feat: Added support for existing dns zone

clouddrove · May 31, 2023 · 5706caf · 5706caf
1 parent 9607848
commit 5706caf
Show file tree

Hide file tree

Showing 4 changed files with 166 additions and 17 deletions.
diff --git a/_example/example.tf b/_example/example.tf
@@ -62,4 +62,13 @@ module "container-registry" {
   virtual_network_id            = join("", module.vnet.vnet_id)
   subnet_id                     = module.subnet.default_subnet_id
   private_subnet_address_prefix = module.subnet.default_subnet_address_prefixes
+
+  ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
+
+  # diff_sub                                      = true
+  # alias_sub                                     = ""
+
+  #########Following to be uncommmented when using DNS zone from different resource group or different subscription.
+  # existing_private_dns_zone                     = ""
+  # existing_private_dns_zone_resource_group_name = ""
 }
diff --git a/main.tf b/main.tf
@@ -15,6 +15,7 @@ module "labels" {
 
 
 resource "azurerm_container_registry" "main" {
+  count                         = var.enable ? 1 : 0
   name                          = format("%s", var.container_registry_config.name)
   resource_group_name           = var.resource_group_name
   location                      = var.location
@@ -92,7 +93,7 @@ resource "azurerm_container_registry_scope_map" "main" {
   for_each                = var.scope_map != null ? { for k, v in var.scope_map : k => v if v != null } : {}
   name                    = format("%s", each.key)
   resource_group_name     = var.resource_group_name
-  container_registry_name = azurerm_container_registry.main.name
+  container_registry_name = azurerm_container_registry.main.*.name
   actions                 = each.value["actions"]
 }
 
@@ -101,7 +102,7 @@ resource "azurerm_container_registry_token" "main" {
   for_each                = var.scope_map != null ? { for k, v in var.scope_map : k => v if v != null } : {}
   name                    = format("%s", "${each.key}-token")
   resource_group_name     = var.resource_group_name
-  container_registry_name = azurerm_container_registry.main.name
+  container_registry_name = azurerm_container_registry.main.*.name
   scope_map_id            = element([for k in azurerm_container_registry_scope_map.main : k.id], 0)
   enabled                 = true
 }
@@ -111,7 +112,7 @@ resource "azurerm_container_registry_webhook" "main" {
   name                = format("%s", each.key)
   resource_group_name = var.resource_group_name
   location            = var.location
-  registry_name       = azurerm_container_registry.main.name
+  registry_name       = azurerm_container_registry.main.*.name
   service_uri         = each.value["service_uri"]
   actions             = each.value["actions"]
   status              = each.value["status"]
@@ -124,9 +125,20 @@ resource "azurerm_container_registry_webhook" "main" {
   }
 }
 
+provider "azurerm" {
+  alias = "peer"
+  features {}
+  subscription_id = var.alias_sub
+}
+
+locals {
+  valid_rg_name         = var.existing_private_dns_zone == null ? var.resource_group_name : var.existing_private_dns_zone_resource_group_name
+  private_dns_zone_name = var.existing_private_dns_zone == null ? join("", azurerm_private_dns_zone.dnszone1.*.name) : var.existing_private_dns_zone
+}
+
 
 resource "azurerm_private_endpoint" "pep1" {
-  count               = var.enable_private_endpoint ? 1 : 0
+  count               = var.enable && var.enable_private_endpoint ? 1 : 0
   name                = format("%s-private-endpoint", var.container_registry_config.name)
   location            = var.location
   resource_group_name = var.resource_group_name
@@ -139,32 +151,105 @@ resource "azurerm_private_endpoint" "pep1" {
   private_service_connection {
     name                           = "containerregistryprivatelink"
     is_manual_connection           = false
-    private_connection_resource_id = azurerm_container_registry.main.id
+    private_connection_resource_id = azurerm_container_registry.main.*.id
     subresource_names              = ["registry"]
   }
+  lifecycle {
+    ignore_changes = [
+      tags,
+    ]
+  }
 }
 
