fixes hashicorp#6571

* Fixed requiresImport test case

* Progress exposing dns zone groups

* Work thus far redesign

* Progress thus far

* Progress

* Change data structure

* Close mostly working now

* Remove old resources

* Code complete needs docs and tests

* Add docs and example

* Added Tests and updated docs

* Fix Lint Errors

* Update azurerm/internal/services/network/parse/private_endpoint.go

Co-authored-by: Tom Harvey <[email protected]>

* Update azurerm/internal/services/network/private_endpoint_resource.go

Co-authored-by: Tom Harvey <[email protected]>

* Update azurerm/internal/services/network/private_endpoint_resource.go

Co-authored-by: Tom Harvey <[email protected]>

* Changes per PR

* Fix lint error

* Requested changes per PR comment

Co-authored-by: Tom Harvey <[email protected]>

Author: WodansSon

azurerm/internal/services/network/client/client.go

@@ -42,6 +42,7 @@ type Client struct {
 	VpnServerConfigurationsClient        *network.VpnServerConfigurationsClient
 	WatcherClient                        *network.WatchersClient
 	WebApplicationFirewallPoliciesClient *network.WebApplicationFirewallPoliciesClient
+	PrivateDnsZoneGroupClient            *network.PrivateDNSZoneGroupsClient
 	PrivateLinkServiceClient             *network.PrivateLinkServicesClient
 }
 
@@ -112,6 +113,9 @@ func NewClient(o *common.ClientOptions) *Client {
 	PublicIPPrefixesClient := network.NewPublicIPPrefixesClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
 	o.ConfigureClient(&PublicIPPrefixesClient.Client, o.ResourceManagerAuthorizer)
 
+	PrivateDnsZoneGroupClient := network.NewPrivateDNSZoneGroupsClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
+	o.ConfigureClient(&PrivateDnsZoneGroupClient.Client, o.ResourceManagerAuthorizer)
+
 	PrivateLinkServiceClient := network.NewPrivateLinkServicesClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
 	o.ConfigureClient(&PrivateLinkServiceClient.Client, o.ResourceManagerAuthorizer)
 
@@ -194,6 +198,7 @@ func NewClient(o *common.ClientOptions) *Client {
 		VpnServerConfigurationsClient:        &vpnServerConfigurationsClient,
 		WatcherClient:                        &WatcherClient,
 		WebApplicationFirewallPoliciesClient: &WebApplicationFirewallPoliciesClient,
+		PrivateDnsZoneGroupClient:            &PrivateDnsZoneGroupClient,
 		PrivateLinkServiceClient:             &PrivateLinkServiceClient,
 	}
 }

azurerm/internal/services/network/parse/private_endpoint.go

@@ -0,0 +1,117 @@
+package parse
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+)
+
+type NameResourceGroup struct {
+	ResourceGroup string
+	Name          string
+	ID            string
+}
+
+func PrivateDnsZoneGroupResourceID(input string) (*NameResourceGroup, error) {
+	if len(strings.TrimSpace(input)) == 0 {
+		return nil, fmt.Errorf("unable to parse Private DNS Zone Group ID %q: input is empty", input)
+	}
+
+	id, err := azure.ParseAzureResourceID(input)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse Private DNS Zone Group ID %q: %+v", input, err)
+	}
+
+	privateDnsZoneGroup := NameResourceGroup{
+		ResourceGroup: id.ResourceGroup,
+	}
+
+	if privateDnsZoneGroup.Name, err = id.PopSegment("privateDnsZoneGroups"); err != nil {
+		return nil, err
+	}
+
+	if privateDnsZoneGroup.ID = input; err != nil {
+		return nil, err
+	}
+
+	return &privateDnsZoneGroup, nil
+}
+
+func PrivateDnsZoneResourceIDs(input []interface{}) (*[]NameResourceGroup, error) {
+	results := make([]NameResourceGroup, 0)
+
+	for _, item := range input {
+		v := item.(string)
+
+		if privateDnsZone, err := PrivateDnsZoneResourceID(v); err != nil {
+			return nil, fmt.Errorf("unable to parse Private DNS Zone ID %q: %+v", v, err)
+		} else {
+			results = append(results, *privateDnsZone)
+		}
+	}
+
+	return &results, nil
+}
+
+func PrivateDnsZoneResourceID(input string) (*NameResourceGroup, error) {
+	if len(strings.TrimSpace(input)) == 0 {
+		return nil, fmt.Errorf("unable to parse Private DNS Zone ID %q: input is empty", input)
+	}
+
+	id, err := azure.ParseAzureResourceID(input)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse Private DNS Zone ID %q: %+v", input, err)
+	}
+
+	privateDnsZone := NameResourceGroup{
+		ResourceGroup: id.ResourceGroup,
+	}
+
+	if privateDnsZone.Name, err = id.PopSegment("privateDnsZones"); err != nil {
+		return nil, err
+	}
+
+	if privateDnsZone.ID = input; err != nil {
+		return nil, err
+	}
+
+	return &privateDnsZone, nil
+}
+
+func PrivateEndpointResourceID(input string) (*NameResourceGroup, error) {
+	id, err := azure.ParseAzureResourceID(input)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse Private Endpoint ID %q: %+v", input, err)
+	}
+
+	privateEndpoint := NameResourceGroup{
+		ResourceGroup: id.ResourceGroup,
+	}
+
+	if privateEndpoint.Name, err = id.PopSegment("privateEndpoints"); err != nil {
+		return nil, err
+	}
+
+	if privateEndpoint.ID = input; err != nil {
+		return nil, err
+	}
+
+	return &privateEndpoint, nil
+}
+
+func ValidatePrivateDnsZoneResourceID(i interface{}, k string) (warnings []string, errors []error) {
+	v, ok := i.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected type of %q to be string", k))
+		return
+	}
+
+	if id, err := azure.ParseAzureResourceID(v); err != nil {
+		errors = append(errors, fmt.Errorf("Can not parse %q as a resource id: %v", k, err))
+	} else if _, err = id.PopSegment("privateDnsZones"); err != nil {
+		errors = append(errors, fmt.Errorf("Can not parse %q as a private dns zone resource id: %v", k, err))
+	}
+
+	return warnings, errors
+}

