cert-manager and external-dns

Author: omendra-tomar

modules/common/cert_manager/standard/1.0/facets.yaml

@@ -30,6 +30,11 @@ inputs:
     type: '@facets/kubernetes_nodepool'
     displayName: Node Pool
     optional: false
+  external_dns_details:
+    type: '@facets/external_dns'
+    displayName: External DNS
+    optional: true
+    description: External DNS module providing DNS credentials for cert-manager DNS-01 challenges
 outputs:
   default:
     type: '@facets/cert_manager'
@@ -91,4 +96,6 @@ sample:
     cert_manager: {}
 iac:
   validated_files:
+  - main.tf
   - variables.tf
+  - outputs.tf

modules/common/cert_manager/standard/1.0/locals.tf

@@ -1,6 +1,6 @@
 # Define your locals here
 locals {
-  tenant_provider           = lower(try(var.cc_metadata.cc_tenant_provider, "aws"))
+  tenant_provider           = lower(try(var.cc_metadata.cc_tenant_provider, try(var.inputs.external_dns_details.attributes.provider, "aws")))
   spec                      = lookup(var.instance, "spec", {})
   user_supplied_helm_values = try(local.spec.cert_manager.values, try(var.instance.advanced.cert_manager.values, {}))
   cert_manager              = lookup(local.spec, "cert_manager", try(var.instance.advanced.cert_manager, {}))
@@ -9,31 +9,45 @@ locals {
   cnameStrategy             = lookup(local.spec, "cname_strategy", "Follow")
   disable_dns_validation    = lookup(local.spec, "disable_dns_validation", lookup(local.advanced, "disable_dns_validation", false))
   user_defined_tags         = try(local.cert_manager.tags, {})
-  deploy_aws_resources      = local.tenant_provider == "aws" ? local.disable_dns_validation ? false : true : false
-  dns_providers = {
-    aws = {
+  
+  # External DNS configuration (if provided)
+  external_dns              = try(var.inputs.external_dns_details.attributes, null)
+  has_external_dns          = local.external_dns != null && !local.disable_dns_validation
+  
+  # Build DNS provider configuration from external_dns input
+  dns_providers = local.has_external_dns ? (
+    local.external_dns.provider == "aws" ? {
       route53 = {
-        region = try(var.cc_metadata.cc_region, null)
+        region = local.external_dns.region
         accessKeyIDSecretRef = {
-          key  = "access-key-id"
-          name = local.disable_dns_validation ? "na" : kubernetes_secret.cert_manager_r53_secret[0].metadata[0].name
+          key  = local.external_dns.aws_access_key_id_key
+          name = local.external_dns.secret_name
         }
         secretAccessKeySecretRef = {
-          key  = "secret-access-key"
-          name = local.disable_dns_validation ? "na" : kubernetes_secret.cert_manager_r53_secret[0].metadata[0].name
+          key  = local.external_dns.aws_secret_access_key_key
+          name = local.external_dns.secret_name
         }
       }
-    }
-    google = {
+    } : local.external_dns.provider == "gcp" ? {
       cloudDNS = {
-        project = lookup(try(data.kubernetes_secret_v1.dns[0].data, {}), "project", "")
+        project = try(var.inputs.cloud_account.attributes.project, "")
         serviceAccountSecretRef = {
-          key  = "credentials.json"
-          name = local.disable_dns_validation ? "na" : kubernetes_secret.cert_manager_r53_secret[0].metadata[0].name
+          key  = local.external_dns.gcp_credentials_json_key
+          name = local.external_dns.secret_name
         }
       }
-    }
-  }
+    } : local.external_dns.provider == "azure" ? {
+      azureDNS = {
+        subscriptionID = try(var.inputs.cloud_account.attributes.subscription_id, "")
+        tenantID       = try(var.inputs.cloud_account.attributes.tenant_id, "")
+        clientID       = try(var.inputs.cloud_account.attributes.client_id, "")
+        clientSecretSecretRef = {
+          key  = local.external_dns.azure_credentials_json_key
+          name = local.external_dns.secret_name
+        }
+      }
+    } : {}
+  ) : {}
   dns01_validations = {
     staging = {
       name = "letsencrypt-staging"
@@ -113,8 +127,9 @@ locals {
   acme_email      = lookup(local.spec, "acme_email", "") != "" ? lookup(local.spec, "acme_email", "") : try(var.cluster.createdBy, null)
 }
 
