Handle Nexus private DNS zone replacement in Deploy TRE workflow

[Copilot]

What is being addressed

Deploy PR / Deploy TRE can fail during deploy-core when Terraform replaces the Nexus private DNS zone. Azure rejects deletion with 409 CannotDeleteResource if workspace-created virtualNetworkLinks still exist under that zone.

How is this addressed

• Terraform lifecycle behavior for Nexus DNS zone

  • Updated core/terraform/dns_zones_non_core.tf to allow deleting the zone with child links during replacement.
  • This prevents deployment failure when the Nexus zone must be recreated (for example, when its computed name changes with app gateway FQDN updates).

• Change applied

  resource "azurerm_private_dns_zone" "nexus" {
    name                = "nexus-${module.appgateway.app_gateway_fqdn}"
    resource_group_name = azurerm_resource_group.core.name
    force_destroy       = true
    tags                = local.tre_core_tags
  
    lifecycle { ignore_changes = [tags] }
  }

• Pending work

  • None identified for this fix.

• Documentation

  • No documentation updates required.

• CHANGELOG / template version

  • Not updated; no user-facing feature or template contract change.