From 39f4989f45196f477ba18d7260a263731f59dc18 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 16 Oct 2024 20:32:32 -0400 Subject: [PATCH 1/6] zone_id instead of name --- main.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 28076cb..b719ff3 100644 --- a/main.tf +++ b/main.tf @@ -1,8 +1,5 @@ #------------------------------------------------- # DNS Zone for EKS -#------------------------------------------------- - -#------------------------------------------------- # Locals #------------------------------------------------- @@ -99,6 +96,6 @@ module "cname_cluster_domain" { name = format("*.%v", local.cluster_domain_name) values = [var.istio_ingress_lb] - zone = aws_route53_zone.cluster_domain.name + zone = aws_route53_zone.cluster_domain.zone_id enable_heritage = false } From 18ad3f997cf8327437bda34e5a7c37cd61e3158c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 16 Oct 2024 23:54:58 -0400 Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=90=9B=20fix(dns):=20create=20alias?= =?UTF-8?q?=20record=20for=20lb?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 7 +++---- main.tf | 18 ++++++++++-------- variables.tf | 6 +++++- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index c4aead1..e0bbfcc 100644 --- a/README.md +++ b/README.md 
@@ -25,14 +25,13 @@ Change logs are auto-generated with commitizen. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [cname\_cluster\_domain](#module\_cname\_cluster\_domain) | git@github.e.it.census.gov:terraform-modules/aws-dns//cname | n/a | +No modules. ## Resources | Name | Type | |------|------| +| [aws_route53_record.entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_vpc_association_authorization.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | @@ -48,7 +47,7 @@ Change logs are auto-generated with commitizen. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | -| [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `string` | n/a | yes | +| [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `map(string)` |
{
"dns_name": "abc-123.elb.region.amazonaws.com",
"zone_id": "ZABC123455"
}
| no | | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [region](#input\_region) | AWS config region | `string` | `""` | no | | [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
}
| no | diff --git a/main.tf b/main.tf index b719ff3..c7eb1f2 100644 --- a/main.tf +++ b/main.tf @@ -90,12 +90,14 @@ resource "aws_route53_zone_association" "self_zone_west" { # Cluster DNS CNAME MAPPED TO INGRESS NLB ################################################################### -module "cname_cluster_domain" { - # tflint-ignore: terraform_module_pinned_source - source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname" - - name = format("*.%v", local.cluster_domain_name) - values = [var.istio_ingress_lb] - zone = aws_route53_zone.cluster_domain.zone_id - enable_heritage = false +resource "aws_route53_record" "entry" { + zone_id = aws_route53_zone.cluster_domain.zone_id + name = "*.${local.cluster_domain_name}" + type = "CNAME" + + alias { + name = var.istio_ingress_lb.dns_name + zone_id = var.istio_ingress_lb.zone_id + evaluate_target_health = true + } } diff --git a/variables.tf b/variables.tf index 576605a..a17a541 100644 --- a/variables.tf +++ b/variables.tf @@ -49,7 +49,11 @@ variable "os_username" { variable "istio_ingress_lb" { description = "The istio ingress load balancer DNS." - type = string + type = map(string) + default = { + dns_name = "abc-123.elb.region.amazonaws.com" + zone_id = "ZABC123455" + } } variable "region_map" { From 53cba9039ab96fb90a146dc65290852d8fa43c87 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Oct 2024 00:28:43 -0400 Subject: [PATCH 3/6] =?UTF-8?q?=F0=9F=93=9D=20docs(README):=20add=20notes?= =?UTF-8?q?=20about=20cname=20vs=20alias=20records?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index e0bbfcc..6b618d9 100644 --- a/README.md +++ b/README.md 
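Review bot: The banner comment kept as context above the new resource, `# Cluster DNS CNAME MAPPED TO INGRESS NLB`, no longer matches the code, which now creates a Route 53 alias record instead of the CNAME module it replaces; it should read `# Cluster DNS wildcard alias record mapped to ingress NLB`. A one-line comment on the `alias` block would also help a reader who only knows the old module, e.g. `# dns_name/zone_id describe the load balancer, not this hosted zone`. The comment block this banner belongs to starts before the hunk.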
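Review bot: `type = map(string)` on `istio_ingress_lb` does not tell Terraform that the `dns_name` and `zone_id` keys read in main.tf are mandatory, so a caller who passes a map with a missing or misspelled key is stopped only by a generic "key does not identify an element" error on the record resource rather than at the variable. Declaring the shape as `type = object({ dns_name = string, zone_id = string })` validates the input where it enters the module and leaves the attribute-style access in main.tf unchanged. The same `map(string)` type is retained when the placeholder default is removed in PATCH 5/6, so the point applies to that hunk as well. A `validation` block rejecting an empty `zone_id` would additionally catch a wrong alias target before Route 53 presumably rejects the change at apply.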
@@ -1,6 +1,15 @@ # tfmod-eks-dns This module is designed to add DNS to an EKS cluster through the creation of the route53_zone for the cluster domain. +As discussed in PR #7, the data items in the upstream module caused issues with planning. We don't need the heritage records from the aws-dns module either.... +digging deeper, it seems we haven't been using cname/alias records. They are different than strict cnames -> https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html + +the aws module docs have a note: `Exactly one of records or alias must be specified: this determines whether it's an alias record.` +in my 15s of research, every place we have created lb cnames we used a cname record, and the module for cname records isn't using alias. + +There is a minor cost savings from this - alias record queries are not charged -> `Route 53 doesn't charge for alias queries to AWS resources. For more information, see [Amazon Route 53 Pricing](https://aws.amazon.com/route53/pricing/).` + +Additional information regarding comparison of alias and cname records -> https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html#resource-record-sets-choosing-alias-non-alias-comparison ## Changelog Change logs are auto-generated with commitizen. From 6fdc15718858138c4846c6361b7936aef2806edf Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Oct 2024 11:33:05 -0400 Subject: [PATCH 4/6] =?UTF-8?q?=F0=9F=90=9B=20fix(dns):=20zone=20associati?= =?UTF-8?q?ons=20were=20targeting=20the=20wrong=20vpc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dns-providers.tf | 13 ++++++++----- main.tf | 8 ++++---- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/dns-providers.tf b/dns-providers.tf index 2fa7510..797e001 100644 --- a/dns-providers.tf +++ b/dns-providers.tf 
@@ -2,8 +2,9 @@ # Providers for Cross Account DNS Action #------------------------------------------------- provider "aws" { - alias = "route53_main_east" - region = var.region_map["east"] + alias = "route53_main_east" + region = var.region_map["east"] + profile = var.profile assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) session_name = var.os_username @@ -11,8 +12,9 @@ provider "aws" { } provider "aws" { - alias = "route53_main_west" - region = var.region_map["west"] + alias = "route53_main_west" + region = var.region_map["west"] + profile = var.profile assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) session_name = var.os_username @@ -20,7 +22,8 @@ provider "aws" { } provider "aws" { - alias = "self" + alias = "self" + profile = var.profile assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) session_name = var.os_username diff --git a/main.tf b/main.tf index c7eb1f2..1306d5f 100644 --- a/main.tf +++ b/main.tf @@ -47,7 +47,7 @@ resource "aws_route53_vpc_association_authorization" "self_zone_east" { count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0 provider = aws.self - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = var.route53_endpoints.route53_main["us-gov-east-1"] vpc_region = "us-gov-east-1" zone_id = aws_route53_zone.cluster_domain.zone_id } @@ -56,7 +56,7 @@ resource "aws_route53_zone_association" "self_zone_east" { count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0 provider = aws.route53_main_east - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = var.route53_endpoints.route53_main["us-gov-east-1"] vpc_region = "us-gov-east-1" zone_id = aws_route53_zone.cluster_domain.zone_id 
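Review bot: All three provider blocks in this file now read `var.profile`, but the diffstat shows only dns-providers.tf and main.tf changing, so unless variables.tf already declares `variable "profile"` the configuration will not validate; the declaration, with a description and `default = null` so existing callers keep working, belongs in this commit. The change is also absent from the subject line ("zone associations were targeting the wrong vpc") and deserves a sentence in the commit body, because wiring a named credentials profile into every provider, including the assume_role ones, changes how the module authenticates. The same applies to the -11 and -20 hunks of this file.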
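Review bot: The literal region key in `vpc_id = var.route53_endpoints.route53_main["us-gov-east-1"]` repeats a value already fixed by the `count` guard and by `vpc_region` two lines below, and the same pattern recurs with the west key in the three sibling hunks (-56 here, -70 and -79 on the next line); indexing once with the region, e.g. `vpc_id = var.route53_endpoints.route53_main[local.region]`, or hoisting the two VPC ids into locals, removes the chance of `vpc_id` and `vpc_region` drifting apart when another region is added. Since these resources appear to authorize and associate a VPC taken from `route53_endpoints` rather than the cluster's own VPC with the private zone, a comment such as `# associate the route53_main endpoint VPC, not the EKS VPC — see commit message` would stop the next reader from "fixing" it back to `data.aws_vpc.eks_vpc.id`. If `data.aws_vpc.eks_vpc` has no remaining references after this commit it can presumably be dropped; that data block is outside the hunk.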
@@ -70,7 +70,7 @@ resource "aws_route53_vpc_association_authorization" "self_zone_west" { count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0 provider = aws.self - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = var.route53_endpoints.route53_main["us-gov-west-1"] vpc_region = "us-gov-west-1" zone_id = aws_route53_zone.cluster_domain.zone_id } @@ -79,7 +79,7 @@ resource "aws_route53_zone_association" "self_zone_west" { count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0 provider = aws.route53_main_west - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = var.route53_endpoints.route53_main["us-gov-west-1"] vpc_region = "us-gov-west-1" zone_id = aws_route53_zone.cluster_domain.zone_id From 677abad0da77f4bff4c02f048bb6cd517c44e543 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Oct 2024 11:36:40 -0400 Subject: [PATCH 5/6] remove defaults --- README.md | 2 +- variables.tf | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 6b618d9..a2071aa 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | -| [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `map(string)` |
{
"dns_name": "abc-123.elb.region.amazonaws.com",
"zone_id": "ZABC123455"
}
| no | +| [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `map(string)` | n/a | yes | | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [region](#input\_region) | AWS config region | `string` | `""` | no | | [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
}
| no | diff --git a/variables.tf b/variables.tf index a17a541..687eb25 100644 --- a/variables.tf +++ b/variables.tf @@ -50,10 +50,6 @@ variable "os_username" { variable "istio_ingress_lb" { description = "The istio ingress load balancer DNS." type = map(string) - default = { - dns_name = "abc-123.elb.region.amazonaws.com" - zone_id = "ZABC123455" - } } variable "region_map" { From 0594c99ba4531893435fce7f3250826390f43e47 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Oct 2024 11:37:32 -0400 Subject: [PATCH 6/6] A record not CNAME --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 1306d5f..d570b4c 100644 --- a/main.tf +++ b/main.tf @@ -93,7 +93,7 @@ resource "aws_route53_zone_association" "self_zone_west" { resource "aws_route53_record" "entry" { zone_id = aws_route53_zone.cluster_domain.zone_id name = "*.${local.cluster_domain_name}" - type = "CNAME" + type = "A" alias { name = var.istio_ingress_lb.dns_name