feat: Unified private dns zone handling (#3601)

mamari90 · web-flow · commit 67757d526e7a · 2026-01-26T14:56:54.000+01:00
unified private dns zone handling
diff --git a/src/core-itn/00_dns_private.tf b/src/core-itn/00_dns_private.tf
@@ -69,7 +69,6 @@ data "azurerm_private_dns_zone" "privatelink_table_cosmos_azure_com" {
 }
 
 data "azurerm_private_dns_zone" "privatelink_postgres_azure_com" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = "private.postgres.database.azure.com"
   resource_group_name = "pagopa-${var.env_short}-vnet-rg"
 }
diff --git a/src/core-itn/02_dns_private_link.tf b/src/core-itn/02_dns_private_link.tf
@@ -116,14 +116,18 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_table_cosm
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_azure_com_vnet_link" {
-  count                 = var.env_short != "d" ? 1 : 0
   name                  = module.vnet_italy[0].name
-  private_dns_zone_name = data.azurerm_private_dns_zone.privatelink_postgres_azure_com[0].name
-  resource_group_name   = data.azurerm_private_dns_zone.privatelink_postgres_azure_com[0].resource_group_name
+  private_dns_zone_name = data.azurerm_private_dns_zone.privatelink_postgres_azure_com.name
+  resource_group_name   = data.azurerm_private_dns_zone.privatelink_postgres_azure_com.resource_group_name
   virtual_network_id    = module.vnet_italy[0].id
   tags                  = module.tag_config.tags
 }
 
+moved {
+  from = azurerm_private_dns_zone_virtual_network_link.privatelink_postgres_azure_com_vnet_link[0]
+  to   = azurerm_private_dns_zone_virtual_network_link.privatelink_postgres_azure_com_vnet_link
+}
+
 
 # cstar integration vnet links
 
diff --git a/src/db-security/00_data.tf b/src/db-security/00_data.tf
@@ -48,7 +48,6 @@ data "azurerm_log_analytics_workspace" "log_analytics_italy" {
 
 
 data "azurerm_private_dns_zone" "postgres" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = "private.postgres.database.azure.com"
   resource_group_name = data.azurerm_resource_group.rg_vnet_core.name
 }
diff --git a/src/db-security/02_metabase_db.tf b/src/db-security/02_metabase_db.tf
@@ -33,7 +33,7 @@ module "metabase_postgres_db" {
   resource_group_name = azurerm_resource_group.metabase_rg.name
 
 
-  private_dns_zone_id = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id = module.postgres_flexible_snet.id
 
   administrator_login    = module.secret_core_itn.values["metabase-db-admin-login"].value
diff --git a/src/domains/apiconfig-common/01_network.tf b/src/domains/apiconfig-common/01_network.tf
@@ -38,15 +38,4 @@ data "azurerm_resource_group" "rg_vnet" {
   name = local.vnet_resource_group_name
 }
 
-data "azurerm_private_dns_zone" "postgres" {
-  count               = var.env_short != "d" ? 1 : 0
-  name                = "private.postgres.database.azure.com"
-  resource_group_name = data.azurerm_resource_group.rg_vnet.name
-}
-
 
-data "azurerm_private_dns_zone" "storage" {
-  count               = var.env_short != "d" ? 1 : 0
-  name                = local.storage_dns_zone_name
-  resource_group_name = local.storage_dns_zone_resource_group_name
-}
diff --git a/src/domains/apiconfig-common/README.md b/src/domains/apiconfig-common/README.md
@@ -56,8 +56,6 @@
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_private_dns_zone.cosmos](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
-| [azurerm_private_dns_zone.postgres](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
-| [azurerm_private_dns_zone.storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_redis_cache.redis_cache](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/redis_cache) | data source |
 | [azurerm_resource_group.api_config_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
diff --git a/src/domains/cruscotto-common/00_network.tf b/src/domains/cruscotto-common/00_network.tf
@@ -40,7 +40,6 @@ data "azurerm_resource_group" "rg_event_private_dns_zone" {
 }
 
