diff --git a/infrastructure/azure/private_dns/README.md b/infrastructure/azure/private_dns/README.md
new file mode 100644
index 00000000..30858173
--- /dev/null
+++ b/infrastructure/azure/private_dns/README.md
@@ -0,0 +1,91 @@
+# Module: Azure Private DNS Zone
+
+This module creates a private DNS zone in Azure with optional virtual network links.
+
+## Features
+
+- Creates an Azure private DNS zone
+- Supports linking to multiple virtual networks
+- Optional auto-registration of VM DNS records
+- Supports configurable tags for resource management
+
+## Usage
+
+### Basic Example
+
+```hcl
+module "private_dns" {
+ source = "git::https://github.com/nullplatform/tofu-modules.git///infrastructure/azure/private_dns?ref=v1.5.0"
+ domain_name = "privatelink.database.windows.net"
+ resource_group = "my-resource-group"
+ subscription_id = "00000000-0000-0000-0000-000000000000"
+ tags = {
+ environment = "production"
+ team = "platform"
+ }
+}
+```
+
+## Important Notes
+
+- **Domain name**: Can be any valid DNS domain name for private resolution (e.g., `privatelink.database.windows.net`, `internal.company.local`)
+- **Virtual network links**: Required for DNS resolution within VNets
+- **Auto-registration**: When `registration_enabled = true`, VM records are automatically created in the DNS zone
+
+## Inputs
+
+| Name | Description | Type | Required | Default |
+|------|-------------|------|----------|---------|
+| `resource_group` | The name of the resource group where the private DNS zone will be created | `string` | Yes | - |
+| `domain_name` | The domain name to use for the private DNS zone | `string` | Yes | - |
+| `subscription_id` | The ID of the Azure subscription | `string` | Yes | - |
+| `virtual_network_links` | List of virtual networks to link to the private DNS zone | `list(object)` | No | `[]` |
+| `tags` | A mapping of tags to assign to the resources | `map(string)` | No | `{}` |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| `private_dns_zone_name` | The name of the created private DNS zone |
+| `private_dns_zone_id` | The ID of the private DNS zone |
+| `virtual_network_link_ids` | The IDs of the virtual network links |
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | ~> 1.6 |
+| [azurerm](#requirement\_azurerm) | =4.41.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [azurerm](#provider\_azurerm) | =4.41.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_private_dns_zone.private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/4.41.0/docs/resources/private_dns_zone) | resource |
+| [azurerm_private_dns_zone_virtual_network_link.vnet_link](https://registry.terraform.io/providers/hashicorp/azurerm/4.41.0/docs/resources/private_dns_zone_virtual_network_link) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [domain\_name](#input\_domain\_name) | The domain name to use for the private DNS zone (e.g., privatelink.database.windows.net) | `string` | n/a | yes |
+| [resource\_group](#input\_resource\_group) | The name of the resource group where the private DNS zone will be created | `string` | n/a | yes |
+| [subscription\_id](#input\_subscription\_id) | The ID of the Azure subscription | `string` | n/a | yes |
+| [tags](#input\_tags) | A mapping of tags to assign to the private DNS zone | `map(string)` | `{}` | no |
+| [virtual\_network\_links](#input\_virtual\_network\_links) | List of virtual networks to link to the private DNS zone. Each object requires vnet\_id and optionally registration\_enabled for auto-registration of VM records | list(object({
vnet_id = string
registration_enabled = optional(bool, false)
})) | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [private\_dns\_zone\_id](#output\_private\_dns\_zone\_id) | The ID of the private DNS zone |
+| [private\_dns\_zone\_name](#output\_private\_dns\_zone\_name) | The name of the created private DNS zone |
+| [virtual\_network\_link\_ids](#output\_virtual\_network\_link\_ids) | The IDs of the virtual network links |
+
\ No newline at end of file
diff --git a/infrastructure/azure/private_dns/main.tf b/infrastructure/azure/private_dns/main.tf
new file mode 100644
index 00000000..0258323c
--- /dev/null
+++ b/infrastructure/azure/private_dns/main.tf
@@ -0,0 +1,16 @@
+resource "azurerm_private_dns_zone" "private_dns_zone" {
+ name = var.domain_name
+ resource_group_name = var.resource_group
+ tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnet_link" {
+ for_each = { for idx, link in var.virtual_network_links : idx => link }
+
+ name = "vnet-link-${each.key}"
+ resource_group_name = var.resource_group
