without modules

SCT-Engineering · Jul 30, 2024 · fc42c4b · fc42c4b
1 parent af7ec5f
commit fc42c4b
Showing 1 changed file with 76 additions and 179 deletions.
diff --git a/dns_zones.tf b/dns_zones.tf
@@ -1,66 +1,72 @@
+#-------------------------------------------------
+# DNS Zone for EKS 
+#-------------------------------------------------
 locals {
-  vpc_domain_name            = var.vpc_domain_name
-  cluster_domain_name        = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+  cluster_domain_name        = format("%v.%v", var.cluster_name, var.vpc_domain_name)
   cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
-  region                     = var.region
-  zone_ids = compact(var.zone_ids)
+  account_environment        = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region_short               = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
+  zone_ids                   = compact(var.zone_ids)
 }
-
-#---
-# network prod
-#---
+#-------------------------------------------------
+# Providers for Cross Account DNS Action 
+#-------------------------------------------------
 provider "aws" {
-  alias   = "route53_main_east"
-  region  = var.region_map["east"]
+  alias  = "route53_main_east"
+  region = var.region_map["east"]
   assume_role {
     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
     session_name = var.os_username
   }
 }
 
 provider "aws" {
-  alias   = "route53_main_west"
-  region  = var.region_map["west"]
+  alias  = "route53_main_west"
+  region = var.region_map["west"]
   assume_role {
     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
     session_name = var.os_username
   }
 }
 
-provider "aws" {
-  alias = "self"
-  assume_role {
-    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
-    session_name = var.os_username
-  }
-}
-#---
-# dummy vpc, so we can associate the zone to this account
-#---
-data "aws_vpc" "dummy_vpc" {
+#-------------------------------------------------
+# network prod for shared vpcs zones
+#-------------------------------------------------
+
+## Associate between self (vpc8) and network-prod-west
+resource "aws_route53_vpc_association_authorization" "self_zone" {
   provider   = aws.self
-  depends_on = [aws_vpc.vpc]
-  count      = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
-  filter {
-    name   = "tag:Name"
-    values = ["vpc0-dummy"]
-  }
-  filter {
-    name   = "tag:eks-cluster-name"
-    values = [var.cluster_name]
-  }
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_region = var.region_map["west"]
+  vpc_id     = var.vpc_id
 }
 
-## Dummy VPC
-resource "aws_vpc" "vpc" {
+resource "aws_route53_zone_association" "self_zone_west" {
+  provider   = aws.route53_main_west
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_id     = var.vpc_id
+  vpc_region = var.region_map["west"]
+  depends_on = [aws_route53_vpc_association_authorization.self_zone]
+}
+
+## Associate between self (vpc8) and network-prod-east
+resource "aws_route53_vpc_association_authorization" "self_zone_east" {
   provider   = aws.self
-  cidr_block           = "192.168.0.0/24"
-  enable_dns_support   = false
-  enable_dns_hostnames = false
-  tags = merge(
-    var.tags,
-    { "Name" = "vpc0-dummy" },
-  )
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_region = var.region_map["east"]
+  vpc_id     = var.vpc_id
+}
+
+resource "aws_route53_zone_association" "self_zone_east" {
+  provider   = aws.route53_main_east
+  for_each   = toset(local.zone_ids)
+  zone_id    = each.key
+  vpc_id     = var.vpc_id
+  vpc_region = var.region_map["east"]
+  depends_on = [aws_route53_vpc_association_authorization.self_zone]
 }
 
 #---
@@ -74,163 +80,54 @@ data "aws_route53_zone" "zones" {
 }
 
 resource "aws_route53_zone" "cluster_domain" {
-  provider   = aws.self
   name          = local.cluster_domain_name
   comment       = local.cluster_domain_description
   force_destroy = false
-
+  depends_on = [
+    data.aws_vpc.dummy_vpc
+  ]
   vpc {
-    vpc_id     = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
-    vpc_region = local.region
+    vpc_id     = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id
+    vpc_region = var.region
   }
 
   lifecycle {
     ignore_changes = [vpc]
-    precondition {
-      condition     = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == ""))
-      error_message = "var.vpc_domain_name must be provided when shared VPCs are in use."
-    }
   }
 
   tags = merge(
+    local.base_tags,
+    local.common_tags,
     var.tags,
+    var.application_tags,
     { "Name" = local.cluster_domain_name },
   )
 }
 
