diff --git a/dns_zones.tf b/dns_zones.tf
index fc76398..1dcb9af 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -1,17 +1,19 @@
+#-------------------------------------------------
+# DNS Zone for EKS
+#-------------------------------------------------
 locals {
- vpc_domain_name = var.vpc_domain_name
- cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+ cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- region = var.region
- zone_ids = compact(var.zone_ids)
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
+ zone_ids = compact(var.zone_ids)
 }
-
-#---
-# network prod
-#---
+#-------------------------------------------------
+# Providers for Cross Account DNS Action
+#-------------------------------------------------
 provider "aws" {
- alias = "route53_main_east"
- region = var.region_map["east"]
+ alias = "route53_main_east"
+ region = var.region_map["east"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
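Review bot: The two locals added to `locals` in this hunk, `account_environment` and `region_short`, are not referenced anywhere in the visible diff, and the non-GovCloud branch value `"ew"` reads like a placeholder rather than an environment name. If they are consumed by another file, a one-line comment such as `# consumed by resource naming elsewhere; "ew" = commercial partition` would save the next reader the search; otherwise they should be dropped. Removing `local.region` and `local.vpc_domain_name` is only safe if no other file in the module still references them — the old `aws_route53_zone.cluster_domain` block used `local.region`, so a grep across the module is worth doing before merge.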
@@ -19,48 +21,52 @@ provider "aws" {
 }
 provider "aws" {
- alias = "route53_main_west"
- region = var.region_map["west"]
+ alias = "route53_main_west"
+ region = var.region_map["west"]
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
 }
 }
-provider "aws" {
- alias = "self"
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
- session_name = var.os_username
- }
-}
-#---
-# dummy vpc, so we can associate the zone to this account
-#---
-data "aws_vpc" "dummy_vpc" {
+#-------------------------------------------------
+# network prod for shared vpcs zones
+#-------------------------------------------------
+
+## Associate between self (vpc8) and network-prod-west
+resource "aws_route53_vpc_association_authorization" "self_zone" {
 provider = aws.self
- depends_on = [aws_vpc.vpc]
- count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- filter {
- name = "tag:Name"
- values = ["vpc0-dummy"]
- }
- filter {
- name = "tag:eks-cluster-name"
- values = [var.cluster_name]
- }
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_region = var.region_map["west"]
+ vpc_id = var.vpc_id
 }
-## Dummy VPC
-resource "aws_vpc" "vpc" {
+resource "aws_route53_zone_association" "self_zone_west" {
+ provider = aws.route53_main_west
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_id = var.vpc_id
+ vpc_region = var.region_map["west"]
+ depends_on = [aws_route53_vpc_association_authorization.self_zone]
+}
+
+## Associate between self (vpc8) and network-prod-east
+resource "aws_route53_vpc_association_authorization" "self_zone_east" {
 provider = aws.self
- cidr_block = "192.168.0.0/24"
- enable_dns_support = false
- enable_dns_hostnames = false
- tags = merge(
- var.tags,
- { "Name" = "vpc0-dummy" },
- )
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_region = var.region_map["east"]
+ vpc_id = var.vpc_id
+}
+
+resource "aws_route53_zone_association" "self_zone_east" {
+ provider = aws.route53_main_east
+ for_each = toset(local.zone_ids)
+ zone_id = each.key
+ vpc_id = var.vpc_id
+ vpc_region = var.region_map["east"]
+ depends_on = [aws_route53_vpc_association_authorization.self_zone]
 }
 #---
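Review bot: `aws_route53_zone_association.self_zone_east` declares `depends_on = [aws_route53_vpc_association_authorization.self_zone]`, which is the west authorization, so the east association can be attempted before `self_zone_east` exists and the cross-account association will be rejected; it should read `depends_on = [aws_route53_vpc_association_authorization.self_zone_east]`. The same `var.vpc_id` is also passed with both `vpc_region = var.region_map["west"]` and `var.region_map["east"]`, but a VPC ID belongs to exactly one region, so at most one of the two east/west pairs can succeed — the old modules gated on `local.region == "us-gov-east-1"` and the commented-out variant used a per-region map, and one of those mechanisms is missing here. Finally, the `aws.self` provider block is deleted in this hunk while both authorization resources still set `provider = aws.self`; unless that alias is declared in another file of the module, `terraform validate` will fail on the missing provider configuration. Since the authorization is what lets a VPC in the network-prod account resolve these private zones, it is worth pinning the region/VPC pairing explicitly rather than relying on the provider default.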
@@ -74,163 +80,294 @@ data "aws_route53_zone" "zones" {
 }
 resource "aws_route53_zone" "cluster_domain" {
- provider = aws.self
 name = local.cluster_domain_name
 comment = local.cluster_domain_description
 force_destroy = false
-
+ depends_on = [
+ data.aws_vpc.dummy_vpc
+ ]
 vpc {
- vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
- vpc_region = local.region
+ vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id
+ vpc_region = var.region
 }
 lifecycle {
 ignore_changes = [vpc]
- precondition {
- condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == ""))
- error_message = "var.vpc_domain_name must be provided when shared VPCs are in use."
- }
 }
 tags = merge(
+ local.base_tags,
+ local.common_tags,
 var.tags,
+ var.application_tags,
 { "Name" = local.cluster_domain_name },
 )
 }
+## Dummy VPC
+
 #---
-# need to also associate with network-prod account and this vpc
+# dummy vpc, so we can associate the zone to this account
 #---
-module "route53_cluster_domain_east" {
-
- count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main_east
+data "aws_vpc" "dummy_vpc" {
+ depends_on = [aws_vpc.vpc]
+ count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ filter {
+ name = "tag:Name"
+ values = ["vpc0-dummy"]
 }
-
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-east-1"
- vpc_id = data.aws_vpc.eks_vpc.id
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
- tags = var.tags
-}
-
-module "route53_cluster_domain_west" {
-
- count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- providers = {
- aws.self = aws
- aws.peer = aws.route53_main_west
+ filter {
+ name = "tag:eks-cluster-name"
+ values = [var.cluster_name]
 }
-
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
- region = "us-gov-west-1"
- vpc_id = data.aws_vpc.eks_vpc.id
- zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
- tags = var.tags
-}
-
-output "cluster_domain_name" {
- description = "DNS Zone Name"
- value = local.cluster_domain_name
-}
-
-output "cluster_domain_id" {
- description = "DNS Zone ID"
- value = aws_route53_zone.cluster_domain.zone_id
 }
-output "cluster_domain_ns" {
- description = "DNS Zone Nameservers"
- value = aws_route53_zone.cluster_domain.name_servers
+resource "aws_vpc" "vpc" {
+ cidr_block = "192.168.0.0/24"
+ enable_dns_support = false
+ enable_dns_hostnames = false
+ tags = merge(
+ local.base_tags,
+ { "Name" = "vpc0-dummy" },
+ )
 }
-#---
-# associate to main do2-govcloud vpc1-services east and west for inbound resolution
-# and to vpc7-endpoints in network prod
-#---
+#### This is the correct way, it's commented because
+#### the module is throwing an error on the for_each
+#### in the module.
+# locals { +# vpc_domain_name = var.vpc_domain_name +# cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) +# cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) +# region = var.region +# zone_ids = compact(var.zone_ids) +# } # #--- # # network prod # #--- # provider "aws" { -# alias = "route53_main" +# alias = "route53_main_east" # region = var.region_map["east"] -# profile = var.profile # assume_role { # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) # session_name = var.os_username # } # } -# module "route53_main_east" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main +# provider "aws" { +# alias = "route53_main_west" +# region = var.region_map["west"] +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# session_name = var.os_username # } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-east-1" -# vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags # } -# module "route53_main_west" { -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main +# provider "aws" { +# alias = "self" +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) +# session_name = var.os_username # } +# } +# #--- +# # dummy vpc, so we can associate the zone to this account +# #--- +# data "aws_vpc" "dummy_vpc" { +# provider = aws.self +# depends_on = [aws_vpc.vpc] +# count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 +# filter { +# name = "tag:Name" +# values = ["vpc0-dummy"] +# } +# filter { +# name = "tag:eks-cluster-name" +# values = [var.cluster_name] +# } +# } -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-west-1" -# vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] +# ## Dummy VPC +# resource "aws_vpc" "vpc" { +# provider = aws.self +# cidr_block = "192.168.0.0/24" +# enable_dns_support = false +# enable_dns_hostnames = false +# tags = merge( +# var.tags, +# { "Name" = "vpc0-dummy" }, +# ) +# } -# tags = var.tags +# #--- +# # zone list +# #--- +# data "aws_route53_zone" "zones" { +# provider = aws.self +# for_each = toset(local.zone_ids) +# zone_id = each.key +# private_zone = true # } -#--- -# do2-gov ("legacy") -#--- -# provider "aws" { -# alias = "route53_main_legacy" -# region = var.region_map["east"] -# profile = var.profile -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) -# session_name = var.os_username +# resource "aws_route53_zone" "cluster_domain" { +# provider = aws.self +# name = local.cluster_domain_name +# comment = local.cluster_domain_description +# force_destroy = false + +# vpc { +# vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id +# vpc_region = local.region # } + +# lifecycle { +# ignore_changes = [vpc] +# precondition { +# condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) +# error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." 
+# } +# } + +# tags = merge( +# var.tags, +# { "Name" = local.cluster_domain_name }, +# ) # } -# module "route53_main_legacy_east" { +# #--- +# # need to also associate with network-prod account and this vpc +# #--- +# module "route53_cluster_domain_east" { + +# count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 # providers = { # aws.self = aws -# aws.peer = aws.route53_main_legacy +# aws.peer = aws.route53_main_east # } # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" # region = "us-gov-east-1" -# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] +# vpc_id = data.aws_vpc.eks_vpc.id # zone_ids = [aws_route53_zone.cluster_domain.zone_id] # tags = var.tags # } -# module "route53_main_legacy_west" { +# module "route53_cluster_domain_west" { + +# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 # providers = { # aws.self = aws -# aws.peer = aws.route53_main_legacy +# aws.peer = aws.route53_main_west # } # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" # region = "us-gov-west-1" -# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] +# vpc_id = data.aws_vpc.eks_vpc.id # zone_ids = [aws_route53_zone.cluster_domain.zone_id] # tags = var.tags # } + +# output "cluster_domain_name" { +# description = "DNS Zone Name" +# value = local.cluster_domain_name +# } + +# output "cluster_domain_id" { +# description = "DNS Zone ID" +# value = aws_route53_zone.cluster_domain.zone_id +# } + +# output "cluster_domain_ns" { +# description = "DNS Zone Nameservers" +# value = aws_route53_zone.cluster_domain.name_servers +# } + +# #--- +# # associate to main do2-govcloud vpc1-services east and west for inbound resolution +# # and to vpc7-endpoints in network prod +# #--- + +# # #--- +# # # network prod +# # #--- +# # provider "aws" { +# # alias = "route53_main" +# # region = var.region_map["east"] +# # profile = var.profile +# # assume_role { +# # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# # session_name = var.os_username +# # } +# # } + +# # module "route53_main_east" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main +# # } + +# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-east-1" +# # vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } + +# # module "route53_main_west" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main +# # } + +# # source = 
"git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-west-1" +# # vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } + +# #--- +# # do2-gov ("legacy") +# #--- +# # provider "aws" { +# # alias = "route53_main_legacy" +# # region = var.region_map["east"] +# # profile = var.profile +# # assume_role { +# # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) +# # session_name = var.os_username +# # } +# # } + +# # module "route53_main_legacy_east" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main_legacy +# # } + +# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-east-1" +# # vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # } + +# # module "route53_main_legacy_west" { +# # providers = { +# # aws.self = aws +# # aws.peer = aws.route53_main_legacy +# # } + +# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# # region = "us-gov-west-1" +# # vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] +# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# # tags = var.tags +# # }