From ce25ef5078de6fcd87a7834b59eab4454e55fac6 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 15 Dec 2025 14:12:31 -0500
Subject: [PATCH 1/2] cname module instead of alias record
---
 main.tf | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/main.tf b/main.tf
index f028bb1..c3a732b 100644
--- a/main.tf
+++ b/main.tf
@@ -29,8 +29,8 @@ resource "aws_route53_zone" "cluster_domain" {
 lifecycle {
 ignore_changes = [vpc]
 precondition {
- condition = local.is_shared_vpc && ! (var.vpc_domain_name == null || var.vpc_domain_name == "")
- error_message = "var.vpc_domain_name must be provided when shared VPCs are in use."
+ condition = ! (var.vpc_domain_name == null || var.vpc_domain_name == "")
+ error_message = "var.vpc_domain_name must be provided."
 }
 }
@@ -45,19 +45,19 @@ resource "aws_route53_zone" "cluster_domain" {
 # east region
 #---
 resource "aws_route53_vpc_association_authorization" "cluster_zone_east" {
- count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-east-1" ? 1 : 0
 provider = aws.self
- vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_id = local.is_shared_vpc ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
 vpc_region = var.region_map["east"]
 zone_id = aws_route53_zone.cluster_domain.zone_id
 }
 resource "aws_route53_zone_association" "cluster_zone_east" {
- count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-east-1" ? 1 : 0
 provider = aws.route53_main
- vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_id = local.is_shared_vpc ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
 vpc_region = var.region_map["east"]
 zone_id = aws_route53_zone.cluster_domain.zone_id
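Review bot: The rewritten precondition makes `var.vpc_domain_name` unconditionally mandatory, but it is enforced on `aws_route53_zone.cluster_domain` rather than on the variable, so a missing value is only reported once planning reaches this resource, and the shortened message no longer says why the zone needs it. Moving the check into a `validation` block on `variable "vpc_domain_name"` (same `condition`, same `error_message`) surfaces it at variable evaluation; if it stays here, extend the message to say what the zone uses the name for. Dropping the `local.is_shared_vpc &&` conjunct is the right direction, since the old condition rejected every non-shared-VPC plan outright. The enclosing resource and its `lifecycle` block start before the hunk.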
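Review bot: `vpc_id = local.is_shared_vpc ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id` can evaluate to `null` for a required argument: `try()` only masks the error of indexing an absent `data.aws_vpc.dummy_vpc[0]`, and both `aws_route53_vpc_association_authorization` and `aws_route53_zone_association` require `vpc_id`, so a shared-VPC plan with no dummy VPC instance now fails at plan time where the old `&& local.is_shared_vpc` gate on `count` simply skipped the resources. If that lookup can legitimately be absent, fold it into `count` instead of relying on `try()`, e.g. `count = local.region == "us-gov-east-1" && (!local.is_shared_vpc || length(data.aws_vpc.dummy_vpc) > 0) ? 1 : 0`; `data.aws_vpc.dummy_vpc` is not declared anywhere in this diff, so its shape is inferred. The same pattern is repeated in both resources of the west hunk (`@@ -65,22 +65,22 @@`). Separately, a VPC association authorization is only needed when the VPC and the hosted zone live in different accounts, so un-gating the authorization resource for the non-shared case creates an authorization for a same-account VPC that most likely adds nothing; consider leaving the authorization gated on `local.is_shared_vpc` and un-gating only the association.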
@@ -65,22 +65,22 @@ resource "aws_route53_zone_association" "cluster_zone_east" {
 }
 #-------------------------------------------------
-# west region
+# cluster PHZ Association west region
 #-------------------------------------------------
 resource "aws_route53_vpc_association_authorization" "cluster_zone_west" {
- count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-west-1" ? 1 : 0
 provider = aws.self
- vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_id = local.is_shared_vpc ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
 vpc_region = var.region_map["west"]
 zone_id = aws_route53_zone.cluster_domain.zone_id
 }
 resource "aws_route53_zone_association" "cluster_zone_west" {
- count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-west-1" ? 1 : 0
 provider = aws.route53_main
- vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_id = local.is_shared_vpc ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
 vpc_region = var.region_map["west"]
 zone_id = aws_route53_zone.cluster_domain.zone_id
@@ -180,3 +180,13 @@ resource "aws_route53_record" "entry" {
 evaluate_target_health = true
 }
 }
+
+# Equivalent module implementation
+# module "istio_ingress" {
+# source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+
+# name = "*.${local.cluster_domain_name}"
+# zone = aws_route53_zone.cluster_domain.zone_id
+# values = [var.istio_ingress_lb.dns_name]
+# enable_heritage = false
+# }
From a1e8f50990544c1f174630299b80417d7b7a5949 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 16 Dec 2025 18:14:37 -0500
Subject: [PATCH 2/2] flip eval target health to false
---
 README.md | 1 -
 main.tf | 3 +--
 variables.tf | 6 ------
 3 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 6b2bfbc..6f2611c 100644
--- a/README.md
+++ b/README.md
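Review bot: The commit subject says the alias record is replaced by the cname module, but the `@@ -180,3 +180,13 @@` hunk only appends the module as a commented-out block after `resource "aws_route53_record" "entry"`, so the alias record stays authoritative and the commented block will drift from it. Either make the switch in this commit or drop the block; if it is kept as reference, pin the git source to a tag or commit so whoever un-comments it does not pull an unpinned default branch, e.g. `# source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname?ref=<tag-placeholder>"`. The `enable_heritage` input and `local.cluster_domain_name` are referenced here but defined nowhere in this diff, so whether they exist is inferred. The `aws_route53_record` resource begins before the hunk.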
@@ -67,7 +67,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
-| [environment\_abbr](#input\_environment\_abbr) | Environment abbreviation (ex: dev, prod) | `string` | `"lab"` | no |
 | [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `map(string)` | n/a | yes |
 | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
 | [profile](#input\_profile) | AWS config profile | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index c3a732b..f3efd4f 100644
--- a/main.tf
+++ b/main.tf
@@ -9,7 +9,6 @@ locals {
 is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id
 region = var.region
 vpc_domain_name = var.vpc_domain_name
- environment_abbr = var.environment_abbr
 }
 #-------------------------------------------------
@@ -177,7 +176,7 @@ resource "aws_route53_record" "entry" {
 alias {
 name = var.istio_ingress_lb.dns_name
 zone_id = var.istio_ingress_lb.zone_id
- evaluate_target_health = true
+ evaluate_target_health = false # scaling actions will cause dns to drop otherwise
 }
 }
diff --git a/variables.tf b/variables.tf
index f48d0fc..a536f21 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,12 +49,6 @@ variable "os_username" {
 default = null
 }
-variable "environment_abbr" {
- description = "Environment abbreviation (ex: dev, prod)"
- type = string
- default = "lab"
-}
-
 ###################################################################
 # DNS variables
 ###################################################################
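Review bot: The inline comment `# scaling actions will cause dns to drop otherwise` on `evaluate_target_health = false` in the `@@ -177,7 +176,7 @@` hunk records an effect but not the trade-off the next reader needs: with health evaluation off, Route 53 keeps answering with the load balancer alias even while it is unhealthy, and nothing visible in the diff gives this record a failover sibling, so there was nothing to fail over to in the first place. Suggest a fuller comment on its own line above the attribute, along the lines of `# false: this alias is the only answer for the name, so evaluating LB health only withdraws it during scaling/deploy churn instead of failing over; revisit if a secondary record is added`. The `aws_route53_record.entry` resource starts before the hunk, so the absence of a failover routing policy is inferred from what is visible here.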