diff --git a/_example/basic/example.tf b/_example/basic/example.tf index fff1230..607ba17 100644 --- a/_example/basic/example.tf +++ b/_example/basic/example.tf @@ -1,5 +1,14 @@ provider "azurerm" { features {} + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" +} + +provider "azurerm" { + features {} + alias = "peer" + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" } locals { @@ -11,6 +20,10 @@ locals { ## ACR module call. ##----------------------------------------------------------------------------- module "container-registry" { + providers = { + azurerm.dns_sub = azurerm.peer, + azurerm.main_sub = azurerm + } source = "../../" name = local.name # Name used for specifying tags and other resources naming.(like private endpoint, vnet-link etc) environment = local.environment @@ -27,4 +40,4 @@ module "container-registry" { virtual_network_id = "vnet_id" subnet_id = "subnet_id" enable_diagnostic = false -} \ No newline at end of file +} diff --git a/_example/complete/example.tf b/_example/complete/example.tf index dc1b946..c05fb56 100644 --- a/_example/complete/example.tf +++ b/_example/complete/example.tf @@ -1,7 +1,17 @@ provider "azurerm" { features {} + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" } +provider "azurerm" { + features {} + alias = "peer" + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" +} + + data "azurerm_client_config" "current_client_config" {} locals { @@ -43,7 +53,7 @@ module "vnet" { ##----------------------------------------------------------------------------- module "subnet" { source = "clouddrove/subnet/azure" - version = "1.1.0" + version = "1.2.0" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name @@ -77,10 +87,18 @@ module "log-analytics" { log_analytics_workspace_location = module.resource_group.resource_group_location } + +#########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone. +# data "azurerm_private_dns_zone" "existing_dns_zone" { +# name = "privatelink.azurecr.io" # The name of your DNS Zone +# resource_group_name = "dns-rg" # The resource group where existing the DNS Zone is located +# } + + module "vault" { source = "clouddrove/key-vault/azure" version = "1.1.0" - name = "apptest4rds3474" + name = "apptest4rds3477" environment = local.environment resource_group_name = module.resource_group.resource_group_name location = module.resource_group.resource_group_location @@ -104,29 +122,47 @@ module "vault" { log_analytics_workspace_id = module.log-analytics.workspace_id ## when diagnostic_setting_enable = true, need to add log analytics workspace id } + ##----------------------------------------------------------------------------- ## ACR module call. ##----------------------------------------------------------------------------- module "container-registry" { + providers = { + azurerm.dns_sub = azurerm.peer, + azurerm.main_sub = azurerm + } source = "../../" name = local.name # Name used for specifying tags and other resources naming.(like private endpoint, vnet-link etc) environment = local.environment resource_group_name = module.resource_group.resource_group_name location = module.resource_group.resource_group_location container_registry_config = { - name = "cdacr1234" # Name of Container Registry - sku = "Basic" + name = "cdacr1232" # Name of Container Registry + sku = "Premium" } log_analytics_workspace_id = module.log-analytics.workspace_id + ##----------------------------------------------------------------------------- ## To be mentioned for private endpoint, because private endpoint is enabled by default. ## To disable private endpoint set 'enable_private_endpoint' variable = false and than no need to specify following variable ##----------------------------------------------------------------------------- virtual_network_id = module.vnet.vnet_id subnet_id = module.subnet.default_subnet_id[0] + ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone. + + # diff_sub = true + # alias = "" + + + #########Following to be uncommmented when using DNS zone from different resource group or different subscription. + #existing_private_dns_zone = "privatelink.azurecr.io" + #existing_private_dns_zone_resource_group_name = "dns-rg" + #existing_private_dns_zone_id = [data.azurerm_private_dns_zone.existing_dns_zone.id] + ##if encryption is enabled. encryption = true enable_content_trust = false key_vault_rbac_auth_enabled = true key_vault_id = module.vault.id } + diff --git a/_example/complete/versions.tf b/_example/complete/versions.tf index 6a65607..96cb024 100644 --- a/_example/complete/versions.tf +++ b/_example/complete/versions.tf @@ -7,7 +7,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">=3.85.0" + version = ">=3.102.0" } } -} \ No newline at end of file +} diff --git a/_example/with_existing_dns_zone_in_diff_rg/example.tf b/_example/with_existing_dns_zone_in_diff_rg/example.tf