nullplatform · violenti · Dec 29, 2025 · Dec 22, 2025 · Dec 22, 2025 · Dec 23, 2025
diff --git a/infrastructure/azure/private_dns/README.md b/infrastructure/azure/private_dns/README.md
@@ -0,0 +1,91 @@
+# Module: Azure Private DNS Zone
+
+This module creates a private DNS zone in Azure with optional virtual network links.
+
+## Features
+
+- Creates an Azure private DNS zone
+- Supports linking to multiple virtual networks
+- Optional auto-registration of VM DNS records
+- Supports configurable tags for resource management
+
+## Usage
+
+### Basic Example
+
+```hcl
+module "private_dns" {
+  source          = "git::https://github.com/nullplatform/tofu-modules.git///infrastructure/azure/private_dns?ref=v1.5.0"
+  domain_name     = "privatelink.database.windows.net"
+  resource_group  = "my-resource-group"
+  subscription_id = "00000000-0000-0000-0000-000000000000"
+  tags = {
+    environment = "production"
+    team        = "platform"
+  }
+}
+```
+
+## Important Notes
+
+- **Domain name**: Can be any valid DNS domain name for private resolution (e.g., `privatelink.database.windows.net`, `internal.company.local`)
+- **Virtual network links**: Required for DNS resolution within VNets
+- **Auto-registration**: When `registration_enabled = true`, VM records are automatically created in the DNS zone
+
+## Inputs
+
+| Name | Description | Type | Required | Default |
+|------|-------------|------|----------|---------|
+| `resource_group` | The name of the resource group where the private DNS zone will be created | `string` | Yes | - |
+| `domain_name` | The domain name to use for the private DNS zone | `string` | Yes | - |
+| `subscription_id` | The ID of the Azure subscription | `string` | Yes | - |
+| `virtual_network_links` | List of virtual networks to link to the private DNS zone | `list(object)` | No | `[]` |
+| `tags` | A mapping of tags to assign to the resources | `map(string)` | No | `{}` |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| `private_dns_zone_name` | The name of the created private DNS zone |
+| `private_dns_zone_id` | The ID of the private DNS zone |
+| `virtual_network_link_ids` | The IDs of the virtual network links |
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.6 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | =4.41.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | =4.41.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_private_dns_zone.private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/4.41.0/docs/resources/private_dns_zone) | resource |
+| [azurerm_private_dns_zone_virtual_network_link.vnet_link](https://registry.terraform.io/providers/hashicorp/azurerm/4.41.0/docs/resources/private_dns_zone_virtual_network_link) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name to use for the private DNS zone (e.g., privatelink.database.windows.net) | `string` | n/a | yes |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | The name of the resource group where the private DNS zone will be created | `string` | n/a | yes |
+| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The ID of the Azure subscription | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the private DNS zone | `map(string)` | `{}` | no |
+| <a name="input_virtual_network_links"></a> [virtual\_network\_links](#input\_virtual\_network\_links) | List of virtual networks to link to the private DNS zone. Each object requires vnet\_id and optionally registration\_enabled for auto-registration of VM records | <pre>list(object({<br/>    vnet_id              = string<br/>    registration_enabled = optional(bool, false)<br/>  }))</pre> | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_private_dns_zone_id"></a> [private\_dns\_zone\_id](#output\_private\_dns\_zone\_id) | The ID of the private DNS zone |
+| <a name="output_private_dns_zone_name"></a> [private\_dns\_zone\_name](#output\_private\_dns\_zone\_name) | The name of the created private DNS zone |
+| <a name="output_virtual_network_link_ids"></a> [virtual\_network\_link\_ids](#output\_virtual\_network\_link\_ids) | The IDs of the virtual network links |
+<!-- END_TF_DOCS -->
diff --git a/infrastructure/azure/private_dns/main.tf b/infrastructure/azure/private_dns/main.tf
@@ -0,0 +1,16 @@
+resource "azurerm_private_dns_zone" "private_dns_zone" {
+  name                = var.domain_name
+  resource_group_name = var.resource_group
+  tags                = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnet_link" {
+  for_each = { for idx, link in var.virtual_network_links : idx => link }
