Feature dns ingress

README.md

@@ -13,15 +13,19 @@ Change logs are auto-generated with commitizen.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.68.0 |
-| <a name="provider_aws.route53_main_east"></a> [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.68.0 |
-| <a name="provider_aws.route53_main_west"></a> [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.68.0 |
-| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | 5.68.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.70.0 |
+| <a name="provider_aws.route53_main_east"></a> [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.70.0 |
+| <a name="provider_aws.route53_main_west"></a> [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.70.0 |
+| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | 5.70.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.32.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | 0.12.1 |
 
 ## Modules
 
@@ -31,21 +35,27 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_route53_record.entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.entry_heritage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_vpc_association_authorization.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
 | [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [time_static.timestamp](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source |
 | [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [kubernetes_service.istio_ingressgateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| <a name="input_istio_namespace"></a> [istio\_namespace](#input\_istio\_namespace) | The namespace to install the istio components. Defaults to 'istio-system' | `string` | `"istio-system"` | no |
 | <a name="input_os_username"></a> [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS config region | `string` | `""` | no |
 | <a name="input_region_map"></a> [region\_map](#input\_region\_map) | AWS region map | `map(string)` | <pre>{<br>  "east": "us-gov-east-1",<br>  "west": "us-gov-west-1"<br>}</pre> | no |

aws_data.tf

@@ -21,3 +21,16 @@ data "aws_vpc" "dummy_vpc" {
     values = ["vpc0-dummy"]
   }
 }
+
+data "kubernetes_service" "istio_ingressgateway" {
+  depends_on = [aws_route53_zone.cluster_domain]
+  metadata {
+    name      = "istio-ingressgateway"
+    namespace = var.istio_namespace
+  }
+}
+
+data "aws_lb" "lb" {
+  depends_on = [aws_route53_zone.cluster_domain]
+  name       = split("-", data.kubernetes_service.istio_ingressgateway.status[0].load_balancer[0].ingress[0].hostname)[0]
+}

main.tf

@@ -7,13 +7,42 @@
 #-------------------------------------------------
 
 locals {
+  defaults = {
+    enable_ptr = {
+      cname = false
+      a     = false
+      aaaa  = false
+      txt   = false
+      host  = true
+      ptr   = true
+    }
+    heritage_label = "terraform"
+    heritage_prefix = {
+      cname = "_txt"
+      a     = ""
+      aaaa  = ""
+      txt   = "_txt"
+      host  = ""
+      ptr   = ""
+    }
+  }
+  base_heritage_tags = [
+    format("heritage=%v", local.defaults.heritage_label),
+    format("%v/account_id=%v", local.defaults.heritage_label, data.aws_caller_identity.current.account_id),
+    format("%v/region=%v", local.defaults.heritage_label, local.region),
+    format("%v/create_time=%d", local.defaults.heritage_label, time_static.timestamp.unix)
+  ]
   cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
   cluster_domain_name        = format("%v.%v", var.cluster_name, local.vpc_domain_name)
-  region                     = var.region
+  default_heritage_prefix    = lookup(local.defaults.heritage_prefix, local.record_type, "") != "" ? format("%v.", local.defaults.heritage_prefix[local.record_type]) : ""
   is_shared_vpc              = data.aws_vpc.eks_vpc.owner_id != data.aws_caller_identity.current.account_id
+  record_type                = "cname"
+  region                     = var.region
   vpc_domain_name            = var.vpc_domain_name
 }
 
+resource "time_static" "timestamp" {}
+
 #-------------------------------------------------
 # cluster_domain dns zone
 #-------------------------------------------------
@@ -47,22 +76,21 @@ resource "aws_route53_zone" "cluster_domain" {
 # east region
 #---
 resource "aws_route53_vpc_association_authorization" "self_zone_east" {
-  depends_on = [aws_route53_zone.cluster_domain]
-  count      = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+  count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
 
   provider   = aws.self
-  zone_id    = aws_route53_zone.cluster_domain.zone_id
-  vpc_region = "us-gov-east-1"
   vpc_id     = data.aws_vpc.eks_vpc.id
+  vpc_region = "us-gov-east-1"
+  zone_id    = aws_route53_zone.cluster_domain.zone_id
 }
 
 resource "aws_route53_zone_association" "self_zone_east" {
-  provider = aws.route53_main_east
-  count    = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
+  count = local.region == "us-gov-east-1" && local.is_shared_vpc ? 1 : 0
 
-  zone_id    = aws_route53_zone.cluster_domain.zone_id
+  provider   = aws.route53_main_east
   vpc_id     = data.aws_vpc.eks_vpc.id
   vpc_region = "us-gov-east-1"
+  zone_id    = aws_route53_zone.cluster_domain.zone_id
 
   depends_on = [aws_route53_vpc_association_authorization.self_zone_east]
 }
@@ -71,22 +99,41 @@ resource "aws_route53_zone_association" "self_zone_east" {
 # west region
 #-------------------------------------------------
 resource "aws_route53_vpc_association_authorization" "self_zone_west" {
-  depends_on = [aws_route53_zone.cluster_domain]
-  count      = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
+  count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
 
   provider   = aws.self
-  zone_id    = aws_route53_zone.cluster_domain.zone_id
-  vpc_region = "us-gov-west-1"
   vpc_id     = data.aws_vpc.eks_vpc.id
+  vpc_region = "us-gov-west-1"
+  zone_id    = aws_route53_zone.cluster_domain.zone_id
 }
 
 resource "aws_route53_zone_association" "self_zone_west" {
-  provider = aws.route53_main_west
-  count    = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
+  count = local.region == "us-gov-west-1" && local.is_shared_vpc ? 1 : 0
 
-  zone_id    = aws_route53_zone.cluster_domain.zone_id
+  provider   = aws.route53_main_west
   vpc_id     = data.aws_vpc.eks_vpc.id
   vpc_region = "us-gov-west-1"
+  zone_id    = aws_route53_zone.cluster_domain.zone_id
 
   depends_on = [aws_route53_vpc_association_authorization.self_zone_west]
 }
+
+###################################################################
+# Cluster DNS CNAME MAPPED TO INGRESS NLB
+###################################################################
+
+resource "aws_route53_record" "entry" {
+  name    = "*.${local.cluster_domain_name}"
+  records = [data.aws_lb.lb.dns_name]
+  ttl     = 900
+  type    = "CNAME"
+  zone_id = aws_route53_zone.cluster_domain.zone_id
+}
+
+resource "aws_route53_record" "entry_heritage" {
+  name    = format("%v%v", local.default_heritage_prefix, "*.${local.cluster_domain_name}")
+  records = [join(",", local.base_heritage_tags)]
+  ttl     = 900
+  type    = "TXT"
+  zone_id = aws_route53_zone.cluster_domain.zone_id
+}

requirements.tf

@@ -6,5 +6,13 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.14.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.23.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9"
+    }
   }
 }

variables.tf

@@ -47,6 +47,12 @@ variable "os_username" {
 # DNS variables
 ###################################################################
 
+variable "istio_namespace" {
+  description = "The namespace to install the istio components. Defaults to 'istio-system'"
+  type        = string
+  default     = "istio-system"
+}
+
 variable "region_map" {
   description = "AWS region map"
   type        = map(string)