fix: key vault private dns zone

nebuly-ai · Dec 2, 2024 · c8ef129 · c8ef129
1 parent 6ac227e
commit c8ef129
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 48 deletions.
diff --git a/README.md b/README.md
@@ -195,53 +195,56 @@ You can find examples of code that uses this Terraform module in the [examples](
 ## Resources
 
 
-- resource.azuread_application.main (/terraform-docs/main.tf#264)
-- resource.azuread_group.aks_admins (/terraform-docs/main.tf#588)
-- resource.azuread_group_member.aks_admin_users (/terraform-docs/main.tf#592)
-- resource.azuread_service_principal.main (/terraform-docs/main.tf#270)
-- resource.azuread_service_principal_password.main (/terraform-docs/main.tf#275)
-- resource.azurerm_cognitive_account.main (/terraform-docs/main.tf#482)
-- resource.azurerm_cognitive_deployment.gpt_4o (/terraform-docs/main.tf#502)
-- resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#519)
-- resource.azurerm_key_vault.main (/terraform-docs/main.tf#195)
-- resource.azurerm_key_vault_secret.azure_openai_api_key (/terraform-docs/main.tf#536)
-- resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#279)
-- resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#288)
-- resource.azurerm_key_vault_secret.jwt_signing_key (/terraform-docs/main.tf#726)
-- resource.azurerm_key_vault_secret.nebuly_azure_client_id (/terraform-docs/main.tf#301)
-- resource.azurerm_key_vault_secret.nebuly_azure_client_secret (/terraform-docs/main.tf#310)
-- resource.azurerm_key_vault_secret.okta_sso_client_id (/terraform-docs/main.tf#738)
-- resource.azurerm_key_vault_secret.okta_sso_client_secret (/terraform-docs/main.tf#749)
-- resource.azurerm_key_vault_secret.postgres_password (/terraform-docs/main.tf#465)
-- resource.azurerm_key_vault_secret.postgres_user (/terraform-docs/main.tf#456)
-- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#683)
-- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#399)
-- resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#407)
-- resource.azurerm_postgresql_flexible_server.main (/terraform-docs/main.tf#329)
-- resource.azurerm_postgresql_flexible_server_configuration.mandatory_configurations (/terraform-docs/main.tf#380)
-- resource.azurerm_postgresql_flexible_server_configuration.optional_configurations (/terraform-docs/main.tf#373)
-- resource.azurerm_postgresql_flexible_server_database.analytics (/terraform-docs/main.tf#393)
-- resource.azurerm_postgresql_flexible_server_database.auth (/terraform-docs/main.tf#387)
-- resource.azurerm_private_dns_zone.flexible_postgres (/terraform-docs/main.tf#174)
-- resource.azurerm_private_dns_zone_virtual_network_link.flexible_postgres (/terraform-docs/main.tf#180)
-- resource.azurerm_private_endpoint.key_vault (/terraform-docs/main.tf#221)
-- resource.azurerm_role_assignment.aks_network_contributor (/terraform-docs/main.tf#678)
-- resource.azurerm_role_assignment.key_vault_secret_officer__current (/terraform-docs/main.tf#254)
-- resource.azurerm_role_assignment.key_vault_secret_user__aks (/terraform-docs/main.tf#246)
-- resource.azurerm_role_assignment.storage_container_models__data_contributor (/terraform-docs/main.tf#574)
-- resource.azurerm_storage_account.main (/terraform-docs/main.tf#550)
-- resource.azurerm_storage_container.models (/terraform-docs/main.tf#570)
-- resource.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#130)
-- resource.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#152)
-- resource.azurerm_subnet.private_endpints (/terraform-docs/main.tf#144)
-- resource.azurerm_virtual_network.main (/terraform-docs/main.tf#122)
-- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#324)
-- resource.time_sleep.wait_aks_creation (/terraform-docs/main.tf#665)
-- resource.tls_private_key.aks (/terraform-docs/main.tf#584)
-- resource.tls_private_key.jwt_signing_key (/terraform-docs/main.tf#722)
+- resource.azuread_application.main (/terraform-docs/main.tf#284)
+- resource.azuread_group.aks_admins (/terraform-docs/main.tf#608)
+- resource.azuread_group_member.aks_admin_users (/terraform-docs/main.tf#612)
+- resource.azuread_service_principal.main (/terraform-docs/main.tf#290)
+- resource.azuread_service_principal_password.main (/terraform-docs/main.tf#295)
+- resource.azurerm_cognitive_account.main (/terraform-docs/main.tf#502)
+- resource.azurerm_cognitive_deployment.gpt_4o (/terraform-docs/main.tf#522)
+- resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#539)
+- resource.azurerm_key_vault.main (/terraform-docs/main.tf#217)
+- resource.azurerm_key_vault_secret.azure_openai_api_key (/terraform-docs/main.tf#556)
+- resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#299)
+- resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#308)
+- resource.azurerm_key_vault_secret.jwt_signing_key (/terraform-docs/main.tf#746)
+- resource.azurerm_key_vault_secret.nebuly_azure_client_id (/terraform-docs/main.tf#321)
+- resource.azurerm_key_vault_secret.nebuly_azure_client_secret (/terraform-docs/main.tf#330)
+- resource.azurerm_key_vault_secret.okta_sso_client_id (/terraform-docs/main.tf#758)
+- resource.azurerm_key_vault_secret.okta_sso_client_secret (/terraform-docs/main.tf#769)
+- resource.azurerm_key_vault_secret.postgres_password (/terraform-docs/main.tf#485)
+- resource.azurerm_key_vault_secret.postgres_user (/terraform-docs/main.tf#476)
+- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#703)
+- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#419)
+- resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#427)
+- resource.azurerm_postgresql_flexible_server.main (/terraform-docs/main.tf#349)
+- resource.azurerm_postgresql_flexible_server_configuration.mandatory_configurations (/terraform-docs/main.tf#400)
+- resource.azurerm_postgresql_flexible_server_configuration.optional_configurations (/terraform-docs/main.tf#393)
+- resource.azurerm_postgresql_flexible_server_database.analytics (/terraform-docs/main.tf#413)
+- resource.azurerm_postgresql_flexible_server_database.auth (/terraform-docs/main.tf#407)
+- resource.azurerm_private_dns_zone.flexible_postgres (/terraform-docs/main.tf#179)
+- resource.azurerm_private_dns_zone.key_vault (/terraform-docs/main.tf#197)
+- resource.azurerm_private_dns_zone_virtual_network_link.flexible_postgres (/terraform-docs/main.tf#185)
+- resource.azurerm_private_dns_zone_virtual_network_link.key_vault (/terraform-docs/main.tf#202)
+- resource.azurerm_private_endpoint.key_vault (/terraform-docs/main.tf#243)
+- resource.azurerm_role_assignment.aks_network_contributor (/terraform-docs/main.tf#698)
+- resource.azurerm_role_assignment.key_vault_secret_officer__current (/terraform-docs/main.tf#274)
+- resource.azurerm_role_assignment.key_vault_secret_user__aks (/terraform-docs/main.tf#266)
+- resource.azurerm_role_assignment.storage_container_models__data_contributor (/terraform-docs/main.tf#594)
+- resource.azurerm_storage_account.main (/terraform-docs/main.tf#570)
+- resource.azurerm_storage_container.models (/terraform-docs/main.tf#590)
+- resource.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#135)
+- resource.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#157)
+- resource.azurerm_subnet.private_endpints (/terraform-docs/main.tf#149)
+- resource.azurerm_virtual_network.main (/terraform-docs/main.tf#127)
+- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#344)
+- resource.time_sleep.wait_aks_creation (/terraform-docs/main.tf#685)
+- resource.tls_private_key.aks (/terraform-docs/main.tf#604)
+- resource.tls_private_key.jwt_signing_key (/terraform-docs/main.tf#742)
 - data source.azuread_user.aks_admins (/terraform-docs/main.tf#81)
 - data source.azurerm_client_config.current (/terraform-docs/main.tf#73)
 - data source.azurerm_private_dns_zone.flexible_postgres (/terraform-docs/main.tf#114)
+- data source.azurerm_private_dns_zone.key_vault (/terraform-docs/main.tf#119)
 - data source.azurerm_resource_group.main (/terraform-docs/main.tf#70)
 - data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#86)
 - data source.azurerm_subnet.flexible_postgres (/terraform-docs/main.tf#100)

