quixio
diff --git a/‎BASTION_ACCESS.md‎
Lines changed: 1 addition & 24 deletions b/‎BASTION_ACCESS.md‎
Lines changed: 1 addition & 24 deletions
diff --git a/‎README.md‎
Lines changed: 23 additions & 1 deletion b/‎README.md‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎examples/private-quix-infr-external-vnet/main.tf‎
Lines changed: 3 additions & 11 deletions b/‎examples/private-quix-infr-external-vnet/main.tf‎
Lines changed: 3 additions & 11 deletions
diff --git a/‎examples/private-quix-infr/main.tf‎
Lines changed: 40 additions & 24 deletions b/‎examples/private-quix-infr/main.tf‎
Lines changed: 40 additions & 24 deletions
diff --git a/‎examples/public-quix-infr-tiered-storage/main.tf‎
Lines changed: 1 addition & 1 deletion b/‎examples/public-quix-infr-tiered-storage/main.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/public-quix-infr/main.tf‎
Lines changed: 1 addition & 1 deletion b/‎examples/public-quix-infr/main.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/quix-aks/README.md‎
Lines changed: 13 additions & 12 deletions b/‎modules/quix-aks/README.md‎
Lines changed: 13 additions & 12 deletions
diff --git a/‎modules/quix-aks/aks.tf‎
Lines changed: 3 additions & 2 deletions b/‎modules/quix-aks/aks.tf‎
Lines changed: 3 additions & 2 deletions
@@ -9,32 +9,9 @@ This guide shows how to connect to a private AKS cluster using Azure Bastion, ei
 - Azure CLI installed locally
 - Your SSH private key corresponding to jumpbox_ssh_public_key
 
-## Option A: Run kubectl from the Jumpbox
 
-1. Open an SSH session to the jumpbox via Bastion (Native client):
-```bash
-export RG="<RESOURCE_GROUP>"
-export BASTION="<BASTION_NAME>"
-export VM="<JUMPBOX_NAME>"
-export SSH_KEY="$HOME/.ssh/id_rsa"
-
-VM_ID=$(az vm show -g "$RG" -n "$VM" --query id -o tsv)
-az network bastion ssh \
-  --name "$BASTION" \
-  --resource-group "$RG" \
-  --target-resource-id "$VM_ID" \
-  --auth-type ssh-key --username <ADMIN_USERNAME> --ssh-key $SSH_KEY
-```
-
-2. Inside the VM, authenticate and fetch kubeconfig:
-```bash
-az login --use-device-code
-az account set --subscription "<SUBSCRIPTION_ID>"
-az aks get-credentials -g "<RESOURCE_GROUP>" -n "<AKS_NAME>" --overwrite-existing
-kubectl get nodes -o wide
-```
 
-## Option B: Run kubectl from your local machine (Bastion tunneling)
+## Run kubectl from your local machine (Bastion tunneling)
 
 1. Start SSH tunnel to the VM via Bastion:
 ```bash
 
@@ -46,6 +46,28 @@ module "quix_aks" {
 }
 ```
 
+### Private DNS Zone for Private Clusters
+
+When deploying a private AKS cluster, you can control how the Private DNS Zone is managed using the `private_dns_zone_id` variable:
+
+```hcl
+module "quix_aks" {
+  # ...
+  private_cluster_enabled = true
+  
+  # Option 1: Let AKS manage the Private DNS Zone automatically (default)
+  private_dns_zone_id = "System"
+  
+  # Option 2: Disable Private DNS Zone management (manual DNS configuration required)
+  # private_dns_zone_id = "None"
+  
+  # Option 3: Use an existing Private DNS Zone (BYO)
+  # private_dns_zone_id = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.<region>.azmk8s.io"
+}
+```
+
+**Note:** When using an existing Private DNS Zone (Option 3), the module automatically assigns the `Private DNS Zone Contributor` role to the AKS cluster identity.
+
 ## Tiered Storage module (tiered-storage)
 
 Module documentation (inputs/outputs/resources):
@@ -115,7 +137,7 @@ module "quix_aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "my-nat-id"
+  identity_name = "my-nat-id"
   public_ip_name    = "my-nat-ip"
   nat_gateway_name  = "my-nat"
   availability_zone = "1"
 