+# Fallback: Read existing DNS credentials secret if external_dns not provided (for GCP/Azure)
 data "kubernetes_secret_v1" "dns" {
-  count = local.tenant_provider == "aws" ? 0 : 1
+  count = local.has_external_dns ? 0 : (local.tenant_provider == "aws" ? 0 : 1)
   metadata {
     name      = "facets-tenant-dns"
     namespace = "default"

modules/common/cert_manager/standard/1.0/main.tf

@@ -1,92 +1,10 @@
 # Define your terraform resources here
-module "iam_user_name" {
-  count           = local.disable_dns_validation ? 0 : 1
-  source          = "github.com/Facets-cloud/facets-utility-modules//name"
-  environment     = var.environment
-  limit           = 64
-  globally_unique = false
-  resource_name   = var.inputs.kubernetes_details.attributes.cluster_name
-  resource_type   = ""
-  is_k8s          = false
-}
-
-module "iam_policy_name" {
-  count           = local.disable_dns_validation ? 0 : 1
-  source          = "github.com/Facets-cloud/facets-utility-modules//name"
-  environment     = var.environment
-  limit           = 128
-  globally_unique = false
-  resource_name   = var.inputs.kubernetes_details.attributes.cluster_name
-  resource_type   = ""
-  is_k8s          = false
-}
-
-resource "aws_iam_user" "cert_manager_iam_user" {
-  count    = local.deploy_aws_resources ? 1 : 0
-  provider = "aws3tooling"
-  name     = lower(module.iam_user_name[0].name)
-  tags     = merge(local.user_defined_tags, var.environment.cloud_tags)
-}
-
-resource "aws_iam_user_policy" "cert_manager_r53_policy" {
-  count    = local.deploy_aws_resources ? 1 : 0
-  provider = "aws3tooling"
-  name     = lower(module.iam_policy_name[0].name)
-  user     = try(aws_iam_user.cert_manager_iam_user[0].name, "na")
-  policy   = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "route53:GetChange",
-      "Resource": "arn:aws:route53:::change/*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "route53:ChangeResourceRecordSets",
-        "route53:ListResourceRecordSets"
-      ],
-      "Resource": "arn:aws:route53:::hostedzone/${try(var.cc_metadata.tenant_base_domain_id, "*")}"
-    },
-    {
-      "Effect": "Allow",
-      "Action": "route53:ListHostedZonesByName",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_access_key" "cert_manager_access_key" {
-  count    = local.deploy_aws_resources ? 1 : 0
-  provider = "aws3tooling"
-  user     = try(aws_iam_user.cert_manager_iam_user[0].name, "na")
-}
-
 resource "kubernetes_namespace" "namespace" {
   metadata {
     name = local.cert_mgr_namespace
   }
 }
 
-resource "kubernetes_secret" "cert_manager_r53_secret" {
-  count      = local.disable_dns_validation ? 0 : 1
-  depends_on = [kubernetes_namespace.namespace]
-  metadata {
-    name      = "${lower(module.iam_user_name[0].name)}-secret"
-    namespace = local.cert_mgr_namespace
-  }
-  data = jsondecode(local.tenant_provider == "aws" ? jsonencode({
-    "access-key-id"     = aws_iam_access_key.cert_manager_access_key[0].id
-    "secret-access-key" = aws_iam_access_key.cert_manager_access_key[0].secret
-    }) : jsonencode({
-    "credentials.json" = lookup(lookup(try(data.kubernetes_secret_v1.dns[0], {}), "data", {}), "credentials.json", "{}")
-  }))
-}
-
 resource "helm_release" "cert_manager" {
   depends_on = [kubernetes_namespace.namespace]
   name       = "cert-manager"

modules/common/cert_manager/standard/1.0/variables.tf

@@ -1,15 +1,5 @@
 variable "instance" {
   type = any
-
-  validation {
-    condition     = contains(["Follow", "None"], var.instance.spec.cname_strategy)
-    error_message = "cname_strategy must be either 'Follow' or 'None'."
-  }
-
-  validation {
-    condition     = lookup(var.instance.spec, "use_gts", false) ? lookup(var.instance.spec, "gts_private_key", "") != "" : true
-    error_message = "gts_private_key is required when use_gts is enabled."
-  }
 }
 
 variable "instance_name" {

modules/common/external_dns/aws/1.0/facets.yaml

@@ -0,0 +1,48 @@
+intent: external_dns
+flavor: aws
+version: '1.0'
+description: Manages DNS credentials and IAM resources for Route53 DNS operations in Kubernetes clusters
+clouds:
+- aws
+inputs:
+  kubernetes_details:
+    optional: false
+    type: '@facets/kubernetes-details'
+    displayName: Kubernetes Cluster
+    default:
+      resource_type: kubernetes_cluster
+      resource_name: default
+    providers:
+    - kubernetes
+  cloud_account:
+    optional: false
+    type: '@facets/aws_cloud_account'
+    displayName: AWS Cloud Account
+    providers:
+    - aws
+spec:
+  title: External DNS Controller for AWS Route53
+  description: Manages DNS credentials and IAM resources for Route53 DNS operations
+  type: object
+  properties:
+    hosted_zone_id:
+      type: string
+      title: Route53 Hosted Zone ID
+      description: AWS Route53 hosted zone ID for DNS operations
+      x-ui-overrides-only: true
+  required: []
+outputs:
+  default:
+    type: '@facets/external_dns'
+    title: External DNS Details
+sample:
+  kind: external_dns
+  flavor: aws
+  version: '1.0'
+  disabled: true
+  spec: {}
+iac:
+  validated_files:
+  - main.tf
+  - variables.tf
+  - outputs.tf

