add route53 for createion central endpoints

vpc-interface-endpoint/route53.tf

@@ -0,0 +1,151 @@
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
+#   needed for diff accounts
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-entities-hosted-zones
+#   should not run into quota problems, associate 300 vpcs per phz
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html
+# docs on this approach
+#   https://aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/
+#   https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html
+# 
+
+# allow only network-prod, network-sa accounts to run this
+
+locals {
+  permitted_accounts = [
+    # ent-gov-network-prod
+    "057405694017",
+    # ent-gov-network-sa
+    "057445207498",
+  ]
+  r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint
+}
+
+resource "aws_route53_zone" "vpce" {
+  count         = local.r53_create ? 1 : 0
+  name          = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+  comment       = format("VPCE %v %v", data.aws_vpc_endpoint_service.interface_endpoint.service, local.region)
+  force_destroy = false
+
+  vpc {
+    vpc_id     = local.vpc_id
+    vpc_region = local.region
+  }
+
+  lifecycle {
+    ignore_changes = [vpc]
+  }
+
+  tags = merge(
+    local.tags,
+    local.common_tags,
+    { Name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_nam },
+  )
+}
+
+data "aws_network_interface" "vpce" {
+  for_each = local.r54_create ? toset(aws_vpc_endpoint.interface_endpoint.network_interface_ids) : toset([])
+  id       = each.key
+}
+
+## govcloud does not support aliases
+## resource "aws_route53_record" "vpce_kms_alias" {
+##   for_each = module.vpce_kms
+##   zone_id  = aws_route53_zone.vpce_kms[each.key].zone_id
+##   name     = aws_route53_zone.vpce_kms[each.key].name
+##   type     = "A"
+## 
+##   alias {
+##     name                   = module.vpce_kms[each.key].vpce_service_info.dns_entry[0].dns_name
+##     zone_id                = module.vpce_kms[each.key].vpce_service_info.dns_entry[0].hosted_zone_id
+##     evaluate_target_health = false
+##   }
+## }
+
+resource "aws_route53_record" "vpce" {
+  count   = local.r53_create ? 1 : 0
+  zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+  name    = try(aws_route53_zone.vpce[0].name, null)
+  type    = "A"
+  ttl     = "60"
+  records = [for n in data.aws_network_interface.vpce : n.private_ip]
+}
+
+resource "aws_route53_record" "vpce_info_txt" {
+  count   = local.r53_create ? 1 : 0
+  zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+  name    = format("_info.%v", try(aws_route53_zone.vpce[0].zone_id, ""))
+  type    = "TXT"
+  ttl     = "900"
+  records = [aws_vpc_endpoint.interface_endpoint.dns_entry[0].dns_name]
+}
+
+resource "time_static" "vpce" {
+  count = local.r53_create ? 1 : 0
+}
+
+resource "aws_route53_record" "vpce_kms_txt" {
+  count   = local.r53_create ? 1 : 0
+  zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+  name    = try(aws_route53_zone.vpce[0].name, null)
+
+  type = "TXT"
+  ttl  = "900"
+  records = [format("heritage=terraform,terraform/account_id=%v,terraform/region=%v,terraform/vpce_id=%v,terraform/create_time=%d",
+  data.aws_caller_identity.current.account_id, local.region, aws_vpc_endpoint.interface_endpoint.id, try(time_static.vpce[0].unix, ""))]
+}
+
+module "vpce_ips" {
+  count  = local.r53_create ? 1 : 0
+  source = "git@github.e.it.census.gov:terraform-modules/dns-lookup.git?ref=tf-upgrade"
+  hosts  = [for n in data.aws_network_interface.vpce : n.private_ip]
+}
+
+locals {
+  ptr_zones = local.r5_create ? distinct([for k, v in module.vpce_ips[0].results_ipv4 : v.network_ptr_sorted]) : []
+}
+
+data "aws_route53_zone" "vpce_ptr" {
+  for_each     = toset(local.ptr_zones)
+  name         = each.key
+  private_zone = true
+}
+
+resource "aws_route53_record" "vpce_ptr" {
+  for_each = local.r53_create ? module.vpce_ips[0].results_ipv4 : {}
+  zone_id  = data.aws_route53_zone.vpce_ptr[each.value.network_ptr_sorted].zone_id
+  name     = each.value.ptr_sorted
+  type     = "PTR"
+  ttl      = "900"
+  records  = [aws_vpc_endpoint.interface_endpoint.dns_entry[0].dns_name]
+}
+resource "aws_route53_record" "vpce_ptr_info" {
+  for_each = local.r53_create ? module.vpce_ips[0].results_ipv4 : {}
+  zone_id  = data.aws_route53_zone.vpce_ptr[each.value.network_ptr_sorted].zone_id
+  name     = each.value.ptr_sorted
+  type     = "TXT"
+  ttl      = "900"
+  records = [format("heritage=terraform,terraform/account_id=%v,terraform/region=%v,terraform/vpce_id=%v,terraform/create_time=%d",
+  data.aws_caller_identity.current.account_id, local.region, aws_vpc_endpoint.interface_endpoint.id, try(time_static.vpce[0].unix, ""))]
+}
+
+resource "aws_ssm_parameter" "vpce" {
+  count       = local.r53_create ? 1 : 0
+  name        = format("/enterprise/%v/vpc-endpoints/%v/%v", data.aws_arn.current.partition, local.region, data.aws_vpc_endpoint_service.interface_endpoint.service)
+  description = format("VPC Endpoint details for %v", data.aws_vpc_endpoint_service.interface_endpoint.service)
+  type        = "String"
+  value = jsonencode({
+    name        = data.aws_vpc_endpoint_service.interface_endpoint.service
+    region      = local.region
+    dns_name    = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+    id          = aws_vpc_endpoint.interface_endpoint.id
+    zone        = try(aws_route53_zone.vpce[0].name, null)
+    zone_id     = try(aws_route53_zone.vpce[0].zone_id, null)
+    create_time = try(time_static.vpce[0].unix, null)
+  })
+
+  tags = merge(
+    local.tags,
+    local.common_tags,
+    { "boc:vpc_endpoint" = data.aws_vpc_endpoint_service.interface_endpoint.service },
+  )
+}