I have a use case for an Azure Private DNS zone with an apex A record. For example, I have the name "test.domain.com", and for the VNet that I link to my private zone I want it to resolve ONLY "test" within domain.com privately, while going out to the public DNS hierarchy for every other record in "domain.com". Naming the private zone "test.domain.com" (rather than "domain.com") is what scopes the override: a linked VNet answers from a private zone only for names inside that zone, so the rest of domain.com is untouched.
This can be created directly in the Azure portal by leaving the "Name" field empty when creating a record set. That produces an apex record, like this:
I want to deploy this through Terraform, so I first tried an empty string in the name property (name is a required argument of azurerm_private_dns_a_record in the AzureRM provider):
```hcl
# First attempt: an empty name, mirroring the portal's empty "Name" field.
resource "azurerm_private_dns_a_record" "test-domain-com-apex" {
  name                = ""
  zone_name           = azurerm_private_dns_zone.test-domain-com.name
  resource_group_name = azurerm_resource_group.shared-rg.name
  ttl                 = 300
  records             = ["10.9.3.230"]
}
```
However, the AzureRM provider doesn't accept an empty name:
So then I went to the portal and used "Export Template" to view the ARM resource natively. There the record set was named "zone-name/@", which is how ARM templates express a child resource: the parent zone name, a slash, and the record set's own name, where "@" denotes the zone apex.
I tried this in Terraform:
```hcl
# Second attempt: copying the ARM template's "zone/@" child-resource name
# into the Terraform name argument. This does not work (see below).
resource "azurerm_private_dns_a_record" "test-domain-com-apex" {
  name                = "${azurerm_private_dns_zone.test-domain-com.name}/@"
  zone_name           = azurerm_private_dns_zone.test-domain-com.name
  resource_group_name = azurerm_resource_group.shared-rg.name
  ttl                 = 300
  records             = ["10.9.3.230"]
}
```
However, this wasn't valid and produced strange output (the provider already combines zone_name and name to build the ARM resource, so the slash-qualified name is not what it expects):
Next I tried just the "@" symbol, the apex marker on its own:
```hcl
# Working version: "@" alone names the zone apex, the same convention
# the portal export uses after the "zone-name/" prefix.
resource "azurerm_private_dns_a_record" "test-domain-com-apex" {
  name                = "@"
  zone_name           = azurerm_private_dns_zone.test-domain-com.name
  resource_group_name = azurerm_resource_group.shared-rg.name
  ttl                 = 300
  records             = ["10.9.3.230"]
}
```
This worked!
Now I can selectively resolve specific FQDNs within my VNet without affecting records outside that scope. Two caveats worth remembering: the private zone answers for everything at or below test.domain.com, so a public name such as something.test.domain.com stops resolving from the linked VNet unless it is also added to the private zone; and the override applies only to VNets linked to the zone, so the zone link and the record set are the two places to review when auditing who can redirect that name.
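For reference, here is the whole setup end to end, as an added example rather than the original post's own configuration. It assumes a resource group named "shared-rg" in westeurope, a VNet named "app-vnet" with address space 10.9.0.0/16, and the 10.9.3.230 target from the post; the zone link is what actually turns the override on for that VNet, and auto-registration is left off so VMs in the VNet cannot register their own hostnames under test.domain.com.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed names and location (not from the original post).
resource "azurerm_resource_group" "shared-rg" {
  name     = "shared-rg"
  location = "westeurope"
}

resource "azurerm_virtual_network" "app" {
  name                = "app-vnet"
  location            = azurerm_resource_group.shared-rg.location
  resource_group_name = azurerm_resource_group.shared-rg.name
  address_space       = ["10.9.0.0/16"]
}

# The zone name is the FQDN being overridden. Because the zone is
# "test.domain.com" and not "domain.com", a linked VNet keeps resolving
# every other name in domain.com through public DNS.
resource "azurerm_private_dns_zone" "test-domain-com" {
  name                = "test.domain.com"
  resource_group_name = azurerm_resource_group.shared-rg.name
}

# "@" is the apex: this record answers for test.domain.com itself.
resource "azurerm_private_dns_a_record" "test-domain-com-apex" {
  name                = "@"
  zone_name           = azurerm_private_dns_zone.test-domain-com.name
  resource_group_name = azurerm_resource_group.shared-rg.name
  ttl                 = 300
  records             = ["10.9.3.230"]
}

# Without this link the zone has no effect on resolution in the VNet.
# registration_enabled = false stops VMs in the VNet from creating
# records under test.domain.com through auto-registration.
resource "azurerm_private_dns_zone_virtual_network_link" "app" {
  name                  = "app-vnet-link"
  resource_group_name   = azurerm_resource_group.shared-rg.name
  private_dns_zone_name = azurerm_private_dns_zone.test-domain-com.name
  virtual_network_id    = azurerm_virtual_network.app.id
  registration_enabled  = false
}
```

To check the scoping after `terraform apply`, run `nslookup test.domain.com` from a VM in app-vnet and expect 10.9.3.230, then `nslookup www.domain.com` (or any other public name under domain.com) and confirm it still returns the public answer; a lookup for an undefined name such as other.test.domain.com returns NXDOMAIN, which is the subdomain caveat from above showing up in practice.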