@@ -79,16 +79,10 @@ module "aks" {
   sku_tier                = "Standard"
   private_cluster_enabled = true
 
-  vnet_name          = "vnet-quix-private"
-  vnet_address_space = ["10.240.0.0/16"]
-  nodes_subnet_name  = "Subnet-Nodes"
-  nodes_subnet_cidr  = "10.240.0.0/22"
+  vnet_name          = azurerm_virtual_network.ext.name
+  nodes_subnet_name  = azurerm_subnet.nodes_ext.name
 
-  # Reuse external VNet/Subnets
-  vnet_id         = azurerm_virtual_network.ext.id
-  nodes_subnet_id = azurerm_subnet.nodes_ext.id
-
-  nat_identity_name = "quix-private-nat-id"
+  identity_name     = "quix-private-nat-id"
   public_ip_name    = "quix-private-nat-ip"
   nat_gateway_name  = "quix-private-nat"
   availability_zone = "2"
@@ -117,8 +111,6 @@ module "aks" {
   create_bastion_subnet = false
   enable_bastion        = true
   bastion_name          = "quix-bastion"
-  # Reuse external Bastion subnet & IP
-  bastion_subnet_id = azurerm_subnet.bastion_ext.id
 
   jumpbox_name           = "quix-jumpbox"
   jumpbox_vm_size        = "Standard_B2s"
 
@@ -20,25 +20,60 @@ resource "azurerm_resource_group" "this" {
 module "aks" {
   source = "../../modules/quix-aks"
 
+  # Core + RG
   name                    = "quix-aks-private"
   location                = "westeurope"
   resource_group_name     = "rg-quix-private"
   create_resource_group   = false
   kubernetes_version      = "1.32.4"
   sku_tier                = "Standard"
   private_cluster_enabled = true
-
+  # Use existing Private DNS Zone for the AKS private API server:
+  #   - "System" lets AKS manage it automatically (default)
+  #   - "None" disables creation/association (you must manage DNS yourself)
+  #   - "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.westeurope.azmk8s.io"
+  #     to reuse an existing zone
+  private_dns_zone_id = "System"
+
+  # Networking (VNet/Subnet)
   vnet_name          = "vnet-quix-private"
   vnet_address_space = ["10.240.0.0/16"]
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-private-nat-id"
+  # Network profile
+  network_profile = {
+    network_plugin_mode = "overlay"
+    service_cidr        = "172.22.0.0/16"
+    dns_service_ip      = "172.22.0.10"
+    pod_cidr            = "10.144.0.0/16"
+  }
+
+  # NAT (names reserved even if not used with userDefinedRouting)
+  identity_name     = "quix-private-nat-id"
   public_ip_name    = "quix-private-nat-ip"
   nat_gateway_name  = "quix-private-nat"
   availability_zone = "2"
 
-  enable_credentials_fetch = true
+  # Bastion
+  create_bastion_subnet  = true
+  enable_bastion         = true
+  bastion_subnet_cidr    = "10.240.5.0/27"
+  bastion_name           = "quix-bastion"
+  bastion_public_ip_name = "quix-bastion-ip"
+
+  # Jumpbox
+  jumpbox_name           = "quix-jumpbox"
+  jumpbox_vm_size        = "Standard_B2s"
+  jumpbox_admin_username = "azureuser"
+  jumpbox_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3Zz+tHUEI7ulzE69GxtLwi9DOvROBG4aI7h3za2FAP6Ya9/GhG2zcBiKOzk3SlKavE3/5NomgGifTC/ica6rTPlpb4U5oky/2phs9AtczVVI2G+yNC43hJzVhWbqKT3qAGGCGEm2+Cpxx7spKEbZAfAcq5GxL3k9kTcpaQEv3hpVvqK3zlCziHyahUv1pxQGuX3b2hqi4idgFX3m0FaqU98DtQu/I9x95jXHrb7Wltp3sbTSKCDxGo3nk4plpzILs/OqTMSPpfxwarCXA1ZtU82hyWO4Szn2U4I+MbuNaO/dso1oNlprqJQgsQ8t+hawCdIHeZ00M/QELdnYldBjo1jM19AT1OwMcB7PP7GRTNv7YsDW10YCvX9XRPab66PIKpe5R4IG/n6TzEwUP2pb4hRJWvnPJzrHK5HEJg7G7baCEyjCtaWkL4M7dBxIGJ3sp9IfjdeztV2Llh+hYmwPefTejprER+Q/qHZTNr1wEW4BV0TQQd+jeqdIL4QkIno3IyM3IBX+uPM/WlSpi2sT+hDqiUcCRu/x21O/bVYz/UbeHIqptRDfGc5rVoAN/zc/kGsGeGuP3auyI6aQxlnU0wMDdyS8rf3SpWagOB2UFNxZSuU2gnYdtz2uWG4vF75Sqr04MFJImHIY4N7gHJrvdarg6YBaDDnmdREcqp3ooAw=="
+
+  # Features
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+  enable_credentials_fetch  = true
+
+  # Node pools
   node_pools = {
     default = {
       name       = "default"
@@ -56,32 +91,13 @@ module "aks" {
     }
   }
 
