diff --git a/examples/full-cluster-tf-upgrade/1.23/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.23/dns-zone.tf index a7f3f41..098aed8 100644 --- a/examples/full-cluster-tf-upgrade/1.23/dns-zone.tf +++ b/examples/full-cluster-tf-upgrade/1.23/dns-zone.tf @@ -4,6 +4,7 @@ locals { } resource "aws_route53_zone" "cluster_domain" { + count = var.shared_vpc_label == null ? 1 : 0 name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false @@ -13,15 +14,6 @@ resource "aws_route53_zone" "cluster_domain" { vpc_region = local.region } - ## dynamic "vpc" { - ## for_each = true ? var.region_map : {} - ## iterator = r - ## content { - ## vpc_id = var.main_dns_vpcs[r.value] - ## vpc_region = r.value - ## } - ## } - lifecycle { ignore_changes = [vpc] } 
@@ -31,12 +23,51 @@ resource "aws_route53_zone" "cluster_domain" { local.common_tags, var.tags, var.application_tags, - tomap({ "Name" = local.cluster_domain_name }), + { "Name" = local.cluster_domain_name }, ) +} + +resource "aws_route53_zone" "remote_cluster_domain" { + provider = aws.route53_main + count = var.shared_vpc_label != null ? 1 : 0 + name = local.cluster_domain_name + comment = local.cluster_domain_description + force_destroy = false + + vpc { + vpc_id = data.aws_vpc.eks_vpc.id + vpc_region = local.region + } + + lifecycle { + ignore_changes = [vpc] + } - # depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ] + tags = merge( + local.base_tags, + local.common_tags, + var.tags, + var.application_tags, + { "Name" = local.cluster_domain_name }, + ) } +## # now we need to add the NS records for the new zone to the parent zone +## data "aws_route53_zone" "parent" { +## name = var.vpc_domain_name +## private_zone = true +## } +## +## resource "aws_route53_record" "cluster_domain" { +## allow_overwrite = true +## name = local.cluster_domain_name +## type = "NS" +## ttl = 900 +## zone_id = data.aws_route53_zone.parent.zone_id +## +## records = aws_route53_zone.cluster_domain.name_servers +## } + output "cluster_domain_name" { description = "DNS Zone Name" value = local.cluster_domain_name 
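Review bot: The new `remote_cluster_domain` resource duplicates `cluster_domain` line for line except for `provider = aws.route53_main` and the inverted `count` condition, and nothing in the file says why two resources are needed. A comment above it would stop the next maintainer from trying to merge them, e.g. `# provider cannot be selected conditionally, so the shared-VPC case gets its own zone created in the route53_main account; exactly one of cluster_domain / remote_cluster_domain has count = 1`. Both zones keep `lifecycle { ignore_changes = [vpc] }`, presumably because the VPC associations are managed by the module blocks further down; that is worth stating in the same comment so the ignore is not removed as dead config.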
@@ -44,82 +75,110 @@ output "cluster_domain_name" { output "cluster_domain_id" { description = "DNS Zone ID" - value = aws_route53_zone.cluster_domain.zone_id + value = var.shared_vpc_label == null ? aws_route53_zone.cluster_domain[0].zone_id : aws_route53_zone.remote_cluster_domain[0].zone_id } output "cluster_domain_ns" { description = "DNS Zone Nameservers" - value = aws_route53_zone.cluster_domain.name_servers + value = var.shared_vpc_label == null ? aws_route53_zone.cluster_domain[0].name_servers : aws_route53_zone.remote_cluster_domain[0].name_servers } #--- # associate to main do2-govcloud vpc1-services east and west for inbound resolution +# and to vpc7-endpoints in network prod +#--- + +#--- +# network prod #--- provider "aws" { - alias = "east_main_dns" + alias = "route53_main" region = var.region_map["east"] - profile = var.main_dns_profile + profile = var.profile + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } } -provider "aws" { - alias = "west_main_dns" - region = var.region_map["west"] - profile = var.main_dns_profile -} +module "route53_main_east" { + providers = { + aws.self = aws + aws.peer = aws.route53_main + } -# resource "aws_route53_vpc_association_authorization" "cluster_domain" { -# for_each = var.region_map -# -# zone_id = aws_route53_zone.cluster_domain.zone_id -# vpc_region = each.value -# vpc_id = var.main_dns_vpcs[each.value] -# } - -resource "aws_route53_vpc_association_authorization" "west_cluster_domain" { - for_each = tomap({ "zone" = aws_route53_zone.cluster_domain }) - zone_id = each.value.zone_id - vpc_region = "us-gov-west-1" - vpc_id = var.main_dns_vpcs["us-gov-west-1"] -} + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = 
var.route53_endpoints["route53_main"]["us-gov-east-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)] -resource "aws_route53_vpc_association_authorization" "east_cluster_domain" { - for_each = tomap({ "zone" = aws_route53_zone.cluster_domain }) - zone_id = each.value.zone_id - vpc_region = "us-gov-east-1" - vpc_id = var.main_dns_vpcs["us-gov-east-1"] + tags = merge( + local.common_tags, + var.application_tags, + ) } -resource "aws_route53_zone_association" "west_cluster_domain" { - provider = aws.west_main_dns - for_each = aws_route53_vpc_association_authorization.west_cluster_domain +module "route53_main_west" { + providers = { + aws.self = aws + aws.peer = aws.route53_main + } - zone_id = each.value.zone_id - vpc_id = each.value.vpc_id - vpc_region = each.value.vpc_region -} + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)] -resource "aws_route53_zone_association" "east_cluster_domain" { - provider = aws.east_main_dns - for_each = aws_route53_vpc_association_authorization.east_cluster_domain + tags = merge( + local.common_tags, + var.application_tags, + ) +} - zone_id = each.value.zone_id - vpc_id = each.value.vpc_id - vpc_region = each.value.vpc_region +#--- +# do2-gov ("legacy") +#--- +provider "aws" { + alias = "route53_main_legacy" + region = var.region_map["east"] + profile = var.profile + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) + session_name = var.os_username + } } -# now we need to add the NS records for the new zone to the parent zone +module "route53_main_legacy_east" { + providers = { 
+ aws.self = aws + aws.peer = aws.route53_main_legacy + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)] -data "aws_route53_zone" "parent" { - name = var.vpc_domain_name - private_zone = true + tags = merge( + local.common_tags, + var.application_tags, + ) } -resource "aws_route53_record" "cluster_domain" { - allow_overwrite = true - name = local.cluster_domain_name - type = "NS" - ttl = 900 - zone_id = data.aws_route53_zone.parent.zone_id +module "route53_main_legacy_west" { + providers = { + aws.self = aws + aws.peer = aws.route53_main_legacy + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id, aws_route53_zone.remote_cluster_domain[0].zone_id)] - records = aws_route53_zone.cluster_domain.name_servers + tags = merge( + local.common_tags, + var.application_tags, + ) } + diff --git a/examples/full-cluster-tf-upgrade/1.23/tf-run.data b/examples/full-cluster-tf-upgrade/1.23/tf-run.data index 5aa7ded..67ef318 100644 --- a/examples/full-cluster-tf-upgrade/1.23/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.23/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.4.0 +VERSION 1.4.3 REMOTE-STATE COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md) STOP then continue with at step %%NEXT%% (tag:subnets-verified) 
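Review bot: All four module blocks in this hunk fetch `route53-zone-association/zone` from a mutable branch, `?ref=tf-upgrade`, so a later push to that branch silently changes the code that `terraform init` pulls and then applies in the network-prod and legacy accounts under the assumed `r-inf-terraform-route53` role. Pin each `source` to a tag or commit, `?ref=<tag-or-sha>` (placeholder), and bump it deliberately when the module changes. The same unpinned ref appears in the 1.24 and 1.25 dns-zone.tf hunks and in the new dns-zone.tf.old. Separately, the role name is spelled out in both provider blocks' `role_arn` format strings; holding it in a single local would make the cross-account trust easier to audit and change.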
@@ -21,8 +21,9 @@ LINKTOP includes.d/variables.application_tags.auto.tfvars LINK variables.vpc.tf LINK variables.vpc.auto.tfvars +LINK variables.availability_zones.tf -COMMAND tf-init -upgrade +COMMAND tf-init STOP check variables.vpc.* files and then continue with %%NEXT%% (tag:setup-complete) @@ -34,9 +35,13 @@ COMMENT EC2 key pairs null_resource.generate_keypair aws_key_pair.cluster_keypair COMMAND tf-directory-setup.py -l s3 - COMMENT be sure to add the setup/ec2-ssh-eks-{cluster} to git-secret, git-secret hide, add the setup/*secret and setup/*pub got git, and commit the entirety of the change +TAG dns-zone +aws_route53_zone.cluster_domain aws_route53_zone.remote_cluster_domain +module.route53_main_east module.route53_main_west module.route53_main_legacy_east module.route53_main_legacy_west + +TAG create-cluster ALL COMMENT Assumes setup the includes.d/parent_rs.tf according to the REAMDE.md has been done, will fail if not. You can answer n at the pause if you are not sure diff --git a/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf index 2ba38aa..4c40e52 100644 --- a/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf +++ b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf 
@@ -3,13 +3,45 @@ locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) } +#--- +# network prod +#--- +provider "aws" { + alias = "route53_main_east" + region = var.region_map["east"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +provider "aws" { + alias = "route53_main_west" + region = var.region_map["west"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { + count = var.shared_vpc_label == null ? 1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } +} + resource "aws_route53_zone" "cluster_domain" { name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false vpc { - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = var.shared_vpc_label == null ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id vpc_region = local.region } 
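Review bot: `try(data.aws_vpc.dummy_vpc[0].id, null)` in the zone's `vpc` block masks a misconfiguration rather than handling one: when `shared_vpc_label` is null the data source has `count = 1`, so the index can only fail if the lookup itself fails (which already aborts the plan), and a null `vpc_id` inside `vpc {}` would be rejected by the provider anyway; as far as I can tell the untaken branch of a conditional does not report its errors, so the `try` is not needed for the `count = 0` case either. Reference the index directly, `vpc_id = var.shared_vpc_label == null ? data.aws_vpc.dummy_vpc[0].id : data.aws_vpc.eks_vpc.id`. The dummy VPC is selected by `tag:Name = vpc0-dummy` alone, which errors if more than one VPC in the account carries that tag; a one-line comment on the data source stating that the tag is expected to be unique per account would help the operator who hits that. The 1.25 hunk contains the same lines.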
@@ -26,6 +58,46 @@ resource "aws_route53_zone" "cluster_domain" { ) } +#--- +# need to also associate with network-prod account and this vpc +#--- +module "route53_cluster_domain_east" { + count = local.region == "us-gov-east-1" && var.shared_vpc_label != null ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_east + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_cluster_domain_west" { + count = local.region == "us-gov-west-1" && var.shared_vpc_label != null ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_west + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + + ## # now we need to add the NS records for the new zone to the parent zone ## data "aws_route53_zone" "parent" { ## name = var.vpc_domain_name diff --git a/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf.old b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf.old new file mode 100644 index 0000000..8d75888 --- /dev/null +++ b/examples/full-cluster-tf-upgrade/1.24/dns-zone.tf.old 
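Review bot: With `var.shared_vpc_label == null` both modules have `count = 0`, and in that case the zone's only VPC association (from the previous hunk) is the `vpc0-dummy` lookup, so the cluster's own VPC (`data.aws_vpc.eks_vpc`) is never associated with its private zone unless that happens in a file outside this diff; the 1.23 version associated the zone with the cluster VPC at creation time. If that is intended, the comment `# need to also associate with network-prod account and this vpc` should say that the non-shared case relies on an association made elsewhere; if not, a `count`-gated association for `data.aws_vpc.eks_vpc.id` in the non-shared case is missing. The 1.25 hunk is identical.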
@@ -0,0 +1,184 @@ +locals { + cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) + cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) +} + +resource "aws_route53_zone" "cluster_domain" { + count = var.shared_vpc_label == null ? 1 : 0 + name = local.cluster_domain_name + comment = local.cluster_domain_description + force_destroy = false + + vpc { + vpc_id = data.aws_vpc.eks_vpc.id + vpc_region = local.region + } + + lifecycle { + ignore_changes = [vpc] + } + + tags = merge( + local.base_tags, + local.common_tags, + var.tags, + var.application_tags, + { "Name" = local.cluster_domain_name }, + ) +} + +resource "aws_route53_zone" "remote_cluster_domain" { + provider = aws.route53_main + count = var.shared_vpc_label != null ? 1 : 0 + name = local.cluster_domain_name + comment = local.cluster_domain_description + force_destroy = false + + vpc { + vpc_id = data.aws_vpc.eks_vpc.id + vpc_region = local.region + } + + lifecycle { + ignore_changes = [vpc] + } + + tags = merge( + local.base_tags, + local.common_tags, + var.tags, + var.application_tags, + { "Name" = local.cluster_domain_name }, + ) +} + +## # now we need to add the NS records for the new zone to the parent zone +## data "aws_route53_zone" "parent" { +## name = var.vpc_domain_name +## private_zone = true +## } +## +## resource "aws_route53_record" "cluster_domain" { +## allow_overwrite = true +## name = local.cluster_domain_name +## type = "NS" +## ttl = 900 +## zone_id = data.aws_route53_zone.parent.zone_id +## +## records = aws_route53_zone.cluster_domain.name_servers +## } + +output "cluster_domain_name" { + description = "DNS Zone Name" + value = local.cluster_domain_name +} + +output "cluster_domain_id" { + description = "DNS Zone ID" + value = var.shared_vpc_label == null ? 
aws_route53_zone.cluster_domain[0].zone_id : aws_route53_zone.remote_cluster_domain[0].zone_id +} + +output "cluster_domain_ns" { + description = "DNS Zone Nameservers" + value = var.shared_vpc_label == null ? aws_route53_zone.cluster_domain[0].name_servers : aws_route53_zone.remote_cluster_domain[0].name_servers +} + +#--- +# associate to main do2-govcloud vpc1-services east and west for inbound resolution +# and to vpc7-endpoints in network prod +#--- + +#--- +# network prod +#--- +provider "aws" { + alias = "route53_main" + region = var.region_map["east"] + profile = var.profile + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +module "route53_main_east" { + providers = { + aws.self = aws + aws.peer = aws.route53_main + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id,aws_route53_zone.remote_cluster_domain[0].zone_id)] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_main_west" { + providers = { + aws.self = aws + aws.peer = aws.route53_main + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id,aws_route53_zone.remote_cluster_domain[0].zone_id)] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +#--- +# do2-gov ("legacy") +#--- +provider "aws" { + alias = "route53_main_legacy" + region = var.region_map["east"] + profile = var.profile + assume_role { + role_arn = 
format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) + session_name = var.os_username + } +} + +module "route53_main_legacy_east" { + providers = { + aws.self = aws + aws.peer = aws.route53_main_legacy + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id,aws_route53_zone.remote_cluster_domain[0].zone_id)] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_main_legacy_west" { + providers = { + aws.self = aws + aws.peer = aws.route53_main_legacy + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] + zone_ids = [try(aws_route53_zone.cluster_domain[0].zone_id,aws_route53_zone.remote_cluster_domain[0].zone_id)] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + diff --git a/examples/full-cluster-tf-upgrade/1.24/tf-run.data b/examples/full-cluster-tf-upgrade/1.24/tf-run.data index ec4f280..260595b 100644 --- a/examples/full-cluster-tf-upgrade/1.24/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.24/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.4.2 +VERSION 1.4.4 REMOTE-STATE COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md) STOP then continue with at step %%NEXT%% (tag:subnets-verified) 
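Review bot: `dns-zone.tf.old` is a 184-line copy of the pre-change configuration committed next to the live file; Terraform never loads a `.old` suffix, but the file carries provider blocks with `assume_role` ARNs and unpinned module sources that will drift from the real file and mislead anyone grepping the examples. Git history already preserves the old version, so the file can be dropped. If it must stay to support a migration, add a header comment stating that it is not loaded and which revision it was copied from.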
@@ -39,11 +39,12 @@ COMMENT be sure to add the setup/ec2-ssh-eks-{cluster} to git-secret, git-secret TAG dns-zone aws_route53_zone.cluster_domain +module.route53_cluster_domain_east module.route53_cluster_domain_west TAG create-cluster ALL -COMMENT Assumes setup the includes.d/parent_rs.tf according to the REAMDE.md has been done, will fail if not. You can answer n at the pause if you are not sure +COMMENT Assumes setup the includes.d/parent_rs.tf according to the REAMDE.md has been done, will fail if not. You can answer no at the pause if you are not sure PAUSE TAG setup-aws-auth diff --git a/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf index 2ba38aa..4c40e52 100644 --- a/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf +++ b/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf 
@@ -3,13 +3,45 @@ locals { cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) } +#--- +# network prod +#--- +provider "aws" { + alias = "route53_main_east" + region = var.region_map["east"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +provider "aws" { + alias = "route53_main_west" + region = var.region_map["west"] + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) + session_name = var.os_username + } +} + +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { + count = var.shared_vpc_label == null ? 1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } +} + resource "aws_route53_zone" "cluster_domain" { name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false vpc { - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = var.shared_vpc_label == null ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id vpc_region = local.region } 
@@ -26,6 +58,46 @@ resource "aws_route53_zone" "cluster_domain" { ) } +#--- +# need to also associate with network-prod account and this vpc +#--- +module "route53_cluster_domain_east" { + count = local.region == "us-gov-east-1" && var.shared_vpc_label != null ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_east + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + +module "route53_cluster_domain_west" { + count = local.region == "us-gov-west-1" && var.shared_vpc_label != null ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_west + } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = merge( + local.common_tags, + var.application_tags, + ) +} + + ## # now we need to add the NS records for the new zone to the parent zone ## data "aws_route53_zone" "parent" { ## name = var.vpc_domain_name diff --git a/examples/full-cluster-tf-upgrade/1.25/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/tf-run.data index cdaa245..260595b 100644 --- a/examples/full-cluster-tf-upgrade/1.25/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.25/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.4.2 +VERSION 1.4.4 REMOTE-STATE COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md) STOP then continue with at step %%NEXT%% (tag:subnets-verified) 
@@ -39,12 +39,12 @@ COMMENT be sure to add the setup/ec2-ssh-eks-{cluster} to git-secret, git-secret TAG dns-zone aws_route53_zone.cluster_domain -module.route53_main_east module.route53_main_west module.route53_main_legacy_east module.route53_main_legacy_west +module.route53_cluster_domain_east module.route53_cluster_domain_west TAG create-cluster ALL -COMMENT Assumes setup the includes.d/parent_rs.tf according to the REAMDE.md has been done, will fail if not. You can answer n at the pause if you are not sure +COMMENT Assumes setup the includes.d/parent_rs.tf according to the REAMDE.md has been done, will fail if not. You can answer no at the pause if you are not sure PAUSE TAG setup-aws-auth