From 35ae6cd81d2c8246a78f1eac66d4a5d9d81fd16a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 18 Sep 2024 19:02:20 -0400 Subject: [PATCH 1/8] =?UTF-8?q?=F0=9F=90=9B=20fix(dns=5Fzones.tf):=20remov?= =?UTF-8?q?ed=20dummy=20vpc=20resource=20added=20precondition=20check=20fo?= =?UTF-8?q?r=20aws=5Fec2=5Ftag=20based=20on=20count=20of=20tags=20on=20sub?= =?UTF-8?q?net?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 19 ++- aws_data.tf | 11 ++ dns_zones.tf | 377 ++++++++------------------------------------------- outputs.tf | 14 ++ variables.tf | 6 - 5 files changed, 93 insertions(+), 334 deletions(-) diff --git a/README.md b/README.md index 33aa2f4..3c36609 100644 --- a/README.md +++ b/README.md @@ -85,11 +85,9 @@ Change logs are auto-generated with commitizen. | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.14.0 | -| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | >= 5.14.0 | -| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | >= 5.14.0 | -| [aws.self](#provider\_aws.self) | >= 5.14.0 | -| [null](#provider\_null) | >= 3.2.1 | +| [aws](#provider\_aws) | 5.67.0 | +| [aws.self](#provider\_aws.self) | 5.67.0 | +| [null](#provider\_null) | 3.2.3 | ## Modules 
@@ -99,6 +97,8 @@ Change logs are auto-generated with commitizen. | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.24.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | +| [route53\_cluster\_domain\_east](#module\_route53\_cluster\_domain\_east) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone | tf-upgrade | +| [route53\_cluster\_domain\_west](#module\_route53\_cluster\_domain\_west) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone | tf-upgrade | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | ## Resources 
@@ -106,15 +106,10 @@ Change logs are auto-generated with commitizen. | Name | Type | |------|------| | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | -| [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | -| [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | -| [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | -| [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | 
[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | @@ -157,7 +152,6 @@ Change logs are auto-generated with commitizen. | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | | [vpc\_domain\_name](#input\_vpc\_domain\_name) | The DNS domain name of the vpc the cluster is in. | `string` | n/a | yes | | [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes | -| [zone\_ids](#input\_zone\_ids) | List of Route53 PHZ IDs to associate with a (local/remote) VPC | `list(string)` | `[]` | no | ## Outputs @@ -169,6 +163,9 @@ Change logs are auto-generated with commitizen. | [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | | [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | +| [cluster\_domain\_id](#output\_cluster\_domain\_id) | DNS Zone ID | +| [cluster\_domain\_name](#output\_cluster\_domain\_name) | DNS Zone Name | +| [cluster\_domain\_ns](#output\_cluster\_domain\_ns) | DNS Zone Nameservers | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_fqdn](#output\_cluster\_fqdn) | The cluster\_name.domain | | [cluster\_iam\_role](#output\_cluster\_iam\_role) | The arn/name/unique\_id of the iam role for the cluster | diff --git a/aws_data.tf b/aws_data.tf index fb1697a..fd2636d 100644 --- a/aws_data.tf +++ b/aws_data.tf 
@@ -5,3 +5,14 @@ data "aws_region" "current" {}
 data "aws_arn" "current" {
 arn = data.aws_caller_identity.current.arn
 }
+
+data "aws_subnets" "container_subnets" {
+ filter {
+ name = "tag:Name"
+ values = [local.container_subnets_name]
+ }
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.eks_vpc.id]
+ }
+}
diff --git a/dns_zones.tf b/dns_zones.tf
index 0c5b1fd..cf1ce39 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -5,22 +5,16 @@
 #-------------------------------------------------
 # Locals
 #-------------------------------------------------
-data "aws_subnets" "container_subnets" {
- filter {
- name = "tag:Name"
- values = [local.container_subnets_name]
- }
- filter {
- name = "vpc-id"
- values = [data.aws_vpc.eks_vpc.id]
- }
-}
+
 locals {
- container_subnets_name = var.subnets_name
- cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
 cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- zone_ids = compact(var.zone_ids)
+ cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+ container_subnets_name = var.subnets_name
+ max_tag_count = 47
+ region = var.region
+ vpc_domain_name = var.vpc_domain_name
 }
+
 #-------------------------------------------------
 # Providers for Cross Account DNS Action
 #-------------------------------------------------
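Review bot: `region = var.region` in the new locals can be the empty string — the README table in this series documents `var.region` with default `""` — and `local.region` is then used as the zone's `vpc_region` and compared against hard-coded region names by the association modules added later in this file, so an unset region either errors or quietly creates no association. Falling back to the provider's region closes that gap: `region = coalesce(var.region, data.aws_region.current.name)`, using the `data "aws_region" "current"` already declared in aws_data.tf. `max_tag_count = 47` is a bare number whose purpose only becomes clear in a later hunk; a comment such as `# leaves headroom under the AWS per-resource tag quota (50) so one more tag can still be added` belongs on that line.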
@@ -50,60 +44,48 @@ provider "aws" { } } -#------------------------------------------------- -# network prod for shared vpcs zones -#------------------------------------------------- - -## Associate between self (vpc8) and network-prod-west -resource "aws_route53_vpc_association_authorization" "self_zone" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["west"] - vpc_id = data.aws_vpc.eks_vpc.id -} - -resource "aws_route53_zone_association" "self_zone_west" { - provider = aws.route53_main_west - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = data.aws_vpc.eks_vpc.id - vpc_region = var.region_map["west"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] -} - -## Associate between self (vpc8) and network-prod-east -resource "aws_route53_vpc_association_authorization" "self_zone_east" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["east"] - vpc_id = data.aws_vpc.eks_vpc.id +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } } -resource "aws_route53_zone_association" "self_zone_east" { - provider = aws.route53_main_east - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = data.aws_vpc.eks_vpc.id - vpc_region = var.region_map["east"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] +# Tag existing subnets for EKS +resource "aws_ec2_tag" "container_subnets" { + for_each = toset(data.aws_subnets.container_subnets.ids) + resource_id = each.value + key = "kubernetes.io/cluster/${var.cluster_name}" + value = "shared" + lifecycle { + precondition { + condition = length(data.aws_subnet.subnets[each.value].tags) < local.max_tag_count + error_message = "Subnet has ${length(data.aws_subnet.subnets[each.value].tags)} tags applied of ${local.max_tag_count} allowed." + } + } } resource "aws_route53_zone" "cluster_domain" { + provider = aws.self name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false - depends_on = [ - data.aws_vpc.dummy_vpc - ] + vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id - vpc_region = var.region + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id + vpc_region = local.region } lifecycle { ignore_changes = [vpc] + precondition { + condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) + error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." + } } tags = merge( 
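Review bot: In `aws_route53_zone.cluster_domain`, `try(data.aws_vpc.dummy_vpc[0].id, null)` can only fall back when the data source has count 0, which the surrounding condition already excludes, and a `null` `vpc_id` inside a `vpc` block would not be valid anyway; what actually happens when `vpc0-dummy` is missing is a failed data-source read, because this commit deletes the `aws_vpc.vpc` resource that used to create it. That new out-of-band prerequisite should be stated above `data "aws_vpc" "dummy_vpc"`, e.g. `# vpc0-dummy is no longer created here; it must already exist in the target account`, and `ignore_changes = [vpc]` means the zone's VPC association is set once at creation and never reconciled afterwards, which deserves a why-comment too. The precondition `A || (!A && B)` reduces to `A || B`, and the `shared_vpc_label` test is repeated throughout the file; a local `shared_vpc_enabled = !(var.shared_vpc_label == null || var.shared_vpc_label == "")` would make each condition readable. The new precondition on `aws_ec2_tag.container_subnets` indexes `data.aws_subnet.subnets[each.value]`, declared outside this hunk; if that map is not keyed by the same IDs as `data.aws_subnets.container_subnets.ids`, the check fails with an index error instead of its error message, which needs confirming. The message `"... of ${local.max_tag_count} allowed"` also presents the local threshold as the service limit, while AWS's quota is 50 tags per resource.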
@@ -112,276 +94,37 @@ resource "aws_route53_zone" "cluster_domain" { ) } -## Dummy VPC - #--- -# dummy vpc, so we can associate the zone to this account +# need to also associate with network-prod account and this vpc #--- -data "aws_vpc" "dummy_vpc" { - depends_on = [aws_vpc.vpc] - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - filter { - name = "tag:Name" - values = ["vpc0-dummy"] +module "route53_cluster_domain_east" { + + count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + providers = { + aws.self = aws.self + aws.peer = aws.route53_main_east } -} -resource "aws_vpc" "vpc" { - cidr_block = "192.168.0.0/24" - enable_dns_support = false - enable_dns_hostnames = false - tags = merge( - var.tags, - { "Name" = "vpc0-dummy" } - ) -} + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] -# Tag existing subnets for EKS -# Container subnets under data.aws_subnets.container-subnets -# Load Balance subnets under data.aws_subnets.lb-subnets -resource "aws_ec2_tag" "container_subnets" { - for_each = toset(data.aws_subnets.container_subnets.ids) - resource_id = each.value - key = "kubernetes.io/cluster/${var.cluster_name}" - value = "shared" + tags = var.tags } -#### This is the correct way, it's commented because -#### the module is throwing an error on the for_each -#### in the module. 
-# locals { -# vpc_domain_name = var.vpc_domain_name -# cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) -# cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) -# region = var.region -# zone_ids = compact(var.zone_ids) -# } - -# #--- -# # network prod -# #--- -# provider "aws" { -# alias = "route53_main_east" -# region = var.region_map["east"] -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) -# session_name = var.os_username -# } -# } - -# provider "aws" { -# alias = "route53_main_west" -# region = var.region_map["west"] -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) -# session_name = var.os_username -# } -# } - -# provider "aws" { -# alias = "self" -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) -# session_name = var.os_username -# } -# } -# #--- -# # dummy vpc, so we can associate the zone to this account -# #--- -# data "aws_vpc" "dummy_vpc" { -# provider = aws.self -# depends_on = [aws_vpc.vpc] -# count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 -# filter { -# name = "tag:Name" -# values = ["vpc0-dummy"] -# } -# filter { -# name = "tag:eks-cluster-name" -# values = [var.cluster_name] -# } -# } - -# ## Dummy VPC -# resource "aws_vpc" "vpc" { -# provider = aws.self -# cidr_block = "192.168.0.0/24" -# enable_dns_support = false -# enable_dns_hostnames = false -# tags = merge( -# var.tags, -# { "Name" = "vpc0-dummy" }, -# ) -# } - -# #--- -# # zone list -# #--- -# data "aws_route53_zone" "zones" { -# provider = aws.self -# for_each = toset(local.zone_ids) -# zone_id = each.key -# private_zone = true -# } - -# resource "aws_route53_zone" "cluster_domain" { -# provider = aws.self -# name = local.cluster_domain_name -# comment = local.cluster_domain_description -# force_destroy = false - -# vpc { -# vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id -# vpc_region = local.region -# } - -# lifecycle { -# ignore_changes = [vpc] -# precondition { -# condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) -# error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." -# } -# } - -# tags = merge( -# var.tags, -# { "Name" = local.cluster_domain_name }, -# ) -# } - -# #--- -# # need to also associate with network-prod account and this vpc -# #--- -# module "route53_cluster_domain_east" { - -# count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main_east -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-east-1" -# vpc_id = data.aws_vpc.eks_vpc.id -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# } +module "route53_cluster_domain_west" { -# module "route53_cluster_domain_west" { - -# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 -# providers = { -# aws.self = aws -# aws.peer = aws.route53_main_west -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-west-1" -# vpc_id = data.aws_vpc.eks_vpc.id -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# } - -# output "cluster_domain_name" { -# description = "DNS Zone Name" -# value = local.cluster_domain_name -# } - -# output "cluster_domain_id" { -# description = "DNS Zone ID" -# value = aws_route53_zone.cluster_domain.zone_id -# } - -# output "cluster_domain_ns" { -# description = "DNS Zone Nameservers" -# value = aws_route53_zone.cluster_domain.name_servers -# } - -# #--- -# # associate to main do2-govcloud vpc1-services east and west for inbound resolution -# # and to vpc7-endpoints in network prod -# #--- - -# # #--- -# # # network prod -# # #--- -# # provider "aws" { -# # alias = "route53_main" -# # region = var.region_map["east"] -# # profile = var.profile -# # assume_role { -# # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) -# # session_name = var.os_username -# # } -# # } - -# # module "route53_main_east" { -# # providers = { -# # aws.self = aws -# # aws.peer = aws.route53_main -# # } - -# # source = 
"git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# # region = "us-gov-east-1" -# # vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] -# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# # tags = var.tags -# # } - -# # module "route53_main_west" { -# # providers = { -# # aws.self = aws -# # aws.peer = aws.route53_main -# # } - -# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# # region = "us-gov-west-1" -# # vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] -# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# # tags = var.tags -# # } - -# #--- -# # do2-gov ("legacy") -# #--- -# # provider "aws" { -# # alias = "route53_main_legacy" -# # region = var.region_map["east"] -# # profile = var.profile -# # assume_role { -# # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) -# # session_name = var.os_username -# # } -# # } - -# # module "route53_main_legacy_east" { -# # providers = { -# # aws.self = aws -# # aws.peer = aws.route53_main_legacy -# # } - -# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# # region = "us-gov-east-1" -# # vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] -# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# # tags = var.tags -# # } - -# # module "route53_main_legacy_west" { -# # providers = { -# # aws.self = aws -# # aws.peer = aws.route53_main_legacy -# # } + count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + providers = { + aws.self = aws.self + aws.peer = aws.route53_main_west + } -# # source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# # region = "us-gov-west-1" -# # vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] -# # zone_ids = [aws_route53_zone.cluster_domain.zone_id] + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] -# # tags = var.tags -# # } + tags = var.tags +} diff --git a/outputs.tf b/outputs.tf index 2275ab9..b131256 100644 --- a/outputs.tf +++ b/outputs.tf @@ -44,6 +44,20 @@ output "cluster_fqdn" { description = "The cluster_name.domain" value = format("%v.%v", var.cluster_name, var.vpc_domain_name) } +output "cluster_domain_name" { + description = "DNS Zone Name" + value = local.cluster_domain_name +} + +output "cluster_domain_id" { + description = "DNS Zone ID" + value = aws_route53_zone.cluster_domain.zone_id +} + +output "cluster_domain_ns" { + description = "DNS Zone Nameservers" + value = aws_route53_zone.cluster_domain.name_servers +} ################################################################################ # IRSA Roles Created diff --git a/variables.tf b/variables.tf index ee06e02..9a47eab 100644 --- a/variables.tf +++ b/variables.tf @@ -143,9 +143,3 @@ variable "route53_endpoints" { } } } - -variable "zone_ids" { - description = "List of Route53 PHZ IDs to associate with a (local/remote) VPC" - type = list(string) - default = [] -} From 1472bd4c5de69618782d9659f66709397528c6c2 Mon Sep 17 00:00:00 2001 
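Review bot: Both new module blocks pin `source` to `?ref=tf-upgrade`, a branch rather than a tag or commit, so the code executed under the cross-account `aws.route53_main_east`/`aws.route53_main_west` assumed-role providers can change between applies with no change to this repository; pin an immutable ref, e.g. `...route53-zone-association/zone?ref=<tag-or-commit>` (placeholder). The `region` argument restates the literal that `count` compares `local.region` against, so if the two drift the module is created for one region and told another; `region = local.region` keeps them in step. When `local.region` matches neither literal both counts are 0 and the zone is associated with nothing beyond its `vpc` block, with no error; a precondition such as `contains(values(var.region_map), local.region)` would surface that (`var.region_map` exists per the README table in this series).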
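Review bot: The new `cluster_domain_name` output returns `local.cluster_domain_name`, while the `cluster_fqdn` output directly above it recomputes the same string with `format("%v.%v", var.cluster_name, var.vpc_domain_name)`; pointing both at the local, `value = local.cluster_domain_name`, keeps the two outputs from diverging if the domain computation changes. `cluster_domain_ns` exposes the name servers of a zone created with a `vpc` block, i.e. a private hosted zone, so its description should say these are only resolvable from associated VPCs.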
From: "Matthew C. Morgan" Date: Wed, 18 Sep 2024 19:21:31 -0400 Subject: [PATCH 2/8] =?UTF-8?q?=F0=9F=90=9B=20fix(cluster=5Fdomain):=20res?= =?UTF-8?q?ource=20aws=5Froute53=5Fzone.cluster=5Fdomain=20wants=20update?= =?UTF-8?q?=20every=20plan=20so=20ignore=20changes=20to=20tags?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 dns_zones.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index cf1ce39..e26fbf1 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -48,7 +48,8 @@ provider "aws" {
 # dummy vpc, so we can associate the zone to this account
 #---
 data "aws_vpc" "dummy_vpc" {
- count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ provider = aws.self
+ count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
 filter {
 name = "tag:Name"
 values = ["vpc0-dummy"]
@@ -57,6 +58,7 @@ data "aws_vpc" "dummy_vpc" {
 # Tag existing subnets for EKS
 resource "aws_ec2_tag" "container_subnets" {
+ provider = aws.self
 for_each = toset(data.aws_subnets.container_subnets.ids)
 resource_id = each.value
 key = "kubernetes.io/cluster/${var.cluster_name}"
From 9e3b9de3991a863970561474d5bf07db1680f819 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 18 Sep 2024 20:40:59 -0400 Subject: [PATCH 3/8] =?UTF-8?q?=F0=9F=90=9B=20fix(dns):=20remove=20prodive?= =?UTF-8?q?r=20from=20data=20call=20for=20dummy-vpc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 dns_zones.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dns_zones.tf b/dns_zones.tf
index e26fbf1..2478013 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
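Review bot: The commit message says changes to tags on `aws_route53_zone.cluster_domain` are now ignored, but neither hunk adds `ignore_changes = [tags]`; the only change is `provider = aws.self` on `data.aws_vpc.dummy_vpc` and on `aws_ec2_tag.container_subnets`, so the message and the change do not match. Routing the subnet tagging through `aws.self` means it is now performed by whatever role that provider assumes — `r-inf-terraform-route53`, per the provider block visible in the removed lines of patch 4 — and that role's policy is not on this page: either it carries EC2 tagging permissions, which widens a role named for Route53, or this apply fails on the tag write. A short why-comment on the new line would let a reviewer check the policy against it: `provider = aws.self # subnet tags are written by the assumed route53 role`.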
@@ -48,8 +48,7 @@ provider "aws" { # dummy vpc, so we can associate the zone to this account #--- data "aws_vpc" "dummy_vpc" { - provider = aws.self - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 filter { name = "tag:Name" values = ["vpc0-dummy"] From 21e07c51a7c20f9a34c172a0fd1bda591106a5a2 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 19 Sep 2024 14:41:09 -0400 Subject: [PATCH 4/8] =?UTF-8?q?=E2=9C=A8=20feat(dns):=20dns=20removed=20fr?= =?UTF-8?q?om=20this=20module=20to=20facilitate=20the=20creation=20of=20tf?= =?UTF-8?q?mod-eks-dns?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 13 --- aws_data.tf | 11 --- dns_zones.tf | 263 ++++++++++++++++++++++++++------------------------- main.tf | 15 +++ outputs.tf | 14 --- variables.tf | 52 +++------- 6 files changed, 158 insertions(+), 210 deletions(-) diff --git a/README.md b/README.md index 3c36609..609c783 100644 --- a/README.md +++ b/README.md 
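Review bot: This hunk reverts the `provider = aws.self` added to `data.aws_vpc.dummy_vpc` in the previous patch without recording why, so the lookup of `vpc0-dummy` now runs through the default provider while `aws_route53_zone.cluster_domain` is still created through `aws.self`; if those two principals ever resolve to different accounts, the zone is associated with a VPC ID taken from the wrong one. A comment on the block stating the reason the lookup must stay on the default provider, e.g. `# intentionally on the default provider, not aws.self: <reason>` (placeholder), would stop the next change from re-adding it.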
@@ -97,8 +97,6 @@ Change logs are auto-generated with commitizen. | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.24.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | -| [route53\_cluster\_domain\_east](#module\_route53\_cluster\_domain\_east) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone | tf-upgrade | -| [route53\_cluster\_domain\_west](#module\_route53\_cluster\_domain\_west) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone | tf-upgrade | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | ## Resources @@ -106,7 +104,6 @@ Change logs are auto-generated with commitizen. | Name | Type | |------|------| | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | -| [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | 
@@ -121,9 +118,7 @@ Change logs are auto-generated with commitizen. | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | -| [aws_subnets.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs @@ -141,12 +136,7 @@ Change logs are auto-generated with commitizen. | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Node Group maximum size | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | -| [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | -| [region](#input\_region) | AWS config region | `string` | `""` | no | -| [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
}
| no | -| [route53\_endpoints](#input\_route53\_endpoints) | Map of target route53 endpoints (for inbound) central VPCs | `map(map(string))` |
{
"route53_main": {
"account_id": "269244441389",
"alias": "lab-gov-network-nonprod",
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
}
| no | -| [shared\_vpc\_label](#input\_shared\_vpc\_label) | Label to use for shared VPC for flowlogs and other things | `string` | `null` | no | | [subnets\_name](#input\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-container-*"` | no | | [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | @@ -163,9 +153,6 @@ Change logs are auto-generated with commitizen. | [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | | [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | -| [cluster\_domain\_id](#output\_cluster\_domain\_id) | DNS Zone ID | -| [cluster\_domain\_name](#output\_cluster\_domain\_name) | DNS Zone Name | -| [cluster\_domain\_ns](#output\_cluster\_domain\_ns) | DNS Zone Nameservers | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_fqdn](#output\_cluster\_fqdn) | The cluster\_name.domain | | [cluster\_iam\_role](#output\_cluster\_iam\_role) | The arn/name/unique\_id of the iam role for the cluster | diff --git a/aws_data.tf b/aws_data.tf index fd2636d..fb1697a 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -5,14 +5,3 @@ data "aws_region" "current" {} data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } - -data "aws_subnets" "container_subnets" { - filter { - name = "tag:Name" - values = [local.container_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} diff --git a/dns_zones.tf b/dns_zones.tf index 2478013..10ee67c 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
@@ -1,131 +1,132 @@ -#------------------------------------------------- -# DNS Zone for EKS -#------------------------------------------------- - -#------------------------------------------------- -# Locals -#------------------------------------------------- - -locals { - cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) - container_subnets_name = var.subnets_name - max_tag_count = 47 - region = var.region - vpc_domain_name = var.vpc_domain_name -} - -#------------------------------------------------- -# Providers for Cross Account DNS Action -#------------------------------------------------- -provider "aws" { - alias = "route53_main_east" - region = var.region_map["east"] - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) - session_name = var.os_username - } -} - -provider "aws" { - alias = "route53_main_west" - region = var.region_map["west"] - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) - session_name = var.os_username - } -} - -provider "aws" { - alias = "self" - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - session_name = var.os_username - } -} - -#--- -# dummy vpc, so we can associate the zone to this account -#--- -data "aws_vpc" "dummy_vpc" { - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 - filter { - name = "tag:Name" - values = ["vpc0-dummy"] - } -} - -# Tag existing subnets for EKS -resource "aws_ec2_tag" "container_subnets" { - provider = aws.self - for_each = toset(data.aws_subnets.container_subnets.ids) - resource_id = each.value - key = "kubernetes.io/cluster/${var.cluster_name}" - value = "shared" - lifecycle { - precondition { - condition = length(data.aws_subnet.subnets[each.value].tags) < local.max_tag_count - error_message = "Subnet has ${length(data.aws_subnet.subnets[each.value].tags)} tags applied of ${local.max_tag_count} allowed." - } - } -} - -resource "aws_route53_zone" "cluster_domain" { - provider = aws.self - name = local.cluster_domain_name - comment = local.cluster_domain_description - force_destroy = false - - vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id - vpc_region = local.region - } - - lifecycle { - ignore_changes = [vpc] - precondition { - condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) - error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." - } - } - - tags = merge( - var.tags, - { "Name" = local.cluster_domain_name }, - ) -} - -#--- -# need to also associate with network-prod account and this vpc -#--- -module "route53_cluster_domain_east" { - - count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 - providers = { - aws.self = aws.self - aws.peer = aws.route53_main_east - } - - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" - region = "us-gov-east-1" - vpc_id = data.aws_vpc.eks_vpc.id - zone_ids = [aws_route53_zone.cluster_domain.zone_id] - - tags = var.tags -} - -module "route53_cluster_domain_west" { - - count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - providers = { - aws.self = aws.self - aws.peer = aws.route53_main_west - } - - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" - region = "us-gov-west-1" - vpc_id = data.aws_vpc.eks_vpc.id - zone_ids = [aws_route53_zone.cluster_domain.zone_id] - - tags = var.tags -} +# #------------------------------------------------- +# # DNS Zone for EKS +# #------------------------------------------------- + +# #------------------------------------------------- +# # Locals +# #------------------------------------------------- + +# locals { +# cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) +# cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) +# container_subnets_name = var.subnets_name +# max_tag_count = 47 +# region = var.region +# vpc_domain_name = var.vpc_domain_name +# } + +# #------------------------------------------------- +# # Providers for Cross Account DNS Action +# #------------------------------------------------- +# provider "aws" { +# alias = "route53_main_east" +# region = var.region_map["east"] +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# session_name = var.os_username +# } +# } + +# provider "aws" { +# alias = "route53_main_west" +# region = var.region_map["west"] +# assume_role { +# role_arn = 
format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# session_name = var.os_username +# } +# } + +# provider "aws" { +# alias = "self" +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) +# session_name = var.os_username +# } +# } + +# #--- +# # dummy vpc, so we can associate the zone to this account +# #--- +# data "aws_vpc" "dummy_vpc" { +# count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 +# filter { +# name = "tag:Name" +# values = ["vpc0-dummy"] +# } +# } + +# # Tag existing subnets for EKS +# resource "aws_ec2_tag" "container_subnets" { +# provider = aws.self +# for_each = data.aws_subnet.subnets +# resource_id = each.key +# key = "kubernetes.io/cluster/${var.cluster_name}" +# value = "shared" +# lifecycle { +# precondition { +# condition = length(each.value.tags) < local.max_tag_count +# error_message = "Subnet has ${length(each.value.tags)} tags applied of ${local.max_tag_count} allowed." +# } +# } +# } + + +# resource "aws_route53_zone" "cluster_domain" { +# provider = aws.self +# name = local.cluster_domain_name +# comment = local.cluster_domain_description +# force_destroy = false + +# vpc { +# vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id +# vpc_region = local.region +# } + +# lifecycle { +# ignore_changes = [vpc] +# precondition { +# condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) +# error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." 
+# } +# } + +# tags = merge( +# var.tags, +# { "Name" = local.cluster_domain_name }, +# ) +# } + +# #--- +# # need to also associate with network-prod account and this vpc +# #--- +# module "route53_cluster_domain_east" { + +# count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 +# providers = { +# aws.self = aws.self +# aws.peer = aws.route53_main_east +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-east-1" +# vpc_id = data.aws_vpc.eks_vpc.id +# zone_ids = try([aws_route53_zone.cluster_domain.zone_id]) + +# tags = var.tags +# } + +# module "route53_cluster_domain_west" { + +# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 +# providers = { +# aws.self = aws.self +# aws.peer = aws.route53_main_west +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-west-1" +# vpc_id = data.aws_vpc.eks_vpc.id +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } diff --git a/main.tf b/main.tf index 6f929ed..d8c5744 100644 --- a/main.tf +++ b/main.tf @@ -134,6 +134,21 @@ module "cluster" { tags = local.tags } +# Tag existing subnets for EKS +resource "aws_ec2_tag" "container_subnets" { + provider = aws.self + for_each = data.aws_subnet.subnets + resource_id = each.key + key = "kubernetes.io/cluster/${var.cluster_name}" + value = "shared" + lifecycle { + precondition { + condition = length(each.value.tags) < local.max_tag_count + error_message = "Subnet has ${length(each.value.tags)} tags applied of ${local.max_tag_count} allowed." + } + } +} + resource "aws_security_group_rule" "allow_sidecar_injection" { description = "Webhook container port, from Control Plane" protocol = "tcp" 
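Review bot: The new side of dns_zones.tf is the old file commented out line by line rather than removed, which leaves 132 lines of dead HCL that validate ignores but every reader and grep still has to wade through; the variables.tf hunk in this patch does the same with `region` and `os_username`. Commented-out code also drifts: the disabled copy already differs from the removed one (`for_each = data.aws_subnet.subnets`, `zone_ids = try([aws_route53_zone.cluster_domain.zone_id])`), edits nobody can exercise or test. Since patch 8/8 in this series deletes the file anyway, I would delete it (and the two commented variables) here and rely on git history for the old zone and cross-account provider wiring, or leave a single pointer such as `# DNS zone management moved to the tfmod-eks-dns module` if a breadcrumb is wanted.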
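Review bot: The `aws_ec2_tag.container_subnets` resource added to main.tf references `provider = aws.self` and `local.max_tag_count`, yet this same patch comments out the only definitions of both visible in the diff (the `alias = "self"` provider block and the `locals` block in dns_zones.tf), so unless they are declared in a file outside this diff, `terraform validate` fails at this commit. Patch 5/8 in this series later removes the `provider = aws.self` line and adds `max_tag_count = 45` to the main.tf locals, which confirms the gap; folding those two changes into this patch keeps the series bisectable. Dropping the `aws.self` provider also removes the last `assume_role` into the `r-inf-terraform-route53` role for this resource, so the tagging now runs under the caller's own credentials; that is presumably intended, and the README provider table should stop listing `aws.self` at the same time rather than in 5/8. The enclosing `module "cluster"` block starts outside the hunk.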
diff --git a/outputs.tf b/outputs.tf index b131256..2275ab9 100644 --- a/outputs.tf +++ b/outputs.tf @@ -44,20 +44,6 @@ output "cluster_fqdn" { description = "The cluster_name.domain" value = format("%v.%v", var.cluster_name, var.vpc_domain_name) } -output "cluster_domain_name" { - description = "DNS Zone Name" - value = local.cluster_domain_name -} - -output "cluster_domain_id" { - description = "DNS Zone ID" - value = aws_route53_zone.cluster_domain.zone_id -} - -output "cluster_domain_ns" { - description = "DNS Zone Nameservers" - value = aws_route53_zone.cluster_domain.name_servers -} ################################################################################ # IRSA Roles Created diff --git a/variables.tf b/variables.tf index 9a47eab..ca08449 100644 --- a/variables.tf +++ b/variables.tf 
@@ -102,44 +102,14 @@ variable "profile" { default = "" } -variable "region" { - description = "AWS config region" - type = string - default = "" -} - -variable "os_username" { - description = "OS username from environment variable, ideally as $USER" - type = string - default = null -} - -################################################################### -# DNS variables -################################################################### - - -variable "shared_vpc_label" { - description = "Label to use for shared VPC for flowlogs and other things" - type = string - default = null -} - -variable "region_map" { - description = "AWS region map" - type = map(string) - default = { "east" : "us-gov-east-1", "west" : "us-gov-west-1" } -} - -variable "route53_endpoints" { - description = "Map of target route53 endpoints (for inbound) central VPCs" - type = map(map(string)) - default = { - route53_main = { - "account_id" = "269244441389" - "alias" = "lab-gov-network-nonprod" - "us-gov-east-1" = "vpc-070595c5b133243dd" - "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" - } - } -} +# variable "region" { +# description = "AWS config region" +# type = string +# default = "" +# } + +# variable "os_username" { +# description = "OS username from environment variable, ideally as $USER" +# type = string +# default = null +# } From c237916a5d657df29686b7ec90465eb8c750c1bc Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 19 Sep 2024 14:45:04 -0400 Subject: [PATCH 5/8] =?UTF-8?q?=F0=9F=90=9B=20fix(dns):=20add=20local.max?= =?UTF-8?q?=5Ftag=5Fcount?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 - main.tf | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 609c783..424b859 100644 --- a/README.md +++ b/README.md 
@@ -86,7 +86,6 @@ Change logs are auto-generated with commitizen. | Name | Version | |------|---------| | [aws](#provider\_aws) | 5.67.0 | -| [aws.self](#provider\_aws.self) | 5.67.0 | | [null](#provider\_null) | 3.2.3 | ## Modules diff --git a/main.tf b/main.tf index d8c5744..d3ea1ad 100644 --- a/main.tf +++ b/main.tf @@ -36,6 +36,7 @@ locals { "boc:created_by" = "terraform" CostAllocation = var.tag_costallocation } + max_tag_count = 45 ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] tags = merge(local.base_tags, var.tags) @@ -136,7 +137,6 @@ module "cluster" { # Tag existing subnets for EKS resource "aws_ec2_tag" "container_subnets" { - provider = aws.self for_each = data.aws_subnet.subnets resource_id = each.key key = "kubernetes.io/cluster/${var.cluster_name}" From 5c110ca9e7a534192017d008076fd2eb75b984a2 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 19 Sep 2024 20:39:30 -0400 Subject: [PATCH 6/8] =?UTF-8?q?=F0=9F=90=9B=20fix(variables):=20remove=20u?= =?UTF-8?q?nused=20vpc=5Fdomain=5Fname=20var?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 -- outputs.tf | 5 ----- variables.tf | 5 ----- 3 files changed, 12 deletions(-) diff --git a/README.md b/README.md index 424b859..1ef09e4 100644 --- a/README.md +++ b/README.md 
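Review bot: `max_tag_count = 45` is a bare constant in the locals hunk with no explanation, and it silently lowers the threshold from the 47 the same precondition used in dns_zones.tf. The value only exists to keep each subnet under the AWS per-resource tag limit while the cluster tag is added, so say so: `max_tag_count = 45 # headroom below the AWS tag-per-resource limit so the kubernetes.io/cluster/<name> tag (and any the EKS module adds) still fit — TODO confirm limit and tag count`. The precondition in the second hunk uses `<`, so a subnet with exactly 45 tags is rejected; if the intent is "at most 45 existing tags" that should be `<=`, otherwise the comment should state the off-by-one. The `locals` block starts outside the hunk.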
@@ -139,7 +139,6 @@ Change logs are auto-generated with commitizen. | [subnets\_name](#input\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-container-*"` | no | | [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | -| [vpc\_domain\_name](#input\_vpc\_domain\_name) | The DNS domain name of the vpc the cluster is in. | `string` | n/a | yes | | [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes | ## Outputs @@ -153,7 +152,6 @@ Change logs are auto-generated with commitizen. | [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | -| [cluster\_fqdn](#output\_cluster\_fqdn) | The cluster\_name.domain | | [cluster\_iam\_role](#output\_cluster\_iam\_role) | The arn/name/unique\_id of the iam role for the cluster | | [cluster\_id](#output\_cluster\_id) | The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts | | [cluster\_identity\_providers](#output\_cluster\_identity\_providers) | Map of attribute maps for all EKS identity providers enabled | diff --git a/outputs.tf b/outputs.tf index 2275ab9..66a9aaa 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -40,11 +40,6 @@ output "security_group_all_worker_mgmt_id" { value = aws_security_group.all_worker_mgmt.id } -output "cluster_fqdn" { - description = "The cluster_name.domain" - value = format("%v.%v", var.cluster_name, var.vpc_domain_name) -} - ################################################################################ # IRSA Roles Created ################################################################################ diff --git a/variables.tf b/variables.tf index ca08449..6cf7c30 100644 --- a/variables.tf +++ b/variables.tf @@ -32,11 +32,6 @@ variable "subnets_name" { default = "*-container-*" } -variable "vpc_domain_name" { - description = "The DNS domain name of the vpc the cluster is in." - type = string -} - variable "eks_instance_disk_size" { description = "The size of the disk of the worker nodes in gigabytes. 40 is the approximate minimum. Needs to hold the all of the normal operating system files plus every image that will be used in the cluster." type = number From dd4f5b00940ffcc6c5d85710e042047ed444c1e5 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 19 Sep 2024 21:03:14 -0400 Subject: [PATCH 7/8] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20=20dep-bump(module-clu?= =?UTF-8?q?ster):=20bump=20dep=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1ef09e4..ce2fe87 100644 --- a/README.md +++ b/README.md 
@@ -93,7 +93,7 @@ Change logs are auto-generated with commitizen. | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.24.0 | +| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.24.1 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | diff --git a/main.tf b/main.tf index d3ea1ad..3ab29b3 100644 --- a/main.tf +++ b/main.tf @@ -45,7 +45,7 @@ locals { } module "cluster" { - source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.24.0" + source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.24.1" cluster_name = var.cluster_name cluster_version = var.cluster_version From 0e9df795a52acda66d82b56a94b74b17892e77df Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 19 Sep 2024 21:24:22 -0400 Subject: [PATCH 8/8] =?UTF-8?q?=F0=9F=90=9B=20fix(dns=5Fzones.tf):=20remov?= =?UTF-8?q?ed=20dns=5Fzones.tf=20for=20new=20tfmod-eks-dns?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dns_zones.tf | 132 --------------------------------------------------- 1 file changed, 132 deletions(-) delete mode 100644 dns_zones.tf diff --git a/dns_zones.tf b/dns_zones.tf deleted file mode 100644 index 10ee67c..0000000 --- a/dns_zones.tf +++ /dev/null 
@@ -1,132 +0,0 @@ -# #------------------------------------------------- -# # DNS Zone for EKS -# #------------------------------------------------- - -# #------------------------------------------------- -# # Locals -# #------------------------------------------------- - -# locals { -# cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) -# cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) -# container_subnets_name = var.subnets_name -# max_tag_count = 47 -# region = var.region -# vpc_domain_name = var.vpc_domain_name -# } - -# #------------------------------------------------- -# # Providers for Cross Account DNS Action -# #------------------------------------------------- -# provider "aws" { -# alias = "route53_main_east" -# region = var.region_map["east"] -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) -# session_name = var.os_username -# } -# } - -# provider "aws" { -# alias = "route53_main_west" -# region = var.region_map["west"] -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) -# session_name = var.os_username -# } -# } - -# provider "aws" { -# alias = "self" -# assume_role { -# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) -# session_name = var.os_username -# } -# } - -# #--- -# # dummy vpc, so we can associate the zone to this account -# #--- -# data "aws_vpc" "dummy_vpc" { -# count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 -# filter { -# name = "tag:Name" -# values = ["vpc0-dummy"] -# } -# } - -# # Tag existing subnets for EKS -# resource "aws_ec2_tag" "container_subnets" { -# provider = aws.self -# for_each = data.aws_subnet.subnets -# resource_id = each.key -# key = "kubernetes.io/cluster/${var.cluster_name}" -# value = "shared" -# lifecycle { -# precondition { -# condition = length(each.value.tags) < local.max_tag_count -# error_message = "Subnet has ${length(each.value.tags)} tags applied of ${local.max_tag_count} allowed." -# } -# } -# } - - -# resource "aws_route53_zone" "cluster_domain" { -# provider = aws.self -# name = local.cluster_domain_name -# comment = local.cluster_domain_description -# force_destroy = false - -# vpc { -# vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id -# vpc_region = local.region -# } - -# lifecycle { -# ignore_changes = [vpc] -# precondition { -# condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) -# error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." -# } -# } - -# tags = merge( -# var.tags, -# { "Name" = local.cluster_domain_name }, -# ) -# } - -# #--- -# # need to also associate with network-prod account and this vpc -# #--- -# module "route53_cluster_domain_east" { - -# count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 -# providers = { -# aws.self = aws.self -# aws.peer = aws.route53_main_east -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-east-1" -# vpc_id = data.aws_vpc.eks_vpc.id -# zone_ids = try([aws_route53_zone.cluster_domain.zone_id]) - -# tags = var.tags -# } - -# module "route53_cluster_domain_west" { - -# count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 -# providers = { -# aws.self = aws.self -# aws.peer = aws.route53_main_west -# } - -# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" -# region = "us-gov-west-1" -# vpc_id = data.aws_vpc.eks_vpc.id -# zone_ids = [aws_route53_zone.cluster_domain.zone_id] - -# tags = var.tags -# }