azurerm/internal/services/network/private_endpoint_resource.go

@@ -351,8 +351,8 @@ func testAccAzureRMPrivateLinkService_requiresImport(data acceptance.TestData) s
 
 resource "azurerm_private_link_service" "import" {
   name                = azurerm_private_link_service.test.name
-  location            = azurerm_private_link_service.test.location
-  resource_group_name = azurerm_private_link_service.test.name
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
 
   nat_ip_configuration {
     name      = "primaryIpConfiguration-%d"

azurerm/internal/services/network/tests/private_endpoint_resource_test.go

@@ -0,0 +1,32 @@
+package privatedns
+
+import (
+	"fmt"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate"
+)
+
+func ValidatePrivateDnsZoneGroupName(i interface{}, k string) (_ []string, errors []error) {
+	v, ok := i.(string)
+	if !ok {
+		return nil, append(errors, fmt.Errorf("expected type of %s to be string", k))
+	}
+
+	// The name attribute rules per the Nat Gateway service team are (Friday, October 18, 2019 4:20 PM):
+	// 1. Must not be empty.
+	// 2. Must be between 1 and 80 characters.
+	// 3. The attribute must:
+	//    a) begin with a letter or number
+	//    b) end with a letter, number or underscore
+	//    c) may contain only letters, numbers, underscores, periods, or hyphens.
+
+	if len(v) == 1 {
+		if m, _ := validate.RegExHelper(i, k, `^([a-zA-Z\d])`); !m {
+			errors = append(errors, fmt.Errorf("%s must begin with a letter or number", k))
+		}
+	} else if m, _ := validate.RegExHelper(i, k, `^([a-zA-Z\d])([a-zA-Z\d-\_\.]{0,78})([a-zA-Z\d\_])$`); !m {
+		errors = append(errors, fmt.Errorf("%s must be between 1 - 80 characters long, begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, periods, hyphens or underscores", k))
+	}
+
+	return nil, errors
+}

azurerm/internal/services/network/tests/private_link_service_resource_test.go

@@ -0,0 +1,9 @@
+## Example: Private Endpoint
+
+This example provisions a Private Endpoint which connects to a Private Link Service within Azure.
+
+### Variables
+
+* `prefix` - (Required) The prefix used for all resources in this example.
+
+* `location` - (Required) The Azure Region in which all resources in this example should be created.

