From 196af69185b245f7f1cb21faa1e03c61a99a0e0e Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 10 Oct 2025 09:45:56 -0400
Subject: [PATCH] add old-tf setup for route53 (TF < 1.x)
---
 .../dns-zone.route53-profile.tf | 34 ++++
 examples/old-tf-route53-setup/dns-zone.tf | 183 ++++++++++++++++++
 .../old-tf-route53-setup/variables.route53.tf | 24 +++
 .../variables.username.tf | 5 +
 4 files changed, 246 insertions(+)
 create mode 100644 examples/old-tf-route53-setup/dns-zone.route53-profile.tf
 create mode 100644 examples/old-tf-route53-setup/dns-zone.tf
 create mode 100644 examples/old-tf-route53-setup/variables.route53.tf
 create mode 100644 examples/old-tf-route53-setup/variables.username.tf
diff --git a/examples/old-tf-route53-setup/dns-zone.route53-profile.tf b/examples/old-tf-route53-setup/dns-zone.route53-profile.tf
new file mode 100644
index 0000000..9f995a0
--- /dev/null
+++ b/examples/old-tf-route53-setup/dns-zone.route53-profile.tf
@@ -0,0 +1,34 @@
+data "aws_route53profiles_profiles" "east_vpc_profiles" {
+ provider = aws.east
+}
+data "aws_route53profiles_profiles" "west_vpc_profiles" {
+ provider = aws.west
+}
+
+locals {
+ east_route53_profiles = { for v in data.aws_route53profiles_profiles.east_vpc_profiles.profiles : v.name => v.id }
+ west_route53_profiles = { for v in data.aws_route53profiles_profiles.west_vpc_profiles.profiles : v.name => v.id }
+ route53_profile_mapping = {
+ "shared" = "services"
+ "ite" = "test"
+ "qa" = "test"
+ "uat" = "test"
+ }
+ route53_profile = lookup(local.route53_profile_mapping, var.vpc_environment, var.vpc_environment)
+}
+
+resource "aws_route53profiles_resource_association" "east_zone" {
+ provider = aws.east
+ region = "us-gov-east-1"
+ name = format("%v-%v zone %v", local.route53_profile, "vpc", aws_route53_zone.cluster_domain.zone_id)
+ profile_id = local.east_route53_profiles[local.route53_profile]
+ resource_arn = aws_route53_zone.cluster_domain.arn
+}
+
+resource "aws_route53profiles_resource_association" "west_zone" {
+ provider = aws.west
+ region = "us-gov-west-1"
+ name = format("%v-%v zone %v", local.route53_profile, "vpc", aws_route53_zone.cluster_domain.zone_id)
+ profile_id = local.west_route53_profiles[local.route53_profile]
+ resource_arn = aws_route53_zone.cluster_domain.arn
+}
diff --git a/examples/old-tf-route53-setup/dns-zone.tf b/examples/old-tf-route53-setup/dns-zone.tf
new file mode 100644
index 0000000..a7671e8
--- /dev/null
+++ b/examples/old-tf-route53-setup/dns-zone.tf
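Review bot: `profile_id = local.east_route53_profiles[local.route53_profile]` (and the west twin) turns a missing or misnamed Route 53 Profile into a bare invalid-index error at plan time, which gives the operator no hint that the thing to fix is `var.vpc_environment` or the `route53_profile_mapping` table. On a TF < 1.x tree where `precondition` is unavailable, at least state the contract above the locals block: `# route53_profile must match the name of an existing Route 53 Profile in each region; unmapped environments use var.vpc_environment verbatim`. The `for v in ... : v.name => v.id` expressions also error on duplicate profile names, so if names are not guaranteed unique in the account the `v.id...` grouping form or a tag filter is needed. The literal `region = "us-gov-east-1"`/`"us-gov-west-1"` arguments duplicate whatever region the `aws.east`/`aws.west` aliases (defined outside this patch) carry, and resource-level `region` only exists in newer AWS provider releases; if the provider pinned for this tree predates it, plan fails on that argument.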
@@ -0,0 +1,183 @@
+locals {
+ cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
+ cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
+}
+
+resource "aws_route53_zone" "cluster_domain" {
+ name = local.cluster_domain_name
+ comment = local.cluster_domain_description
+ force_destroy = false
+
+ vpc {
+ vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_region = local.region
+ }
+
+ ## dynamic "vpc" {
+ ## for_each = true ? var.region_map : {}
+ ## iterator = r
+ ## content {
+ ## vpc_id = var.main_dns_vpcs[r.value]
+ ## vpc_region = r.value
+ ## }
+ ## }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.tags,
+ var.application_tags,
+ tomap({ "Name" = local.cluster_domain_name }),
+ )
+
+ # depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ]
+}
+
+output "cluster_domain_name" {
+ description = "DNS Zone Name"
+ value = local.cluster_domain_name
+}
+
+output "cluster_domain_id" {
+ description = "DNS Zone ID"
+ value = aws_route53_zone.cluster_domain.zone_id
+}
+
+output "cluster_domain_ns" {
+ description = "DNS Zone Nameservers"
+ value = aws_route53_zone.cluster_domain.name_servers
+}
+
+#---
+# associate to main do2-govcloud vpc1-services east and west for inbound resolution
+#---
+provider "aws" {
+ alias = "east_main_dns"
+ region = var.region_map["east"]
+ profile = var.main_dns_profile
+}
+
+provider "aws" {
+ alias = "west_main_dns"
+ region = var.region_map["west"]
+ profile = var.main_dns_profile
+}
+
+# resource "aws_route53_vpc_association_authorization" "cluster_domain" {
+# for_each = var.region_map
+#
+# zone_id = aws_route53_zone.cluster_domain.zone_id
+# vpc_region = each.value
+# vpc_id = var.main_dns_vpcs[each.value]
+# }
+
+resource "aws_route53_vpc_association_authorization" "west_cluster_domain" {
+ for_each = tomap({ "zone" = aws_route53_zone.cluster_domain })
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-west-1"
+ vpc_id = var.main_dns_vpcs["us-gov-west-1"]
+}
+
+resource "aws_route53_vpc_association_authorization" "east_cluster_domain" {
+ for_each = tomap({ "zone" = aws_route53_zone.cluster_domain })
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-east-1"
+ vpc_id = var.main_dns_vpcs["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "west_cluster_domain" {
+ provider = aws.west_main_dns
+ for_each = aws_route53_vpc_association_authorization.west_cluster_domain
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+resource "aws_route53_zone_association" "east_cluster_domain" {
+ provider = aws.east_main_dns
+ for_each = aws_route53_vpc_association_authorization.east_cluster_domain
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+# now we need to add the NS records for the new zone to the parent zone
+
+data "aws_route53_zone" "parent" {
+ name = var.vpc_domain_name
+ private_zone = true
+}
+
+resource "aws_route53_record" "cluster_domain" {
+ allow_overwrite = true
+ name = local.cluster_domain_name
+ type = "NS"
+ ttl = 900
+ zone_id = data.aws_route53_zone.parent.zone_id
+
+ records = aws_route53_zone.cluster_domain.name_servers
+}
+
+#---
+# network-prod provider
+#---
+provider "aws" {
+ alias = "route53_main_east"
+ profile = var.profile
+ region = "us-gov-east-1"
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+provider "aws" {
+ alias = "route53_main_west"
+ profile = var.profile
+ region = "us-gov-west-1"
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+#---
+# associate to network-prod (can't use modules until this is upgrade to 1.x)
+#---
+resource "aws_route53_vpc_association_authorization" "network_main_west_cluster_domain" {
+ for_each = tomap({ "zone" = aws_route53_zone.cluster_domain })
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-west-1"
+ vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+}
+
+resource "aws_route53_vpc_association_authorization" "network_main_east_cluster_domain" {
+ for_each = tomap({ "zone" = aws_route53_zone.cluster_domain })
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-east-1"
+ vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "network_main_west_cluster_domain" {
+ provider = aws.route53_main_west
+ for_each = aws_route53_vpc_association_authorization.network_main_west_cluster_domain
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+resource "aws_route53_zone_association" "network_main_east_cluster_domain" {
+ provider = aws.route53_main_east
+ for_each = aws_route53_vpc_association_authorization.network_main_east_cluster_domain
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
diff --git a/examples/old-tf-route53-setup/variables.route53.tf b/examples/old-tf-route53-setup/variables.route53.tf
new file mode 100644
index 0000000..fc70623
--- /dev/null
+++ b/examples/old-tf-route53-setup/variables.route53.tf
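Review bot: `allow_overwrite = true` on `aws_route53_record.cluster_domain` lets this example silently replace an existing NS delegation for `local.cluster_domain_name` in the parent zone, so two clusters given the same `cluster_name` (or a name that collides with another team's zone) would redirect that subdomain's resolution to the new zone instead of failing the plan. Unless the overwrite is needed to adopt a record created outside Terraform, set `allow_overwrite = false`, or keep it and state the trade-off next to it: `# allow_overwrite adopts a hand-created NS record; it also means a name collision with another cluster's zone is NOT detected`. Relatedly, `data "aws_route53_zone" "parent"` selects by `name` and `private_zone = true` only, so if that zone name exists as more than one private hosted zone (split-horizon across VPCs) the lookup fails with a multiple-zones error; adding `vpc_id = data.aws_vpc.eks_vpc.id` pins the intended parent. `data.aws_vpc.eks_vpc`, `data.aws_arn.current`, `local.region`, `local.base_tags`/`local.common_tags`, the `main_dns_vpcs`/`region_map`/`main_dns_profile`/`profile` variables and the `aws.east`/`aws.west` aliases used by the sibling file are not declared anywhere in this patch, so presumably the example relies on the rest of the tree for them — worth a README line saying so.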
@@ -0,0 +1,24 @@
+variable "route53_endpoints" {
+ description = "Map of target route53 endpoints (for inbound) central VPCs"
+ type = map(map(string))
+ default = {
+ route53_main = {
+ "account_id" = "057405694017"
+ "alias" = "ent-gov-network-prod"
+ "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+ "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+ }
+ route53_main_legacy = {
+ "account_id" = "107742151971"
+ "alias" = "do2-govcloud"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ "us-gov-west-1" = "vpc-77877a12"
+ }
+ route53_main_dmz = {
+ "account_id" = "273715889907"
+ "alias" = "ent-gov-dmz-network-prod"
+ "us-gov-east-1" = "vpc-02f1a0a3b40843e4e"
+ "us-gov-west-1" = "vpc-0ce5930e94e434889"
+ }
+ }
+}
diff --git a/examples/old-tf-route53-setup/variables.username.tf b/examples/old-tf-route53-setup/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/old-tf-route53-setup/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+ description = "OS username from environment variable, ideally as $USER"
+ type = string
+ default = null
+}
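Review bot: `route53_endpoints` bakes three accounts' IDs and VPC IDs into a `default` in a shared example, so anyone who copies the example and forgets to override it will authorize and associate their private zone with those specific central-DNS VPCs rather than get a plan error. Since the values are environment-specific, drop the `default` so the variable is required (or move the values to an example `.tfvars`), and say why: `# no default on purpose: the target central-DNS account and VPC ids are environment-specific and must be supplied explicitly`. The `map(map(string))` type also mixes the `account_id`/`alias` entries with region-keyed VPC ids in the same inner map, so nothing stops a caller from omitting the `us-gov-*` keys that dns-zone.tf indexes directly; if the pinned Terraform supports variable `validation` blocks, check for those keys there, otherwise list the required keys in `description`. Only `route53_main` is referenced by this patch; `route53_main_legacy` and `route53_main_dmz` are unused here and could be left out of the example.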
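Review bot: `os_username` defaults to `null`, and dns-zone.tf passes it as the `assume_role` `session_name` for the network-prod providers, so when the caller does not set it the assumed-role session gets the provider's generated name and the CloudTrail entries in the DNS account lose the operator attribution the description says is intended. Making the variable required (remove `default = null`), or at least spelling out the fallback, makes that contract explicit, e.g. `description = "OS username used as the assume_role session name for CloudTrail attribution; pass via TF_VAR_os_username=$USER (required)"`. STS also restricts `RoleSessionName` to a limited character set, so a username containing other characters fails at assume-role time rather than at plan; a comment noting that would save a confusing error.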