The following TF code was used to create an Azure Key Vault, assign it a Private Endpoint and add an A record to InfoBlox:
main.tf
module "key_vault_qa_01" {
  source  = "app.terraform.io/Molina-Cloud/azure-key-vault/azurerm"
  version = "1.0.0"

  key_vault_name          = var.enso_kv_name_01
  keyvault_sku            = var.enso_kv_sku_01
  resource_group_name     = data.azurerm_resource_group.RG-key_vault_qa.name
  resource_group_location = data.azurerm_resource_group.RG-key_vault_qa.location
  :
  tenant_id               = data.azurerm_user_assigned_identity.kv-uami-key_vault_qa.tenant_id
  :
}

module "privateendpoint-kv-sc-kv-enso-qa-01" {
  source  = "app.terraform.io/Molina-Cloud/privateendpoint/azurerm"
  version = "1.0.5"

  resource_group_name     = data.azurerm_resource_group.RG-key_vault_qa.name
  resource_group_location = data.azurerm_resource_group.RG-key_vault_qa.location
  resource_name           = var.enso_kv_name_01
  resource_id             = module.key_vault_qa_01.key_vault_id
  subresource_names       = ["vault"]
  :
  subnet_id               = data.azurerm_subnet.Node-SNET-DC10AKSSTG.id
  private_dns_zone_ids    = [data.azurerm_private_dns_zone.key-vault-private-dns-zone.id]
  private_dns_zone_name   = data.azurerm_private_dns_zone.key-vault-private-dns-zone.name
  :
}

module "DNSRecord-kv-sc-kv-enso-qa-01" {
  source  = "app.terraform.io/Molina-Cloud/dns-record/infoblox"
  version = "1.0.1"

  fqdn_name  = "${var.enso_kv_name_01}.vault.azure.net" #==> "sc-kv-enso-qa-02"
  ip_address = module.privateendpoint-kv-sc-kv-enso-qa-01.private-ip
}
requirements.tf
data "azurerm_private_dns_zone" "key-vault-private-dns-zone" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = "ussc-non-prod-apps-vnet"
}

data "azurerm_resource_group" "RG-key_vault_qa" {
  name = var.resource_group_name # <=== why no "location"?
}
• Unsure if the A record was correctly added
• Initially, NSLOOKUP sc-kv-enso-qa-02.vault.azure.net resolved to a Public IP Address. Public access was enabled.
• We did not troubleshoot why it was NOT resolving to a Public IP but noticed that there was no A record in InfoBlox for KV
• We proceeded to manually add the A record to InfoBlox
• NSLOOKUP resolved to the newly added private IP after the manually added A record
• However, we now are having issues with running the existing TF code which consistently fails with:
│ Error: failed getting A-record: WAPI request error: 404('404 Not Found')
│ Contents:
│ { "Error": "AdmConDataNotFoundError: Reference record:a/ZG5zLmJpbmRfYSQuX2RlZmF1bHQubmV0LmF6dXJlLnZhdWx0LHNjLWt2LWVuc28tcWEtMDIsMTAuMjM5Ljk5LjEy:sc-kv-enso-qa-02.vault.azure.net/default not found",
│ "code": "Client.Ibap.Data.NotFound",
│ "text": "Reference record:a/ZG5zLmJpbmRfYSQuX2RlZmF1bHQubmV0LmF6dXJlLnZhdWx0LHNjLWt2LWVuc28tcWEtMDIsMTAuMjM5Ljk5LjEy:sc-kv-enso-qa-02.vault.azure.net/default not found"
│ }
│
│
│ with module.DNSRecord-kv-sc-kv-enso-qa-01.infoblox_a_record.a-record,
│ on .terraform/modules/DNSRecord-kv-sc-kv-enso-qa-01/main.tf line 1, in resource "infoblox_a_record" "a-record":
│ 1: resource "infoblox_a_record" "a-record" {
│
╵
Operation failed: failed running terraform plan (exit 1)
• Doesn’t matter if we uncomment the PrivateEndpoint or DNS Record module – still fails with same error
InfoBlox shows the A record. So it seems the record is there.
Tfstate file shows:
{
  "module": "module.DNSRecord-kv-sc-kv-enso-qa-01",
  "mode": "managed",
  "type": "infoblox_a_record",
  "name": "a-record",
  "provider": "provider[\"registry.terraform.io/infobloxopen/infoblox\"]",
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "cidr": null,
        "comment": "",
        "dns_view": "default",
        "ext_attrs": null,
        "fqdn": "sc-kv-enso-qa-02.vault.azure.net",
        "id": "record:a/ZG5zLmJpbmRfYSQuX2RlZmF1bHQubmV0LmF6dXJlLnZhdWx0LHNjLWt2LWVuc28tcWEtMDIsMTAuMjM5Ljk5LjEy:sc-kv-enso-qa-02.vault.azure.net/default",
        "ip_addr": "10.239.99.12",
        "network_view": "default",
        "ttl": -2147483648
      },
      "sensitive_attributes": [],
      "private": "bnVsbA==",
      "dependencies": [
        "data.azurerm_private_dns_zone.key-vault-private-dns-zone",
        "data.azurerm_resource_group.RG-key_vault_qa",
        "data.azurerm_subnet.Node-SNET-DC10AKSSTG",
        "data.azurerm_user_assigned_identity.kv-uami-key_vault_qa",
        "data.azurerm_virtual_network.VNET-DC10AKSSTG",
        "module.key_vault_qa_01.azurerm_key_vault.sc-azure-keyvault",
        "module.privateendpoint-kv-sc-kv-enso-qa-01.azurerm_private_endpoint.private-endpoint"
      ]
    }
  ]
},
Unsure how this was added there.
This is TF Cloud. Using InfoBlox provider:
infoblox = {
  source  = "infobloxopen/infoblox"
  version = "2.3.0"
}
Need to understand how to resolve this issue. Seems the record is there – so why does TF keep failing to retrieve it? Do we need to manually delete the A record and run the TF code again? If so, why would it succeed when it appears to not do so initially?
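An added diagnostic, not from the post above and not part of the Infoblox provider: the `id` that Terraform stored for the A record is an Infoblox WAPI `_ref`, and the base64 segment of that ref encodes the object's identity (DNS view, zone, record name and IP). Decoding it shows exactly which object the 404 refers to, and recomputing the ref for the record that is actually present in Infoblox shows whether the two are the same object. The ref and attributes below are copied from the tfstate excerpt in the post; the internal key layout `dns.bind_a$.<view>.<reversed zone labels>,<name>,<ip>` is an assumption inferred from that decoded sample, as is the `_default` internal name for the `default` DNS view.

```python
import base64
from dataclasses import dataclass

# Constructed sample input: the ref and attributes copied from the tfstate
# excerpt in the post.
STATE_REF = (
    "record:a/ZG5zLmJpbmRfYSQuX2RlZmF1bHQubmV0LmF6dXJlLnZhdWx0LHNjLWt2LWVuc28tcWEtMDIsMTAuMjM5Ljk5LjEy"
    ":sc-kv-enso-qa-02.vault.azure.net/default"
)
STATE_ATTRS = {
    "fqdn": "sc-kv-enso-qa-02.vault.azure.net",
    "ip_addr": "10.239.99.12",
    "dns_view": "default",
}


@dataclass
class ARecordRef:
    obj_type: str       # e.g. "record:a"
    internal_view: str  # e.g. "_default"
    zone: str           # authoritative zone the record lives in
    name: str           # record name relative to that zone
    ip_addr: str
    fqdn: str           # as shown in the ref tail
    dns_view: str       # as shown in the ref tail


def parse_ref(ref: str) -> ARecordRef:
    """Decode an Infoblox WAPI _ref for an A record into its identity fields."""
    obj_type, rest = ref.split("/", 1)
    encoded, tail = rest.split(":", 1)
    fqdn, dns_view = tail.rsplit("/", 1)
    # WAPI omits base64 padding; restore it before decoding.
    key = base64.b64decode(encoded + "=" * (-len(encoded) % 4)).decode()
    # Internal key layout (assumption, matches the decoded sample):
    #   dns.bind_a$.<internal view>.<zone labels reversed>,<name>,<ip>
    path, name, ip_addr = key.split(",")
    prefix = "dns.bind_a$."
    if not path.startswith(prefix):
        raise ValueError(f"unexpected key layout: {key}")
    internal_view, reversed_zone = path[len(prefix):].split(".", 1)
    zone = ".".join(reversed(reversed_zone.split(".")))
    return ARecordRef(obj_type, internal_view, zone, name, ip_addr, fqdn, dns_view)


def build_ref(zone: str, name: str, ip_addr: str,
              dns_view: str = "default", internal_view: str = "_default") -> str:
    """Compute the ref Infoblox would assign to an A record with these identity fields.

    Use it with the zone/name/IP of the record you can see in the Infoblox UI and
    compare the result with the ref held in state: a different string means state
    points at a different (now absent) object, which is what a 404 on GET reports.
    """
    reversed_zone = ".".join(reversed(zone.split(".")))
    key = f"dns.bind_a$.{internal_view}.{reversed_zone},{name},{ip_addr}"
    encoded = base64.b64encode(key.encode()).decode().rstrip("=")
    return f"record:a/{encoded}:{name}.{zone}/{dns_view}"


def state_mismatches(ref: str, attrs: dict) -> list:
    """List disagreements between what the ref encodes and the attributes stored beside it."""
    parsed = parse_ref(ref)
    problems = []
    ref_fqdn = f"{parsed.name}.{parsed.zone}"
    if ref_fqdn != attrs["fqdn"]:
        problems.append(f"fqdn: ref encodes {ref_fqdn}, state has {attrs['fqdn']}")
    if parsed.ip_addr != attrs["ip_addr"]:
        problems.append(f"ip_addr: ref encodes {parsed.ip_addr}, state has {attrs['ip_addr']}")
    if parsed.dns_view != attrs["dns_view"]:
        problems.append(f"dns_view: ref encodes {parsed.dns_view}, state has {attrs['dns_view']}")
    return problems


if __name__ == "__main__":
    parsed = parse_ref(STATE_REF)
    print(f"state ref identifies: zone={parsed.zone} name={parsed.name} "
          f"ip={parsed.ip_addr} view={parsed.dns_view} ({parsed.internal_view})")
    print("ref/attribute mismatches:", state_mismatches(STATE_REF, STATE_ATTRS) or "none")
    # Hypothetical manual record placed in the parent zone instead of vault.azure.net:
    alt = build_ref("azure.net", "sc-kv-enso-qa-02.vault", "10.239.99.12")
    print("same object as state?", alt == STATE_REF)
```

For the values in the post, the decoded ref and the stored attributes agree, so the 404 says that Infoblox currently has no A record with exactly that identity (name `sc-kv-enso-qa-02` in zone `vault.azure.net`, view `default`, IP `10.239.99.12`). A record that looks the same in the UI but sits in a different zone, view or at a different IP yields a different ref, and the one in state then refers to an object that was deleted or never existed. In that situation the remediation is on the state side (`terraform state rm` on the stale address, followed by `terraform import` with the live record's ref if the provider version in use supports import for `infoblox_a_record`, or letting Terraform create the record afresh) rather than deleting the working record first.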