 data "azurerm_private_dns_zone" "postgres" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = "private.postgres.database.azure.com"
   resource_group_name = data.azurerm_resource_group.rg_vnet.name
-}
+}
diff --git a/src/domains/cruscotto-common/03_postgresql.tf b/src/domains/cruscotto-common/03_postgresql.tf
@@ -39,7 +39,7 @@ module "postgres_flexible_server_crus8" {
   idh_resource = var.pgres_flex_params.idh_resource
   prefix       = var.prefix
 
-  private_dns_zone_id = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id = module.postgres_flexible_snet.id
 
   administrator_login    = data.azurerm_key_vault_secret.pgres_flex_admin_login.value
diff --git a/src/domains/fdr-common/01_network.tf b/src/domains/fdr-common/01_network.tf
@@ -29,7 +29,6 @@ data "azurerm_subnet" "aks_subnet" {
 }
 
 data "azurerm_private_dns_zone" "postgres" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = "private.postgres.database.azure.com"
   resource_group_name = data.azurerm_resource_group.rg_vnet.name
 }
diff --git a/src/domains/fdr-common/03_postgresql.tf b/src/domains/fdr-common/03_postgresql.tf
@@ -44,7 +44,7 @@ module "postgres_flexible_server_fdr" {
   resource_group_name = azurerm_resource_group.db_rg.name
 
   private_endpoint_enabled      = var.pgres_flex_params.pgres_flex_private_endpoint_enabled
-  private_dns_zone_id           = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id           = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id           = module.postgres_flexible_snet.id
   public_network_access_enabled = var.pgres_flex_params.public_network_access_enabled
 
diff --git a/src/domains/fdr-common/03_postgresql_replica.tf b/src/domains/fdr-common/03_postgresql_replica.tf
@@ -30,7 +30,7 @@ module "postgresql_fdr_replica_itn_db" {
   resource_group_name = azurerm_resource_group.db_rg.name
   location            = var.location_replica
 
-  private_dns_zone_id      = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id      = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id      = module.postgres_flexible_snet_itn_replica[0].id
   private_endpoint_enabled = var.pgres_flex_params.pgres_flex_private_endpoint_enabled
 
diff --git a/src/domains/gps-common/03_postgresql_gpd_db.tf b/src/domains/gps-common/03_postgresql_gpd_db.tf
@@ -47,7 +47,6 @@ module "postgres_flexible_snet" {
 }
 
 data "azurerm_private_dns_zone" "postgres" {
-  count               = var.env_short != "d" ? 1 : 0 # forced ( before exits only in UAT and PROD now DEV too)
   name                = "private.postgres.database.azure.com"
   resource_group_name = local.vnet_resource_group_name
 }
@@ -65,7 +64,7 @@ module "postgres_flexible_server_private_db" {
 
   ### Network
   private_endpoint_enabled      = var.pgres_flex_params.private_endpoint_enabled
-  private_dns_zone_id           = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id           = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id           = module.postgres_flexible_snet[0].id
   public_network_access_enabled = var.pgres_flex_params.public_network_access_enabled
 
@@ -196,4 +195,4 @@ resource "azurerm_portal_dashboard" "debt_position_postgresql_dashboard" {
       }
     )
   )
-}
+}
diff --git a/src/domains/gps-common/03_postgresql_replica.tf b/src/domains/gps-common/03_postgresql_replica.tf
@@ -31,7 +31,7 @@ module "postgresql_gpd_itn_replica_db" {
   resource_group_name = azurerm_resource_group.flex_data[0].name
   location            = var.location_replica
 
