feat: (IAC-950) Add the possibility to specify private dns zone resource id to use for AKS private cluster (#297)

morenovj · riragh · web-flow · commit ca171c72dc1e · 2023-10-10T14:11:23.000-05:00
* Added the possibility to specify the private DNS zone resource id to use

* Fixed syntax for the new conditional operator

* Variable names adjusted and dns prefix comparison defined

* feat: (IAC-950) Added variable to specify private dns zone for private AKS Cluster

* feat: (IAC-950) Update the dns_prefix logic

* feat: (IAC-950) Added additional info to CONFIG-VARS

---------

Co-authored-by: Ritika Patil &lt;94649368+riragh@users.noreply.github.com&gt;
Co-authored-by: Ritika Patil &lt;Ritika.Patil@sas.com&gt;
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -193,6 +193,7 @@ Ubuntu 20.04 LTS is the operating system used on the Jump/NFS servers. Ubuntu cr
 | aks_identity | Use UserAssignedIdentity or Service Principal as  [AKS identity](https://docs.microsoft.com/en-us/azure/aks/concepts-identity) | string | "uai" | A value of `uai` wil create a Managed Identity based on the permissions of the authenticated user or use [`AKS_UAI_NAME`](#use-existing), if set. A value of `sp` will use values from [`CLIENT_ID`/`CLIENT_SECRET`](#azure-authentication), if set. |
 | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
 | cluster_api_mode | Public or private IP for the cluster api | string | "public" | Valid Values: "public", "private" |
+| aks_cluster_private_dns_zone_id | Specifies private DNS zone resource ID for AKS private cluster to use | string | "" | For `cluster_api_mode=private` if `aks_cluster_private_dns_zone_id` is not specified then the value `System` is used else it is set to null. For details see [Configure a private DNS zone](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal#configure-a-private-dns-zone) |
 | aks_cluster_sku_tier | Optimizes api server for cost vs availability | string | "Free" | Valid Values:  "Free", "Standard" | 
 
 ## Node Pools
diff --git a/main.tf b/main.tf
@@ -145,6 +145,7 @@ module "aks" {
   aks_cluster_node_vm_size                 = var.default_nodepool_vm_type
   aks_cluster_node_admin                   = var.node_vm_admin
   aks_cluster_ssh_public_key               = try(file(var.ssh_public_key), "")
+  aks_cluster_private_dns_zone_id          = var.aks_cluster_private_dns_zone_id
   aks_vnet_subnet_id                       = module.vnet.subnets["aks"].id
   kubernetes_version                       = var.kubernetes_version
   aks_cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : local.cluster_endpoint_public_access_cidrs # "Private cluster cannot be enabled with AuthorizedIPRanges.""
diff --git a/modules/azure_aks/main.tf b/modules/azure_aks/main.tf
@@ -6,7 +6,9 @@ resource "azurerm_kubernetes_cluster" "aks" {
   name                               = var.aks_cluster_name
   location                           = var.aks_cluster_location
   resource_group_name                = var.aks_cluster_rg
-  dns_prefix                         = var.aks_cluster_dns_prefix
+  dns_prefix                         = var.aks_private_cluster == false || var.aks_cluster_private_dns_zone_id == "" ? var.aks_cluster_dns_prefix : null
+  dns_prefix_private_cluster         = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_dns_prefix : null
+
   sku_tier                           = var.aks_cluster_sku_tier
   role_based_access_control_enabled  = true
   http_application_routing_enabled   = false
@@ -16,7 +18,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   kubernetes_version                 = var.kubernetes_version
   api_server_authorized_ip_ranges    = var.aks_cluster_endpoint_public_access_cidrs
   private_cluster_enabled            = var.aks_private_cluster
-  private_dns_zone_id                = var.aks_private_cluster ? "System" : null
+  private_dns_zone_id                = var.aks_private_cluster && var.aks_cluster_private_dns_zone_id != "" ? var.aks_cluster_private_dns_zone_id : (var.aks_private_cluster ? "System" : null)
 
   network_profile {
     network_plugin = var.aks_network_plugin
diff --git a/modules/azure_aks/variables.tf b/modules/azure_aks/variables.tf
@@ -223,3 +223,8 @@ variable "cluster_egress_type" {
   type        = string
   default     = "loadBalancer"
 }
+
+variable "aks_cluster_private_dns_zone_id" {
+  type = string
+  default = ""
+}
diff --git a/variables.tf b/variables.tf
@@ -754,6 +754,12 @@ variable "aks_identity" {
   }
 }
 
+variable "aks_cluster_private_dns_zone_id" {
+  description = "Specify private DNS zone resource ID for AKS private cluster to use."
+  type = string
+  default = ""
+}
+
 ## Message Broker - Azure Service Bus - Experimental
 variable "create_azure_message_broker" {
   description = "Allows user to create a fully managed enterprise message broker: Azure Service Bus"

Original file line number	Diff line number	Diff line change
`@@ -223,3 +223,8 @@ variable "cluster_egress_type" {`
`223`	`223`	`type = string`
`224`	`224`	`default = "loadBalancer"`
`225`	`225`	`}`
	`226`	`+`
	`227`	`+variable "aks_cluster_private_dns_zone_id" {`
	`228`	`+ type = string`
	`229`	`+ default = ""`
	`230`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -754,6 +754,12 @@ variable "aks_identity" {`
`754`	`754`	`}`
`755`	`755`	`}`
`756`	`756`
	`757`	`+variable "aks_cluster_private_dns_zone_id" {`
	`758`	`+ description = "Specify private DNS zone resource ID for AKS private cluster to use."`
	`759`	`+ type = string`
	`760`	`+ default = ""`
	`761`	`+}`
	`762`	`+`
`757`	`763`	`## Message Broker - Azure Service Bus - Experimental`
`758`	`764`	`variable "create_azure_message_broker" {`
`759`	`765`	`description = "Allows user to create a fully managed enterprise message broker: Azure Service Bus"`