Unable to reference data block for azurerm_private_dns_zone: "Parent resource '...' not found"

[fcatacut]

I'm trying to use a data-block to retrieve an existing Private DNS zone so that it can be referenced when creating additional resources, such as azurerm_private_dns_zone_virtual_network_link and azurerm_private_dns_a_record.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.29

• provider.azurerm v2.21.0

Affected Resource(s)

• azurerm_private_dns_zone

Terraform Configuration Files

provider "azurerm" {
  features {}
}

data "azurerm_private_dns_zone" "example" {
  name                = "privatelink.documents.azure.com"
  resource_group_name = "<change me>"
}

resource "azurerm_resource_group" "example" {
  name     = "myrg"
  location = "eastus"
}

resource "azurerm_virtual_network" "example" {
  name                = "myvnet"
  resource_group_name = azurerm_resource_group.example.name
  location            = "eastus"
  address_space       = ["10.0.0.0/20"]
}

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "myvnetlink"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = data.azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

output "data_private_dns_zone" {
  value = data.azurerm_private_dns_zone.example
}

Debug Output

https://gist.github.com/fcatacut/59b3005ef022f629502d8f6d6cc4ce41

Panic Output

Expected Behavior

azurerm_private_dns_zone_virtual_network_link should be successfully created.

Actual Behavior

Error: error creating/updating Private DNS Zone Virtual network link "myvnetlink" (Resource Group "myrg"): privatedns.VirtualNetworkLinksClient#CreateOrUpdate: Failure sending request: StatusCode=404 -- Original Error: Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'privatelink.documents.azure.com' not found."

  on main.tf line 22, in resource "azurerm_private_dns_zone_virtual_network_link" "example":
  22: resource "azurerm_private_dns_zone_virtual_network_link" "example" {

Steps to Reproduce

1. Create a Private DNS zone. For the sample code, privatelink.documents.azure.com is used.
2. Update the 2 <change me> references to the Name of the Resource Group containing the Private DNS zone.
3. terraform apply

Important Factoids

Commenting out the azurerm_private_dns_zone_virtual_network_link resource block yields the expected output:

Outputs:

data_private_dns_zone = {
  "id" = "/subscriptions/.../resourceGroups/.../providers/Microsoft.Network/privateDnsZones/..."
  "max_number_of_record_sets" = 25000
  "max_number_of_virtual_network_links" = 1000
  "max_number_of_virtual_network_links_with_registration" = 100
  "name" = "privatelink.documents.azure.com"
  "number_of_record_sets" = 3
  "resource_group_name" = "<change me>"
  "tags" = {}
}

[neil-yechenwei]

@fcatacut, thanks for opening this issue. After investigated, I suspect you are using incorrect resource group name while creating private dns zone virtual network link. You have to use the resource group where the Private DNS Zone exists while creating vnet link. I think it's just a document issue. So I made a fix for it.

Sample code:

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  ....
  resource_group_name   = <The resource group where the Private DNS Zone exists>
  ....
}

[fcatacut]

I suspect you are using incorrect resource group name while creating private dns zone virtual network link.

As noted in Step 2 of the "Steps to Reproduce" section, <change me> should be changed to the resource group name where the Private DNS Zone was created. I verified that I was referencing the correct resource group name by commenting out the azurerm_private_dns_zone_virtual_network_link resource block which results in the output that contains the attributes retrieved by the data block used to retrieve the Private DNS Zone.

[neil-yechenwei]

@fcatacut, I assume below repro steps is the same with what you described above, right? If yes, could you have a try below my tfconfig which is similar with yours to check whether the issue still exists since I cannot repro this issue with below tfconfig? Thanks.

1. First apply:

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "dnszone-test01"
  location = "eastus"
}

resource "azurerm_private_dns_zone" "test" {
  name                = "privatelink.documents.azure.com"
  resource_group_name = azurerm_resource_group.test.name
}

Result:

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

2. Second apply:

provider "azurerm" {
  features {}
}

data "azurerm_private_dns_zone" "example" {
  name                = "privatelink.documents.azure.com"
  resource_group_name = "dnszone-test01"
}

resource "azurerm_resource_group" "example" {
  name     = "dnszone-test02"
  location = "eastus"
}

resource "azurerm_virtual_network" "example" {
  name                = "myvnettest01"
  resource_group_name = azurerm_resource_group.example.name
  location            = "eastus"
  address_space       = ["10.0.0.0/20"]
}

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "myvnetlinktest01"
  resource_group_name   = "dnszone-test01"
  private_dns_zone_name = data.azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

output "data_private_dns_zone" {
  value = data.azurerm_private_dns_zone.example
}

Result:

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

data_private_dns_zone = {
  "id" = "/subscriptions/xx-xx-xx-xx/resourceGroups/dnszone-test01/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com"
  "max_number_of_record_sets" = 25000
  "max_number_of_virtual_network_links" = 1000
  "max_number_of_virtual_network_links_with_registration" = 100
  "name" = "privatelink.documents.azure.com"
  "number_of_record_sets" = 1
  "resource_group_name" = "dnszone-test01"
  "tags" = {}
}

[fcatacut]

For #2, replace the azurerm_private_dns_zone_virtual_network_link resource block with below so that the resource is in the same resource group as the VNet.

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "myvnetlinktest01"
  resource_group_name   = "dnszone-test02"
  private_dns_zone_name = data.azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

[fcatacut]

Sorry, long morning. I finally realized what you pointed out in your initial response. The link has to be in the same resource group as the Private DNS Zone.

[neil-yechenwei]

Yes. That’s right. You got my point.

[ghost]

This has been released in version 2.22.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.22.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!