-  network_profile = {
-    network_plugin_mode = "overlay"
-    service_cidr        = "172.22.0.0/16"
-    dns_service_ip      = "172.22.0.10"
-    pod_cidr            = "10.144.0.0/16"
-  }
-
-  enable_bastion         = true
-  bastion_subnet_cidr    = "10.240.5.0/27"
-  bastion_name           = "quix-bastion"
-  bastion_public_ip_name = "quix-bastion-ip"
-
-  jumpbox_name           = "quix-jumpbox"
-  jumpbox_vm_size        = "Standard_B2s"
-  jumpbox_admin_username = "azureuser"
-  jumpbox_ssh_public_key = "ssh-rsa ......"
-
-  oidc_issuer_enabled       = true
-  workload_identity_enabled = true
-
-
+  # Tags
   tags = {
     environment = "demo"
     project     = "Quix"
   }
 
+  # Dependencies
   depends_on = [azurerm_resource_group.this]
 }
 
 
@@ -27,7 +27,7 @@ module "aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-public-nat-id"
+  identity_name     = "quix-public-nat-id"
   public_ip_name    = "quix-public-nat-ip"
   nat_gateway_name  = "quix-public-nat"
   availability_zone = "1"
 
@@ -27,7 +27,7 @@ module "aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-public-nat-id"
+  identity_name     = "quix-public-nat-id"
   public_ip_name    = "quix-public-nat-ip"
   nat_gateway_name  = "quix-public-nat"
   availability_zone = "1"
 
