dns stuff

SCT-Engineering · Jul 30, 2024 · b4c17b5 · b4c17b5
1 parent 97735fd
commit b4c17b5
Show file tree

Hide file tree

Showing 3 changed files with 318 additions and 0 deletions.
diff --git a/dns-zone.tf b/dns-zone.tf
@@ -0,0 +1,128 @@
+locals {
+  cluster_domain_name        = format("%v.%v", var.cluster_name, var.vpc_domain_name)
+  cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
+  # true for gov, false for cat
+  aws_dns_infrastructure     = false
+}
+
+resource "aws_route53_zone" "cluster_domain" {
+  name          = local.cluster_domain_name
+  comment       = local.cluster_domain_description
+  force_destroy = false
+
+  vpc {
+    vpc_id     = data.aws_vpc.eks_vpc.id
+    vpc_region = local.region
+  }
+
+  ##   dynamic "vpc" {
+  ##     for_each = true ? var.region_map : {}
+  ##     iterator = r
+  ##     content {
+  ##       vpc_id     = var.main_dns_vpcs[r.value]
+  ##       vpc_region = r.value
+  ##     }
+  ##   }
+
+  lifecycle {
+    ignore_changes = [vpc]
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.tags,
+    var.application_tags,
+    tomap({ "Name" = local.cluster_domain_name }),
+  )
+
+  #  depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ]
+}
+
+output "cluster_domain_name" {
+  description = "DNS Zone Name"
+  value       = local.cluster_domain_name
+}
+
+output "cluster_domain_id" {
+  description = "DNS Zone ID"
+  value       = aws_route53_zone.cluster_domain.zone_id
+}
+
+output "cluster_domain_ns" {
+  description = "DNS Zone Nameservers"
+  value       = aws_route53_zone.cluster_domain.name_servers
+}
+
+# now we need to add the NS records for the new zone to the parent zone
+data "aws_route53_zone" "parent" {
+  name         = var.vpc_domain_name
+  private_zone = true
+}
+
+resource "aws_route53_record" "cluster_domain" {
+  allow_overwrite = true
+  name            = local.cluster_domain_name
+  type            = "NS"
+  ttl             = 900
+  zone_id         = data.aws_route53_zone.parent.zone_id
+
+  records = aws_route53_zone.cluster_domain.name_servers
+}
+
+## #---
+## # associate to main do2-govcloud vpc1-services east and west for inbound resolution
+## # NOT in cat
+## #---
+## provider "aws" {
+##   alias   = "east_main_dns"
+##   region  = local.aws_dns_infrastructure ? var.region_map["east"] : ""
+##   profile = var.main_dns_profile
+## }
+## 
+## provider "aws" {
+##   alias   = "west_main_dns"
+##   region  = local.aws_dns_infrastructure ? var.region_map["west"] : ""
+##   profile = var.main_dns_profile
+## }
+## 
+## # resource "aws_route53_vpc_association_authorization" "cluster_domain" {
+## #   for_each = var.region_map
+## # 
+## #   zone_id    = aws_route53_zone.cluster_domain.zone_id
+## #   vpc_region = each.value
+## #   vpc_id     = var.main_dns_vpcs[each.value]
+## # }
+## 
+## resource "aws_route53_vpc_association_authorization" "west_cluster_domain" {
+##   for_each   = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {}
+##   zone_id    = each.value.zone_id
+##   vpc_region = "us-gov-west-1"
+##   vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
+## }
+## 
+## resource "aws_route53_vpc_association_authorization" "east_cluster_domain" {
+##   for_each   = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {}
+##   zone_id    = each.value.zone_id
+##   vpc_region = "us-gov-east-1"
+##   vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
+## }
+## 
+## resource "aws_route53_zone_association" "west_cluster_domain" {
+##   provider = aws.west_main_dns
+##   for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.west_cluster_domain : {}
+## 
+##   zone_id    = each.value.zone_id
+##   vpc_id     = each.value.vpc_id
+##   vpc_region = each.value.vpc_region
+## }
+## 
+## resource "aws_route53_zone_association" "east_cluster_domain" {
+##   provider = aws.east_main_dns
+##   for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.east_cluster_domain : {}
+## 
+##   zone_id    = each.value.zone_id
+##   vpc_id     = each.value.vpc_id
+##   vpc_region = each.value.vpc_region
+## }
+## 
diff --git a/dns_zones.tf.off b/dns_zones.tf.off
@@ -0,0 +1,142 @@
+#-------------------------------------------------
+# DNS Zone for EKS 
+#-------------------------------------------------
+locals {
+  cluster_domain_name        = format("%v.%v", var.cluster_name, var.vpc_domain_name)
+  cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
+  account_environment        = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region_short               = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+  zone_ids                   = compact(var.zone_ids)
