fix wildcards

terraform-modules · Apr 7, 2023 · fbea430 · fbea430
1 parent ed80995
commit fbea430
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 10 deletions.
diff --git a/vpc-interface-endpoint/README.md b/vpc-interface-endpoint/README.md
@@ -67,6 +67,7 @@ These are not included in the module because they don't exist until the resource
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | n/a |
 
 ## Modules
@@ -84,9 +85,11 @@ These are not included in the module because they don't exist until the resource
 | [aws_route53_record.vpce_kms_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_ptr_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_zone.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_ssm_parameter.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_vpc_endpoint.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [null_resource.vpce](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_static.vpce](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

diff --git a/vpc-interface-endpoint/route53.tf b/vpc-interface-endpoint/route53.tf
@@ -17,12 +17,16 @@ locals {
     # ent-gov-network-sa
     "057445207498",
   ]
-  r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint
+  r53_create           = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint
+  endpoint_exists      = fileexists(format("%v/setup/.vpce.%v", path.root, data.aws_vpc_endpoint_service.interface_endpoint.service))
+  service_domain_parts = split(".", data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name)
+  is_wildcard          = local.service_domain_parts[0] == "*"
+  domain_name          = local.is_wildcard ? join(".", slice(local.service_domain_parts, 1, length(local.service_domain_parts))) : data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
 }
 
 resource "aws_route53_zone" "vpce" {
   count         = local.r53_create ? 1 : 0
-  name          = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+  name          = local.domain_name
   comment       = format("VPCE %v %v", data.aws_vpc_endpoint_service.interface_endpoint.service, local.region)
   force_destroy = false
 
@@ -38,12 +42,28 @@ resource "aws_route53_zone" "vpce" {
   tags = merge(
     local.base_tags,
     var.tags,
-    { Name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name },
+    #    { Name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name },
+    { Name = local.domain_name },
   )
 }
 
+resource "null_resource" "vpce" {
+  triggers = {
+    vpce_id            = aws_vpc_endpoint.interface_endpoint.id
+    vpce_interface_ids = join(",", aws_vpc_endpoint.interface_endpoint.network_interface_ids)
+  }
+
+  provisioner "local-exec" {
+    command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
+  }
+  provisioner "local-exec" {
+    command = format("touch %v/setup/.vpce.%v", path.root, data.aws_vpc_endpoint_service.interface_endpoint.service)
+  }
+}
+
 data "aws_network_interface" "vpce" {
-  for_each = local.r53_create ? toset(aws_vpc_endpoint.interface_endpoint.network_interface_ids) : toset([])
+  #  for_each = local.r53_create ? toset(aws_vpc_endpoint.interface_endpoint.network_interface_ids) : toset([])
+  for_each = local.r53_create && local.endpoint_exists ? toset(split(",", null_resource.vpce.triggers.vpce_interface_ids)) : toset([])
   id       = each.key
 }
 
@@ -62,14 +82,23 @@ data "aws_network_interface" "vpce" {
 ## }
 
 resource "aws_route53_record" "vpce" {
-  count   = local.r53_create ? 1 : 0
+  count   = local.r53_create && local.endpoint_exists ? 1 : 0
   zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
   name    = try(aws_route53_zone.vpce[0].name, null)
   type    = "A"
   ttl     = "60"
   records = [for n in data.aws_network_interface.vpce : n.private_ip]
 }
 
+resource "aws_route53_record" "vpce_wildcard" {
+  count   = local.r53_create && local.endpoint_exists && local.is_wildcard ? 1 : 0
+  zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
+  name    = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+  type    = "A"
+  ttl     = "60"
+  records = [for n in data.aws_network_interface.vpce : n.private_ip]
+}
+
 resource "aws_route53_record" "vpce_info_txt" {
   count   = local.r53_create ? 1 : 0
   zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
@@ -95,13 +124,13 @@ resource "aws_route53_record" "vpce_kms_txt" {
 }
 
 module "vpce_ips" {
-  count  = local.r53_create ? 1 : 0
+  count  = local.r53_create && local.endpoint_exists ? 1 : 0
   source = "git@github.e.it.census.gov:terraform-modules/dns-lookup.git?ref=tf-upgrade"
   hosts  = [for n in data.aws_network_interface.vpce : n.private_ip]
 }
 
 locals {
-  ptr_zones = local.r53_create ? distinct([for k, v in module.vpce_ips[0].results_ipv4 : v.network_ptr_sorted]) : []
+  ptr_zones = local.r53_create && local.endpoint_exists ? distinct([for k, v in module.vpce_ips[0].results_ipv4 : v.network_ptr_sorted]) : []
 }
 
 data "aws_route53_zone" "vpce_ptr" {
@@ -111,15 +140,15 @@ data "aws_route53_zone" "vpce_ptr" {
 }
 
 resource "aws_route53_record" "vpce_ptr" {
-  for_each = local.r53_create ? module.vpce_ips[0].results_ipv4 : {}
+  for_each = local.r53_create && local.endpoint_exists ? module.vpce_ips[0].results_ipv4 : {}
   zone_id  = data.aws_route53_zone.vpce_ptr[each.value.network_ptr_sorted].zone_id
   name     = each.value.ptr_sorted
   type     = "PTR"
   ttl      = "900"
   records  = [aws_vpc_endpoint.interface_endpoint.dns_entry[0].dns_name]
 }
 resource "aws_route53_record" "vpce_ptr_info" {
-  for_each = local.r53_create ? module.vpce_ips[0].results_ipv4 : {}
+  for_each = local.r53_create && local.endpoint_exists ? module.vpce_ips[0].results_ipv4 : {}
   zone_id  = data.aws_route53_zone.vpce_ptr[each.value.network_ptr_sorted].zone_id
   name     = each.value.ptr_sorted
   type     = "TXT"
@@ -136,7 +165,7 @@ resource "aws_ssm_parameter" "vpce" {
   value = jsonencode({
     name        = data.aws_vpc_endpoint_service.interface_endpoint.service
     region      = local.region
-    dns_name    = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
+    dns_name    = local.domain_name
     id          = aws_vpc_endpoint.interface_endpoint.id
     zone        = try(aws_route53_zone.vpce[0].name, null)
     zone_id     = try(aws_route53_zone.vpce[0].zone_id, null)