
[AVM Module Issue]: Unknown (privatelink) DNS zone upon Static Site creation. #4345

Open
1 task done
JarroVGIT opened this issue Jan 29, 2025 · 3 comments
Labels: Class: Resource Module 📦 (This is a resource module); Needs: Triage 🔍 (Maintainers need to triage still); Status: Response Overdue 🚩 (When an issue/PR has not been responded to for X amount of days); Type: AVM 🅰️ ✌️ Ⓜ️ (This is an AVM related issue); Type: Feature Request ➕ (New feature or request)

Comments

@JarroVGIT

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Feature Request

Module Name

avm/res/web/static-site

(Optional) Module Version

No response

Description

At present, Static WebApps are deployed under a random generated site identifier and the azurestaticapps.net suffix. This suffix can contain a partition ID, and you can have a URL like {identifier}.azurestaticapps.net or {identifier}.{partitionId}.azurestaticapps.net. This is documented in both Private Endpoint documentation as well as in the Static Web App documentation on using private endpoints.

The privatelink domains that you need to create a DNS record in also need to provide this partition id. So, if your app is located on {identifier}.4.azurestaticapps.net and you want to create a private endpoint, the corresponding A record must be created in the privatelink.4.azurestaticapps.net DNS zone.

The name of the private DNS zone is part of its resourceId. This resourceId is input of the private endpoint parameters of this module:

module staticSite 'br/public:avm/res/web/static-site:<version>' = {
  name: 'staticSiteDeployment'
  params: {
    name: 'mysite'
    privateEndpoints: [
      {
        privateDnsZoneGroup: {
          privateDnsZoneGroupConfigs: [
            {
              // must name the privatelink zone that matches the site's partition id
              privateDnsZoneResourceId: '<privateDnsZoneResourceId>'
            }
          ]
        }
        subnetResourceId: '<subnetResourceId>'
      }
    ]
  }
}

The privateDnsZoneResourceId can't be known. There are two solutions to this problem:

  1. Deploy twice: first without a private endpoint, see what domain partition id you are dealt, and add the endpoint with the correct privateDnsZoneResourceId later.
  2. Create a module that defines the static site resource and private endpoint separately, and use the output of the former to construct the privateDnsZoneResourceId later.

The second approach is (in my mind) generalizable across users.

The feature request is for the module to be able to amend the privateDnsZoneResourceId so it fixes the actual resource part.
So when one provides the following privateDnsZoneResourceId:

/subscriptions/{guid}/resourceGroups/{rg_name}/providers/Microsoft.Network/privateDnsZones/privatelink.azurestaticapps.net

the module could automatically amend the suffix by adding the {partitionId}. This information is retrievable by getting the DefaultHost property of the staticSite resource and replacing the identifier with privatelink. For example:

resource staticSite 'Microsoft.Web/staticSites@2021-03-01' = {
  name: name
  location: location
  sku: {
    name: sku
    tier: sku
  }
  properties: {
    // some properties
  }
}

// first label of the default hostname is the random site identifier,
// e.g. '{identifier}.4.azurestaticapps.net' -> '{identifier}'
var identifier = split(staticSite.properties.defaultHostname, '.')[0]
// swap the identifier for 'privatelink', keeping any partition id
var privateLinkZone = replace(staticSite.properties.defaultHostname, identifier, 'privatelink')

Then the variable privateLinkZone can be used and the private endpoint is correctly created.

Alternatives

Amending parameters in a nontransparent manner feels iffy. As alternative there could also be an additional boolean parameter on the privateEndpoints parameter that would steer this behavior.

I checked other implementations as well:

  • Azure Data Explorer, AKS, Batch, Container Apps (and probably others) have variable domain names, but only have {region} as part of the domain zone, which is predictable at deployment time.
  • SQL Managed Instance does have unpredictable elements in the domain zone for privatelink, but it is unclear how you can create a private endpoint through Bicep.

It seems that Azure Static WebApps is unique in this situation.

(Optional) Correlation Id

No response
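The derivation described in the issue above (take the default hostname, swap the site identifier for `privatelink`, keep any partition id, then build the private DNS zone resource ID) is easy to get subtly wrong, and a zone that is off by one partition label silently resolves to nothing over the private endpoint. The following is an added example, not code from the issue author or the AVM module: a small Python helper that derives the expected zone from a `defaultHostname`, builds the resource ID, and checks a caller-supplied `privateDnsZoneResourceId` against it, so the mismatch can be caught before (or right after) deployment. The hostnames, subscription ID and resource group below are constructed sample values; the zone is built from the hostname labels rather than a blanket string replace, so an identifier that happens to recur elsewhere in the name is never touched.

```python
"""Derive and validate the privatelink DNS zone for an Azure Static Web App.

Added example; hostnames and IDs are constructed samples, not real resources.
"""
import re

STATIC_APPS_SUFFIX = "azurestaticapps.net"

# Matches the last segment of a Microsoft.Network/privateDnsZones resource ID.
_ZONE_ID_RE = re.compile(
    r"/providers/Microsoft\.Network/privateDnsZones/([^/]+)$", re.IGNORECASE
)


def privatelink_zone(default_hostname: str) -> str:
    """Return the privatelink zone the site's A record must live in.

    '{id}.azurestaticapps.net'    -> 'privatelink.azurestaticapps.net'
    '{id}.4.azurestaticapps.net'  -> 'privatelink.4.azurestaticapps.net'
    """
    labels = default_hostname.strip().lower().rstrip(".").split(".")
    # Need at least identifier + 'azurestaticapps' + 'net'.
    if len(labels) < 3 or ".".join(labels[-2:]) != STATIC_APPS_SUFFIX:
        raise ValueError(f"not an {STATIC_APPS_SUFFIX} hostname: {default_hostname!r}")
    # Drop only the first label (the random site identifier); whatever sits
    # between it and the suffix (an optional partition id) is kept verbatim.
    return ".".join(["privatelink", *labels[1:]])


def privatelink_zone_resource_id(
    subscription_id: str, resource_group: str, default_hostname: str
) -> str:
    """Build the privateDnsZones resource ID for the zone the site needs."""
    zone = privatelink_zone(default_hostname)
    return (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Network/privateDnsZones/{zone}"
    )


def zone_name_from_resource_id(private_dns_zone_resource_id: str) -> str:
    """Extract the zone name from a privateDnsZones resource ID."""
    m = _ZONE_ID_RE.search(private_dns_zone_resource_id.strip())
    if not m:
        raise ValueError(
            f"not a privateDnsZones resource ID: {private_dns_zone_resource_id!r}"
        )
    return m.group(1).lower()


def zone_matches(private_dns_zone_resource_id: str, default_hostname: str) -> bool:
    """True when the supplied zone ID names exactly the zone the site needs.

    A mismatch (e.g. privatelink.azurestaticapps.net for a site that lives on
    partition 4) means the private endpoint's A record lands in the wrong zone.
    """
    try:
        supplied = zone_name_from_resource_id(private_dns_zone_resource_id)
    except ValueError:
        return False
    return supplied == privatelink_zone(default_hostname)


if __name__ == "__main__":
    # Constructed sample values.
    sub = "00000000-0000-0000-0000-000000000000"
    rg = "rg-swa-demo"
    for host in ("proud-sky-0abc12345.azurestaticapps.net",
                 "proud-sky-0abc12345.4.azurestaticapps.net"):
        print(host, "->", privatelink_zone_resource_id(sub, rg, host))
```

Run as a post-deployment check by feeding `az staticwebapp show --query defaultHostname` output into `zone_matches()` together with the `privateDnsZoneResourceId` you intend to pass to the module; if it returns `False`, the private endpoint will be created but name resolution through the private zone will not work.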

@JarroVGIT JarroVGIT added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Jan 29, 2025

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.


@JarroVGIT, thanks for submitting this issue for the avm/res/web/static-site module!

Important

A member of the @Azure/avm-res-web-staticsite-module-owners-bicep or @Azure/avm-res-web-staticsite-module-contributors-bicep team will review it soon!

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days label Feb 4, 2025