modules/common/external_dns/aws/1.0/locals.tf

@@ -0,0 +1,9 @@
+locals {
+  spec                = lookup(var.instance, "spec", {})
+  hosted_zone_id      = lookup(local.spec, "hosted_zone_id", try(var.cc_metadata.tenant_base_domain_id, "*"))
+  cluster_name        = var.inputs.kubernetes_details.attributes.cluster_name
+  namespace           = "external-dns"
+  secret_name         = "${lower(var.instance_name)}-dns-secret"
+  aws_region          = var.inputs.cloud_account.attributes.aws_region
+}
+

modules/common/external_dns/aws/1.0/main.tf

@@ -0,0 +1,84 @@
+# Name generation for IAM resources
+module "iam_user_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 64
+  globally_unique = false
+  resource_name   = local.cluster_name
+  resource_type   = "external-dns"
+  is_k8s          = false
+}
+
+module "iam_policy_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 128
+  globally_unique = false
+  resource_name   = local.cluster_name
+  resource_type   = "external-dns-policy"
+  is_k8s          = false
+}
+
+# IAM User for Route53 access
+resource "aws_iam_user" "external_dns_user" {
+  name = lower(module.iam_user_name.name)
+  tags = merge(var.environment.cloud_tags, {
+    Name      = "external-dns-${local.cluster_name}"
+    Purpose   = "Route53 DNS management"
+    ManagedBy = "facets"
+  })
+}
+
+# IAM Policy for Route53 permissions
+resource "aws_iam_user_policy" "external_dns_r53_policy" {
+  name = lower(module.iam_policy_name.name)
+  user = aws_iam_user.external_dns_user.name
+  policy   = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "route53:GetChange"
+        Resource = "arn:aws:route53:::change/*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "route53:ChangeResourceRecordSets",
+          "route53:ListResourceRecordSets"
+        ]
+        Resource = "arn:aws:route53:::hostedzone/${local.hosted_zone_id}"
+      },
+      {
+        Effect   = "Allow"
+        Action   = "route53:ListHostedZonesByName"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+# IAM Access Key
+resource "aws_iam_access_key" "external_dns_access_key" {
+  user = aws_iam_user.external_dns_user.name
+}
+
+# Kubernetes namespace for external-dns
+resource "kubernetes_namespace" "namespace" {
+  metadata {
+    name = local.namespace
+  }
+}
+
+# Kubernetes secret with Route53 credentials
+resource "kubernetes_secret" "external_dns_r53_secret" {
+  depends_on = [kubernetes_namespace.namespace]
+  metadata {
+    name      = local.secret_name
+    namespace = local.namespace
+  }
+  data = {
+    "access-key-id"     = aws_iam_access_key.external_dns_access_key.id
+    "secret-access-key" = aws_iam_access_key.external_dns_access_key.secret
+  }
+}

modules/common/external_dns/aws/1.0/outputs.tf

@@ -0,0 +1,14 @@
+locals {
+  output_attributes = {
+    secret_name                = kubernetes_secret.external_dns_r53_secret.metadata[0].name
+    secret_namespace           = local.namespace
+    aws_access_key_id_key      = "access-key-id"
+    aws_secret_access_key_key  = "secret-access-key"
+    gcp_credentials_json_key   = ""
+    azure_credentials_json_key  = ""
+    hosted_zone_id             = local.hosted_zone_id
+    region                     = local.aws_region
+    provider                   = "aws"
+  }
+  output_interfaces = {}
+}

modules/common/external_dns/aws/1.0/variables.tf

@@ -0,0 +1,31 @@
+variable "instance" {
+  type = object({
+    spec = object({
+      hosted_zone_id = optional(string, "")
+    })
+  })
+}
+
+variable "instance_name" {
+  type    = string
+  default = "test_instance"
+}
+
+variable "environment" {
+  type = any
+  default = {
+    namespace = "default"
+  }
+}
+
+variable "inputs" {
+  type = object({
+    kubernetes_details = any
+    cloud_account      = any
+  })
+}
+
+variable "cc_metadata" {
+  type = any
+  default = {}
+}