From 885b8f8bd178600c3a44f3f55d871ac469c1ea9e Mon Sep 17 00:00:00 2001 From: mcgin314 Date: Mon, 7 Oct 2024 17:22:47 -0400 Subject: [PATCH 01/10] Retrieve load balancer dns --- aws_data.tf | 11 +++++++++++ load_balancer_dns.sh | 15 +++++++++++++++ 2 files changed, 26 insertions(+) create mode 100755 load_balancer_dns.sh diff --git a/aws_data.tf b/aws_data.tf index 050df9e..e735d7b 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -21,3 +21,14 @@ data "aws_vpc" "dummy_vpc" { values = ["vpc0-dummy"] } } + +# We need to lookup the DNS entry for the istio ingress load balancer created by the tfmod-istio +# We then use this value to create the CNAME record for cluster app/api addressing +data "external" "load_balancer_dns" { + program = ["bash", "${path.module}/load_balancer_dns.sh", format("%v-%v", var.cluster_name, "istio-ingress")] +} + +# format("%v-%v", var.cluster_name, "metrics-server") +output "load_balancer_dns" { + value = data.external.load_balancer_dns.result.dnsName +} \ No newline at end of file diff --git a/load_balancer_dns.sh b/load_balancer_dns.sh new file mode 100755 index 0000000..744a801 --- /dev/null +++ b/load_balancer_dns.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Script to get Load Balancer DNS Name based on the tag Name + +LB_NAME=$1 + +lb_arn=$(for i in $(aws elbv2 describe-load-balancers --query 'LoadBalancers[].LoadBalancerArn' --output text); \ +do aws elbv2 describe-tags --resource-arns "$i" --query "TagDescriptions[?Tags[?Key=='Name' &&Value=='$LB_NAME']].ResourceArn" --output text ;done) + +if [ -z "$lb_arn" ]; then + lb_arn="no_arn_exists_for_this_lb_name" +fi + +dns_name=$(aws elbv2 describe-load-balancers --load-balancer-arns $lb_arn --query 'LoadBalancers[].DNSName' --output text) + +jq -n --arg dnsName "$dns_name" '{"dnsName":$dnsName}' \ No newline at end of file From f299c5f69f90020178e15ab47f79683314a9cb23 Mon Sep 17 00:00:00 2001 
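Review bot: In load_balancer_dns.sh a failed lookup still exits 0 and prints `{"dnsName":""}`, because the `no_arn_exists_for_this_lb_name` sentinel only makes the second `aws elbv2 describe-load-balancers` call fail and nothing checks its status; the `external` data source in aws_data.tf would then hand an empty DNS name to whatever consumes it. `$lb_arn` is also unquoted on that call, so if two load balancers carry the same Name tag, both ARNs are passed and `dns_name` holds more than one name. `$LB_NAME` is spliced into the JMESPath filter, so a value containing a single quote changes the query; it comes from `var.cluster_name` here, and restricting that variable to the expected character set would close this. The script should fail with a non-zero status and a message on stderr instead, as sketched below.

```bash
set -euo pipefail

LB_NAME=${1:?usage: load_balancer_dns.sh <Name tag value>}

# … unchanged: lb_arn lookup loop over describe-load-balancers / describe-tags …

if [ -z "$lb_arn" ]; then
  echo "no load balancer found with tag Name=$LB_NAME" >&2
  exit 1
fi

# Quoted on purpose: more than one matching ARN becomes a single invalid argument and the call fails.
dns_name=$(aws elbv2 describe-load-balancers --load-balancer-arns "$lb_arn" --query 'LoadBalancers[].DNSName' --output text)
```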
From: mcgin314 Date: Tue, 8 Oct 2024 17:37:11 -0400 Subject: [PATCH 02/10] Final updates for cluster cname --- aws_data.tf | 11 -------- load_balancer_dns.sh | 15 ----------- main.tf | 60 ++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 5 ++++ 4 files changed, 65 insertions(+), 26 deletions(-) delete mode 100755 load_balancer_dns.sh diff --git a/aws_data.tf b/aws_data.tf index e735d7b..92d996a 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -20,15 +20,4 @@ data "aws_vpc" "dummy_vpc" { name = "tag:Name" values = ["vpc0-dummy"] } -} - -# We need to lookup the DNS entry for the istio ingress load balancer created by the tfmod-istio -# We then use this value to create the CNAME record for cluster app/api addressing -data "external" "load_balancer_dns" { - program = ["bash", "${path.module}/load_balancer_dns.sh", format("%v-%v", var.cluster_name, "istio-ingress")] -} - -# format("%v-%v", var.cluster_name, "metrics-server") -output "load_balancer_dns" { - value = data.external.load_balancer_dns.result.dnsName } \ No newline at end of file diff --git a/load_balancer_dns.sh b/load_balancer_dns.sh deleted file mode 100755 index 744a801..0000000 --- a/load_balancer_dns.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -# Script to get Load Balancer DNS Name based on the tag Name - -LB_NAME=$1 - -lb_arn=$(for i in $(aws elbv2 describe-load-balancers --query 'LoadBalancers[].LoadBalancerArn' --output text); \ -do aws elbv2 describe-tags --resource-arns "$i" --query "TagDescriptions[?Tags[?Key=='Name' &&Value=='$LB_NAME']].ResourceArn" --output text ;done) - -if [ -z "$lb_arn" ]; then - lb_arn="no_arn_exists_for_this_lb_name" -fi - -dns_name=$(aws elbv2 describe-load-balancers --load-balancer-arns $lb_arn --query 'LoadBalancers[].DNSName' --output text) - -jq -n --arg dnsName "$dns_name" '{"dnsName":$dnsName}' \ No newline at end of file diff --git a/main.tf b/main.tf index 247359c..6ce4bb6 100644 --- a/main.tf +++ b/main.tf 
@@ -6,14 +6,52 @@ # Locals #------------------------------------------------- +locals { + _defaults = { + enable_ptr = { + cname = false + a = false + aaaa = false + txt = false + host = true + ptr = true + } + heritage_label = "terraform" + heritage_prefix = { + cname = "_txt" + a = "" + aaaa = "" + txt = "_txt" + host = "" + ptr = "" + } + } +} + +locals { + base_heritage_tags = [ + format("heritage=%v", local._defaults.heritage_label), + format("%v/account_id=%v", local._defaults.heritage_label, data.aws_caller_identity.current.account_id), + format("%v/region=%v", local._defaults.heritage_label, local.region), + format("%v/create_time=%d", local._defaults.heritage_label, time_static.timestamp.unix) + ] + # heritage_tags = [for k, v in {} : format("%v/%v=%v", local._defaults.heritage_label, k, v)] +} + locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) region = var.region is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id vpc_domain_name = var.vpc_domain_name + record_type = "cname" + ttl = 900 + + default_heritage_prefix = lookup(local._defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", lookup(local._defaults.heritage_prefix, local.record_type)) : "" } +resource "time_static" "timestamp" {} + #------------------------------------------------- # cluster_domain dns zone #------------------------------------------------- 
@@ -90,3 +128,25 @@ resource "aws_route53_zone_association" "self_zone_west" { depends_on = [aws_route53_vpc_association_authorization.self_zone_west] } + +################################################################### +# Cluster DNS CNAME MAPPED TO INGRESS NLB +################################################################### + +resource "aws_route53_record" "entry" { + zone_id = aws_route53_zone.cluster_domain.zone_id + name = "*.${local.cluster_domain_name}" + type = upper(local.record_type) + ttl = local.ttl + records = [var.istio_ingress_lb] +} + +resource "aws_route53_record" "entry_heritage" { + zone_id = aws_route53_zone.cluster_domain.zone_id + name = format("%v%v", local.default_heritage_prefix, "*.${local.cluster_domain_name}") + + type = "TXT" + ttl = local.ttl + # records = [join(",", concat(local.base_heritage_tags, local.heritage_tags))] + records = local.base_heritage_tags +} diff --git a/variables.tf b/variables.tf index 2336ee9..46ed081 100644 --- a/variables.tf +++ b/variables.tf @@ -47,6 +47,11 @@ variable "os_username" { # DNS variables ################################################################### +variable "istio_ingress_lb" { + description = "The Istio ingress network load balancer." + type = string +} + variable "region_map" { description = "AWS region map" type = map(string) From d7d54b04d79f5cd6208c751431419317dddc57ef Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 00:11:12 -0400 Subject: [PATCH 03/10] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20=20refactor(heritage?= =?UTF-8?q?-records):=20refactor=20to=20use=20tf=20native=20instead=20of?= =?UTF-8?q?=20shell?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 17 +++++++++--- aws_data.tf | 14 +++++++++- main.tf | 73 ++++++++++++++++++++++--------------------------- requirements.tf | 8 ++++++ variables.tf | 4 --- 5 files changed, 66 insertions(+), 50 deletions(-) 
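Review bot: `aws_route53_record.entry_heritage` publishes `local.base_heritage_tags` as a TXT record, and that list contains the AWS account ID, the region and the creation time. Anyone who can resolve the zone can read those values; the zone definition is outside this hunk, so if the zone is or may become publicly resolvable I would drop the `account_id` entry or keep that provenance in tags on the hosted zone instead. Separately, `aws_route53_record.entry` points the wildcard `*.${local.cluster_domain_name}` at `var.istio_ingress_lb` with no check on that string. A `validation` block on the variable that rejects empty or non-hostname values would keep a typo from redirecting every name under the cluster domain.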
diff --git a/README.md b/README.md index 9521572..2b64e8a 100644 --- a/README.md +++ b/README.md @@ -13,15 +13,19 @@ Change logs are auto-generated with commitizen. |------|---------| | [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 5.14.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | +| [time](#requirement\_time) | >= 0.9 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.68.0 | -| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.68.0 | -| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.68.0 | -| [aws.self](#provider\_aws.self) | 5.68.0 | +| [aws](#provider\_aws) | 5.70.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.70.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.70.0 | +| [aws.self](#provider\_aws.self) | 5.70.0 | +| [kubernetes](#provider\_kubernetes) | 2.32.0 | +| [time](#provider\_time) | 0.12.1 | ## Modules 
@@ -31,15 +35,20 @@ No modules. | Name | Type | |------|------| +| [aws_route53_record.entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.entry_heritage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_vpc_association_authorization.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | | [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [time_static.timestamp](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source | | [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| 
[kubernetes_service.istio_ingressgateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source | ## Inputs diff --git a/aws_data.tf b/aws_data.tf index 92d996a..e3e0caa 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -20,4 +20,16 @@ data "aws_vpc" "dummy_vpc" { name = "tag:Name" values = ["vpc0-dummy"] } -} \ No newline at end of file +} + +data "kubernetes_service" "istio_ingressgateway" { + metadata { + name = "istio-ingressgateway" + namespace = "istio-system" + } +} + +data "aws_lb" "lb" { + count = local.is_gateway_active ? 1 : 0 + name = split("-", data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)[0] +} diff --git a/main.tf b/main.tf index 6ce4bb6..e410f9e 100644 --- a/main.tf +++ b/main.tf @@ -7,7 +7,7 @@ #------------------------------------------------- locals { - _defaults = { + defaults = { enable_ptr = { cname = false a = false 
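Review bot: In `data "aws_lb" "lb"` the name is computed as `split("-", ...hostname)[0]`, which keeps only the text before the first hyphen; a load balancer whose own name contains hyphens would be looked up under a truncated name, and the lookup would then fail or, at worst, resolve to a different load balancer. The wildcard CNAME target is now derived from live cluster state, so whoever can change the `istio-ingressgateway` Service influences where every name under the cluster domain resolves; a comment above the data source should say so. The Service hostname appears to already be the load balancer's DNS name, so consider using it directly for the record rather than deriving a name from it. `count` is conditional here while main.tf in the same commit indexes `data.aws_lb.lb[0]` unconditionally, which errors when the count is 0.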
@@ -26,28 +26,23 @@ locals { ptr = "" } } -} - -locals { base_heritage_tags = [ - format("heritage=%v", local._defaults.heritage_label), - format("%v/account_id=%v", local._defaults.heritage_label, data.aws_caller_identity.current.account_id), - format("%v/region=%v", local._defaults.heritage_label, local.region), - format("%v/create_time=%d", local._defaults.heritage_label, time_static.timestamp.unix) + format("heritage=%v", local.defaults.heritage_label), + format("%v/account_id=%v", local.defaults.heritage_label, data.aws_caller_identity.current.account_id), + format("%v/region=%v", local.defaults.heritage_label, local.region), + format("%v/create_time=%d", local.defaults.heritage_label, time_static.timestamp.unix) ] - # heritage_tags = [for k, v in {} : format("%v/%v=%v", local._defaults.heritage_label, k, v)] -} -locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) - region = var.region - is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id - vpc_domain_name = var.vpc_domain_name - record_type = "cname" - ttl = 900 + default_heritage_prefix = lookup(local.defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", local.defaults.heritage_prefix[local.record_type]) : "" + + is_gateway_active = data.kubernetes_service.istio-ingressgateway.status != null - default_heritage_prefix = lookup(local._defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", lookup(local._defaults.heritage_prefix, local.record_type)) : "" + is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id + record_type = "cname" + region = var.region + vpc_domain_name = var.vpc_domain_name } resource "time_static" "timestamp" {} 
@@ -85,22 +80,21 @@ resource "aws_route53_zone" "cluster_domain" { # east region #--- resource "aws_route53_vpc_association_authorization" "self_zone_east" { - depends_on = [aws_route53_zone.cluster_domain] - count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0 + count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0 provider = aws.self - zone_id = aws_route53_zone.cluster_domain.zone_id - vpc_region = "us-gov-east-1" vpc_id = data.aws_vpc.eks_vpc.id + vpc_region = "us-gov-east-1" + zone_id = aws_route53_zone.cluster_domain.zone_id } resource "aws_route53_zone_association" "self_zone_east" { - provider = aws.route53_main_east - count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0 + count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0 - zone_id = aws_route53_zone.cluster_domain.zone_id + provider = aws.route53_main_east vpc_id = data.aws_vpc.eks_vpc.id vpc_region = "us-gov-east-1" + zone_id = aws_route53_zone.cluster_domain.zone_id depends_on = [aws_route53_vpc_association_authorization.self_zone_east] } 
@@ -109,22 +103,21 @@ resource "aws_route53_zone_association" "self_zone_east" { # west region #------------------------------------------------- resource "aws_route53_vpc_association_authorization" "self_zone_west" { - depends_on = [aws_route53_zone.cluster_domain] - count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0 + count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0 provider = aws.self - zone_id = aws_route53_zone.cluster_domain.zone_id - vpc_region = "us-gov-west-1" vpc_id = data.aws_vpc.eks_vpc.id + vpc_region = "us-gov-west-1" + zone_id = aws_route53_zone.cluster_domain.zone_id } resource "aws_route53_zone_association" "self_zone_west" { - provider = aws.route53_main_west - count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0 + count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0 - zone_id = aws_route53_zone.cluster_domain.zone_id + provider = aws.route53_main_west vpc_id = data.aws_vpc.eks_vpc.id vpc_region = "us-gov-west-1" + zone_id = aws_route53_zone.cluster_domain.zone_id depends_on = [aws_route53_vpc_association_authorization.self_zone_west] } 
@@ -134,19 +127,17 @@ resource "aws_route53_zone_association" "self_zone_west" { ################################################################### resource "aws_route53_record" "entry" { - zone_id = aws_route53_zone.cluster_domain.zone_id name = "*.${local.cluster_domain_name}" - type = upper(local.record_type) - ttl = local.ttl - records = [var.istio_ingress_lb] + records = [data.aws_lb.lb[0].dns_name] + ttl = 900 + type = "CNAME" + zone_id = aws_route53_zone.cluster_domain.zone_id } resource "aws_route53_record" "entry_heritage" { - zone_id = aws_route53_zone.cluster_domain.zone_id name = format("%v%v", local.default_heritage_prefix, "*.${local.cluster_domain_name}") - - type = "TXT" - ttl = local.ttl - # records = [join(",", concat(local.base_heritage_tags, local.heritage_tags))] - records = local.base_heritage_tags + records = [join(",", local.base_heritage_tags)] + ttl = 900 + type = "TXT" + zone_id = aws_route53_zone.cluster_domain.zone_id } diff --git a/requirements.tf b/requirements.tf index 94a08f3..2ce3460 100644 --- a/requirements.tf +++ b/requirements.tf @@ -6,5 +6,13 @@ terraform { source = "hashicorp/aws" version = ">= 5.14.0" } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.23.0" + } + time = { + source = "hashicorp/time" + version = ">= 0.9" + } } } diff --git a/variables.tf b/variables.tf index 46ed081..fd07e63 100644 --- a/variables.tf +++ b/variables.tf @@ -47,10 +47,6 @@ variable "os_username" { # DNS variables ################################################################### -variable "istio_ingress_lb" { - description = "The Istio ingress network load balancer." - type = string -} variable "region_map" { description = "AWS region map" From 95e2784fc251ca852730cfff3fd43e26f68dce83 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 00:15:58 -0400 Subject: [PATCH 04/10] =?UTF-8?q?=F0=9F=8E=A8=20style(cleanup):=20remove?= =?UTF-8?q?=20extra=20whitespace=20and=20fix=20service=20ref?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index e410f9e..a7a55e2 100644 --- a/main.tf +++ b/main.tf @@ -32,17 +32,14 @@ locals { format("%v/region=%v", local.defaults.heritage_label, local.region), format("%v/create_time=%d", local.defaults.heritage_label, time_static.timestamp.unix) ] - cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) default_heritage_prefix = lookup(local.defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", local.defaults.heritage_prefix[local.record_type]) : "" - - is_gateway_active = data.kubernetes_service.istio-ingressgateway.status != null - - is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id - record_type = "cname" - region = var.region - vpc_domain_name = var.vpc_domain_name + is_gateway_active = data.kubernetes_service.istio_ingressgateway.status != null + is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id + record_type = "cname" + region = var.region + vpc_domain_name = var.vpc_domain_name } resource "time_static" "timestamp" {} From bfc3d0376387f87804124a9466cacd207c3dd640 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 00:48:09 -0400 Subject: [PATCH 05/10] =?UTF-8?q?=F0=9F=90=9B=20fix(variables):=20add=20is?= =?UTF-8?q?tio=5Fnamespace?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + aws_data.tf | 2 +- variables.tf | 5 +++++ 3 files changed, 7 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 2b64e8a..4552b2e 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | +| [istio\_namespace](#input\_istio\_namespace) | The namespace to install the istio components. Defaults to 'istio-system' | `string` | `"istio-system"` | no | | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [region](#input\_region) | AWS config region | `string` | `""` | no | | [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
}
| no | diff --git a/aws_data.tf b/aws_data.tf index e3e0caa..ba784be 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -25,7 +25,7 @@ data "aws_vpc" "dummy_vpc" { data "kubernetes_service" "istio_ingressgateway" { metadata { name = "istio-ingressgateway" - namespace = "istio-system" + namespace = var.istio_namespace } } diff --git a/variables.tf b/variables.tf index fd07e63..3387100 100644 --- a/variables.tf +++ b/variables.tf @@ -47,6 +47,11 @@ variable "os_username" { # DNS variables ################################################################### +variable "istio_namespace" { + description = "The namespace to install the istio components. Defaults to 'istio-system'" + type = string + default = "istio-system" +} variable "region_map" { description = "AWS region map" From 6705bb460b68781cc28c93c9e3c578e08550dedc Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 01:02:49 -0400 Subject: [PATCH 06/10] only when active --- aws_data.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/aws_data.tf b/aws_data.tf index ba784be..566dcc8 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -23,6 +23,7 @@ data "aws_vpc" "dummy_vpc" { } data "kubernetes_service" "istio_ingressgateway" { + count = local.is_gateway_active ? 1 : 0 metadata { name = "istio-ingressgateway" namespace = var.istio_namespace From e644fa38bb6031d48f7d03e71eecc8727c75b640 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 01:21:39 -0400 Subject: [PATCH 07/10] add depends --- aws_data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws_data.tf b/aws_data.tf index 566dcc8..6252d2f 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -23,7 +23,7 @@ data "aws_vpc" "dummy_vpc" { } data "kubernetes_service" "istio_ingressgateway" { - count = local.is_gateway_active ? 1 : 0 + depends_on = [aws_route53_zone.cluster_domain] metadata { name = "istio-ingressgateway" namespace = var.istio_namespace 
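Review bot: `depends_on = [aws_route53_zone.cluster_domain]` on the `kubernetes_service` data source ties the read to a resource whose attributes it does not use. With `depends_on` on a data source, Terraform defers the read to apply time whenever the dependency has pending changes, so on first creation the plan cannot show which hostname the wildcard CNAME will receive and nobody can review that target before it is applied. If the intent is to wait for the Istio gateway to exist, I would remove this line and let the caller order the modules, or at least add a comment such as `# read deferred until the zone exists because <reason>` so the next maintainer does not have to guess.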
From ac91c1742d70cc6256905d3cb16045eb0caff24d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 01:24:21 -0400 Subject: [PATCH 08/10] here also --- aws_data.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/aws_data.tf b/aws_data.tf index 6252d2f..52601d0 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -31,6 +31,7 @@ data "kubernetes_service" "istio_ingressgateway" { } data "aws_lb" "lb" { - count = local.is_gateway_active ? 1 : 0 - name = split("-", data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)[0] + depends_on = [aws_route53_zone.cluster_domain] + count = local.is_gateway_active ? 1 : 0 + name = split("-", data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)[0] } From 610eb020d510803dde43d9a40e7372a7e22a9a3a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 01:25:41 -0400 Subject: [PATCH 09/10] assume active here --- aws_data.tf | 1 - main.tf | 1 - 2 files changed, 2 deletions(-) diff --git a/aws_data.tf b/aws_data.tf index 52601d0..7bfda66 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -32,6 +32,5 @@ data "kubernetes_service" "istio_ingressgateway" { data "aws_lb" "lb" { depends_on = [aws_route53_zone.cluster_domain] - count = local.is_gateway_active ? 1 : 0 name = split("-", data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)[0] } diff --git a/main.tf b/main.tf index a7a55e2..532bf5e 100644 --- a/main.tf +++ b/main.tf 
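Review bot: With `count` removed from `data "aws_lb" "lb"`, the expression `status[0].load_balancer[0].ingress[0].hostname` is evaluated unconditionally and fails with a bare index error when the Service has no load balancer ingress yet. The same commit also deletes `is_gateway_active` in main.tf, so no guard is left. A `precondition` inside a `lifecycle` block on this data source, with `condition = can(data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)` and an `error_message` naming the Service and `var.istio_namespace`, would turn that into an explicit, readable failure before any DNS record is planned.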
@@ -35,7 +35,6 @@ locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) default_heritage_prefix = lookup(local.defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", local.defaults.heritage_prefix[local.record_type]) : "" - is_gateway_active = data.kubernetes_service.istio_ingressgateway.status != null is_shared_vpc = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id record_type = "cname" region = var.region From 4a7ff7fdb263c1ebe987fd2f24b908c8baece3f5 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 10 Oct 2024 01:27:57 -0400 Subject: [PATCH 10/10] no count --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 532bf5e..fb4beda 100644 --- a/main.tf +++ b/main.tf @@ -124,7 +124,7 @@ resource "aws_route53_zone_association" "self_zone_west" { resource "aws_route53_record" "entry" { name = "*.${local.cluster_domain_name}" - records = [data.aws_lb.lb[0].dns_name] + records = [data.aws_lb.lb.dns_name] ttl = 900 type = "CNAME" zone_id = aws_route53_zone.cluster_domain.zone_id