diff --git a/README.md b/README.md
index 9521572..4552b2e 100644
--- a/README.md
+++ b/README.md
@@ -13,15 +13,19 @@ Change logs are auto-generated with commitizen.
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.5 |
| [aws](#requirement\_aws) | >= 5.14.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| [time](#requirement\_time) | >= 0.9 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.68.0 |
-| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.68.0 |
-| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.68.0 |
-| [aws.self](#provider\_aws.self) | 5.68.0 |
+| [aws](#provider\_aws) | 5.70.0 |
+| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.70.0 |
+| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.70.0 |
+| [aws.self](#provider\_aws.self) | 5.70.0 |
+| [kubernetes](#provider\_kubernetes) | 2.32.0 |
+| [time](#provider\_time) | 0.12.1 |
## Modules
@@ -31,21 +35,27 @@ No modules.
| Name | Type |
|------|------|
+| [aws_route53_record.entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.entry_heritage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
| [aws_route53_vpc_association_authorization.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
| [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
| [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
| [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [time_static.timestamp](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source |
| [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
| [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [kubernetes_service.istio_ingressgateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| [istio\_namespace](#input\_istio\_namespace) | The namespace to install the istio components. Defaults to 'istio-system' | `string` | `"istio-system"` | no |
| [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
| [region](#input\_region) | AWS config region | `string` | `""` | no |
| [region\_map](#input\_region\_map) | AWS region map | `map(string)` | {
"east": "us-gov-east-1",
"west": "us-gov-west-1"
} | no |
diff --git a/aws_data.tf b/aws_data.tf
index 050df9e..7bfda66 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -21,3 +21,16 @@ data "aws_vpc" "dummy_vpc" {
values = ["vpc0-dummy"]
}
}
+
+data "kubernetes_service" "istio_ingressgateway" {
+ depends_on = [aws_route53_zone.cluster_domain]
+ metadata {
+ name = "istio-ingressgateway"
+ namespace = var.istio_namespace
+ }
+}
+
+data "aws_lb" "lb" {
+ depends_on = [aws_route53_zone.cluster_domain]
+ name = split("-", data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)[0]
+}
diff --git a/main.tf b/main.tf
index 247359c..fb4beda 100644
--- a/main.tf
+++ b/main.tf
@@ -7,13 +7,42 @@
#-------------------------------------------------
locals {
+ defaults = {
+ enable_ptr = {
+ cname = false
+ a = false
+ aaaa = false
+ txt = false
+ host = true
+ ptr = true
+ }
+ heritage_label = "terraform"
+ heritage_prefix = {
+ cname = "_txt"
+ a = ""
+ aaaa = ""
+ txt = "_txt"
+ host = ""
+ ptr = ""
+ }
+ }
+ base_heritage_tags = [
+ format("heritage=%v", local.defaults.heritage_label),
+ format("%v/account_id=%v", local.defaults.heritage_label, data.aws_caller_identity.current.account_id),
+ format("%v/region=%v", local.defaults.heritage_label, local.region),
+ format("%v/create_time=%d", local.defaults.heritage_label, time_static.timestamp.unix)
+ ]
cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
- region = var.region
+ default_heritage_prefix = lookup(local.defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", local.defaults.heritage_prefix[local.record_type]) : ""
is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id
+ record_type = "cname"
+ region = var.region
vpc_domain_name = var.vpc_domain_name
}
+resource "time_static" "timestamp" {}
+
#-------------------------------------------------
# cluster_domain dns zone
#-------------------------------------------------
@@ -47,22 +76,21 @@ resource "aws_route53_zone" "cluster_domain" {
# east region
#---
resource "aws_route53_vpc_association_authorization" "self_zone_east" {
- depends_on = [aws_route53_zone.cluster_domain]
- count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
provider = aws.self
- zone_id = aws_route53_zone.cluster_domain.zone_id
- vpc_region = "us-gov-east-1"
vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_region = "us-gov-east-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
}
resource "aws_route53_zone_association" "self_zone_east" {
- provider = aws.route53_main_east
- count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
- zone_id = aws_route53_zone.cluster_domain.zone_id
+ provider = aws.route53_main_east
vpc_id = data.aws_vpc.eks_vpc.id
vpc_region = "us-gov-east-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
depends_on = [aws_route53_vpc_association_authorization.self_zone_east]
}
@@ -71,22 +99,41 @@ resource "aws_route53_zone_association" "self_zone_east" {
# west region
#-------------------------------------------------
resource "aws_route53_vpc_association_authorization" "self_zone_west" {
- depends_on = [aws_route53_zone.cluster_domain]
- count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
provider = aws.self
- zone_id = aws_route53_zone.cluster_domain.zone_id
- vpc_region = "us-gov-west-1"
vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_region = "us-gov-west-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
}
resource "aws_route53_zone_association" "self_zone_west" {
- provider = aws.route53_main_west
- count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
- zone_id = aws_route53_zone.cluster_domain.zone_id
+ provider = aws.route53_main_west
vpc_id = data.aws_vpc.eks_vpc.id
vpc_region = "us-gov-west-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
depends_on = [aws_route53_vpc_association_authorization.self_zone_west]
}
+
+###################################################################
+# Cluster DNS CNAME MAPPED TO INGRESS NLB
+###################################################################
+
+resource "aws_route53_record" "entry" {
+ name = "*.${local.cluster_domain_name}"
+ records = [data.aws_lb.lb.dns_name]
+ ttl = 900
+ type = "CNAME"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+}
+
+resource "aws_route53_record" "entry_heritage" {
+ name = format("%v%v", local.default_heritage_prefix, "*.${local.cluster_domain_name}")
+ records = [join(",", local.base_heritage_tags)]
+ ttl = 900
+ type = "TXT"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+}
diff --git a/requirements.tf b/requirements.tf
index 94a08f3..2ce3460 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -6,5 +6,13 @@ terraform {
source = "hashicorp/aws"
version = ">= 5.14.0"
}
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.23.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
}
}
diff --git a/variables.tf b/variables.tf
index 2336ee9..3387100 100644
--- a/variables.tf
+++ b/variables.tf
@@ -47,6 +47,12 @@ variable "os_username" {
# DNS variables
###################################################################
+variable "istio_namespace" {
+ description = "The namespace to install the istio components. Defaults to 'istio-system'"
+ type = string
+ default = "istio-system"
+}
+
variable "region_map" {
description = "AWS region map"
type = map(string)