From 3b7fbe1a0db3cce5182ae4ac44deab886e9c36d9 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 9 Jul 2025 18:07:44 -0400
Subject: [PATCH] add changes for prod dns
---
 README.md | 15 ++++++++----
 dns-providers.tf | 8 +++----
 main.tf | 62 ++++++++++++++++++++++++++++++++++++++++++------
 variables.tf | 6 +++++
 4 files changed, 75 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 2992eeb..6b2bfbc 100644
--- a/README.md
+++ b/README.md
@@ -28,11 +28,11 @@ Change logs are auto-generated with commitizen.
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.14.0 |
-| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | >= 5.14.0 |
-| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | >= 5.14.0 |
-| [aws.self](#provider\_aws.self) | >= 5.14.0 |
-| [null](#provider\_null) | >= 3.2.1 |
+| [aws](#provider\_aws) | 6.0.0 |
+| [aws.route53\_main](#provider\_aws.route53\_main) | 6.0.0 |
+| [aws.route53\_main\_legacy](#provider\_aws.route53\_main\_legacy) | 6.0.0 |
+| [aws.self](#provider\_aws.self) | 6.0.0 |
+| [null](#provider\_null) | 3.2.4 |
 ## Modules
@@ -47,11 +47,15 @@ No modules.
 | [aws_route53_vpc_association_authorization.central_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_vpc_association_authorization.cluster_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_vpc_association_authorization.cluster_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.legacy_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.legacy_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_route53_zone_association.central_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
 | [aws_route53_zone_association.central_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
 | [aws_route53_zone_association.cluster_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
 | [aws_route53_zone_association.cluster_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.legacy_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.legacy_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
 | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -63,6 +67,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| [environment\_abbr](#input\_environment\_abbr) | Environment abbreviation (ex: dev, prod) | `string` | `"lab"` | no |
 | [istio\_ingress\_lb](#input\_istio\_ingress\_lb) | The istio ingress load balancer DNS. | `map(string)` | n/a | yes |
 | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
 | [profile](#input\_profile) | AWS config profile | `string` | `""` | no |
diff --git a/dns-providers.tf b/dns-providers.tf
index 797e001..ea2f427 100644
--- a/dns-providers.tf
+++ b/dns-providers.tf
@@ -2,7 +2,7 @@
 # Providers for Cross Account DNS Action
 #-------------------------------------------------
 provider "aws" {
- alias = "route53_main_east"
+ alias = "route53_main"
 region = var.region_map["east"]
 profile = var.profile
 assume_role {
@@ -12,11 +12,11 @@ provider "aws" {
 }
 provider "aws" {
- alias = "route53_main_west"
- region = var.region_map["west"]
+ alias = "route53_main_legacy"
+ region = var.region_map["east"]
 profile = var.profile
 assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
 session_name = var.os_username
 }
 }
diff --git a/main.tf b/main.tf
index d0578de..6c601e2 100644
--- a/main.tf
+++ b/main.tf
@@ -9,6 +9,7 @@ locals {
 is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id
 region = var.region
 vpc_domain_name = var.vpc_domain_name
+ environment_abbr = var.environment_abbr
 }
 #-------------------------------------------------
@@ -28,7 +29,7 @@ resource "aws_route53_zone" "cluster_domain" {
 lifecycle {
 ignore_changes = [vpc]
 precondition {
- condition = local.is_shared_vpc && !(var.vpc_domain_name == null || var.vpc_domain_name == "")
+ condition = local.is_shared_vpc && ! (var.vpc_domain_name == null || var.vpc_domain_name == "")
 error_message = "var.vpc_domain_name must be provided when shared VPCs are in use."
 }
 }
@@ -55,7 +56,7 @@ resource "aws_route53_vpc_association_authorization" "cluster_zone_east" {
 resource "aws_route53_zone_association" "cluster_zone_east" {
 count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
- provider = aws.route53_main_east
+ provider = aws.route53_main
 vpc_id = data.aws_vpc.eks_vpc.id
 vpc_region = "us-gov-east-1"
 zone_id = aws_route53_zone.cluster_domain.zone_id
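Review bot: The `route53_main_legacy` provider's `role_arn` now indexes `var.route53_endpoints["route53_main_legacy"].account_id`, and unlike the `legacy_zone_*` resources in main.tf this expression has no `count` guard, so presumably every environment that configures this provider — including the non-prod ones where those resources are count 0 — needs a `route53_main_legacy` entry in `route53_endpoints` (the variable's declaration is outside this diff); worth confirming against the lab/dev tfvars before merge. A comment on the block should record that expectation, e.g. `# route53_endpoints must carry a route53_main_legacy entry in every environment, not only prod`. Both aliases are also now pinned to `var.region_map["east"]` while the west associations in main.tf use them with `vpc_region = "us-gov-west-1"`; Route 53 is a global service so this likely works, but a one-line comment saying the east endpoint is deliberate would stop the next reader from "fixing" it back to a west provider. The cross-account `r-inf-terraform-route53` role in the legacy account is now assumed by this module's runs as well, which the README's provider table should mention so the permission footprint is visible.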
@@ -78,7 +79,7 @@ resource "aws_route53_vpc_association_authorization" "cluster_zone_west" {
 resource "aws_route53_zone_association" "cluster_zone_west" {
 count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
- provider = aws.route53_main_west
+ provider = aws.route53_main
 vpc_id = data.aws_vpc.eks_vpc.id
 vpc_region = "us-gov-west-1"
 zone_id = aws_route53_zone.cluster_domain.zone_id
@@ -91,7 +92,7 @@ resource "aws_route53_zone_association" "cluster_zone_west" {
 # east region
 #---
 resource "aws_route53_vpc_association_authorization" "central_zone_east" {
- count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 0 : 1
 provider = aws.self
 vpc_id = var.route53_endpoints.route53_main["us-gov-east-1"]
@@ -100,9 +101,9 @@ resource "aws_route53_vpc_association_authorization" "central_zone_east" {
 }
 resource "aws_route53_zone_association" "central_zone_east" {
- count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 0 : 1
- provider = aws.route53_main_east
+ provider = aws.route53_main
 vpc_id = var.route53_endpoints.route53_main["us-gov-east-1"]
 vpc_region = "us-gov-east-1"
 zone_id = aws_route53_zone.cluster_domain.zone_id
@@ -125,7 +126,7 @@ resource "aws_route53_vpc_association_authorization" "central_zone_west" {
 resource "aws_route53_zone_association" "central_zone_west" {
 count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
- provider = aws.route53_main_west
+ provider = aws.route53_main
 vpc_id = var.route53_endpoints.route53_main["us-gov-west-1"]
 vpc_region = "us-gov-west-1"
 zone_id = aws_route53_zone.cluster_domain.zone_id
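Review bot: The `count` of `aws_route53_vpc_association_authorization.central_zone_east` flips from `? 1 : 0` to `? 0 : 1`, the same inversion is applied to `aws_route53_zone_association.central_zone_east` in the next hunk, yet `central_zone_west` in the hunk after that keeps `? 1 : 0`. The inverted form creates the east central-VPC authorization and association exactly when the cluster is not an east-region shared-VPC cluster — that is, for west-region clusters and for east clusters in a non-shared VPC — which reads like a typo rather than intent and widens the set of VPCs granted resolution of the cluster's private zone. If the symmetry with `central_zone_west` is still wanted, both lines should go back to `count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0`; if the widening is intended, the west resources should match and a comment above the resource should say why the east central VPC is associated from other regions and from non-shared VPCs. The commit message ("add changes for prod dns") does not mention this behavioural change, so it is easy to miss in review.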
@@ -133,6 +134,53 @@ resource "aws_route53_zone_association" "central_zone_west" {
 depends_on = [aws_route53_vpc_association_authorization.central_zone_west]
 }
+#---
+# cluster domain associations with legacy do2-gov networking
+# east region
+#---
+resource "aws_route53_vpc_association_authorization" "legacy_zone_east" {
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc && local.environment_abbr == "prod" ? 1 : 0
+
+ provider = aws.self
+ vpc_id = var.route53_endpoints.route53_main_legacy["us-gov-east-1"]
+ vpc_region = "us-gov-east-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+}
+
+resource "aws_route53_zone_association" "legacy_zone_east" {
+ count = local.region == "us-gov-east-1" && local.is_shared_vpc && local.environment_abbr == "prod" ? 1 : 0
+
+ provider = aws.route53_main_legacy
+ vpc_id = var.route53_endpoints.route53_main_legacy["us-gov-east-1"]
+ vpc_region = "us-gov-east-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+
+ depends_on = [aws_route53_vpc_association_authorization.legacy_zone_east]
+}
+
+#-------------------------------------------------
+# west region
+#-------------------------------------------------
+resource "aws_route53_vpc_association_authorization" "legacy_zone_west" {
+ count = local.region == "us-gov-west-1" && local.is_shared_vpc && local.environment_abbr == "prod" ? 1 : 0
+
+ provider = aws.self
+ vpc_id = var.route53_endpoints.route53_main_legacy["us-gov-west-1"]
+ vpc_region = "us-gov-west-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+}
+
+resource "aws_route53_zone_association" "legacy_zone_west" {
+ count = local.region == "us-gov-west-1" && local.is_shared_vpc && local.environment_abbr == "prod" ? 1 : 0
+
+ provider = aws.route53_main_legacy
+ vpc_id = var.route53_endpoints.route53_main_legacy["us-gov-west-1"]
+ vpc_region = "us-gov-west-1"
+ zone_id = aws_route53_zone.cluster_domain.zone_id
+
+ depends_on = [aws_route53_vpc_association_authorization.legacy_zone_west]
+}
+
 ###################################################################
 # Cluster DNS CNAME MAPPED TO INGRESS NLB
 ###################################################################
diff --git a/variables.tf b/variables.tf
index a536f21..f48d0fc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,6 +49,12 @@ variable "os_username" {
 default = null
 }
+variable "environment_abbr" {
+ description = "Environment abbreviation (ex: dev, prod)"
+ type = string
+ default = "lab"
+}
+
 ###################################################################
 # DNS variables
 ###################################################################
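Review bot: The prod gate `local.environment_abbr == "prod"` is repeated in all four new `count` expressions and compares a free-form string, so any other spelling (`Prod`, `production`) silently evaluates to count 0 and the legacy associations are simply never created, with no diagnostic. Hoist the gate into the `locals` block from the first main.tf hunk, e.g. `legacy_dns_enabled = local.is_shared_vpc && local.environment_abbr == "prod"`, and write each count as `count = local.legacy_dns_enabled && local.region == "us-gov-east-1" ? 1 : 0` (west likewise), so the condition lives in one place and can be tightened once. The west header uses the long `#-----` rule while the east header uses the short `#---` rule and carries the "legacy do2-gov networking" description; the west block should match the east style and read `# west region (legacy do2-gov networking)` so a reader jumping to it knows these are the legacy, prod-only associations.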
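Review bot: `environment_abbr` is declared with no `validation` block, yet main.tf in this same commit creates cross-account Route 53 zone associations only when the value is exactly `"prod"`, so a misspelt value is accepted and silently disables those resources. Constraining the accepted values turns the typo into a plan-time error; the list below is an example assembled from the values the description and default already mention and should be aligned with the environments actually deployed.
```hcl
variable "environment_abbr" {
  # … unchanged: description, type, default …

  validation {
    # main.tf gates the legacy Route 53 associations on == "prod"; reject unknown spellings at plan time
    condition     = contains(["lab", "dev", "prod"], var.environment_abbr)
    error_message = "environment_abbr must be one of: lab, dev, prod."
  }
}
```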