feat(external_dns): support azure-private-dns provider#369

Merged
gdrojas merged 1 commit into
mainfrom
feat/external-dns-azure-private-dns-support
May 26, 2026
Conversation

@gdrojas

@gdrojas gdrojas commented May 26, 2026

Collaborator

Summary

Adds azure-private-dns as a supported value for dns_provider_name, alongside the existing azure. Both share the same auth, secret mount, and ServiceAccount wiring — only the external-dns chart's provider.name differs.

Why

Azure exposes Public DNS and Private DNS as two distinct ARM resource types (Microsoft.Network/dnszones vs Microsoft.Network/privateDnsZones), and upstream external-dns ships two separate provider implementations (azure vs azure-private-dns) — you cannot manage Private DNS zones via provider: azure. AWS and OCI don't have this split (they use flags on the same provider), which is why no symmetric change is needed for those clouds.

Until now, callers needing Private DNS zone management had to maintain their own helm_release block. This PR closes that gap.

Changes

  • variables.tf — dns_provider_name validation extended to accept "azure-private-dns"
  • locals.tf — azure_family_active helper; azure_config.provider.name templated from the input; provider_configs maps both keys to the same config
  • secret.tf — Azure secret count condition extended to the family
  • validation.tf — Azure preconditions extended to fire for both providers

Net diff: 4 files, +27 / -21 lines. Callers passing dns_provider_name = "azure" get exactly the same Helm Values output as before — bumping the ref is a no-op for them.

Usage

Instantiate the module a second time for Private DNS:

```hcl
module "external_dns_private" {
  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=<new-ref>"

  dns_provider_name      = "azure-private-dns"
  type                   = "private"                # avoids ClusterRole name collision with the public instance
  external_dns_namespace = "external-dns-private"
  # ... auth + zone vars identical to the azure provider case
}
```

The companion IAM module needs role_definition_name = "Private DNS Zone Contributor" scoped to the private zone.
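The wiring the Changes list describes, reconstructed as an added example. This is not the tofu-modules code: the file names and the identifiers dns_provider_name, azure_family_active, azure_config, provider_configs, type and external_dns_namespace come from the PR; the Azure auth variable names, the azure.json layout, the chart repository URL and the shape of the non-Azure configs are assumptions.

```hcl
# Illustrative reconstruction, not the module's own source. Identifiers other
# than those named in the PR (dns_provider_name, azure_family_active,
# azure_config, provider_configs, type, external_dns_namespace) are assumed.

# --- variables.tf -----------------------------------------------------------
variable "dns_provider_name" {
  type        = string
  description = "external-dns provider: aws, oci, azure or azure-private-dns"

  validation {
    condition     = contains(["aws", "oci", "azure", "azure-private-dns"], var.dns_provider_name)
    error_message = "dns_provider_name must be one of aws, oci, azure, azure-private-dns."
  }
}

variable "type" {
  type        = string
  default     = "public"
  description = "Suffix keeping the public and private instances' names distinct"
}

variable "external_dns_namespace" {
  type = string
}

# Assumed Azure auth/zone inputs; the PR only states they are identical for both providers.
variable "azure_tenant_id" {
  type    = string
  default = ""
}

variable "azure_subscription_id" {
  type    = string
  default = ""
}

variable "azure_resource_group" {
  type    = string
  default = ""
}

# --- locals.tf --------------------------------------------------------------
locals {
  # True for either Azure provider. Both share auth, secret mount and
  # ServiceAccount wiring, so every Azure-only resource keys off this flag
  # instead of comparing against the literal "azure".
  azure_family_active = contains(["azure", "azure-private-dns"], var.dns_provider_name)

  azure_config = {
    provider = {
      # The only difference between the two providers is the chart's
      # provider.name, so it is templated from the input.
      name = var.dns_provider_name
    }
    serviceAccount = { name = "external-dns-${var.type}" }
    extraVolumes = [{
      name   = "azure-config-file"
      secret = { secretName = "azure-config-file" }
    }]
    extraVolumeMounts = [{
      name      = "azure-config-file"
      mountPath = "/etc/kubernetes"
      readOnly  = true
    }]
  }

  # Placeholder shapes for the other clouds (assumed).
  aws_config = { provider = { name = "aws" } }
  oci_config = { provider = { name = "oci" } }

  # Both Azure keys resolve to the same config object, so "azure" callers
  # get byte-identical Helm values.
  provider_configs = {
    aws                 = local.aws_config
    oci                 = local.oci_config
    azure               = local.azure_config
    "azure-private-dns" = local.azure_config
  }

  helm_values = local.provider_configs[var.dns_provider_name]
}

# --- secret.tf --------------------------------------------------------------
# Created only for the Azure family, so Azure credentials are never mounted
# into a cluster running the AWS or OCI provider.
resource "kubernetes_secret_v1" "azure_config_file" {
  count = local.azure_family_active ? 1 : 0

  metadata {
    name      = "azure-config-file"
    namespace = var.external_dns_namespace
  }

  # azure.json layout as read by external-dns with workload identity (assumed).
  data = {
    "azure.json" = jsonencode({
      tenantId                     = var.azure_tenant_id
      subscriptionId               = var.azure_subscription_id
      resourceGroup                = var.azure_resource_group
      useWorkloadIdentityExtension = true
    })
  }
}

# --- validation.tf ----------------------------------------------------------
# Preconditions fire for both Azure providers and are vacuously true otherwise.
resource "terraform_data" "azure_preconditions" {
  lifecycle {
    precondition {
      condition     = !local.azure_family_active || var.azure_tenant_id != ""
      error_message = "azure_tenant_id is required for azure and azure-private-dns."
    }
    precondition {
      condition     = !local.azure_family_active || var.azure_resource_group != ""
      error_message = "azure_resource_group is required for azure and azure-private-dns."
    }
  }
}
```

Two properties of this layout are worth checking after a change like the PR's: `azure_family_active` must be the single predicate every Azure-only resource and precondition uses (a stray `== "azure"` comparison would silently skip the secret or a check for the private provider), and the two map entries in `provider_configs` must point at the same object so the public-provider output is unchanged, which is what makes the ref bump a no-op for existing callers.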

Accepts dns_provider_name = "azure-private-dns" in addition to "azure".
Both providers share the same auth, secret mount, and ServiceAccount
wiring — only the external-dns chart's `provider.name` differs — so the
azure_config block now templates the provider name from the input and
provider_configs maps both keys to the same config.

Validation preconditions and the kubernetes_secret_v1 count condition
were extended from `dns_provider_name == "azure"` to a shared
`azure_family_active` local that matches both providers.

Unblocks callers managing Azure Private DNS zones (Microsoft.Network/
privateDnsZones), which the upstream external-dns binary handles via a
separate provider name from the public DNS one. Previously such callers
had to maintain their own helm_release block.
@gdrojas gdrojas merged commit 3a0ebf5 into main May 26, 2026
44 checks passed
@gdrojas gdrojas deleted the feat/external-dns-azure-private-dns-support branch May 26, 2026 20:21