délégation sur deux zones privées sur des comptes / VPC différents
# Provider used for everything created inside the *target* (child) account.
# Credentials come from assuming OrganizationAccountAccessRole there: that is
# the cross-account role AWS Organizations creates by default, which normally
# carries AdministratorAccess, so every plan/apply through this alias runs with
# full admin rights in the child account.
provider "aws" {
  # NOTE(review): ">= 2.7.0" has no upper bound, so any future major release of
  # the provider is accepted as-is; a "~> 2.7" style constraint (or a lock file)
  # would pin the major version.
  version = ">= 2.7.0"

  alias  = "target"
  region = var.aws_region

  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/OrganizationAccountAccessRole"
  }
}
locals {
  # Account name made DNS-safe: every dot and whitespace character becomes "-"
  # and the result is lower-cased (lower-casing before or after the replace
  # yields the same string, since neither "." nor whitespace has case).
  normalized_name = replace(lower(var.account_name), "/[\\.\\s]/", "-")

  # Fully qualified (trailing dot) name of the child private zone. The apex is
  # redacted in this gist ("xxxxxxx.xxx."); per the author's own trailing
  # comment it should be the root zone's name, data.aws_route53_zone.root_zone.name.
  private_domain = "${local.normalized_name}.xxxxxxx.xxx."
}
# Root zone: a private hosted zone that is already associated with the root VPC.
# vpc_id is supplied because the zone is private (looked up from that VPC's view).
data "aws_route53_zone" "root_zone" {
  vpc_id  = var.root_vpc_id
  zone_id = var.private_root_zone_id
}
### ... | |
# The child account's baseline (at least a VPC and a private zone, judging by
# the outputs consumed below) comes from the bootstrap_account module, applied
# through the aws.target alias, i.e. with the assumed OrganizationAccountAccessRole.
module "bootstrap" {
  source = "../bootstrap_account"

  providers = {
    aws = aws.target
  }

  environment_context = module.label.context # module.label is defined outside this excerpt
  aws_vpc_cidr        = var.aws_vpc_cidr
  private_domain      = local.private_domain
}
# ARN of the org access role as seen from inside the target account; it is
# handed to the CLI module below so the association call runs under that role.
data "aws_iam_role" "target_organization_access_role" {
  provider = aws.target
  name     = "OrganizationAccountAccessRole"
}
# Now allow the new VPC to resolve names in the root private DNS zone.
# The aws provider has no resource for a VPCAssociationAuthorization (yet?), so
# the two Route 53 calls below go through a small module that shells out to
# aws-cli (with a matching destroy command).
locals {
  # Arguments shared by the authorization and association calls. They end up
  # inside a shell command line, so they must stay operator-controlled inputs;
  # a `validation` block on var.private_root_zone_id (Terraform 0.13+) would
  # make that explicit. local.region is not defined in this excerpt —
  # presumably var.aws_region; verify in the elided part of the file.
  cli_flags = format(
    "--hosted-zone-id %s --vpc VPCRegion=%s,VPCId=%s",
    var.private_root_zone_id,
    local.region,
    module.bootstrap.vpc_id,
  )
}
## HACK HACK HACK see https://github.com/hashicorp/terraform/issues/10208#issuecomment-369460656
# Step 1 — runs in the *root* (zone-owning) account with the default provider's
# credentials: authorize the child VPC to be associated with the root zone.
# Route 53 expects this call from the account that owns the hosted zone, which
# is why, unlike associate_vpc below, no account_id/role_arn is passed here.
module "create_vpc_authorization" {
  source = "../terraform-aws-cli-resource"

  cmd         = "aws route53 create-vpc-association-authorization ${local.cli_flags}"
  destroy_cmd = "aws route53 delete-vpc-association-authorization ${local.cli_flags}"

  # Presumably orders this call after the VPC exists; the module's exact
  # semantics for dependency_ids are not visible here.
  dependency_ids = [module.bootstrap.vpc_id]
}
# # allow the child account to resolve names in the root_zone
# resource "aws_route53_zone_association" "bootstrap" {
#   provider   = aws.target
#   zone_id    = var.private_root_zone_id
#   vpc_id     = module.bootstrap.vpc_id
#   depends_on = [
#     module.create_vpc_authorization.id
#   ]
# }
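# Step 2 — runs in the *child* account (the module assumes role_arn there):
# associate the child VPC with the root zone. Route 53 expects this call from
# the account that owns the VPC, hence the explicit account_id/role_arn.
module "associate_vpc" {
  source = "../terraform-aws-cli-resource"

  account_id = data.aws_caller_identity.target.account_id # data source defined outside this excerpt
  role_arn   = data.aws_iam_role.target_organization_access_role.arn

  cmd = "aws route53 associate-vpc-with-hosted-zone ${local.cli_flags}"
  # Fixed: the original spelled "dissassociate", which is not an aws-cli
  # sub-command, so the destroy command would have been rejected by aws-cli and
  # the cross-account association left in place on teardown.
  destroy_cmd = "aws route53 disassociate-vpc-from-hosted-zone ${local.cli_flags}"

  # Must run after the authorization exists and the VPC id is known.
  dependency_ids = [module.create_vpc_authorization.id, module.bootstrap.vpc_id]
}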
# NS delegation from the root zone to the child zone: an NS record named after
# the child domain, pointing at the child zone's name servers.
# NOTE(review): as far as I know Route 53 does not honour NS delegation inside
# private hosted zones; the child VPC resolves the child zone through its own
# zone association — confirm this record is actually needed.
resource "aws_route53_record" "child" {
  zone_id = var.private_root_zone_id
  type    = "NS"
  ttl     = 900
  name    = local.private_domain

  # i.e. data.route53_zone.children.name_servers, as exported by the bootstrap module
  records = module.bootstrap.private_zone_name_servers
}