 
                    
                    
Module configures IAM permissions that allow Cert Manager to be integrated with the Azure DNS service for DNS-01 ACME challenges.
Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:
```shell
terraform login solutions.corewide.com
```
Initialize mandatory providers:
Copy and paste into your Terraform configuration and insert the variables:
```hcl
module "tf_k8s_cert_manager_dns_azure" {
  source  = "solutions.corewide.com/azure/tf-k8s-cert-manager-dns-azure/azurerm"
  version = "~> 1.0.0"

  # specify module inputs here or try one of the examples below
  # ...
}
```
Initialize the setup:
```shell
terraform init
```
The Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (`~>`) to prevent breaking changes during upgrades.

To get new features during upgrades (without breaking compatibility), use `~> 1.0` and run `terraform init -upgrade`.

For the safest setup, use strict pinning with `version = "1.0.0"`.
            
All notable changes to this project are documented here.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
First stable version
Setup with custom Cert Manager Kubernetes ServiceAccount name, namespace, tags, DNS zone ID fetched from tf-azure-dns module, OIDC provider URL fetched from the tf-azure-k8s-aks module and outputs passed to the tf-k8s-cert-manager module:
```hcl
module "aks" {
  source  = "solutions.corewide.com/azure/tf-azure-k8s-aks/azurerm"
  version = "~> 5.0"

  # ...
}

resource "azurerm_resource_group" "main" {
  name     = "foo"
  location = "westus2"
}

module "dns" {
  source  = "solutions.corewide.com/azure/tf-azure-dns/azurerm"
  version = "~> 1.0"

  resource_group_name = azurerm_resource_group.main.name
  create_zone         = true
  zone_name           = "example.com"

  records = {
    "@" = {
      type  = "A"
      ttl   = 300
      value = ["192.0.2.1"]
    }
  }
}

module "azure_cert_manager" {
  source  = "solutions.corewide.com/azure/tf-k8s-cert-manager-dns-azure/azurerm"
  version = "~> 1.0"

  name_suffix            = "foo"
  resource_group_name    = azurerm_resource_group.main.name
  region                 = azurerm_resource_group.main.location
  hosted_zone_name       = "example.com"
  hosted_zone_id         = module.dns.zone.id
  subscription_id        = "bar"
  oidc_provider_url      = module.aks.cluster.oidc_issuer_url
  cert_manager_namespace = "cert-manager-foo"
  cert_manager_sa_name   = "cert-manager-bar"

  tags = {
    env = "example"
  }
}

module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  acme_email             = "[email protected]"
  ingress_classes        = ["nginx"]
  dns_solver_config      = module.azure_cert_manager.issuer_spec
  service_account_labels = module.azure_cert_manager.service_account_label
  pod_labels             = module.azure_cert_manager.pod_label
}
```
Minimal setup with mandatory parameters, DNS zone ID fetched from tf-azure-dns module, OIDC provider URL fetched from the tf-azure-k8s-aks module and outputs passed to the tf-k8s-cert-manager module:
```hcl
module "aks" {
  source  = "solutions.corewide.com/azure/tf-azure-k8s-aks/azurerm"
  version = "~> 5.0"

  # ...
}

resource "azurerm_resource_group" "main" {
  name     = "foo"
  location = "westus2"
}

module "dns" {
  source  = "solutions.corewide.com/azure/tf-azure-dns/azurerm"
  version = "~> 1.0"

  resource_group_name = azurerm_resource_group.main.name
  create_zone         = true
  zone_name           = "example.com"

  records = {
    "@" = {
      type  = "A"
      ttl   = 300
      value = ["192.0.2.1"]
    }
  }
}

module "azure_cert_manager" {
  source  = "solutions.corewide.com/azure/tf-k8s-cert-manager-dns-azure/azurerm"
  version = "~> 1.0"

  resource_group_name = azurerm_resource_group.main.name
  region              = azurerm_resource_group.main.location
  hosted_zone_name    = "example.com"
  hosted_zone_id      = module.dns.zone.id
  subscription_id     = "bar"
  oidc_provider_url   = module.aks.cluster.oidc_issuer_url
}

module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  acme_email             = "[email protected]"
  ingress_classes        = ["nginx"]
  dns_solver_config      = module.azure_cert_manager.issuer_spec
  service_account_labels = module.azure_cert_manager.service_account_label
  pod_labels             = module.azure_cert_manager.pod_label
}
```
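For readers reviewing what access such an integration grants, the sketch below shows one common way to wire a Kubernetes ServiceAccount to Azure DNS with workload identity federation. It is an added example, not the module's source: it assumes the module follows the Azure Workload Identity pattern (which the `oidc_provider_url` input and the label outputs suggest), and every resource, variable and local name in it is hypothetical.

```hcl
# Illustrative sketch only: NOT the module's own code. All names are assumptions.
variable "oidc_issuer_url" { type = string } # AKS OIDC issuer URL
variable "dns_zone_id" { type = string }     # full resource ID of the DNS zone

locals {
  namespace = "cert-manager" # must match the namespace cert-manager runs in
  sa_name   = "cert-manager" # must match the controller's ServiceAccount
}

resource "azurerm_resource_group" "example" {
  name     = "foo"
  location = "westus2"
}

# Identity that the cert-manager controller assumes; it holds no secrets.
resource "azurerm_user_assigned_identity" "cert_manager" {
  name                = "cert-manager"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Trust only tokens issued by this cluster for this exact ServiceAccount.
resource "azurerm_federated_identity_credential" "cert_manager" {
  name                = "cert-manager"
  resource_group_name = azurerm_resource_group.example.name
  parent_id           = azurerm_user_assigned_identity.cert_manager.id
  issuer              = var.oidc_issuer_url
  audience            = ["api://AzureADTokenExchange"]
  subject             = "system:serviceaccount:${local.namespace}:${local.sa_name}"
}

# Least privilege: scope the role to the single DNS zone rather than the
# resource group or the subscription.
resource "azurerm_role_assignment" "dns" {
  scope                = var.dns_zone_id
  role_definition_name = "DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.cert_manager.principal_id
}
```

In this pattern the `subject` string is the whole trust boundary: if the namespace or ServiceAccount name configured here differs from the one cert-manager is actually deployed with, the token exchange is rejected and DNS-01 challenges fail.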
| Variable | Description | Type | Default | Required | Sensitive |
|---|---|---|---|---|---|
| hosted_zone_id | Azure DNS hosted zone ID | string | | yes | no |
| hosted_zone_name | Azure DNS hosted zone name | string | | yes | no |
| oidc_provider_url | OpenID Connect provider URL | string | | yes | no |
| region | Region of a Resource Group to create resources in | string | | yes | no |
| resource_group_name | Name of the Resource Group to create resources in | string | | yes | no |
| subscription_id | Azure Subscription ID to create resources in | string | | yes | no |
| cert_manager_namespace | Kubernetes namespace to configure RBAC for Cert Manager in | string | cert-manager | no | no |
| cert_manager_sa_name | Kubernetes Cert Manager's ServiceAccount name to configure RBAC for | string | cert-manager | no | no |
| name_suffix | Name suffix for RBAC resources to create | string | cert-manager | no | no |
| tags | Map of tags to assign to resources | map(string) | {} | no | no |

| Output | Description | Type | Sensitive |
|---|---|---|---|
| issuer_spec | Cert Manager parameters for Azure DNS DNS-01 ACME challenge provider | map | no |
| pod_label | Label to add to the Cert Manager controller's Pod | map | no |
| service_account_label | Label to add to the Cert Manager controller's ServiceAccount | map | no |

| Dependency | Version | Kind |
|---|---|---|
| terraform | >= 1.3 | CLI |
| hashicorp/azurerm | ~> 4.2 | provider |
 
         
         
         
         
        