-  private_dns_zone_id      = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id      = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id      = module.postgres_flexible_itn_snet_replica[0].id
   private_endpoint_enabled = var.pgres_flex_params.private_endpoint_enabled
 
diff --git a/src/domains/nodo-common/01_network.tf b/src/domains/nodo-common/01_network.tf
@@ -33,14 +33,12 @@ data "azurerm_subnet" "aks_subnet" {
 }
 
 data "azurerm_private_dns_zone" "postgres" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = "private.postgres.database.azure.com"
   resource_group_name = data.azurerm_resource_group.rg_vnet.name
 }
 
 
 data "azurerm_private_dns_zone" "storage" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = local.storage_dns_zone_name
   resource_group_name = local.storage_dns_zone_resource_group_name
 }
diff --git a/src/domains/nodo-common/03_postgresql.tf b/src/domains/nodo-common/03_postgresql.tf
@@ -43,7 +43,7 @@ module "postgres_flexible_server" {
   resource_group_name = azurerm_resource_group.db_rg.name
 
   private_endpoint_enabled    = var.pgres_flex_params.pgres_flex_private_endpoint_enabled
-  private_dns_zone_id         = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id         = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id         = var.env_short != "d" ? module.postgres_flexible_snet.id : null
   high_availability_enabled   = var.pgres_flex_params.pgres_flex_ha_enabled
   standby_availability_zone   = var.env_short != "d" ? var.pgres_flex_params.standby_ha_zone : null
diff --git a/src/domains/nodo-common/03_postgresql_replica.tf b/src/domains/nodo-common/03_postgresql_replica.tf
@@ -33,7 +33,7 @@ module "postgresql_nodo_replica_itn_db" {
   resource_group_name = azurerm_resource_group.db_rg.name
   location            = var.location_replica
 
-  private_dns_zone_id      = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id      = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id      = module.postgres_flexible_snet_replica_itn[0].id
   private_endpoint_enabled = var.pgres_flex_params.pgres_flex_private_endpoint_enabled
 
diff --git a/src/domains/nodo-common/03_postgresql_storico.tf b/src/domains/nodo-common/03_postgresql_storico.tf
@@ -36,7 +36,7 @@ module "postgres_storico_flexible_server" {
   resource_group_name = azurerm_resource_group.db_rg.name
 
   private_endpoint_enabled    = var.pgres_flex_storico_params.pgres_flex_private_endpoint_enabled
-  private_dns_zone_id         = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres[0].id : null
+  private_dns_zone_id         = var.env_short != "d" ? data.azurerm_private_dns_zone.postgres.id : null
   delegated_subnet_id         = var.env_short != "d" ? module.postgres_storico_flexible_snet.id : null
   high_availability_enabled   = var.pgres_flex_storico_params.pgres_flex_ha_enabled
   standby_availability_zone   = var.env_short != "d" ? var.pgres_flex_storico_params.standby_ha_zone : null
diff --git a/src/domains/nodo-common/07_sftp.tf b/src/domains/nodo-common/07_sftp.tf
@@ -60,7 +60,7 @@ resource "azurerm_private_endpoint" "sftp_blob" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.storage[0].id]
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.storage.id]
   }
 
   tags = module.tag_config.tags
diff --git a/src/network/00_dns_private.tf b/src/network/00_dns_private.tf
@@ -69,7 +69,6 @@ data "azurerm_private_dns_zone" "privatelink_table_cosmos_azure_com" {
 }
 
