Fix: Sanitize DNS zone tags to comply with Azure DNS key restrictions #499
Issue #, if available: Related to Azure DNS tagging limitations where tag keys with spaces, parentheses, or leading numbers violate Azure DNS restrictions.
Description
Azure DNS zones reject tag keys containing spaces or parentheses, causing drift when connectivity tags merge into DNS resources. This implements automatic tag key sanitization for virtual_hubs.private_dns_zones with three-tier fallback logic.
Changes
- ConvertTo-DnsSafeTags.ps1: Strips spaces/parentheses from tag keys, prefixes numeric-leading keys with underscore
- Set-DnsSafeTagsForVirtualHubs.ps1: Applies DNS zone tags → connectivity tags → overall tags (all sanitized)
- Write-TfvarsJsonFile.ps1: Detects virtual_hubs and applies sanitization before writing tfvars
Behavior
Testing
License
By submitting this pull request, I confirm that my contribution is made under the terms of the project's associated license.
Original prompt
This section details the original issue you should resolve
<issue_title>Bug: Azure DNS / Private DNS tagging: module applies tag keys with spaces, causing drift and conflicts with documented limitations</issue_title>
<issue_description>### Is there an existing issue for this?
Infrastructure as Code Type? (Required)
terraform
PowerShell Module Version (Optional)
latest
Bootstrap Module Version (Optional)
latest
Starter Module? (Required)
terraform - platform_landing_zone
Starter Module Version (Optional)
No response
Input arguments of the ALZ-PowerShell-Module (Optional)
virtual_hubs = {
  primary = {
    location = "$${starter_location_01}"
    /*
    NOTE: We are defaulting to a separate resource group for the hub per best practice for resiliency
    However, there is a known limitation with the portal experience: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#can-hubs-be-created-in-different-resource-groups-in-virtual-wan
    If you prefer to use the same resource group as the vwan, then set this to
    $${connectivity_hub_vwan_resource_group_name}
    */
    default_parent_id = "$${primary_connectivity_resource_group_id}"
    enabled_resources = {
      firewall                              = "$${primary_firewall_enabled}"
      firewall_policy                       = "$${primary_firewall_enabled}" # Firewall policy depends on firewall
      bastion                               = "$${primary_bastion_enabled}"
      virtual_network_gateway_express_route = "$${primary_virtual_network_gateway_express_route_enabled}"
      virtual_network_gateway_vpn           = "$${primary_virtual_network_gateway_vpn_enabled}"
      private_dns_zones                     = "$${primary_private_dns_zones_enabled}"
      private_dns_resolver                  = "$${primary_private_dns_resolver_enabled}"
      sidecar_virtual_network               = "$${primary_sidecar_virtual_network_enabled}"
    }
    hub = {
      name                   = "$${primary_hub_name}"
      address_prefix         = "$${primary_hub_address_space}"
      hub_routing_preference = "VpnGateway" # Default is "ExpressRoute"
    }
    /*
    firewall = {
      name = "$${primary_firewall_name}"
    }
    firewall_policy = {
      name = "$${primary_firewall_policy_name}"
    }
    */
    virtual_network_gateways = {
      /*
      express_route = {
        name = "$${primary_virtual_network_gateway_express_route_name}"
      }
      */
      vpn = {
        name = "$${primary_virtual_network_gateway_vpn_name}"
      }
    }
    private_dns_zones = {
      resource_group_name = "$${dns_resource_group_name}"
      private_link_private_dns_zones_regex_filter = {
        enabled = false
      }
      auto_registration_zone_enabled = "$${primary_private_dns_auto_registration_zone_enabled}"
      auto_registration_zone_name    = "$${primary_auto_registration_zone_name}"
    }
  }
}
Debug Output/Panic Output (Optional)
Expected Behaviour (Required)
Given Azure’s documented limitation for DNS tags:
-> “Azure DNS zones don't support the use of spaces or parentheses in the tag or a tag that starts with a number.”
-> https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
I expect:
To provide a clear way to avoid applying tag keys with spaces to Azure DNS / Private DNS resources only.
When I set
private_dns_zones.tags in virtual_hubs to a DNS-safe map: ...
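The sanitization rules the PR description lists (strip spaces and parentheses from tag keys, prefix a key that starts with a digit with an underscore, and fall back DNS zone tags → connectivity tags → overall tags), written out as a stand-alone PowerShell example. This is added illustration, not the module's own ConvertTo-DnsSafeTags.ps1 or Set-DnsSafeTagsForVirtualHubs.ps1: the function names, the validator regex, the collision check and the sample tag map are assumptions constructed for this example. It goes one step beyond the stated rules in two places a practitioner would want covered: two distinct source keys that collapse to the same sanitized key (for instance "Cost Center" and "CostCenter") are reported as an error instead of one silently overwriting the other, and a key that sanitizes to an empty string is dropped rather than emitted.

```powershell
# Added example, not the ALZ-PowerShell-Module's code. Implements the rules the PR
# describes for Azure DNS zone tag keys (no spaces, no parentheses, no leading digit)
# plus the DNS zone -> connectivity -> overall fallback. Function names and sample
# data are constructed for illustration.

function Test-DnsSafeTagKey {
    # Returns $true when a key satisfies the documented Azure DNS zone restriction:
    # no whitespace, no parentheses, and not starting with a number.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Key)
    return $Key -match '^[^\d\s()][^\s()]*$'
}

function ConvertTo-DnsSafeTagKey {
    # Strips spaces and parentheses; prefixes "_" when the remainder starts with a digit.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Key)
    $clean = $Key -replace '[\s()]', ''
    if ($clean -match '^\d') { $clean = "_$clean" }
    return $clean
}

function ConvertTo-DnsSafeTagMap {
    # Sanitizes every key of a tag map. Fails loudly on key collisions so a real
    # tagging conflict is not hidden behind a silent overwrite.
    param([Parameter(Mandatory)][hashtable]$Tags)
    $result = [ordered]@{}
    foreach ($key in $Tags.Keys) {
        $safeKey = ConvertTo-DnsSafeTagKey -Key $key
        if ([string]::IsNullOrEmpty($safeKey)) {
            # A key such as "()" or " " leaves nothing behind; skip it instead of emitting "".
            Write-Warning "Dropping tag '$key': nothing left after sanitization."
            continue
        }
        if ($result.Contains($safeKey) -and $result[$safeKey] -ne $Tags[$key]) {
            throw "Tag key collision after sanitization: '$key' -> '$safeKey' is already set to '$($result[$safeKey])'."
        }
        $result[$safeKey] = $Tags[$key]
    }
    return $result
}

function Resolve-DnsZoneTags {
    # Three-tier fallback: the first non-empty map wins, and whichever map is chosen
    # is sanitized, so a caller-supplied DNS zone map is checked too.
    param(
        [hashtable]$DnsZoneTags,
        [hashtable]$ConnectivityTags,
        [hashtable]$OverallTags
    )
    foreach ($candidate in @($DnsZoneTags, $ConnectivityTags, $OverallTags)) {
        if ($null -ne $candidate -and $candidate.Count -gt 0) {
            return ConvertTo-DnsSafeTagMap -Tags $candidate
        }
    }
    return [ordered]@{}
}

# Constructed sample input modelled on the issue: a space, parentheses and a leading digit.
$connectivityTags = @{
    'Cost Center'  = 'CC-1234'
    'Owner (team)' = 'platform'
    '2024-budget'  = 'approved'
    'environment'  = 'prod'
}

# No DNS-zone-specific tags supplied, so the connectivity tags are chosen and sanitized.
$dnsTags = Resolve-DnsZoneTags -DnsZoneTags @{} -ConnectivityTags $connectivityTags -OverallTags @{ env = 'prod' }
$dnsTags.GetEnumerator() | ForEach-Object {
    '{0} = {1}  (DNS-safe: {2})' -f $_.Key, $_.Value, (Test-DnsSafeTagKey -Key $_.Key)
}

# The collision case the plain rules would hide: both keys sanitize to "CostCenter".
try {
    ConvertTo-DnsSafeTagMap -Tags @{ 'Cost Center' = 'CC-1234'; 'CostCenter' = 'CC-9999' } | Out-Null
} catch {
    Write-Host "Expected failure: $($_.Exception.Message)"
}
```

Run it with pwsh; Test-DnsSafeTagKey is the check to keep separate from the converter, because a map that already claims to be DNS-safe (the private_dns_zones.tags case the issue asks for) should be validated rather than rewritten, and a validation failure there points at the user's input, not at the merge.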