@@ -32,6 +32,7 @@ No modules.
 | [azurerm_public_ip.nat_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.aks_nodes_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.aks_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_subnet.bastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
@@ -43,8 +44,9 @@ No modules.
 | [azurerm_resource_group.existing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_role_definition.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
 | [azurerm_role_definition.network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
-| [azurerm_subnet.bastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.nodes](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_role_definition.private_dns_zone_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
+| [azurerm_subnet.existing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.existing_bastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_virtual_network.existing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
@@ -57,14 +59,14 @@ No modules.
 | <a name="input_bastion_public_ip_id"></a> [bastion\_public\_ip\_id](#input\_bastion\_public\_ip\_id) | Existing Bastion Public IP ID to reuse (skip public IP creation when set) | `string` | `null` | no |
 | <a name="input_bastion_public_ip_name"></a> [bastion\_public\_ip\_name](#input\_bastion\_public\_ip\_name) | Name of the Public IP for Azure Bastion | `string` | `"QuixBastionIP"` | no |
 | <a name="input_bastion_subnet_cidr"></a> [bastion\_subnet\_cidr](#input\_bastion\_subnet\_cidr) | CIDR for AzureBastionSubnet | `string` | `"10.0.64.0/27"` | no |
-| <a name="input_bastion_subnet_id"></a> [bastion\_subnet\_id](#input\_bastion\_subnet\_id) | Existing AzureBastionSubnet ID to reuse (skip subnet creation when set) | `string` | `null` | no |
 | <a name="input_create_bastion_subnet"></a> [create\_bastion\_subnet](#input\_create\_bastion\_subnet) | Whether to create AzureBastionSubnet (set false when supplying bastion\_subnet\_id) | `bool` | `true` | no |
 | <a name="input_create_nat"></a> [create\_nat](#input\_create\_nat) | Whether to create NAT Gateway and its Public IP (set false to bring your own) | `bool` | `true` | no |
 | <a name="input_create_nodes_subnet"></a> [create\_nodes\_subnet](#input\_create\_nodes\_subnet) | Whether to create the nodes subnet (set false when using external nodes\_subnet\_id) | `bool` | `true` | no |
 | <a name="input_create_resource_group"></a> [create\_resource\_group](#input\_create\_resource\_group) | Whether to create the resource group | `bool` | `true` | no |
 | <a name="input_create_vnet"></a> [create\_vnet](#input\_create\_vnet) | Whether to create the VNet (set false when using external vnet\_id) | `bool` | `true` | no |
 | <a name="input_enable_bastion"></a> [enable\_bastion](#input\_enable\_bastion) | Deploy Azure Bastion and its required subnet | `bool` | `false` | no |
 | <a name="input_enable_credentials_fetch"></a> [enable\_credentials\_fetch](#input\_enable\_credentials\_fetch) | Run az aks get-credentials after creating the cluster | `bool` | `false` | no |
+| <a name="input_identity_name"></a> [identity\_name](#input\_identity\_name) | Name of the user-assigned managed identity for the AKS cluster | `string` | n/a | yes |
 | <a name="input_jumpbox_admin_username"></a> [jumpbox\_admin\_username](#input\_jumpbox\_admin\_username) | Admin username for the jumpbox | `string` | `"azureuser"` | no |
 | <a name="input_jumpbox_name"></a> [jumpbox\_name](#input\_jumpbox\_name) | Name of the jumpbox VM | `string` | `"quix-jumpbox"` | no |
 | <a name="input_jumpbox_ssh_public_key"></a> [jumpbox\_ssh\_public\_key](#input\_jumpbox\_ssh\_public\_key) | SSH public key for the jumpbox admin user | `string` | `""` | no |
@@ -73,22 +75,21 @@ No modules.
 | <a name="input_location"></a> [location](#input\_location) | Azure region | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name of the AKS cluster | `string` | n/a | yes |
 | <a name="input_nat_gateway_id"></a> [nat\_gateway\_id](#input\_nat\_gateway\_id) | Existing NAT Gateway ID to associate when create\_nat is false | `string` | `null` | no |
-| <a name="input_nat_gateway_name"></a> [nat\_gateway\_name](#input\_nat\_gateway\_name) | Name of the NAT Gateway | `string` | n/a | yes |
-| <a name="input_nat_identity_name"></a> [nat\_identity\_name](#input\_nat\_identity\_name) | Name of the managed identity for NAT | `string` | n/a | yes |
+| <a name="input_nat_gateway_name"></a> [nat\_gateway\_name](#input\_nat\_gateway\_name) | Name of the NAT Gateway | `string` | `null` | no |
 | <a name="input_network_profile"></a> [network\_profile](#input\_network\_profile) | AKS network profile | <pre>object({<br/>    network_plugin_mode = string # "overlay" or "vnet"<br/>    service_cidr        = string<br/>    dns_service_ip      = string<br/>    pod_cidr            = optional(string)<br/>    network_policy      = optional(string, "calico")<br/>    outbound_type       = optional(string, "userAssignedNATGateway")<br/>  })</pre> | n/a | yes |
 | <a name="input_node_pools"></a> [node\_pools](#input\_node\_pools) | Map of additional node pools (include a 'system' pool to override default) | <pre>map(object({<br/>    name       = string<br/>    type       = string # system | user<br/>    node_count = number<br/>    vm_size    = string<br/>    max_pods   = optional(number)<br/>    taints     = optional(list(string))<br/>    labels     = optional(map(string))<br/>    mode       = optional(string) # system | user (overrides type)<br/>  }))</pre> | `{}` | no |
-| <a name="input_nodes_subnet_cidr"></a> [nodes\_subnet\_cidr](#input\_nodes\_subnet\_cidr) | CIDR for the AKS nodes subnet | `string` | n/a | yes |
-| <a name="input_nodes_subnet_id"></a> [nodes\_subnet\_id](#input\_nodes\_subnet\_id) | Existing nodes subnet ID to reuse (skip subnet creation when set) | `string` | `null` | no |
-| <a name="input_nodes_subnet_name"></a> [nodes\_subnet\_name](#input\_nodes\_subnet\_name) | Name of the AKS nodes subnet | `string` | n/a | yes |
+| <a name="input_nodes_subnet_cidr"></a> [nodes\_subnet\_cidr](#input\_nodes\_subnet\_cidr) | CIDR for the AKS nodes subnet | `string` | `null` | no |
+| <a name="input_nodes_subnet_name"></a> [nodes\_subnet\_name](#input\_nodes\_subnet\_name) | Name of the AKS nodes subnet | `string` | `null` | no |
 | <a name="input_oidc_issuer_enabled"></a> [oidc\_issuer\_enabled](#input\_oidc\_issuer\_enabled) | Enable OIDC issuer | `bool` | `true` | no |
 | <a name="input_private_cluster_enabled"></a> [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | Enable AKS private cluster | `bool` | `false` | no |
-| <a name="input_public_ip_name"></a> [public\_ip\_name](#input\_public\_ip\_name) | Name of the public IP for NAT Gateway | `string` | n/a | yes |
+| <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS Zone to use for AKS API server when private cluster is enabled. Accepts "System", "None", or a Private DNS Zone resource ID. | `string` | `"System"` | no |
+| <a name="input_public_ip_name"></a> [public\_ip\_name](#input\_public\_ip\_name) | Name of the public IP for NAT Gateway | `string` | `null` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Resource group name (existing or to be created) | `string` | n/a | yes |
 | <a name="input_sku_tier"></a> [sku\_tier](#input\_sku\_tier) | AKS tier (Free or Standard) | `string` | `"Standard"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources | `map(string)` | `{}` | no |
-| <a name="input_vnet_address_space"></a> [vnet\_address\_space](#input\_vnet\_address\_space) | Address space for the Virtual Network | `list(string)` | n/a | yes |
-| <a name="input_vnet_id"></a> [vnet\_id](#input\_vnet\_id) | Existing VNet ID to reuse (skip VNet creation when set) | `string` | `null` | no |
-| <a name="input_vnet_name"></a> [vnet\_name](#input\_vnet\_name) | Name of the Virtual Network | `string` | n/a | yes |
+| <a name="input_vnet_address_space"></a> [vnet\_address\_space](#input\_vnet\_address\_space) | Address space for the Virtual Network | `list(string)` | `null` | no |
+| <a name="input_vnet_name"></a> [vnet\_name](#input\_vnet\_name) | Name of the Virtual Network | `string` | `null` | no |
+| <a name="input_vnet_resource_group"></a> [vnet\_resource\_group](#input\_vnet\_resource\_group) | Resource group name where the VNet (and its subnets) reside. Defaults to module RG when null | `string` | `null` | no |
 | <a name="input_workload_identity_enabled"></a> [workload\_identity\_enabled](#input\_workload\_identity\_enabled) | Enable workload identity | `bool` | `true` | no |
 