azurerm/internal/services/privatedns/validate.go

@@ -0,0 +1,66 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-resources"
+  location = "${var.location}"
+}
+
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.prefix}-vnet"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "endpoint" {
+  name                 = "endpoint"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefix       = "10.0.2.0/24"
+
+  enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_private_dns_zone" "example" {
+  name                = "privatelink.postgres.database.azure.com"
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_postgresql_server" "example" {
+  name                = "${var.prefix}-postgresql"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  sku_name = "GP_Gen5_4"
+
+  storage_mb                   = 5120
+  backup_retention_days        = 7
+  geo_redundant_backup_enabled = false
+  auto_grow_enabled            = true
+
+  administrator_login          = "psqladminun"
+  administrator_login_password = "H@Sh1CoR3!"
+  version                      = "9.5"
+  ssl_enforcement_enabled      = true
+}
+
+resource "azurerm_private_endpoint" "example" {
+  name                 = "${var.prefix}-pe"
+  location             = azurerm_resource_group.example.location
+  resource_group_name  = azurerm_resource_group.example.name
+  subnet_id            = azurerm_subnet.endpoint.id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
+  }
+
+  private_service_connection {
+    name                           = "tfex-postgresql-connection"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_postgresql_server.example.id
+    subresource_names              = ["postgresqlServer"]
+  }
+}

examples/private-endpoint/private-dns-group/README.md

@@ -0,0 +1,7 @@
+variable "prefix" {
+  description = "The Prefix used for all resources in this example"
+}
+
+variable "location" {
+  description = "The Azure Region in which all resources in this example should be created."
+}

examples/private-endpoint/private-dns-group/main.tf

@@ -29,6 +29,8 @@ The following arguments are supported:
 
 * `name` - (Required) The name of the Private DNS Zone. Must be a valid domain name.
 
+-> **NOTE:** If you are going to be using the Private DNS Zone with a Private Endpoint the name of the Private DNS Zone must follow the **Private DNS Zone name** schema in the [product documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder) in order for the two resources to be connected successfully.
+
 * `resource_group_name` - (Required) Specifies the resource group where the resource exists. Changing this forces a new resource to be created.
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.

examples/private-endpoint/private-dns-group/variables.tf

@@ -109,12 +109,22 @@ The following arguments are supported:
 
 * `subnet_id` - (Required) The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. Changing this forces a new resource to be created.
 
+* `private_dns_zone_group` - (Optional) A `private_dns_zone_group` block as defined below.
+
 * `private_service_connection` - (Required) A `private_service_connection` block as defined below.
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
 ---
 
+A `private_dns_zone_group` supports the following:
+
+* `name` - (Required) Specifies the Name of the Private Service Connection. Changing this forces the a new `private_dns_zone_group` to be created.
+
+* `private_dns_zone_ids` - (Required) Specifies the list of Private DNS Zones to include within the `private_dns_zone_group`.
+
+---
+
 A `private_service_connection` supports the following:
 
 * `name` - (Required) Specifies the Name of the Private Service Connection. Changing this forces a new resource to be created.
@@ -151,11 +161,58 @@ The following attributes are exported:
 
 * `id` - The ID of the Private Endpoint.
 
+---
+
+A `private_dns_zone_group` block exports:
+
+* `id` - The ID of the Private DNS Zone Group.
+
+---
+
+A `custom_dns_configs` block exports:
+
+* `fqdn` - The fully qualified domain name to the `private_endpoint`.
+
+* `ip_addresses` - A list of all IP Addresses that map to the `private_endpoint` fqdn.
+
+-> **NOTE:** If a Private DNS Zone Group has been defined and is currently connected correctly this block will be empty.
+
+---
+
+A `private_dns_zone_configs` block exports:
+
+* `name` - The name of the Private DNS Zone that the config belongs to.
+
+* `id` - The ID of the Private DNS Zone Config.
+
+* `private_dns_zone_id` - A list of IP Addresses
+
+* `record_sets` - A `record_sets` block as defined below.
+
+---
+
+A `record_sets` block exports:
+
+* `name` - The name of the Private DNS Zone that the config belongs to.
+
+* `type` - The type of DNS record.
+
+* `fqdn` - The fully qualified domain name to the `private_dns_zone`.
+
+* `ttl` - The time to live for each connection to the `private_dns_zone`.
+
+* `ip_addresses` - A list of all IP Addresses that map to the `private_dns_zone` fqdn.
+
+-> **NOTE:** If a Private DNS Zone Group has not been configured correctly the `record_sets` attibutes will be empty.
+
+---
+
 ## Example HCL Configurations
 
 * How to connect a `Private Endpoint` to a [Cosmos MongoDB](https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/private-endpoint/cosmos-db)
 * How to connect a `Private Endpoint` to a [PostgreSQL Server](https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/private-endpoint/postgresql)
 * How to connect a `Private Endpoint` to a [Private Link Service](https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/private-endpoint/private-link-service)
+* How to connect a `Private Endpoint` to a [Private DNS Group](https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/private-endpoint/private-dns-group)
 
 ## Timeouts