+}
+#-------------------------------------------------
+# Providers for Cross Account DNS Action 
+#-------------------------------------------------
+provider "aws" {
+  alias  = "self"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+provider "aws" {
+  alias  = "route53_main_east"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+provider "aws" {
+  alias  = "route53_main_west"
+  region = var.region_map["west"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+#-------------------------------------------------
+# network prod for shared vpcs zones
+#-------------------------------------------------
+
+## Associate between self (vpc8) and network-prod-west
+resource "aws_route53_vpc_association_authorization" "self_zone" {
+  provider   = aws.self
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_region = var.region_map["west"]
+  vpc_id     = local.vpc_id
+}
+
+resource "aws_route53_zone_association" "self_zone_west" {
+  provider   = aws.route53_main_west
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_id     = local.vpc_id
+  vpc_region = var.region_map["west"]
+  depends_on = [aws_route53_vpc_association_authorization.self_zone]
+}
+
+## Associate between self (vpc8) and network-prod-east
+resource "aws_route53_vpc_association_authorization" "self_zone_east" {
+  provider   = aws.self
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_region = var.region_map["east"]
+  vpc_id     = local.vpc_id
+}
+
+resource "aws_route53_zone_association" "self_zone_east" {
+  provider   = aws.route53_main_east
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_id     = local.vpc_id
+  vpc_region = var.region_map["east"]
+  depends_on = [aws_route53_vpc_association_authorization.self_zone]
+}
+
+#---
+# zone list
+#---
+data "aws_route53_zone" "zones" {
+  provider     = aws.self
+  for_each     = toset(local.zone_ids)
+  zone_id      = each.key
+  private_zone = true
+}
+
+resource "aws_route53_zone" "cluster_domain" {
+  name          = local.cluster_domain_name
+  comment       = local.cluster_domain_description
+  force_destroy = false
+  depends_on = [
+    data.aws_vpc.dummy_vpc
+  ]
+  vpc {
+    vpc_id     = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id
+    vpc_region = var.region
+  }
+
+  lifecycle {
+    ignore_changes = [vpc]
+  }
+
+  tags = merge(
+    # local.base_tags,
+    # local.common_tags,
+    var.tags,
+    # var.application_tags,
+    { "Name" = local.cluster_domain_name },
+  )
+}
+
+## Dummy VPC
+
+#---
+# dummy vpc, so we can associate the zone to this account
+#---
+data "aws_vpc" "dummy_vpc" {
+  depends_on = [aws_vpc.vpc]
+  count      = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+  filter {
+    name   = "tag:Name"
+    values = ["vpc0-dummy"]
+  }
+  filter {
+    name   = "tag:eks-cluster-name"
+    values = [var.cluster_name]
+  }
+}
+
+resource "aws_vpc" "vpc" {
+  cidr_block           = "192.168.0.0/24"
+  enable_dns_support   = false
+  enable_dns_hostnames = false
+  tags = merge(
+    local.tags,
+    { "Name" = "vpc0-dummy" },
+  )
+}
diff --git a/variables.tf b/variables.tf
@@ -112,3 +112,51 @@ variable "aws_environment" {
   type        = string
   default     = ""
 }
+
+###################################################################
+# DNS variables
+###################################################################
+
+variable "main_dns_vpcs" {
+  description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
+  type        = map(string)
+  default = {
+    "us-gov-west-1" = "vpc-77877a12"
+    "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+  }
+}
+
+variable "main_dns_profile" {
+  description = "Profile name for AWS for the main DNS central account"
+  type        = string
+  default     = "107742151971-do2-govcloud"
+}
+
+
+variable "dns_zone_description_prefix" {
+  description = "Zone description with the org-project-program-environment"
+  type        = string
+  default     = ""
+}
+
+variable "region_map" {
+  description = "AWS region map"
+  type        = map(string)
+}
+
+variable "route53_endpoints" {
+  description = "Map of target route53 endpoints (for inbound) central VPCs"
+  type        = map(map(string))
+  default = {
+    route53_main = {
+      "account_id"    = "057405694017"
+      "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+      "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+    }
+    route53_main_legacy = {
+      "account_id"    = "107742151971"
+      "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+      "us-gov-west-1" = "vpc-77877a12"
+    }
+  }
+}