cross-account external-dns on EKS with private Route53 zone

external-dns.tf

locals {
  eks_oidc_issuer_url = "https://${module.eks_blueprints.eks_oidc_issuer_url}"
  name = "external-dns"
}

data "tls_certificate" "eks_cluster" {
  url = local.eks_oidc_issuer_url
}

resource "aws_iam_openid_connect_provider" "eks_provider" {
  provider = aws.network-prod # acct where rt53 zone lives
  url      = local.eks_oidc_issuer_url
  client_id_list = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks_cluster.certificates[0].sha1_fingerprint]
}

module "external_dns_irsa_role" {
  providers                     = { aws = aws.network-prod } # acct where rt53 zone lives
  source                        = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version                       = "4.24.0"
  role_name                     = "${var.cluster_name}-external-dns"
  attach_external_dns_policy    = true
  external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/${var.private_zone_id}"]

  oidc_providers = {
    ex = {
      provider_arn               = aws_iam_openid_connect_provider.eks_provider.arn
      namespace_service_accounts = ["${local.name}:${local.name}"]
    }
  }
}

resource "helm_release" "external_dns" {
  name            = local.name
  repository      = "https://charts.bitnami.com/bitnami"
  version         = "6.11.2"
  chart           = local.name
  namespace       = local.name
  create_namespace = true

  values = [
    templatefile("${path.module}/helm-values/external_dns.yaml", {
      sa_name = local.name
      private_zone_id = var.private_zone_id
      region = data.aws_region.current.name
      external_dns_irsa_role = module.external_dns_irsa_role.iam_role_arn
    })
  ]
}

external_dns_values.yaml

zoneIdFilters:
  - ${private_zone_id}
aws:
  zoneType: private
  region: ${region}
serviceAccount:
  name: ${sa_name}
  annotations:
    "eks.amazonaws.com/role-arn" : ${external_dns_irsa_role}