 data "azurerm_private_dns_zone" "privatelink_postgres_azure_com" {
-  count               = var.env_short != "d" ? 1 : 0
   name                = "private.postgres.database.azure.com"
   resource_group_name = "pagopa-${var.env_short}-vnet-rg"
 }
diff --git a/src/network/04_dns_private_link.tf b/src/network/04_dns_private_link.tf
@@ -126,10 +126,10 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_table_cosm
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_azure_com_vnet_link" {
-  for_each              = var.env_short != "d" ? local.hub_spoke_vnet : {}
+  for_each              = local.hub_spoke_vnet
   name                  = module.vnet_hub_spoke[each.key].name
   virtual_network_id    = module.vnet_hub_spoke[each.key].id
-  private_dns_zone_name = data.azurerm_private_dns_zone.privatelink_postgres_azure_com[0].name
-  resource_group_name   = data.azurerm_private_dns_zone.privatelink_postgres_azure_com[0].resource_group_name
+  private_dns_zone_name = data.azurerm_private_dns_zone.privatelink_postgres_azure_com.name
+  resource_group_name   = data.azurerm_private_dns_zone.privatelink_postgres_azure_com.resource_group_name
   tags                  = module.tag_config.tags
 }
diff --git a/src/next-core/01_dns_private.tf b/src/next-core/01_dns_private.tf
@@ -186,21 +186,27 @@ resource "azurerm_private_dns_zone_virtual_network_link" "platform_vnetlink_vnet
 ### 🔮 Private DNS Zone for Postgres Databases
 
 resource "azurerm_private_dns_zone" "postgres" {
-  count = var.env_short != "d" ? 1 : 0
-
   name                = "private.postgres.database.azure.com"
   resource_group_name = azurerm_resource_group.rg_vnet.name
 }
 
-resource "azurerm_private_dns_zone_virtual_network_link" "postgres_vnet" {
-  count = var.env_short != "d" ? 1 : 0
+moved {
+  from = azurerm_private_dns_zone.postgres[0]
+  to   = azurerm_private_dns_zone.postgres
+}
 
+resource "azurerm_private_dns_zone_virtual_network_link" "postgres_vnet" {
   name                  = module.vnet.name
   resource_group_name   = azurerm_resource_group.rg_vnet.name
-  private_dns_zone_name = azurerm_private_dns_zone.postgres[0].name
+  private_dns_zone_name = azurerm_private_dns_zone.postgres.name
   virtual_network_id    = module.vnet.id
 }
 
+moved {
+  from = azurerm_private_dns_zone_virtual_network_link.postgres_vnet[0]
+  to   = azurerm_private_dns_zone_virtual_network_link.postgres_vnet
+}
+
 ### 🔮 Private DNS Zone for ACR azure container registry
 
 resource "azurerm_private_dns_zone" "privatelink_azurecr_pagopa" {
diff --git a/src/next-core/01_network_dns_private.tf b/src/next-core/01_network_dns_private.tf
@@ -1,21 +1,28 @@
 # db dns
 
 resource "azurerm_private_dns_zone" "private_db_dns_zone" {
-  count               = var.is_feature_enabled.postgres_private_dns ? 1 : 0
   name                = "${var.env_short}.internal.postgresql.pagopa.it"
   resource_group_name = azurerm_resource_group.rg_vnet.name
 
   tags = module.tag_config.tags
 }
 
-resource "azurerm_private_dns_zone_virtual_network_link" "private_db_zone_to_core_vnet" {
-  count = var.is_feature_enabled.postgres_private_dns ? 1 : 0
+moved {
+  from = azurerm_private_dns_zone.private_db_dns_zone[0]
+  to   = azurerm_private_dns_zone.private_db_dns_zone
+}
 
+resource "azurerm_private_dns_zone_virtual_network_link" "private_db_zone_to_core_vnet" {
   name                  = module.vnet.name
   resource_group_name   = azurerm_resource_group.rg_vnet.name
-  private_dns_zone_name = azurerm_private_dns_zone.private_db_dns_zone[0].name
+  private_dns_zone_name = azurerm_private_dns_zone.private_db_dns_zone.name
   virtual_network_id    = module.vnet.id
   registration_enabled  = false
 
   tags = module.tag_config.tags
 }
+
+moved {
+  from = azurerm_private_dns_zone_virtual_network_link.private_db_zone_to_core_vnet[0]
+  to   = azurerm_private_dns_zone_virtual_network_link.private_db_zone_to_core_vnet
+}
diff --git a/src/next-core/99_variables.tf b/src/next-core/99_variables.tf
@@ -198,30 +198,6 @@ variable "dns_a_reconds_dbnodonexipostgres_prf_ips" {
   default     = []
 }
 