index 44778e7..c321d43 100644 --- a/_example/with_existing_dns_zone_in_diff_rg/example.tf +++ b/_example/with_existing_dns_zone_in_diff_rg/example.tf @@ -1,5 +1,14 @@ provider "azurerm" { features {} + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" +} + +provider "azurerm" { + features {} + alias = "peer" + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" } locals { @@ -41,7 +50,7 @@ module "vnet" { ##----------------------------------------------------------------------------- module "subnet" { source = "clouddrove/subnet/azure" - version = "1.1.0" + version = "1.2.0" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name @@ -77,10 +86,21 @@ module "log-analytics" { log_analytics_workspace_location = module.resource_group.resource_group_location } + +#########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone. +data "azurerm_private_dns_zone" "existing_dns_zone" { + name = "privatelink.azurecr.io" # The name of your DNS Zone + resource_group_name = "example-rg" # The resource group where existing the DNS Zone is located +} + ##----------------------------------------------------------------------------- ## ACR module call. ##----------------------------------------------------------------------------- module "container-registry" { + providers = { + azurerm.dns_sub = azurerm.peer, + azurerm.main_sub = azurerm + } source = "../../" name = local.name # Name used for specifying tags and other resources naming.(like private endpoint, vnet-link etc) environment = local.environment @@ -101,5 +121,6 @@ module "container-registry" { ## Specify following variales when private dns zone is in same subscription but in different resource group ##----------------------------------------------------------------------------- existing_private_dns_zone = "privatelink.azurecr.io" # Name of private dns zone remain same for acr. - existing_private_dns_zone_resource_group_name = "example_test_rg" + existing_private_dns_zone_resource_group_name = "example-rg" + existing_private_dns_zone_id = [data.azurerm_private_dns_zone.existing_dns_zone.id] } diff --git a/_example/with_existing_dns_zone_in_diff_rg/versions.tf b/_example/with_existing_dns_zone_in_diff_rg/versions.tf index 6a65607..96cb024 100644 --- a/_example/with_existing_dns_zone_in_diff_rg/versions.tf +++ b/_example/with_existing_dns_zone_in_diff_rg/versions.tf @@ -7,7 +7,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">=3.85.0" + version = ">=3.102.0" } } -} \ No newline at end of file +} diff --git a/_example/with_existing_dns_zone_in_diff_subs/example.tf b/_example/with_existing_dns_zone_in_diff_subs/example.tf index b9687ae..1c04530 100644 --- a/_example/with_existing_dns_zone_in_diff_subs/example.tf +++ b/_example/with_existing_dns_zone_in_diff_subs/example.tf @@ -1,7 +1,15 @@ provider "azurerm" { features {} + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" } +provider "azurerm" { + features {} + alias = "peer" + subscription_id = "01111111111110-11-11-11-11" + skip_provider_registration = "true" +} locals { name = "app" environment = "test" @@ -42,7 +50,7 @@ module "vnet" { ##----------------------------------------------------------------------------- module "subnet" { source = "clouddrove/subnet/azure" - version = "1.1.0" + version = "1.2.0" name = local.name environment = local.environment resource_group_name = module.resource_group.resource_group_name @@ -76,10 +84,23 @@ module "log-analytics" { log_analytics_workspace_location = module.resource_group.resource_group_location } +##---------------------------------------------------------------------------- +## Existing DNS zone +#----------------------------------------------------------------------------- +data "azurerm_private_dns_zone" "existing_dns_zone" { + name = "privatelink.azurecr.io" # The name of your DNS Zone + resource_group_name = "dns-rg" # The resource group where existing the DNS Zone is located +} + + ##----------------------------------------------------------------------------- ## ACR module call. ##----------------------------------------------------------------------------- module "container-registry" { + providers = { + azurerm.dns_sub = azurerm.peer, + azurerm.main_sub = azurerm + } source = "../../" name = local.name # Name used for specifying tags and other resources naming.