Added Support for DNS zone in different subscription

clouddrove · Mar 29, 2023 · 35ec489 · 35ec489
1 parent cacc347
commit 35ec489
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 29 deletions.
diff --git a/_example/key-vault-with-RBAC/main.tf b/_example/key-vault-with-RBAC/main.tf
@@ -12,7 +12,6 @@ module "resource_group" {
  location = "Canada Central"
 }
 
-
 #Vnet
 module "vnet" {
  source = "clouddrove/virtual-network/azure"
@@ -46,14 +45,15 @@ module "vnet" {
 
 #Key Vault
 module "vault" {
- depends_on = [module.resource_group, module.vnet]
- source = "./../.."
 
- name = "annkkdsovvdcc"
+ source = "./../.."
+
+ name = "an13xvvdcc"
  environment = "test"
  label_order = ["name", "environment", ]
 
  resource_group_name = module.resource_group.resource_group_name
+ location = module.resource_group.resource_group_location
 
  purge_protection_enabled = false
  enabled_for_disk_encryption = true
@@ -64,6 +64,16 @@ module "vault" {
  virtual_network_id = module.vnet.vnet_id[0]
  #private endpoint
  enable_private_endpoint = true
+ ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
+
+ # diff_sub = true
+ # alias = ""
+ # alias_sub = ""
+
+ #########Following to be uncommmented when using DNS zone from different resource group or different subscription.
+ # existing_private_dns_zone = ""
+ # existing_private_dns_zone_resource_group_name = ""
+
  ##RBAC
  enable_rbac_authorization = true
  principal_id = ["71d1XXXXXXXXXXXXX166d7c97", "2fa59XXXXXXXXXXXXXX82716fb05"]

diff --git a/_example/key-vault-with-access-policy/main.tf b/_example/key-vault-with-access-policy/main.tf
@@ -46,14 +46,14 @@ module "vnet" {
 
 #Key Vault
 module "vault" {
- depends_on = [module.resource_group, module.vnet]
- source = "./../.."
+ source = "./../.."
 
  name = "annkkdsovvdcc"
  environment = "test"
  label_order = ["name", "environment", ]
 
  resource_group_name = module.resource_group.resource_group_name
+ location = module.resource_group.resource_group_location
 
  purge_protection_enabled = false
  enabled_for_disk_encryption = true
@@ -64,6 +64,16 @@ module "vault" {
  virtual_network_id = module.vnet.vnet_id[0]
  #private endpoint
  enable_private_endpoint = true
+ ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
+
+ # diff_sub = true
+ # alias = ""
+ # alias_sub = ""
+
+ #########Following to be uncommmented when using DNS zone from different resource group or different subscription.
+
+ # existing_private_dns_zone = ""
+ # existing_private_dns_zone_resource_group_name = ""
 
  #### enable diagnostic setting
  diagnostic_setting_enable = false

diff --git a/main.tf b/main.tf
@@ -1,17 +1,5 @@
 data "azurerm_client_config" "current_client_config" {}
 
-data "azurerm_resource_group" "default" {
- name = var.resource_group_name
-}
-
-data "azurerm_subscription" "primary" {
-}
-
-locals {
- resource_group_name = data.azurerm_resource_group.default.name
- resource_group_id = data.azurerm_resource_group.default.id
- location = data.azurerm_resource_group.default.location
-}
 
 module "labels" {
 
@@ -27,8 +15,8 @@ module "labels" {
 
 resource "azurerm_key_vault" "key_vault" {
  name = format("%s-kv", module.labels.id)
- location = local.location
- resource_group_name = local.resource_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
  enabled_for_disk_encryption = var.enabled_for_disk_encryption
  tenant_id = data.azurerm_client_config.current_client_config.tenant_id
  purge_protection_enabled = var.purge_protection_enabled
@@ -74,11 +62,17 @@ resource "azurerm_key_vault_secret" "key_vault_secret" {
  value = each.value
 }
 