-variable "dns_a_reconds_dbnodonexipostgres_prf_balancer_1_ips" {
-  type        = list(string)
-  description = "IPs address of DB Nodo PostgreSQL Nexi"
-  default     = []
-}
-
-variable "dns_a_reconds_dbnodonexipostgres_prf_balancer_2_ips" {
-  type        = list(string)
-  description = "IPs address of DB Nodo PostgreSQL Nexi"
-  default     = []
-}
-
-variable "dns_a_reconds_dbnodonexipostgres_balancer_1_ips" {
-  type        = list(string)
-  description = "IPs address of DB Nodo PostgreSQL Nexi"
-  default     = []
-}
-
-variable "dns_a_reconds_dbnodonexipostgres_balancer_2_ips" {
-  type        = list(string)
-  description = "IPs address of DB Nodo PostgreSQL Nexi"
-  default     = []
-}
-
 #
 # dns forwarder
 #
@@ -464,12 +440,6 @@ variable "upload_endpoint_enabled" {
   default     = true
 }
 
-variable "app_gateway_prf_certificate_name" {
-  type        = string
-  description = "Application gateway api certificate name on Key Vault"
-  default     = ""
-}
-
 variable "app_gateway_portal_certificate_name" {
   type        = string
   description = "Application gateway developer portal certificate name on Key Vault"
@@ -812,7 +782,6 @@ variable "is_feature_enabled" {
     node_forwarder_ha_enabled = bool
     vpn                       = optional(bool, false)
     dns_forwarder_lb          = optional(bool, false)
-    postgres_private_dns      = bool
     azdoa                     = optional(bool, true)
     apim_core_import          = optional(bool, false)
     use_new_apim              = optional(bool, false)
diff --git a/src/next-core/README.md b/src/next-core/README.md
diff --git a/src/next-core/env/dev/terraform.tfvars b/src/next-core/env/dev/terraform.tfvars
diff --git a/src/next-core/env/prod/terraform.tfvars b/src/next-core/env/prod/terraform.tfvars
diff --git a/src/next-core/env/uat/terraform.tfvars b/src/next-core/env/uat/terraform.tfvars

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,6 @@ data "azurerm_private_dns_zone" "privatelink_table_cosmos_azure_com" {`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`data "azurerm_private_dns_zone" "privatelink_postgres_azure_com" {`
`72`		`- count = var.env_short != "d" ? 1 : 0`
`73`	`72`	`name = "private.postgres.database.azure.com"`
`74`	`73`	`resource_group_name = "pagopa-${var.env_short}-vnet-rg"`
`75`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,6 @@ data "azurerm_log_analytics_workspace" "log_analytics_italy" {`
`48`	`48`
`49`	`49`
`50`	`50`	`data "azurerm_private_dns_zone" "postgres" {`
`51`		`- count = var.env_short != "d" ? 1 : 0`
`52`	`51`	`name = "private.postgres.database.azure.com"`
`53`	`52`	`resource_group_name = data.azurerm_resource_group.rg_vnet_core.name`
`54`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,6 @@ data "azurerm_resource_group" "rg_event_private_dns_zone" {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`data "azurerm_private_dns_zone" "postgres" {`
`43`		`- count = var.env_short != "d" ? 1 : 0`
`44`	`43`	`name = "private.postgres.database.azure.com"`
`45`	`44`	`resource_group_name = data.azurerm_resource_group.rg_vnet.name`
`46`		`-}`
	`45`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,6 @@ data "azurerm_subnet" "aks_subnet" {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`data "azurerm_private_dns_zone" "postgres" {`
`32`		`- count = var.env_short != "d" ? 1 : 0`
`33`	`32`	`name = "private.postgres.database.azure.com"`
`34`	`33`	`resource_group_name = data.azurerm_resource_group.rg_vnet.name`
`35`	`34`	`}`