 ## Outputs
 
@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster" "this" {
   kubernetes_version      = var.kubernetes_version
   sku_tier                = var.sku_tier
   private_cluster_enabled = var.private_cluster_enabled
+  private_dns_zone_id     = var.private_cluster_enabled ? var.private_dns_zone_id : null
 
   oidc_issuer_enabled       = var.oidc_issuer_enabled
   workload_identity_enabled = var.workload_identity_enabled
@@ -18,7 +19,7 @@ resource "azurerm_kubernetes_cluster" "this" {
     name           = local.system_pool_name
     node_count     = local.system_pool.node_count
     vm_size        = local.system_pool.vm_size
-    vnet_subnet_id = coalesce(try(azurerm_subnet.nodes[0].id, null), var.nodes_subnet_id)
+    vnet_subnet_id = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.existing[0].id, null))
 
     upgrade_settings {
       max_surge                     = "10%"
@@ -67,7 +68,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "additional" {
   kubernetes_cluster_id = azurerm_kubernetes_cluster.this.id
   vm_size               = each.value.vm_size
   node_count            = each.value.node_count
-  vnet_subnet_id        = coalesce(try(azurerm_subnet.nodes[0].id, null), var.nodes_subnet_id)
+  vnet_subnet_id        = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.existing[0].id, null))
   mode                  = lower(coalesce(each.value.mode, each.value.type)) == "system" ? "System" : "User"
   node_taints           = coalesce(each.value.taints, null)
   orchestrator_version  = var.kubernetes_version