+provider "azurerm" {
+ alias = "peer"
+ features {}
+ subscription_id = var.alias_sub
+}
+
 resource "azurerm_private_endpoint" "pep" {
  count = var.enable_private_endpoint ? 1 : 0
  name = format("%s-pe-kv", module.labels.id)
- location = local.location
- resource_group_name = local.resource_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
  subnet_id = var.subnet_id
  tags = module.labels.tags
  # private_dns_zone_group {
@@ -100,14 +94,14 @@ resource "azurerm_private_endpoint" "pep" {
 }
 
 locals {
- valid_rg_name = var.existing_private_dns_zone == null ? local.resource_group_name : var.existing_private_dns_zone_resource_group_name
+ valid_rg_name = var.existing_private_dns_zone == null ? var.resource_group_name : var.existing_private_dns_zone_resource_group_name
  private_dns_zone_name = var.existing_private_dns_zone == null ? join("", azurerm_private_dns_zone.dnszone.*.name) : var.existing_private_dns_zone
 }
 
 data "azurerm_private_endpoint_connection" "private-ip" {
  count = var.enabled && var.enable_private_endpoint ? 1 : 0
  name = join("", azurerm_private_endpoint.pep.*.name)
- resource_group_name = local.resource_group_name
+ resource_group_name = var.resource_group_name
  depends_on = [azurerm_key_vault.key_vault]
 }
 
@@ -120,12 +114,22 @@ data "azurerm_private_endpoint_connection" "private-ip" {
 resource "azurerm_private_dns_zone" "dnszone" {
  count = var.enabled && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
  name = "privatelink.vaultcore.azure.net"
- resource_group_name = local.resource_group_name
+ resource_group_name = var.resource_group_name
  tags = module.labels.tags
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "vent-link" {
- count = var.enabled && var.enable_private_endpoint ? 1 : 0
+ count = var.enabled && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0
+ name = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-kv", module.labels.id) : format("%s-pdz-vnet-link-kv-1", module.labels.id)
+ resource_group_name = local.valid_rg_name
+ private_dns_zone_name = local.private_dns_zone_name
+ virtual_network_id = var.virtual_network_id
+ tags = module.labels.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-1" {
+ provider = azurerm.peer
+ count = var.enabled && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
  name = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-kv", module.labels.id) : format("%s-pdz-vnet-link-kv-1", module.labels.id)
  resource_group_name = local.valid_rg_name
  private_dns_zone_name = local.private_dns_zone_name
@@ -143,7 +147,23 @@ resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" {
 }
 
 resource "azurerm_private_dns_a_record" "arecord" {
- count = var.enabled && var.enable_private_endpoint ? 1 : 0
+ count = var.enabled && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0
+ name = join("", azurerm_key_vault.key_vault.*.name)
+ zone_name = local.private_dns_zone_name
+ resource_group_name = local.valid_rg_name
+ ttl = 3600
+ records = [data.azurerm_private_endpoint_connection.private-ip.0.private_service_connection.0.private_ip_address]
+ tags = module.labels.tags
+ lifecycle {
+ ignore_changes = [
+ tags,
+ ]
+ }
+}
+
+resource "azurerm_private_dns_a_record" "arecord-1" {
+ count = var.enabled && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
+ provider = azurerm.peer
  name = join("", azurerm_key_vault.key_vault.*.name)
  zone_name = local.private_dns_zone_name
  resource_group_name = local.valid_rg_name
@@ -159,8 +179,8 @@ resource "azurerm_private_dns_a_record" "arecord" {
 
 resource "azurerm_user_assigned_identity" "example" {
  count = var.enabled ? 1 : 0
- resource_group_name = local.resource_group_name
- location = local.location
+ resource_group_name = var.resource_group_name
+ location = var.location
  name = format("midd-keyvault-%s", module.labels.id)
 }
 

diff --git a/variables.tf b/variables.tf
@@ -43,6 +43,12 @@ variable "resource_group_name" {
 
 }
 
+variable "location" {
+ type = string
+ default = null
+ description = "Location where resource group will be created."
+}
+
 
 variable "tags" {
  type = map(string)
@@ -258,3 +264,24 @@ variable "eventhub_authorization_rule_id" {
  default = null
  description = "Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data."
 }
+
+variable "diff_sub" {
+ # To be set true when hosted DNS zone is in different subnscription.
+ type = bool
+ default = false
+ description = "Flag to tell whether dns zone is in different sub or not."
+}
+
+variable "alias" {
+ # To be set when you are using a DNS zone from different subscription.
+ type = string
+ default = null
+ description = "Alias for local provider in module."
+}
+
+variable "alias_sub" {
+ # To be set when you are using a DNS zone from different subscription.
+ type = string
+ default = null
+ description = "Different subscription id for local provider(id of diff sub in which DNS zone is present)."
+}