Add existing private dns linking for vnet

README.md

@@ -1749,6 +1749,7 @@ Description: Configuration object for Private DNS Zones and their network links.
   - `vnetlinkname` - The name of the virtual network link.
   - `vnetid` - The resource ID of the virtual network to link.
   - `resolutionPolicy` - (Optional) The resolution policy for the virtual network link. Default is "Default".
+- `tags` - (Optional) Map of tags to assign to the Private DNS Zones.
 
 Type:
 
@@ -1761,6 +1762,7 @@ object({
       vnetid           = string
       resolutionPolicy = optional(string, "Default")
     })), {})
+    tags = optional(map(string))
   })
 ```
 
@@ -2041,6 +2043,12 @@ Source: Azure/avm-res-network-privatednszone/azurerm
 
 Version: 0.4.2
 
+### <a name="module_private_dns_zones_link"></a> [private\_dns\_zones\_link](#module\_private\_dns\_zones\_link)
+
+Source: Azure/avm-res-network-privatednszone/azurerm//modules/private_dns_virtual_network_link
+
+Version: 0.4.2
+
 ### <a name="module_search_service"></a> [search\_service](#module\_search\_service)
 
 Source: Azure/avm-res-search-searchservice/azurerm

locals.foundry.tf

@@ -8,34 +8,34 @@ locals {
         subnetArmId                = local.subnet_ids["AIFoundrySubnet"]
         useMicrosoftManagedNetwork = false
       }]
-      private_dns_zone_resource_ids = [
-        (var.flag_platform_landing_zone ? module.private_dns_zones.ai_foundry_openai_zone.resource_id : local.private_dns_zones_existing.ai_foundry_openai_zone.resource_id),
-        (var.flag_platform_landing_zone ? module.private_dns_zones.ai_foundry_ai_services_zone.resource_id : local.private_dns_zones_existing.ai_foundry_ai_services_zone.resource_id),
-        (var.flag_platform_landing_zone ? module.private_dns_zones.ai_foundry_cognitive_services_zone.resource_id : local.private_dns_zones_existing.ai_foundry_cognitive_services_zone.resource_id)
-      ]
+      private_dns_zone_resource_ids = compact([
+        local.private_dns_zone_resource_map.ai_foundry_openai_zone.id,
+        local.private_dns_zone_resource_map.ai_foundry_ai_services_zone.id,
+        local.private_dns_zone_resource_map.ai_foundry_cognitive_services_zone.id,
+      ])
     }
   )
   foundry_ai_search_definition = { for key, value in var.ai_foundry_definition.ai_search_definition : key => merge(
     var.ai_foundry_definition.ai_search_definition[key], {
-      private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones.ai_search_zone.resource_id : local.private_dns_zones_existing.ai_search_zone.resource_id
+      private_dns_zone_resource_id = local.private_dns_zone_resource_map.id,
     }
   ) }
   foundry_cosmosdb_definition = { for key, value in var.ai_foundry_definition.cosmosdb_definition : key => merge(
     var.ai_foundry_definition.cosmosdb_definition[key], {
-      private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones.cosmos_sql_zone.resource_id : local.private_dns_zones_existing.cosmos_sql_zone.resource_id
+      private_dns_zone_resource_id = local.private_dns_zone_resource_map.id,
     }
   ) }
   foundry_key_vault_definition = { for key, value in var.ai_foundry_definition.key_vault_definition : key => merge(
     var.ai_foundry_definition.key_vault_definition[key], {
-      private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones.key_vault_zone.resource_id : local.private_dns_zones_existing.key_vault_zone.resource_id
+      private_dns_zone_resource_id = local.private_dns_zone_resource_map.id,
     }
   ) }
   foundry_storage_account_definition = { for key, value in var.ai_foundry_definition.storage_account_definition : key => merge(
     var.ai_foundry_definition.storage_account_definition[key], {
       endpoints = {
         for ek, ev in value.endpoints :
         ek => {
-          private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones["storage_${lower(ek)}_zone"].resource_id : local.private_dns_zones_existing["storage_${lower(ek)}_zone"].resource_id
+          private_dns_zone_resource_id = local.private_dns_zone_resource_map["storage_${lower(ek)}_zone"].id,
