Allow to specify a private_dns_zone_id

README.md

@@ -53,6 +53,7 @@ The following resources are used by this module:
 - [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
 - [azurerm_monitor_diagnostic_setting.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) (resource)
 - [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_role_assignment.dns_zone_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.network_contributor_on_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_user_assigned_identity.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) (resource)
 - [modtm_telemetry.telemetry](https://registry.terraform.io/providers/Azure/modtm/latest/docs/resources/telemetry) (resource)
@@ -299,6 +300,14 @@ Type: `string`
 
 Default: `"AzureLinux"`
 
+### <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id)
+
+Description: (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this
+
+Type: `string`
+
+Default: `"System"`
+
 ### <a name="input_rbac_aad_admin_group_object_ids"></a> [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids)
 
 Description: Object ID of groups with admin access.

examples/default/README.md

@@ -64,6 +64,7 @@ module "test" {
   name                = module.naming.kubernetes_cluster.name_unique
   resource_group_name = azurerm_resource_group.this.name
   location            = azurerm_resource_group.this.location
+  private_dns_zone_id = azurerm_private_dns_zone.mydomain.id
   network = {
     name                = module.avm_res_network_virtualnetwork.name
     resource_group_name = azurerm_resource_group.this.name
@@ -82,6 +83,11 @@ resource "azurerm_private_dns_zone" "this" {
   resource_group_name = azurerm_resource_group.this.name
 }
 
+resource "azurerm_private_dns_zone" "mydomain" {
+  name                = "mydomain.com"
+  resource_group_name = azurerm_resource_group.this.name
+}
+
 module "avm_res_network_virtualnetwork" {
   source  = "Azure/avm-res-network-virtualnetwork/azurerm"
   version = "0.2.3"
@@ -118,6 +124,7 @@ The following requirements are needed by this module:
 
 The following resources are used by this module:
 
+- [azurerm_private_dns_zone.mydomain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) (resource)
 - [azurerm_private_dns_zone.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) (resource)
 - [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)

examples/default/main.tf

@@ -58,6 +58,7 @@ module "test" {
   name                = module.naming.kubernetes_cluster.name_unique
   resource_group_name = azurerm_resource_group.this.name
   location            = azurerm_resource_group.this.location
+  private_dns_zone_id = azurerm_private_dns_zone.mydomain.id
   network = {
     name                = module.avm_res_network_virtualnetwork.name
     resource_group_name = azurerm_resource_group.this.name
@@ -76,6 +77,11 @@ resource "azurerm_private_dns_zone" "this" {
   resource_group_name = azurerm_resource_group.this.name
 }
 
+resource "azurerm_private_dns_zone" "mydomain" {
+  name                = "mydomain.com"
+  resource_group_name = azurerm_resource_group.this.name
+}
+
 module "avm_res_network_virtualnetwork" {
   source  = "Azure/avm-res-network-virtualnetwork/azurerm"
   version = "0.2.3"

main.tf

@@ -48,6 +48,14 @@ resource "azurerm_role_assignment" "network_contributor_on_resource_group" {
   role_definition_name = "Network Contributor"
 }
 
+resource "azurerm_role_assignment" "dns_zone_contributor" {
+  count = var.private_dns_zone_id == "System" ? 0 : 1
+
+  principal_id         = data.azurerm_user_assigned_identity.cluster_identity.principal_id
+  scope                = var.private_dns_zone_id
+  role_definition_name = "Private DNS Zone Contributor"
+}
+
 resource "azurerm_kubernetes_cluster" "this" {
   location                          = var.location
   name                              = "aks-${var.name}"
@@ -60,6 +68,7 @@ resource "azurerm_kubernetes_cluster" "this" {
   node_os_channel_upgrade           = "NodeImage"
   oidc_issuer_enabled               = true
   private_cluster_enabled           = true
+  private_dns_zone_id               = var.private_dns_zone_id
   role_based_access_control_enabled = true
   sku_tier                          = "Standard"
   tags                              = var.tags

variables.tf

@@ -207,6 +207,17 @@ variable "os_sku" {
   }
 }
 
+variable "private_dns_zone_id" {
+  type        = string
+  default     = "System"
+  description = "(Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this"
+
+  validation {
+    condition     = can(regex("^(System|/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.Network/privateDnsZones/[^/]+)$", var.private_dns_zone_id))
+    error_message = "private_dns_zone_id must be either System or a valid Private DNS Zone ID"
+  }
+}
+
 variable "rbac_aad_admin_group_object_ids" {
   type        = list(string)
   default     = null