+
+  name                  = "vnet-link-${each.key}"
+  resource_group_name   = var.resource_group
+  private_dns_zone_name = azurerm_private_dns_zone.private_dns_zone.name
+  virtual_network_id    = each.value.vnet_id
+  registration_enabled  = each.value.registration_enabled
+  tags                  = var.tags
+}
diff --git a/infrastructure/azure/private_dns/output.tf b/infrastructure/azure/private_dns/output.tf
@@ -0,0 +1,14 @@
+output "private_dns_zone_name" {
+  description = "The name of the created private DNS zone"
+  value       = azurerm_private_dns_zone.private_dns_zone.name
+}
+
+output "private_dns_zone_id" {
+  description = "The ID of the private DNS zone"
+  value       = azurerm_private_dns_zone.private_dns_zone.id
+}
+
+output "virtual_network_link_ids" {
+  description = "The IDs of the virtual network links"
+  value       = { for k, v in azurerm_private_dns_zone_virtual_network_link.vnet_link : k => v.id }
+}
diff --git a/infrastructure/azure/private_dns/provider.tf b/infrastructure/azure/private_dns/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.6"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "=4.41.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  resource_provider_registrations = "none"
+  use_cli                         = true
+  subscription_id                 = var.subscription_id
+}
diff --git a/infrastructure/azure/private_dns/variables.tf b/infrastructure/azure/private_dns/variables.tf
@@ -0,0 +1,41 @@
+###############################################################################
+# REQUIRED VARIABLES
+###############################################################################
+
+variable "resource_group" {
+  type        = string
+  description = "The name of the resource group where the private DNS zone will be created"
+}
+
+variable "domain_name" {
+  type        = string
+  description = "The domain name to use for the private DNS zone (e.g., privatelink.database.windows.net)"
+}
+
+variable "subscription_id" {
+  type        = string
+  description = "The ID of the Azure subscription"
+}
+
+###############################################################################
+# OPTIONAL VARIABLES - VNET LINK
+###############################################################################
+
+variable "virtual_network_links" {
+  type = list(object({
+    vnet_id              = string
+    registration_enabled = optional(bool, false)
+  }))
+  description = "List of virtual networks to link to the private DNS zone. Each object requires vnet_id and optionally registration_enabled for auto-registration of VM records"
+  default     = []
+}
+
+###############################################################################
+# OPTIONAL VARIABLES - TAGS
+###############################################################################
+
+variable "tags" {
+  type        = map(string)
+  description = "A mapping of tags to assign to the private DNS zone"
+  default     = {}
+}
diff --git a/nullplatform/scope_definition_agent_association/auth.tf b/nullplatform/scope_definition_agent_association/auth.tf
@@ -1,40 +1,17 @@
 ################################################################################
-# Nullplatform Agent API Key
+# Nullplatform Agent Association API Key
 ################################################################################
 
-# Create API key for agent authentication with required role grants
+# Create API key for agent association with minimal required permissions
 resource "nullplatform_api_key" "nullplatform_agent_api_key" {
-  name = "NULLPLATFORM-AGENT-API-KEY"
+  name = "AGENT-ASSOCIATION"
 
-  # Grant control plane agent role for core agent operations
+  # Grant control plane agent role for agent operations
   grants {
     nrn       = local.nrn_without_namespace
     role_slug = "controlplane:agent"
   }
 
-  # Grant developer role for application deployment operations
-  grants {
-    nrn       = local.nrn_without_namespace
-    role_slug = "developer"
-  }
-
-  # Grant ops role for operational and maintenance tasks
-  grants {
-    nrn       = local.nrn_without_namespace
-    role_slug = "ops"
-  }
-
-  # Grant secops role for security operations and compliance
-  grants {
-    nrn       = local.nrn_without_namespace
-    role_slug = "secops"
-  }
-  # Grant secrets-reader role for accessing application secrets
-  grants {
-    nrn       = local.nrn_without_namespace
-    role_slug = "secrets-reader"
-  }
-
   tags {
     key   = "managed-by"
     value = "IaC"