diff --git a/README.md b/README.md
index 3eb0c07..69cef82 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,7 @@ The following resources are used by this module:
 - [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
 - [azurerm_monitor_diagnostic_setting.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) (resource)
 - [azurerm_role_assignment.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_role_assignment.dns_zone_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.network_contributor_on_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_user_assigned_identity.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) (resource)
 - [modtm_telemetry.telemetry](https://registry.terraform.io/providers/Azure/modtm/latest/docs/resources/telemetry) (resource)
@@ -299,6 +300,14 @@ Type: `string`
 Default: `"AzureLinux"`
+### [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id)
+
+Description: (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this
+
+Type: `string`
+
+Default: `"System"`
+
 ### [rbac\_aad\_admin\_group\_object\_ids](#input\_rbac\_aad\_admin\_group\_object\_ids)
 Description: Object ID of groups with admin access.
diff --git a/examples/default/README.md b/examples/default/README.md
index bbcb961..709951e 100644
--- a/examples/default/README.md
+++ b/examples/default/README.md
@@ -64,6 +64,7 @@ module "test" {
 name = module.naming.kubernetes_cluster.name_unique
 resource_group_name = azurerm_resource_group.this.name
 location = azurerm_resource_group.this.location
+ private_dns_zone_id = azurerm_private_dns_zone.mydomain.id
 network = {
 name = module.avm_res_network_virtualnetwork.name
 resource_group_name = azurerm_resource_group.this.name
@@ -82,6 +83,11 @@ resource "azurerm_private_dns_zone" "this" {
 resource_group_name = azurerm_resource_group.this.name
 }
+resource "azurerm_private_dns_zone" "mydomain" {
+ name = "mydomain.com"
+ resource_group_name = azurerm_resource_group.this.name
+}
+
 module "avm_res_network_virtualnetwork" {
 source = "Azure/avm-res-network-virtualnetwork/azurerm"
 version = "0.2.3"
@@ -118,6 +124,7 @@ The following requirements are needed by this module:
 The following resources are used by this module:
+- [azurerm_private_dns_zone.mydomain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) (resource)
 - [azurerm_private_dns_zone.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) (resource)
 - [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
diff --git a/examples/default/main.tf b/examples/default/main.tf
index dcb123c..211887f 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -58,6 +58,7 @@ module "test" {
 name = module.naming.kubernetes_cluster.name_unique
 resource_group_name = azurerm_resource_group.this.name
 location = azurerm_resource_group.this.location
+ private_dns_zone_id = azurerm_private_dns_zone.mydomain.id
 network = {
 name = module.avm_res_network_virtualnetwork.name
 resource_group_name = azurerm_resource_group.this.name
@@ -76,6 +77,11 @@ resource "azurerm_private_dns_zone" "this" {
 resource_group_name = azurerm_resource_group.this.name
 }
+resource "azurerm_private_dns_zone" "mydomain" {
+ name = "mydomain.com"
+ resource_group_name = azurerm_resource_group.this.name
+}
+
 module "avm_res_network_virtualnetwork" {
 source = "Azure/avm-res-network-virtualnetwork/azurerm"
 version = "0.2.3"
diff --git a/main.tf b/main.tf
index 9314318..1b21a2f 100644
--- a/main.tf
+++ b/main.tf
@@ -48,6 +48,14 @@ resource "azurerm_role_assignment" "network_contributor_on_resource_group" {
 role_definition_name = "Network Contributor"
 }
+resource "azurerm_role_assignment" "dns_zone_contributor" {
+ count = var.private_dns_zone_id == "System" ? 0 : 1
+
+ principal_id = data.azurerm_user_assigned_identity.cluster_identity.principal_id
+ scope = var.private_dns_zone_id
+ role_definition_name = "Private DNS Zone Contributor"
+}
+
 resource "azurerm_kubernetes_cluster" "this" {
 location = var.location
 name = "aks-${var.name}"
@@ -60,6 +68,7 @@ resource "azurerm_kubernetes_cluster" "this" {
 node_os_channel_upgrade = "NodeImage"
 oidc_issuer_enabled = true
 private_cluster_enabled = true
+ private_dns_zone_id = var.private_dns_zone_id
 role_based_access_control_enabled = true
 sku_tier = "Standard"
 tags = var.tags
diff --git a/variables.tf b/variables.tf
index b83ab55..9e55b44 100644
--- a/variables.tf
+++ b/variables.tf
@@ -207,6 +207,17 @@ variable "os_sku" {
 }
 }
+variable "private_dns_zone_id" {
+ type = string
+ default = "System"
+ description = "(Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this"
+
+ validation {
+ condition = can(regex("^(System|/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.Network/privateDnsZones/[^/]+)$", var.private_dns_zone_id))
+ error_message = "private_dns_zone_id must be either System or a valid Private DNS Zone ID"
+ }
+}
+
 variable "rbac_aad_admin_group_object_ids" {
 type = list(string)
 default = null
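Review bot: The zone `name = "mydomain.com"` in the new `azurerm_private_dns_zone.mydomain` resource is unlikely to be accepted by AKS for a private cluster, because a bring-your-own private DNS zone has to be named `privatelink.<region>.azmk8s.io` or a subzone of it, so the example would fail at cluster creation rather than demonstrate the new input. Derive the name from the example's own region, e.g. `name = "privatelink.${azurerm_resource_group.this.location}.azmk8s.io"` (constructed; confirm against the current AKS naming rules for custom private DNS zones). The same resource block is reproduced in the examples/default/README.md hunk at -82 and needs the same change there.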
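Review bot: Nothing orders the new `dns_zone_contributor` assignment before `azurerm_kubernetes_cluster.this`, which starts at the end of this hunk, continues outside it, and receives `private_dns_zone_id = var.private_dns_zone_id` in the -60 hunk; AKS checks that the cluster identity can write to a custom zone when the cluster is created, so on a fresh apply the cluster can be created, and fail, before the assignment exists or has propagated. Terraform cannot infer the dependency, since the cluster references the variable directly and never the assignment. Add `depends_on = [azurerm_role_assignment.dns_zone_contributor]` to the cluster resource, merged with whatever `depends_on` it may already carry for `network_contributor_on_resource_group` (not visible in this diff). A `count` of 0 on the `System` path keeps that dependency harmless when no custom zone is given.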
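Review bot: The `condition` in the new `validation` block is case-sensitive on path segments such as `resourceGroups`, but Azure resource IDs are case-insensitive and different APIs return them with differing casing (`resourcegroups` is common), so a legitimate zone ID can be rejected by the module, while the literal `System` still needs an exact match for the `count` test in main.tf. A case-insensitive group around the ID alternative keeps both behaviours and also escapes the `.` in `Microsoft.Network`, which currently matches any character: `condition = can(regex("^(System|(?i:/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.Network/privateDnsZones/[^/]+))$", var.private_dns_zone_id))` (confirm the `(?i:...)` group is accepted by Terraform's regex function before relying on it). The provider also accepts `None` for this attribute, and the description here is the provider's sentence with that option removed; if excluding `None` is deliberate, state it in the description, e.g. `"... System to have AKS manage this. None is intentionally not supported by this module."`, so the stricter validation reads as a decision rather than an omission.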