TES-305 DNS Module

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -35,3 +35,11 @@ terraform.rc
 
 # IDEs
 .idea/
+
+#Certificates
+*.pem
+*.p12
+*.pub
+
+#Licenses
+*.license

main.tf

@@ -182,6 +182,7 @@ module "roles" {
   identity_principal_id        = module.identity.identity_principal_id
   key_vault_id                 = module.vault.key_vault_id
   backups_storage_container_id = module.backup.storage_account_id
+  private_dns_zone             = module.dns.private_dns_zone_id
 }
 
 # Managed GraphDB configurations in the Key Vault
@@ -314,5 +315,21 @@ module "vm" {
   tags = local.tags
 
   # Wait for configurations to be created in the key vault and roles to be assigned
-  depends_on = [module.configuration, module.roles]
+  depends_on = [module.configuration, module.roles, module.dns]
+}
+
+module "dns" {
+  source = "./modules/dns"
+
+  resource_name_prefix  = var.resource_name_prefix
+  resource_group_name   = azurerm_resource_group.graphdb.name
+  identity_name         = module.identity.identity_name
+  identity_principal_id = module.identity.identity_principal_id
+  virtual_network_id    = azurerm_virtual_network.graphdb.id
+
+  tags = local.tags
+
+  depends_on = [
+    module.identity
+  ]
 }

modules/dns/main.tf

@@ -0,0 +1,13 @@
+resource "azurerm_private_dns_zone" "zone" {
+  name                = "${var.resource_name_prefix}.dns.zone"
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "zone_link" {
+  name                  = "${var.resource_name_prefix}-dns-link"
+  resource_group_name   = var.resource_group_name
+  private_dns_zone_name = azurerm_private_dns_zone.zone.name
+  virtual_network_id    = var.virtual_network_id
+  tags                  = var.tags
+}

modules/dns/outputs.tf

@@ -0,0 +1,4 @@
+output "private_dns_zone_id" {
+  description = "ID of the private DNS zone for Azure DNS resolving"
+  value       = azurerm_private_dns_zone.zone.id
+}

modules/dns/variables.tf

@@ -0,0 +1,30 @@
+variable "resource_group_name" {
+  description = "Resource group name where the DNS zone will be created"
+  type        = string
+}
+
+variable "resource_name_prefix" {
+  description = "Resource name prefix used for tagging and naming Azure resources"
+  type        = string
+}
+
+variable "identity_name" {
+  description = "Name of a user assigned identity with permissions"
+  type        = string
+}
+
+variable "virtual_network_id" {
+  description = "Virtual network the DNS will be linked to"
+  type        = string
+}
+
+variable "tags" {
+  description = "Common resource tags."
+  type        = map(string)
+  default     = {}
+}
+
+variable "identity_principal_id" {
+  description = "Principal identifier of a user assigned identity with permissions"
+  type        = string
+}

modules/roles/main.tf

@@ -43,3 +43,9 @@ resource "azurerm_role_assignment" "rg-contributor-role" {
 
   depends_on = [azurerm_role_definition.managed_disk_manager]
 }
+
+resource "azurerm_role_assignment" "dns_zone_role_assignment" {
+  principal_id         = var.identity_principal_id
+  role_definition_name = "Private DNS Zone Contributor"
+  scope                = var.private_dns_zone
+}

modules/roles/variables.tf

@@ -30,3 +30,10 @@ variable "backups_storage_container_id" {
   description = "Identifier of the storage container for GraphDB backups"
   type        = string
 }
+
+# DNS
+
+variable "private_dns_zone" {
+  description = "Identifier of a Private DNS zone"
+  type        = string
+}