update dns-zone.tf and tf-run.data for shared vpcs

terraform-modules · Jul 11, 2023 · 714448f · 714448f
1 parent bf8d01d
commit 714448f
Show file tree

Hide file tree

Showing 7 changed files with 466 additions and 73 deletions.
diff --git a/examples/full-cluster-tf-upgrade/1.23/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.23/dns-zone.tf
@@ -4,6 +4,7 @@ locals {
 }
 
 resource "aws_route53_zone" "cluster_domain" {
+  count         = var.shared_vpc_label == null ? 1 : 0
   name          = local.cluster_domain_name
   comment       = local.cluster_domain_description
   force_destroy = false
@@ -13,15 +14,6 @@ resource "aws_route53_zone" "cluster_domain" {
     vpc_region = local.region
   }
 
-  ##   dynamic "vpc" {
-  ##     for_each = true ? var.region_map : {}
-  ##     iterator = r
-  ##     content {
-  ##       vpc_id     = var.main_dns_vpcs[r.value]
-  ##       vpc_region = r.value
-  ##     }
-  ##   }
-
   lifecycle {
     ignore_changes = [vpc]
   }
@@ -31,95 +23,162 @@ resource "aws_route53_zone" "cluster_domain" {
     local.common_tags,
     var.tags,
     var.application_tags,
-    tomap({ "Name" = local.cluster_domain_name }),
+    { "Name" = local.cluster_domain_name },
   )
+}
+
+resource "aws_route53_zone" "remote_cluster_domain" {
+  provider      = aws.route53_main
+  count         = var.shared_vpc_label != null ? 1 : 0
+  name          = local.cluster_domain_name
+  comment       = local.cluster_domain_description
+  force_destroy = false
+
+  vpc {
+    vpc_id     = data.aws_vpc.eks_vpc.id
+    vpc_region = local.region
+  }
+
+  lifecycle {
+    ignore_changes = [vpc]
+  }
 
-  #  depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ]
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.tags,
+    var.application_tags,
+    { "Name" = local.cluster_domain_name },
+  )
 }
 
+## # now we need to add the NS records for the new zone to the parent zone
+## data "aws_route53_zone" "parent" {
+##   name         = var.vpc_domain_name
+##   private_zone = true
+## }
+## 
+## resource "aws_route53_record" "cluster_domain" {
+##   allow_overwrite = true
+##   name            = local.cluster_domain_name
+##   type            = "NS"
+##   ttl             = 900
+##   zone_id         = data.aws_route53_zone.parent.zone_id
+## 
+##   records = aws_route53_zone.cluster_domain.name_servers
+## }
+
 output "cluster_domain_name" {
   description = "DNS Zone Name"
   value       = local.cluster_domain_name
 }
 
 output "cluster_domain_id" {
   description = "DNS Zone ID"
-  value       = aws_route53_zone.cluster_domain.zone_id
+  value       = var.shared_vpc_label == null ? aws_route53_zone.cluster_domain[0].zone_id : aws_route53_zone.remote_cluster_domain[0].zone_id
 }
 
 output "cluster_domain_ns" {
   description = "DNS Zone Nameservers"
-  value       = aws_route53_zone.cluster_domain.name_servers
+  value       = var.shared_vpc_label == null ? aws_route53_zone.cluster_domain[0].name_servers : aws_route53_zone.remote_cluster_domain[0].name_servers
 }
 
 #---
 # associate to main do2-govcloud vpc1-services east and west for inbound resolution
+# and to vpc7-endpoints in network prod
+#---
+
+#---
+# network prod
 #---
 provider "aws" {
-  alias   = "east_main_dns"
+  alias   = "route53_main"
   region  = var.region_map["east"]
-  profile = var.main_dns_profile
+  profile = var.profile
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
 }
 
-provider "aws" {
-  alias   = "west_main_dns"
-  region  = var.region_map["west"]
-  profile = var.main_dns_profile
-}
+module "route53_main_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
 
-# resource "aws_route53_vpc_association_authorization" "cluster_domain" {
-#   for_each = var.region_map
-# 
-#   zone_id    = aws_route53_zone.cluster_domain.zone_id
-#   vpc_region = each.value
-#   vpc_id     = var.main_dns_vpcs[each.value]
-# }
-
-resource "aws_route53_vpc_association_authorization" "west_cluster_domain" {
-  for_each   = tomap({ "zone" = aws_route53_zone.cluster_domain })
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-west-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
-}
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+  zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)]
 
-resource "aws_route53_vpc_association_authorization" "east_cluster_domain" {
-  for_each   = tomap({ "zone" = aws_route53_zone.cluster_domain })
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-east-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
 }
 
