Given:
- DNS servers:
  - dns_prod_server
  - dns_dev_server
- gMSAs:
  - dns_prod_server - dns_prod_gmsa
  - dns_dev_server - dns_dev_gmsa
- Build servers:
  - dns_prod_build_server, running an Azure DevOps build service as dns_prod_gmsa
  - dns_dev_build_server, running an Azure DevOps build service as dns_dev_gmsa
So each build server is capable of running Azure DevOps pipelines that update the respective DNS server. And it works, because we do have such pipelines.
However, they are running ad hoc PowerShell code. I would like them to use Terraform instead.
So we have https://registry.terraform.io/providers/hashicorp/dns/latest/docs, but it is totally unclear to me how to instruct Terraform to authenticate against the DNS server. I do not have the gMSA password (that is the point of it, being an on-prem equivalent of the Azure Managed Identities). The DNS provider documentation mentions some keytab argument, but I doubt it even exists for a gMSA.
So my question is: how can we use Terraform to update DNS while using a gMSA to authenticate with the respective DNS server?
I am embarrassed to admit, but I was fast on the trigger yet again. The documentation does not actually require us to provide anything but the server in the update block. All the authentication properties are optional, and in the case of a gMSA it looks like they can be left out.
I am getting an error though, but it seems to indicate that our DNS server does not support dynamic DNS updates (RFC 2136):
Error: Error updating DNS record: 4 (NOTIMP)
I cannot be entirely sure, but I want to believe that authentication errors manifest themselves differently.
EDIT 1
In our particular case the DNS server does not support dynamic DNS updates and hence we cannot use this Terraform module.
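For reference, this is what the configuration described in the answer looks like: a provider block with only server set in update, and one A record resource. It is an added example and not code from the original post or from the hashicorp/dns project. The server name, zone, record name, address and the version constraint are assumptions. One caveat that matters if the target server does support RFC 2136: with no key_* properties and no gssapi block, the provider sends the update unsigned, so the gMSA identity of the build agent is not used at all. The gssapi block (realm required; username and password optional, in which case the current session's credentials are used, according to the provider documentation as I read it) is shown commented out as the variant to test for GSS-TSIG with a gMSA.

```hcl
# Added example: minimal hashicorp/dns provider configuration for RFC 2136 updates.
# Names, zone, address and version are assumptions, not values from the original post.
terraform {
  required_providers {
    dns = {
      source  = "hashicorp/dns"
      version = ">= 3.2.0" # assumption: the gssapi block needs a 3.x release
    }
  }
}

provider "dns" {
  update {
    # Only server is required. With nothing else set, the update message is
    # sent without any TSIG signature, i.e. unauthenticated.
    server = "dns_prod_server.example.com" # assumption

    # Optional TSIG authentication (static shared secret) - deliberately omitted here:
    # key_name      = "example.com."
    # key_algorithm = "hmac-sha256"
    # key_secret    = "..."

    # Optional GSS-TSIG (Kerberos) authentication - the variant to try for a gMSA.
    # With only realm set, the provider uses the credentials of the account running
    # terraform, which on the build server is the gMSA. Assumption to verify locally.
    # gssapi {
    #   realm = "EXAMPLE.COM"
    # }
  }
}

# A single A record in the zone the provider is allowed to update.
resource "dns_a_record_set" "www" {
  zone      = "example.com." # assumption; trailing dot is required
  name      = "www"          # assumption
  addresses = ["10.0.0.10"]  # assumption
  ttl       = 300
}
```

The NOTIMP (RCODE 4) reported in the answer is returned by the server for the UPDATE opcode itself and is independent of these settings, so no authentication option in this block will change that response; a server that implements RFC 2136 but rejects the unsigned request would typically answer with a REFUSED instead.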