From ee6c6913c31eb251c4a4acc80481fdf077a22822 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 3 Apr 2023 16:22:22 -0400
Subject: [PATCH] add route53 for createion central endpoints

---
 vpc-interface-endpoint/route53.tf | 151 ++++++++++++++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 vpc-interface-endpoint/route53.tf

diff --git a/vpc-interface-endpoint/route53.tf b/vpc-interface-endpoint/route53.tf
new file mode 100644
index 0000000..391c19d
--- /dev/null
+++ b/vpc-interface-endpoint/route53.tf
@@ -0,0 +1,151 @@
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
+# needed for diff accounts
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-entities-hosted-zones
+# should not run into quota problems, associate 300 vpcs per phz
+# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html
+# docs on this approach
+# https://aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/
+# https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html
+#
+
+# allow only network-prod, network-sa accounts to run this
+
+locals {
+ permitted_accounts = [
+ # ent-gov-network-prod
+ "057405694017",
+ # ent-gov-network-sa
+ "057445207498",
+ ]
+ r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint
+}
+
+resource "aws_route53_zone" "vpce" {
+ count = local.r53_create ? 1 : 0
+ name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+ comment = format("VPCE %v %v", data.aws_vpc_endpoint_service.interface_endpoint.service, local.region)
+ force_destroy = false
+
+ vpc {
+ vpc_id = local.vpc_id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ }
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ { Name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_nam },
+ )
+}
+
+data "aws_network_interface" "vpce" {
+ for_each = local.r54_create ? 
toset(aws_vpc_endpoint.interface_endpoint.network_interface_ids) : toset([])
+ id = each.key
+}
+
+## govcloud does not support aliases
+## resource "aws_route53_record" "vpce_kms_alias" {
+## for_each = module.vpce_kms
+## zone_id = aws_route53_zone.vpce_kms[each.key].zone_id
+## name = aws_route53_zone.vpce_kms[each.key].name
+## type = "A"
+##
+## alias {
+## name = module.vpce_kms[each.key].vpce_service_info.dns_entry[0].dns_name
+## zone_id = module.vpce_kms[each.key].vpce_service_info.dns_entry[0].hosted_zone_id
+## evaluate_target_health = false
+## }
+## }
+
+resource "aws_route53_record" "vpce" {
+ count = local.r53_create ? 1 : 0
+ zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+ name = try(aws_route53_zone.vpce[0].name, null)
+ type = "A"
+ ttl = "60"
+ records = [for n in data.aws_network_interface.vpce : n.private_ip]
+}
+
+resource "aws_route53_record" "vpce_info_txt" {
+ count = local.r53_create ? 1 : 0
+ zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+ name = format("_info.%v", try(aws_route53_zone.vpce[0].zone_id, ""))
+ type = "TXT"
+ ttl = "900"
+ records = [aws_vpc_endpoint.interface_endpoint.dns_entry[0].dns_name]
+}
+
+resource "time_static" "vpce" {
+ count = local.r53_create ? 1 : 0
+}
+
+resource "aws_route53_record" "vpce_kms_txt" {
+ count = local.r53_create ? 1 : 0
+ zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+ name = try(aws_route53_zone.vpce[0].name, null)
+
+ type = "TXT"
+ ttl = "900"
+ records = [format("heritage=terraform,terraform/account_id=%v,terraform/region=%v,terraform/vpce_id=%v,terraform/create_time=%d",
+ data.aws_caller_identity.current.account_id, local.region, aws_vpc_endpoint.interface_endpoint.id, try(time_static.vpce[0].unix, ""))]
+}
+
+module "vpce_ips" {
+ count = local.r53_create ? 1 : 0
+ source = "git@github.e.it.census.gov:terraform-modules/dns-lookup.git?ref=tf-upgrade"
+ hosts = [for n in data.aws_network_interface.vpce : n.private_ip]
+}
+
+locals {
+ ptr_zones = local.r5_create ? 
distinct([for k, v in module.vpce_ips[0].results_ipv4 : v.network_ptr_sorted]) : []
+}
+
+data "aws_route53_zone" "vpce_ptr" {
+ for_each = toset(local.ptr_zones)
+ name = each.key
+ private_zone = true
+}
+
+resource "aws_route53_record" "vpce_ptr" {
+ for_each = local.r53_create ? module.vpce_ips[0].results_ipv4 : {}
+ zone_id = data.aws_route53_zone.vpce_ptr[each.value.network_ptr_sorted].zone_id
+ name = each.value.ptr_sorted
+ type = "PTR"
+ ttl = "900"
+ records = [aws_vpc_endpoint.interface_endpoint.dns_entry[0].dns_name]
+}
+resource "aws_route53_record" "vpce_ptr_info" {
+ for_each = local.r53_create ? module.vpce_ips[0].results_ipv4 : {}
+ zone_id = data.aws_route53_zone.vpce_ptr[each.value.network_ptr_sorted].zone_id
+ name = each.value.ptr_sorted
+ type = "TXT"
+ ttl = "900"
+ records = [format("heritage=terraform,terraform/account_id=%v,terraform/region=%v,terraform/vpce_id=%v,terraform/create_time=%d",
+ data.aws_caller_identity.current.account_id, local.region, aws_vpc_endpoint.interface_endpoint.id, try(time_static.vpce[0].unix, ""))]
+}
+
+resource "aws_ssm_parameter" "vpce" {
+ count = local.r53_create ? 1 : 0
+ name = format("/enterprise/%v/vpc-endpoints/%v/%v", data.aws_arn.current.partition, local.region, data.aws_vpc_endpoint_service.interface_endpoint.service)
+ description = format("VPC Endpoint details for %v", data.aws_vpc_endpoint_service.interface_endpoint.service)
+ type = "String"
+ value = jsonencode({
+ name = data.aws_vpc_endpoint_service.interface_endpoint.service
+ region = local.region
+ dns_name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+ id = aws_vpc_endpoint.interface_endpoint.id
+ zone = try(aws_route53_zone.vpce[0].name, null)
+ zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+ create_time = try(time_static.vpce[0].unix, null)
+ })
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ { "boc:vpc_endpoint" = data.aws_vpc_endpoint_service.interface_endpoint.service },
+ )
+}
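Review bot: The `module "vpce_ips"` source references a mutable branch, `?ref=tf-upgrade`, so the code that resolves the endpoint IPs and feeds the PTR and TXT records can change on any `terraform init` without a change to this repository; pin it to an immutable tag or commit, e.g. `source = "git@github.e.it.census.gov:terraform-modules/dns-lookup.git?ref=<tag-or-commit-sha>"`. Separately, `aws_route53_record.vpce_info_txt` derives its record name from the zone's `zone_id` rather than its `name`, which places the record outside the zone; `name = format("_info.%v", try(aws_route53_zone.vpce[0].name, ""))` looks like the intent. As rendered here, `local.r54_create`, `local.r5_create` and `private_dns_nam` do not match the `r53_create` and `private_dns_name` identifiers used elsewhere in the file and would fail at plan time if they are in the commit rather than artifacts of this page.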