Move non-core DNS zones outside network module

CHANGELOG.md

@@ -27,7 +27,9 @@ FEATURES:
 
 ENHANCEMENTS:
 * Add support for referencing IP Groups from the Core Resource Group in firewall rules created via the pipeline [#3089](https://github.com/microsoft/AzureTRE/pull/3089)
+* Support for _Azure Firewall Basic_ SKU [#3107](https://github.com/microsoft/AzureTRE/pull/3107). This SKU doesn't support deallocation and for most non 24/7 scenarios will be more expensive than the Standard SKU.
 * Update Azure Machine Learning Workspace Service to support "no public IP" compute. This is a full rework so upgrades of existing Azure ML Workspace Service deployments are not supported. Requires `v0.8.0` or later of the TRE project.  [#3052](https://github.com/microsoft/AzureTRE/pull/3052)
+* Move non-core DNS zones out of the network module to reduce dependencies [#3119](https://github.com/microsoft/AzureTRE/pull/3119)
 
 BUG FIXES:
 

core/terraform/dns_zones_non_core.tf

@@ -0,0 +1,22 @@
+# the zones defined in this file aren't used by the core system,
+# but are a preperation for shared/workspace services deployment.
+
+resource "azurerm_private_dns_zone" "non_core" {
+  for_each            = local.private_dns_zone_names_non_core
+  name                = each.key
+  resource_group_name = azurerm_resource_group.core.name
+  tags                = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+# since shared services are in the core network, their dns link could exist once and must be defined here.
+resource "azurerm_private_dns_zone_virtual_network_link" "mysql" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.mysql.database.azure.com"].name
+  name                  = azurerm_private_dns_zone.non_core["privatelink.mysql.database.azure.com"].name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}

core/terraform/locals.tf

@@ -12,4 +12,23 @@ locals {
 
   # https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
   azure_portal_cosmos_ips = "104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
+
+  # we define some zones in core despite not used by the core infra because
+  # it's the easier way to make them available to other services in the system.
+  private_dns_zone_names_non_core = toset([
+    "privatelink.purview.azure.com",
+    "privatelink.purviewstudio.azure.com",
+    "privatelink.sql.azuresynapse.net",
+    "privatelink.dev.azuresynapse.net",
+    "privatelink.azuresynapse.net",
+    "privatelink.dfs.core.windows.net",
+    "privatelink.azurehealthcareapis.com",
+    "privatelink.dicom.azurehealthcareapis.com",
+    "privatelink.api.azureml.ms",
+    "privatelink.cert.api.azureml.ms",
+    "privatelink.notebooks.azure.net",
+    "privatelink.postgres.database.azure.com",
+    "nexus-${var.tre_id}.${var.location}.cloudapp.azure.com",
+    "privatelink.mysql.database.azure.com",
+  ])
 }

core/terraform/migrate.sh

@@ -189,6 +189,13 @@ if [ -n "${rp_subnet}" ]; then
   fi
 fi
 
+# DNS Zones migration. We can't use a moved block due the the vars being used.
+nexus_dns_zone=$(echo "${terraform_show_json}" \
+  | jq -r 'select(.values.root_module.child_modules != null) .values.root_module.child_modules[] | select (.address=="module.network") | .resources[] | select(.address=="module.network.azurerm_private_dns_zone.nexus") | .values.id')
+if [ -n "${nexus_dns_zone}" ]; then
+  terraform state rm module.network.azurerm_private_dns_zone.nexus
+  terraform import azurerm_private_dns_zone.non_core[\""nexus-${TRE_ID}.${LOCATION}.cloudapp.azure.com"\"] "${nexus_dns_zone}"
+fi
 
