From d5ea7044cf74469d59dfd72827f203d860eafe91 Mon Sep 17 00:00:00 2001
From: Javier Ramos
Date: Tue, 2 Jul 2024 09:39:24 +0200
Subject: [PATCH] feat: Add zone-cross-account-vpc-association submodule
---
examples/complete/main.tf | 61 +++++++++++++++
.../README.md | 76 +++++++++++++++++++
.../main.tf | 15 ++++
.../outputs.tf | 14 ++++
.../variables.tf | 15 ++++
.../versions.tf | 11 +++
6 files changed, 192 insertions(+)
create mode 100644 modules/zone-cross-account-vpc-association/README.md
create mode 100644 modules/zone-cross-account-vpc-association/main.tf
create mode 100644 modules/zone-cross-account-vpc-association/outputs.tf
create mode 100644 modules/zone-cross-account-vpc-association/variables.tf
create mode 100644 modules/zone-cross-account-vpc-association/versions.tf
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 6d14594..02eedd8 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -2,6 +2,11 @@ provider "aws" {
 region = "eu-west-1"
 }
+provider "aws" {
+ alias = "second_account"
+ region = "us-east-1"
+}
+
 locals {
 zone_name = sort(keys(module.zones.route53_zone_zone_id))[0]
 # zone_id = module.zones.route53_zone_zone_id["terraform-aws-modules-example.com"]
@@ -10,6 +15,10 @@ locals {
 azs = slice(data.aws_availability_zones.available.names, 0, 3)
 }
+data "aws_region" "second_account_current" {
+ provider = aws.second_account
+}
+
 module "zones" {
 source = "../../modules/zones"
@@ -45,6 +54,21 @@ module "zones" {
 Name = "private-vpc.terraform-aws-modules-example.com"
 }
 }
+
+ "private-vpc.terraform-aws-modules-example2.com" = {
+ # in case than private and public zones with the same domain name
+ domain_name = "terraform-aws-modules-example2.com"
+ comment = "private-vpc.terraform-aws-modules-example2.com"
+ vpc = [
+ {
+ vpc_id = module.vpc1.vpc_id
+ },
+ ]
+ tags = {
+ Name = "private-vpc.terraform-aws-modules-example2.com"
+ }
+ }
+
 }
 tags = {
@@ -276,6 +300,28 @@ module "delegation_sets" {
 }
 }
+
+module "zone_cross_account_vpc_association" {
+ source = "../../modules/zone-cross-account-vpc-association"
+ providers = {
+ aws.r53_owner = aws
+ aws.vpc_owner = aws.second_account
+ }
+
+ zone_vpc_associations = {
+ example = {
+ zone_id = module.zones.route53_zone_zone_id["private-vpc.terraform-aws-modules-example.com"]
+ vpc_id = module.vpc_otheraccount.vpc_id
+ },
+ example2 = {
+ zone_id = module.zones.route53_zone_zone_id["private-vpc.terraform-aws-modules-example2.com"]
+ vpc_id = module.vpc_otheraccount.vpc_id
+ vpc_region = data.aws_region.second_account_current.name
+ },
+ }
+}
+
+
 module "resolver_rule_associations" {
 source = "../../modules/resolver-rule-associations"
@@ -324,6 +370,12 @@ module "disabled_records" {
 create = false
 }
+module "disabled_zone_cross_account_vpc_association" {
+ source = "../../modules/zone-cross-account-vpc-association"
+
+ create = false
+}
+
 #########
 # Extras - should be created in advance
 #########
@@ -392,6 +444,15 @@ module "vpc2" {
 cidr = "10.1.0.0/16"
 }
+module "vpc_otheraccount" {
+ source = "terraform-aws-modules/vpc/aws"
+ provider = aws.second_account
+ version = "~> 5.0"
+
+ name = "my-second-account-vpc-for-private-route53-zone"
+ cidr = "172.16.0.0/12"
+}
+
 resource "aws_route53_resolver_rule" "sys" {
 domain_name = "sys-example.com"
 rule_type = "SYSTEM"
diff --git a/modules/zone-cross-account-vpc-association/README.md b/modules/zone-cross-account-vpc-association/README.md
new file mode 100644
index 0000000..12380ba
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/README.md
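Review bot: The `example` entry of `zone_vpc_associations` omits `vpc_region`, yet `module.vpc_otheraccount` is built through `aws.second_account` (us-east-1) while the zone-owner provider used for the authorization is the default one in eu-west-1; the AWS provider documents `vpc_region` on `aws_route53_vpc_association_authorization` as defaulting to the provider's own region, so the authorization would name a VPC/region pair that does not exist and the association step is expected to fail. `example2` already does the right thing; `example` should carry the same line, `vpc_region = data.aws_region.second_account_current.name`, or the example should state why the two entries differ. A short comment above the block saying that both zones are deliberately associated with the same cross-account VPC would also help readers of the example.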
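Review bot: `module "disabled_zone_cross_account_vpc_association"` passes no `providers` map, but the submodule's versions.tf in this same patch declares `configuration_aliases = [ aws.r53_owner, aws.vpc_owner ]`; as far as I recall, Terraform reports a missing required provider configuration when a declared alias is not supplied by the caller, so this disabled example would not get past validate/plan even though `create = false` creates nothing. Add the same block the enabled example uses, `providers = { aws.r53_owner = aws, aws.vpc_owner = aws.second_account }`, so the disabled case is actually exercised by the example.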
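Review bot: `provider = aws.second_account` is not a module meta-argument; module calls take `providers` (plural, a map of alias to configuration), and a bare `provider` is interpreted as an input variable, which the VPC module does not declare, so Terraform rejects the block. Replace it with `providers = { aws = aws.second_account }`. Without that fix the VPC would not be created in the second account at all, and the cross-account example above would silently stop demonstrating the cross-account case.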
@@ -0,0 +1,76 @@
+# Route53 Zone cross-account VPC association
+
+This module creates cross-account Route53 Zone associations.
+
+It does need two providers to be passed to handle both AWS accounts:
+- `aws.r53_owner`: Account owning the Route53 zones to make the cross-account association authorization
+- `aws.vpc_owner`: Account owning the VPCs to associate with the Route53 zones
+
+Many-to-many associations are possible, using the zone_vpc_associations input variable.
+
+## Usage
+
+### Create Route53 Zone cross-account VPC association
+
+```hcl
+module "zone_cross_account_vpc_association" {
+ source = "terraform-aws-modules/route53/aws//modules/zone-cross-account-vpc-association"
+ version = "~> 3.2"
+ providers = {
+ aws.r53_owner = aws
+ aws.vpc_owner = aws.second_account
+ }
+
+ zone_vpc_associations = {
+ example = {
+ zone_id = "Z111111QQQQQQQ"
+ vpc_id = "vpc-185a3e2f2d6d2c863"
+ },
+ example2 = {
+ zone_id = "Z222222VVVVVVV"
+ vpc_id = "vpc-123456789abcd1234"
+ vpc_region = "us-east-2"
+ },
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.2 |
+| [aws](#requirement\_aws) | >= 3.56 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.56 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_vpc_association_authorization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_zone_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Whether to create Route53 Resolver rule associations | `bool` | `true` | no |
+| [input\_zone\_vpc\_associations](#zone\_vpc\_association) | Map of associations indicating zone_id and vpc_id to associate. | `map(object)` | `{}` | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [route53\_vpc\_association\_authorization\_id](#output\_route53\_vpc\_association\_authorization\_id) | Unique ID of Route53 VPC association authorizations |
+| [route53\_zone\_association\_id](#output\_route53\_zone\_association\_id) | Unique ID of Route53 zone association |
+
diff --git a/modules/zone-cross-account-vpc-association/main.tf b/modules/zone-cross-account-vpc-association/main.tf
new file mode 100644
index 0000000..9f8b160
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/main.tf
@@ -0,0 +1,15 @@
+resource "aws_route53_vpc_association_authorization" "this" {
+ provider = aws.r53_owner
+ for_each = { for k, v in var.zone_vpc_associations : k => v if var.create }
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = try(each.value.vpc_region, null)
+}
+
+resource "aws_route53_zone_association" "this" {
+ provider = aws.vpc_owner
+ for_each = aws_route53_vpc_association_authorization.this
+ vpc_id = each.value.vpc_id
+ zone_id = each.value.zone_id
+ vpc_region = try(each.value.vpc_region, null)
+}
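Review bot: When a caller leaves `vpc_region` unset, `aws_route53_vpc_association_authorization.this` runs under `aws.r53_owner` and, per the provider docs, fills `vpc_region` with that provider's region — the zone owner's region, which in a cross-account setup is not necessarily where the VPC lives — and `aws_route53_zone_association.this` then inherits that value through its `for_each` over the authorization. A safer default is the region of the `aws.vpc_owner` provider, read with a `data "aws_region"` under that alias; callers whose VPC sits in yet another region still set `vpc_region` explicitly. Since variables.tf declares `vpc_region = optional(string)`, the attribute always exists (null when unset), so `try(..., null)` is a no-op and `coalesce` expresses the intent directly; the `zone_vpc_associations` description in the variables.tf hunk should state this default either way. The chained `for_each` is a good choice because it orders the association after its authorization and keeps the two keyed identically, which deserves a one-line comment.
```hcl
# Region the VPC is assumed to live in when the caller does not set
# vpc_region: the vpc_owner provider's region, not the r53_owner one.
data "aws_region" "vpc_owner" {
  provider = aws.vpc_owner
}

resource "aws_route53_vpc_association_authorization" "this" {
  # … unchanged: provider, for_each, zone_id, vpc_id …
  vpc_region = coalesce(each.value.vpc_region, data.aws_region.vpc_owner.name)
}

# … unchanged: aws_route53_zone_association.this (keyed on the authorization so it
#   is created after it and reuses its computed vpc_region) …
```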
diff --git a/modules/zone-cross-account-vpc-association/outputs.tf b/modules/zone-cross-account-vpc-association/outputs.tf
new file mode 100644
index 0000000..1871993
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/outputs.tf
@@ -0,0 +1,14 @@
+output "aws_route53_vpc_association_authorization_id" {
+ description = "ID of Route53 VPC association authorizations"
+ value = { for k, v in aws_route53_vpc_association_authorization.this : k => v.id }
+}
+
+output "aws_route53_zone_association_id" {
+ description = "ID of Route53 VPC association"
+ value = { for k, v in aws_route53_zone_association.this : k => v.id }
+}
+
+output "aws_route53_zone_association_owning_account" {
+ description = "The account ID of the account that created the hosted zone."
+ value = { for k, v in aws_route53_zone_association.this : k => v.owning_account }
+}
diff --git a/modules/zone-cross-account-vpc-association/variables.tf b/modules/zone-cross-account-vpc-association/variables.tf
new file mode 100644
index 0000000..a6228ed
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/variables.tf
@@ -0,0 +1,15 @@
+variable "create" {
+ description = "Whether to create Route53 Zone associations"
+ type = bool
+ default = true
+}
+
+variable "zone_vpc_associations" {
+ description = "Map of associations indicating zone_id and vpc_id to associate."
+ type = map(object({
+ zone_id = string
+ vpc_id = string
+ vpc_region = optional(string)
+ }))
+ default = {}
+}
diff --git a/modules/zone-cross-account-vpc-association/versions.tf b/modules/zone-cross-account-vpc-association/versions.tf
new file mode 100644
index 0000000..1437fc9
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_version = ">= 1.3.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.56"
+ configuration_aliases = [ aws.r53_owner, aws.vpc_owner ]
+ }
+ }
+}
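Review bot: The output names `aws_route53_vpc_association_authorization_id` and `aws_route53_zone_association_id` carry an `aws_` prefix that the `zones` submodule's outputs referenced by the example (`module.zones.route53_zone_zone_id`) do not, and the README added in this same patch documents them as `route53_vpc_association_authorization_id` / `route53_zone_association_id` while not listing `aws_route53_zone_association_owning_account` at all. Dropping the prefix makes code, README and the rest of the repository agree; the README inputs table should then also be regenerated, since its `create` row still reads `Resolver rule associations` (variables.tf says `Route53 Zone associations`) and the `zone_vpc_associations` row is marked required although it defaults to `{}`. The second description is also a copy of the first: for the zone association it should read `description = "ID of Route53 zone associations"`.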