# Resource group that holds every privatelink.* Private DNS zone declared in
# this file. The zones below only become authoritative for a network once they
# are attached to it with an azurerm_private_dns_zone_virtual_network_link;
# a zone without a link is not consulted, and private endpoint FQDNs then
# resolve through public DNS instead of to the private IP.
resource "azurerm_resource_group" "dnsprivatezones" {
  location = "West Europe"
  name     = "connectivity-dnsprivatezones-001"

  tags = {
    Usage = "Azure Private DNS Zones for Private Endpoints"
  }
}
# Azure Automation private endpoints (webhook / DSC / hybrid worker).
resource "azurerm_private_dns_zone" "azureautomation" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.azure-automation.net"
}
# Azure SQL Database / SQL Managed Instance private endpoints.
resource "azurerm_private_dns_zone" "sqldatabase" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.database.windows.net"
}
# Storage account "blob" sub-resource.
resource "azurerm_private_dns_zone" "blobstorage" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.blob.core.windows.net"
}
# Storage account "table" sub-resource.
resource "azurerm_private_dns_zone" "tablestorage" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.table.core.windows.net"
}
# Storage account "queue" sub-resource.
resource "azurerm_private_dns_zone" "queuestorage" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.queue.core.windows.net"
}
# Storage account "file" sub-resource (Azure Files shares).
resource "azurerm_private_dns_zone" "filestorage" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.file.core.windows.net"
}
# Storage account "web" sub-resource (static website endpoint); the label
# "storageaccount" is broader than the single sub-resource this zone covers.
resource "azurerm_private_dns_zone" "storageaccount" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.web.core.windows.net"
}
# Storage account "dfs" sub-resource (Data Lake Storage Gen2).
resource "azurerm_private_dns_zone" "datalakegen2storage" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.dfs.core.windows.net"
}
# Cosmos DB, SQL (Core) API.
resource "azurerm_private_dns_zone" "cosmosdb_sql" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.documents.azure.com"
}
# Cosmos DB, MongoDB API.
resource "azurerm_private_dns_zone" "cosmosdb_mongodb" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.mongo.cosmos.azure.com"
}
# Cosmos DB, Cassandra API.
resource "azurerm_private_dns_zone" "cosmosdb_cassandradb" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.cassandra.cosmos.azure.com"
}
# Cosmos DB, Gremlin API.
resource "azurerm_private_dns_zone" "cosmosdb_gremlindb" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.gremlin.cosmos.azure.com"
}
# Cosmos DB, Table API (distinct from the storage-account table zone).
resource "azurerm_private_dns_zone" "cosmosdb_table" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.table.cosmos.azure.com"
}
# Azure Database for PostgreSQL.
resource "azurerm_private_dns_zone" "postgresql" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.postgres.database.azure.com"
}
# Azure Database for MySQL.
resource "azurerm_private_dns_zone" "mysql" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.mysql.database.azure.com"
}
# Azure Database for MariaDB.
resource "azurerm_private_dns_zone" "mariadb" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.mariadb.database.azure.com"
}
# Azure Key Vault (vault data plane).
resource "azurerm_private_dns_zone" "keyvault" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.vaultcore.azure.net"
}
# Azure Cognitive Search.
resource "azurerm_private_dns_zone" "search" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.search.windows.net"
}
# Azure Container Registry.
resource "azurerm_private_dns_zone" "container_registry" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.azurecr.io"
}
# Azure App Configuration.
resource "azurerm_private_dns_zone" "app_configuration" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.azconfig.io"
}
# Service Bus (the same zone also serves Event Hubs namespaces).
resource "azurerm_private_dns_zone" "servicebus" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.servicebus.windows.net"
}
# IoT Hub.
resource "azurerm_private_dns_zone" "iothub" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.azure-devices.net"
}
# Event Grid topics and domains.
resource "azurerm_private_dns_zone" "eventgrid" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.eventgrid.azure.net"
}
# App Service / Functions apps.
resource "azurerm_private_dns_zone" "appservices" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.azurewebsites.net"
