From 3e89787f63848c9a22037dacaa54716b33b5b518 Mon Sep 17 00:00:00 2001
From: John Ake
Date: Wed, 8 Nov 2023 11:12:33 +0000
Subject: [PATCH] Allow apex domains from multiple zones
We want to use frontdoor for multiple dns zones with each one having its own apex. Update the apex condition to allow apex, apex...
---
 domains/environment_domains/dns.tf | 9 +++++----
 domains/environment_domains/front_door.tf | 2 +-
 domains/environment_domains/front_door_rules.tf | 2 +-
 domains/environment_domains/tfdocs.md | 2 +-
 domains/environment_domains/variables.tf | 6 +++++-
 5 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/domains/environment_domains/dns.tf b/domains/environment_domains/dns.tf
index 0f6a350..6a2177c 100644
--- a/domains/environment_domains/dns.tf
+++ b/domains/environment_domains/dns.tf
@@ -4,7 +4,7 @@ data "azurerm_dns_zone" "main" {
 }
 resource "azurerm_dns_txt_record" "main" {
- for_each = { for k in toset(var.domains) : k => k if k != "apex" }
+ for_each = { for k in toset(var.domains) : k => k if !startswith(k, "apex") }
 name = join(".", ["_dnsauth", "${each.key}"])
 zone_name = data.azurerm_dns_zone.main.name
 resource_group_name = var.resource_group_name
@@ -16,7 +16,7 @@ resource "azurerm_dns_txt_record" "main" {
 }
 resource "azurerm_dns_txt_record" "apex" {
- for_each = { for k in toset(var.domains) : k => k if k == "apex" }
+ for_each = { for k in toset(var.domains) : k => k if startswith(k, "apex") }
 name = "_dnsauth"
 zone_name = data.azurerm_dns_zone.main.name
 resource_group_name = var.resource_group_name
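Review bot: `startswith(k, "apex")` in the for_each filter is a prefix match, so any ordinary subdomain whose label merely begins with "apex" (a constructed example: `apexdemo`) is now silently treated as the zone apex — it disappears from this TXT resource and is picked up instead by the `apex` TXT record, the `@` A record and the front door custom domain with `host_name = var.zone`. The same predicate is repeated in the @@ -16 and @@ -27/-40 hunks of dns.tf, in front_door.tf and in front_door_rules.tf, so a tighter test should be written once, e.g. in a `locals` block as `is_apex = { for k in toset(var.domains) : k => can(regex("^apex[0-9]*$", k)) }` and consumed as `if !local.is_apex[k]` (or `local.is_apex[each.key]` in the host_name conditionals). The `^apex[0-9]*$` pattern is a guess at the intended convention — the commit description's list of accepted names is truncated in this rendering — so substitute whatever naming the team actually agreed.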
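Review bot: With the prefix test more than one entry of `var.domains` can satisfy the apex filter, and every such entry instantiates this resource with the fixed `name = "_dnsauth"` in the single zone the module reads (`data.azurerm_dns_zone.main`), so two apex-style entries in one module instance would mean two TXT records at the same name; the @@ -40 A record with `name = "@"` has the same exposure. Since the module takes a single `var.zone`, the "multiple zones" of the commit message presumably means one module instance per zone with exactly one apex entry each, and that assumption is better enforced at plan time than discovered at apply. A `validation` block on `var.domains` with `condition = length([for d in var.domains : d if startswith(d, "apex")]) <= 1` would do it.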
@@ -27,9 +27,10 @@ resource "azurerm_dns_txt_record" "apex" {
 }
 }
+# We create the CNAME record if it's not excluded and if it's not an apex
 resource "azurerm_dns_cname_record" "main" {
 depends_on = [azurerm_cdn_frontdoor_route.main]
- for_each = { for k in toset(var.domains) : k => k if !contains(concat(["apex"], var.exclude_cnames), k) }
+ for_each = { for k in toset(var.domains) : k => k if !contains(var.exclude_cnames, k) && !startswith(k, "apex") }
 name = each.key
 zone_name = data.azurerm_dns_zone.main.name
@@ -40,7 +41,7 @@ resource "azurerm_dns_cname_record" "main" {
 resource "azurerm_dns_a_record" "main" {
 depends_on = [azurerm_cdn_frontdoor_route.main]
- for_each = { for k in toset(var.domains) : k => k if k == "apex" }
+ for_each = { for k in toset(var.domains) : k => k if startswith(k, "apex") }
 name = "@"
 zone_name = data.azurerm_dns_zone.main.name
 resource_group_name = var.resource_group_name
diff --git a/domains/environment_domains/front_door.tf b/domains/environment_domains/front_door.tf
index 5d742eb..dcaac0e 100644
--- a/domains/environment_domains/front_door.tf
+++ b/domains/environment_domains/front_door.tf
@@ -36,7 +36,7 @@ resource "azurerm_cdn_frontdoor_custom_domain" "main" {
 name = replace(each.key, ".", "-")
 cdn_frontdoor_profile_id = data.azurerm_cdn_frontdoor_profile.main.id
 dns_zone_id = data.azurerm_dns_zone.main.id
- host_name = each.key == "apex" ? "${var.zone}" : "${each.key}.${var.zone}"
+ host_name = startswith(each.key, "apex") ? "${var.zone}" : "${each.key}.${var.zone}"
 tls {
 certificate_type = "ManagedCertificate"
 minimum_tls_version = "TLS12"
diff --git a/domains/environment_domains/front_door_rules.tf b/domains/environment_domains/front_door_rules.tf
index 4d7e934..2b3b7e3 100644
--- a/domains/environment_domains/front_door_rules.tf
+++ b/domains/environment_domains/front_door_rules.tf
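Review bot: In the front_door.tf hunk the custom domain's `name = replace(each.key, ".", "-")` and its `host_name` no longer correspond for apex-style keys — a key such as `apex2` (constructed example) yields a resource named `apex2` whose `host_name` is the bare `var.zone` — and nothing in the block says this is deliberate, so a reader will read it as a bug. A comment above the `host_name` line would prevent that: `# Any key starting with "apex" stands for the zone apex (host_name = var.zone); the key itself only has to be unique as a custom domain name.` Whether name uniqueness across zones sharing the front door profile is the reason for the suffixed apex convention is my inference from the commit message; confirm it before wording the comment that way. The enclosing resource block starts before and ends after this hunk.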
@@ -17,7 +17,7 @@ resource "azurerm_cdn_frontdoor_rule" "rule" {
 conditions {
 host_name_condition {
 operator = "Equal"
- match_values = [for d in [var.redirect_rules[count.index]["from-domain"]] : d == "apex" ? "${var.zone}" : "${d}.${var.zone}"]
+ match_values = [for d in [var.redirect_rules[count.index]["from-domain"]] : startswith(d, "apex") ? "${var.zone}" : "${d}.${var.zone}"]
 }
 }
diff --git a/domains/environment_domains/tfdocs.md b/domains/environment_domains/tfdocs.md
index b41bc05..b2b36a9 100644
--- a/domains/environment_domains/tfdocs.md
+++ b/domains/environment_domains/tfdocs.md
@@ -37,7 +37,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cached\_paths](#input\_cached\_paths) | List of path patterns such as /packs/* that front door will cache | `list(string)` | `[]` | no |
-| [domains](#input\_domains) | n/a | `any` | n/a | yes |
+| [domains](#input\_domains) | List of subdomains of the zone e.g. "staging". For apex domain use "apex" or "apex" if apex is already in use | `any` | n/a | yes |
 | [environment](#input\_environment) | n/a | `any` | n/a | yes |
 | [exclude\_cnames](#input\_exclude\_cnames) | Don't create the CNAME for this record from var.domains. We set this when we want to configure front door for a services domain that we are migrating so we do not need to wait for the certificate to validate and front door to propagate the configuration. | `list` | `[]` | no |
 | [front\_door\_name](#input\_front\_door\_name) | n/a | `any` | n/a | yes |
diff --git a/domains/environment_domains/variables.tf b/domains/environment_domains/variables.tf
index 6cef11b..b3da23e 100644
--- a/domains/environment_domains/variables.tf
+++ b/domains/environment_domains/variables.tf
@@ -1,7 +1,11 @@
 variable "zone" {}
 variable "front_door_name" {}
 variable "resource_group_name" {}
-variable "domains" {}
+variable "domains" {
+ description = <" if apex is already in use
+ EOF
+}
 variable "environment" {}
 variable "host_name" {
 default = "not-in-use.education.gov.uk"
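Review bot: `variable "domains"` gains a description but still has no `type` and no `validation`, although every consumer relies on the entries being strings (`toset(var.domains)`, `startswith(k, "apex")`) and feeds them unchanged into DNS record names and the front door custom domain name. Declaring `type = list(string)` and adding validation turns a bad entry into a plan-time error with a readable message instead of a provider failure on apply, and is also the natural place to pin the "at most one apex entry per module instance" rule implied by the module's single `var.zone`. The heredoc lines of the description are mangled in this rendering (the `<<` delimiter and part of the text are missing), so the fence keeps them as a placeholder; the character class in the first rule is a starting point and should be widened if existing zones already hold names outside it.
```hcl
variable "domains" {
  type = list(string)
  # … unchanged: description heredoc …

  validation {
    condition     = alltrue([for d in var.domains : can(regex("^[a-z0-9][a-z0-9.-]*$", d))])
    error_message = "Each entry in domains must be a lower-case DNS name relative to the zone (a-z, 0-9, '-', '.')."
  }

  validation {
    condition     = length([for d in var.domains : d if startswith(d, "apex")]) <= 1
    error_message = "At most one apex entry is allowed per module instance; the module manages a single DNS zone."
  }
}
```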