feat: Add zone-cross-account-vpc-association submodule
jramosf committed Aug 19, 2024
1 parent bbbe69c commit d5ea704
Showing 6 changed files with 192 additions and 0 deletions.
61 changes: 61 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -2,6 +2,11 @@ provider "aws" {
region = "eu-west-1"
}

provider "aws" {
alias = "second_account"
region = "us-east-1"
}

locals {
zone_name = sort(keys(module.zones.route53_zone_zone_id))[0]
# zone_id = module.zones.route53_zone_zone_id["terraform-aws-modules-example.com"]
Expand All @@ -10,6 +15,10 @@ locals {
azs = slice(data.aws_availability_zones.available.names, 0, 3)
}

data "aws_region" "second_account_current" {
provider = aws.second_account
}

module "zones" {
source = "../../modules/zones"

Expand Down Expand Up @@ -45,6 +54,21 @@ module "zones" {
Name = "private-vpc.terraform-aws-modules-example.com"
}
}

"private-vpc.terraform-aws-modules-example2.com" = {
# in case than private and public zones with the same domain name
domain_name = "terraform-aws-modules-example2.com"
comment = "private-vpc.terraform-aws-modules-example2.com"
vpc = [
{
vpc_id = module.vpc1.vpc_id
},
]
tags = {
Name = "private-vpc.terraform-aws-modules-example2.com"
}
}

}

tags = {
Expand Down Expand Up @@ -276,6 +300,28 @@ module "delegation_sets" {
}
}


module "zone_cross_account_vpc_association" {
source = "../../modules/zone-cross-account-vpc-association"
providers = {
aws.r53_owner = aws
aws.vpc_owner = aws.second_account
}

zone_vpc_associations = {
example = {
zone_id = module.zones.route53_zone_zone_id["private-vpc.terraform-aws-modules-example.com"]
vpc_id = module.vpc_otheraccount.vpc_id
},
example2 = {
zone_id = module.zones.route53_zone_zone_id["private-vpc.terraform-aws-modules-example2.com"]
vpc_id = module.vpc_otheraccount.vpc_id
vpc_region = data.aws_region.second_account_current.name
},
}
}


module "resolver_rule_associations" {
source = "../../modules/resolver-rule-associations"

Expand Down Expand Up @@ -324,6 +370,12 @@ module "disabled_records" {
create = false
}

module "disabled_zone_cross_account_vpc_association" {
source = "../../modules/zone-cross-account-vpc-association"

create = false
}

#########
# Extras - should be created in advance
#########
Expand Down Expand Up @@ -392,6 +444,15 @@ module "vpc2" {
cidr = "10.1.0.0/16"
}

module "vpc_otheraccount" {
source = "terraform-aws-modules/vpc/aws"
provider = aws.second_account
version = "~> 5.0"

name = "my-second-account-vpc-for-private-route53-zone"
cidr = "172.16.0.0/12"
}

resource "aws_route53_resolver_rule" "sys" {
domain_name = "sys-example.com"
rule_type = "SYSTEM"
Expand Down
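Review bot: `module "vpc_otheraccount"` near the end of this section sets `provider = aws.second_account`, but a module block takes the `providers` map rather than the resource meta-argument `provider`, so Terraform should reject the argument as written; the line should read `providers = { aws = aws.second_account }`. The same block's `cidr = "172.16.0.0/12"` is wider than the /16-to-/28 range AWS accepts for a VPC CIDR block, so the example will not apply even once the provider wiring is fixed; a /16 such as `cidr = "172.16.0.0/16"` keeps the intent. Both fixes matter here because this VPC is the one handed to `zone_cross_account_vpc_association` a few hunks earlier, so the complete example currently cannot exercise the new submodule. The `data "aws_region" "second_account_current"` block is only consumed by the `example2` entry; a one-line comment such as `# region of the VPC-owner account, used to show the optional vpc_region key` would make that visible to readers.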
76 changes: 76 additions & 0 deletions modules/zone-cross-account-vpc-association/README.md
@@ -0,0 +1,76 @@
# Route53 Zone cross-account VPC association

This module creates cross-account Route53 Zone associations.

It does need two providers to be passed to handle both AWS accounts:
- `aws.r53_owner`: Account owning the Route53 zones to make the cross-account association authorization
- `aws.vpc_owner`: Account owning the VPCs to associate with the Route53 zones

Many-to-many associations are possible, using the zone_vpc_associations input variable.

## Usage

### Create Route53 Zone cross-account VPC association

```hcl
module "zone_cross_account_vpc_association" {
source = "terraform-aws-modules/route53/aws//modules/zone-cross-account-vpc-association"
version = "~> 3.2"
providers = {
aws.r53_owner = aws
aws.vpc_owner = aws.second_account
}
zone_vpc_associations = {
example = {
zone_id = "Z111111QQQQQQQ"
vpc_id = "vpc-185a3e2f2d6d2c863"
},
example2 = {
zone_id = "Z222222VVVVVVV"
vpc_id = "vpc-123456789abcd1234"
vpc_region = "us-east-2"
},
}
}
```

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.56 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.56 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_route53_vpc_association_authorization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
| [aws_route53_zone_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_create"></a> [create](#input\_create) | Whether to create Route53 Resolver rule associations | `bool` | `true` | no |
| <a name="input_zone_vpc_associations"></a> [input\_zone\_vpc\_associations](#zone\_vpc\_association) | Map of associations indicating zone_id and vpc_id to associate. | `map(object)` | `{}` | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_route53_vpc_association_authorization_id"></a> [route53\_vpc\_association\_authorization\_id](#output\_route53\_vpc\_association\_authorization\_id) | Unique ID of Route53 VPC association authorizations |
| <a name="output_aws_route53_zone_association_id"></a> [route53\_zone\_association\_id](#output\_route53\_zone\_association\_id) | Unique ID of Route53 zone association |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
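--- a/modules/zone-cross-account-vpc-association/main.tf
+++ b/modules/zone-cross-account-vpc-association/main.tf
@@ -0,0 +1,15 @@
+resource "aws_route53_vpc_association_authorization" "this" {
+provider = aws.r53_owner
+for_each = { for k, v in var.zone_vpc_associations : k => v if var.create }
+zone_id = each.value.zone_id
+vpc_id = each.value.vpc_id
+vpc_region = try(each.value.vpc_region, null)
+}
+
+resource "aws_route53_zone_association" "this" {
+provider = aws.vpc_owner
+for_each = aws_route53_vpc_association_authorization.this
+vpc_id = each.value.vpc_id
+zone_id = each.value.zone_id
+vpc_region = try(each.value.vpc_region, null)
+}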
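Review bot: The `aws_route53_vpc_association_authorization` created in the `aws.r53_owner` account is kept in state for as long as the association exists, so the VPC-owner account retains a standing grant to re-associate that VPC with the zone; AWS's cross-account guidance suggests deleting the authorization once the association succeeds, and nothing in this module does or documents that. Expressing the removal with these two resources would break the `for_each` dependency that orders them, so the trade-off should at least be stated in a header comment, e.g. `# NOTE: the authorization is kept for the lifetime of the association (AWS suggests deleting it after the association is made); the VPC-owner account can therefore re-associate this VPC until the association is destroyed.` Separately, `try(each.value.vpc_region, null)` is redundant on both resources: `zone_vpc_associations` declares `vpc_region = optional(string)`, so the value is already `null` when omitted, and on the second resource `each.value` is the authorization resource whose `vpc_region` is a computed attribute; `vpc_region = each.value.vpc_region` reads more honestly in both places.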
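--- a/modules/zone-cross-account-vpc-association/outputs.tf
+++ b/modules/zone-cross-account-vpc-association/outputs.tf
@@ -0,0 +1,14 @@
+output "aws_route53_vpc_association_authorization_id" {
+description = "ID of Route53 VPC association authorizations"
+value = { for k, v in aws_route53_vpc_association_authorization.this : k => v.id }
+}
+
+output "aws_route53_zone_association_id" {
+description = "ID of Route53 VPC association"
+value = { for k, v in aws_route53_zone_association.this : k => v.id }
+}
+
+output "aws_route53_zone_association_owning_account" {
+description = "The account ID of the account that created the hosted zone."
+value = { for k, v in aws_route53_zone_association.this : k => v.owning_account }
+}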
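Review bot: The output names carry an `aws_` prefix (`aws_route53_vpc_association_authorization_id`, `aws_route53_zone_association_id`) that the README added in this same commit does not use, which documents `route53_vpc_association_authorization_id` and `route53_zone_association_id`, and the third output `aws_route53_zone_association_owning_account` is not documented there at all. The un-prefixed form also matches what the example consumes from the sibling module (`module.zones.route53_zone_zone_id`), so renaming the outputs to `route53_vpc_association_authorization_id`, `route53_zone_association_id` and `route53_zone_association_owning_account` keeps the submodule consistent with the repository. The descriptions should also say the values are maps keyed by the `zone_vpc_associations` key, e.g. `description = "Map of Route53 VPC association authorization IDs, keyed as in var.zone_vpc_associations"`.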
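--- a/modules/zone-cross-account-vpc-association/variables.tf
+++ b/modules/zone-cross-account-vpc-association/variables.tf
@@ -0,0 +1,15 @@
+variable "create" {
+description = "Whether to create Route53 Zone associations"
+type = bool
+default = true
+}
+
+variable "zone_vpc_associations" {
+description = "Map of associations indicating zone_id and vpc_id to associate."
+type = map(object({
+zone_id = string
+vpc_id = string
+vpc_region = optional(string)
+}))
+default = {}
+}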
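Review bot: The `zone_vpc_associations` description omits the optional `vpc_region` key and does not say which account each ID must belong to, which is the one thing a caller of a cross-account module needs to get right; consider `description = "Map of associations to create. Each value needs zone_id (hosted zone in the aws.r53_owner account) and vpc_id (VPC in the aws.vpc_owner account); vpc_region is optional and is passed as null when omitted, leaving the region to the provider."`. Since the IDs are opaque strings, a `validation` block checking that every `vpc_id` starts with `vpc-` would turn a swapped zone/VPC argument into a plan-time error instead of an API failure in one of the two accounts, but that is optional.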
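--- a/modules/zone-cross-account-vpc-association/versions.tf
+++ b/modules/zone-cross-account-vpc-association/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+required_version = ">= 1.3.2"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = ">= 3.56"
+configuration_aliases = [ aws.r53_owner, aws.vpc_owner ]
+}
+}
+}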
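Review bot: `configuration_aliases = [ aws.r53_owner, aws.vpc_owner ]` carries padding inside the brackets that `terraform fmt` removes, so the repository's pre-commit hook will likely rewrite this line; `configuration_aliases = [aws.r53_owner, aws.vpc_owner]` is the canonical form. The two aliases are required with no default, which is correct for a cross-account module, but a one-line comment naming the role of each (`# r53_owner: account holding the zones; vpc_owner: account holding the VPCs`) would save readers a trip to the README.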