           type                         = lower(ek)
         }
       }

locals.networking.tf

@@ -12,83 +12,49 @@ locals {
       vnetid            = local.vnet_resource_id
       autoregistration  = false
       resolution_policy = var.private_dns_zones.allow_internet_resolution_fallback == false ? "Default" : "NxDomainRedirect"
+      tags              = local.private_dns_zone_tags
     }
   }
   deployed_subnets = { for subnet_name, subnet in local.subnets : subnet_name => subnet if subnet.enabled }
   firewall_name    = try(var.firewall_definition.name, null) != null ? var.firewall_definition.name : (var.name_prefix != null ? "${var.name_prefix}-fw" : "ai-alz-fw")
+  # Private DNS zones names needed for Private Endpoints
   private_dns_zone_map = {
-    key_vault_zone = {
-      name = "privatelink.vaultcore.azure.net"
-    }
-    apim_zone = {
-      name = "privatelink.azure-api.net"
-    }
-    cosmos_sql_zone = {
-      name = "privatelink.documents.azure.com"
-    }
-    cosmos_mongo_zone = {
-      name = "privatelink.mongo.cosmos.azure.com"
-    }
-    cosmos_cassandra_zone = {
-      name = "privatelink.cassandra.cosmos.azure.com"
-    }
-    cosmos_gremlin_zone = {
-      name = "privatelink.gremlin.cosmos.azure.com"
-    }
-    cosmos_table_zone = {
-      name = "privatelink.table.cosmos.azure.com"
-    }
-    cosmos_analytical_zone = {
-      name = "privatelink.analytics.cosmos.azure.com"
-    }
-    cosmos_postgres_zone = {
-      name = "privatelink.postgres.cosmos.azure.com"
-    }
-    storage_blob_zone = {
-      name = "privatelink.blob.core.windows.net"
-    }
-    storage_queue_zone = {
-      name = "privatelink.queue.core.windows.net"
-    }
-    storage_table_zone = {
-      name = "privatelink.table.core.windows.net"
-    }
-    storage_file_zone = {
-      name = "privatelink.file.core.windows.net"
-    }
-    storage_dlfs_zone = {
-      name = "privatelink.dfs.core.windows.net"
-    }
-    storage_web_zone = {
-      name = "privatelink.web.core.windows.net"
-    }
-    ai_search_zone = {
-      name = "privatelink.search.windows.net"
-    }
-    container_registry_zone = {
-      name = "privatelink.azurecr.io"
-    }
-    app_configuration_zone = {
-      name = "privatelink.azconfig.io"
-    }
-    ai_foundry_openai_zone = {
-      name = "privatelink.openai.azure.com"
-    }
-    ai_foundry_ai_services_zone = {
-      name = "privatelink.services.ai.azure.com"
-    }
-    ai_foundry_cognitive_services_zone = {
-      name = "privatelink.cognitiveservices.azure.com"
-    }
+    key_vault_zone                     = "privatelink.vaultcore.azure.net"
+    apim_zone                          = "privatelink.azure-api.net"
+    cosmos_sql_zone                    = "privatelink.documents.azure.com"
+    cosmos_mongo_zone                  = "privatelink.mongo.cosmos.azure.com"
+    cosmos_cassandra_zone              = "privatelink.cassandra.cosmos.azure.com"
+    cosmos_gremlin_zone                = "privatelink.gremlin.cosmos.azure.com"
+    cosmos_table_zone                  = "privatelink.table.cosmos.azure.com"
+    cosmos_analytical_zone             = "privatelink.analytics.cosmos.azure.com"
+    cosmos_postgres_zone               = "privatelink.postgres.cosmos.azure.com"
+    storage_blob_zone                  = "privatelink.blob.core.windows.net"
+    storage_queue_zone                 = "privatelink.queue.core.windows.net"
+    storage_table_zone                 = "privatelink.table.core.windows.net"
+    storage_file_zone                  = "privatelink.file.core.windows.net"
+    storage_dlfs_zone                  = "privatelink.dfs.core.windows.net"
+    storage_web_zone                   = "privatelink.web.core.windows.net"
+    ai_search_zone                     = "privatelink.search.windows.net"
+    container_registry_zone            = "privatelink.azurecr.io"
+    app_configuration_zone             = "privatelink.azconfig.io"
+    ai_foundry_openai_zone             = "privatelink.openai.azure.com"
