diff --git a/_example/example.tf b/_example/example.tf
index 680f615..b073037 100644
--- a/_example/example.tf
+++ b/_example/example.tf
@@ -62,4 +62,13 @@ module "container-registry" {
   virtual_network_id = join("", module.vnet.vnet_id)
   subnet_id = module.subnet.default_subnet_id
   private_subnet_address_prefix = module.subnet.default_subnet_address_prefixes
+
+  ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
+
+  # diff_sub = true
+  # alias_sub = ""
+
+  #########Following to be uncommmented when using DNS zone from different resource group or different subscription.
+  # existing_private_dns_zone = ""
+  # existing_private_dns_zone_resource_group_name = ""
 }
diff --git a/main.tf b/main.tf
index 717758c..7c829ea 100644
--- a/main.tf
+++ b/main.tf
@@ -15,6 +15,7 @@ module "labels" {
 
 
 resource "azurerm_container_registry" "main" {
+  count = var.enable ? 1 : 0
   name = format("%s", var.container_registry_config.name)
   resource_group_name = var.resource_group_name
   location = var.location
@@ -92,7 +93,7 @@ resource "azurerm_container_registry_scope_map" "main" {
   for_each = var.scope_map != null ? { for k, v in var.scope_map : k => v if v != null } : {}
   name = format("%s", each.key)
   resource_group_name = var.resource_group_name
-  container_registry_name = azurerm_container_registry.main.name
+  container_registry_name = azurerm_container_registry.main.*.name
   actions = each.value["actions"]
 }
 
@@ -101,7 +102,7 @@ resource "azurerm_container_registry_token" "main" {
   for_each = var.scope_map != null ? { for k, v in var.scope_map : k => v if v != null } : {}
   name = format("%s", "${each.key}-token")
   resource_group_name = var.resource_group_name
-  container_registry_name = azurerm_container_registry.main.name
+  container_registry_name = azurerm_container_registry.main.*.name
   scope_map_id = element([for k in azurerm_container_registry_scope_map.main : k.id], 0)
   enabled = true
 }
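Review bot: `container_registry_name = azurerm_container_registry.main.*.name` in the scope_map hunk assigns a list to a string argument; once the registry carries `count`, the legacy splat yields a tuple and validation rejects it with a "string required" type error. The same pattern is repeated in the token hunk, the webhook hunk, `private_connection_resource_id` and `target_resource_id` in the -139 hunk, and every value in the output.tf hunk. The A-record hunk already uses the working form, `name = join("", azurerm_container_registry.main.*.name)`; apply it here as `container_registry_name = join("", azurerm_container_registry.main.*.name)`. Note also that with `var.enable = false` the scope_map and token resources still get a non-empty `for_each` whenever `var.scope_map` is set, so they would be planned against an empty registry name; gating their `for_each` on `var.enable` as well closes that gap.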
@@ -111,7 +112,7 @@ resource "azurerm_container_registry_webhook" "main" {
   name = format("%s", each.key)
   resource_group_name = var.resource_group_name
   location = var.location
-  registry_name = azurerm_container_registry.main.name
+  registry_name = azurerm_container_registry.main.*.name
   service_uri = each.value["service_uri"]
   actions = each.value["actions"]
   status = each.value["status"]
@@ -124,9 +125,20 @@ resource "azurerm_container_registry_webhook" "main" {
   }
 }
 
+provider "azurerm" {
+  alias = "peer"
+  features {}
+  subscription_id = var.alias_sub
+}
+
+locals {
+  valid_rg_name = var.existing_private_dns_zone == null ? var.resource_group_name : var.existing_private_dns_zone_resource_group_name
+  private_dns_zone_name = var.existing_private_dns_zone == null ? join("", azurerm_private_dns_zone.dnszone1.*.name) : var.existing_private_dns_zone
+}
+
 
 resource "azurerm_private_endpoint" "pep1" {
-  count = var.enable_private_endpoint ? 1 : 0
+  count = var.enable && var.enable_private_endpoint ? 1 : 0
   name = format("%s-private-endpoint", var.container_registry_config.name)
   location = var.location
   resource_group_name = var.resource_group_name
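Review bot: The `provider "azurerm"` block with `alias = "peer"` in the -124 hunk takes `subscription_id = var.alias_sub`, which defaults to null, so a caller who sets `diff_sub = true` but forgets `alias_sub` gets a peer provider that silently falls back to the ambient subscription of the running credentials, and the cross-subscription DNS link and A record are created in the wrong subscription instead of failing. A module that declares its own provider configuration also cannot be called with `count`, `for_each` or `depends_on`, and Terraform cannot destroy its resources once the module block is removed from the root configuration. Prefer declaring the alias as a requirement, `configuration_aliases = [azurerm.peer]` under `required_providers`, and let the root module pass a provider already scoped to the peer subscription. In the same hunk `local.valid_rg_name` evaluates to null when `existing_private_dns_zone` is given without `existing_private_dns_zone_resource_group_name`; a `lifecycle` precondition on the resources that consume it would surface that misconfiguration at plan time rather than as a provider error at apply.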
@@ -139,32 +151,105 @@ resource "azurerm_private_endpoint" "pep1" { private_service_connection { name = "containerregistryprivatelink" is_manual_connection = false - private_connection_resource_id = azurerm_container_registry.main.id + private_connection_resource_id = azurerm_container_registry.main.*.id subresource_names = ["registry"] } + lifecycle { + ignore_changes = [ + tags, + ] + } } +data "azurerm_private_endpoint_connection" "private-ip" { + count = var.enable && var.enable_private_endpoint ? 1 : 0 + name = join("", azurerm_private_endpoint.pep1.*.name) + resource_group_name = var.resource_group_name +} + + resource "azurerm_private_dns_zone" "dnszone1" { - count = var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0 + count = var.enable && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0 name = var.private_dns_name resource_group_name = var.resource_group_name tags = merge({ "Name" = format("%s", "Azure-Container-Registry-Private-DNS-Zone") }, module.labels.tags, ) } resource "azurerm_private_dns_zone_virtual_network_link" "vent-link1" { - count = var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0 + count = var.enable && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0 name = "vnet-private-zone-link" - resource_group_name = var.resource_group_name - private_dns_zone_name = azurerm_private_dns_zone.dnszone1.0.name + resource_group_name = local.valid_rg_name + private_dns_zone_name = local.private_dns_zone_name virtual_network_id = var.virtual_network_id registration_enabled = var.private_dns_zone_vnet_link_registration_enabled tags = merge({ "Name" = format("%s", "vnet-private-zone-link") }, module.labels.tags, ) } + +resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff_sub" { + provider = azurerm.peer + count = var.enable && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0 + name = var.existing_private_dns_zone == null ? 
format("%s-pdz-vnet-link-acr", module.labels.id) : format("%s-pdz-vnet-link-acr-1", module.labels.id) + resource_group_name = local.valid_rg_name + private_dns_zone_name = local.private_dns_zone_name + virtual_network_id = var.virtual_network_id + tags = module.labels.tags +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-multi-subs" { + provider = azurerm.peer + count = var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0 + name = format("%s-pdz-vnet-link-acr-1", module.labels.id) + resource_group_name = var.existing_private_dns_zone_resource_group_name + private_dns_zone_name = var.existing_private_dns_zone + virtual_network_id = var.virtual_network_id + tags = module.labels.tags +} + +resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" { + count = var.enable && var.addon_vent_link ? 1 : 0 + name = format("%s-pdz-vnet-link-acr-addon", module.labels.id) + resource_group_name = var.addon_resource_group_name + private_dns_zone_name = var.existing_private_dns_zone == null ? join("", azurerm_private_dns_zone.dnszone1.*.name) : var.existing_private_dns_zone + virtual_network_id = var.addon_virtual_network_id + tags = module.labels.tags +} + +resource "azurerm_private_dns_a_record" "arecord" { + count = var.enable && var.enable_private_endpoint && var.diff_sub == false ? 1 : 0 + name = join("", azurerm_container_registry.main.*.name) + zone_name = local.private_dns_zone_name + resource_group_name = local.valid_rg_name + ttl = 3600 + records = [data.azurerm_private_endpoint_connection.private-ip.0.private_service_connection.0.private_ip_address] + tags = module.labels.tags + lifecycle { + ignore_changes = [ + tags, + ] + } +} + +resource "azurerm_private_dns_a_record" "arecord-1" { + count = var.enable && var.enable_private_endpoint && var.diff_sub == true ? 
1 : 0 + provider = azurerm.peer + name = join("", azurerm_container_registry.main.*.name) + zone_name = local.private_dns_zone_name + resource_group_name = local.valid_rg_name + ttl = 3600 + records = [data.azurerm_private_endpoint_connection.private-ip.0.private_service_connection.0.private_ip_address] + tags = module.labels.tags + lifecycle { + ignore_changes = [ + tags, + ] + } +} + resource "azurerm_monitor_diagnostic_setting" "acr-diag" { - count = var.log_analytics_workspace_name != null || var.storage_account_name != null ? 1 : 0 + count = var.enable_diagnostic && var.log_analytics_workspace_name != null || var.storage_account_name != null ? 1 : 0 name = lower("acr-${var.container_registry_config.name}-diag") - target_resource_id = azurerm_container_registry.main.id + target_resource_id = azurerm_container_registry.main.*.id storage_account_id = var.storage_account_name != null ? var.storage_account_id : null log_analytics_workspace_id = var.log_analytics_workspace_id diff --git a/output.tf b/output.tf index 6a1d90a..c995936 100644 --- a/output.tf +++ b/output.tf 
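Review bot: The diagnostic-setting `count` at the end of this hunk, `var.enable_diagnostic && var.log_analytics_workspace_name != null || var.storage_account_name != null`, does not implement the flag it introduces: `&&` binds tighter than `||`, so with a storage account configured the setting is created even when `enable_diagnostic = false`, and the registry's own `var.enable` is not consulted at all. It should read `count = var.enable && var.enable_diagnostic && (var.log_analytics_workspace_name != null || var.storage_account_name != null) ? 1 : 0`. Separately, both `azurerm_private_dns_a_record` resources take one address from `private_service_connection.0.private_ip_address`, while an ACR private endpoint also exposes a regional data endpoint that needs its own `<registry>.<region>.data` record in the same zone; without it clients resolve the registry privately but layer pulls fall back to public resolution, or fail once public network access is disabled. Letting the endpoint manage its records through a `private_dns_zone_group` block on `azurerm_private_endpoint.pep1`, instead of hand-building A records from the data source, covers both names in one place. The hunk ends inside the `acr-diag` resource, whose remaining attributes are outside the hunk.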
@@ -1,32 +1,32 @@
 output "container_registry_id" {
   description = "The ID of the Container Registry"
-  value = azurerm_container_registry.main.id
+  value = azurerm_container_registry.main.*.id
 }
 
 output "container_registry_login_server" {
   description = "The URL that can be used to log into the container registry"
-  value = azurerm_container_registry.main.login_server
+  value = azurerm_container_registry.main.*.login_server
 }
 
 output "container_registry_admin_username" {
   description = "The Username associated with the Container Registry Admin account - if the admin account is enabled."
-  value = var.admin_enabled == true ? azurerm_container_registry.main.admin_username : null
+  value = var.admin_enabled == true ? azurerm_container_registry.main.*.admin_username : null
 }
 
 output "container_registry_admin_password" {
   description = "The Username associated with the Container Registry Admin account - if the admin account is enabled."
-  value = var.admin_enabled == true ? azurerm_container_registry.main.admin_password : null
+  value = var.admin_enabled == true ? azurerm_container_registry.main.*.admin_password : null
   sensitive = true
 }
 
 output "container_registry_identity_principal_id" {
   description = "The Principal ID for the Service Principal associated with the Managed Service Identity of this Container Registry"
-  value = flatten(azurerm_container_registry.main.identity.*.principal_id)
+  value = flatten(azurerm_container_registry.main[0].identity.*.principal_id)
 }
 
 output "container_registry_identity_tenant_id" {
   description = "The Tenant ID for the Service Principal associated with the Managed Service Identity of this Container Registry"
-  value = flatten(azurerm_container_registry.main.identity.*.tenant_id)
+  value = flatten(azurerm_container_registry.main[0].identity.*.tenant_id)
 }
 
 output "container_registry_scope_map_id" {
diff --git a/variables.tf b/variables.tf
index 59e59f4..241672a 100644
--- a/variables.tf
+++ b/variables.tf
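Review bot: Every output in this hunk silently changes type from string to list, because `azurerm_container_registry.main.*.id` is a tuple once the resource has `count`; callers that pass `module.container-registry.container_registry_id` as a role-assignment scope or a string input break, and `azurerm_container_registry.main[0].identity` in the two identity outputs raises an index error whenever `var.enable = false`. Keep the outputs string-typed with the form the module already uses elsewhere, e.g. `value = join("", azurerm_container_registry.main.*.id)`, and make the identity outputs tolerate the disabled case with `value = flatten([for r in azurerm_container_registry.main : r.identity.*.principal_id])` (and the same for `tenant_id`). The `container_registry_admin_password` description still says "The Username"; it should describe the password.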
@@ -203,3 +203,58 @@ variable "admin_enabled" {
   default = true
   description = "To enable of disable admin access"
 }
+
+variable "enable" {
+  type = bool
+  default = true
+  description = "Flag to control module creation."
+}
+
+variable "enable_diagnostic" {
+  type = bool
+  default = true
+  description = "Flag to control diagnostic setting resource creation."
+}
+
+variable "existing_private_dns_zone_resource_group_name" {
+  type = string
+  default = null
+  description = "The name of the existing resource group"
+}
+
+variable "alias_sub" {
+  type = string
+  default = null
+  description = "Subscription id for different sub in which dns zone is present."
+}
+
+variable "diff_sub" {
+  # To be set true when hosted DNS zone is in different subnscription.
+  type = bool
+  default = false
+  description = "Flag to tell whether dns zone is in different sub or not."
+}
+
+variable "multi_sub_vnet_link" {
+  type = bool
+  default = false
+  description = "Flag to control creation of vnet link for dns zone in different subscription"
+}
+
+variable "addon_vent_link" {
+  type = bool
+  default = false
+  description = "The name of the addon vnet "
+}
+
+variable "addon_resource_group_name" {
+  type = string
+  default = ""
+  description = "The name of the addon vnet resource group"
+}
+
+variable "addon_virtual_network_id" {
+  type = string
+  default = ""
+  description = "The name of the addon vnet link vnet id"
+}
\ No newline at end of file
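Review bot: Several new variable descriptions do not match the variable's type or role: `addon_vent_link` is a bool but is described as "The name of the addon vnet ", `addon_virtual_network_id` is described as "The name of the addon vnet link vnet id", and `alias_sub` says only "Subscription id for different sub", so a caller cannot tell from the generated docs what to pass. Suggested wording: `description = "Flag to create a VNet link from the private DNS zone to the add-on VNet."`, `description = "ID of the add-on virtual network to link to the private DNS zone."`, and `description = "Subscription ID hosting the existing private DNS zone when it lives in another subscription (used by the azurerm.peer provider)."`. The inline comment on `diff_sub` has a typo (`subnscription`), and `addon_resource_group_name`/`addon_virtual_network_id` default to `""` where the other optional inputs default to null, which is inconsistent and lets an empty string reach the provider when `addon_vent_link` is enabled; a `validation` block requiring a non-empty value would catch that at plan time.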