(like private endpoint, vnet-link etc) environment = local.environment @@ -100,7 +121,7 @@ module "container-registry" { ## Specify following variales when private dns zone is in different subscription. ##----------------------------------------------------------------------------- diff_sub = true - alias_sub = "35XXXXXXXXXXXX67" # Subcription id in which dns zone is present. existing_private_dns_zone = "privatelink.azurecr.io" # Name of private dns zone remain same for acr. existing_private_dns_zone_resource_group_name = "example_test_rg" + existing_private_dns_zone_id = [data.azurerm_private_dns_zone.existing_dns_zone.id] } diff --git a/_example/with_existing_dns_zone_in_diff_subs/versions.tf b/_example/with_existing_dns_zone_in_diff_subs/versions.tf index 6a65607..a689955 100644 --- a/_example/with_existing_dns_zone_in_diff_subs/versions.tf +++ b/_example/with_existing_dns_zone_in_diff_subs/versions.tf @@ -7,7 +7,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">=3.85.0" + version = ">=3.102.0" } } } \ No newline at end of file diff --git a/main.tf b/main.tf index d80c213..2a8528c 100644 --- a/main.tf +++ b/main.tf @@ -17,6 +17,7 @@ module "labels" { ## Below resources will create ACR and its components. ##----------------------------------------------------------------------------- resource "azurerm_container_registry" "main" { + provider = azurerm.main_sub count = var.enable ? 1 : 0 name = format("%s", var.container_registry_config.name) resource_group_name = var.resource_group_name @@ -92,6 +93,7 @@ resource "azurerm_container_registry" "main" { } resource "azurerm_container_registry_scope_map" "main" { + provider = azurerm.main_sub for_each = var.enable && var.scope_map != null ? { for k, v in var.scope_map : k => v if v != null } : {} name = format("%s", each.key) resource_group_name = var.resource_group_name @@ -100,6 +102,7 @@ resource "azurerm_container_registry_scope_map" "main" { } resource "azurerm_container_registry_token" "main" { + provider = azurerm.main_sub for_each = var.enable && var.scope_map != null ? { for k, v in var.scope_map : k => v if v != null } : {} name = format("%s", "${each.key}-token") resource_group_name = var.resource_group_name @@ -109,6 +112,7 @@ resource "azurerm_container_registry_token" "main" { } resource "azurerm_container_registry_webhook" "main" { + provider = azurerm.main_sub for_each = var.enable && var.container_registry_webhooks != null ? { for k, v in var.container_registry_webhooks : k => v if v != null } : {} name = format("%s", each.key) resource_group_name = var.resource_group_name @@ -130,6 +134,7 @@ resource "azurerm_container_registry_webhook" "main" { ## Below resources will create Vault_key . ##----------------------------------------------------------------------------- resource "azurerm_key_vault_key" "kvkey" { + provider = azurerm.main_sub depends_on = [azurerm_role_assignment.identity_assigned] count = var.enable && var.encryption ? 1 : 0 name = format("%s-acr-cmk-key", module.labels.id) @@ -159,6 +164,7 @@ resource "azurerm_key_vault_key" "kvkey" { } resource "azurerm_role_assignment" "identity_assigned" { + provider = azurerm.main_sub depends_on = [azurerm_user_assigned_identity.identity] count = var.enable && var.encryption && var.key_vault_rbac_auth_enabled ? 1 : 0 principal_id = azurerm_user_assigned_identity.identity[0].principal_id @@ -167,16 +173,19 @@ resource "azurerm_role_assignment" "identity_assigned" { } resource "azurerm_user_assigned_identity" "identity" { + provider = azurerm.main_sub count = var.enable && var.encryption != null ? 1 : 0 location = var.location name = format("%s-acr-mid", module.labels.id) resource_group_name = var.resource_group_name } + ##----------------------------------------------------------------------------- ## Below resource will create private endpoint resource for ACR. ##----------------------------------------------------------------------------- resource "azurerm_private_endpoint" "pep1" { + provider = azurerm.main_sub count = var.enable && var.enable_private_endpoint ? 1 : 0 name = format("%s-acr-pe", module.labels.id) location = var.location @@ -200,16 +209,6 @@ resource "azurerm_private_endpoint" "pep1" { } } -##----------------------------------------------------------------------------- -## Provider block added, to be used when private dns zone is in different subscription and vnet link is to be created in that private dns zone name. -## Add different subscription id in 'alias_sub' variable. -##----------------------------------------------------------------------------- -provider "azurerm" { - alias = "peer" - features {} - subscription_id = var.alias_sub -} - ##----------------------------------------------------------------------------- ## Locals defined to determine the resource group in which private dns zone must be created or existing private dns zone is present. ##----------------------------------------------------------------------------- @@ -222,6 +221,7 @@ locals { ## Private dns zone will be created if private endpoint is enabled and no existing dns zone is provided. ##----------------------------------------------------------------------------- resource "azurerm_private_dns_zone" "dnszone1" { + provider = azurerm.main_sub count = var.enable && var.existing_private_dns_zone == null && var.enable_private_endpoint ? 