diff --git a/dns-zone-cat.tf b/dns-zone-cat.tf
deleted file mode 100644
index f41ac1a..0000000
--- a/dns-zone-cat.tf
+++ /dev/null
@@ -1,116 +0,0 @@
-locals {
- cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
- cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- # true for gov, false for cat
- aws_dns_infrastructure = false
- region = var.region
-}
-
-resource "aws_route53_zone" "cluster_domain" {
- name = local.cluster_domain_name
- comment = local.cluster_domain_description
- force_destroy = false
-
- vpc {
- vpc_id = data.aws_vpc.eks_vpc.id
- vpc_region = local.region
- }
-
- lifecycle {
- ignore_changes = [vpc]
- }
-
- tags = merge(
- local.base_tags,
- var.tags,
- tomap({ "Name" = local.cluster_domain_name }),
- )
-}
-
-output "cluster_domain_name" {
- description = "DNS Zone Name"
- value = local.cluster_domain_name
-}
-
-output "cluster_domain_id" {
- description = "DNS Zone ID"
- value = aws_route53_zone.cluster_domain.zone_id
-}
-
-output "cluster_domain_ns" {
- description = "DNS Zone Nameservers"
- value = aws_route53_zone.cluster_domain.name_servers
-}
-
-# # now we need to add the NS records for the new zone to the parent zone
-# data "aws_route53_zone" "parent" {
-# name = var.vpc_domain_name
-# private_zone = true
-# }
-
-# resource "aws_route53_record" "cluster_domain" {
-# allow_overwrite = true
-# name = local.cluster_domain_name
-# type = "NS"
-# ttl = 900
-# zone_id = data.aws_route53_zone.parent.zone_id
-
-# records = aws_route53_zone.cluster_domain.name_servers
-# }
-
-## #---
-## # associate to main do2-govcloud vpc1-services east and west for inbound resolution
-## # NOT in cat
-## #---
-## provider "aws" {
-## alias = "east_main_dns"
-## region = local.aws_dns_infrastructure ? var.region_map["east"] : ""
-## profile = var.main_dns_profile
-## }
-##
-## provider "aws" {
-## alias = "west_main_dns"
-## region = local.aws_dns_infrastructure ? var.region_map["west"] : ""
-## profile = var.main_dns_profile
-## }
-##
-## # resource "aws_route53_vpc_association_authorization" "cluster_domain" {
-## # for_each = var.region_map
-## #
-## # zone_id = aws_route53_zone.cluster_domain.zone_id
-## # vpc_region = each.value
-## # vpc_id = var.main_dns_vpcs[each.value]
-## # }
-##
-## resource "aws_route53_vpc_association_authorization" "west_cluster_domain" {
-## for_each = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {}
-## zone_id = each.value.zone_id
-## vpc_region = "us-gov-west-1"
-## vpc_id = var.main_dns_vpcs["us-gov-west-1"]
-## }
-##
-## resource "aws_route53_vpc_association_authorization" "east_cluster_domain" {
-## for_each = local.aws_dns_infrastructure ? tomap({ "zone" = aws_route53_zone.cluster_domain }) : {}
-## zone_id = each.value.zone_id
-## vpc_region = "us-gov-east-1"
-## vpc_id = var.main_dns_vpcs["us-gov-east-1"]
-## }
-##
-## resource "aws_route53_zone_association" "west_cluster_domain" {
-## provider = aws.west_main_dns
-## for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.west_cluster_domain : {}
-##
-## zone_id = each.value.zone_id
-## vpc_id = each.value.vpc_id
-## vpc_region = each.value.vpc_region
-## }
-##
-## resource "aws_route53_zone_association" "east_cluster_domain" {
-## provider = aws.east_main_dns
-## for_each = local.aws_dns_infrastructure ? aws_route53_vpc_association_authorization.east_cluster_domain : {}
-##
-## zone_id = each.value.zone_id
-## vpc_id = each.value.vpc_id
-## vpc_region = each.value.vpc_region
-## }
-##
diff --git a/dns_zones.tf b/dns_zones.tf
new file mode 100644
index 0000000..e4904f3
--- /dev/null
+++ b/dns_zones.tf
@@ -0,0 +1,236 @@
+locals {
+ vpc_domain_name = coalesce(var.domain, var.vpc_domain_name)
+ cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+ cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
+}
+
+#---
+# network prod
+#---
+provider "aws" {
+ alias = "route53_main_east"
+ profile = var.profile
+ region = var.region_map["east"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+provider "aws" {
+ alias = "route53_main_west"
+ profile = var.profile
+ region = var.region_map["west"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+#---
+# dummy vpc, so we can associate the zone to this account
+#---
+data "aws_vpc" "dummy_vpc" {
+ count = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ filter {
+ name = "tag:Name"
+ values = ["vpc0-dummy"]
+ }
+}
+
+resource "aws_route53_zone" "cluster_domain" {
+ name = local.cluster_domain_name
+ comment = local.cluster_domain_description
+ force_destroy = false
+
+ vpc {
+ vpc_id = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ precondition {
+ condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (! (var.shared_vpc_label == null || var.shared_vpc_label == "") && ! (var.domain == null || var.domain == ""))
+ error_message = "var.domain must be provided when shared VPCs are in use."
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.tags,
+ var.application_tags,
+ { "Name" = local.cluster_domain_name },
+ )
+}
+
+#---
+# need to also associate with network-prod account and this vpc
+#---
+module "route53_cluster_domain_east" {
+ count = local.region == "us-gov-east-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_east
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_cluster_domain_west" {
+ count = local.region == "us-gov-west-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_west
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+
+## # now we need to add the NS records for the new zone to the parent zone
+## data "aws_route53_zone" "parent" {
+## name = var.vpc_domain_name
+## private_zone = true
+## }
+##
+## resource "aws_route53_record" "cluster_domain" {
+## allow_overwrite = true
+## name = local.cluster_domain_name
+## type = "NS"
+## ttl = 900
+## zone_id = data.aws_route53_zone.parent.zone_id
+##
+## records = aws_route53_zone.cluster_domain.name_servers
+## }
+
+output "cluster_domain_name" {
+ description = "DNS Zone Name"
+ value = local.cluster_domain_name
+}
+
+output "cluster_domain_id" {
+ description = "DNS Zone ID"
+ value = aws_route53_zone.cluster_domain.zone_id
+}
+
+output "cluster_domain_ns" {
+ description = "DNS Zone Nameservers"
+ value = aws_route53_zone.cluster_domain.name_servers
+}
+
+#---
+# associate to main do2-govcloud vpc1-services east and west for inbound resolution
+# and to vpc7-endpoints in network prod
+#---
+
+#---
+# network prod
+#---
+provider "aws" {
+ alias = "route53_main"
+ region = var.region_map["east"]
+ profile = var.profile
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+module "route53_main_east" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_main_west" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+#---
+# do2-gov ("legacy")
+#---
+provider "aws" {
+ alias = "route53_main_legacy"
+ region = var.region_map["east"]
+ profile = var.profile
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+ session_name = var.os_username
+ }
+}
+
+module "route53_main_legacy_east" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_legacy
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_main_legacy_west" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_legacy
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
diff --git a/dns_zones.tf.off b/dns_zones.tf.off
deleted file mode 100644
index 20022e8..0000000
--- a/dns_zones.tf.off
+++ /dev/null
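Review bot: All six `module` blocks fetch `aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade`, a branch name rather than a tag or commit SHA, and the code they pull in runs under the cross-account `r-inf-terraform-route53` role in the network-prod and legacy DNS accounts, so any push to that branch silently changes what the next `terraform apply` does with that role. Pin the ref to an immutable identifier, e.g. `?ref=<release tag or 40-char commit sha>`, and bump it deliberately. Separately, the `route53_main_west` module is wired to `aws.peer = aws.route53_main` (region `var.region_map["east"]`) while a `route53_main_west` provider with the west region is declared and used only by `route53_cluster_domain_west`; Route 53 is a global service so this may still work, but the mismatch looks accidental and deserves either a fix or a comment. Note also that `route53_main_east`/`_west` and the two `_legacy` modules carry no `count` guard, so the zone is always authorized into those shared VPCs even when `shared_vpc_label` is unset — if that is intended, a one-line comment saying so would save the next reader from assuming it is an oversight.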
@@ -1,142 +0,0 @@
-#-------------------------------------------------
-# DNS Zone for EKS
-#-------------------------------------------------
-locals {
- cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
- cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
- zone_ids = compact(var.zone_ids)
-}
-#-------------------------------------------------
-# Providers for Cross Account DNS Action
-#-------------------------------------------------
-provider "aws" {
- alias = "self"
- region = var.region_map["east"]
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
- session_name = var.os_username
- }
-}
-
-provider "aws" {
- alias = "route53_main_east"
- region = var.region_map["east"]
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
- session_name = var.os_username
- }
-}
-
-provider "aws" {
- alias = "route53_main_west"
- region = var.region_map["west"]
- assume_role {
- role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
- session_name = var.os_username
- }
-}
-
-#-------------------------------------------------
-# network prod for shared vpcs zones
-#-------------------------------------------------
-
-## Associate between self (vpc8) and network-prod-west
-resource "aws_route53_vpc_association_authorization" "self_zone" {
- provider = aws.self
- for_each = toset(local.zone_ids)
- zone_id = each.key
- vpc_region = var.region_map["west"]
- vpc_id = local.vpc_id
-}
-
-resource "aws_route53_zone_association" "self_zone_west" {
- provider = aws.route53_main_west
- for_each = toset(local.zone_ids)
- zone_id = each.key
- vpc_id = local.vpc_id
- vpc_region = var.region_map["west"]
- depends_on = [aws_route53_vpc_association_authorization.self_zone]
-}
-
-## Associate between self (vpc8) and network-prod-east
-resource "aws_route53_vpc_association_authorization" "self_zone_east" {
- provider = aws.self
- for_each = toset(local.zone_ids)
- zone_id = each.key
- vpc_region = var.region_map["east"]
- vpc_id = local.vpc_id
-}
-
-resource "aws_route53_zone_association" "self_zone_east" {
- provider = aws.route53_main_east
- for_each = toset(local.zone_ids)
- zone_id = each.key
- vpc_id = local.vpc_id
- vpc_region = var.region_map["east"]
- depends_on = [aws_route53_vpc_association_authorization.self_zone]
-}
-
-#---
-# zone list
-#---
-data "aws_route53_zone" "zones" {
- provider = aws.self
- for_each = toset(local.zone_ids)
- zone_id = each.key
- private_zone = true
-}
-
-resource "aws_route53_zone" "cluster_domain" {
- name = local.cluster_domain_name
- comment = local.cluster_domain_description
- force_destroy = false
- depends_on = [
- data.aws_vpc.dummy_vpc
- ]
- vpc {
- vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id
- vpc_region = var.region
- }
-
- lifecycle {
- ignore_changes = [vpc]
- }
-
- tags = merge(
- # local.base_tags,
- # local.common_tags,
- var.tags,
- # var.application_tags,
- { "Name" = local.cluster_domain_name },
- )
-}
-
-## Dummy VPC
-
-#---
-# dummy vpc, so we can associate the zone to this account
-#---
-data "aws_vpc" "dummy_vpc" {
- depends_on = [aws_vpc.vpc]
- count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
- filter {
- name = "tag:Name"
- values = ["vpc0-dummy"]
- }
- filter {
- name = "tag:eks-cluster-name"
- values = [var.cluster_name]
- }
-}
-
-resource "aws_vpc" "vpc" {
- cidr_block = "192.168.0.0/24"
- enable_dns_support = false
- enable_dns_hostnames = false
- tags = merge(
- local.tags,
- { "Name" = "vpc0-dummy" },
- )
-}
diff --git a/variables.tf b/variables.tf
index 7de4c47..aea4b07 100644
--- a/variables.tf
+++ b/variables.tf
@@ -123,28 +123,6 @@ variable "aws_environment" {
 # DNS variables
 ###################################################################
-# variable "main_dns_vpcs" {
-# description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
-# type = map(string)
-# default = {
-# "us-gov-west-1" = "vpc-77877a12"
-# "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
-# }
-# }
-
-# variable "main_dns_profile" {
-# description = "Profile name for AWS for the main DNS central account"
-# type = string
-# default = "107742151971-do2-govcloud"
-# }
-
-
-# variable "dns_zone_description_prefix" {
-# description = "Zone description with the org-project-program-environment"
-# type = string
-# default = ""
-# }
-
 variable "region_map" {
 description = "AWS region map"
 type = map(string)
@@ -163,3 +141,12 @@ variable "route53_endpoints" {
 }
 }
 }
+
+#--
+# lab-gov
+#--
+main_dns_vpcs = {
+ "us-gov-east-1" = "vpc-070595c5b133243dd"
+ "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
+}
+main_dns_profile = " "269244441389-lab-gov-network-nonprod"
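Review bot: The nine added lines put bare top-level attributes (`main_dns_vpcs = { … }`, `main_dns_profile = …`) into variables.tf, which HCL does not accept in a `.tf` file — this is tfvars syntax — and the first hunk of this same file deletes the commented-out `variable "main_dns_vpcs"` / `variable "main_dns_profile"` declarations they would need, while the new dns_zones.tf reads `var.route53_endpoints` and `var.profile` instead, so nothing consumes these values. The last line also appears to carry an unbalanced quote, `main_dns_profile = " "269244441389-lab-gov-network-nonprod"`; if that is the committed text rather than an extraction artifact, `terraform validate` will reject it, and the intended value is presumably `main_dns_profile = "269244441389-lab-gov-network-nonprod"`. I would move the block into an environment tfvars file (e.g. `lab-gov.tfvars`) and reinstate typed `variable` declarations for the two names, or drop it entirely if `route53_endpoints` has superseded it. Literal VPC IDs and an account-number-bearing profile name are environment data rather than module code; keeping them out of the shared `.tf` is also what keeps this module reusable across the gov and lab accounts.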