Terraform Error while trying to use Azure Key Vault Private Endpoint Resource

I am trying to create a Private Endpoint resource for my KV, which is in the Identity subscription. My Private DNS Zones and Private DNS Zone virtual network links are all in the Connectivity subscription. I have put the code for those two resources in the Connectivity folder.

Now I want to create the Private Endpoint for my KV in the Identity subscription and am using the code below:

resource "azurerm_private_endpoint" "kv_pe" {
  name                = format("pe-%s-%s-%s-%s", local.application_names.workload_type, var.environment, var.location_short_name, var.instance_number)
  resource_group_name = module.resource_group.rg_name_subs
  location            = var.location
  subnet_id           =

  private_dns_zone_group {
    name                 = local.application_name.kv_dns_zone_group_name
    private_dns_zone_ids = [azurerm_private_dns_zone.private_dns_zones["privatelink-vaultcore-azure-net"].id]
  }

  private_service_connection {
    is_manual_connection           = false
    private_connection_resource_id =
    name                           = local.application_names.pes_conn_name_kv
    subresource_names              = ["vault"]
  }

  depends_on = [module.key_vault]
}

TF is throwing the error below while trying to do a plan:

Error: Reference to undeclared resource
│   on subscriptions/identity/ line 417, in resource "azurerm_private_endpoint" "kv_pe":
│  417:     private_dns_zone_ids = [azurerm_private_dns_zone.private_dns_zones["privatelink-vaultcore-azure-net"].id]
│ A managed resource "azurerm_private_dns_zone" "private_dns_zones" has not
│ been declared in module.identity_subscription.

How do I refer to the private DNS zone that I have created under the "" file in the "" where I am creating the KV private endpoint?

My folder structure is shown in the screenshot

  • You can use a data block to reference the existing azurerm_private_dns_zone resource in the file. This can ensure that the file's azurerm_private_dns_zone created in the connectivity folder/module can be accessed by the identity folder/module.

    Here is the updated Terraform code below to reference the private DNS zone from in the block.


    resource "azurerm_private_dns_zone" "kv_private_dns_zone" {
      name                = ""
      resource_group_name = "Venkat-RG"
    }

    data "azurerm_private_dns_zone" "name" {
      name = ""
    }

    resource "azurerm_private_endpoint" "kv_private_endpoint" {
      name                = "venkat-vaulttest"
      resource_group_name = "Venkat-RG"
      location            = "eastus"
      subnet_id           = "/subscriptions/833hgjgja7c-4dafjgjjggjg/resourceGroups/Venkat-RG/providers/Microsoft.Network/virtualNetworks/venkat-vnet/subnets/KV-subnet"

      private_dns_zone_group {
        name                 = "kv-private-dns-group"
        private_dns_zone_ids = []
      }

      private_service_connection {
        is_manual_connection           = false
        private_connection_resource_id = "/subscriptions/8332bf56-aa7c-4daa-a507-d7e60e5f09a9/resourceGroups/Venkat-RG/providers/Microsoft.KeyVault/vaults/venkat-vault"
        name                           = "keyvault-connection"
        subresource_names              = ["vault"]
      }
    }

    provider "azurerm" {
      features {}
      subscription_id = "8332ccccc507-d7e60e5f09a9"
    }

    module "connectivity" {
      source = "./subscription/connectivity"
    }

    module "identity" {
      source     = "./subscription/identity"
      depends_on = [module.connectivity]
    }

    After running the script, the private endpoint was created and attached to the Key Vault.
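
As an added example (not code from the question or the answer): a child module cannot see resources declared in a sibling module, which is what the "Reference to undeclared resource" error reports, so one way to wire this is to export the zone ID as an output of the connectivity module and pass it into the identity module as a variable. File names, source paths, the module name `connectivity_subscription`, the variables `kv_private_dns_zone_id`, `pe_subnet_id` and `key_vault_id`, and the literal names and placeholder IDs are assumptions.

```hcl
# connectivity module, outputs.tf (file names here are assumptions)
output "kv_private_dns_zone_id" {
  description = "ID of the Key Vault privatelink zone, exported for other modules"
  value       = azurerm_private_dns_zone.private_dns_zones["privatelink-vaultcore-azure-net"].id
}

# identity module, variables.tf
variable "kv_private_dns_zone_id" {
  description = "Zone ID received from the connectivity module"
  type        = string

  validation {
    # Reject an ID that is not the Key Vault privatelink zone, so a mis-wired
    # input fails validation instead of registering the endpoint in another zone.
    condition     = can(regex("(?i)/privateDnsZones/privatelink\\.vaultcore\\.azure\\.net$", var.kv_private_dns_zone_id))
    error_message = "Expected the ID of the privatelink.vaultcore.azure.net zone."
  }
}
variable "pe_subnet_id" { type = string } # hypothetical input
variable "key_vault_id" { type = string } # hypothetical input

# identity module, main.tf
resource "azurerm_private_endpoint" "kv_pe" {
  name                = "pe-kv-example"       # constructed name
  resource_group_name = "rg-identity-example" # constructed name
  location            = "eastus"
  subnet_id           = var.pe_subnet_id
  private_dns_zone_group {
    name                 = "kv-private-dns-group"
    private_dns_zone_ids = [var.kv_private_dns_zone_id]
  }
  private_service_connection {
    name                           = "keyvault-connection"
    is_manual_connection           = false
    private_connection_resource_id = var.key_vault_id
    subresource_names              = ["vault"]
  }
}

# root module: the only scope that can see both child modules
module "connectivity_subscription" {
  source = "./subscriptions/connectivity" # assumed path
}

module "identity_subscription" {
  source                 = "./subscriptions/identity" # assumed path
  kv_private_dns_zone_id = module.connectivity_subscription.kv_private_dns_zone_id
  pe_subnet_id           = "<subnet-resource-id>"    # placeholder
  key_vault_id           = "<key-vault-resource-id>" # placeholder
}
```

Passing the ID through an output avoids a data source lookup, which would query whichever subscription the identity module's provider is configured for. The identity that applies the identity module still needs permission on the zone in the Connectivity subscription for the DNS zone group to be created.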

