diff --git a/infrastructure/commons/external_dns/README.md b/infrastructure/commons/external_dns/README.md
index 70106213..80b36cf9 100644
--- a/infrastructure/commons/external_dns/README.md
+++ b/infrastructure/commons/external_dns/README.md
@@ -171,7 +171,7 @@ resource "example_resource" "this" {
 | [oci\_zone\_scope](#input\_oci\_zone\_scope) | The scope of the DNS zones in OCI (GLOBAL or PRIVATE) | `string` | `"GLOBAL"` | no |
 | [oci\_zones\_cache\_duration](#input\_oci\_zones\_cache\_duration) | The duration to cache OCI DNS zones (e.g., '30s', '1m'). Set to '0s' to disable caching. | `string` | `"30s"` | no |
 | [policy](#input\_policy) | The policy to external dns manage the DNS records | `string` | `"sync"` | no |
-| [sources](#input\_sources) | Array contents the sources to external dns work | `list(string)` |
[| no | +| [sources](#input\_sources) | Array contents the sources to external dns work | `list(string)` |
"crd",
"gateway-httproute"
]
[| no |
 | [txt\_owner\_id](#input\_txt\_owner\_id) | The TXT owner ID used by ExternalDNS to identify DNS records it manages | `string` | `"external_dns"` | no |
 | [type](#input\_type) | Determines whether the external-dns deployment is public or private | `string` | `"public"` | no |
 | [zone\_id\_filter](#input\_zone\_id\_filter) | The Route53 public or private hosted zone ID for ExternalDNS to manage (required when dns\_provider\_name is 'aws') | `string` | `""` | no |
diff --git a/infrastructure/commons/external_dns/locals.tf b/infrastructure/commons/external_dns/locals.tf
index bcc0bb71..0bd7d99c 100644
--- a/infrastructure/commons/external_dns/locals.tf
+++ b/infrastructure/commons/external_dns/locals.tf
@@ -46,11 +46,6 @@ locals {
 apiGroups = ["externaldns.k8s.io"]
 resources = ["dnsendpoints"]
 verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
- },
- {
- apiGroups = ["gateway.networking.k8s.io"]
- resources = ["gateways", "httproutes"]
- verbs = ["get", "list", "watch"]
 }
 ]
 }
diff --git a/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl b/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl
index 1ce114f2..ed1b1ff5 100644
--- a/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl
+++ b/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl
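Review bot: The gateway.networking.k8s.io rule is removed unconditionally, but `variable "sources"` (the variables.tf hunk in this same commit) still accepts any list(string), so a caller who keeps passing `"gateway-httproute"` gets a deployment whose role no longer holds the gateways/httproutes read permissions that source needs, and the mismatch would presumably only surface as RBAC forbidden errors at runtime. Either gate the rule on the input, `contains(var.sources, "gateway-httproute") ? [ { … gateway rule … } ] : []` concatenated onto the list, or reject the value up front with a `validation` block on the variable: `condition = !contains(var.sources, "gateway-httproute")` and `error_message = "gateway-httproute requires gateway.networking.k8s.io RBAC that this module no longer grants"`. The list this hunk trims (presumably the `additionalPermissions` the new tests read) opens above the hunk, so the concat variant touches lines outside it.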
@@ -43,6 +43,37 @@ run "aws_zone_filtering_args" {
 }
 }
+run "default_sources_is_crd_only" {
+ command = plan
+
+ assert {
+ condition = length(local.base_config.sources) == 1 && local.base_config.sources[0] == "crd"
+ error_message = "Default sources should be crd-only (no gateway-httproute)"
+ }
+}
+
+run "rbac_has_no_gateway_permissions" {
+ command = plan
+
+ assert {
+ condition = length(local.route53_config.rbac.additionalPermissions) == 1
+ error_message = "RBAC should only grant the crd (dnsendpoints) permission"
+ }
+
+ assert {
+ condition = local.route53_config.rbac.additionalPermissions[0].apiGroups == ["externaldns.k8s.io"]
+ error_message = "The only additional RBAC permission should be for externaldns.k8s.io/dnsendpoints"
+ }
+
+ assert {
+ condition = !contains(
+ [for p in local.route53_config.rbac.additionalPermissions : p.apiGroups[0]],
+ "gateway.networking.k8s.io"
+ )
+ error_message = "RBAC must not include gateway.networking.k8s.io permissions after removing the gateway-httproute source"
+ }
+}
+
 run "no_cloudflare_secret_for_aws" {
 command = plan
diff --git a/infrastructure/commons/external_dns/variables.tf b/infrastructure/commons/external_dns/variables.tf
index 919a7aee..159e40d7 100644
--- a/infrastructure/commons/external_dns/variables.tf
+++ b/infrastructure/commons/external_dns/variables.tf
@@ -44,7 +44,7 @@ variable "policy" {
 variable "sources" {
 description = "Array contents the sources to external dns work"
 type = list(string)
- default = ["crd", "gateway-httproute"]
+ default = ["crd"]
 }
 variable "type" {
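Review bot: The third assert in `rbac_has_no_gateway_permissions` inspects only `p.apiGroups[0]`, so a rule that lists the gateway group in any later position would pass it, and a rule with an empty apiGroups list would make the index fail rather than the assertion. Flattening every group keeps the intent without either gap: `condition = !contains(flatten([for p in local.route53_config.rbac.additionalPermissions : p.apiGroups]), "gateway.networking.k8s.io")`. Since the first assert already pins the list length to 1, the second and third asserts mostly document intent, which is fine but deserves a one-line comment saying so. The hunk opens on the closing braces of `run "aws_zone_filtering_args"`, whose body starts outside it.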
"crd"
]