From f74d83d2989ed251c794377376a2b9557db0f6d6 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 11 Jul 2023 07:30:09 -0400
Subject: [PATCH] add dummy vpc
---
 examples/dummy-vpc/vpc0/README.md | 120 ++++++++++++++++++++++++++++
 examples/dummy-vpc/vpc0/locals.tf | 5 ++
 examples/dummy-vpc/vpc0/region.tf | 3 +
 examples/dummy-vpc/vpc0/tf-run.data | 19 +++++
 examples/dummy-vpc/vpc0/versions.tf | 9 +++
 examples/dummy-vpc/vpc0/vpc.tf | 10 +++
 6 files changed, 166 insertions(+)
 create mode 100644 examples/dummy-vpc/vpc0/README.md
 create mode 100644 examples/dummy-vpc/vpc0/locals.tf
 create mode 100644 examples/dummy-vpc/vpc0/region.tf
 create mode 100644 examples/dummy-vpc/vpc0/tf-run.data
 create mode 100644 examples/dummy-vpc/vpc0/versions.tf
 create mode 100644 examples/dummy-vpc/vpc0/vpc.tf
diff --git a/examples/dummy-vpc/vpc0/README.md b/examples/dummy-vpc/vpc0/README.md
new file mode 100644
index 0000000..d2f5f9e
--- /dev/null
+++ b/examples/dummy-vpc/vpc0/README.md
@@ -0,0 +1,120 @@
+# Dummy VPC
+
+This VPC is created when a Route53 Private Hosted Zone PHZ is needed in an account which uses shared subnets from a central account.
+
+A [support case(https://us-gov-west-1.console.amazonaws-us-gov.com/support/home?region=us-gov-west-1#/case/?displayId=13210918551&language=en) was opened with AWS
+in account `258852445129-ma50-gov`.
+
+Initial problem:
+
+> We have deployed a network account (057405694017-ent-gov-network-prod) with shared VPCs. We shared a VPC to another account (258852445129-ma50-gov). We are trying to create a Route53 private hosted zone in this account (ma50-gov). We use Terraform. Here is what it wants to do.
+>
+> Terraform will perform the following actions:
+>
+> # aws_route53_zone.cluster_domain will be created
+> + resource "aws_route53_zone" "cluster_domain" {
+> + arn = (known after apply)
+> + comment = "eks-eis-dev EKS Cluster DNS Zone"
+> + force_destroy = false
+> + id = (known after apply)
+> + name = "eks-eis-dev.dev.csp1.census.gov"
+> + name_servers = (known after apply)
+> + primary_name_server = (known after apply)
+> + tags = {
+> + "CostAllocation" = "csvd:infrastructure"
+> + "Environment" = "infrastructure"
+> + "Name" = "eks-eis-dev.dev.csp1.census.gov"
+> + "boc:created_by" = "terraform"
+> + "boc:tf_module_version" = "1.0.0"
+> + "eks-cluster-name" = "eks-eis-dev"
+> }
+> + tags_all = {
+> + "CostAllocation" = "csvd:infrastructure"
+> + "Environment" = "infrastructure"
+> + "Name" = "eks-eis-dev.dev.csp1.census.gov"
+> + "boc:created_by" = "terraform"
+> + "boc:tf_module_version" = "1.0.0"
+> + "eks-cluster-name" = "eks-eis-dev"
+> }
+> + zone_id = (known after apply)
+>
+> + vpc {
+> + vpc_id = "vpc-0c0f6344679b1164e"
+> + vpc_region = "us-gov-east-1"
+> }
+> }
+>
+> Plan: 1 to add, 0 to change, 0 to destroy.y.
+>
+> Note this is in account ma50-gov.
+>
+> The error we get is:
+>
+> Error: creating Route53 Hosted Zone: InvalidVPCId: The VPC: vpc-0c0f6344679b1164e in region us-gov-east-1 that you provided is not authorized to make the association.
+> status code: 400, request id: 734b3129-1ca5-4e06-ab41-e6746c6e1cf7
+>
+> with aws_route53_zone.cluster_domain,
+> on dns-zone.tf line 6, in resource "aws_route53_zone" "cluster_domain":
+> 6: resource "aws_route53_zone" "cluster_domain" {
+>
+> I can't see to find a way to create a PHZ in this account when using a shared VPC from another account. I can't use a route53 vpc zone authorization as that require the zone to be created. I can't leave off the VPC, because it's required for a PHZ and I can't create a public zone in GovCloud.
+>
+> I'm stuck.
+
+AWS Response:
+
+> Greetings,
+>
+> Dustin here from AWS Networking Support. I'll be working with you regarding your hosted zone association today.
+>
+> From what I'm understanding, you're wanting to associate multiple shared VPCs to a single private hosted zone that resides in this account in a GovCloud environment. The intended target VPC for creating this hosted zone is owned by a different account ID. When attempting to create a hosted zone, an InvalidVPCId error is given. If I've missed anything, please let me know.
+>
+> First, an explanation of the error message InvalidVPCId: this error message most likely happened while attempting to associate a hosted zone with this VPC ID from an account that is not the account owner. [1] Since this VPC ID is owned by a different account ID than this account, triggering this error message.
+>
+> If the target private hosted zone is to reside in this account, VPC association authorizations must first be set to allow for cross-account VPCs to be associated. Creating associations in this manner for shared, non-owned VPCs will require at least one VPC to be created within this account and be associated with the private hosted zone to be shared. In this case, a "dummy" VPC can be created to accomplish this solution. We have a rePost article that provides a step-by-step walkthrough of how to accomplish this [2]. This solution must be performed either with the AWS CLI or AWS CloudShell.
+>
+> I tested this solution using CloudShell with accounts in my private environment with successful results by using the following commands:
+>
+> Create command from the hosted zone account in step 5:
+> aws route53 create-vpc-association-authorization --hosted-zone-id --vpc VPCRegion=,VPCId= --region us-east-1
+>
+> Associate command from the different account in step 7:
+> aws route53 associate-vpc-with-hosted-zone --hosted-zone-id --vpc VPCRegion=,VPCId= --region us-east-1
+>
+> It is recommended to follow step 8 in the rePost article to prevent from recreating the same association at a later date. It is also at this step where the "dummy" VPC that was created in the hosted zone account can be disassociated from the hosted zone and deleted entirely.
+>
+> A few considerations to take with this solution:
+>
+> - Each VPC to be associated with this hosted zone that isn't owned by this account will need its own authorization request [3].
+> - The private hosted zone must already exist before VPC association can be authorized.
+> - If using CloudShell, launching an instance in either VPC is not necessary for following the rePost article.
+> - For the 'create-vpc-association-authorization' and 'associate-vpc-with-hosted-zone' commands, the trailing "--region us-east-1" remains the same as this references where the hosted zone information is stored by default.
+> - If a dummy VPC was used in the hosted zone account and later deleted, a new VPC will need to be created if any new changes are to be made to hosted zone VPC associations.
+>
+> I hope this information has helped you build your hosted zone solution. If you have any further questions or feedback, please feel free to reach back out to me and I'll be more than happy to continue working with you. Have a great day!
+>
+>
+> [1] https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html
+> [2] https://repost.aws/knowledge-center/route53-private-hosted-zone
+> [3] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
+>
+> We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence.
+>
+> Best regards,
+> Dustin M.
+> Amazon Web Services
+
+# Solution
+
+We will need to create a PHZ with every EKS cluster we create. Thus, we will use this special `vpc0-dummy` VPC, with no other resources besides the VPC, and a CIDR block of 192.168.0.0/24 (we reserve 192.168.0.0/23 for local VLANs to clusters
+and there is no routing for it anywhere within the Census network.
+
+This VPC will NOT be used for anything other than creating PHZs. It will not have any routing or subnets.
+
+The process will work something like this:
+
+1. create a dummy VPC in account A
+2. create PHZ in account A
+3. authorize the shared VPC in account B with the PHZ in account A (credentials for account B)
+4. associate the shared VPC in account B with the PHZ in account A
+5. delete the dummy VPC in account A
diff --git a/examples/dummy-vpc/vpc0/locals.tf b/examples/dummy-vpc/vpc0/locals.tf
new file mode 100644
index 0000000..6e912e2
--- /dev/null
+++ b/examples/dummy-vpc/vpc0/locals.tf
@@ -0,0 +1,5 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/examples/dummy-vpc/vpc0/region.tf b/examples/dummy-vpc/vpc0/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/dummy-vpc/vpc0/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/dummy-vpc/vpc0/tf-run.data b/examples/dummy-vpc/vpc0/tf-run.data
new file mode 100644
index 0000000..0e47e9a
--- /dev/null
+++ b/examples/dummy-vpc/vpc0/tf-run.data
@@ -0,0 +1,19 @@
+VERSION 2.0.1
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+# LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+# LINKTOP provider_configs.d/provider.ldap_new.tf
+# LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+COMMAND rm provider.ldap.*
+COMMAND tf-init -upgrade
+
+#POLICY
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/dummy-vpc/vpc0/versions.tf b/examples/dummy-vpc/vpc0/versions.tf
new file mode 100644
index 0000000..c791e91
--- /dev/null
+++ b/examples/dummy-vpc/vpc0/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ }
+}
diff --git a/examples/dummy-vpc/vpc0/vpc.tf b/examples/dummy-vpc/vpc0/vpc.tf
new file mode 100644
index 0000000..f71c821
--- /dev/null
+++ b/examples/dummy-vpc/vpc0/vpc.tf
@@ -0,0 +1,10 @@
+resource "aws_vpc" "vpc" {
+ cidr_block = "192.168.0.0/24"
+ enable_dns_support = false
+ enable_dns_hostnames = false
+
+ tags = merge(
+ local.base_tags,
+ { "Name" = "vpc0-dummy" },
+ )
+}
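Review bot: `region = var.region` in region.tf references a variable that none of the six files in this commit declares, and nothing in vpc.tf or locals.tf reads `local.region`, so on the checked-in files alone `terraform validate` would fail on the undeclared variable and the local is dead. Presumably the `LINKTOP includes.d/...` entries or the `setup-new-directory.sh` step in tf-run.data drop a `variable "region"` and an aws provider block into the directory before init, but that is not visible here. Either add the declaration to the example or leave a pointer next to the local, e.g. `# var.region is expected to be provided by the tf-run.data setup step, not by this directory`, so a reader copying the example knows why it does not validate standalone.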
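Review bot: `version = ">= 4.0"` for hashicorp/aws in versions.tf has no upper bound, so `tf-init -upgrade` (run from tf-run.data, presumably a wrapper over `terraform init -upgrade`) will pull whatever the newest major is at the time, including majors with breaking schema changes. For an example that is meant to be reproducible, a pessimistic constraint pins init to the majors actually tested: `version = "~> 4.0"`, or `version = ">= 4.0, < 6.0"` once 5.x has been verified against this config. `required_version = ">= 1.0.0"` is open-ended in the same way, though a core upgrade is less likely to break a single `aws_vpc` resource.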
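Review bot: `enable_dns_support = false` and `enable_dns_hostnames = false` on `aws_vpc.vpc` contradict the Route 53 documentation, which lists both attributes as prerequisites for a VPC used with a private hosted zone; whether the CreateHostedZone or association call itself rejects such a VPC is not something this hunk shows, so if `aws_route53_zone` creation against this VPC fails these two lines are the first thing to check. If they are off on purpose because this VPC only anchors the cross-account association and never resolves names, say so beside them, e.g. `# DNS attributes deliberately off: this VPC only anchors the PHZ association and is never used for resolution`. Creating the VPC also creates a default security group, route table and NACL that this config does not manage; with no subnets nothing can attach to them, but CIS-style checks still flag an unmanaged default security group, so an `aws_default_security_group` block with no ingress or egress rules would keep the example clean during the short time the VPC exists. The hard-coded `cidr_block = "192.168.0.0/24"` is justified only in README.md; a one-line comment here naming the reserved 192.168.0.0/23 range would save the next reader the lookup.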