diff --git a/README.md b/README.md
index 7d5c878..9521572 100644
--- a/README.md
+++ b/README.md
@@ -19,19 +19,23 @@ Change logs are auto-generated with commitizen. | Name | Version | |------|---------| | [aws](#provider\_aws) | 5.68.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.68.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.68.0 | +| [aws.self](#provider\_aws.self) | 5.68.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [route53\_cluster\_domain\_east](#module\_route53\_cluster\_domain\_east) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone | tf-upgrade | -| [route53\_cluster\_domain\_west](#module\_route53\_cluster\_domain\_west) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone | tf-upgrade | +No modules. ## Resources | Name | Type | |------|------| +| [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | 
[aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -46,7 +50,6 @@ Change logs are auto-generated with commitizen.
 | [region](#input\_region) | AWS config region | `string` | `""` | no |
 | [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
} | no |
| [route53\_endpoints](#input\_route53\_endpoints) | Map of target route53 endpoints (for inbound) central VPCs | `map(map(string))` | {
"route53_main": {
"account_id": "269244441389",
"alias": "lab-gov-network-nonprod",
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
} | no |
-| [shared\_vpc\_label](#input\_shared\_vpc\_label) | Label to use for shared VPC for flowlogs and other things | `string` | `null` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
| [vpc\_domain\_name](#input\_vpc\_domain\_name) | The DNS domain name of the vpc the cluster is in. | `string` | n/a | yes |
| [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes |
diff --git a/aws_data.tf b/aws_data.tf
index 81d8da8..050df9e 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -15,7 +15,7 @@ data "aws_arn" "current" {
# dummy vpc, so we can associate the zone to this account
#---
data "aws_vpc" "dummy_vpc" {
- count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ count = local.is_shared_vpc ? 1 : 0
filter {
name = "tag:Name"
values = ["vpc0-dummy"]
diff --git a/main.tf b/main.tf
index 45f3bbe..247359c 100644
--- a/main.tf
+++ b/main.tf
@@ -10,6 +10,7 @@ locals {
cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
region = var.region
+ is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id
vpc_domain_name = var.vpc_domain_name
}
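Review bot: `is_shared_vpc` silently replaces an operator-supplied flag with an inference from VPC ownership, and the new line carries no comment explaining why ownership is the test; a reader hitting `local.is_shared_vpc` in the `count` expressions elsewhere has nothing to go on. Suggest a comment directly above it: `# A VPC not owned by this account is presumably shared in (e.g. via RAM) from the central networking account; the cluster zone must then be associated cross-account, see the association resources below.` Note also that the inference removes any way to opt in or out for a VPC whose ownership does not match the intent, which the old `shared_vpc_label` allowed; confirm that is acceptable. The README described `shared_vpc_label` as also used "for flowlogs and other things", so it is worth confirming no other code still reads that variable now that it is deleted.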
@@ -23,14 +24,14 @@ resource "aws_route53_zone" "cluster_domain" {
force_destroy = false
vpc {
- vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
+ vpc_id = local.is_shared_vpc ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
vpc_region = local.region
}
lifecycle {
ignore_changes = [vpc]
precondition {
- condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == ""))
+ condition = local.is_shared_vpc && !(var.vpc_domain_name == null || var.vpc_domain_name == "")
error_message = "var.vpc_domain_name must be provided when shared VPCs are in use."
}
}
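Review bot: The rewritten `condition` line inverts the precondition: `local.is_shared_vpc && …` is true only when the VPC is shared, so every cluster in a VPC owned by this account now fails plan with the message "var.vpc_domain_name must be provided when shared VPCs are in use", which is also misleading for that case. The old expression was an implication (label empty, or label set and domain set); its faithful translation is `condition = !local.is_shared_vpc || !(var.vpc_domain_name == null || var.vpc_domain_name == "")`. Since the README table lists `vpc_domain_name` as a required input, the `null` branch presumably cannot occur and the guard effectively only rejects an empty string; a one-line comment saying so would save the next reader from re-deriving it. The enclosing `aws_route53_zone "cluster_domain"` resource starts and ends outside this hunk.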
@@ -45,37 +46,47 @@ resource "aws_route53_zone" "cluster_domain" {
# cluster domain associations with central networking account
# east region
#---
-module "route53_cluster_domain_east" {
+resource "aws_route53_vpc_association_authorization" "self_zone_east" {
+ depends_on = [aws_route53_zone.cluster_domain]
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
- count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- providers = {
- aws.self = aws.self
- aws.peer = aws.route53_main_east
- }
+ provider = aws.self
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+ vpc_region = "us-gov-east-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+}
+
+resource "aws_route53_zone_association" "self_zone_east" {
+ provider = aws.route53_main_east
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-east-1"
- vpc_id = data.aws_vpc.eks_vpc.id
- zone_ids = try([aws_route53_zone.cluster_domain.zone_id])
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+ vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_region = "us-gov-east-1"
- tags = var.tags
+ depends_on = [aws_route53_vpc_association_authorization.self_zone_east]
}
#-------------------------------------------------
# west region
#-------------------------------------------------
-module "route53_cluster_domain_west" {
+resource "aws_route53_vpc_association_authorization" "self_zone_west" {
+ depends_on = [aws_route53_zone.cluster_domain]
+ count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
- count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- providers = {
- aws.self = aws.self
- aws.peer = aws.route53_main_west
- }
+ provider = aws.self
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+ vpc_region = "us-gov-west-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+}
+
+resource "aws_route53_zone_association" "self_zone_west" {
+ provider = aws.route53_main_west
+ count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-west-1"
- vpc_id = data.aws_vpc.eks_vpc.id
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+ vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_region = "us-gov-west-1"
- tags = var.tags
+ depends_on = [aws_route53_vpc_association_authorization.self_zone_west]
}
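Review bot: The `aws_route53_zone_association` resources run under `aws.route53_main_east` / `aws.route53_main_west`, i.e. they assume the foreign-owned EKS VPC belongs to the `route53_main` account, but `local.is_shared_vpc` only establishes that `data.aws_vpc.eks_vpc.owner_id` is not ours; if the VPC is owned by any other account the association call fails at apply time with an opaque API error. A `lifecycle.precondition` on each association comparing `data.aws_vpc.eks_vpc.owner_id` with `var.route53_endpoints["route53_main"]["account_id"]` (the README shows that input already carries the central account id) turns this into a plan-time check with a clear message. Separately, the `aws_route53_vpc_association_authorization` is a standing grant that lets the central account re-associate that VPC to the zone at any time; AWS's guidance is that it can be deleted once the association exists, so if this module intends to keep it in state a comment stating that choice would help. The `depends_on = [aws_route53_zone.cluster_domain]` on both authorization resources is redundant because `zone_id` already references the zone, and the east and west blocks are identical apart from the region string, which could be a single pair of resources with `for_each` over `var.region_map`.
```hcl
resource "aws_route53_zone_association" "self_zone_east" {
  provider = aws.route53_main_east
  count    = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
  # … unchanged: zone_id / vpc_id / vpc_region / depends_on …

  lifecycle {
    precondition {
      # The association is created in the central networking account, so the
      # shared VPC must actually be owned by that account or the API call fails.
      condition     = data.aws_vpc.eks_vpc.owner_id == var.route53_endpoints["route53_main"]["account_id"]
      error_message = "EKS VPC ${data.aws_vpc.eks_vpc.id} is not owned by the route53_main account; cross-account zone association cannot succeed."
    }
  }
}
# … the west resource gets the same precondition …
```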
diff --git a/variables.tf b/variables.tf
index 72ab6a6..2336ee9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -47,12 +47,6 @@ variable "os_username" {
# DNS variables
###################################################################
-variable "shared_vpc_label" {
- description = "Label to use for shared VPC for flowlogs and other things"
- type = string
- default = null
-}
-
variable "region_map" {
description = "AWS region map"
type = map(string)