 # this isn't a classic migration, but impacts how terraform handles the deployment in the next phase
 state_store_serverless=$(echo "${terraform_show_json}" \

core/terraform/modules_move_definitions.tf

@@ -231,3 +231,80 @@ moved {
   from = module.airlock.azurerm_private_dns_zone.eventgrid
   to   = module.network.azurerm_private_dns_zone.eventgrid
 }
+
+
+# DNS Zones
+moved {
+  from = module.network.azurerm_private_dns_zone.mysql
+  to   = azurerm_private_dns_zone.non_core["privatelink.mysql.database.azure.com"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.azureml
+  to   = azurerm_private_dns_zone.non_core["privatelink.api.azureml.ms"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.azuremlcert
+  to   = azurerm_private_dns_zone.non_core["privatelink.cert.api.azureml.ms"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.notebooks
+  to   = azurerm_private_dns_zone.non_core["privatelink.notebooks.azure.net"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.postgres
+  to   = azurerm_private_dns_zone.non_core["privatelink.postgres.database.azure.com"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone_virtual_network_link.mysql
+  to   = azurerm_private_dns_zone_virtual_network_link.mysql
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.purview.azure.com"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.purview.azure.com"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.purviewstudio.azure.com"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.purviewstudio.azure.com"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.sql.azuresynapse.net"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.sql.azuresynapse.net"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.dev.azuresynapse.net"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.dev.azuresynapse.net"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.azuresynapse.net"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.azuresynapse.net"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.azuresynapse.net"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.azuresynapse.net"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.dfs.core.windows.net"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.dfs.core.windows.net"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.azurehealthcareapis.com"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.azurehealthcareapis.com"]
+}
+
+moved {
+  from = module.network.azurerm_private_dns_zone.private_dns_zones["privatelink.dicom.azurehealthcareapis.com"]
+  to   = azurerm_private_dns_zone.non_core["privatelink.dicom.azurehealthcareapis.com"]
+}

core/terraform/network/dns_zones.tf

@@ -112,23 +112,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_private_dns_zone" "mysql" {
-  name                = "privatelink.mysql.database.azure.com"
-  resource_group_name = var.resource_group_name
-  tags                = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "mysql" {
-  resource_group_name   = var.resource_group_name
-  virtual_network_id    = azurerm_virtual_network.core.id
-  private_dns_zone_name = azurerm_private_dns_zone.mysql.name
-  name                  = "azurewebsites-link"
-  registration_enabled  = false
-  tags                  = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
-}
-
 resource "azurerm_private_dns_zone" "static_web" {
   name                = "privatelink.web.core.windows.net"
   resource_group_name = var.resource_group_name
@@ -193,42 +176,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "acrlink" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_private_dns_zone" "azureml" {
-  name                = "privatelink.api.azureml.ms"
-  resource_group_name = var.resource_group_name
-  tags                = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
-}
-
-resource "azurerm_private_dns_zone" "azuremlcert" {
-  name                = "privatelink.cert.api.azureml.ms"
-  resource_group_name = var.resource_group_name
-  tags                = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
-}
-
-resource "azurerm_private_dns_zone" "notebooks" {
-  name                = "privatelink.notebooks.azure.net"
-  resource_group_name = var.resource_group_name
-  tags                = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
-}
-
-resource "azurerm_private_dns_zone" "postgres" {
-  name                = "privatelink.postgres.database.azure.com"
-  resource_group_name = var.resource_group_name
-  tags                = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
-}
-
-resource "azurerm_private_dns_zone" "nexus" {
-  name                = "nexus-${var.tre_id}.${var.location}.cloudapp.azure.com"
-  resource_group_name = var.resource_group_name
-  tags                = local.tre_core_tags
-
-  lifecycle { ignore_changes = [tags] }
-}
-
 resource "azurerm_private_dns_zone" "eventgrid" {
   name                = "privatelink.eventgrid.azure.net"
   resource_group_name = var.resource_group_name

core/terraform/network/locals.tf

@@ -30,13 +30,5 @@ locals {
   private_dns_zone_names = toset([
     "privatelink.queue.core.windows.net",
     "privatelink.table.core.windows.net",
-    "privatelink.purview.azure.com",
-    "privatelink.purviewstudio.azure.com",
-    "privatelink.sql.azuresynapse.net",
-    "privatelink.dev.azuresynapse.net",
-    "privatelink.azuresynapse.net",
-    "privatelink.dfs.core.windows.net",
-    "privatelink.azurehealthcareapis.com",
-    "privatelink.dicom.azurehealthcareapis.com"
   ])
 }

core/version.txt

@@ -1 +1 @@
-__version__ = "0.6.0"
+__version__ = "0.7.0"