-resource "aws_route53_zone_association" "west_cluster_domain" {
-  provider = aws.west_main_dns
-  for_each = aws_route53_vpc_association_authorization.west_cluster_domain
+module "route53_main_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
 
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
-}
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+  zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)]
 
-resource "aws_route53_zone_association" "east_cluster_domain" {
-  provider = aws.east_main_dns
-  for_each = aws_route53_vpc_association_authorization.east_cluster_domain
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
 
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
+#---
+# do2-gov ("legacy")
+#---
+provider "aws" {
+  alias   = "route53_main_legacy"
+  region  = var.region_map["east"]
+  profile = var.profile
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+    session_name = var.os_username
+  }
 }
 
-# now we need to add the NS records for the new zone to the parent zone
+module "route53_main_legacy_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+  zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)]
 
-data "aws_route53_zone" "parent" {
-  name         = var.vpc_domain_name
-  private_zone = true
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
 }
 
-resource "aws_route53_record" "cluster_domain" {
-  allow_overwrite = true
-  name            = local.cluster_domain_name
-  type            = "NS"
-  ttl             = 900
-  zone_id         = data.aws_route53_zone.parent.zone_id
+module "route53_main_legacy_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+  zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)]
 
-  records = aws_route53_zone.cluster_domain.name_servers
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
 }
+
diff --git a/examples/full-cluster-tf-upgrade/1.23/tf-run.data b/examples/full-cluster-tf-upgrade/1.23/tf-run.data
@@ -1,4 +1,4 @@
-VERSION 1.4.0
+VERSION 1.4.3
 REMOTE-STATE
 COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md)
 STOP then continue with at step %%NEXT%% (tag:subnets-verified)
@@ -21,8 +21,9 @@ LINKTOP includes.d/variables.application_tags.auto.tfvars
 
 LINK variables.vpc.tf
 LINK variables.vpc.auto.tfvars
+LINK variables.availability_zones.tf
 
-COMMAND tf-init -upgrade
+COMMAND tf-init 
 
 STOP    check variables.vpc.* files and then continue with %%NEXT%% (tag:setup-complete)
 
@@ -34,9 +35,13 @@ COMMENT EC2 key pairs
 null_resource.generate_keypair
 aws_key_pair.cluster_keypair
 COMMAND tf-directory-setup.py -l s3
-
 COMMENT be sure to add the setup/ec2-ssh-eks-{cluster} to git-secret, git-secret hide, add the setup/*secret and setup/*pub got git, and commit the entirety of the change
 
+TAG dns-zone
+aws_route53_zone.cluster_domain aws_route53_zone.remote_cluster_domain
+module.route53_main_east module.route53_main_west module.route53_main_legacy_east module.route53_main_legacy_west
+
+TAG create-cluster
 ALL
 
 COMMENT Assumes setup the includes.d/parent_rs.tf according to the REAMDE.md has been done, will fail if not.  You can answer n at the pause if you are not sure

diff --git a/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf
@@ -3,13 +3,45 @@ locals {
   cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
 }
 
+#---
+# network prod
+#---
+provider "aws" {
+  alias  = "route53_main_east"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+provider "aws" {
+  alias  = "route53_main_west"
+  region = var.region_map["west"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+#---
+# dummy vpc, so we can associate the zone to this account
+#---
+data "aws_vpc" "dummy_vpc" {
+  count = var.shared_vpc_label == null ? 1 : 0
+  filter {
+    name   = "tag:Name"
+    values = ["vpc0-dummy"]
+  }
+}
+
 resource "aws_route53_zone" "cluster_domain" {
   name          = local.cluster_domain_name
   comment       = local.cluster_domain_description
   force_destroy = false
 
   vpc {
-    vpc_id     = data.aws_vpc.eks_vpc.id
+    vpc_id     = var.shared_vpc_label == null ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
     vpc_region = local.region
   }
 
@@ -26,6 +58,46 @@ resource "aws_route53_zone" "cluster_domain" {
   )
 }
 
+#---
+# need to also associate with network-prod account and this vpc
+#---
+module "route53_cluster_domain_east" {
+  count = local.region == "us-gov-east-1" && var.shared_vpc_label != null ? 1 : 0
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_east
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = data.aws_vpc.eks_vpc.id
+  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "route53_cluster_domain_west" {
+  count = local.region == "us-gov-west-1" && var.shared_vpc_label != null ? 1 : 0
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_west
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = data.aws_vpc.eks_vpc.id
+  zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+
 ## # now we need to add the NS records for the new zone to the parent zone
 ## data "aws_route53_zone" "parent" {
 ##   name         = var.vpc_domain_name