+    ai_foundry_ai_services_zone        = "privatelink.services.ai.azure.com"
+    ai_foundry_cognitive_services_zone = "privatelink.cognitiveservices.azure.com"
   }
-  private_dns_zones = var.flag_platform_landing_zone == true ? local.private_dns_zone_map : {}
-  private_dns_zones_existing = var.flag_platform_landing_zone == false ? { for key, value in local.private_dns_zone_map : key => {
-    name        = value.name
-    resource_id = "${coalesce(var.private_dns_zones.existing_zones_resource_group_resource_id, "notused")}/providers/Microsoft.Network/privateDnsZones/${value.name}" #TODO: determine if there is a more elegant way to do this while avoiding errors
+  # Maps of Private DNS zone resource IDs, either from existing or created zones
+  private_dns_zone_resource_map = { for k, v in local.private_dns_zone_map : k =>
+    {
+      name = v
+      id = try(coalesce(
+        try("${var.private_dns_zones.existing_zones_resource_group_resource_id}/providers/Microsoft.Network/privateDnsZones/${v}", null),
+        try(module.private_dns_zones[k].resource_id, null)
+      ), null)
     }
-  } : {}
-  route_table_name = "${local.vnet_name}-firewall-route-table"
-  subnet_ids       = length(var.vnet_definition.existing_byo_vnet) > 0 ? { for key, m in module.byo_subnets : key => try(m.resource_id, m.id) } : { for key, s in module.ai_lz_vnet[0].subnets : key => s.resource_id }
+  }
+  # Tags for Private DNS zones, excluding any with ":" in the name - Odd quirk of Private DNS zones, they don't like that char
+  private_dns_zone_tags = { for k, v in var.private_dns_zones.tags != null ? var.private_dns_zones.tags : var.tags : k => v if !strcontains(k, ":") }
+  route_table_name      = "${local.vnet_name}-firewall-route-table"
+  subnet_ids            = length(var.vnet_definition.existing_byo_vnet) > 0 ? { for key, m in module.byo_subnets : key => try(m.resource_id, m.id) } : { for key, s in module.ai_lz_vnet[0].subnets : key => s.resource_id }
   subnets = {
     AzureBastionSubnet = {
       enabled          = var.flag_platform_landing_zone == true ? try(local.subnets_definition["AzureBastionSubnet"].enabled, true) : try(local.subnets_definition["AzureBastionSubnet"].enabled, false)

main.apim.tf

@@ -24,7 +24,7 @@ module "apim" {
   notification_sender_email = var.apim_definition.notification_sender_email
   private_endpoints = {
     endpoint1 = {
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.apim_zone.resource_id] : [local.private_dns_zones_existing.apim_zone.resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map.apim_zone.id])
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
     }
   }

main.genai_services.tf

@@ -18,7 +18,7 @@ module "avm_res_keyvault_vault" {
   network_acls                    = var.genai_key_vault_definition.network_acls
   private_endpoints = {
     primary = {
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.key_vault_zone.resource_id] : [local.private_dns_zones_existing.key_vault_zone.resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map.key_vault_zone.id])
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
     }
   }
@@ -88,7 +88,7 @@ module "cosmosdb" {
     "sql" = {
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
       subresource_name              = "sql"
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.cosmos_sql_zone.resource_id] : [local.private_dns_zones_existing.cosmos_sql_zone.resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map.cosmos_sql_zone.id])
     }
   }
   public_network_access_enabled = var.genai_cosmosdb_definition.public_network_access_enabled
@@ -125,7 +125,7 @@ module "storage_account" {
     for endpoint in var.genai_storage_account_definition.endpoint_types :
     endpoint => {
       name                          = "${local.genai_storage_account_name}-${endpoint}-pe"
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones["storage_${lower(endpoint)}_zone"].resource_id] : [local.private_dns_zones_existing["storage_${lower(endpoint)}_zone"].resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map["storage_${lower(endpoint)}_zone"].id])
