
Azure Verified Module for Private DNS Zone

This module provides a generic way to create and manage Private DNS zones in Azure.

To use this module in your Terraform configuration, you'll need to provide values for the required variables. Here's a basic example:

```hcl
module "azure_privatednszone" {
  source = "./path_to_this_module"

  // ... mandatory variables ...
  domain_name         = ""
  resource_group_name = "existing_resourcegroup_name"

  // ... other optional variables, see example ...
}
```
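A fuller invocation, added here as an illustration and not taken from the module's own README: a zone for the Storage blob Private Link domain, one virtual network link with auto-registration off, one A record and one least-privilege role assignment. The input names `a_records`, `virtual_network_links`, `role_assignments` and `enable_telemetry` are assumed to match the module's variables (only their descriptions and object shapes appear below), and every ID is a placeholder.

```hcl
# Added example, not part of the module's documentation. Variable names
# a_records, virtual_network_links, role_assignments and enable_telemetry are
# assumed; subscription, resource group, VNet and principal IDs are placeholders.
module "privatelink_blob" {
  source = "./path_to_this_module"

  domain_name         = "privatelink.blob.core.windows.net"
  resource_group_name = "existing_resourcegroup_name"

  # Opt out of module telemetry (the documented default is true).
  enable_telemetry = false

  # Resolvers in this VNet use the zone. Auto-registration stays off: a
  # privatelink zone should only carry the records you deliberately publish.
  virtual_network_links = {
    hub = {
      vnetlinkname     = "link-hub"
      vnetid           = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>" # placeholder
      autoregistration = false
    }
  }

  # One A record mapping the storage account name to its private endpoint address.
  a_records = {
    storage = {
      name                = "examplestorageacct"
      resource_group_name = "existing_resourcegroup_name"
      zone_name           = "privatelink.blob.core.windows.net"
      ttl                 = 300
      records             = ["10.0.1.4"] # constructed private endpoint IP
    }
  }

  # Least privilege: the identity that registers endpoints only needs to
  # manage record sets, not the zone or its links.
  role_assignments = {
    endpoint_operator = {
      role_definition_id_or_name = "Private DNS Zone Contributor"
      principal_id               = "00000000-0000-0000-0000-000000000000" # placeholder
      principal_type             = "ServicePrincipal"
    }
  }
}
```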


When this module is used and `terraform plan` is run after an initial successful deployment, the following example output (truncated for brevity) may be seen. This is due to the Terraform output value number_of_record_sets being refreshed. Running apply will only update the Terraform output and will not change infrastructure.

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

      ~ number_of_record_sets                                 = 15 -> 17

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.


The following requirements are needed by this module:


The following resources are used by this module:

Required Inputs

The following input variables are required:

Description: The name of the private DNS zone.

Type: string

Description: The resource group where the resources will be deployed.

Type: string

Optional Inputs

The following input variables are optional (have default values):

Description: A map of objects where each object contains information to create an A record.


Type:

```hcl
map(object({
  name                = string
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  records             = list(string)
  tags                = optional(map(string), null)
}))
```

Default: {}

Description: A map of objects where each object contains information to create an AAAA record.


Type:

```hcl
map(object({
  name                = string
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  records             = list(string)
  tags                = optional(map(string), null)
}))
```

Default: {}

Description: A map of objects where each object contains information to create a CNAME record.


Type:

```hcl
map(object({
  name                = string
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  record              = string
  tags                = optional(map(string), null)
}))
```

Default: {}

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see
If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

Description: A map of objects where each object contains information to create an MX record.


Type:

```hcl
map(object({
  name                = optional(string, "@")
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  records = map(object({
    preference = number
    exchange   = string
  }))
  tags = optional(map(string), null)
}))
```

Default: {}

Description: A map of objects where each object contains information to create a PTR record.


Type:

```hcl
map(object({
  name                = string
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  records             = list(string)
  tags                = optional(map(string), null)
}))
```

Default: {}

Description: A map of role assignments to create on the . The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.

  • role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
  • principal_id - The ID of the principal to assign the role to.
  • description - (Optional) The description of the role assignment.
  • skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
  • condition - (Optional) The condition which will be used to scope the role assignment.
  • condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition; if you are, the only valid value is '2.0'.
  • delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenarios.
  • principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filter on the PrincipalType attribute.

Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.


Type:

```hcl
map(object({
  role_definition_id_or_name             = string
  principal_id                           = string
  description                            = optional(string, null)
  skip_service_principal_aad_check       = optional(bool, false)
  condition                              = optional(string, null)
  condition_version                      = optional(string, null)
  delegated_managed_identity_resource_id = optional(string, null)
  principal_type                         = optional(string, null)
}))
```

Default: {}

Description: Optional soa_record variable; if included, only email is required and the rest are optional. Email must use and not [email protected]


Type:

```hcl
object({
  email        = string
  expire_time  = optional(number, 2419200)
  minimum_ttl  = optional(number, 10)
  refresh_time = optional(number, 3600)
  retry_time   = optional(number, 300)
  ttl          = optional(number, 3600)
  tags         = optional(map(string), null)
})
```

Default: null

Description: A map of objects where each object contains information to create an SRV record.


Type:

```hcl
map(object({
  name                = string
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  records = map(object({
    priority = number
    weight   = number
    port     = number
    target   = string
  }))
  tags = optional(map(string), null)
}))
```

Default: {}

Description: (Optional) Tags of the resource.

Type: map(string)

Default: null

Description: A map of timeout objects, per resource type, to apply to the creation and destruction of the following resources:

  • dns_zones - (Optional) The timeouts for DNS Zones.
  • vnet_links - (Optional) The timeouts for DNS Zones Virtual Network Links.

Each timeout object has the following optional attributes:

  • create - (Optional) The timeout for creating the resource. Defaults to 5m apart from policy assignments, where this is set to 15m.
  • delete - (Optional) The timeout for deleting the resource. Defaults to 5m.
  • update - (Optional) The timeout for updating the resource. Defaults to 5m.
  • read - (Optional) The timeout for reading the resource. Defaults to 5m.


Type:

```hcl
object({
  dns_zones = optional(object({
    create = optional(string, "30m")
    delete = optional(string, "30m")
    update = optional(string, "30m")
    read   = optional(string, "5m")
  }), {})
  vnet_links = optional(object({
    create = optional(string, "30m")
    delete = optional(string, "30m")
    update = optional(string, "30m")
    read   = optional(string, "5m")
  }), {})
})
```

Default: {}

Description: A map of objects where each object contains information to create a TXT record.


Type:

```hcl
map(object({
  name                = string
  resource_group_name = string
  zone_name           = string
  ttl                 = number
  records = map(object({
    value = string
  }))
  tags = optional(map(string), null)
}))
```

Default: {}

Description: A map of objects where each object contains information to create a virtual network link.


Type:

```hcl
map(object({
  vnetlinkname     = string
  vnetid           = string
  autoregistration = optional(bool, false)
  tags             = optional(map(string), null)
}))
```

Default: {}


The following outputs are exported:

Description: The a record output

Description: The aaaa record output

Description: The cname record output

Description: The mx record output

Description: The name of the private DNS zone

Description: The ptr record output

Description: The private DNS zone output

Description: The resource ID of the private DNS zone

Description: The srv record output

Description: The txt record output

Description: The virtual network link output


No modules.

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.