microsoft · Copilot · Nov 20, 2025 · Nov 20, 2025 · Nov 21, 2025 · Nov 21, 2025
@@ -34,6 +34,7 @@ BUG FIXES:
 * Fix deleted workspaces still accessible via URL - get_*_by_id methods now filter out deleted resources ([#4785](https://github.com/microsoft/AzureTRE/issues/4785))
 * Fix circular dependancy in base workspace. ([#4756](https://github.com/microsoft/AzureTRE/pull/4756))
 * Replaced deprecated `datetime.utcnow()` with `datetime.now(datetime.UTC)` in the API and airlock processor. ([#4743](https://github.com/microsoft/AzureTRE/issues/4743))
+* Fix workspace deletion failures due to AnotherOperationInProgress errors on AMPLS private endpoint ([#3194](https://github.com/microsoft/AzureTRE/issues/3194))
 * Updated error messages when publishing a template version that is lower than the existing version. ([#4685](https://github.com/microsoft/AzureTRE/issues/4685))
 * Disable public access on stweb storage account ([#4766](https://github.com/microsoft/AzureTRE/issues/4766))
 * Mark `auth_client_secret` variable as sensitive in terraform templates ([#4736](https://github.com/microsoft/AzureTRE/pull/4736))
@@ -51,6 +52,7 @@ BUG FIXES:
 * Fix duplicate `TOPIC_SUBSCRIPTION_NAME` in `core/terraform/airlock/airlock_processor.tf` ([#4847](https://github.com/microsoft/AzureTRE/pull/4847))
 
 COMPONENTS:
+* Bump workspace base template version to 2.7.2 ([#3194](https://github.com/microsoft/AzureTRE/issues/3194))
 
 | name | version |
 | ----- | ----- |

@@ -180,20 +180,60 @@ resource "azurerm_private_endpoint" "azure_monitor_private_endpoint" {
     is_manual_connection           = false
   }
 
-  private_dns_zone_group {
-    name = "azure-monitor-private-dns-zone-group"
-
-    private_dns_zone_ids = [
-      var.azure_monitor_dns_zone_id,
-      var.azure_monitor_oms_opinsights_dns_zone_id,
-      var.azure_monitor_ods_opinsights_dns_zone_id,
-      var.azure_monitor_agentsvc_dns_zone_id,
-      var.blob_core_dns_zone_id,
-    ]
+  depends_on = [
+    azurerm_monitor_private_link_scoped_service.ampls_app_insights,
+    azurerm_monitor_private_link_scoped_service.ampls_log_anaytics,
+  ]
+}
+
+# Separate DNS zone group using azapi to avoid AnotherOperationInProgress errors
+# See: https://github.com/hashicorp/terraform-provider-azurerm/issues/28715
+resource "azapi_resource" "azure_monitor_dns_zone_group" {
+  type      = "Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-11-01"
+  name      = "azure-monitor-private-dns-zone-group"
+  parent_id = azurerm_private_endpoint.azure_monitor_private_endpoint.id
+
+  body = {
+    properties = {
+      privateDnsZoneConfigs = [
+        {
+          name = "privatelink-monitor-azure-com"
+          properties = {
+            privateDnsZoneId = var.azure_monitor_dns_zone_id
+          }
+        },
+        {
+          name = "privatelink-oms-opinsights-azure-com"
+          properties = {
+            privateDnsZoneId = var.azure_monitor_oms_opinsights_dns_zone_id
+          }
+        },
+        {
+          name = "privatelink-ods-opinsights-azure-com"
+          properties = {
+            privateDnsZoneId = var.azure_monitor_ods_opinsights_dns_zone_id
+          }
+        },
+        {
+          name = "privatelink-agentsvc-azure-automation-net"
+          properties = {
+            privateDnsZoneId = var.azure_monitor_agentsvc_dns_zone_id
+          }
+        },
+        {
+          name = "privatelink-blob-core-windows-net"
+          properties = {
+            privateDnsZoneId = var.blob_core_dns_zone_id
+          }
+        }
+      ]
+    }
   }
 
+  response_export_values = ["id"]
+
   depends_on = [
-    azurerm_monitor_private_link_scoped_service.ampls_app_insights,
+    azurerm_private_endpoint.azure_monitor_private_endpoint,
   ]
 }
 

@@ -53,6 +53,7 @@ resource "azurerm_private_dns_zone" "azure_monitor_ods_opinsights" {
   name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.ods.opinsights.azure.com"]
   resource_group_name = var.ws_resource_group_name
   tags                = var.tre_workspace_tags
+
   lifecycle { ignore_changes = [tags] }
 }
 
@@ -63,13 +64,15 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azure_monitor_ods_opin
   private_dns_zone_name = azurerm_private_dns_zone.azure_monitor_ods_opinsights.name
   registration_enabled  = false
   tags                  = var.tre_workspace_tags
+
   lifecycle { ignore_changes = [tags] }
 }
 
 resource "azurerm_private_dns_zone" "azure_monitor_agentsvc" {
   name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.agentsvc.azure-automation.net"]
   resource_group_name = var.ws_resource_group_name
   tags                = var.tre_workspace_tags
+
   lifecycle { ignore_changes = [tags] }
 }
 
@@ -80,5 +83,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azure_monitor_agentsvc
   private_dns_zone_name = azurerm_private_dns_zone.azure_monitor_agentsvc.name
   registration_enabled  = false
   tags                  = var.tre_workspace_tags
+
   lifecycle { ignore_changes = [tags] }
 }