Merge pull request #8 from SCT-Engineering/lb_cname

Lb cname
SCT-Engineering · Oct 17, 2024 · 640ece7 · 640ece7
2 parents 57397cd + 0594c99
commit 640ece7
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,15 @@
 # tfmod-eks-dns
 This module is designed to add DNS to an EKS cluster through the creation of the route53_zone for the cluster domain.
 
+As discussed in PR #7, the data items in the upstream module caused issues with planning. We don't need the heritage records from the aws-dns module either....
+digging deeper, it seems we haven't been using cname/alias records.  They are different than strict cnames -> https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
+
+the aws module docs have a note: `Exactly one of records or alias must be specified: this determines whether it's an alias record.`
+in my 15s of research, every place we have created lb cnames we used a cname record, and the module for cname records isn't using alias.
+
+There is a minor cost savings from this - alias record queries are not charged -> `Route 53 doesn't charge for alias queries to AWS resources. For more information, see [Amazon Route 53 Pricing](https://aws.amazon.com/route53/pricing/).`
+
+Additional information regarding comparison of alias and cname records -> https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html#resource-record-sets-choosing-alias-non-alias-comparison
 ## Changelog
 Change logs are auto-generated with commitizen.
 
@@ -25,14 +34,13 @@ Change logs are auto-generated with commitizen.
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_cname_cluster_domain"></a> [cname\_cluster\_domain](#module\_cname\_cluster\_domain) | git@github.e.it.census.gov:terraform-modules/aws-dns//cname | n/a |
+No modules.
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_route53_record.entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_vpc_association_authorization.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
@@ -48,7 +56,7 @@ Change logs are auto-generated with commitizen.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
-| <a name="input_istio_ingress_lb"></a> [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `string` | n/a | yes |
+| <a name="input_istio_ingress_lb"></a> [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `map(string)` | n/a | yes |
 | <a name="input_os_username"></a> [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS config region | `string` | `""` | no |
 | <a name="input_region_map"></a> [region\_map](#input\_region\_map) | AWS region map | `map(string)` | <pre>{<br>  "east": "us-gov-east-1",<br>  "west": "us-gov-west-1"<br>}</pre> | no |

diff --git a/dns-providers.tf b/dns-providers.tf
@@ -2,25 +2,28 @@
 # Providers for Cross Account DNS Action
 #-------------------------------------------------
 provider "aws" {
-  alias  = "route53_main_east"
-  region = var.region_map["east"]
+  alias   = "route53_main_east"
+  region  = var.region_map["east"]
+  profile = var.profile
   assume_role {
     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
     session_name = var.os_username
   }
 }
 
 provider "aws" {
-  alias  = "route53_main_west"
-  region = var.region_map["west"]
+  alias   = "route53_main_west"
+  region  = var.region_map["west"]
+  profile = var.profile
   assume_role {
     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
     session_name = var.os_username
   }
 }
 
 provider "aws" {
-  alias = "self"
+  alias   = "self"
+  profile = var.profile
   assume_role {
     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
     session_name = var.os_username

diff --git a/main.tf b/main.tf
@@ -1,8 +1,5 @@
 #-------------------------------------------------
 # DNS Zone for EKS
-#-------------------------------------------------
-
-#-------------------------------------------------
 # Locals
 #-------------------------------------------------
 
@@ -50,7 +47,7 @@ resource "aws_route53_vpc_association_authorization" "self_zone_east" {
   count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
 
   provider   = aws.self
-  vpc_id     = data.aws_vpc.eks_vpc.id
+  vpc_id     = var.route53_endpoints.route53_main["us-gov-east-1"]
   vpc_region = "us-gov-east-1"
   zone_id    = aws_route53_zone.cluster_domain.zone_id
 }
@@ -59,7 +56,7 @@ resource "aws_route53_zone_association" "self_zone_east" {
   count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
 
   provider   = aws.route53_main_east
-  vpc_id     = data.aws_vpc.eks_vpc.id
+  vpc_id     = var.route53_endpoints.route53_main["us-gov-east-1"]
   vpc_region = "us-gov-east-1"
   zone_id    = aws_route53_zone.cluster_domain.zone_id
 
@@ -73,7 +70,7 @@ resource "aws_route53_vpc_association_authorization" "self_zone_west" {
   count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
 
   provider   = aws.self
-  vpc_id     = data.aws_vpc.eks_vpc.id
+  vpc_id     = var.route53_endpoints.route53_main["us-gov-west-1"]
   vpc_region = "us-gov-west-1"
   zone_id    = aws_route53_zone.cluster_domain.zone_id
 }
@@ -82,7 +79,7 @@ resource "aws_route53_zone_association" "self_zone_west" {
   count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
 
   provider   = aws.route53_main_west
-  vpc_id     = data.aws_vpc.eks_vpc.id
+  vpc_id     = var.route53_endpoints.route53_main["us-gov-west-1"]
   vpc_region = "us-gov-west-1"
   zone_id    = aws_route53_zone.cluster_domain.zone_id
 
@@ -93,12 +90,14 @@ resource "aws_route53_zone_association" "self_zone_west" {
 # Cluster DNS CNAME MAPPED TO INGRESS NLB
 ###################################################################
 
-module "cname_cluster_domain" {
-  # tflint-ignore: terraform_module_pinned_source
-  source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+resource "aws_route53_record" "entry" {
+  zone_id = aws_route53_zone.cluster_domain.zone_id
+  name    = "*.${local.cluster_domain_name}"
+  type    = "A"
 
-  name            = format("*.%v", local.cluster_domain_name)
-  values          = [var.istio_ingress_lb]
-  zone            = aws_route53_zone.cluster_domain.name
-  enable_heritage = false
+  alias {
+    name                   = var.istio_ingress_lb.dns_name
+    zone_id                = var.istio_ingress_lb.zone_id
+    evaluate_target_health = true
+  }
 }
diff --git a/variables.tf b/variables.tf
@@ -49,7 +49,7 @@ variable "os_username" {
 
 variable "istio_ingress_lb" {
   description = "The istio ingress load balancer DNS."
-  type        = string
+  type        = map(string)
 }
 
 variable "region_map" {