+ private_dns_zone_name = azurerm_private_dns_zone.private_dns_zone.name
+ virtual_network_id = each.value.vnet_id
+ registration_enabled = each.value.registration_enabled
+ tags = var.tags
+}
diff --git a/infrastructure/azure/private_dns/output.tf b/infrastructure/azure/private_dns/output.tf
new file mode 100644
index 00000000..b57e56fd
--- /dev/null
+++ b/infrastructure/azure/private_dns/output.tf
@@ -0,0 +1,14 @@
+output "private_dns_zone_name" {
+ description = "The name of the created private DNS zone"
+ value = azurerm_private_dns_zone.private_dns_zone.name
+}
+
+output "private_dns_zone_id" {
+ description = "The ID of the private DNS zone"
+ value = azurerm_private_dns_zone.private_dns_zone.id
+}
+
+output "virtual_network_link_ids" {
+ description = "The IDs of the virtual network links"
+ value = { for k, v in azurerm_private_dns_zone_virtual_network_link.vnet_link : k => v.id }
+}
diff --git a/infrastructure/azure/private_dns/provider.tf b/infrastructure/azure/private_dns/provider.tf
new file mode 100644
index 00000000..f61091bc
--- /dev/null
+++ b/infrastructure/azure/private_dns/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = "~> 1.6"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=4.41.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+ resource_provider_registrations = "none"
+ use_cli = true
+ subscription_id = var.subscription_id
+}
diff --git a/infrastructure/azure/private_dns/variables.tf b/infrastructure/azure/private_dns/variables.tf
new file mode 100644
index 00000000..e64f8999
--- /dev/null
+++ b/infrastructure/azure/private_dns/variables.tf
@@ -0,0 +1,41 @@
+###############################################################################
+# REQUIRED VARIABLES
+###############################################################################
+
+variable "resource_group" {
+ type = string
+ description = "The name of the resource group where the private DNS zone will be created"
+}
+
+variable "domain_name" {
+ type = string
+ description = "The domain name to use for the private DNS zone (e.g., privatelink.database.windows.net)"
+}
+
+variable "subscription_id" {
+ type = string
+ description = "The ID of the Azure subscription"
+}
+
+###############################################################################
+# OPTIONAL VARIABLES - VNET LINK
+###############################################################################
+
+variable "virtual_network_links" {
+ type = list(object({
+ vnet_id = string
+ registration_enabled = optional(bool, false)
+ }))
+ description = "List of virtual networks to link to the private DNS zone. Each object requires vnet_id and optionally registration_enabled for auto-registration of VM records"
+ default = []
+}
+
+###############################################################################
+# OPTIONAL VARIABLES - TAGS
+###############################################################################
+
+variable "tags" {
+ type = map(string)
+ description = "A mapping of tags to assign to the private DNS zone"
+ default = {}
+}
diff --git a/nullplatform/scope_definition_agent_association/auth.tf b/nullplatform/scope_definition_agent_association/auth.tf
index ff70a1e5..a90ae77b 100644
--- a/nullplatform/scope_definition_agent_association/auth.tf
+++ b/nullplatform/scope_definition_agent_association/auth.tf
@@ -1,40 +1,17 @@
################################################################################
-# Nullplatform Agent API Key
+# Nullplatform Agent Association API Key
################################################################################
-# Create API key for agent authentication with required role grants
+# Create API key for agent association with minimal required permissions
resource "nullplatform_api_key" "nullplatform_agent_api_key" {
- name = "NULLPLATFORM-AGENT-API-KEY"
+ name = "AGENT-ASSOCIATION"
- # Grant control plane agent role for core agent operations
+ # Grant control plane agent role for agent operations
grants {
nrn = local.nrn_without_namespace
role_slug = "controlplane:agent"
}
- # Grant developer role for application deployment operations
- grants {
- nrn = local.nrn_without_namespace
- role_slug = "developer"
- }
-
- # Grant ops role for operational and maintenance tasks
- grants {
- nrn = local.nrn_without_namespace
- role_slug = "ops"
- }
-
- # Grant secops role for security operations and compliance
- grants {
- nrn = local.nrn_without_namespace
- role_slug = "secops"
- }
- # Grant secrets-reader role for accessing application secrets
- grants {
- nrn = local.nrn_without_namespace
- role_slug = "secrets-reader"
- }
-
tags {
key = "managed-by"
value = "IaC"