}
# Azure Machine Learning workspace API endpoint.
resource "azurerm_private_dns_zone" "azure_machine_learning" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.api.azureml.ms"
}
# NOTE(review): privatelink.notebooks.azure.net is the Azure Machine Learning
# notebooks zone (the companion of privatelink.api.azureml.ms), not a Databricks
# zone; Azure Databricks uses privatelink.azuredatabricks.net. Confirm which
# service this label is meant to cover before anything depends on the address.
resource "azurerm_private_dns_zone" "databricks" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.notebooks.azure.net"
}
# Azure SignalR Service.
resource "azurerm_private_dns_zone" "signalR" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.service.signalr.net"
}
# Azure Cognitive Services accounts.
resource "azurerm_private_dns_zone" "cognitiveservices" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.cognitiveservices.azure.com"
}
# Azure File Sync (Storage Sync Service).
resource "azurerm_private_dns_zone" "azure_file_sync" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.afs.azure.net"
}
# Data Factory (factory endpoint).
resource "azurerm_private_dns_zone" "datafactory" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.datafactory.azure.net"
}
# Data Factory authoring portal. This zone name is very broad (it shadows
# every privatelink.azure.com name once linked to a network), so keep its
# record set limited to what the portal endpoint actually needs.
resource "azurerm_private_dns_zone" "datafactory_portal" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.azure.com"
}
# Azure Cache for Redis.
resource "azurerm_private_dns_zone" "redis" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.redis.cache.windows.net"
}
# Azure Monitor Private Link Scope, zone 1 of the monitor_1..monitor_4 set.
resource "azurerm_private_dns_zone" "monitor_1" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.monitor.azure.com"
}
# Azure Monitor Private Link Scope, zone 2 of the monitor_1..monitor_4 set
# (Log Analytics OMS endpoint).
resource "azurerm_private_dns_zone" "monitor_2" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.oms.opinsights.azure.com"
}
# Azure Monitor Private Link Scope, zone 3 of the monitor_1..monitor_4 set
# (Log Analytics ODS ingestion endpoint).
resource "azurerm_private_dns_zone" "monitor_3" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.ods.opinsights.azure.com"
}
# Azure Monitor Private Link Scope, zone 4 of the monitor_1..monitor_4 set
# (agent service endpoint).
resource "azurerm_private_dns_zone" "monitor_4" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.agentsvc.azure-automation.net"
}
# Azure Backup (Recovery Services vault), West Europe. The zone name embeds the
# region, so vaults in any other region need their own zone.
resource "azurerm_private_dns_zone" "azurebackup_westeurope" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.westeurope.backup.windowsazure.com"
}
# Azure Backup (Recovery Services vault), North Europe. The zone name embeds the
# region, so vaults in any other region need their own zone.
resource "azurerm_private_dns_zone" "azurebackup_northeurope" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.northeurope.backup.windowsazure.com"
}
# Private AKS clusters, West Europe (region-specific zone). A cluster uses this
# zone instead of auto-creating its own when its private_dns_zone_id is set to
# this resource's id; clusters that already created their own zone keep it.
resource "azurerm_private_dns_zone" "aks_westeurope" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.westeurope.azmk8s.io"
}
# Private AKS clusters, North Europe (region-specific zone). A cluster uses this
# zone instead of auto-creating its own when its private_dns_zone_id is set to
# this resource's id; clusters that already created their own zone keep it.
resource "azurerm_private_dns_zone" "aks_northeurope" {
  resource_group_name = azurerm_resource_group.dnsprivatezones.name
  name                = "privatelink.northeurope.azmk8s.io"
}
Nice!
We took a slightly different approach on the basis that new Private Endpoint DNS zones may be introduced later.
We wrote an ADO Pipeline that executes a PowerShell script to scrape the DNS zones from https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns(!) into some JSON, and then pushes that into some Terraform that loops through to create any missing Private DNS zones (and assumes some specific regional zones where required). This runs on a schedule and has mostly worked so far.
It's a bit brittle as it depends on an expected structure of the page; it would be nicer if we could interrogate the Azure management API to discover the services that support Private Endpoints.
How do you get the AKS resources, for example, to use the private DNS zone you created for AKS in this scenario instead of the default behaviour of AKS creating a random private DNS zone per AKS instance?
Nice work!