Update of azurerm_private_endpoint.private_dns_zone_group.private_dns_zone_ids must be re-created and not updated #27559

Open
1 task done
DevopsMercenary opened this issue Oct 3, 2024 · 0 comments

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.5

AzureRM Provider Version

4.3.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

Focusing on the one area for this issue.  I've experienced this in multiple versions of Terraform and the AzureRM provider.

This is the starting state...


```hcl
resource "azurerm_private_endpoint" "blob" {

    location                      = "eastus"
    name                          = "sa-blob"

    resource_group_name           = "service-sa"
    subnet_id                     = "..."

    private_service_connection {
        ...
    }

    private_dns_zone_group {
        name                 = "sa-blob"
        private_dns_zone_ids = [
            "/subscriptions/0f849332....privateDnsZones/privatelink.blob.core.windows.net",
        ]
    }

}
```

For example, I want to change the private_dns_zone_ids to a different subscription.

```hcl
resource "azurerm_private_endpoint" "blob" {

    location                      = "eastus"
    name                          = "sa-blob"

    resource_group_name           = "service-sa"
    subnet_id                     = "..."

    private_service_connection {
        ...
    }

    private_dns_zone_group {
        name                 = "sa-blob"
        private_dns_zone_ids = [
            "/subscriptions/8bfe5092....privateDnsZones/privatelink.blob.core.windows.net",
        ]
    }

}
```


### Debug Output/Panic Output

```shell
# azurerm_private_endpoint.blob will be updated in-place
  ~ resource "azurerm_private_endpoint" "blob" {
        id                            = "/subscriptions/8bfe5092...ivateEndpoints/service-sa-blob"
        name                          = "service-sa-blob"
        # (7 unchanged attributes hidden)

      ~ private_dns_zone_group {
            id                   = "/subscriptions/8bfe5092...privateDnsZoneGroups/service-sa-blob"
            name                 = "service-sa-blob"
          ~ private_dns_zone_ids = [
              ~ "/subscriptions/3d759fe3...icrosoft.Network/privateDnsZones/privatelink.blob.core.windows.net" -> "/subscriptions/0f849332...privateDnsZones/privatelink.blob.core.windows.net",
            ]
        }
        # (1 unchanged block hidden)
    }
```

### Expected Behaviour

I expected Terraform to perform an update in-place as it stated.

### Actual Behaviour

```
│ Error: creating Private Endpoint (Subscription: "8bfe5092-..."
│ Resource Group Name: "service-sa"
│ Private Endpoint Name: "service-sa-blob"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: UpdatingPrivateDnsZoneIdOnPrivateDnsZoneConfigNotAllowed: Updating private dns zone id from /subscriptions/3d759fe3.../privateDnsZones/privatelink.blob.core.windows.net to /subscriptions/0f849332...privateDnsZones/privatelink.blob.core.windows.net on private dns zone config /subscriptions/8bfe5092-...privateEndpoints/service-sa-blob/privateDnsZoneGroups/service-sa-blob/privateDnsZoneConfigs/privatelink.blob.core.windows.net not allowed.

│ with azurerm_private_endpoint.blob,
│ on private-endpoint.tf line 4, in resource "azurerm_private_endpoint" "blob":
│ 4: resource "azurerm_private_endpoint" "blob" {
```


### Steps to Reproduce

terraform apply

### Important Factoids

N/A

### References

_No response_
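
A pre-apply check for the failure reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a saved plan (`terraform show -json`) and flags every `azurerm_private_endpoint` planned as an in-place update whose `private_dns_zone_ids` differ. The sample plan, the `SUB-A`/`SUB-B` IDs and the `queue`/`table` addresses are constructed, and flagging any change to an existing group's ID list is a conservative assumption.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json <planfile>` output.
# SUB-A / SUB-B and the queue/table endpoints are placeholders, not values from the issue.
ZONE = "/subscriptions/%s/placeholder/privateDnsZones/privatelink.blob.core.windows.net"

def _change(address, actions, old_sub, new_sub):
    group = lambda sub: {"private_dns_zone_group": [
        {"name": "sa-blob", "private_dns_zone_ids": [ZONE % sub]}]}
    return {"address": address, "type": "azurerm_private_endpoint",
            "change": {"actions": actions, "before": group(old_sub), "after": group(new_sub)}}

SAMPLE_PLAN = {"resource_changes": [
    _change("azurerm_private_endpoint.blob", ["update"], "SUB-A", "SUB-B"),            # the issue's case
    _change("azurerm_private_endpoint.queue", ["delete", "create"], "SUB-A", "SUB-B"),  # replaced, not updated
    _change("azurerm_private_endpoint.table", ["update"], "SUB-A", "SUB-A"),            # IDs unchanged
]}

def zone_ids_by_group(state):
    """Map zone group name -> set of private DNS zone IDs for one side of a change."""
    groups = (state or {}).get("private_dns_zone_group") or []
    return {g.get("name"): set(g.get("private_dns_zone_ids") or []) for g in groups}

def risky_zone_id_updates(plan):
    """Return (address, group name) pairs where zone IDs change under an in-place update."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_private_endpoint" or change.get("actions") != ["update"]:
            continue
        before = zone_ids_by_group(change.get("before"))
        after = zone_ids_by_group(change.get("after"))
        # Same group name on both sides, different IDs: the update the API rejected above.
        for name in before.keys() & after.keys():
            if before[name] != after[name]:
                findings.append((rc["address"], name))
    return findings

if __name__ == "__main__":
    # Pass a file produced by `terraform show -json`, or run with no argument for the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = risky_zone_id_updates(plan)
    for address, group in hits:
        print(f"{address}: private_dns_zone_group {group!r} changes zone IDs in place")
    sys.exit(1 if hits else 0)
```

A non-zero exit lets a pipeline stop before `terraform apply` reaches the 400 response shown under Actual Behaviour.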