+## Dummy VPC
+
 #---
-# need to also associate with network-prod account and this vpc
+# dummy vpc, so we can associate the zone to this account
 #---
-module "route53_cluster_domain_east" {
-
-  count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
-  providers = {
-    aws.self = aws
-    aws.peer = aws.route53_main_east
+data "aws_vpc" "dummy_vpc" {
+  depends_on = [aws_vpc.vpc]
+  count      = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+  filter {
+    name   = "tag:Name"
+    values = ["vpc0-dummy"]
   }
-
-  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-  region   = "us-gov-east-1"
-  vpc_id   = data.aws_vpc.eks_vpc.id
-  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
-  tags = var.tags
-}
-
-module "route53_cluster_domain_west" {
-
-  count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
-  providers = {
-    aws.self = aws
-    aws.peer = aws.route53_main_west
+  filter {
+    name   = "tag:eks-cluster-name"
+    values = [var.cluster_name]
   }
-
-  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-  region   = "us-gov-west-1"
-  vpc_id   = data.aws_vpc.eks_vpc.id
-  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
-  tags = var.tags
 }
 
-output "cluster_domain_name" {
-  description = "DNS Zone Name"
-  value       = local.cluster_domain_name
-}
-
-output "cluster_domain_id" {
-  description = "DNS Zone ID"
-  value       = aws_route53_zone.cluster_domain.zone_id
-}
-
-output "cluster_domain_ns" {
-  description = "DNS Zone Nameservers"
-  value       = aws_route53_zone.cluster_domain.name_servers
+resource "aws_vpc" "vpc" {
+  cidr_block           = "192.168.0.0/24"
+  enable_dns_support   = false
+  enable_dns_hostnames = false
+  tags = merge(
+    local.base_tags,
+    { "Name" = "vpc0-dummy" },
+  )
 }
-
-#---
-# associate to main do2-govcloud vpc1-services east and west for inbound resolution
-# and to vpc7-endpoints in network prod
-#---
-
-# #---
-# # network prod
-# #---
-# provider "aws" {
-#   alias   = "route53_main"
-#   region  = var.region_map["east"]
-#   profile = var.profile
-#   assume_role {
-#     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
-#     session_name = var.os_username
-#   }
-# }
-
-# module "route53_main_east" {
-#   providers = {
-#     aws.self = aws
-#     aws.peer = aws.route53_main
-#   }
-
-#   source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-#   region   = "us-gov-east-1"
-#   vpc_id   = var.route53_endpoints["route53_main"]["us-gov-east-1"]
-#   zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
-#   tags = var.tags
-# }
-
-# module "route53_main_west" {
-#   providers = {
-#     aws.self = aws
-#     aws.peer = aws.route53_main
-#   }
-
-#   source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-#   region   = "us-gov-west-1"
-#   vpc_id   = var.route53_endpoints["route53_main"]["us-gov-west-1"]
-#   zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
-#   tags = var.tags
-# }
-
-#---
-# do2-gov ("legacy")
-#---
-# provider "aws" {
-#   alias   = "route53_main_legacy"
-#   region  = var.region_map["east"]
-#   profile = var.profile
-#   assume_role {
-#     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
-#     session_name = var.os_username
-#   }
-# }
-
-# module "route53_main_legacy_east" {
-#   providers = {
-#     aws.self = aws
-#     aws.peer = aws.route53_main_legacy
-#   }
-
-#   source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-#   region   = "us-gov-east-1"
-#   vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
-#   zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
-#   tags = var.tags
-# }
-
-# module "route53_main_legacy_west" {
-#   providers = {
-#     aws.self = aws
-#     aws.peer = aws.route53_main_legacy
-#   }
-
-#   source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
-#   region   = "us-gov-west-1"
-#   vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
-#   zone_ids = [aws_route53_zone.cluster_domain.zone_id]
-
-#   tags = var.tags
-# }