+data "azurerm_private_endpoint_connection" "private-ip" {
+  count               = var.enable && var.enable_private_endpoint ? 1 : 0
+  name                = join("", azurerm_private_endpoint.pep1.*.name)
+  resource_group_name = var.resource_group_name
+}
+
+
 resource "azurerm_private_dns_zone" "dnszone1" {
-  count               = var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
+  count               = var.enable && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
   name                = var.private_dns_name
   resource_group_name = var.resource_group_name
   tags                = merge({ "Name" = format("%s", "Azure-Container-Registry-Private-DNS-Zone") }, module.labels.tags, )
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "vent-link1" {
-  count                 = var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
+  count                 = var.enable && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0
   name                  = "vnet-private-zone-link"
-  resource_group_name   = var.resource_group_name
-  private_dns_zone_name = azurerm_private_dns_zone.dnszone1.0.name
+  resource_group_name   = local.valid_rg_name
+  private_dns_zone_name = local.private_dns_zone_name
   virtual_network_id    = var.virtual_network_id
   registration_enabled  = var.private_dns_zone_vnet_link_registration_enabled
   tags                  = merge({ "Name" = format("%s", "vnet-private-zone-link") }, module.labels.tags, )
 }
 
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff_sub" {
+  provider              = azurerm.peer
+  count                 = var.enable && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
+  name                  = var.existing_private_dns_zone == null ? format("%s-pdz-vnet-link-acr", module.labels.id) : format("%s-pdz-vnet-link-acr-1", module.labels.id)
+  resource_group_name   = local.valid_rg_name
+  private_dns_zone_name = local.private_dns_zone_name
+  virtual_network_id    = var.virtual_network_id
+  tags                  = module.labels.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-multi-subs" {
+  provider              = azurerm.peer
+  count                 = var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0
+  name                  = format("%s-pdz-vnet-link-acr-1", module.labels.id)
+  resource_group_name   = var.existing_private_dns_zone_resource_group_name
+  private_dns_zone_name = var.existing_private_dns_zone
+  virtual_network_id    = var.virtual_network_id
+  tags                  = module.labels.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" {
+  count                 = var.enable && var.addon_vent_link ? 1 : 0
+  name                  = format("%s-pdz-vnet-link-acr-addon", module.labels.id)
+  resource_group_name   = var.addon_resource_group_name
+  private_dns_zone_name = var.existing_private_dns_zone == null ? join("", azurerm_private_dns_zone.dnszone1.*.name) : var.existing_private_dns_zone
+  virtual_network_id    = var.addon_virtual_network_id
+  tags                  = module.labels.tags
+}
+
+resource "azurerm_private_dns_a_record" "arecord" {
+  count               = var.enable && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0
+  name                = join("", azurerm_container_registry.main.*.name)
+  zone_name           = local.private_dns_zone_name
+  resource_group_name = local.valid_rg_name
+  ttl                 = 3600
+  records             = [data.azurerm_private_endpoint_connection.private-ip.0.private_service_connection.0.private_ip_address]
+  tags                = module.labels.tags
+  lifecycle {
+    ignore_changes = [
+      tags,
+    ]
+  }
+}
+
+resource "azurerm_private_dns_a_record" "arecord-1" {
+  count               = var.enable && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0
+  provider            = azurerm.peer
+  name                = join("", azurerm_container_registry.main.*.name)
+  zone_name           = local.private_dns_zone_name
+  resource_group_name = local.valid_rg_name
+  ttl                 = 3600
+  records             = [data.azurerm_private_endpoint_connection.private-ip.0.private_service_connection.0.private_ip_address]
+  tags                = module.labels.tags
+  lifecycle {
+    ignore_changes = [
+      tags,
+    ]
+  }
+}
+
 resource "azurerm_monitor_diagnostic_setting" "acr-diag" {
-  count                      = var.log_analytics_workspace_name != null || var.storage_account_name != null ? 1 : 0
+  count                      = var.enable_diagnostic && var.log_analytics_workspace_name != null || var.storage_account_name != null ? 1 : 0
   name                       = lower("acr-${var.container_registry_config.name}-diag")
-  target_resource_id         = azurerm_container_registry.main.id
+  target_resource_id         = azurerm_container_registry.main.*.id
   storage_account_id         = var.storage_account_name != null ? var.storage_account_id : null
   log_analytics_workspace_id = var.log_analytics_workspace_id
 

