From 08c8bc55881197210f162b1587c38f352759a73f Mon Sep 17 00:00:00 2001 From: Abhinav Dahiya Date: Wed, 22 May 2019 12:58:17 -0700 Subject: [PATCH] data/azure: create an explicit dependency on private zone before VMs are created From the Private DNS Overview Doc [1] ``` The virtual network needs to be empty (that is, no VM records exist) when it initially (that is, for the first time) links to a private zone as a registration or resolution virtual network. However, the virtual network can then be non-empty for future linking as a registration or resolution virtual network, to other private zones. ``` Therefore, it looks like there needs to be an explicit dependency between private zone and VMs being created in the VNET. Moving the private zone resource to main.tf and making bootstrap, masters, dns module consume a variable with value from private zone resource, makes terraform create the DNS Zone before creating any resources from those modules. There is hope that the constraint might be lifted when private DNS zones become publicly GA. [2] [1]: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview [2]: https://feedback.azure.com/forums/217313-networking/suggestions/35340511-create-private-dns-zone-in-virtual-network-which-a --- data/data/azure/bootstrap/variables.tf | 4 ++++ data/data/azure/dns/dns.tf | 17 +++++------------ data/data/azure/dns/variables.tf | 4 ++-- data/data/azure/main.tf | 15 ++++++++++++++- data/data/azure/master/variables.tf | 4 ++++ 5 files changed, 29 insertions(+), 15 deletions(-) diff --git a/data/data/azure/bootstrap/variables.tf b/data/data/azure/bootstrap/variables.tf index e66cc45c709..4690d20d8d8 100644 --- a/data/data/azure/bootstrap/variables.tf +++ b/data/data/azure/bootstrap/variables.tf 
@@ -64,3 +64,7 @@ variable "tags" { description = "tags to be applied to created resources." } +variable "private_dns_zone_id" { + type = string + description = "This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728" +} diff --git a/data/data/azure/dns/dns.tf b/data/data/azure/dns/dns.tf index 46bf564084d..c1d10a80922 100644 --- a/data/data/azure/dns/dns.tf +++ b/data/data/azure/dns/dns.tf @@ -3,16 +3,9 @@ locals { api_external_name = "api.${replace(var.cluster_domain, ".${var.base_domain}", "")}" } -resource "azurerm_dns_zone" "private" { - name = var.cluster_domain - resource_group_name = var.resource_group_name - zone_type = "Private" - resolution_virtual_network_ids = [var.internal_dns_resolution_vnet_id] -} - resource "azurerm_dns_cname_record" "apiint_internal" { name = "api-int" - zone_name = azurerm_dns_zone.private.name + zone_name = var.private_dns_zone_name resource_group_name = var.resource_group_name ttl = 300 record = var.external_lb_fqdn @@ -20,7 +13,7 @@ resource "azurerm_dns_cname_record" "apiint_internal" { resource "azurerm_dns_cname_record" "api_internal" { name = "api" - zone_name = azurerm_dns_zone.private.name + zone_name = var.private_dns_zone_name resource_group_name = var.resource_group_name ttl = 300 record = var.external_lb_fqdn @@ -37,7 +30,7 @@ resource "azurerm_dns_cname_record" "api_external" { resource "azurerm_dns_a_record" "etcd_a_nodes" { count = var.etcd_count name = "etcd-${count.index}" - zone_name = azurerm_dns_zone.private.name + zone_name = var.private_dns_zone_name resource_group_name = var.resource_group_name ttl = 60 records = [var.etcd_ip_addresses[count.index]] 
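Review bot: Declaring `private_dns_zone_id` in bootstrap/variables.tf only gives the module an input that depends on the zone; the VM resources inside the module are ordered after the zone only if one of them actually references `var.private_dns_zone_id`, and no such reference appears in this patch (the module's resource files are not in the diff). The `type = string` syntax implies Terraform 0.12, which has no `depends_on` on module calls, so if the variable stays unreferenced the ordering the commit message relies on is not enforced and a VM can still land in the vnet before the zone is linked, which is the exact failure the change is meant to prevent. The same applies to master/variables.tf (`@@ -88,3 +88,7 @@`) and to the two module calls in main.tf that pass `azurerm_dns_zone.private.id` (`@@ -32,6 +32,9 @@`, `@@ -64,6 +67,9 @@`). Make the VM resources consume the variable (for example through a local their tags are built from), and say so in the description: `description = "ID of the private DNS zone; must be referenced by the VM resources so they are created only after the zone is linked to the vnet (no module depends_on in this terraform version)."`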
@@ -45,7 +38,7 @@ resource "azurerm_dns_a_record" "etcd_a_nodes" { resource "azurerm_dns_srv_record" "etcd_cluster" { name = "_etcd-server-ssl._tcp" - zone_name = azurerm_dns_zone.private.name + zone_name = var.private_dns_zone_name resource_group_name = var.resource_group_name ttl = 60 @@ -53,7 +46,7 @@ resource "azurerm_dns_srv_record" "etcd_cluster" { for_each = azurerm_dns_a_record.etcd_a_nodes.*.name iterator = name content { - target = "${name.value}.${azurerm_dns_zone.private.name}" + target = "${name.value}.${var.private_dns_zone_name}" priority = 10 weight = 10 port = 2380 diff --git a/data/data/azure/dns/variables.tf b/data/data/azure/dns/variables.tf index bc3efdb6f97..c63057bbfe7 100644 --- a/data/data/azure/dns/variables.tf +++ b/data/data/azure/dns/variables.tf @@ -29,8 +29,8 @@ variable "internal_lb_ipaddress" { type = string } -variable "internal_dns_resolution_vnet_id" { - description = "the vnet id to be attached to the private DNS zone" +variable "private_dns_zone_name" { + description = "private DNS zone name that should be used for records" type = string } diff --git a/data/data/azure/main.tf b/data/data/azure/main.tf index 36e8c74a11c..508ab1d6212 100644 --- a/data/data/azure/main.tf +++ b/data/data/azure/main.tf @@ -32,6 +32,9 @@ module "bootstrap" { tags = local.tags boot_diag_blob_endpoint = azurerm_storage_account.bootdiag.primary_blob_endpoint ssh_nat_rule_id = module.vnet.bootstrap_ssh_nat_rule_id + + # This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728 + private_dns_zone_id = azurerm_dns_zone.private.id } module "vnet" { 
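Review bot: In the dns/variables.tf hunk (`@@ -29,8 +29,8 @@`) the description of `private_dns_zone_name` should say where the zone comes from and what it is coupled to: the record resources in dns.tf now use `zone_name = var.private_dns_zone_name` together with `resource_group_name = var.resource_group_name`, while the zone itself is created in the root module under `azurerm_resource_group.main.name`, so the records only find the zone because the caller happens to pass the same group for both. Suggest `description = "name of the private DNS zone created in the root module; records are created in resource_group_name, which must be the zone's resource group"`. If the module should not depend on that convention, pass `azurerm_dns_zone.private.resource_group_name` from main.tf explicitly instead of relying on the two values agreeing.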
@@ -64,6 +67,9 @@ module "master" { boot_diag_blob_endpoint = azurerm_storage_account.bootdiag.primary_blob_endpoint os_volume_size = var.azure_master_root_volume_size ssh_nat_rule_ids = module.vnet.mmaster_ssh_nat_rule_ids + + # This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728 + private_dns_zone_id = azurerm_dns_zone.private.id } module "dns" { @@ -74,7 +80,7 @@ module "dns" { internal_lb_ipaddress = module.vnet.internal_lb_ip_address resource_group_name = azurerm_resource_group.main.name base_domain_resource_group_name = var.azure_base_domain_resource_group_name - internal_dns_resolution_vnet_id = module.vnet.vnet_id + private_dns_zone_name = azurerm_dns_zone.private.name etcd_count = var.master_count etcd_ip_addresses = module.master.ip_addresses } @@ -112,3 +118,10 @@ resource "azurerm_role_assignment" "main" { principal_id = azurerm_user_assigned_identity.main.principal_id } +# https://github.com/MicrosoftDocs/azure-docs/issues/13728 +resource "azurerm_dns_zone" "private" { + name = var.cluster_domain + resource_group_name = azurerm_resource_group.main.name + zone_type = "Private" + resolution_virtual_network_ids = [module.vnet.vnet_id] +} diff --git a/data/data/azure/master/variables.tf b/data/data/azure/master/variables.tf index e64acf0eb1b..76c04832490 100644 --- a/data/data/azure/master/variables.tf +++ b/data/data/azure/master/variables.tf @@ -88,3 +88,7 @@ variable "ssh_nat_rule_ids" { description = "ssh nat rule to make the master nodes reachable" } +variable "private_dns_zone_id" { + type = string + description = "This is to create explicit dependency on private zone to exist before VMs are created in the vnet. https://github.com/MicrosoftDocs/azure-docs/issues/13728" +}
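Review bot: The only comment above the new `azurerm_dns_zone.private` in main.tf (`@@ -112,3 +118,10 @@`) is a bare issue URL, which does not tell a reader why the zone moved out of the dns module; the reason is in the commit message but not in the code. Suggest preceding the resource with `# Created in the root module so it exists before bootstrap/master VMs are placed in the vnet: a private zone can only be linked to a vnet that has no VMs yet (see the linked issue).` and keeping the URL on the following line. The same one-line explanation plus URL is copied verbatim at the bootstrap and master module calls (`@@ -32,6 +32,9 @@`, `@@ -64,6 +67,9 @@`) and into both variable descriptions; those could instead say `# ordering only, see azurerm_dns_zone.private` so the rationale lives in one place.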