diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index 8f7054088ae..c066fb2e4ab 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -172,7 +172,7 @@ locals {
           "pp-cafmwebx.az.justice.gov.uk",
           "pp-cafmtx.az.justice.gov.uk",
         ]
-        external_validation_records_created = false
+        external_validation_records_created = true
         cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
         tags = {
           description = "wildcard cert for planetfm ${local.environment} domains"
diff --git a/terraform/modules/acm_certificate/README.md b/terraform/modules/acm_certificate/README.md
index 94ea5283875..58a0caa7309 100644
--- a/terraform/modules/acm_certificate/README.md
+++ b/terraform/modules/acm_certificate/README.md
@@ -11,6 +11,8 @@ in the `validation_records_external` output.
 Step 2: Set the `external_validation_records_created` variable to true
 to validate the certificate.
 
+If the DNS zone which is being added to a certificate is in azure i.e. in example.az.justice.gov.uk then the step which needs to be carried out BEFORE Step 2. is as follows: these need to be created manually by adding them to dso-infra-azure-fixngo repo under the relevant locals. See NOMSDigitalStudioProduction1/webops-prod/dns_records.tf for an example.
+
 Example usage:
 
 ```