16 changes: 11 additions & 5 deletions infrastructure/commons/external_dns/locals.tf
Expand Up @@ -88,8 +88,13 @@ locals {
]
}

# Both `azure` (Public DNS zones) and `azure-private-dns` (Private DNS zones)
# share the same auth, secret mount, and ServiceAccount wiring — only the
# external-dns `provider.name` differs.
azure_family_active = contains(["azure", "azure-private-dns"], var.dns_provider_name)

azure_config = {
provider = { name = "azure" }
provider = { name = var.dns_provider_name }
serviceAccount = {
create = true
annotations = var.azure_workload_identity_enabled ? {
Expand Down Expand Up @@ -117,10 +122,11 @@ locals {
}

provider_configs = {
cloudflare = local.cloudflare_config
aws = local.route53_config
oci = local.oci_config
azure = local.azure_config
cloudflare = local.cloudflare_config
aws = local.route53_config
oci = local.oci_config
azure = local.azure_config
"azure-private-dns" = local.azure_config
}

external_dns_values = merge(local.base_config, local.provider_configs[var.dns_provider_name])
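Review bot: The comment introducing `azure_family_active` states that only `provider.name` differs between the two providers, but the identity wired through `azure_config` presumably also needs different authorization on the target zones (writes to Private DNS zones are, as far as I know, governed by a separate role from public DNS zones), and nothing in this module checks or grants that. Extending the comment would keep an operator from reusing a public-DNS identity unchanged for private zones: `# NOTE: the identity still needs write access to the *private* zones; RBAC is granted outside this module.` The list inside `azure_family_active` also repeats the `azure`/`azure-private-dns` keys added to `provider_configs` in the second hunk, so the two can drift apart; deriving one from the other, or a `# keep in sync with provider_configs` comment, would help. The enclosing `locals` block starts and ends outside both hunks.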
2 changes: 1 addition & 1 deletion infrastructure/commons/external_dns/secret.tf
Expand Up @@ -11,7 +11,7 @@ resource "kubernetes_secret_v1" "external_dns_cloudflare" {
}

resource "kubernetes_secret_v1" "external_dns_azure_config" {
count = var.dns_provider_name == "azure" ? 1 : 0
count = local.azure_family_active ? 1 : 0

metadata {
name = "external-dns-azure-config"
24 changes: 12 additions & 12 deletions infrastructure/commons/external_dns/validation.tf
Expand Up @@ -29,28 +29,28 @@ resource "terraform_data" "provider_validation" {
error_message = "oci_region is required when dns_provider_name is 'oci'."
}
precondition {
condition = var.dns_provider_name != "azure" || length(var.azure_client_id) > 0
error_message = "azure_client_id is required when dns_provider_name is 'azure'."
condition = !local.azure_family_active || length(var.azure_client_id) > 0
error_message = "azure_client_id is required when dns_provider_name is 'azure' or 'azure-private-dns'."
}
precondition {
condition = var.dns_provider_name != "azure" || !var.azure_workload_identity_enabled || length(var.azure_federated_credential_id) > 0
error_message = "azure_federated_credential_id is required when dns_provider_name is 'azure' and azure_workload_identity_enabled is true. Use module.iam to create the federated identity credential and pass its id output."
condition = !local.azure_family_active || !var.azure_workload_identity_enabled || length(var.azure_federated_credential_id) > 0
error_message = "azure_federated_credential_id is required when dns_provider_name is 'azure' or 'azure-private-dns' and azure_workload_identity_enabled is true. Use module.iam to create the federated identity credential and pass its id output."
}
precondition {
condition = var.dns_provider_name != "azure" || var.azure_workload_identity_enabled || length(var.azure_client_secret) > 0
error_message = "azure_client_secret is required when dns_provider_name is 'azure' and azure_workload_identity_enabled is false."
condition = !local.azure_family_active || var.azure_workload_identity_enabled || length(var.azure_client_secret) > 0
error_message = "azure_client_secret is required when dns_provider_name is 'azure' or 'azure-private-dns' and azure_workload_identity_enabled is false."
}
precondition {
condition = var.dns_provider_name != "azure" || length(var.azure_subscription_id) > 0
error_message = "azure_subscription_id is required when dns_provider_name is 'azure'."
condition = !local.azure_family_active || length(var.azure_subscription_id) > 0
error_message = "azure_subscription_id is required when dns_provider_name is 'azure' or 'azure-private-dns'."
}
precondition {
condition = var.dns_provider_name != "azure" || length(var.azure_resource_group) > 0
error_message = "azure_resource_group is required when dns_provider_name is 'azure'."
condition = !local.azure_family_active || length(var.azure_resource_group) > 0
error_message = "azure_resource_group is required when dns_provider_name is 'azure' or 'azure-private-dns'."
}
precondition {
condition = var.dns_provider_name != "azure" || length(var.azure_tenant_id) > 0
error_message = "azure_tenant_id is required when dns_provider_name is 'azure'."
condition = !local.azure_family_active || length(var.azure_tenant_id) > 0
error_message = "azure_tenant_id is required when dns_provider_name is 'azure' or 'azure-private-dns'."
}
}
}
6 changes: 3 additions & 3 deletions infrastructure/commons/external_dns/variables.tf
Expand Up @@ -141,10 +141,10 @@ variable "oci_zones_cache_duration" {

variable "dns_provider_name" {
type = string
description = "The DNS provider to use with ExternalDNS "
description = "The DNS provider to use with ExternalDNS. Use 'azure' for Azure Public DNS zones and 'azure-private-dns' for Azure Private DNS zones — both share the same auth, secret, and ServiceAccount wiring."
validation {
condition = contains(["cloudflare", "aws", "oci", "azure"], var.dns_provider_name)
error_message = "dns_provider_name must be either 'cloudflare', 'aws', 'oci', or 'azure'."
condition = contains(["cloudflare", "aws", "oci", "azure", "azure-private-dns"], var.dns_provider_name)
error_message = "dns_provider_name must be one of: 'cloudflare', 'aws', 'oci', 'azure', 'azure-private-dns'."
}
}

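Review bot: The provider list in the `validation` condition is now the third place the set of accepted provider names is spelled out (alongside `azure_family_active` and the `provider_configs` keys in locals.tf), so adding or renaming a provider needs three coordinated edits, and a missed one surfaces only as a lookup failure at `local.provider_configs[var.dns_provider_name]`. Depending on the Terraform version in use, variable validation may not be able to reference locals, in which case the duplication is hard to remove here; a comment above the `validation` block pointing at the other sites would at least make the coupling visible: `# Keep in sync with local.provider_configs and local.azure_family_active in locals.tf.` The `description` text is fine but could also mention that the Azure identity must be authorized for the zone type selected, since the module validates credentials only for being non-empty.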