data/azure: create an explicit dependency on private zone before VMs …

…are created From the Private DNS Overview Doc [1] ``` The virtual network needs to be empty (that is, no VM records exist) when it initially (that is, for the first time) links to a private zone as a registration or resolution virtual network. However, the virtual network can then be non-empty for future linking as a registration or resolution virtual network, to other private zones. ``` Therefore, it looks like there needs to be an explicit dependency between private zone and VMs being created in the VNET. Moving the private zone resource to main.tf and making bootstrap, masters, dns module consume a variable with value from private zone resource, makes terraform create the DNS Zone before creating any resources from those modules. There is hope that the constraint might be lifted when private DNS zones become publicly GA. [2] [1]: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview [2]: https://feedback.azure.com/forums/217313-networking/suggestions/35340511-create-private-dns-zone-in-virtual-network-which-a
openshift · May 22, 2019 · 08c8bc5 · 08c8bc5
1 parent 03b753f
commit 08c8bc5
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 15 deletions.
diff --git a/data/data/azure/bootstrap/variables.tf b/data/data/azure/bootstrap/variables.tf
@@ -64,3 +64,7 @@ variable "tags" {
   description = "tags to be applied to created resources."
 }
 
+variable "private_dns_zone_id" {
+  type        = string
+  description = "This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728"
+}
diff --git a/data/data/azure/dns/dns.tf b/data/data/azure/dns/dns.tf
@@ -3,24 +3,17 @@ locals {
   api_external_name = "api.${replace(var.cluster_domain, ".${var.base_domain}", "")}"
 }
 
-resource "azurerm_dns_zone" "private" {
-  name                           = var.cluster_domain
-  resource_group_name            = var.resource_group_name
-  zone_type                      = "Private"
-  resolution_virtual_network_ids = [var.internal_dns_resolution_vnet_id]
-}
-
 resource "azurerm_dns_cname_record" "apiint_internal" {
   name                = "api-int"
-  zone_name           = azurerm_dns_zone.private.name
+  zone_name           = var.private_dns_zone_name
   resource_group_name = var.resource_group_name
   ttl                 = 300
   record              = var.external_lb_fqdn
 }
 
 resource "azurerm_dns_cname_record" "api_internal" {
   name                = "api"
-  zone_name           = azurerm_dns_zone.private.name
+  zone_name           = var.private_dns_zone_name
   resource_group_name = var.resource_group_name
   ttl                 = 300
   record              = var.external_lb_fqdn
@@ -37,23 +30,23 @@ resource "azurerm_dns_cname_record" "api_external" {
 resource "azurerm_dns_a_record" "etcd_a_nodes" {
   count               = var.etcd_count
   name                = "etcd-${count.index}"
-  zone_name           = azurerm_dns_zone.private.name
+  zone_name           = var.private_dns_zone_name
   resource_group_name = var.resource_group_name
   ttl                 = 60
   records             = [var.etcd_ip_addresses[count.index]]
 }
 
 resource "azurerm_dns_srv_record" "etcd_cluster" {
   name                = "_etcd-server-ssl._tcp"
-  zone_name           = azurerm_dns_zone.private.name
+  zone_name           = var.private_dns_zone_name
   resource_group_name = var.resource_group_name
   ttl                 = 60
 
   dynamic "record" {
     for_each = azurerm_dns_a_record.etcd_a_nodes.*.name
     iterator = name
     content {
-      target   = "${name.value}.${azurerm_dns_zone.private.name}"
+      target   = "${name.value}.${var.private_dns_zone_name}"
       priority = 10
       weight   = 10
       port     = 2380

diff --git a/data/data/azure/dns/variables.tf b/data/data/azure/dns/variables.tf
@@ -29,8 +29,8 @@ variable "internal_lb_ipaddress" {
   type        = string
 }
 
-variable "internal_dns_resolution_vnet_id" {
-  description = "the vnet id to be attached to the private DNS zone"
+variable "private_dns_zone_name" {
+  description = "private DNS zone name that should be used for records"
   type        = string
 }
 

diff --git a/data/data/azure/main.tf b/data/data/azure/main.tf
@@ -32,6 +32,9 @@ module "bootstrap" {
   tags                    = local.tags
   boot_diag_blob_endpoint = azurerm_storage_account.bootdiag.primary_blob_endpoint
   ssh_nat_rule_id         = module.vnet.bootstrap_ssh_nat_rule_id
+
+  # This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728
+  private_dns_zone_id = azurerm_dns_zone.private.id
 }
 
 module "vnet" {
@@ -64,6 +67,9 @@ module "master" {
   boot_diag_blob_endpoint = azurerm_storage_account.bootdiag.primary_blob_endpoint
   os_volume_size          = var.azure_master_root_volume_size
   ssh_nat_rule_ids        = module.vnet.mmaster_ssh_nat_rule_ids
+
+  # This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728
+  private_dns_zone_id = azurerm_dns_zone.private.id
 }
 
 module "dns" {
@@ -74,7 +80,7 @@ module "dns" {
   internal_lb_ipaddress           = module.vnet.internal_lb_ip_address
   resource_group_name             = azurerm_resource_group.main.name
   base_domain_resource_group_name = var.azure_base_domain_resource_group_name
-  internal_dns_resolution_vnet_id = module.vnet.vnet_id
+  private_dns_zone_name           = azurerm_dns_zone.private.name
   etcd_count                      = var.master_count
   etcd_ip_addresses               = module.master.ip_addresses
 }
@@ -112,3 +118,10 @@ resource "azurerm_role_assignment" "main" {
   principal_id         = azurerm_user_assigned_identity.main.principal_id
 }
 
+# https://github.com/MicrosoftDocs/azure-docs/issues/13728
+resource "azurerm_dns_zone" "private" {
+  name                           = var.cluster_domain
+  resource_group_name            = azurerm_resource_group.main.name
+  zone_type                      = "Private"
+  resolution_virtual_network_ids = [module.vnet.vnet_id]
+}
diff --git a/data/data/azure/master/variables.tf b/data/data/azure/master/variables.tf
@@ -88,3 +88,7 @@ variable "ssh_nat_rule_ids" {
   description = "ssh nat rule to make the master nodes reachable"
 }
 
+variable "private_dns_zone_id" {
+  type        = string
+  description = "This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728"
+}