1 : 0 name = var.private_dns_name resource_group_name = var.resource_group_name @@ -234,8 +234,9 @@ resource "azurerm_private_dns_zone" "dnszone1" { ## Resource group and private dns zone in which vnet link is to be created will be decided from condition present in locals and will be passed as locals. ##----------------------------------------------------------------------------- resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-same-sub" { + provider = azurerm.main_sub count = var.enable && var.enable_private_endpoint && var.diff_sub == false && var.same_vnet == false ? 1 : 0 - name = var.existing_private_dns_zone == null ? format("%s-acr-pdz-vnet-link", module.labels.id) : format("%s-acr-pdz-vnet-link-1") + name = var.existing_private_dns_zone == null ? format("%s-acr-pdz-vnet-link", module.labels.id) : format("%s-acr-pdz-vnet-link-1", module.labels.id) resource_group_name = local.valid_rg_name private_dns_zone_name = local.private_dns_zone_name virtual_network_id = var.virtual_network_id @@ -248,7 +249,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-same-sub" { ## Add different subscription id in alias sub variable to use provider for that particular subscription. ##----------------------------------------------------------------------------- resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff_sub" { - provider = azurerm.peer + provider = azurerm.dns_sub count = var.enable && var.enable_private_endpoint && var.diff_sub == true ? 1 : 0 name = var.existing_private_dns_zone == null ? format("%s-acr-pdz-vnet-link", module.labels.id) : format("%s-acr-pdz-vnet-link-diif-dns", module.labels.id) resource_group_name = local.valid_rg_name @@ -262,7 +263,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff_sub" { ## Call the module again and set enable variable = false and add variables specific only to this resource. ##----------------------------------------------------------------------------- resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-multi-subs" { - provider = azurerm.peer + provider = azurerm.dns_sub count = var.enable && var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0 name = format("%s-acr-pdz-vnet-link", module.labels.id) resource_group_name = var.existing_private_dns_zone_resource_group_name @@ -275,6 +276,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-multi-subs" ## Below vnet link resource will be created when you have to add extra vnet link in same subscription. ##----------------------------------------------------------------------------- resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" { + provider = azurerm.main_sub count = var.enable && var.addon_vent_link ? 1 : 0 name = format("%s-acr-pdz-vnet-link-addon", module.labels.id) resource_group_name = var.addon_resource_group_name @@ -287,6 +289,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" { ## Below resource will create diagnostic setting for ACR. ##----------------------------------------------------------------------------- resource "azurerm_monitor_diagnostic_setting" "acr-diag" { + provider = azurerm.main_sub count = var.enable && var.enable_diagnostic ? 1 : 0 name = format("%s-acr-nic-diag-log", module.labels.id) target_resource_id = azurerm_container_registry.main[0].id diff --git a/output.tf b/output.tf index 2bfd72e..3b6077c 100644 --- a/output.tf +++ b/output.tf @@ -52,9 +52,4 @@ output "container_registry_private_endpoint" { output "container_registry_private_dns_zone_domain" { value = var.existing_private_dns_zone == null && var.enable_private_endpoint ? azurerm_private_dns_zone.dnszone1[0].name : var.existing_private_dns_zone description = "DNS zone name of Azure Container Registry Private endpoints dns name records" -} - -output "private_dns_zone_id" { - value = var.enable_private_endpoint ? azurerm_private_dns_zone.dnszone1[0].id : null - description = "ID of private dns zone. To be used when there is existing dns zone and id is to be passed in private endpoint dns configuration group." } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 703a184..9a174e1 100644 --- a/variables.tf +++ b/variables.tf @@ -221,12 +221,6 @@ variable "existing_private_dns_zone_resource_group_name" { description = "The name of the existing resource group" } -variable "alias_sub" { - type = string - default = null - description = "Subscription id for different sub in which dns zone is present." -} - ##----------------------------------------------------------------------------- ## To be set when existing dns zone is in diffrent subscription. ##----------------------------------------------------------------------------- diff --git a/versions.tf b/versions.tf index 6a65607..96cb024 100644 --- a/versions.tf +++ b/versions.tf @@ -7,7 +7,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">=3.85.0" + version = ">=3.102.0" } } -} \ No newline at end of file +}