fix: accept private_dns_zone_id from the Bleu national partner cloud (#758)

lonegunmanb · benmille · Copilot · web-flow · commit 0f8086c5a03f · 2026-04-23T13:46:36.000+08:00
* fix: accept private_dns_zone_id from the Bleu national partner cloud * fix: use RFC-compliant DNS label pattern for private_dns_zone_id validation Replace the broad [a-z0-9.\-]+ suffix pattern from PR #748 with a stricter RFC 952/1123 DNS label pattern that correctly rejects: - trailing dots (e.g. privatelink.eastus.azmk8s.io.) - consecutive dots (e.g. privatelink.eastus.azmk8s..io) - leading/trailing hyphens in labels (e.g. -foo, foo-) - single-hyphen labels (e.g. -) The new pattern [a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+ enforces that each DNS label starts and ends with alphanumeric characters, while still accepting all valid cloud suffixes (azmk8s.io, cx.prod-aks.sovcloud-api.fr, etc.). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: benmille <benmille@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/locals.tf b/locals.tf
@@ -68,9 +68,9 @@ locals {
   use_brown_field_gw_for_ingress = var.brown_field_application_gateway_for_ingress != null
   use_green_field_gw_for_ingress = var.green_field_application_gateway_for_ingress != null
   valid_private_dns_zone_regexs = [
-    "private\\.[a-z0-9]+\\.azmk8s\\.io",
-    "privatelink\\.[a-z0-9]+\\.azmk8s\\.io",
-    "[a-zA-Z0-9\\-]{1,32}\\.private\\.[a-z0-9]+\\.azmk8s\\.io",
-    "[a-zA-Z0-9\\-]{1,32}\\.privatelink\\.[a-z0-9]+\\.azmk8s\\.io",
+    "private\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+",
+    "privatelink\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+",
+    "[a-zA-Z0-9\\-]{1,32}\\.private\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+",
+    "[a-zA-Z0-9\\-]{1,32}\\.privatelink\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+",
   ]
 }
diff --git a/main.tf b/main.tf
@@ -730,7 +730,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
     precondition {
       condition     = (var.private_dns_zone_id == null || var.private_dns_zone_id == "None" || var.private_dns_zone_id == "System") ? true : (anytrue([for r in local.valid_private_dns_zone_regexs : try(regex(r, local.private_dns_zone_name) == local.private_dns_zone_name, false)]))
-      error_message = "The private_dns_zone_id must be either null, \"None\", \"System\", or a valid private DNS zone resource ID. Valid DNS zone formats are: `privatelink.<region>.azmk8s.io`, `<subzone>.privatelink.<region>.azmk8s.io`, `private.<region>.azmk8s.io`, `<subzone>.private.<region>.azmk8s.io`"
+      error_message = "The private_dns_zone_id must be either null, \"None\", \"System\", or a valid private DNS zone resource ID. Valid DNS zone formats are: `private.<region>.<cloud-suffix>`, `privatelink.<region>.<cloud-suffix>`, `<subzone>.private.<region>.<cloud-suffix>`, or `<subzone>.privatelink.<region>.<cloud-suffix>`. Azure validates the exact cloud-specific suffix server-side."
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -68,9 +68,9 @@ locals {`
`68`	`68`	`use_brown_field_gw_for_ingress = var.brown_field_application_gateway_for_ingress != null`
`69`	`69`	`use_green_field_gw_for_ingress = var.green_field_application_gateway_for_ingress != null`
`70`	`70`	`valid_private_dns_zone_regexs = [`
`71`		`- "private\\.[a-z0-9]+\\.azmk8s\\.io",`
`72`		`- "privatelink\\.[a-z0-9]+\\.azmk8s\\.io",`
`73`		`- "[a-zA-Z0-9\\-]{1,32}\\.private\\.[a-z0-9]+\\.azmk8s\\.io",`
`74`		`- "[a-zA-Z0-9\\-]{1,32}\\.privatelink\\.[a-z0-9]+\\.azmk8s\\.io",`
	`71`	`+ "private\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?)+",`
	`72`	`+ "privatelink\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?)+",`
	`73`	`+ "[a-zA-Z0-9\\-]{1,32}\\.private\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?)+",`
	`74`	`+ "[a-zA-Z0-9\\-]{1,32}\\.privatelink\\.[a-z0-9]+\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-][a-z0-9])?)+",`
`75`	`75`	`]`
`76`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -730,7 +730,7 @@ resource "azurerm_kubernetes_cluster" "main" {`
`730`	`730`	`}`
`731`	`731`	`precondition {`
`732`	`732`	`condition = (var.private_dns_zone_id == null \|\| var.private_dns_zone_id == "None" \|\| var.private_dns_zone_id == "System") ? true : (anytrue([for r in local.valid_private_dns_zone_regexs : try(regex(r, local.private_dns_zone_name) == local.private_dns_zone_name, false)]))`
`733`		- error_message = "The private_dns_zone_id must be either null, \"None\", \"System\", or a valid private DNS zone resource ID. Valid DNS zone formats are: `privatelink.<region>.azmk8s.io`, `<subzone>.privatelink.<region>.azmk8s.io`, `private.<region>.azmk8s.io`, `<subzone>.private.<region>.azmk8s.io`"
	`733`	+ error_message = "The private_dns_zone_id must be either null, \"None\", \"System\", or a valid private DNS zone resource ID. Valid DNS zone formats are: `private.<region>.<cloud-suffix>`, `privatelink.<region>.<cloud-suffix>`, `<subzone>.private.<region>.<cloud-suffix>`, or `<subzone>.privatelink.<region>.<cloud-suffix>`. Azure validates the exact cloud-specific suffix server-side."
`734`	`734`	`}`
`735`	`735`	`}`
`736`	`736`	`}`