diff --git a/output.tf b/output.tf
@@ -1,32 +1,32 @@
 output "container_registry_id" {
   description = "The ID of the Container Registry"
-  value       = azurerm_container_registry.main.id
+  value       = azurerm_container_registry.main.*.id
 }
 
 output "container_registry_login_server" {
   description = "The URL that can be used to log into the container registry"
-  value       = azurerm_container_registry.main.login_server
+  value       = azurerm_container_registry.main.*.login_server
 }
 
 output "container_registry_admin_username" {
   description = "The Username associated with the Container Registry Admin account - if the admin account is enabled."
-  value       = var.admin_enabled == true ? azurerm_container_registry.main.admin_username : null
+  value       = var.admin_enabled == true ? azurerm_container_registry.main.*.admin_username : null
 }
 
 output "container_registry_admin_password" {
   description = "The Username associated with the Container Registry Admin account - if the admin account is enabled."
-  value       = var.admin_enabled == true ? azurerm_container_registry.main.admin_password : null
+  value       = var.admin_enabled == true ? azurerm_container_registry.main.*.admin_password : null
   sensitive   = true
 }
 
 output "container_registry_identity_principal_id" {
   description = "The Principal ID for the Service Principal associated with the Managed Service Identity of this Container Registry"
-  value       = flatten(azurerm_container_registry.main.identity.*.principal_id)
+  value       = flatten(azurerm_container_registry.main[0].identity.*.principal_id)
 }
 
 output "container_registry_identity_tenant_id" {
   description = "The Tenant ID for the Service Principal associated with the Managed Service Identity of this Container Registry"
-  value       = flatten(azurerm_container_registry.main.identity.*.tenant_id)
+  value       = flatten(azurerm_container_registry.main[0].identity.*.tenant_id)
 }
 
 output "container_registry_scope_map_id" {

diff --git a/variables.tf b/variables.tf
@@ -203,3 +203,58 @@ variable "admin_enabled" {
   default     = true
   description = "To enable of disable admin access"
 }
+
+variable "enable" {
+  type        = bool
+  default     = true
+  description = "Flag to control module creation."
+}
+
+variable "enable_diagnostic" {
+  type        = bool
+  default     = true
+  description = "Flag to control diagnostic setting resource creation."
+}
+
+variable "existing_private_dns_zone_resource_group_name" {
+  type        = string
+  default     = null
+  description = "The name of the existing resource group"
+}
+
+variable "alias_sub" {
+  type        = string
+  default     = null
+  description = "Subscription id for different sub in which dns zone is present."
+}
+
+variable "diff_sub" {
+  # To be set true when hosted DNS zone is in different subnscription.
+  type        = bool
+  default     = false
+  description = "Flag to tell whether dns zone is in different sub or not."
+}
+
+variable "multi_sub_vnet_link" {
+  type        = bool
+  default     = false
+  description = "Flag to control creation of vnet link for dns zone in different subscription"
+}
+
+variable "addon_vent_link" {
+  type        = bool
+  default     = false
+  description = "The name of the addon vnet "
+}
+
+variable "addon_resource_group_name" {
+  type        = string
+  default     = ""
+  description = "The name of the addon vnet resource group"
+}
+
+variable "addon_virtual_network_id" {
+  type        = string
+  default     = ""
+  description = "The name of the addon vnet link vnet id"
+}