Skip to content

Latest commit

 

History

History
144 lines (109 loc) · 10.3 KB

File metadata and controls

144 lines (109 loc) · 10.3 KB

Module: Azure DNS Private Resolver

Description

Create Azure DNS Private Resolver with Inbound / Outbound endpoints as well as DNS Forwarding rule sets using Terraform.

To learn more about Azure DNS Private Reslover is check out Microsoft Learn: What is Azure DNS Private Resolver?

This Module can be used to create Azure DNS Private Resolver, one or two Inbound and Outbound Endpoints as well as one or two DNS Forwarding rule sets due to the limitations in supporting more then two Inbound/Outbound Endpoints and two DNS forwarding rule sets per Outbound Endpoint giving us total of four DNS Forwarding rule sets available, with two outbound endpoints.

Requirements

Name Version
terraform >= 1.3.0
azurerm ~> 3.36.0

Providers

Name Version
azurerm ~> 3.36.0

Resources

Module Inputs

Name Description Type Default Required
resource_group_name (Required): Name of the resource group where resources should be deployed. string n/a yes
location (Required): Region / Location where Azure DNS Resolver should be deployed string n/a yes
dns_resolver_name (Required): Name of the Azure DNS Private Resolver string n/a yes
virtual_network_id (Required): ID of the associated virtual network string n/a yes
dns_resolver_inbound_endpoints (Optional): Set of Azure Private DNS resolver Inbound Endpoints
set(object({
inbound_endpoint_name = string
inbound_subnet_id = string
}))
[] no
dns_resolver_outbound_endpoints (Optional): Set of Azure Private DNS resolver Outbound Endpoints with one or more Forwarding Rule sets
set(object({
outbound_endpoint_name = string
outbound_subnet_id = string
forwarding_rulesets = optional(set(object({
forwarding_ruleset_name = optional(string)
})))
}))
[] no
tags (Optional): Resource Tags map(string) {} no

Module Outputs

There is only one Output attribute, but it exports multiple information described in the value column down below.

To get the information needed for example to get the DNS Forwarding Rule Set id to be able to add dns forwarding rules seperatly you can use (Let's say that the module name is dns_resolver_weu, your outbound endpoint name is outbound and your rule set name is default-ruleset ): module.dns_resolver_weu.dns_resolver.dns_outbound_endpoints.outbound.dns_forwarding_rulesets.outbound-default-ruleset.ruleset_id will give you the ID of the dns forwarding rule set needed to add DNS forwarding rule into the forwarding rule set using azurerm_private_dns_resolver_forwarding_rule see Example below.

Name Description Value Sensitive
dns_resolver Multi value Output that includes all information needed to use values from the module.
{
"dns_inbound_endpoints": {
"inbound": {
"inbound_endpoint_id": "/subscriptions/01234567-abcd-efgh-ijkl-891011121314/resourceGroups/rg-dns-resolver-test-06076545238c8c77/providers/Microsoft.Network/dnsResolvers/test-private-dns-resolver/inboundEndpoints/inbound",
"inbound_endpoint_name": "inbound"
"inbound_endpoint_private_ip_address" : "10.1.0.4"
}
},
"dns_outbound_endpoints": {
"outbound": {
"dns_forwarding_rulesets": {
"outbound-default-ruleset": {
"ruleset_id": "/subscriptions/01234567-abcd-efgh-ijkl-891011121314/resourceGroups/rg-dns-resolver-test-06076545238c8c77/providers/Microsoft.Network/dnsForwardingRulesets/default-ruleset",
"ruleset_name": "default-ruleset"
}
},
"outbound_endpoint_id": "/subscriptions/01234567-abcd-efgh-ijkl-891011121314/resourceGroups/rg-dns-resolver-test-06076545238c8c77/providers/Microsoft.Network/dnsResolvers/test-private-dns-resolver/outboundEndpoints/outbound",
"outbound_endpoint_name": "outbound"
}
},
"dns_resolver_id": "/subscriptions/01234567-abcd-efgh-ijkl-891011121314/resourceGroups/rg-dns-resolver-test-06076545238c8c77/providers/Microsoft.Network/dnsResolvers/test-private-dns-resolver"
}
no

Example Usage

Example 1

Creating Azure Private DNS Resolver, Inbound & Outbound Endpoint plus DNS Forwarding Rule set. For this example the pre-requisites of Resource Group, Virtual Network, 1x Inbound Subnet, and 1x Outbound subnet have already been declared in the code, and is not included in the example, to create the resouces needed for this example checkout my other module on creating Virtual Network and Subnets: terraform-azurerm-network

#..omitted

module "dns_private_resolver" {
  source              = "github.com/haflidif/terraform-azurerm-dns-private-resolver"
  resource_group_name = azurerm_resource_group.dns_resolver.name
  location            = azurerm_resource_group.dns_resolver.location
  dns_resolver_name   = "test-private-dns-resolver"
  virtual_network_id  = azurerm_virtual_network.vnet.id
  tags = {
    Configuration = "Terraform"
  }

  dns_resolver_inbound_endpoints = [
    # There is currently only support for two Inbound endpoints per Private Resolver.
    {
      inbound_endpoint_name = "inbound"
      inbound_subnet_id     = azurerm_subnet.inbound.id
    }
  ]

  dns_resolver_outbound_endpoints = [
    # There is currently only support for two Outbound endpoints per Private Resolver.
    {
      outbound_endpoint_name = "outbound"
      outbound_subnet_id     = azurerm_subnet.outbound.id 
      forwarding_rulesets = [
        # There is currently only support for two DNS forwarding rulesets per outbound endpoint.
        {
          forwarding_ruleset_name = "default-ruleset"
        }
      ]
    }
  ]
}

Example 2

In this example we are going to use the module output for the DNS Forwarding Rule set created in Example 1 to add a DNS Forwarding rule to the rule set outside of the module using azurerm_private_dns_resolver_forwarding_rule each ruleset can have up to 25 rules see restrictions

Each rule includes one or more target DNS Servers divided by block as seen below.

#..omitted

resource "azurerm_private_dns_resolver_forwarding_rule" "corp_mycompany_com" {
  name                      = "corp_mycompany_com" # 
  dns_forwarding_ruleset_id = module.dns_private_resolver.dns_resolver.dns_outbound_endpoints.outbound.dns_forwarding_rulesets.default-ruleset.ruleset_id
  domain_name               = "corp.mycompany.com." # Domain name supports 2-34 lables and must end with a dot (period) for example corp.mycompany.com. has three lables.
  enabled                   = true
  target_dns_servers {
    ip_address = "10.0.0.3"
    port       = 53
  }
  target_dns_servers {
    ip_address = "10.0.0.4"
    port       = 53
  }
}

Example 3

In this example we are going to use the inbound endpoint private ip address module output from the private dns resolver created in Example 1 to assign the private ip address to a custom dns servers on virtual network, you can either use the inline dns_server list in azurerm_virtual_network or the individual resource azurerm_virtual_network_dns_servers but keep in mind, that the DNS servers can't be configured inline and on the individual resource for the same virtual network, as they will conflict with each other.

#..omitted

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  location            = azurerm_resource_group.dns_resolver.location
  resource_group_name = azurerm_resource_group.dns_resolver.name
  address_space       = ["10.0.0.0/16"]
  dns_servers         = [module.dns_private_resolver.dns_resolver.dns_inbound_endpoints.inbound.inbound_endpoint_private_ip_address]
}

Authors

Originally created by Haflidi Fridthjofsson

Other Resouces