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
       subresource_name              = endpoint
     }
@@ -156,7 +156,7 @@ module "containerregistry" {
   enable_telemetry = var.enable_telemetry
   private_endpoints = {
     container_registry = {
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.container_registry_zone.resource_id] : [local.private_dns_zones_existing.container_registry_zone.resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map.container_registry_zone.id])
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
     }
   }
@@ -181,7 +181,7 @@ module "app_configuration" {
   local_auth_enabled              = var.genai_app_configuration_definition.local_auth_enabled
   private_endpoints = {
     app_configuration = {
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.app_configuration_zone.resource_id] : [local.private_dns_zones_existing.app_configuration_zone.resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map.app_configuration_zone.id])
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
     }
   }

main.knowledge_sources.tf

@@ -17,7 +17,7 @@ module "search_service" {
   partition_count              = var.ks_ai_search_definition.partition_count
   private_endpoints = {
     primary = {
-      private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.ai_search_zone.resource_id] : [local.private_dns_zones_existing.ai_search_zone.resource_id]
+      private_dns_zone_resource_ids = compact([local.private_dns_zone_resource_map.ai_search_zone.id])
       subnet_resource_id            = local.subnet_ids["PrivateEndpointSubnet"]
     }
   }

main.networking.tf

@@ -201,16 +201,37 @@ module "azure_bastion" {
 module "private_dns_zones" {
   source   = "Azure/avm-res-network-privatednszone/azurerm"
   version  = "0.4.2"
-  for_each = var.flag_platform_landing_zone ? local.private_dns_zones : {}
+  for_each = var.flag_platform_landing_zone ? local.private_dns_zone_map : {}
 
   domain_name           = each.value.name
   parent_id             = azurerm_resource_group.this.id
   enable_telemetry      = var.enable_telemetry
+  tags                  = local.private_dns_zone_tags
   virtual_network_links = local.virtual_network_links
 
   depends_on = [module.hub_vnet_peering]
 }
 
+# Link existing Private DNS zones to created vNet
+module "private_dns_zones_link" {
+  source  = "Azure/avm-res-network-privatednszone/azurerm//modules/private_dns_virtual_network_link"
+  version = "0.4.2"
+  for_each = alltrue([
+    var.private_dns_zones.existing_zones_resource_group_resource_id != null,
+    length(module.ai_lz_vnet) > 0,
+    length(module.private_dns_zones) == 0
+  ]) ? local.private_dns_zone_resource_map : {}
+
+  parent_id = each.value.id
+  # Mandatory resource attributes
+  name                                   = local.vnet_name
+  private_dns_zone_supports_private_link = true
+  resolution_policy                      = var.private_dns_zones.allow_internet_resolution_fallback == false ? "Default" : "NxDomainRedirect"
+  # Optional resource attributes
+  tags               = local.private_dns_zone_tags
+  virtual_network_id = local.vnet_resource_id
+}
+
 module "app_gateway_waf_policy" {
   source  = "Azure/avm-res-network-applicationgatewaywebapplicationfirewallpolicy/azurerm"
   version = "0.2.0"

variables.networking.tf

@@ -540,6 +540,7 @@ variable "private_dns_zones" {
       vnetid           = string
       resolutionPolicy = optional(string, "Default")
     })), {})
+    tags = optional(map(string))
   })
   default     = {}
   description = <<DESCRIPTION
@@ -551,7 +552,9 @@ Configuration object for Private DNS Zones and their network links.
   - `vnetlinkname` - The name of the virtual network link.
   - `vnetid` - The resource ID of the virtual network to link.
   - `resolutionPolicy` - (Optional) The resolution policy for the virtual network link. Default is "Default".
+- `tags` - (Optional) Map of tags to assign to the Private DNS Zones.
 DESCRIPTION
+  nullable    = false
 }
 
 variable "use_internet_routing" {