Showing 6 changed files with 166 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| # Dummy VPC | ||
|
|
||
| This VPC is created when a Route53 Private Hosted Zone PHZ is needed in an account which uses shared subnets from a central account. | ||
|
|
||
| A [support case(https://us-gov-west-1.console.amazonaws-us-gov.com/support/home?region=us-gov-west-1#/case/?displayId=13210918551&language=en) was opened with AWS | ||
| in account `258852445129-ma50-gov`. | ||
|
|
||
| Initial problem: | ||
|
|
||
| > We have deployed a network account (057405694017-ent-gov-network-prod) with shared VPCs. We shared a VPC to another account (258852445129-ma50-gov). We are trying to create a Route53 private hosted zone in this account (ma50-gov). We use Terraform. Here is what it wants to do. | ||
| > | ||
| > Terraform will perform the following actions: | ||
| > | ||
| > # aws_route53_zone.cluster_domain will be created | ||
| > + resource "aws_route53_zone" "cluster_domain" { | ||
| > + arn = (known after apply) | ||
| > + comment = "eks-eis-dev EKS Cluster DNS Zone" | ||
| > + force_destroy = false | ||
| > + id = (known after apply) | ||
| > + name = "eks-eis-dev.dev.csp1.census.gov" | ||
| > + name_servers = (known after apply) | ||
| > + primary_name_server = (known after apply) | ||
| > + tags = { | ||
| > + "CostAllocation" = "csvd:infrastructure" | ||
| > + "Environment" = "infrastructure" | ||
| > + "Name" = "eks-eis-dev.dev.csp1.census.gov" | ||
| > + "boc:created_by" = "terraform" | ||
| > + "boc:tf_module_version" = "1.0.0" | ||
| > + "eks-cluster-name" = "eks-eis-dev" | ||
| > } | ||
| > + tags_all = { | ||
| > + "CostAllocation" = "csvd:infrastructure" | ||
| > + "Environment" = "infrastructure" | ||
| > + "Name" = "eks-eis-dev.dev.csp1.census.gov" | ||
| > + "boc:created_by" = "terraform" | ||
| > + "boc:tf_module_version" = "1.0.0" | ||
| > + "eks-cluster-name" = "eks-eis-dev" | ||
| > } | ||
| > + zone_id = (known after apply) | ||
| > | ||
| > + vpc { | ||
| > + vpc_id = "vpc-0c0f6344679b1164e" | ||
| > + vpc_region = "us-gov-east-1" | ||
| > } | ||
| > } | ||
| > | ||
| > Plan: 1 to add, 0 to change, 0 to destroy.y. | ||
| > | ||
| > Note this is in account ma50-gov. | ||
| > | ||
| > The error we get is: | ||
| > | ||
| > Error: creating Route53 Hosted Zone: InvalidVPCId: The VPC: vpc-0c0f6344679b1164e in region us-gov-east-1 that you provided is not authorized to make the association. | ||
| > status code: 400, request id: 734b3129-1ca5-4e06-ab41-e6746c6e1cf7 | ||
| > | ||
| > with aws_route53_zone.cluster_domain, | ||
| > on dns-zone.tf line 6, in resource "aws_route53_zone" "cluster_domain": | ||
| > 6: resource "aws_route53_zone" "cluster_domain" { | ||
| > | ||
| > I can't see to find a way to create a PHZ in this account when using a shared VPC from another account. I can't use a route53 vpc zone authorization as that require the zone to be created. I can't leave off the VPC, because it's required for a PHZ and I can't create a public zone in GovCloud. | ||
| > | ||
| > I'm stuck. | ||
| AWS Response: | ||
|
|
||
| > Greetings, | ||
| > | ||
| > Dustin here from AWS Networking Support. I'll be working with you regarding your hosted zone association today. | ||
| > | ||
| > From what I'm understanding, you're wanting to associate multiple shared VPCs to a single private hosted zone that resides in this account in a GovCloud environment. The intended target VPC for creating this hosted zone is owned by a different account ID. When attempting to create a hosted zone, an InvalidVPCId error is given. If I've missed anything, please let me know. | ||
| > | ||
| > First, an explanation of the error message InvalidVPCId: this error message most likely happened while attempting to associate a hosted zone with this VPC ID from an account that is not the account owner. [1] Since this VPC ID is owned by a different account ID than this account, triggering this error message. | ||
| > | ||
| > If the target private hosted zone is to reside in this account, VPC association authorizations must first be set to allow for cross-account VPCs to be associated. Creating associations in this manner for shared, non-owned VPCs will require at least one VPC to be created within this account and be associated with the private hosted zone to be shared. In this case, a "dummy" VPC can be created to accomplish this solution. We have a rePost article that provides a step-by-step walkthrough of how to accomplish this [2]. This solution must be performed either with the AWS CLI or AWS CloudShell. | ||
| > | ||
| > I tested this solution using CloudShell with accounts in my private environment with successful results by using the following commands: | ||
| > | ||
| > Create command from the hosted zone account in step 5: | ||
| > aws route53 create-vpc-association-authorization --hosted-zone-id <id> --vpc VPCRegion=<region of other account's VPC>,VPCId=<vpc-id> --region us-east-1 | ||
| > | ||
| > Associate command from the different account in step 7: | ||
| > aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <id> --vpc VPCRegion=<region of other account's VPC>,VPCId=<vpc-id> --region us-east-1 | ||
| > | ||
| > It is recommended to follow step 8 in the rePost article to prevent from recreating the same association at a later date. It is also at this step where the "dummy" VPC that was created in the hosted zone account can be disassociated from the hosted zone and deleted entirely. | ||
| > | ||
| > A few considerations to take with this solution: | ||
| > | ||
| > - Each VPC to be associated with this hosted zone that isn't owned by this account will need its own authorization request [3]. | ||
| > - The private hosted zone must already exist before VPC association can be authorized. | ||
| > - If using CloudShell, launching an instance in either VPC is not necessary for following the rePost article. | ||
| > - For the 'create-vpc-association-authorization' and 'associate-vpc-with-hosted-zone' commands, the trailing "--region us-east-1" remains the same as this references where the hosted zone information is stored by default. | ||
| > - If a dummy VPC was used in the hosted zone account and later deleted, a new VPC will need to be created if any new changes are to be made to hosted zone VPC associations. | ||
| > | ||
| > I hope this information has helped you build your hosted zone solution. If you have any further questions or feedback, please feel free to reach back out to me and I'll be more than happy to continue working with you. Have a great day! | ||
| > | ||
| > | ||
| > [1] https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html | ||
| > [2] https://repost.aws/knowledge-center/route53-private-hosted-zone | ||
| > [3] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html | ||
| > | ||
| > We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence. | ||
| > | ||
| > Best regards, | ||
| > Dustin M. | ||
| > Amazon Web Services | ||
| # Solution | ||
|
|
||
| We will need to create a PHZ with every EKS cluster we create. Thus, we will use this special `vpc0-dummy` VPC, with no other resources besides the VPC, and a CIDR block of 192.168.0.0/24 (we reserve 192.168.0.0/23 for local VLANs to clusters | ||
| and there is no routing for it anywhere within the Census network. | ||
|
|
||
| This VPC will NOT be used for anything other than creating PHZs. It will not have any routing or subnets. | ||
|
|
||
| The process will work something like this: | ||
|
|
||
| 1. create a dummy VPC in account A | ||
| 2. create PHZ in account A | ||
| 3. authorize the shared VPC in account B with the PHZ in account A (credentials for account B) | ||
| 4. associate the shared VPC in account B with the PHZ in account A | ||
| 5. delete the dummy VPC in account A |
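Review bot: step 3 of the process list ("authorize the shared VPC in account B with the PHZ in account A (credentials for account B)") contradicts the AWS guidance quoted just above it: `create-vpc-association-authorization` is run from the hosted zone account (account A, "step 5" in the support reply), and only `associate-vpc-with-hosted-zone` (your step 4) is run with account B's credentials, so the parenthetical belongs on step 4, not step 3. Two rendering problems as well: the support-case link is missing its closing `]` (`A [support case(https://...`) and will not render as a link, and the sentence "we reserve 192.168.0.0/23 for local VLANs to clusters" never closes its parenthesis. Finally, since step 5 deletes the dummy VPC while the Solution section says a PHZ is needed for every EKS cluster, the README should say outright that the AWS caveat "a new VPC will need to be created if any new changes are to be made" applies each time, i.e. this directory is applied and destroyed per cluster.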
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| locals { | ||
| base_tags = { | ||
| "boc:created_by" = "terraform" | ||
| } | ||
| } |
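Review bot: `base_tags` carries only `boc:created_by`, whereas the plan output quoted in the README shows the project's other standard tags (`CostAllocation`, `Environment`, `boc:tf_module_version`) on created resources. If those are meant to come from the `variables.*_tags` files linked in by the setup file, this local should merge them in (or the VPC resource should), otherwise the dummy VPC is created untagged for cost allocation.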
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| locals { | ||
| region = var.region | ||
| } |
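Review bot: `var.region` has no declaration in any of the files in this commit, and none of the `LINKTOP` includes in the setup file is a region variables file, so `terraform validate` will fail with an undeclared-variable error unless `setup-new-directory.sh` or `tf-directory-setup.py` generates one. Also, `local.region` is not referenced anywhere in the visible files (the `aws_vpc` resource does not use it and no provider block is shown); either wire it into the provider configuration or drop the local.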
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| VERSION 2.0.1 | ||
| REMOTE-STATE | ||
| COMMAND tf-directory-setup.py -l none -f | ||
| COMMAND setup-new-directory.sh | ||
| LINKTOP includes.d/variables.account_tags.tf | ||
| LINKTOP includes.d/variables.account_tags.auto.tfvars | ||
| LINKTOP includes.d/variables.infrastructure_tags.tf | ||
| LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars | ||
| LINKTOP includes.d/variables.application_tags.tf | ||
| LINKTOP includes.d/variables.application_tags.auto.tfvars | ||
| # LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars | ||
| # LINKTOP provider_configs.d/provider.ldap_new.tf | ||
| # LINKTOP provider_configs.d/provider.ldap_new.variables.tf | ||
| COMMAND rm provider.ldap.* | ||
| COMMAND tf-init -upgrade | ||
|
|
||
| #POLICY | ||
| ALL | ||
| COMMAND tf-directory-setup.py -l s3 |
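Review bot: the three commented-out `LINKTOP provider_configs.d/provider.ldap_new.*` lines followed by `COMMAND rm provider.ldap.*` read as leftovers from a template for a directory that needs an LDAP provider; this directory only creates a VPC, so both the commented lines and the `rm` command should be removed, or a comment should say why a provider file that is never linked needs deleting. If the `rm` is there to clean up files the setup script always generates, say so above it.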
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| terraform { | ||
| required_version = ">= 1.0.0" | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = ">= 4.0" | ||
| } | ||
| } | ||
| } |
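Review bot: `version = ">= 4.0"` for the `hashicorp/aws` provider has no upper bound, so a future major release of the provider can be picked up by `tf-init -upgrade` (which the setup file runs) and change the `aws_vpc` resource's behaviour or argument set without any change to this repo. Pin to a major series with a pessimistic constraint (for example `~> 5.0`) and commit the dependency lock file so every apply of this throwaway directory uses the same provider build.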
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| resource "aws_vpc" "vpc" { | ||
| cidr_block = "192.168.0.0/24" | ||
| enable_dns_support = false | ||
| enable_dns_hostnames = false | ||
|
|
||
| tags = merge( | ||
| local.base_tags, | ||
| { "Name" = "vpc0-dummy" }, | ||
| ) | ||
| } |
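Review bot: `enable_dns_support = false` and `enable_dns_hostnames = false` may block the one thing this VPC exists for; the Route 53 developer guide lists both VPC attributes set to true as a requirement for using private hosted zones with a VPC. Either confirm that creating the PHZ against this VPC (and the later disassociation) succeeds with both disabled, or set both to true; the README says the VPC holds no other resources, so enabling them costs nothing. Separately, the README's "will not have any routing or subnets" intent would be easier to audit if the comment were carried into this file, and a `description`-style comment on why the CIDR is deliberately unroutable (192.168.0.0/24 inside the reserved /23) would save the next reader a trip to the README.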