraform/modules/aks/main.tf line 13, in resource "azurerm_kubernetes_cluster" "main":
│ 13: resource "azurerm_kubernetes_cluster" "main" {
│
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.
Expected Behaviour
Be able to set private_dns_zone_id = "None" and let the provider configure AKS accordingly, without the module creating/managing any Private DNS Zone.
Actual Behaviour
The module prevents using private_dns_zone_id = "None" even though the azurerm_kubernetes_cluster resource officially supports it. In my environment, the Landing Zone policies forbid creating/managing Private DNS Zones from workloads. I must therefore not delegate a zone to AKS and not create one via Terraform—exactly what the "None" value enables at the provider level.
Provider reference:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster
private_dns_zone_id – (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
The module includes a precondition that only accepts null or specific private zone name formats; the string literal "None" is rejected:
precondition {
  condition     = var.private_dns_zone_id == null ? true : (anytrue([for r in local.valid_private_dns_zone_regexs : try(regex(r, local.private_dns_zone_name) == local.private_dns_zone_name, false)]))
  error_message = "According to the document, the private DNS zone must be in one of the following format: privatelink.<region>.azmk8s.io, <subzone>.privatelink.<region>.azmk8s.io, private.<region>.azmk8s.io, <subzone>.private.<region>.azmk8s.io"
}
Additionally, when set to null, the module still attempts to create/attach a Private DNS Zone, which is disallowed by our Landing Zone policies.
Steps to Reproduce
No response
Important Factoids
No response
References
No response
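As an added example, not the module's code and not part of the issue above, here is what a precondition that accepts the provider's sentinel values could look like: null, "None" and "System" are passed straight through to azurerm_kubernetes_cluster, and only a real resource ID is checked against the zone-name formats listed in the module's error message. The variable description, the helper locals, the resource values and the regex patterns are assumptions modelled on the precondition quoted in the issue, not copied from the module.

```hcl
# Added example, not the terraform-azurerm-aks module's code. The sentinel list,
# the helper locals and the regex patterns are assumptions modelled on the
# precondition quoted in this issue, not copied from the module.

variable "private_dns_zone_id" {
  type        = string
  default     = null
  description = "null or \"System\" to let AKS manage the zone, \"None\" to bring your own DNS, or the resource ID of a pre-created private DNS zone."
}

locals {
  # Provider-level sentinel values: not resource IDs, so they must bypass the name check.
  private_dns_zone_sentinels = ["None", "System"]

  # Work with a plain string so none of the function calls below receive null.
  private_dns_zone_id_str      = var.private_dns_zone_id == null ? "" : var.private_dns_zone_id
  private_dns_zone_is_sentinel = contains(local.private_dns_zone_sentinels, local.private_dns_zone_id_str)

  # The zone name is the last segment of the resource ID. For "" or a sentinel this
  # yields a string with no "/" in it, which simply fails the regex checks below.
  private_dns_zone_name = element(
    split("/", local.private_dns_zone_id_str),
    length(split("/", local.private_dns_zone_id_str)) - 1
  )

  # Assumed anchored patterns for the four zone-name formats named in the module's
  # error message (RE2 syntax, which is what Terraform's regex() uses).
  valid_private_dns_zone_regexs = [
    "^privatelink\\.[a-z0-9]+\\.azmk8s\\.io$",
    "^[a-zA-Z0-9-]{1,32}\\.privatelink\\.[a-z0-9]+\\.azmk8s\\.io$",
    "^private\\.[a-z0-9]+\\.azmk8s\\.io$",
    "^[a-zA-Z0-9-]{1,32}\\.private\\.[a-z0-9]+\\.azmk8s\\.io$",
  ]

  # can(regex(...)) is false when the pattern does not match, so no try() is needed.
  private_dns_zone_name_valid = anytrue([
    for r in local.valid_private_dns_zone_regexs : can(regex(r, local.private_dns_zone_name))
  ])
}

resource "azurerm_kubernetes_cluster" "main" {
  name                = "aks-example" # assumed values
  location            = "westeurope"
  resource_group_name = "rg-example"
  dns_prefix          = "aks-example"

  private_cluster_enabled = true
  # null, "System", "None" or a zone ID are all handed to the provider unchanged.
  private_dns_zone_id = var.private_dns_zone_id

  default_node_pool {
    name       = "system"
    vm_size    = "Standard_D2s_v3"
    node_count = 1
  }

  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    precondition {
      condition     = var.private_dns_zone_id == null || local.private_dns_zone_is_sentinel || local.private_dns_zone_name_valid
      error_message = "private_dns_zone_id must be null, \"None\", \"System\" or the ID of a zone named privatelink.<region>.azmk8s.io, <subzone>.privatelink.<region>.azmk8s.io, private.<region>.azmk8s.io or <subzone>.private.<region>.azmk8s.io."
    }
  }
}
```

With "None", AKS registers the API server's private FQDN nowhere, so the caveat from the provider documentation applies: the nodes and every client on the network must resolve the private endpoint through DNS you operate, or the cluster will be unhealthy after provisioning. Where a landing-zone policy blocks zone creation from workloads, the other compliant route is to have the platform team pre-create the zone in a resource group the policy permits and pass its ID; AKS documents that this requires the cluster identity to hold the Private DNS Zone Contributor role on that zone, so a SystemAssigned identity as in the example would then need to be replaced by a user-assigned one granted that role before the cluster is created.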