# ----------------------------------------------------------------------------- # DNS Zone and A Record (conditional — only when domain_name is set) # ----------------------------------------------------------------------------- resource "oci_dns_zone" "main" { count = var.domain_name != "" ? 1 : 0 compartment_id = var.compartment_ocid name = var.domain_name zone_type = "PRIMARY" freeform_tags = var.freeform_tags } resource "oci_dns_rrset" "a_record" { count = var.domain_name != "" ? 1 : 0 zone_name_or_id = oci_dns_zone.main[0].id domain = var.domain_name rtype = "A" compartment_id = var.compartment_ocid items { domain = var.domain_name rtype = "A" rdata = oci_load_balancer_load_balancer.main.ip_address_details[0].ip_address ttl = 300 } } # TODO: Add OCI Certificates Service integration for Let's Encrypt when domain # is validated. This requires: # 1. oci_certificates_management_certificate_authority (subordinate CA) # 2. oci_certificates_management_certificate with ISSUED_BY_INTERNAL_CA config # 3. DNS-01 challenge validation via the OCI DNS zone above # 4. Update LB listener SSL config to use the managed certificate # For now, the self-signed cert is used even when a domain is configured. # After DNS propagation, you can manually configure Let's Encrypt via certbot # or the OCI Certificates Service console.