From 204b98f2423831cd5dfeca9eaeb1f5c64c4d68d8 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 1 May 2023 13:44:11 -0400
Subject: [PATCH] add new config for dns-zone

---
 .../full-cluster-tf-upgrade/1.24/dns-zone.tf | 157 +++++++++++-------
 .../1.24/variables.route53.tf                |  16 ++
 .../1.24/variables.username.tf               |   5 +
 3 files changed, 115 insertions(+), 63 deletions(-)
 create mode 100644 examples/full-cluster-tf-upgrade/1.24/variables.route53.tf
 create mode 100644 examples/full-cluster-tf-upgrade/1.24/variables.username.tf

diff --git a/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf
index a7f3f41..508b39a 100644
--- a/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf
+++ b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf
@@ -13,15 +13,6 @@ resource "aws_route53_zone" "cluster_domain" {
     vpc_region = local.region
   }
 
-  ## dynamic "vpc" {
-  ##   for_each = true ? var.region_map : {}
-  ##   iterator = r
-  ##   content {
-  ##     vpc_id     = var.main_dns_vpcs[r.value]
-  ##     vpc_region = r.value
-  ##   }
-  ## }
-
   lifecycle {
     ignore_changes = [vpc]
   }
@@ -31,12 +22,26 @@ resource "aws_route53_zone" "cluster_domain" {
     local.common_tags,
     var.tags,
     var.application_tags,
-    tomap({ "Name" = local.cluster_domain_name }),
+    { "Name" = local.cluster_domain_name },
   )
-
-  # depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ]
 }
 
+## # now we need to add the NS records for the new zone to the parent zone
+## data "aws_route53_zone" "parent" {
+##   name         = var.vpc_domain_name
+##   private_zone = true
+## }
+##
+## resource "aws_route53_record" "cluster_domain" {
+##   allow_overwrite = true
+##   name            = local.cluster_domain_name
+##   type            = "NS"
+##   ttl             = 900
+##   zone_id         = data.aws_route53_zone.parent.zone_id
+##
+##   records = aws_route53_zone.cluster_domain.name_servers
+## }
+
 output "cluster_domain_name" {
   description = "DNS Zone Name"
   value       = local.cluster_domain_name
@@ -54,72 +59,98 @@ output "cluster_domain_ns" {
 
 #---
 # associate to main do2-govcloud vpc1-services east and west for inbound resolution
+# and to vpc7-endpoints in network prod
 #---
-provider "aws" {
-  alias   = "east_main_dns"
-  region  = var.region_map["east"]
-  profile = var.main_dns_profile
-}
 
+#---
+# network prod
+#---
 provider "aws" {
-  alias   = "west_main_dns"
-  region  = var.region_map["west"]
-  profile = var.main_dns_profile
+  alias  = "route53_main"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
 }
 
-# resource "aws_route53_vpc_association_authorization" "cluster_domain" {
-#   for_each = var.region_map
-#
-#   zone_id    = aws_route53_zone.cluster_domain.zone_id
-#   vpc_region = each.value
-#   vpc_id     = var.main_dns_vpcs[each.value]
-# }
-
-resource "aws_route53_vpc_association_authorization" "west_cluster_domain" {
-  for_each   = tomap({ "zone" = aws_route53_zone.cluster_domain })
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-west-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
-}
+module "route53_main_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
 
-resource "aws_route53_vpc_association_authorization" "east_cluster_domain" {
-  for_each   = tomap({ "zone" = aws_route53_zone.cluster_domain })
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-east-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
 }
 
-resource "aws_route53_zone_association" "west_cluster_domain" {
-  provider = aws.west_main_dns
-  for_each = aws_route53_vpc_association_authorization.west_cluster_domain
+module "route53_main_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
 
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
-}
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
 
-resource "aws_route53_zone_association" "east_cluster_domain" {
-  provider = aws.east_main_dns
-  for_each = aws_route53_vpc_association_authorization.east_cluster_domain
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
 
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
+#---
+# do2-gov ("legacy")
+#---
+provider "aws" {
+  alias  = "route53_main_legacy"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+    session_name = var.os_username
+  }
 }
 
-# now we need to add the NS records for the new zone to the parent zone
+module "route53_main_legacy_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
 
-data "aws_route53_zone" "parent" {
-  name         = var.vpc_domain_name
-  private_zone = true
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
 }
 
-resource "aws_route53_record" "cluster_domain" {
-  allow_overwrite = true
-  name            = local.cluster_domain_name
-  type            = "NS"
-  ttl             = 900
-  zone_id         = data.aws_route53_zone.parent.zone_id
+module "route53_main_legacy_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
 
-  records = aws_route53_zone.cluster_domain.name_servers
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
 }
+
diff --git a/examples/full-cluster-tf-upgrade/1.24/variables.route53.tf b/examples/full-cluster-tf-upgrade/1.24/variables.route53.tf
new file mode 100644
index 0000000..140e7f2
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.24/variables.route53.tf
@@ -0,0 +1,16 @@
+variable "route53_endpoints" {
+  description = "Map of target route53 endpoints (for inbound) central VPCs"
+  type        = map(map(string))
+  default = {
+    route53_main = {
+      "account_id"    = "057405694017"
+      "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+      "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+    }
+    route53_main_legacy = {
+      "account_id"    = "107742151971"
+      "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+      "us-gov-west-1" = "vpc-77877a12"
+    }
+  }
+}
diff --git a/examples/full-cluster-tf-upgrade/1.24/variables.username.tf b/examples/full-cluster-tf-upgrade/1.24/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.24/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+  description = "OS username from environment variable, ideally as $USER"
+  type        = string
+  default     = null
+}
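Review bot: The `##`-commented NS-delegation block added at the end of this hunk is dead code: the live `data "aws_route53_zone" "parent"` and `resource "aws_route53_record" "cluster_domain"` definitions are removed in the following hunk, and keeping a commented copy here, complete with `allow_overwrite = true`, invites someone to uncomment it later without the review that an overwrite of a parent-zone record deserves. Prefer deleting the block (git history keeps it) and, if the reason needs recording, leave a one-line comment such as `# NS delegation into the parent zone intentionally dropped; the private zone is reached via VPC association instead` — hedged, since the commit does not state why the delegation was removed.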
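Review bot: All four `module` blocks pull `aws-vpc-setup.git//route53-zone-association/zone` at `?ref=tf-upgrade`, a mutable branch name, so the code that runs under the cross-account `r-inf-terraform-route53` role can change on the next `terraform init` with no change to this repository; pin it to a release tag or full commit SHA, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=<tag-or-commit-sha>"`. Both `assume_role` blocks set `session_name = var.os_username`, whose default is `null` in `variables.username.tf`, so CloudTrail attribution of these cross-account sessions is only as good as whatever the caller passes (or a provider-generated name when nothing is passed) and should be treated as attribution, not authentication. `data.aws_arn.current`, used to derive the partition for both role ARNs, is not defined in this hunk; if it does not exist elsewhere in the example, `terraform validate` will fail. Both providers use `region = var.region_map["east"]` while the west modules pass `region = "us-gov-west-1"`; that is fine if the module only makes Route 53 (global) calls through `aws.peer`, but a comment saying so would save the next reader the question.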
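Review bot: `route53_endpoints` mixes the `account_id` entry and the per-region VPC IDs in one `map(string)`, so a missing or mistyped `account_id` only surfaces when `format()` builds the role ARN in dns-zone.tf; an object type makes the shape explicit and lets a `validation` block check it, e.g. `type = map(object({ account_id = string, vpcs = map(string) }))` with `condition = alltrue([for k, v in var.route53_endpoints : can(regex("^[0-9]{12}$", v.account_id))])`. That change also requires updating the `var.route53_endpoints[...]` lookups in dns-zone.tf. Shipping real account and VPC IDs as the default of an example variable also means anyone copying the example targets those accounts unless they override it; consider dropping the default and documenting the expected `.tfvars` instead.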
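Review bot: `os_username` defaults to `null` yet is used as the `assume_role` `session_name` in dns-zone.tf, and an IAM RoleSessionName must match `[\w+=,.@-]{2,64}`; add a validation so an absent or malformed value fails at plan time rather than at AssumeRole, e.g. `validation { condition = can(regex("^[\\w+=,.@-]{2,64}$", var.os_username)); error_message = "os_username must be set (e.g. TF_VAR_os_username=$USER) and be a valid IAM role session name." }` — `can()` returns false for the `null` case as well. The description should say how the value is expected to arrive, e.g. `description = "Caller's OS username, supplied via TF_VAR_os_username (typically $USER); used as the assume_role session name for audit attribution only"`, since a caller-controlled `$USER` identifies but does not authenticate the operator.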