From 4334f8e5d2530a07c21fa2fc52b862a43dd41ab8 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Sat, 20 Jul 2024 00:04:26 -0400 Subject: [PATCH 01/59] update image to AL2023 --- main.tf | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 074159b..b6e11c2 100644 --- a/main.tf +++ b/main.tf @@ -72,7 +72,7 @@ locals { } module "cluster" { - source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.8.5" + source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.20.0" #version = "19.16.0" cluster_name = var.cluster_name @@ -99,6 +99,9 @@ module "cluster" { kube-proxy = { most_recent = true } + eks-pod-identity-agent = { + most_recent = true + } vpc-cni = { most_recent = true service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn @@ -114,10 +117,10 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "AL2_x86_64" + ami_type = "AL2023_x86_64_STANDARD" } - node_security_group_enable_recommended_rules = false + node_security_group_enable_recommended_rules = true node_security_group_additional_rules = local.node_security_group_additional_rules @@ -141,14 +144,23 @@ module "cluster" { ebs = { volume_size = var.eks_instance_disk_size volume_type = "gp3" - iops = 3000 - throughput = 125 + # iops = 3000 + # throughput = 125 encrypted = true delete_on_termination = true kms_key_id = data.aws_kms_key.ebs_key.arn } } } + taints = { + # This Taint aims to keep just EKS Addons and Karpenter running on this MNG + # The pods that do not tolerate this taint should run on nodes created by Karpenter + addons = { + key = "CriticalAddonsOnly" + value = "true" + effect = "NO_SCHEDULE" + }, + } } } From 4bb78444ac956b7268642a6032b2366b6f31ab5c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 22 Jul 2024 17:21:28 -0400 Subject: [PATCH 02/59] not for 1.30 apparently --- main.tf | 3 --- 1 file changed, 3 deletions(-) 
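Review bot: The module source at the top of the hunk is pinned to a git tag, `?ref=v20.20.0`, and a git tag can be moved or re-created, so the bump does not actually fix what Terraform will fetch from the internal forge. Pinning to the commit SHA behind the tag (`?ref=<full 40-char sha>`) and recording the tag name in a comment is the usual remedy; the stale `#version = "19.16.0"` line below it should simply go. The `iops`/`throughput` lines are commented out rather than deleted — gp3 volumes fall back to the service defaults, so behaviour is likely unchanged, but dead settings invite the next reader to re-enable them without understanding why they were disabled. The `module "cluster"` block continues outside this hunk.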
diff --git a/main.tf b/main.tf index b6e11c2..c523551 100644 --- a/main.tf +++ b/main.tf @@ -99,9 +99,6 @@ module "cluster" { kube-proxy = { most_recent = true } - eks-pod-identity-agent = { - most_recent = true - } vpc-cni = { most_recent = true service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn From 6b879effd1d992f15d9ceced62ae5b5409dee49d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 22 Jul 2024 17:46:43 -0400 Subject: [PATCH 03/59] comment the taint --- main.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/main.tf b/main.tf index c523551..6f24f57 100644 --- a/main.tf +++ b/main.tf @@ -149,15 +149,15 @@ module "cluster" { } } } - taints = { - # This Taint aims to keep just EKS Addons and Karpenter running on this MNG - # The pods that do not tolerate this taint should run on nodes created by Karpenter - addons = { - key = "CriticalAddonsOnly" - value = "true" - effect = "NO_SCHEDULE" - }, - } + # taints = { + # # This Taint aims to keep just EKS Addons and Karpenter running on this MNG + # # The pods that do not tolerate this taint should run on nodes created by Karpenter + # addons = { + # key = "CriticalAddonsOnly" + # value = "true" + # effect = "NO_SCHEDULE" + # }, + # } } } From 091915f2fce6e882f230f0a91374ff2d689fe84d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 22 Jul 2024 21:37:47 -0400 Subject: [PATCH 04/59] add changelog and update version --- README.md | 230 ++++++++++++++++++++++++++++++++++++++++++++++++++++- version.tf | 2 +- 2 files changed, 230 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7ceeffa..4d3cf48 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ kube-proxy ## Outputs +<<<<<<< HEAD | Name | Description | |------|-------------| | [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created | 
@@ -131,4 +132,231 @@ kube-proxy | [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block associated with the VPC. | | [vpc\_cni\_irsa\_role](#output\_vpc\_cni\_irsa\_role) | The arn/name/unique\_id of the irsa role for the vpc-cni addon | | [vpc\_id](#output\_vpc\_id) | The VPC id where the EKS cluster was deployed. | - \ No newline at end of file + +======= +### Module information + +**module_name** + +Description: The name of this module. + + +**module_version** + +Description: The version of this module. + +### Networking information + +**vpc_id** + +Description: The VPC id where the EKS cluster was deployed. + + +**vpc_cidr_block** + +Description: The CIDR block associated with the VPC. + + +**subnets** + +Description: The subnets configured for the VPC. + + +**security_group_all_worker_mgmt_id** + +Description: The security group to manage all of the worker nodes. + + +**cluster_fqdn** + +Description: The `cluster_name`.`domain` + + +### IRSA Roles Created + +**vpc_cni_irsa_role** + +Description: The arn/name/unique_id of the irsa role for the vpc-cni addon + + +**ebs_csi_irsa_role** + +Description: The arn/name/unique_id of the irsa role for the ebs-csi-driver addon + + +**efs_csi_irsa_role** + +Description: The arn/name/unique_id of the irsa role for the efs-csi-driver addon + + +**cluster_iam_role** + +Description: The arn/name/unique_id of the iam role for the cluster + + +### Cluster information + +**cluster_arn** + +Description: The Amazon Resource Name (ARN) of the cluster + + +**cluster_certificate_authority_data** + +Description: Base64 encoded certificate data required to communicate with the cluster + + +**cluster_endpoint** + +Description: Endpoint for your Kubernetes API server + + +**cluster_id** + +Description: The ID of the EKS cluster. 
Note: currently a value is returned only for local EKS clusters created on Outposts + + +**cluster_name** + +Description: The name of the EKS cluster + + +**cluster_version** + +Description: The Kubernetes version for the cluster + + +**cluster_platform_version** + +Description: Platform version for the cluster + + +**cluster_status** + +Description: Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` + + +### KMS Key + +**kms_key_arn** + +Description: The Amazon Resource Name (ARN) of the key + + +**kms_key_id** + +Description: The globally unique identifier for the key + + +**kms_key_policy** + +Description: The IAM resource policy set on the key + + +### Cluster Security Group + +**cluster_security_group_arn** + +Description: Amazon Resource Name (ARN) of the cluster security group + + +**cluster_security_group_id** + +Description: ID of the cluster security group + + +**cluster_primary_security_group_id** + +Description: Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. 
Referred to as 'Cluster security group' in the EKS console + + +### Node Security Group + +**node_security_group_arn** + +Description: Amazon Resource Name (ARN) of the node shared security group + + +**node_security_group_id** + +Description: ID of the node shared security group + + +### IRSA + +**oidc_provider** + +Description: The OpenID Connect identity provider (issuer URL without leading `https://`) + + +**oidc_provider_arn** + +Description: The ARN of the OIDC Provider if `enable_irsa = true` + + +**cluster_oidc_issuer_url** + +Description: The URL on the EKS cluster for the OpenID Connect identity provider + + +**cluster_tls_certificate_sha1_fingerprint** + +Description: The SHA1 fingerprint of the public key of the cluster's certificate + + +### EKS Addons + +**cluster_addons** + +Description: Map of attribute maps for all EKS cluster addons enabled + + +### EKS Identity Provider + +**cluster_identity_providers** + +Description: Map of attribute maps for all EKS identity providers enabled + + +### Cloudwatch Log Group + +**cloudwatch_log_group_arn** + +Description: Arn of cloudwatch log group created + + +**cloudwatch_log_group_name** + +Description: Name of cloudwatch log group created + + +### Fargate profile + +**fargate_profiles** + +Description: Map of attribute maps for all EKS Fargate Profiles created + + +### EKS Managed Node Group + +**eks_managed_node_groups** + +Description: Map of attribute maps for all EKS managed node groups created + + +**eks_managed_node_groups_autoscaling_group_names** + +Description: List of the autoscaling group names created by EKS managed node groups + + +### Self Managed Node Group + +**self_managed_node_groups** + +Description: Map of attribute maps for all self managed node groups created + + +**self_managed_node_groups_autoscaling_group_names** + +Description: List of the autoscaling group names created by self-managed node groups +>>>>>>> 225179a (add changelog and update version) 
diff --git a/version.tf b/version.tf index c703b7b..599189a 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { _module_name = "tfmod-eks" - _module_version = "0.0.1" + _module_version = "0.0.2" } From bcbf1e392c9639947eb92b8141db898e5b14d81e Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 26 Jul 2024 19:58:43 -0400 Subject: [PATCH 05/59] add node_group_name as output --- main.tf | 22 +--------------------- outputs.tf | 7 +++++-- 2 files changed, 6 insertions(+), 23 deletions(-) diff --git a/main.tf b/main.tf index 6f24f57..c75314b 100644 --- a/main.tf +++ b/main.tf @@ -114,7 +114,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "AL2023_x86_64_STANDARD" + ami_type = "aws-k8s-1.30" } node_security_group_enable_recommended_rules = true @@ -149,15 +149,6 @@ module "cluster" { } } } - # taints = { - # # This Taint aims to keep just EKS Addons and Karpenter running on this MNG - # # The pods that do not tolerate this taint should run on nodes created by Karpenter - # addons = { - # key = "CriticalAddonsOnly" - # value = "true" - # effect = "NO_SCHEDULE" - # }, - # } } } @@ -185,14 +176,3 @@ resource "null_resource" "kube_config_create" { command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config" } } - - -# resource "kubernetes_namespace" "operators" { -# depends_on = [ -# module.cluster.eks_managed_node_groups, -# ] - -# metadata { -# name = var.operators_ns -# } -# } diff --git a/outputs.tf b/outputs.tf index a17cf6b..83f2345 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -277,6 +277,9 @@ output "self_managed_node_groups_autoscaling_group_names" { ################################################################################ # Additional ################################################################################ -output "cluster_autoscaler_role_name" { - value = module.cluster_autoscaler_irsa_role.iam_role_name +# output "cluster_autoscaler_role_name" { +# value = module.cluster_autoscaler_irsa_role.iam_role_name +# } +output "node_group_name" { + value = local.ng_name } From 67393ac96f0ec2ca5ca3903d33e47be9b147d234 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 26 Jul 2024 20:06:55 -0400 Subject: [PATCH 06/59] use bottlerocket --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index c75314b..85c4da2 100644 --- a/main.tf +++ b/main.tf @@ -114,7 +114,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "aws-k8s-1.30" + ami_type = "BOTTLEROCKET_x86_64" } node_security_group_enable_recommended_rules = true From 071e4b19f05f75c17139204fa15c60919205c055 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 26 Jul 2024 21:13:01 -0400 Subject: [PATCH 07/59] add _module_providers --- version.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/version.tf b/version.tf index 599189a..c28528d 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,5 @@ locals { _module_name = "tfmod-eks" _module_version = "0.0.2" + _module_providers = [] } From 97735fd4fead22b85dbd998d757ba48458c6fb01 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 26 Jul 2024 23:28:14 -0400 Subject: [PATCH 08/59] add outputs --- outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/outputs.tf b/outputs.tf index 83f2345..a256d3c 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -16,6 +16,11 @@ output "module_version" { value = local._module_version } +output "_module_providers" { + description = "The providers used in this module." + value = local._module_providers +} + ################################################################################ # Networking information ################################################################################ From b4c17b50487e1b02d55a51a7e972313cc16a9a13 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:07:35 -0400 Subject: [PATCH 09/59] dns stuff --- dns-zone.tf | 128 ++++++++++++++++++++++++++++++++++++++++++ dns_zones.tf.off | 142 +++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 48 ++++++++++++++++ 3 files changed, 318 insertions(+) create mode 100644 dns-zone.tf create mode 100644 dns_zones.tf.off diff --git a/dns-zone.tf b/dns-zone.tf new file mode 100644 index 0000000..c9b3d85 --- /dev/null +++ b/dns-zone.tf 
@@ -0,0 +1,128 @@ +locals { + cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) + cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) + # true for gov, false for cat + aws_dns_infrastructure = false +} + +resource "aws_route53_zone" "cluster_domain" { + name = local.cluster_domain_name + comment = local.cluster_domain_description + force_destroy = false + + vpc { + vpc_id = data.aws_vpc.eks_vpc.id + vpc_region = local.region + } + + ## dynamic "vpc" { + ## for_each = true ? var.region_map : {} + ## iterator = r + ## content { + ## vpc_id = var.main_dns_vpcs[r.value] + ## vpc_region = r.value + ## } + ## } + + lifecycle { + ignore_changes = [vpc] + } + + tags = merge( + local.base_tags, + local.common_tags, + var.tags, + var.application_tags, + tomap({ "Name" = local.cluster_domain_name }), + ) + + # depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ] +} + +output "cluster_domain_name" { + description = "DNS Zone Name" + value = local.cluster_domain_name +} + +output "cluster_domain_id" { + description = "DNS Zone ID" + value = aws_route53_zone.cluster_domain.zone_id +} + +output "cluster_domain_ns" { + description = "DNS Zone Nameservers" + value = aws_route53_zone.cluster_domain.name_servers +} + +# now we need to add the NS records for the new zone to the parent zone +data "aws_route53_zone" "parent" { + name = var.vpc_domain_name + private_zone = true +} + +resource "aws_route53_record" "cluster_domain" { + allow_overwrite = true + name = local.cluster_domain_name + type = "NS" + ttl = 900 + zone_id = data.aws_route53_zone.parent.zone_id + + records = aws_route53_zone.cluster_domain.name_servers +} + +## #--- +## # associate to main do2-govcloud vpc1-services east and west for inbound resolution +## # NOT in cat +## #--- +## provider "aws" { +## alias = "east_main_dns" +## region = local.aws_dns_infrastructure ? 
var.region_map["east"] : "" +## profile = var.main_dns_profile +## } +## +## provider "aws" { +## alias = "west_main_dns" +## region = local.aws_dns_infrastructure ? var.region_map["west"] : "" +## profile = var.main_dns_profile +## } +## +## # resource "aws_route53_vpc_association_authorization" "cluster_domain" { +## # for_each = var.region_map +## # +## # zone_id = aws_route53_zone.cluster_domain.zone_id +## # vpc_region = each.value +## # vpc_id = var.main_dns_vpcs[each.value] +## # } +## +## resource "aws_route53_vpc_association_authorization" "west_cluster_domain" { +## for_each = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {} +## zone_id = each.value.zone_id +## vpc_region = "us-gov-west-1" +## vpc_id = var.main_dns_vpcs["us-gov-west-1"] +## } +## +## resource "aws_route53_vpc_association_authorization" "east_cluster_domain" { +## for_each = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {} +## zone_id = each.value.zone_id +## vpc_region = "us-gov-east-1" +## vpc_id = var.main_dns_vpcs["us-gov-east-1"] +## } +## +## resource "aws_route53_zone_association" "west_cluster_domain" { +## provider = aws.west_main_dns +## for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.west_cluster_domain : {} +## +## zone_id = each.value.zone_id +## vpc_id = each.value.vpc_id +## vpc_region = each.value.vpc_region +## } +## +## resource "aws_route53_zone_association" "east_cluster_domain" { +## provider = aws.east_main_dns +## for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.east_cluster_domain : {} +## +## zone_id = each.value.zone_id +## vpc_id = each.value.vpc_id +## vpc_region = each.value.vpc_region +## } +## diff --git a/dns_zones.tf.off b/dns_zones.tf.off new file mode 100644 index 0000000..20022e8 --- /dev/null +++ b/dns_zones.tf.off 
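Review bot: `allow_overwrite = true` on `aws_route53_record.cluster_domain` lets this module silently replace an existing NS delegation for `<cluster_name>.<vpc_domain_name>` in the parent zone, so a second cluster deployed under the same name would take over the first cluster's DNS delegation instead of failing at plan time; drop `allow_overwrite` (or gate it behind a variable that defaults to `false`) so the collision surfaces as an error. `lifecycle { ignore_changes = [vpc] }` on the zone means VPC associations added or removed out-of-band are never reconciled, which deserves a comment such as `# vpc associations are managed cross-account, never reconciled here` if that is intentional. `local.region` is used in the `vpc` block but not defined anywhere in this file as added. The trailing `##`-commented provider and association blocks are dead code that still names `var.main_dns_profile`; delete them rather than ship them commented out.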
@@ -0,0 +1,142 @@ +#------------------------------------------------- +# DNS Zone for EKS +#------------------------------------------------- +locals { + cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) + cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) + account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" + region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) + zone_ids = compact(var.zone_ids) +} +#------------------------------------------------- +# Providers for Cross Account DNS Action +#------------------------------------------------- +provider "aws" { + alias = "self" + region = var.region_map["east"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +provider "aws" { + alias = "route53_main_east" + region = var.region_map["east"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +provider "aws" { + alias = "route53_main_west" + region = var.region_map["west"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +#------------------------------------------------- +# network prod for shared vpcs zones +#------------------------------------------------- + +## Associate between self (vpc8) and network-prod-west +resource "aws_route53_vpc_association_authorization" "self_zone" { + provider = aws.self + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_region = var.region_map["west"] + vpc_id = local.vpc_id +} + +resource "aws_route53_zone_association" "self_zone_west" { + 
provider = aws.route53_main_west + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_id = local.vpc_id + vpc_region = var.region_map["west"] + depends_on = [aws_route53_vpc_association_authorization.self_zone] +} + +## Associate between self (vpc8) and network-prod-east +resource "aws_route53_vpc_association_authorization" "self_zone_east" { + provider = aws.self + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_region = var.region_map["east"] + vpc_id = local.vpc_id +} + +resource "aws_route53_zone_association" "self_zone_east" { + provider = aws.route53_main_east + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_id = local.vpc_id + vpc_region = var.region_map["east"] + depends_on = [aws_route53_vpc_association_authorization.self_zone] +} + +#--- +# zone list +#--- +data "aws_route53_zone" "zones" { + provider = aws.self + for_each = toset(local.zone_ids) + zone_id = each.key + private_zone = true +} + +resource "aws_route53_zone" "cluster_domain" { + name = local.cluster_domain_name + comment = local.cluster_domain_description + force_destroy = false + depends_on = [ + data.aws_vpc.dummy_vpc + ] + vpc { + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id + vpc_region = var.region + } + + lifecycle { + ignore_changes = [vpc] + } + + tags = merge( + # local.base_tags, + # local.common_tags, + var.tags, + # var.application_tags, + { "Name" = local.cluster_domain_name }, + ) +} + +## Dummy VPC + +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { + depends_on = [aws_vpc.vpc] + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } + filter { + name = "tag:eks-cluster-name" + values = [var.cluster_name] + } +} + +resource "aws_vpc" "vpc" { + cidr_block = "192.168.0.0/24" + enable_dns_support = false + enable_dns_hostnames = false + tags = merge( + local.tags, + { "Name" = "vpc0-dummy" }, + ) +} diff --git a/variables.tf b/variables.tf index eb16b7f..f5b4280 100644 --- a/variables.tf +++ b/variables.tf @@ -112,3 +112,51 @@ variable "aws_environment" { type = string default = "" } + +################################################################### +# DNS variables +################################################################### + +variable "main_dns_vpcs" { + description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" + type = map(string) + default = { + "us-gov-west-1" = "vpc-77877a12" + "us-gov-east-1" = "vpc-099a991da7c4eb8a5" + } +} + +variable "main_dns_profile" { + description = "Profile name for AWS for the main DNS central account" + type = string + default = "107742151971-do2-govcloud" +} + + +variable "dns_zone_description_prefix" { + description = "Zone description with the org-project-program-environment" + type = string + default = "" +} + +variable "region_map" { + description = "AWS region map" + type = map(string) +} + +variable "route53_endpoints" { + description = "Map of target route53 endpoints (for inbound) central VPCs" + type = map(map(string)) + default = { + route53_main = { + "account_id" = "057405694017" + "us-gov-east-1" = "vpc-0871ba8a6040d623a" + "us-gov-west-1" = "vpc-0f03ea065333f72c5" + } + route53_main_legacy = { + "account_id" = "107742151971" + "us-gov-east-1" = "vpc-099a991da7c4eb8a5" + "us-gov-west-1" = "vpc-77877a12" + } + } +} From 94ee8604f64a27aff3ddc9f28b4545988471ba89 Mon Sep 17 00:00:00 2001 
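Review bot: In `dns_zones.tf.off`, `aws_route53_zone_association.self_zone_east` has `depends_on = [aws_route53_vpc_association_authorization.self_zone]`, which is the west authorization; it should be `depends_on = [aws_route53_vpc_association_authorization.self_zone_east]`, otherwise the east association can be attempted before its authorization exists. Because of the `.off` extension Terraform ignores this file, so that bug and the three `assume_role` provider blocks targeting `r-inf-terraform-route53` are inert today but will be picked up verbatim the moment someone renames it back. `aws_vpc.vpc` is created unconditionally while the `dummy_vpc` data source that reads it is gated on `var.shared_vpc_label`, so re-enabling the file would create a `192.168.0.0/24` VPC in every account regardless. Fix these before committing the file, or keep it out of the repository until it is ready.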
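Review bot: The new DNS variables bake concrete account and VPC IDs into module defaults — `main_dns_vpcs`, `main_dns_profile = "107742151971-do2-govcloud"` and `route53_endpoints` with accounts `057405694017` and `107742151971` — which ties a reusable module to one environment and means a caller who forgets to override them will associate their private zone with, or assume a role in, an account they did not intend. Account IDs are not secrets, but environment-specific values belong in the calling root module's tfvars; declare these variables without `default` so Terraform refuses to plan until they are supplied, as `region_map` already is in this hunk. As far as this patch shows, nothing in the active `.tf` files reads `route53_endpoints`; the only consumer is the disabled `dns_zones.tf.off`.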
From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:15:55 -0400 Subject: [PATCH 10/59] add region_map --- variables.tf | 79 ++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/variables.tf b/variables.tf index f5b4280..6d85964 100644 --- a/variables.tf +++ b/variables.tf 
@@ -117,46 +117,47 @@ variable "aws_environment" { # DNS variables ################################################################### -variable "main_dns_vpcs" { - description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" - type = map(string) - default = { - "us-gov-west-1" = "vpc-77877a12" - "us-gov-east-1" = "vpc-099a991da7c4eb8a5" - } -} - -variable "main_dns_profile" { - description = "Profile name for AWS for the main DNS central account" - type = string - default = "107742151971-do2-govcloud" -} - - -variable "dns_zone_description_prefix" { - description = "Zone description with the org-project-program-environment" - type = string - default = "" -} +# variable "main_dns_vpcs" { +# description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" +# type = map(string) +# default = { +# "us-gov-west-1" = "vpc-77877a12" +# "us-gov-east-1" = "vpc-099a991da7c4eb8a5" +# } +# } + +# variable "main_dns_profile" { +# description = "Profile name for AWS for the main DNS central account" +# type = string +# default = "107742151971-do2-govcloud" +# } + + +# variable "dns_zone_description_prefix" { +# description = "Zone description with the org-project-program-environment" +# type = string +# default = "" +# } variable "region_map" { description = "AWS region map" type = map(string) -} - -variable "route53_endpoints" { - description = "Map of target route53 endpoints (for inbound) central VPCs" - type = map(map(string)) - default = { - route53_main = { - "account_id" = "057405694017" - "us-gov-east-1" = "vpc-0871ba8a6040d623a" - "us-gov-west-1" = "vpc-0f03ea065333f72c5" - } - route53_main_legacy = { - "account_id" = "107742151971" - "us-gov-east-1" = "vpc-099a991da7c4eb8a5" - "us-gov-west-1" = "vpc-77877a12" - } - } -} + default = {"east": "us-gov-east-1", "west": "us-gov-west-1"} +} + +# variable "route53_endpoints" { +# description = "Map of target route53 
endpoints (for inbound) central VPCs" +# type = map(map(string)) +# default = { +# route53_main = { +# "account_id" = "057405694017" +# "us-gov-east-1" = "vpc-0871ba8a6040d623a" +# "us-gov-west-1" = "vpc-0f03ea065333f72c5" +# } +# route53_main_legacy = { +# "account_id" = "107742151971" +# "us-gov-east-1" = "vpc-099a991da7c4eb8a5" +# "us-gov-west-1" = "vpc-77877a12" +# } +# } +# } From fa4a500bebde123ef8166762d78e98b525d18758 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:18:15 -0400 Subject: [PATCH 11/59] rename and fix domain --- dns-zone.tf => dns-zone-cat.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename dns-zone.tf => dns-zone-cat.tf (98%) diff --git a/dns-zone.tf b/dns-zone-cat.tf similarity index 98% rename from dns-zone.tf rename to dns-zone-cat.tf index c9b3d85..490b6aa 100644 --- a/dns-zone.tf +++ b/dns-zone-cat.tf @@ -1,5 +1,5 @@ locals { - cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) + cluster_domain_name = format("%v.%v", var.cluster_name, var.domain) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) # true for gov, false for cat aws_dns_infrastructure = false @@ -56,7 +56,7 @@ output "cluster_domain_ns" { # now we need to add the NS records for the new zone to the parent zone data "aws_route53_zone" "parent" { - name = var.vpc_domain_name + name = var.domain private_zone = true } From 7275463f00b574aeb6e46c60a80133d65400c2d4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:20:05 -0400 Subject: [PATCH 12/59] add local.region --- dns-zone-cat.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index 490b6aa..7235ef3 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf 
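Review bot: Commenting out `main_dns_vpcs`, `main_dns_profile` and `route53_endpoints` leaves the central-account and VPC IDs in the file as dead text, and the next reader cannot tell whether they are still authoritative; delete the blocks instead, git history keeps the values if they are needed again. The new `region_map` default `{"east": "us-gov-east-1", "west": "us-gov-west-1"}` hard-codes GovCloud regions into a module whose dns-zone file says it is also used for the non-gov ("cat") environment, where those region names do not exist, so it may be safer to leave `region_map` without a default as the previous commit had it. Minor style point: the file elsewhere writes map defaults as `key = value`, not `"key": value`.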
@@ -3,6 +3,7 @@ locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) # true for gov, false for cat aws_dns_infrastructure = false + region = data.aws_region.current.name } resource "aws_route53_zone" "cluster_domain" { From b0dabb4576f351e2b967b1401dd5ec83b624b4b4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:21:00 -0400 Subject: [PATCH 13/59] tags --- dns-zone-cat.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index 7235ef3..7b244bf 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf @@ -31,9 +31,9 @@ resource "aws_route53_zone" "cluster_domain" { tags = merge( local.base_tags, - local.common_tags, + # local.common_tags, var.tags, - var.application_tags, + # var.application_tags, tomap({ "Name" = local.cluster_domain_name }), ) From e7659c9cba85e8ebd0a5ab9b5134f529a4db3f7d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:39:39 -0400 Subject: [PATCH 14/59] no parent zone needed --- dns-zone-cat.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index 7b244bf..91ec2e7 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf @@ -56,10 +56,10 @@ output "cluster_domain_ns" { } # now we need to add the NS records for the new zone to the parent zone -data "aws_route53_zone" "parent" { - name = var.domain - private_zone = true -} +# data "aws_route53_zone" "parent" { +# name = var.domain +# private_zone = true +# } resource "aws_route53_record" "cluster_domain" { allow_overwrite = true From a98436ac326e1f0ddb9acff256310c455a0816ca Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 16:41:23 -0400 Subject: [PATCH 15/59] nope --- dns-zone-cat.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index 91ec2e7..6b7abdb 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf 
@@ -61,15 +61,15 @@ output "cluster_domain_ns" { # private_zone = true # } -resource "aws_route53_record" "cluster_domain" { - allow_overwrite = true - name = local.cluster_domain_name - type = "NS" - ttl = 900 - zone_id = data.aws_route53_zone.parent.zone_id +# resource "aws_route53_record" "cluster_domain" { +# allow_overwrite = true +# name = local.cluster_domain_name +# type = "NS" +# ttl = 900 +# zone_id = data.aws_route53_zone.parent.zone_id - records = aws_route53_zone.cluster_domain.name_servers -} +# records = aws_route53_zone.cluster_domain.name_servers +# } ## #--- ## # associate to main do2-govcloud vpc1-services east and west for inbound resolution From c9d2fa56efefc8041034c5c58ac480d21c834bf1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:29:11 -0400 Subject: [PATCH 16/59] add route53 endpoints --- dns-zone-cat.tf | 40 +++++++++++++--------------------------- variables.tf | 28 ++++++++++++---------------- 2 files changed, 25 insertions(+), 43 deletions(-) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index 6b7abdb..914603d 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf @@ -1,9 +1,8 @@ locals { - cluster_domain_name = format("%v.%v", var.cluster_name, var.domain) + cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) # true for gov, false for cat aws_dns_infrastructure = false - region = data.aws_region.current.name } resource "aws_route53_zone" "cluster_domain" { 
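Review bot: The `@@ -1,9 +1,8 @@` hunk in dns-zone-cat.tf removes `region = data.aws_region.current.name` from `locals`, but the zone's `vpc` block still reads `vpc_region = local.region`, so after this commit the file references an undefined local and `terraform validate` should fail until a later change reintroduces it. Keep the local, or point the `vpc` block at `data.aws_region.current.name` directly, in the same commit that drops it. Flipping `var.domain` back to `var.vpc_domain_name` two commits after introducing `var.domain` also suggests the rename should be squashed so each commit in the series plans cleanly. The `aws_route53_zone` resource continues outside the hunk.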
@@ -16,28 +15,15 @@ resource "aws_route53_zone" "cluster_domain" { vpc_region = local.region } - ## dynamic "vpc" { - ## for_each = true ? var.region_map : {} - ## iterator = r - ## content { - ## vpc_id = var.main_dns_vpcs[r.value] - ## vpc_region = r.value - ## } - ## } - lifecycle { ignore_changes = [vpc] } tags = merge( local.base_tags, - # local.common_tags, var.tags, - # var.application_tags, tomap({ "Name" = local.cluster_domain_name }), ) - - # depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ] } output "cluster_domain_name" { @@ -56,20 +42,20 @@ output "cluster_domain_ns" { } # now we need to add the NS records for the new zone to the parent zone -# data "aws_route53_zone" "parent" { -# name = var.domain -# private_zone = true -# } +data "aws_route53_zone" "parent" { + name = var.vpc_domain_name + private_zone = true +} -# resource "aws_route53_record" "cluster_domain" { -# allow_overwrite = true -# name = local.cluster_domain_name -# type = "NS" -# ttl = 900 -# zone_id = data.aws_route53_zone.parent.zone_id +resource "aws_route53_record" "cluster_domain" { + allow_overwrite = true + name = local.cluster_domain_name + type = "NS" + ttl = 900 + zone_id = data.aws_route53_zone.parent.zone_id -# records = aws_route53_zone.cluster_domain.name_servers -# } + records = aws_route53_zone.cluster_domain.name_servers +} ## #--- ## # associate to main do2-govcloud vpc1-services east and west for inbound resolution diff --git a/variables.tf b/variables.tf index 6d85964..7b37455 100644 --- a/variables.tf +++ b/variables.tf 
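Review bot: Restoring `data "aws_route53_zone" "parent"` looked up by `name` plus `private_zone = true` is ambiguous when more than one private zone carries `var.vpc_domain_name` (one private zone per VPC is a common layout), and in that case the lookup errors out rather than choosing; adding `vpc_id = data.aws_vpc.eks_vpc.id` to the data source selects the zone attached to the cluster VPC. The re-enabled NS record still carries `allow_overwrite = true`, so a colliding delegation in the parent zone is overwritten instead of reported — either remove the flag or add a comment stating why overwriting is acceptable for this zone. Removing the commented `dynamic "vpc"` block and the stale `depends_on` is a welcome cleanup.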
@@ -145,19 +145,15 @@ variable "region_map" { default = {"east": "us-gov-east-1", "west": "us-gov-west-1"} } -# variable "route53_endpoints" { -# description = "Map of target route53 endpoints (for inbound) central VPCs" -# type = map(map(string)) -# default = { -# route53_main = { -# "account_id" = "057405694017" -# "us-gov-east-1" = "vpc-0871ba8a6040d623a" -# "us-gov-west-1" = "vpc-0f03ea065333f72c5" -# } -# route53_main_legacy = { -# "account_id" = "107742151971" -# "us-gov-east-1" = "vpc-099a991da7c4eb8a5" -# "us-gov-west-1" = "vpc-77877a12" -# } -# } -# } +variable "route53_endpoints" { + description = "Map of target route53 endpoints (for inbound) central VPCs" + type = map(map(string)) + default = { + route53_main = { + "account_id" = "269244441389" + "alias" = "lab-gov-network-nonprod" + "us-gov-east-1" = "vpc-070595c5b133243dd" + "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" + } + } +} From 2b8453c301017b39e10c2fefa13bf3478209e692 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:34:39 -0400 Subject: [PATCH 17/59] domain to vpc_domain_name --- variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/variables.tf b/variables.tf index 7b37455..a2b71d1 100644 --- a/variables.tf +++ b/variables.tf @@ -32,8 +32,8 @@ variable "subnets_name" { default = "*-container-*" } -variable "domain" { - description = "The DNS domain name of the cluster." +variable "vpc_domain_name" { + description = "The DNS domain name of the vpc the cluster is in." type = string } From bf19049232de12966f0c77e263618be38e55d5bb Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:37:12 -0400 Subject: [PATCH 18/59] add region --- dns-zone-cat.tf | 1 + outputs.tf | 2 +- variables.tf | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index 914603d..a47bda9 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf 
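Review bot: The new `route53_endpoints` default bakes a concrete target account (`"account_id" = "269244441389"`) and two VPC IDs into the module as a fallback, and that value is what the `assume_role` providers added later in this series use to build the `r-inf-terraform-route53` role ARN, so any consumer that forgets to override the variable will assume a role into the lab network account and associate its zone there. A value that selects the target of a cross-account role assumption should be explicit per environment rather than defaulted; remove the `default` (or default to `{}` and `count`-guard the providers/modules on its presence) and add a shape check such as `validation { condition = alltrue([for k, v in var.route53_endpoints : can(regex("^[0-9]{12}$", v.account_id))]); error_message = "route53_endpoints[*].account_id must be a 12-digit AWS account id." }`. The new `alias` key is also undocumented in the description; note what reads it.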
@@ -3,6 +3,7 @@ locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) # true for gov, false for cat aws_dns_infrastructure = false + region = var.region } resource "aws_route53_zone" "cluster_domain" { diff --git a/outputs.tf b/outputs.tf index a256d3c..dc00bff 100644 --- a/outputs.tf +++ b/outputs.tf @@ -47,7 +47,7 @@ output "security_group_all_worker_mgmt_id" { output "cluster_fqdn" { description = "The cluster_name.domain" - value = format("%v.%v", var.cluster_name, var.domain) + value = format("%v.%v", var.cluster_name, var.vpc_domain_name) } ################################################################################ diff --git a/variables.tf b/variables.tf index a2b71d1..7de4c47 100644 --- a/variables.tf +++ b/variables.tf @@ -107,6 +107,12 @@ variable "profile" { default = "" } +variable "region" { + description = "AWS config region" + type = string + default = "" +} + variable "aws_environment" { description = "AWS Environment (govcloud | east-west)" type = string From 4bd19807e7d8fadd071883382a8d06f36b52ad4b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:39:51 -0400 Subject: [PATCH 19/59] not needed --- dns-zone-cat.tf | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf index a47bda9..f41ac1a 100644 --- a/dns-zone-cat.tf +++ b/dns-zone-cat.tf 
@@ -42,21 +42,21 @@ output "cluster_domain_ns" { value = aws_route53_zone.cluster_domain.name_servers } -# now we need to add the NS records for the new zone to the parent zone -data "aws_route53_zone" "parent" { - name = var.vpc_domain_name - private_zone = true -} +# # now we need to add the NS records for the new zone to the parent zone +# data "aws_route53_zone" "parent" { +# name = var.vpc_domain_name +# private_zone = true +# } -resource "aws_route53_record" "cluster_domain" { - allow_overwrite = true - name = local.cluster_domain_name - type = "NS" - ttl = 900 - zone_id = data.aws_route53_zone.parent.zone_id +# resource "aws_route53_record" "cluster_domain" { +# allow_overwrite = true +# name = local.cluster_domain_name +# type = "NS" +# ttl = 900 +# zone_id = data.aws_route53_zone.parent.zone_id - records = aws_route53_zone.cluster_domain.name_servers -} +# records = aws_route53_zone.cluster_domain.name_servers +# } ## #--- ## # associate to main do2-govcloud vpc1-services east and west for inbound resolution From de3c4949c25d27dc6c8c49c78a3c9c0221dce77c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:50:16 -0400 Subject: [PATCH 20/59] convert to example --- dns-zone-cat.tf | 116 ----------------------- dns_zones.tf | 236 +++++++++++++++++++++++++++++++++++++++++++++++ dns_zones.tf.off | 142 ---------------------------- variables.tf | 31 ++----- 4 files changed, 245 insertions(+), 280 deletions(-) delete mode 100644 dns-zone-cat.tf create mode 100644 dns_zones.tf delete mode 100644 dns_zones.tf.off diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf deleted file mode 100644 index f41ac1a..0000000 --- a/dns-zone-cat.tf +++ /dev/null 
@@ -1,116 +0,0 @@ -locals { - cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) - cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - # true for gov, false for cat - aws_dns_infrastructure = false - region = var.region -} - -resource "aws_route53_zone" "cluster_domain" { - name = local.cluster_domain_name - comment = local.cluster_domain_description - force_destroy = false - - vpc { - vpc_id = data.aws_vpc.eks_vpc.id - vpc_region = local.region - } - - lifecycle { - ignore_changes = [vpc] - } - - tags = merge( - local.base_tags, - var.tags, - tomap({ "Name" = local.cluster_domain_name }), - ) -} - -output "cluster_domain_name" { - description = "DNS Zone Name" - value = local.cluster_domain_name -} - -output "cluster_domain_id" { - description = "DNS Zone ID" - value = aws_route53_zone.cluster_domain.zone_id -} - -output "cluster_domain_ns" { - description = "DNS Zone Nameservers" - value = aws_route53_zone.cluster_domain.name_servers -} - -# # now we need to add the NS records for the new zone to the parent zone -# data "aws_route53_zone" "parent" { -# name = var.vpc_domain_name -# private_zone = true -# } - -# resource "aws_route53_record" "cluster_domain" { -# allow_overwrite = true -# name = local.cluster_domain_name -# type = "NS" -# ttl = 900 -# zone_id = data.aws_route53_zone.parent.zone_id - -# records = aws_route53_zone.cluster_domain.name_servers -# } - -## #--- -## # associate to main do2-govcloud vpc1-services east and west for inbound resolution -## # NOT in cat -## #--- -## provider "aws" { -## alias = "east_main_dns" -## region = local.aws_dns_infrastructure ? var.region_map["east"] : "" -## profile = var.main_dns_profile -## } -## -## provider "aws" { -## alias = "west_main_dns" -## region = local.aws_dns_infrastructure ? 
var.region_map["west"] : "" -## profile = var.main_dns_profile -## } -## -## # resource "aws_route53_vpc_association_authorization" "cluster_domain" { -## # for_each = var.region_map -## # -## # zone_id = aws_route53_zone.cluster_domain.zone_id -## # vpc_region = each.value -## # vpc_id = var.main_dns_vpcs[each.value] -## # } -## -## resource "aws_route53_vpc_association_authorization" "west_cluster_domain" { -## for_each = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {} -## zone_id = each.value.zone_id -## vpc_region = "us-gov-west-1" -## vpc_id = var.main_dns_vpcs["us-gov-west-1"] -## } -## -## resource "aws_route53_vpc_association_authorization" "east_cluster_domain" { -## for_each = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {} -## zone_id = each.value.zone_id -## vpc_region = "us-gov-east-1" -## vpc_id = var.main_dns_vpcs["us-gov-east-1"] -## } -## -## resource "aws_route53_zone_association" "west_cluster_domain" { -## provider = aws.west_main_dns -## for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.west_cluster_domain : {} -## -## zone_id = each.value.zone_id -## vpc_id = each.value.vpc_id -## vpc_region = each.value.vpc_region -## } -## -## resource "aws_route53_zone_association" "east_cluster_domain" { -## provider = aws.east_main_dns -## for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.east_cluster_domain : {} -## -## zone_id = each.value.zone_id -## vpc_id = each.value.vpc_id -## vpc_region = each.value.vpc_region -## } -## diff --git a/dns_zones.tf b/dns_zones.tf new file mode 100644 index 0000000..e4904f3 --- /dev/null +++ b/dns_zones.tf 
@@ -0,0 +1,236 @@ +locals { + vpc_domain_name = coalesce(var.domain, var.vpc_domain_name) + cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) + cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) +} + +#--- +# network prod +#--- +provider "aws" { + alias = "route53_main_east" + profile = var.profile + region = var.region_map["east"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +provider "aws" { + alias = "route53_main_west" + profile = var.profile + region = var.region_map["west"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { + count = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } +} + +resource "aws_route53_zone" "cluster_domain" { + name = local.cluster_domain_name + comment = local.cluster_domain_description + force_destroy = false + + vpc { + vpc_id = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id + vpc_region = local.region + } + + lifecycle { + ignore_changes = [vpc] + precondition { + condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (! (var.shared_vpc_label == null || var.shared_vpc_label == "") && ! (var.domain == null || var.domain == "")) + error_message = "var.domain must be provided when shared VPCs are in use." 
+ } + } + + tags = merge( + local.base_tags, + local.common_tags, + var.tags, + var.application_tags, + { "Name" = local.cluster_domain_name }, + ) +} + +#--- +# need to also associate with network-prod account and this vpc +#--- +module "route53_cluster_domain_east" { + count = local.region == "us-gov-east-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_east + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_cluster_domain_west" { + count = local.region == "us-gov-west-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_west + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + + +## # now we need to add the NS records for the new zone to the parent zone +## data "aws_route53_zone" "parent" { +## name = var.vpc_domain_name +## private_zone = true +## } +## +## resource "aws_route53_record" "cluster_domain" { +## allow_overwrite = true +## name = local.cluster_domain_name +## type = "NS" +## ttl = 900 +## zone_id = data.aws_route53_zone.parent.zone_id +## +## records = aws_route53_zone.cluster_domain.name_servers +## } + +output "cluster_domain_name" { + description = "DNS Zone Name" + value = local.cluster_domain_name +} + +output "cluster_domain_id" { + description = "DNS Zone ID" + value = aws_route53_zone.cluster_domain.zone_id +} + +output 
"cluster_domain_ns" { + description = "DNS Zone Nameservers" + value = aws_route53_zone.cluster_domain.name_servers +} + +#--- +# associate to main do2-govcloud vpc1-services east and west for inbound resolution +# and to vpc7-endpoints in network prod +#--- + +#--- +# network prod +#--- +provider "aws" { + alias = "route53_main" + region = var.region_map["east"] + profile = var.profile + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +module "route53_main_east" { + providers = { + aws.self = aws + aws.peer = aws.route53_main + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_main_west" { + providers = { + aws.self = aws + aws.peer = aws.route53_main + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +#--- +# do2-gov ("legacy") +#--- +provider "aws" { + alias = "route53_main_legacy" + region = var.region_map["east"] + profile = var.profile + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) + session_name = var.os_username + } +} + +module "route53_main_legacy_east" { + providers = { + aws.self = aws + aws.peer = aws.route53_main_legacy + } + + source = 
"git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_main_legacy_west" { + providers = { + aws.self = aws + aws.peer = aws.route53_main_legacy + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} diff --git a/dns_zones.tf.off b/dns_zones.tf.off deleted file mode 100644 index 20022e8..0000000 --- a/dns_zones.tf.off +++ /dev/null 
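Review bot: Every `route53-zone-association/zone` module in this new file is sourced with `?ref=tf-upgrade`, a mutable branch, whereas `module "cluster"` in main.tf pins a release tag (`?ref=v20.20.0`); code that executes under the assumed `r-inf-terraform-route53` role in the central network account can therefore change between two applies with no review in this repository. Pin it to a tag or, better, a commit SHA (`source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=<sha>"`) and bump it deliberately. Separately, `provider "aws"` alias `route53_main` assumes the same role in the same account and region as `route53_main_east`, so one of the two appears redundant and doubles the STS calls and CloudTrail noise for no benefit — if they are meant to differ, a comment should say how.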
@@ -1,142 +0,0 @@ -#------------------------------------------------- -# DNS Zone for EKS -#------------------------------------------------- -locals { - cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) - cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) - zone_ids = compact(var.zone_ids) -} -#------------------------------------------------- -# Providers for Cross Account DNS Action -#------------------------------------------------- -provider "aws" { - alias = "self" - region = var.region_map["east"] - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) - session_name = var.os_username - } -} - -provider "aws" { - alias = "route53_main_east" - region = var.region_map["east"] - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) - session_name = var.os_username - } -} - -provider "aws" { - alias = "route53_main_west" - region = var.region_map["west"] - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) - session_name = var.os_username - } -} - -#------------------------------------------------- -# network prod for shared vpcs zones -#------------------------------------------------- - -## Associate between self (vpc8) and network-prod-west -resource "aws_route53_vpc_association_authorization" "self_zone" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["west"] - vpc_id = local.vpc_id -} - -resource "aws_route53_zone_association" "self_zone_west" { - 
provider = aws.route53_main_west - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = local.vpc_id - vpc_region = var.region_map["west"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] -} - -## Associate between self (vpc8) and network-prod-east -resource "aws_route53_vpc_association_authorization" "self_zone_east" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["east"] - vpc_id = local.vpc_id -} - -resource "aws_route53_zone_association" "self_zone_east" { - provider = aws.route53_main_east - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = local.vpc_id - vpc_region = var.region_map["east"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] -} - -#--- -# zone list -#--- -data "aws_route53_zone" "zones" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - private_zone = true -} - -resource "aws_route53_zone" "cluster_domain" { - name = local.cluster_domain_name - comment = local.cluster_domain_description - force_destroy = false - depends_on = [ - data.aws_vpc.dummy_vpc - ] - vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id - vpc_region = var.region - } - - lifecycle { - ignore_changes = [vpc] - } - - tags = merge( - # local.base_tags, - # local.common_tags, - var.tags, - # var.application_tags, - { "Name" = local.cluster_domain_name }, - ) -} - -## Dummy VPC - -#--- -# dummy vpc, so we can associate the zone to this account -#--- -data "aws_vpc" "dummy_vpc" { - depends_on = [aws_vpc.vpc] - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 - filter { - name = "tag:Name" - values = ["vpc0-dummy"] - } - filter { - name = "tag:eks-cluster-name" - values = [var.cluster_name] - } -} - -resource "aws_vpc" "vpc" { - cidr_block = "192.168.0.0/24" - enable_dns_support = false - enable_dns_hostnames = false - tags = merge( - local.tags, - { "Name" = "vpc0-dummy" }, - ) -} diff --git a/variables.tf b/variables.tf index 7de4c47..aea4b07 100644 --- a/variables.tf +++ b/variables.tf @@ -123,28 +123,6 @@ variable "aws_environment" { # DNS variables ################################################################### -# variable "main_dns_vpcs" { -# description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" -# type = map(string) -# default = { -# "us-gov-west-1" = "vpc-77877a12" -# "us-gov-east-1" = "vpc-099a991da7c4eb8a5" -# } -# } - -# variable "main_dns_profile" { -# description = "Profile name for AWS for the main DNS central account" -# type = string -# default = "107742151971-do2-govcloud" -# } - - -# variable "dns_zone_description_prefix" { -# description = "Zone description with the org-project-program-environment" -# type = string -# default = "" -# } - variable "region_map" { description = "AWS region map" type = map(string) @@ -163,3 +141,12 @@ variable "route53_endpoints" { } } } + +#-- +# lab-gov +#-- +main_dns_vpcs = { + "us-gov-east-1" = "vpc-070595c5b133243dd" + "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" +} +main_dns_profile = " "269244441389-lab-gov-network-nonprod" From 9eb59cf962757f5bb2149a5a5464ce46dba2a6f0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:52:01 -0400 Subject: [PATCH 21/59] fix vars --- variables.tf | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/variables.tf b/variables.tf index aea4b07..272ee46 100644 --- a/variables.tf +++ b/variables.tf 
@@ -123,6 +123,27 @@ variable "aws_environment" { # DNS variables ################################################################### +variable "main_dns_vpcs" { + description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" + type = map(string) + default = { + "us-gov-east-1" = "vpc-070595c5b133243dd" + "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" + } +} + +variable "main_dns_profile" { + description = "Profile name for AWS for the main DNS central account" + type = string + default = "269244441389-lab-gov-network-nonprod" +} + +# variable "dns_zone_description_prefix" { +# description = "Zone description with the org-project-program-environment" +# type = string +# default = "" +# } + variable "region_map" { description = "AWS region map" type = map(string) @@ -141,12 +162,3 @@ variable "route53_endpoints" { } } } - -#-- -# lab-gov -#-- -main_dns_vpcs = { - "us-gov-east-1" = "vpc-070595c5b133243dd" - "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" -} -main_dns_profile = " "269244441389-lab-gov-network-nonprod" From 5db300453f3fc8a99fa995b25421498a05088197 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 17:54:38 -0400 Subject: [PATCH 22/59] cleanup tags --- dns_zones.tf | 49 ++++++------------------------------------------- 1 file changed, 6 insertions(+), 43 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index e4904f3..55284df 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -58,9 +58,7 @@ resource "aws_route53_zone" "cluster_domain" { tags = merge( local.base_tags, - local.common_tags, var.tags, - var.application_tags, { "Name" = local.cluster_domain_name }, ) } @@ -80,10 +78,7 @@ module "route53_cluster_domain_east" { vpc_id = data.aws_vpc.eks_vpc.id zone_ids = [aws_route53_zone.cluster_domain.zone_id] - tags = merge( - local.common_tags, - var.application_tags, - ) + tags = var.tags } module "route53_cluster_domain_west" { 
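Review bot: `main_dns_vpcs` and `main_dns_profile` come back with account-specific defaults (`vpc-070595c5b133243dd`, `vpc-08b7b4db6a5ddf9c1`, profile `269244441389-lab-gov-network-nonprod`), but nothing in dns_zones.tf reads them — the providers and modules there use `var.route53_endpoints` and `var.profile`. That leaves the same VPC IDs declared in two independent defaults that can drift apart, plus a profile name that implies a credential path different from the `assume_role` actually in use. Either delete both variables or derive one source of truth, e.g. as a local `main_dns_vpcs = { for r in ["us-gov-east-1", "us-gov-west-1"] : r => var.route53_endpoints["route53_main"][r] }`, so an operator cannot point the two at different networks.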
@@ -98,29 +93,9 @@ module "route53_cluster_domain_west" { vpc_id = data.aws_vpc.eks_vpc.id zone_ids = [aws_route53_zone.cluster_domain.zone_id] - tags = merge( - local.common_tags, - var.application_tags, - ) + tags = var.tags } - -## # now we need to add the NS records for the new zone to the parent zone -## data "aws_route53_zone" "parent" { -## name = var.vpc_domain_name -## private_zone = true -## } -## -## resource "aws_route53_record" "cluster_domain" { -## allow_overwrite = true -## name = local.cluster_domain_name -## type = "NS" -## ttl = 900 -## zone_id = data.aws_route53_zone.parent.zone_id -## -## records = aws_route53_zone.cluster_domain.name_servers -## } - output "cluster_domain_name" { description = "DNS Zone Name" value = local.cluster_domain_name @@ -165,10 +140,7 @@ module "route53_main_east" { vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] zone_ids = [aws_route53_zone.cluster_domain.zone_id] - tags = merge( - local.common_tags, - var.application_tags, - ) + tags = var.tags } module "route53_main_west" { @@ -182,10 +154,7 @@ module "route53_main_west" { vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] zone_ids = [aws_route53_zone.cluster_domain.zone_id] - tags = merge( - local.common_tags, - var.application_tags, - ) + tags = var.tags } #--- @@ -212,10 +181,7 @@ module "route53_main_legacy_east" { vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] zone_ids = [aws_route53_zone.cluster_domain.zone_id] - tags = merge( - local.common_tags, - var.application_tags, - ) + tags = var.tags } module "route53_main_legacy_west" { @@ -229,8 +195,5 @@ module "route53_main_legacy_west" { vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] zone_ids = [aws_route53_zone.cluster_domain.zone_id] - tags = merge( - local.common_tags, - var.application_tags, - ) + tags = var.tags } From 4f261ddcb67edb74334dc48bad5d4886bf19086d Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 18:13:12 -0400 Subject: [PATCH 23/59] fixes_for_vars --- dns_zones.tf | 2 +- variables.tf | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/dns_zones.tf b/dns_zones.tf index 55284df..e6f6c6c 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -1,5 +1,5 @@ locals { - vpc_domain_name = coalesce(var.domain, var.vpc_domain_name) + vpc_domain_name = var.vpc_domain_name cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) } diff --git a/variables.tf b/variables.tf index 272ee46..5a9d599 100644 --- a/variables.tf +++ b/variables.tf @@ -119,6 +119,12 @@ variable "aws_environment" { default = "" } +variable "os_username" { + description = "OS username from environment variable, ideally as $USER" + type = string + default = null +} + ################################################################### # DNS variables ################################################################### @@ -144,6 +150,12 @@ variable "main_dns_profile" { # default = "" # } +variable "shared_vpc_label" { + description = "Label to use for shared VPC for flowlogs and other things" + type = string + default = null +} + variable "region_map" { description = "AWS region map" type = map(string) From 238a6a11a474f1cf9711eac7e4b28e9bd53005f0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 18:23:04 -0400 Subject: [PATCH 24/59] another fix --- dns_zones.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index e6f6c6c..2b974ae 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -2,6 +2,7 @@ locals { vpc_domain_name = var.vpc_domain_name cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) + region = var.region } #--- 
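Review bot: `os_username` is declared with `default = null` yet it is the `session_name` on every cross-account `assume_role` block in dns_zones.tf (outside this hunk), so when a caller does not pass `$USER` the RoleSessionName that CloudTrail records in the network account is whatever the provider substitutes rather than an identifiable operator. Since that session name is the only attribution you get for changes made under `r-inf-terraform-route53`, make it mandatory and conform to the STS RoleSessionName rules: drop the `default`, add `nullable = false`, and add `validation { condition = can(regex("^[\\w+=,.@-]{2,64}$", var.os_username)); error_message = "os_username must be 2-64 chars of [A-Za-z0-9+=,.@_-]." }`. The description should also say it is used for STS session naming, not just "ideally as $USER".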
@@ -51,8 +52,8 @@ resource "aws_route53_zone" "cluster_domain" { lifecycle { ignore_changes = [vpc] precondition { - condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (! (var.shared_vpc_label == null || var.shared_vpc_label == "") && ! (var.domain == null || var.domain == "")) - error_message = "var.domain must be provided when shared VPCs are in use." + condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (! (var.shared_vpc_label == null || var.shared_vpc_label == "") && ! (var.vpc_domain_name == null || var.vpc_domain_name == "")) + error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." } } From 12b9ca30a6876cd6d1d5cf8e2fb0af5ae0cea885 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 18:26:33 -0400 Subject: [PATCH 25/59] fmt --- dns_zones.tf | 12 ++++++------ main.tf | 4 ++-- variables.tf | 3 ++- version.tf | 4 ++-- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index 2b974ae..fe40ef7 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -2,7 +2,7 @@ locals { vpc_domain_name = var.vpc_domain_name cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - region = var.region + region = var.region } #--- @@ -32,7 +32,7 @@ provider "aws" { # dummy vpc, so we can associate the zone to this account #--- data "aws_vpc" "dummy_vpc" { - count = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 filter { name = "tag:Name" values = ["vpc0-dummy"] 
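Review bot: The precondition on `aws_route53_zone.cluster_domain` only requires `vpc_domain_name` when `shared_vpc_label` is set, but `local.cluster_domain_name` is built as `format("%v.%v", var.cluster_name, local.vpc_domain_name)` in the locals block (outside this hunk) in both branches, so an empty string in the non-shared case produces a zone named `<cluster_name>.` — presumably normalised by Route 53 to a bare single-label private zone, which is not what anyone intends; worth confirming. The expression is also of the form `A || (!A && B)`, which reduces to `A || B`. Tighten it to `condition = !(var.vpc_domain_name == null || var.vpc_domain_name == "")` with `error_message = "var.vpc_domain_name must be a non-empty DNS name."`, which covers both cases and is easier to read.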
@@ -45,14 +45,14 @@ resource "aws_route53_zone" "cluster_domain" { force_destroy = false vpc { - vpc_id = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id vpc_region = local.region } lifecycle { ignore_changes = [vpc] precondition { - condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (! (var.shared_vpc_label == null || var.shared_vpc_label == "") && ! (var.vpc_domain_name == null || var.vpc_domain_name == "")) + condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." } } @@ -68,7 +68,7 @@ resource "aws_route53_zone" "cluster_domain" { # need to also associate with network-prod account and this vpc #--- module "route53_cluster_domain_east" { - count = local.region == "us-gov-east-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 providers = { aws.self = aws aws.peer = aws.route53_main_east @@ -83,7 +83,7 @@ module "route53_cluster_domain_east" { } module "route53_cluster_domain_west" { - count = local.region == "us-gov-west-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 providers = { aws.self = aws aws.peer = aws.route53_main_west diff --git a/main.tf b/main.tf index 85c4da2..60f4400 100644 --- a/main.tf +++ b/main.tf 
@@ -139,8 +139,8 @@ module "cluster" {
 xvda = {
 device_name = "/dev/xvda"
 ebs = {
- volume_size = var.eks_instance_disk_size
- volume_type = "gp3"
+ volume_size = var.eks_instance_disk_size
+ volume_type = "gp3"
 # iops = 3000
 # throughput = 125
 encrypted = true
diff --git a/variables.tf b/variables.tf
index 5a9d599..bd993f2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -159,7 +159,7 @@ variable "shared_vpc_label" {
 variable "region_map" {
 description = "AWS region map"
 type = map(string)
- default = {"east": "us-gov-east-1", "west": "us-gov-west-1"}
+ default = { "east" : "us-gov-east-1", "west" : "us-gov-west-1" }
 }
 variable "route53_endpoints" {
@@ -172,5 +172,6 @@ variable "route53_endpoints" {
 "us-gov-east-1" = "vpc-070595c5b133243dd"
 "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
 }
+ route53_main_legacy = {}
 }
 }
diff --git a/version.tf b/version.tf
index c28528d..1223816 100644
--- a/version.tf
+++ b/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_name = "tfmod-eks"
- _module_version = "0.0.2"
+ _module_name = "tfmod-eks"
+ _module_version = "0.0.2"
 _module_providers = []
 }
From 7225a99b26c1cddd95a9d9eaf81873cbc61c738d Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 18:29:57 -0400
Subject: [PATCH 26/59] empty
---
 variables.tf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index bd993f2..2fe95b0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -172,6 +172,12 @@ variable "route53_endpoints" {
 "us-gov-east-1" = "vpc-070595c5b133243dd"
 "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
 }
- route53_main_legacy = {}
+ route53_main_legacy = {
+ "account_id" = ""
+ "alias" = ""
+ "us-gov-east-1" = ""
+ "us-gov-west-1" = ""
+
+ }
 }
 }
From 159e8b497bd9c2f50cc8d4c0ecf36495505889f2 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 18:41:53 -0400
Subject: [PATCH 27/59] no legacy
---
 dns_zones.tf | 74 ++++++++++++++++++++++++++--------------------------
 variables.tf | 7 -----
 2 files changed, 37 insertions(+), 44 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index fe40ef7..32b245b 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -161,40 +161,40 @@ module "route53_main_west" {
 #---
 # do2-gov ("legacy")
 #---
-provider "aws" {
- alias = "route53_main_legacy"
- region = var.region_map["east"]
- profile = var.profile
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
- session_name = var.os_username
- }
-}
-
-module "route53_main_legacy_east" {
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main_legacy
- }
-
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-east-1"
- vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
- tags = var.tags
-}
-
-module "route53_main_legacy_west" {
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main_legacy
- }
-
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-west-1"
- vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
- tags = var.tags
-}
+# provider "aws" {
+# alias = "route53_main_legacy"
+# region = var.region_map["east"]
+# profile = var.profile
+# assume_role {
+# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+# session_name = var.os_username
+# }
+# }
+
+# module "route53_main_legacy_east" {
+# providers = {
+# aws.self = aws
+# aws.peer = aws.route53_main_legacy
+# }
+
+# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+# region = "us-gov-east-1"
+# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+# zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+# tags = var.tags
+# }
+
+# module "route53_main_legacy_west" {
+# providers = {
+# aws.self = aws
+# aws.peer = aws.route53_main_legacy
+# }
+
+# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+# region = "us-gov-west-1"
+# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+# zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+# tags = var.tags
+# }
diff --git a/variables.tf b/variables.tf
index 2fe95b0..c737d51 100644
--- a/variables.tf
+++ b/variables.tf
@@ -172,12 +172,5 @@ variable "route53_endpoints" {
 "us-gov-east-1" = "vpc-070595c5b133243dd"
 "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
 }
- route53_main_legacy = {
- "account_id" = ""
- "alias" = ""
- "us-gov-east-1" = ""
- "us-gov-west-1" = ""
-
- }
 }
 }
From cfb29d5604343e2152a9ac3f641260da9e5c44ff Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 18:56:52 -0400
Subject: [PATCH 28/59] comment west
---
 dns_zones.tf | 64 ++++++++++++++++++++++++++--------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 32b245b..c345390 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -18,15 +18,15 @@ provider "aws" {
 }
 }
-provider "aws" {
- alias = "route53_main_west"
- profile = var.profile
- region = var.region_map["west"]
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
- session_name = var.os_username
- }
-}
+# provider "aws" {
+# alias = "route53_main_west"
+# profile = var.profile
+# region = var.region_map["west"]
+# assume_role {
+# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+# session_name = var.os_username
+# }
+# }
 #---
 # dummy vpc, so we can associate the zone to this account
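Review bot: Commenting out the `route53_main_legacy` provider and the two legacy zone-association modules leaves an assume-role ARN template and module source references in the file as dead text that `terraform validate` and `terraform fmt` never check, while the diff is as large as a deletion would be; deleting the block has the same effect on the plan and git history keeps the text. The same applies to the `route53_main_west` provider and the `route53_cluster_domain_west` and `route53_main_west` modules commented out in the following commit (hunks `@@ -18,15 +18,15`, `@@ -82,20 +82,20` and `@@ -144,19 +144,19`). If the intent is a switch rather than removal, gating the modules with a `count` driven by a boolean variable keeps them validated instead of hidden.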
@@ -82,20 +82,20 @@ module "route53_cluster_domain_east" {
 tags = var.tags
 }
-module "route53_cluster_domain_west" {
- count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main_west
- }
+# module "route53_cluster_domain_west" {
+# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+# providers = {
+# aws.self = aws
+# aws.peer = aws.route53_main_west
+# }
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-west-1"
- vpc_id = data.aws_vpc.eks_vpc.id
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+# region = "us-gov-west-1"
+# vpc_id = data.aws_vpc.eks_vpc.id
+# zone_ids = [aws_route53_zone.cluster_domain.zone_id]
- tags = var.tags
-}
+# tags = var.tags
+# }
 output "cluster_domain_name" {
 description = "DNS Zone Name"
@@ -144,19 +144,19 @@ module "route53_main_east" {
 tags = var.tags
 }
-module "route53_main_west" {
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main
- }
+# module "route53_main_west" {
+# providers = {
+# aws.self = aws
+# aws.peer = aws.route53_main
+# }
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-west-1"
- vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"]
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+# region = "us-gov-west-1"
+# vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+# zone_ids = [aws_route53_zone.cluster_domain.zone_id]
- tags = var.tags
-}
+# tags = var.tags
+# }
 #---
 # do2-gov ("legacy")
From 368bdb7fa0c9f4e33ec694a1b251391656392187 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 18:59:30 -0400
Subject: [PATCH 29/59] zones
---
 dns_zones.tf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/dns_zones.tf b/dns_zones.tf
index c345390..3cbf732 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -5,6 +5,34 @@ locals {
 region = var.region
 }
+#---
+# availability-zones
+#---
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+ count = length(data.aws_availability_zones.zones.names)
+ state = "available"
+ name = data.aws_availability_zones.zones.names[count.index]
+}
+
+output "availability_zone_names" {
+ description = "VPC Availability zone name list (3)"
+ value = data.aws_availability_zones.zones.names
+}
+
+output "availability_zone_ids" {
+ description = "VPC Availability zone id list (3)"
+ value = data.aws_availability_zones.zones.zone_ids
+}
+
+output "availability_zone_suffixes" {
+ description = "VPC Availability zone suffix list (3)"
+ value = data.aws_availability_zone.zone[*].name_suffix
+}
+
 #---
 # network prod
 #---
From d8bcb902127e60c340b62b4d65f0fc66e0585c47 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 19:14:32 -0400
Subject: [PATCH 30/59] no vpc7 stuff
---
 dns_zones.tf | 116 +++++++++++++++++++--------------------------
 1 file changed, 44 insertions(+), 72 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 3cbf732..0bb37bc 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -5,34 +5,6 @@ locals {
 region = var.region
 }
-#---
-# availability-zones
-#---
-data "aws_availability_zones" "zones" {
- state = "available"
-}
-
-data "aws_availability_zone" "zone" {
- count = length(data.aws_availability_zones.zones.names)
- state = "available"
- name = data.aws_availability_zones.zones.names[count.index]
-}
-
-output "availability_zone_names" {
- description = "VPC Availability zone name list (3)"
- value = data.aws_availability_zones.zones.names
-}
-
-output "availability_zone_ids" {
- description = "VPC Availability zone id list (3)"
- value = data.aws_availability_zones.zones.zone_ids
-}
-
-output "availability_zone_suffixes" {
- description = "VPC Availability zone suffix list (3)"
- value = data.aws_availability_zone.zone[*].name_suffix
-}
-
 #---
 # network prod
 #---
@@ -46,15 +18,15 @@ provider "aws" {
 }
 }
-# provider "aws" {
-# alias = "route53_main_west"
-# profile = var.profile
-# region = var.region_map["west"]
-# assume_role {
-# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
-# session_name = var.os_username
-# }
-# }
+provider "aws" {
+ alias = "route53_main_west"
+ profile = var.profile
+ region = var.region_map["west"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
 #---
 # dummy vpc, so we can associate the zone to this account
@@ -110,20 +82,20 @@ module "route53_cluster_domain_east" {
 tags = var.tags
 }
-# module "route53_cluster_domain_west" {
-# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
-# providers = {
-# aws.self = aws
-# aws.peer = aws.route53_main_west
-# }
+module "route53_cluster_domain_west" {
+ count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_west
+ }
-# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-# region = "us-gov-west-1"
-# vpc_id = data.aws_vpc.eks_vpc.id
-# zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-# tags = var.tags
-# }
+ tags = var.tags
+}
 output "cluster_domain_name" {
 description = "DNS Zone Name"
@@ -145,32 +117,32 @@ output "cluster_domain_ns" {
 # and to vpc7-endpoints in network prod
 #---
-#---
-# network prod
-#---
-provider "aws" {
- alias = "route53_main"
- region = var.region_map["east"]
- profile = var.profile
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
- session_name = var.os_username
- }
-}
+# #---
+# # network prod
+# #---
+# provider "aws" {
+# alias = "route53_main"
+# region = var.region_map["east"]
+# profile = var.profile
+# assume_role {
+# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+# session_name = var.os_username
+# }
+# }
-module "route53_main_east" {
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main
- }
+# module "route53_main_east" {
+# providers = {
+# aws.self = aws
+# aws.peer = aws.route53_main
+# }
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-east-1"
- vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"]
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+# region = "us-gov-east-1"
+# vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+# zone_ids = [aws_route53_zone.cluster_domain.zone_id]
- tags = var.tags
-}
+# tags = var.tags
+# }
 # module "route53_main_west" {
 # providers = {
From 999d79ea2a6b12832007f263b855146530c02eee Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 19:53:00 -0400
Subject: [PATCH 31/59] bad idea removed
---
 dns_zones.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/dns_zones.tf b/dns_zones.tf
index 0bb37bc..af685e3 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -68,6 +68,7 @@ resource "aws_route53_zone" "cluster_domain" {
 # need to also associate with network-prod account and this vpc
 #---
 module "route53_cluster_domain_east" {
+
 count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
 providers = {
 aws.self = aws
@@ -83,6 +84,7 @@ module "route53_cluster_domain_east" {
 }
 module "route53_cluster_domain_west" {
+
 count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
 providers = {
 aws.self = aws
From 0d673173e44aa687dee1ba5b973d35f9136c0dc8 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:04:02 -0400
Subject: [PATCH 32/59] add dummy vpc
---
 dns_zones.tf | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index af685e3..24a58ef 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -32,13 +32,30 @@ provider "aws" {
 # dummy vpc, so we can associate the zone to this account
 #---
 data "aws_vpc" "dummy_vpc" {
- count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ depends_on = [aws_vpc.vpc]
+ count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
 filter {
 name = "tag:Name"
 values = ["vpc0-dummy"]
 }
+ filter {
+ name = "tag:eks-cluster-name"
+ values = [var.cluster_name]
+ }
+}
+
+## Dummy VPC
+resource "aws_vpc" "vpc" {
+ cidr_block = "192.168.0.0/24"
+ enable_dns_support = false
+ enable_dns_hostnames = false
+ tags = merge(
+ var.tags,
+ { "Name" = "vpc0-dummy" },
+ )
 }
+
 resource "aws_route53_zone" "cluster_domain" {
 name = local.cluster_domain_name
 comment = local.cluster_domain_description
@@ -58,7 +75,6 @@ resource "aws_route53_zone" "cluster_domain" {
 }
 tags = merge(
- local.base_tags,
 var.tags,
 { "Name" = local.cluster_domain_name },
 )
From 6c1764f7b9bd55ffd5fd55cdb746d0c8dd4d3296 Mon Sep 17 00:00:00 2001
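Review bot: In the `@@ -32,13 +32,30` hunk, `data "aws_vpc" "dummy_vpc"` now also filters on `tag:eks-cluster-name = var.cluster_name`, but the `aws_vpc.vpc` it is made to depend on is tagged only with `Name = "vpc0-dummy"` plus whatever `var.tags` carries, so unless `var.tags` happens to contain that key the lookup returns no VPC and the apply fails whenever a shared VPC label is set; and without a per-cluster tag a second cluster in the same account would create a second `vpc0-dummy` and make the `Name` filter ambiguous. Tagging the resource to match fixes both: `tags = merge(var.tags, { "Name" = "vpc0-dummy", "eks-cluster-name" = var.cluster_name })`. Since the VPC is created in this same configuration, the data source and its `depends_on` (which defers the read to apply time) could be dropped in favour of `aws_vpc.vpc.id` in the zone's `vpc` block. The `aws_route53_zone.cluster_domain` block that consumes the lookup continues outside the hunk.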
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:08:37 -0400
Subject: [PATCH 33/59] zone_ids
---
 dns_zones.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dns_zones.tf b/dns_zones.tf
index 24a58ef..019cfce 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -3,6 +3,7 @@ locals {
 cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
 region = var.region
+ zone_ids = []
 }
 #---
From 0f0a96911727d16e34810cde3bb0423363bf99ac Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:32:23 -0400
Subject: [PATCH 34/59] zone_ids are queried after cluster_domain is created
---
 dns_zones.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 019cfce..24a58ef 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -3,7 +3,6 @@ locals {
 cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
 region = var.region
- zone_ids = []
 }
 #---
From e150438728bd3d82ef8af3caf20dcea6ba14dc51 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:47:43 -0400
Subject: [PATCH 35/59] no profile?
---
 dns_zones.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 24a58ef..3676347 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -3,6 +3,7 @@ locals {
 cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
 region = var.region
+ zone_ids = compact(var.zone_ids)
 }
 #---
@@ -10,7 +11,6 @@ locals {
 #---
 provider "aws" {
 alias = "route53_main_east"
- profile = var.profile
 region = var.region_map["east"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
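Review bot: Dropping `profile = var.profile` from the `route53_main_east` provider (and from `route53_main_west` in the next hunk, `@@ -20,7 +20,6`) means the source credentials for the `r-inf-terraform-route53` assume-role hop now come from the ambient credential chain rather than a named profile, which may change which principal the role's trust policy sees and what CloudTrail records; the commit title "no profile?" suggests this was not settled. If the ambient chain is the intended source, a comment above `assume_role` such as `# source credentials come from the default chain; only the role hop is configured here` would record the decision, and `var.profile` should be removed from variables.tf if nothing else still reads it.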
@@ -20,7 +20,6 @@ provider "aws" {
 provider "aws" {
 alias = "route53_main_west"
- profile = var.profile
 region = var.region_map["west"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
From b41f1bae21e30841438c6877a33d645249a8c808 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:49:35 -0400
Subject: [PATCH 36/59] add var
---
 variables.tf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/variables.tf b/variables.tf
index c737d51..539d00e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -174,3 +174,9 @@ variable "route53_endpoints" {
 }
 }
 }
+
+variable "zone_ids" {
+ description = "List of Route53 PHZ IDs to associate with a (local/remote) VPC"
+ type = list(string)
+ default = []
+}
From d8f800f8ae665421b1ac73998caf4cac03de6865 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:52:57 -0400
Subject: [PATCH 37/59] define self
---
 dns_zones.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/dns_zones.tf b/dns_zones.tf
index 3676347..edd6541 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -6,6 +6,17 @@ locals {
 zone_ids = compact(var.zone_ids)
 }
+#-------------------------------------------------
+# Providers for Cross Account DNS Action
+#-------------------------------------------------
+provider "aws" {
+ alias = "self"
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, var.account_id)
+ session_name = var.os_username
+ }
+}
+
 #---
 # network prod
 #---
From c0954d14e1a442d67395deaf76c6adda34918fae Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 20:59:46 -0400
Subject: [PATCH 38/59] add zone list
---
 dns_zones.tf | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index edd6541..c4585c4 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -6,17 +6,6 @@ locals {
 zone_ids = compact(var.zone_ids)
 }
-#-------------------------------------------------
-# Providers for Cross Account DNS Action
-#-------------------------------------------------
-provider "aws" {
- alias = "self"
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, var.account_id)
- session_name = var.os_username
- }
-}
-
 #---
 # network prod
 #---
@@ -42,6 +31,7 @@ provider "aws" {
 # dummy vpc, so we can associate the zone to this account
 #---
 data "aws_vpc" "dummy_vpc" {
+ provider = aws
 depends_on = [aws_vpc.vpc]
 count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
 filter {
@@ -56,6 +46,7 @@ data "aws_vpc" "dummy_vpc" {
 ## Dummy VPC
 resource "aws_vpc" "vpc" {
+ provider = aws
 cidr_block = "192.168.0.0/24"
 enable_dns_support = false
 enable_dns_hostnames = false
@@ -65,8 +56,18 @@ resource "aws_vpc" "vpc" {
 )
 }
+#---
+# zone list
+#---
+data "aws_route53_zone" "zones" {
+ provider = aws.self
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ private_zone = true
+}
 resource "aws_route53_zone" "cluster_domain" {
+ provider = aws
 name = local.cluster_domain_name
 comment = local.cluster_domain_description
 force_destroy = false
From c336d9672c6c235b12ec48f14610bf23107eb4ea Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:01:14 -0400
Subject: [PATCH 39/59] add self back
---
 dns_zones.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/dns_zones.tf b/dns_zones.tf
index c4585c4..507a30b 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -27,6 +27,13 @@ provider "aws" {
 }
 }
+provider "aws" {
+ alias = "self"
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, var.account_id)
+ session_name = var.os_username
+ }
+}
 #---
 # dummy vpc, so we can associate the zone to this account
 #---
From 80ed38cb724848b51fcaa91f5eddfbf2669d1d7a Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:04:05 -0400
Subject: [PATCH 40/59] account
---
 dns_zones.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 507a30b..8877358 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -30,7 +30,7 @@ provider "aws" {
 provider "aws" {
 alias = "self"
 assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, var.account_id)
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_arn.current.account_id)
 session_name = var.os_username
 }
 }
From b85324fbb88439d109d8f45e6dffd6325e716224 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:06:36 -0400
Subject: [PATCH 41/59] maybe
---
 dns_zones.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 8877358..19cf7f2 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -38,7 +38,7 @@ provider "aws" {
 # dummy vpc, so we can associate the zone to this account
 #---
 data "aws_vpc" "dummy_vpc" {
- provider = aws
+ provider = aws.self
 depends_on = [aws_vpc.vpc]
 count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
 filter {
@@ -53,7 +53,7 @@ data "aws_vpc" "dummy_vpc" {
 ## Dummy VPC
 resource "aws_vpc" "vpc" {
- provider = aws
+ provider = aws.self
 cidr_block = "192.168.0.0/24"
 enable_dns_support = false
 enable_dns_hostnames = false
@@ -74,7 +74,7 @@ data "aws_route53_zone" "zones" {
 }
 resource "aws_route53_zone" "cluster_domain" {
- provider = aws
+ provider = aws.self
 name = local.cluster_domain_name
 comment = local.cluster_domain_description
 force_destroy = false
From af7ec5f18e280c725596ee94c74d2c4b18a9adb3 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:08:46 -0400
Subject: [PATCH 42/59] current identity
---
 dns_zones.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 19cf7f2..fc76398 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -30,7 +30,7 @@ provider "aws" {
 provider "aws" {
 alias = "self"
 assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_arn.current.account_id)
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
 session_name = var.os_username
 }
 }
From fc42c4bbe3d15898eb193ab86a1a237da2962523 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:20:02 -0400
Subject: [PATCH 43/59] without modules
---
 dns_zones.tf | 255 +++++++++++++++------------------------------
 1 file changed, 76 insertions(+), 179 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index fc76398..c4e0604 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
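Review bot: The `self` provider assumes `r-inf-terraform` in the account the caller is already running in (`data.aws_caller_identity.current.account_id`), and nothing in the block says why an in-account role hop is needed; if that role carries more permissions than the Terraform runner identity, the hop is a privilege boundary that the next maintainer should be able to see. A one-line comment above `assume_role`, e.g. `# in-account hop: r-inf-terraform holds the Route53/VPC permissions the runner identity lacks` (adjusted to the real reason), would make that explicit. The alias also sets no `region`, so it takes the region from the environment rather than `var.region` like the other providers in this file; and `data.aws_caller_identity.current` is presumably declared elsewhere in the module, since it does not appear in any hunk of this series.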
@@ -1,17 +1,19 @@
+#-------------------------------------------------
+# DNS Zone for EKS
+#-------------------------------------------------
 locals {
- vpc_domain_name = var.vpc_domain_name
- cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+ cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- region = var.region
- zone_ids = compact(var.zone_ids)
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
+ zone_ids = compact(var.zone_ids)
 }
-
-#---
-# network prod
-#---
+#-------------------------------------------------
+# Providers for Cross Account DNS Action
+#-------------------------------------------------
 provider "aws" {
- alias = "route53_main_east"
- region = var.region_map["east"]
+ alias = "route53_main_east"
+ region = var.region_map["east"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
@@ -19,48 +21,52 @@ provider "aws" {
 }
 provider "aws" {
- alias = "route53_main_west"
- region = var.region_map["west"]
+ alias = "route53_main_west"
+ region = var.region_map["west"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
 }
 }
-provider "aws" {
- alias = "self"
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
- session_name = var.os_username
- }
-}
-#---
-# dummy vpc, so we can associate the zone to this account
-#---
-data "aws_vpc" "dummy_vpc" {
+#-------------------------------------------------
+# network prod for shared vpcs zones
+#-------------------------------------------------
+
+## Associate between self (vpc8) and network-prod-west
+resource "aws_route53_vpc_association_authorization" "self_zone" {
 provider = aws.self
- depends_on = [aws_vpc.vpc]
- count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- filter {
- name = "tag:Name"
- values = ["vpc0-dummy"]
- }
- filter {
- name = "tag:eks-cluster-name"
- values = [var.cluster_name]
- }
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_region = var.region_map["west"]
+ vpc_id = var.vpc_id
 }
-## Dummy VPC
-resource "aws_vpc" "vpc" {
+resource "aws_route53_zone_association" "self_zone_west" {
+ provider = aws.route53_main_west
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_id = var.vpc_id
+ vpc_region = var.region_map["west"]
+ depends_on = [aws_route53_vpc_association_authorization.self_zone]
+}
+
+## Associate between self (vpc8) and network-prod-east
+resource "aws_route53_vpc_association_authorization" "self_zone_east" {
 provider = aws.self
- cidr_block = "192.168.0.0/24"
- enable_dns_support = false
- enable_dns_hostnames = false
- tags = merge(
- var.tags,
- { "Name" = "vpc0-dummy" },
- )
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_region = var.region_map["east"]
+ vpc_id = var.vpc_id
+}
+
+resource "aws_route53_zone_association" "self_zone_east" {
+ provider = aws.route53_main_east
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_id = var.vpc_id
+ vpc_region = var.region_map["east"]
+ depends_on = [aws_route53_vpc_association_authorization.self_zone]
 }
 #---
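Review bot: `aws_route53_zone_association.self_zone_east` declares `depends_on = [aws_route53_vpc_association_authorization.self_zone]`, which is the west authorization, so the east association can be attempted before `self_zone_east` exists; it should read `depends_on = [aws_route53_vpc_association_authorization.self_zone_east]`. The same `var.vpc_id` is paired with both `vpc_region = var.region_map["west"]` and `vpc_region = var.region_map["east"]`, yet VPC IDs are regional, so at most one of the two authorization/association pairs can refer to an existing VPC — the per-region IDs kept in `var.route53_endpoints["route53_main"]` look like what was intended, worth confirming. This hunk also deletes the `provider "aws"` block with `alias = "self"` while the four new resources keep `provider = aws.self`; unless that alias is declared in another file of the module, `terraform validate` will reject the configuration.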
@@ -74,163 +80,54 @@ data "aws_route53_zone" "zones" { } resource "aws_route53_zone" "cluster_domain" { - provider = aws.self name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false - + depends_on = [ + data.aws_vpc.dummy_vpc + ] vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id - vpc_region = local.region + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id + vpc_region = var.region } lifecycle { ignore_changes = [vpc] - precondition { - condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) - error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." - } } tags = merge( + local.base_tags, + local.common_tags, var.tags, + var.application_tags, { "Name" = local.cluster_domain_name }, ) } +## Dummy VPC + #--- -# need to also associate with network-prod account and this vpc +# dummy vpc, so we can associate the zone to this account #--- -module "route53_cluster_domain_east" { - - count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - providers = { - aws.self = aws - aws.peer = aws.route53_main_east +data "aws_vpc" "dummy_vpc" { + depends_on = [aws_vpc.vpc] + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] } - - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" - region = "us-gov-east-1" - vpc_id = data.aws_vpc.eks_vpc.id - zone_ids = [aws_route53_zone.cluster_domain.zone_id] - - tags = var.tags -} - -module "route53_cluster_domain_west" { - - count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - providers = { - aws.self = aws - aws.peer = aws.route53_main_west + filter { + name = "tag:eks-cluster-name" + values = [var.cluster_name] } - - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" - region = "us-gov-west-1" - vpc_id = data.aws_vpc.eks_vpc.id - zone_ids = [aws_route53_zone.cluster_domain.zone_id] - - tags = var.tags } -output "cluster_domain_name" { - description = "DNS Zone Name" - value = local.cluster_domain_name -} - -output "cluster_domain_id" { - description = "DNS Zone ID" - value = aws_route53_zone.cluster_domain.zone_id -} - -output "cluster_domain_ns" { - description = "DNS Zone Nameservers" - value = aws_route53_zone.cluster_domain.name_servers +resource "aws_vpc" "vpc" { + cidr_block = "192.168.0.0/24" + enable_dns_support = false + enable_dns_hostnames = false + tags = merge( + local.base_tags, + { "Name" = "vpc0-dummy" }, + ) } - -#--- -# associate to main do2-govcloud vpc1-services east and west for inbound resolution -# and to vpc7-endpoints in network prod -#--- - -# #--- -# # network prod -# #--- -# provider "aws" { -# alias = "route53_main" -# region = var.region_map["east"] -# profile = var.profile -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) -# session_name = var.os_username -# } -# } - -# module "route53_main_east" { -# providers = { -# aws.self = aws -# 
aws.peer = aws.route53_main -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-east-1" -# vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# } - -# module "route53_main_west" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-west-1" -# vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# } - -#--- -# do2-gov ("legacy") -#--- -# provider "aws" { -# alias = "route53_main_legacy" -# region = var.region_map["east"] -# profile = var.profile -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) -# session_name = var.os_username -# } -# } - -# module "route53_main_legacy_east" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main_legacy -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-east-1" -# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# } - -# module "route53_main_legacy_west" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main_legacy -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-west-1" -# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# } 
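Review bot: Removing the `precondition` from `aws_route53_zone.cluster_domain` drops the only guard that `var.vpc_domain_name` is set when a shared VPC label is in use, so the zone name built by the file's `locals` can silently become `<cluster_name>.` and the hosted zone is created with a dangling dot instead of failing at plan time; keep the check, or add a `validation` block on the variable. `aws_vpc.vpc` is added without a `count` while `data.aws_vpc.dummy_vpc` is conditional on `shared_vpc_label`, so the 192.168.0.0/24 dummy VPC is created in every account even when nothing reads it (the hunks in PATCH 44/59 and PATCH 46/59 that re-add the resource have the same shape). The three `output` blocks deleted here (`cluster_domain_name`, `cluster_domain_id`, `cluster_domain_ns`) are part of this module's interface and nothing in the hunk replaces them. The new `tags = merge(local.base_tags, local.common_tags, var.tags, var.application_tags, …)` references names not declared in any visible hunk — presumably they are missing, since a later patch removes them — so I would confirm they exist before this is applied.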
From 1befc7d9404a01b2abd0c1a086810f3079f2ec86 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:21:12 -0400
Subject: [PATCH 44/59] delete state
---
 dns_zones.tf | 255 ++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 179 insertions(+), 76 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index c4e0604..033de5b 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -1,19 +1,17 @@
-#-------------------------------------------------
-# DNS Zone for EKS
-#-------------------------------------------------
 locals {
- cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
+ vpc_domain_name = var.vpc_domain_name
+ cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
- zone_ids = compact(var.zone_ids)
+ region = var.region
+ zone_ids = compact(var.zone_ids)
 }
-#-------------------------------------------------
-# Providers for Cross Account DNS Action
-#-------------------------------------------------
+
+#---
+# network prod
+#---
 provider "aws" {
- alias = "route53_main_east"
- region = var.region_map["east"]
+ alias = "route53_main_east"
+ region = var.region_map["east"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
@@ -21,52 +19,48 @@ provider "aws" { } provider "aws" { - alias = "route53_main_west" - region = var.region_map["west"] + alias = "route53_main_west" + region = var.region_map["west"] assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) session_name = var.os_username } } -#------------------------------------------------- -# network prod for shared vpcs zones -#------------------------------------------------- - -## Associate between self (vpc8) and network-prod-west -resource "aws_route53_vpc_association_authorization" "self_zone" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["west"] - vpc_id = var.vpc_id -} - -resource "aws_route53_zone_association" "self_zone_west" { - provider = aws.route53_main_west - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = var.vpc_id - vpc_region = var.region_map["west"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] +provider "aws" { + alias = "self" + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_idgst) + session_name = var.os_username + } } - -## Associate between self (vpc8) and network-prod-east -resource "aws_route53_vpc_association_authorization" "self_zone_east" { +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["east"] - vpc_id = var.vpc_id + depends_on = [aws_vpc.vpc] + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } + filter { + name = "tag:eks-cluster-name" + values = [var.cluster_name] + } } -resource "aws_route53_zone_association" "self_zone_east" { - provider = aws.route53_main_east - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = var.vpc_id - vpc_region = var.region_map["east"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] +## Dummy VPC +resource "aws_vpc" "vpc" { + provider = aws.self + cidr_block = "192.168.0.0/24" + enable_dns_support = false + enable_dns_hostnames = false + tags = merge( + var.tags, + { "Name" = "vpc0-dummy" }, + ) } #--- 
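Review bot: The restored `self` provider builds its `role_arn` from `data.aws_caller_identity.current.account_idgst`, which is not an attribute of that data source, so `terraform validate` fails on this hunk; it should read `data.aws_caller_identity.current.account_id` (PATCH 45/59 makes that one-character fix). Because this provider is the identity that the zone, the dummy VPC and the data sources below run under, the block deserves a comment stating the role it assumes and why, e.g. `# same-account deploy role: everything in this file runs as r-inf-terraform, not as the caller`.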
@@ -80,54 +74,163 @@ data "aws_route53_zone" "zones" { } resource "aws_route53_zone" "cluster_domain" { + provider = aws.self name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false - depends_on = [ - data.aws_vpc.dummy_vpc - ] + vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id - vpc_region = var.region + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id + vpc_region = local.region } lifecycle { ignore_changes = [vpc] + precondition { + condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) + error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." + } } tags = merge( - local.base_tags, - local.common_tags, var.tags, - var.application_tags, { "Name" = local.cluster_domain_name }, ) } -## Dummy VPC - #--- -# dummy vpc, so we can associate the zone to this account +# need to also associate with network-prod account and this vpc #--- -data "aws_vpc" "dummy_vpc" { - depends_on = [aws_vpc.vpc] - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - filter { - name = "tag:Name" - values = ["vpc0-dummy"] +module "route53_cluster_domain_east" { + + count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_east } - filter { - name = "tag:eks-cluster-name" - values = [var.cluster_name] + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = var.tags +} + +module "route53_cluster_domain_west" { + + count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_west } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = var.tags } -resource "aws_vpc" "vpc" { - cidr_block = "192.168.0.0/24" - enable_dns_support = false - enable_dns_hostnames = false - tags = merge( - local.base_tags, - { "Name" = "vpc0-dummy" }, - ) +output "cluster_domain_name" { + description = "DNS Zone Name" + value = local.cluster_domain_name +} + +output "cluster_domain_id" { + description = "DNS Zone ID" + value = aws_route53_zone.cluster_domain.zone_id +} + +output "cluster_domain_ns" { + description = "DNS Zone Nameservers" + value = aws_route53_zone.cluster_domain.name_servers } + +#--- +# associate to main do2-govcloud vpc1-services east and west for inbound resolution +# and to vpc7-endpoints in network prod +#--- + +# #--- +# # network prod +# #--- +# provider "aws" { +# alias = "route53_main" +# region = var.region_map["east"] +# profile = var.profile +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# session_name = var.os_username +# } +# } + +# module "route53_main_east" { +# providers = { +# aws.self = 
aws +# aws.peer = aws.route53_main +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-east-1" +# vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } + +# module "route53_main_west" { +# providers = { +# aws.self = aws +# aws.peer = aws.route53_main +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-west-1" +# vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } + +#--- +# do2-gov ("legacy") +#--- +# provider "aws" { +# alias = "route53_main_legacy" +# region = var.region_map["east"] +# profile = var.profile +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) +# session_name = var.os_username +# } +# } + +# module "route53_main_legacy_east" { +# providers = { +# aws.self = aws +# aws.peer = aws.route53_main_legacy +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-east-1" +# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } + +# module "route53_main_legacy_west" { +# providers = { +# aws.self = aws +# aws.peer = aws.route53_main_legacy +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-west-1" +# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } 
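Review bot: Both restored modules pin their source to `?ref=tf-upgrade`, which reads as a branch name rather than a tag or commit SHA, so the code that runs under the cross-account `aws.peer` Route53 provider can change between applies with no change in this repository; pin it to an immutable ref (`?ref=<tag-or-sha>`) for a module that is handed a role in another account. The restored `precondition` is correct but its condition has the form `A || (!A && B)`, which is just `A || B`; `condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || !(var.vpc_domain_name == null || var.vpc_domain_name == "")` says the same thing and is easier to audit. The two `count` expressions hard-code `"us-gov-east-1"` and `"us-gov-west-1"` while the file already carries `var.region_map["east"]`/`["west"]`; comparing against the map keeps the two sources of truth from drifting.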
From 89df119ecf6828326c494770f0e780f78b1075e9 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:22:54 -0400
Subject: [PATCH 45/59] typo
---
 dns_zones.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index 033de5b..fc76398 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -30,7 +30,7 @@ provider "aws" {
 provider "aws" {
 alias = "self"
 assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_idgst)
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
 session_name = var.os_username
 }
 }
From 2ea62cf99874a17aa49ada929d1312908eee551a Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 29 Jul 2024 21:25:49 -0400
Subject: [PATCH 46/59] comment correct
---
 dns_zones.tf | 405 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 271 insertions(+), 134 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index fc76398..1dcb9af 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -1,17 +1,19 @@
+#-------------------------------------------------
+# DNS Zone for EKS
+#-------------------------------------------------
 locals {
- vpc_domain_name = var.vpc_domain_name
- cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+ cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- region = var.region
- zone_ids = compact(var.zone_ids)
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
+ zone_ids = compact(var.zone_ids)
 }
-
-#---
-# network prod
-#---
+#-------------------------------------------------
+# Providers for Cross Account DNS Action
+#-------------------------------------------------
 provider "aws" {
- alias = "route53_main_east"
- region = var.region_map["east"]
+ alias = "route53_main_east"
+ region = var.region_map["east"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
@@ -19,48 +21,52 @@ provider "aws" { } provider "aws" { - alias = "route53_main_west" - region = var.region_map["west"] + alias = "route53_main_west" + region = var.region_map["west"] assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) session_name = var.os_username } } -provider "aws" { - alias = "self" - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - session_name = var.os_username - } -} -#--- -# dummy vpc, so we can associate the zone to this account -#--- -data "aws_vpc" "dummy_vpc" { +#------------------------------------------------- +# network prod for shared vpcs zones +#------------------------------------------------- + +## Associate between self (vpc8) and network-prod-west +resource "aws_route53_vpc_association_authorization" "self_zone" { provider = aws.self - depends_on = [aws_vpc.vpc] - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 - filter { - name = "tag:Name" - values = ["vpc0-dummy"] - } - filter { - name = "tag:eks-cluster-name" - values = [var.cluster_name] - } + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_region = var.region_map["west"] + vpc_id = var.vpc_id } -## Dummy VPC -resource "aws_vpc" "vpc" { +resource "aws_route53_zone_association" "self_zone_west" { + provider = aws.route53_main_west + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_id = var.vpc_id + vpc_region = var.region_map["west"] + depends_on = [aws_route53_vpc_association_authorization.self_zone] +} + +## Associate between self (vpc8) and network-prod-east +resource "aws_route53_vpc_association_authorization" "self_zone_east" { provider = aws.self - cidr_block = "192.168.0.0/24" - enable_dns_support = false - enable_dns_hostnames = false - tags = merge( - var.tags, - { "Name" = "vpc0-dummy" }, - ) + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_region = var.region_map["east"] + vpc_id = var.vpc_id +} + +resource "aws_route53_zone_association" "self_zone_east" { + provider = aws.route53_main_east + for_each = toset(local.zone_ids) + zone_id = each.key + vpc_id = var.vpc_id + vpc_region = var.region_map["east"] + depends_on = [aws_route53_vpc_association_authorization.self_zone] } #--- 
@@ -74,163 +80,294 @@ data "aws_route53_zone" "zones" { } resource "aws_route53_zone" "cluster_domain" { - provider = aws.self name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false - + depends_on = [ + data.aws_vpc.dummy_vpc + ] vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id - vpc_region = local.region + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id + vpc_region = var.region } lifecycle { ignore_changes = [vpc] - precondition { - condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) - error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." - } } tags = merge( + local.base_tags, + local.common_tags, var.tags, + var.application_tags, { "Name" = local.cluster_domain_name }, ) } +## Dummy VPC + #--- -# need to also associate with network-prod account and this vpc +# dummy vpc, so we can associate the zone to this account #--- -module "route53_cluster_domain_east" { - - count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - providers = { - aws.self = aws - aws.peer = aws.route53_main_east +data "aws_vpc" "dummy_vpc" { + depends_on = [aws_vpc.vpc] + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] } - - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" - region = "us-gov-east-1" - vpc_id = data.aws_vpc.eks_vpc.id - zone_ids = [aws_route53_zone.cluster_domain.zone_id] - - tags = var.tags -} - -module "route53_cluster_domain_west" { - - count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - providers = { - aws.self = aws - aws.peer = aws.route53_main_west + filter { + name = "tag:eks-cluster-name" + values = [var.cluster_name] } - - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" - region = "us-gov-west-1" - vpc_id = data.aws_vpc.eks_vpc.id - zone_ids = [aws_route53_zone.cluster_domain.zone_id] - - tags = var.tags -} - -output "cluster_domain_name" { - description = "DNS Zone Name" - value = local.cluster_domain_name -} - -output "cluster_domain_id" { - description = "DNS Zone ID" - value = aws_route53_zone.cluster_domain.zone_id } -output "cluster_domain_ns" { - description = "DNS Zone Nameservers" - value = aws_route53_zone.cluster_domain.name_servers +resource "aws_vpc" "vpc" { + cidr_block = "192.168.0.0/24" + enable_dns_support = false + enable_dns_hostnames = false + tags = merge( + local.base_tags, + { "Name" = "vpc0-dummy" }, + ) } -#--- -# associate to main do2-govcloud vpc1-services east and west for inbound resolution -# and to vpc7-endpoints in network prod -#--- +#### This is the correct way, it's commented because +#### the module is throwing an error on the for_each +#### in the module. 
+# locals { +# vpc_domain_name = var.vpc_domain_name +# cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) +# cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) +# region = var.region +# zone_ids = compact(var.zone_ids) +# } # #--- # # network prod # #--- # provider "aws" { -# alias = "route53_main" +# alias = "route53_main_east" # region = var.region_map["east"] -# profile = var.profile # assume_role { # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) # session_name = var.os_username # } # } -# module "route53_main_east" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main +# provider "aws" { +# alias = "route53_main_west" +# region = var.region_map["west"] +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# session_name = var.os_username # } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-east-1" -# vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags # } -# module "route53_main_west" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main +# provider "aws" { +# alias = "self" +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) +# session_name = var.os_username # } +# } +# #--- +# # dummy vpc, so we can associate the zone to this account +# #--- +# data "aws_vpc" "dummy_vpc" { +# provider = aws.self +# depends_on = [aws_vpc.vpc] +# count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 +# filter { +# name = "tag:Name" +# values = ["vpc0-dummy"] +# } +# filter { +# name = "tag:eks-cluster-name" +# values = [var.cluster_name] +# } +# } -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-west-1" -# vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] +# ## Dummy VPC +# resource "aws_vpc" "vpc" { +# provider = aws.self +# cidr_block = "192.168.0.0/24" +# enable_dns_support = false +# enable_dns_hostnames = false +# tags = merge( +# var.tags, +# { "Name" = "vpc0-dummy" }, +# ) +# } -# tags = var.tags +# #--- +# # zone list +# #--- +# data "aws_route53_zone" "zones" { +# provider = aws.self +# for_each = toset(local.zone_ids) +# zone_id = each.key +# private_zone = true # } -#--- -# do2-gov ("legacy") -#--- -# provider "aws" { -# alias = "route53_main_legacy" -# region = var.region_map["east"] -# profile = var.profile -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) -# session_name = var.os_username +# resource "aws_route53_zone" "cluster_domain" { +# provider = aws.self +# name = local.cluster_domain_name +# comment = local.cluster_domain_description +# force_destroy = false + +# vpc { +# vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id +# vpc_region = local.region # } + +# lifecycle { +# ignore_changes = [vpc] +# precondition { +# condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) +# error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." 
+# } +# } + +# tags = merge( +# var.tags, +# { "Name" = local.cluster_domain_name }, +# ) # } -# module "route53_main_legacy_east" { +# #--- +# # need to also associate with network-prod account and this vpc +# #--- +# module "route53_cluster_domain_east" { + +# count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 # providers = { # aws.self = aws -# aws.peer = aws.route53_main_legacy +# aws.peer = aws.route53_main_east # } # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" # region = "us-gov-east-1" -# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] +# vpc_id = data.aws_vpc.eks_vpc.id # zone_ids = [aws_route53_zone.cluster_domain.zone_id] # tags = var.tags # } -# module "route53_main_legacy_west" { +# module "route53_cluster_domain_west" { + +# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 # providers = { # aws.self = aws -# aws.peer = aws.route53_main_legacy +# aws.peer = aws.route53_main_west # } # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" # region = "us-gov-west-1" -# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] +# vpc_id = data.aws_vpc.eks_vpc.id # zone_ids = [aws_route53_zone.cluster_domain.zone_id] # tags = var.tags # } + +# output "cluster_domain_name" { +# description = "DNS Zone Name" +# value = local.cluster_domain_name +# } + +# output "cluster_domain_id" { +# description = "DNS Zone ID" +# value = aws_route53_zone.cluster_domain.zone_id +# } + +# output "cluster_domain_ns" { +# description = "DNS Zone Nameservers" +# value = aws_route53_zone.cluster_domain.name_servers +# } + +# #--- +# # associate to main do2-govcloud vpc1-services east and west for inbound resolution +# # and to vpc7-endpoints in network prod +# #--- + +# # #--- +# # # network prod +# # #--- +# # provider "aws" { +# # alias = "route53_main" +# # region = var.region_map["east"] +# # profile = var.profile +# # assume_role { +# # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# # session_name = var.os_username +# # } +# # } + +# # module "route53_main_east" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main +# # } + +# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-east-1" +# # vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } + +# # module "route53_main_west" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main +# # } + +# # source = 
"git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-west-1" +# # vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } + +# #--- +# # do2-gov ("legacy") +# #--- +# # provider "aws" { +# # alias = "route53_main_legacy" +# # region = var.region_map["east"] +# # profile = var.profile +# # assume_role { +# # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) +# # session_name = var.os_username +# # } +# # } + +# # module "route53_main_legacy_east" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main_legacy +# # } + +# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-east-1" +# # vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } + +# # module "route53_main_legacy_west" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main_legacy +# # } + +# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-west-1" +# # vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } From 5cc452819102461f9ecac30f35b7773c7f900570 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:33:07 -0400 Subject: [PATCH 47/59] fix missing things --- dns_zones.tf | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index 1dcb9af..c4b06f0 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
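Review bot: The roughly two hundred lines appended as `#`-commented HCL (a second `locals`, three providers, the dummy VPC, the zone, both modules and the outputs, plus a doubly-commented legacy section) are dead code in the live file and will drift from the active definitions above them; the `####` header says the variant fails on a `for_each` in the module but not which resource or what the error text is, so a reader cannot tell what is actually blocked. Replace the block with a short comment that records the exact error and the branch or commit where the variant lives, and let git history keep the code. The active part of the hunk repeats the change that PATCH 44/59 reverted (precondition removed, outputs removed, `aws_vpc.vpc` without `count`), so the points raised on that earlier hunk apply here unchanged. The hunk runs to the end of the file.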
@@ -39,14 +39,14 @@ resource "aws_route53_vpc_association_authorization" "self_zone" { for_each = toset(local.zone_ids) zone_id = each.key vpc_region = var.region_map["west"] - vpc_id = var.vpc_id + vpc_id = data.aws_vpc.eks_vpc.id } resource "aws_route53_zone_association" "self_zone_west" { provider = aws.route53_main_west for_each = toset(local.zone_ids) zone_id = each.key - vpc_id = var.vpc_id + vpc_id = data.aws_vpc.eks_vpc.id vpc_region = var.region_map["west"] depends_on = [aws_route53_vpc_association_authorization.self_zone] } @@ -57,14 +57,14 @@ resource "aws_route53_vpc_association_authorization" "self_zone_east" { for_each = toset(local.zone_ids) zone_id = each.key vpc_region = var.region_map["east"] - vpc_id = var.vpc_id + vpc_id = data.aws_vpc.eks_vpc.id } resource "aws_route53_zone_association" "self_zone_east" { provider = aws.route53_main_east for_each = toset(local.zone_ids) zone_id = each.key - vpc_id = var.vpc_id + vpc_id = data.aws_vpc.eks_vpc.id vpc_region = var.region_map["east"] depends_on = [aws_route53_vpc_association_authorization.self_zone] } @@ -96,10 +96,7 @@ resource "aws_route53_zone" "cluster_domain" { } tags = merge( - local.base_tags, - local.common_tags, var.tags, - var.application_tags, { "Name" = local.cluster_domain_name }, ) } @@ -127,7 +124,7 @@ resource "aws_vpc" "vpc" { enable_dns_support = false enable_dns_hostnames = false tags = merge( - local.base_tags, + var.tags, { "Name" = "vpc0-dummy" }, ) } From ec51a22dd5640ea053fd60c778c07bec993b8fa6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:42:30 -0400 Subject: [PATCH 48/59] add self again --- dns_zones.tf | 8 ++++++++ variables.tf | 6 ------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index c4b06f0..28abafe 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
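Review bot: In the `@@ -57,14 +57,14` hunk, `aws_route53_zone_association.self_zone_east` still carries `depends_on = [aws_route53_vpc_association_authorization.self_zone]`, which is the west-region authorization, so the east association can be attempted before the owning account has authorized it; it should wait on its own authorization, `depends_on = [aws_route53_vpc_association_authorization.self_zone_east]`. The commit only swaps `var.vpc_id` for `data.aws_vpc.eks_vpc.id` in these resources and leaves that ordering as it was. In the `@@ -96,10 +96,7` hunk the zone's `tags` drop `local.base_tags`, `local.common_tags` and `var.application_tags`, and the `@@ -127,7 +124,7` hunk replaces `local.base_tags` with `var.tags` on the dummy VPC; if those locals carried organisation-wide tags used for ownership or cost attribution, a short comment explaining why these resources are now tagged from `var.tags` alone would help the next reader.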
@@ -29,6 +29,14 @@ provider "aws" { } } +provider "aws" { + alias = "self" + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, local.aws_account_id) + session_name = var.os_username + } +} + #------------------------------------------------- # network prod for shared vpcs zones #------------------------------------------------- diff --git a/variables.tf b/variables.tf index 539d00e..cad6db0 100644 --- a/variables.tf +++ b/variables.tf @@ -144,12 +144,6 @@ variable "main_dns_profile" { default = "269244441389-lab-gov-network-nonprod" } -# variable "dns_zone_description_prefix" { -# description = "Zone description with the org-project-program-environment" -# type = string -# default = "" -# } - variable "shared_vpc_label" { description = "Label to use for shared VPC for flowlogs and other things" type = string From e8b03fdd11a78fc00825510c9dacd0feb4381ed7 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:45:36 -0400 Subject: [PATCH 49/59] stupidity --- dns_zones.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/dns_zones.tf b/dns_zones.tf index 28abafe..975a69d 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -7,6 +7,7 @@ locals { account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) zone_ids = compact(var.zone_ids) + account_id = var.account_id } #------------------------------------------------- # Providers for Cross Account DNS Action From 0ee5305fa993e5a20fd76f03f7b71c40dc58c68a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:46:29 -0400 Subject: [PATCH 50/59] more stupid --- dns_zones.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dns_zones.tf b/dns_zones.tf index 975a69d..4ccf748 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
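Review bot: The new `provider "aws"` block with `alias = "self"` builds its `role_arn` from `local.aws_account_id`, but no such local exists in the visible file at this commit; the following commits add `account_id`, rename it to `aws_account_id` and then drop it again, so this block cannot be planned as committed. The same pattern appears in the `@@ -7,6 +7,7` hunk of the next patch, where `account_id = var.account_id` is added before `variable "account_id"` is declared. Declaring the local or variable in the same commit as its first use keeps each commit plannable, which matters for a provider block that performs an `assume_role`, and a one-line comment on the provider stating which identity `r-inf-terraform` is meant to be assumed from would make the intent clear.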
@@ -7,7 +7,7 @@ locals { account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) zone_ids = compact(var.zone_ids) - account_id = var.account_id + aws_account_id = var.account_id } #------------------------------------------------- # Providers for Cross Account DNS Action From cac77a6beea6a35c64c19eac0446226b9f750a20 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:48:48 -0400 Subject: [PATCH 51/59] ugh --- variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.tf b/variables.tf index cad6db0..b9043eb 100644 --- a/variables.tf +++ b/variables.tf @@ -107,6 +107,12 @@ variable "profile" { default = "" } +variable "account_id" { + description = "AWS account id" + type = string + default = "" +} + variable "region" { description = "AWS config region" type = string From 558d58637419b6bc7f509113b8283af0aec83472 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:53:57 -0400 Subject: [PATCH 52/59] use caller identity again --- dns_zones.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index 4ccf748..3fd1923 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -7,7 +7,6 @@ locals { account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) zone_ids = compact(var.zone_ids) - aws_account_id = var.account_id } #------------------------------------------------- # Providers for Cross Account DNS Action 
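Review bot: `variable "account_id"` is declared with `default = ""`, and at this commit it feeds the `role_arn` `format()` in the `self` provider, so an unset variable yields a malformed ARN (`arn:<partition>:iam:::role/r-inf-terraform`) instead of a clear error. Either drop the default so the value is required, or add a `validation` block with `condition = can(regex("^[0-9]{12}$", var.account_id))` and an `error_message` saying a 12-digit account id is expected. The next commit switches the provider to `data.aws_caller_identity.current.account_id`, after which this variable appears unused but is never removed; if it is kept, its description should say what it is still for.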
@@ -33,7 +32,7 @@ provider "aws" { provider "aws" { alias = "self" assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, local.aws_account_id) + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) session_name = var.os_username } } From 2c7a9e24a53094a40bfd613884d55e45845dd436 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:55:24 -0400 Subject: [PATCH 53/59] we already are --- dns_zones.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index 3fd1923..4dd6931 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -31,10 +31,10 @@ provider "aws" { provider "aws" { alias = "self" - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - session_name = var.os_username - } + # assume_role { + # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) + # session_name = var.os_username + # } } #------------------------------------------------- From 3e3977871c61baced39a1aaf0e92af2f01bc18b6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 21:59:01 -0400 Subject: [PATCH 54/59] getting warmer --- dns_zones.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dns_zones.tf b/dns_zones.tf index 4dd6931..380900b 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -121,10 +121,10 @@ data "aws_vpc" "dummy_vpc" { name = "tag:Name" values = ["vpc0-dummy"] } - filter { - name = "tag:eks-cluster-name" - values = [var.cluster_name] - } + # filter { + # name = "tag:eks-cluster-name" + # values = [var.cluster_name] + # } } resource "aws_vpc" "vpc" { From d8fc592fee9fe603bed97ea6caeda2285b2e5eda Mon Sep 17 00:00:00 2001 
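Review bot: After the `@@ -31,10 +31,10` change, `provider "aws"` with `alias = "self"` carries no configuration, only the commented-out `assume_role` block, so a reader cannot tell whether the alias is intentional or a leftover. Replace the dead block with a one-line comment stating the intent, e.g. `# Alias of the default provider: resources that take aws.self run as the current caller; no role is assumed.` If the role assumption is expected to return, name the condition under which it should rather than keeping commented code in a provider block.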
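Review bot: `data "aws_vpc" "dummy_vpc"` now matches on `tag:Name = "vpc0-dummy"` alone, and `resource "aws_vpc" "vpc"` in this same file (patch 47, `@@ -127,7 +124,7`) creates a VPC with exactly that Name tag; if more than one VPC in the account carries it, the lookup fails as ambiguous, and if only one does it may be another cluster's dummy VPC rather than this configuration's. If the dummy VPC is the one created here, referencing `aws_vpc.vpc.id` directly removes the lookup; otherwise restore the `tag:eks-cluster-name` filter once the tag is applied so the match is bound to a VPC this configuration owns. The `data "aws_vpc" "dummy_vpc"` block starts before the hunk, so any other filters it has are not visible here.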
From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 22:01:35 -0400 Subject: [PATCH 55/59] add subnet tags --- dns_zones.tf | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/dns_zones.tf b/dns_zones.tf index 380900b..c54d080 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -136,6 +136,22 @@ resource "aws_vpc" "vpc" { { "Name" = "vpc0-dummy" }, ) } +# Tag existing subnets for EKS +# Container subnets under data.aws_subnets.container-subnets +# Load Balance subnets under data.aws_subnets.lb-subnets +resource "aws_ec2_tag" "container-subnets" { + for_each = toset(data.aws_subnets.container-subnets.ids) + resource_id = each.value + key = "kubernetes.io/cluster/${var.cluster_name}" + value = "shared" +} + +resource "aws_ec2_tag" "lb-subnets" { + for_each = toset(data.aws_subnets.lb-subnets.ids) + resource_id = each.value + key = "kubernetes.io/role/internal-nlb" + value = "1" +} #### This is the correct way, it's commented because #### the module is throwing an error on the for_each From d6219b0e8092e574e4782312ae5e463298165b38 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 22:04:54 -0400 Subject: [PATCH 56/59] add some data --- aws_data.tf | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/aws_data.tf b/aws_data.tf index c2dfb22..d3b4207 100644 --- a/aws_data.tf +++ b/aws_data.tf 
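Review bot: `aws_ec2_tag.lb-subnets` writes `kubernetes.io/role/internal-nlb = "1"`, which is not a key the AWS Load Balancer Controller reads; the documented subnet-discovery tag for internal load balancers is `kubernetes.io/role/internal-elb` (with `kubernetes.io/role/elb` for internet-facing ones). If the intent is controller auto-discovery, change it to `key = "kubernetes.io/role/internal-elb"`; if it is a custom tag consumed elsewhere, the header comment should say by what. Both resources also iterate `data.aws_subnets.container-subnets` and `data.aws_subnets.lb-subnets`, which only appear in the next commit, so this commit does not plan on its own.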
@@ -5,7 +5,26 @@ data "aws_region" "current" {} data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } - +data "aws_subnets" "container-subnets" { + filter { + name = "tag:Name" + values = [local.container_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} +data "aws_subnets" "lb-subnets" { + filter { + name = "tag:Name" + values = [local.lb_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} locals { base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) From 092d385dfe46cbd565d0410fd7645ed7f786c883 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 29 Jul 2024 22:10:43 -0400 Subject: [PATCH 57/59] subnets --- aws_data.tf | 2 ++ variables.tf | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/aws_data.tf b/aws_data.tf index d3b4207..d3f0127 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -26,6 +26,8 @@ data "aws_subnets" "lb-subnets" { } } locals { + container_subnets_name = var.subnets_name + lb_subnets_name = "*-private-lb-*" base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) common_arn = format("arn:%v:%%v:%v:%v:%%v", diff --git a/variables.tf b/variables.tf index b9043eb..34bb5d4 100644 --- a/variables.tf +++ b/variables.tf 
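Review bot: Both new `aws_subnets` data sources filter `tag:Name` by `local.container_subnets_name` and `local.lb_subnets_name`, which are only defined in the following commit's `locals` hunk, so this commit does not plan on its own. The Name values are EC2 filter globs (the defaults seen later are `*-container-*` and `*-private-lb-*`), so every subnet in the VPC whose Name contains that fragment is selected and then tagged by `aws_ec2_tag`; a comment above each data source such as `# Name is an EC2 glob filter; narrow it when several clusters share this VPC` would make that explicit. The hunk also removes the blank line between `data "aws_arn" "current"` and the new blocks; conventional HCL style keeps one blank line between top-level blocks.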
@@ -32,6 +32,12 @@ variable "subnets_name" { default = "*-container-*" } +variable "lb_subnets_name" { + description = "Define the name of the subnets to be used by this cluster" + type = string + default = "*-container-*" +} + variable "vpc_domain_name" { description = "The DNS domain name of the vpc the cluster is in." type = string From 450b343a5dd69eda70af145243fa07629917c248 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 30 Jul 2024 15:27:21 -0400 Subject: [PATCH 58/59] increment version and add notes to changelog --- README.md | 241 ++------------------------------------------------- aws_data.tf | 6 +- outputs.tf | 8 -- variables.tf | 2 +- version.tf | 5 +- 5 files changed, 15 insertions(+), 247 deletions(-) diff --git a/README.md b/README.md index 4d3cf48..2f5aabd 100644 --- a/README.md +++ b/README.md @@ -13,10 +13,15 @@ coredns kube-proxy # CHANGELOG -- created content in the README - - -## Requirements +* 0.0.3 -- 2024-07-30 + - updated to use karpenter + - misc cleanup +* 0.0.2 -- 2024-07-22 + - updated version.tf to 0.0.2 + - add kube.config update after cluster create + - update ami_type to AL2023 + - update upstream cluster module to 20.20.0 + - created changelog | Name | Version | |------|---------| @@ -88,7 +93,6 @@ kube-proxy ## Outputs -<<<<<<< HEAD | Name | Description | |------|-------------| | [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created | 
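Review bot: `variable "lb_subnets_name"` reuses the description of `subnets_name` (`Define the name of the subnets to be used by this cluster`), so the two variables are indistinguishable in generated docs; a description such as `description = "Name-tag glob of the subnets to tag for internal load balancers"` would say what differs. The `*-container-*` default is corrected to `*-private-lb-*` in the version-bump commit below, but that commit's `variables.tf` hunk keeps the duplicated description.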
@@ -133,230 +137,3 @@ kube-proxy | [vpc\_cni\_irsa\_role](#output\_vpc\_cni\_irsa\_role) | The arn/name/unique\_id of the irsa role for the vpc-cni addon | | [vpc\_id](#output\_vpc\_id) | The VPC id where the EKS cluster was deployed. | -======= -### Module information - -**module_name** - -Description: The name of this module. - - -**module_version** - -Description: The version of this module. - -### Networking information - -**vpc_id** - -Description: The VPC id where the EKS cluster was deployed. - - -**vpc_cidr_block** - -Description: The CIDR block associated with the VPC. - - -**subnets** - -Description: The subnets configured for the VPC. - - -**security_group_all_worker_mgmt_id** - -Description: The security group to manage all of the worker nodes. - - -**cluster_fqdn** - -Description: The `cluster_name`.`domain` - - -### IRSA Roles Created - -**vpc_cni_irsa_role** - -Description: The arn/name/unique_id of the irsa role for the vpc-cni addon - - -**ebs_csi_irsa_role** - -Description: The arn/name/unique_id of the irsa role for the ebs-csi-driver addon - - -**efs_csi_irsa_role** - -Description: The arn/name/unique_id of the irsa role for the efs-csi-driver addon - - -**cluster_iam_role** - -Description: The arn/name/unique_id of the iam role for the cluster - - -### Cluster information - -**cluster_arn** - -Description: The Amazon Resource Name (ARN) of the cluster - - -**cluster_certificate_authority_data** - -Description: Base64 encoded certificate data required to communicate with the cluster - - -**cluster_endpoint** - -Description: Endpoint for your Kubernetes API server - - -**cluster_id** - -Description: The ID of the EKS cluster. 
Note: currently a value is returned only for local EKS clusters created on Outposts - - -**cluster_name** - -Description: The name of the EKS cluster - - -**cluster_version** - -Description: The Kubernetes version for the cluster - - -**cluster_platform_version** - -Description: Platform version for the cluster - - -**cluster_status** - -Description: Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` - - -### KMS Key - -**kms_key_arn** - -Description: The Amazon Resource Name (ARN) of the key - - -**kms_key_id** - -Description: The globally unique identifier for the key - - -**kms_key_policy** - -Description: The IAM resource policy set on the key - - -### Cluster Security Group - -**cluster_security_group_arn** - -Description: Amazon Resource Name (ARN) of the cluster security group - - -**cluster_security_group_id** - -Description: ID of the cluster security group - - -**cluster_primary_security_group_id** - -Description: Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. 
Referred to as 'Cluster security group' in the EKS console - - -### Node Security Group - -**node_security_group_arn** - -Description: Amazon Resource Name (ARN) of the node shared security group - - -**node_security_group_id** - -Description: ID of the node shared security group - - -### IRSA - -**oidc_provider** - -Description: The OpenID Connect identity provider (issuer URL without leading `https://`) - - -**oidc_provider_arn** - -Description: The ARN of the OIDC Provider if `enable_irsa = true` - - -**cluster_oidc_issuer_url** - -Description: The URL on the EKS cluster for the OpenID Connect identity provider - - -**cluster_tls_certificate_sha1_fingerprint** - -Description: The SHA1 fingerprint of the public key of the cluster's certificate - - -### EKS Addons - -**cluster_addons** - -Description: Map of attribute maps for all EKS cluster addons enabled - - -### EKS Identity Provider - -**cluster_identity_providers** - -Description: Map of attribute maps for all EKS identity providers enabled - - -### Cloudwatch Log Group - -**cloudwatch_log_group_arn** - -Description: Arn of cloudwatch log group created - - -**cloudwatch_log_group_name** - -Description: Name of cloudwatch log group created - - -### Fargate profile - -**fargate_profiles** - -Description: Map of attribute maps for all EKS Fargate Profiles created - - -### EKS Managed Node Group - -**eks_managed_node_groups** - -Description: Map of attribute maps for all EKS managed node groups created - - -**eks_managed_node_groups_autoscaling_group_names** - -Description: List of the autoscaling group names created by EKS managed node groups - - -### Self Managed Node Group - -**self_managed_node_groups** - -Description: Map of attribute maps for all self managed node groups created - - -**self_managed_node_groups_autoscaling_group_names** - -Description: List of the autoscaling group names created by self-managed node groups ->>>>>>> 225179a (add changelog and update version) 
diff --git a/aws_data.tf b/aws_data.tf index d3f0127..7dead47 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -27,9 +27,9 @@ data "aws_subnets" "lb-subnets" { } locals { container_subnets_name = var.subnets_name - lb_subnets_name = "*-private-lb-*" - base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) - iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) + lb_subnets_name = var.lb_subnets_name + base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) + iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, diff --git a/outputs.tf b/outputs.tf index dc00bff..d67e519 100644 --- a/outputs.tf +++ b/outputs.tf @@ -16,11 +16,6 @@ output "module_version" { value = local._module_version } -output "_module_providers" { - description = "The providers used in this module." - value = local._module_providers -} - ################################################################################ # Networking information ################################################################################ @@ -285,6 +280,3 @@ output "self_managed_node_groups_autoscaling_group_names" { # output "cluster_autoscaler_role_name" { # value = module.cluster_autoscaler_irsa_role.iam_role_name # } -output "node_group_name" { - value = local.ng_name -} diff --git a/variables.tf b/variables.tf index 34bb5d4..2481239 100644 --- a/variables.tf +++ b/variables.tf 
@@ -35,7 +35,7 @@ variable "subnets_name" { variable "lb_subnets_name" { description = "Define the name of the subnets to be used by this cluster" type = string - default = "*-container-*" + default = "*-private-lb-*" } variable "vpc_domain_name" { diff --git a/version.tf b/version.tf index 1223816..04110bc 100644 --- a/version.tf +++ b/version.tf @@ -1,5 +1,4 @@ locals { - _module_name = "tfmod-eks" - _module_version = "0.0.2" - _module_providers = [] + _module_name = "tfmod-eks" + _module_version = "0.0.3" } From 7631f11085600fa38d8dba6deeac148f9806fa48 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 30 Jul 2024 17:46:01 -0400 Subject: [PATCH 59/59] update changelog --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2f5aabd..47d7d46 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ kube-proxy * 0.0.3 -- 2024-07-30 - updated to use karpenter - misc cleanup + - add hack dns for today until modules work * 0.0.2 -- 2024-07-22 - updated version.tf to 0.0.2 - add kube.config update after cluster create