diff --git a/main.tf b/main.tf
@@ -116,6 +116,11 @@ data "azurerm_private_dns_zone" "flexible_postgres" {
 
   name = var.private_dns_zones.flexible_postgres
 }
+data "azurerm_private_dns_zone" "key_vault" {
+  count = var.private_dns_zones.key_vault != null ? 1 : 0
+
+  name = var.private_dns_zones.key_vault
+}
 
 
 # ------ Networking: Networks and Subnets ------ #
@@ -189,6 +194,23 @@ resource "azurerm_private_dns_zone_virtual_network_link" "flexible_postgres" {
   virtual_network_id    = local.virtual_network.id
   private_dns_zone_name = azurerm_private_dns_zone.flexible_postgres[0].name
 }
+resource "azurerm_private_dns_zone" "key_vault" {
+  count               = var.private_dns_zones.key_vault == null ? 1 : 0
+  name                = "privatelink.vaultcore.azure.net"
+  resource_group_name = data.azurerm_resource_group.main.name
+}
+resource "azurerm_private_dns_zone_virtual_network_link" "key_vault" {
+  count = var.private_dns_zones.key_vault == null ? 1 : 0
+
+  name = format(
+    "%s-key-vault-%s",
+    var.resource_prefix,
+    local.virtual_network.name,
+  )
+  resource_group_name   = data.azurerm_resource_group.main.name
+  virtual_network_id    = local.virtual_network.id
+  private_dns_zone_name = azurerm_private_dns_zone.key_vault[0].name
+}
 
 
 # ------ Key Vault ------ #
@@ -235,10 +257,8 @@ resource "azurerm_private_endpoint" "key_vault" {
   }
 
   private_dns_zone_group {
-    name = "privatelink-vaultcore-azure-net"
-    private_dns_zone_ids = [
-      var.private_dns_zones.key_vault,
-    ]
+    name                 = "privatelink-vaultcore-azure-net"
+    private_dns_zone_ids = length(azurerm_private_dns_zone.key_vault) > 0 ? [azurerm_private_dns_zone.key_vault[0].id] : [data.azurerm_private_dns_zone.key_vault[0].id]
   }
 
   tags = var.tags