main.tf
# Parent (management-tenant) hosted zone that every tenant zone is delegated from.
# Looked up by ID in the management account; only its name and zone_id are read
# by the resources below.
data "aws_route53_zone" "management_tenant_dns" {
  provider = aws.management-tenant-dns

  zone_id = local.management_tenant_dns_zoneid
}
# The tenant's own hosted zone, created in the client account as a child of the
# management zone: "<tenant_key>.<management zone name>".
resource "aws_route53_zone" "main" {
  provider = aws.clientaccount

  # Rooting the name under the data-source name keeps the zone a child of the
  # management zone, which the NS delegation below relies on.
  name = "${var.tenant_key}.${data.aws_route53_zone.management_tenant_dns.name}"
}
# NS delegation in the management (parent) zone pointing at the tenant zone's
# name servers. It lives in the management account, hence the other provider.
resource "aws_route53_record" "delegation_to_parent_tenant_zone" {
  provider = aws.management-tenant-dns

  zone_id = data.aws_route53_zone.management_tenant_dns.zone_id
  name    = aws_route53_zone.main.name
  type    = local.ns_record_type
  ttl     = local.record_ttl
  records = aws_route53_zone.main.name_servers

  # Explicit edge kept alongside the implicit ones from the references above.
  depends_on = [aws_route53_zone.main]
}
# KMS key used as the DNSSEC key-signing key (KSK) backing every zone in this
# file, created in the tenant account by a GlueOps module.
module "dnssec_key" {
  # NOTE(review): a git tag is a mutable ref. Pinning to a commit
  # (?ref=<commit-sha>, placeholder) would give an immutable supply-chain pin
  # for the code that manages the signing key.
  source = "git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git?ref=v0.3.0"

  aws_account_id = var.tenant_account_id
}
# Key-signing key for the tenant zone, backed by the shared KMS key above.
resource "aws_route53_key_signing_key" "parent_tenant_zone" {
  provider = aws.clientaccount

  name   = "primary"
  status = "ACTIVE"

  hosted_zone_id             = aws_route53_zone.main.zone_id
  key_management_service_arn = module.dnssec_key.kms_key_arn

  depends_on = [aws_route53_zone.main]
}
# Turns on DNSSEC signing for the tenant zone once its KSK exists.
resource "aws_route53_hosted_zone_dnssec" "parent_tenant_zone" {
  provider = aws.clientaccount

  # The zone ID is read through the KSK rather than the zone itself, so signing
  # is never enabled before the key is in place.
  hosted_zone_id = aws_route53_key_signing_key.parent_tenant_zone.hosted_zone_id

  depends_on = [
    aws_route53_key_signing_key.parent_tenant_zone,
    aws_route53_zone.main,
  ]
}
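# Publishes the tenant zone's DS record in the management (parent) zone, which
# is what extends the DNSSEC chain of trust from the parent into the tenant zone.
resource "aws_route53_record" "enable_dnssec_for_parent_tenant_zone" {
  provider = aws.management-tenant-dns

  zone_id = data.aws_route53_zone.management_tenant_dns.zone_id
  name    = aws_route53_zone.main.name
  type    = "DS"
  ttl     = local.record_ttl
  records = [aws_route53_key_signing_key.parent_tenant_zone.ds_record]

  # The DS record must only exist while the child zone is actually signed: a DS
  # in the parent with no signing in the child makes validating resolvers reject
  # the whole tenant zone. Without this edge both this record and
  # aws_route53_hosted_zone_dnssec.parent_tenant_zone depend only on the KSK, so
  # Terraform may create the DS before signing is enabled, or on destroy disable
  # signing while the DS is still published. Mirrors cluster_zone_dnssec_records.
  depends_on = [aws_route53_hosted_zone_dnssec.parent_tenant_zone]
}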
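# One child zone per cluster environment,
# "<env>.<tenant_key>.<management zone name>", delegated from the tenant zone.
resource "aws_route53_zone" "clusters" {
  provider = aws.clientaccount
  for_each = local.cluster_environments

  name = "${each.value}.${var.tenant_key}.${data.aws_route53_zone.management_tenant_dns.name}"

  # Only development zones may be destroyed while they still hold records.
  # The former `? true : false` was redundant: the condition is already coerced
  # to a bool, and that is exactly the value force_destroy takes.
  force_destroy = var.this_is_development

  depends_on = [
    aws_route53_zone.main,
  ]
}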
# One KSK per cluster zone, all backed by the same shared KMS key.
resource "aws_route53_key_signing_key" "cluster_zones" {
  provider = aws.clientaccount
  for_each = aws_route53_zone.clusters

  name   = "primary"
  status = "ACTIVE"

  # each.value is the cluster zone itself, so its zone_id is read directly
  # instead of indexing the resource map again.
  hosted_zone_id             = each.value.zone_id
  key_management_service_arn = module.dnssec_key.kms_key_arn

  depends_on = [
    aws_route53_zone.clusters,
  ]
}
# Enables DNSSEC signing on every cluster zone once its KSK exists.
resource "aws_route53_hosted_zone_dnssec" "cluster_zones" {
  provider = aws.clientaccount
  for_each = aws_route53_zone.clusters

  # Read through the KSK so signing cannot be enabled before the key exists.
  hosted_zone_id = aws_route53_key_signing_key.cluster_zones[each.key].hosted_zone_id

  depends_on = [
    aws_route53_key_signing_key.cluster_zones,
    aws_route53_zone.clusters,
  ]
}
# DS record for each cluster zone, published in the tenant zone (its parent) so
# the DNSSEC chain of trust continues from the tenant zone into the cluster zone.
resource "aws_route53_record" "cluster_zone_dnssec_records" {
  provider = aws.clientaccount
  for_each = aws_route53_zone.clusters

  zone_id = aws_route53_zone.main.zone_id
  name    = each.value.name
  type    = "DS"
  ttl     = local.record_ttl
  records = [aws_route53_key_signing_key.cluster_zones[each.key].ds_record]

  # Ordering after the signing resource keeps the DS from being published before
  # the cluster zone is signed, and removes it first on destroy.
  depends_on = [
    aws_route53_hosted_zone_dnssec.cluster_zones,
    aws_route53_zone.main,
    aws_route53_zone.clusters,
  ]
}
# NS delegation from the tenant zone to each cluster zone's name servers.
resource "aws_route53_record" "cluster_zone_ns_records" {
  provider = aws.clientaccount
  for_each = aws_route53_zone.clusters

  zone_id = aws_route53_zone.main.zone_id
  name    = each.value.name
  type    = local.ns_record_type
  ttl     = local.record_ttl
  # each.value is the cluster zone, so its name servers are read directly.
  records = each.value.name_servers

  depends_on = [
    aws_route53_zone.main,
    aws_route53_zone.clusters,
  ]
}
# Wildcard CNAME inside each cluster zone: every name under apps.<cluster zone>
# resolves via ingress.<cluster zone>. The ingress record itself is not defined
# in this file (presumably managed alongside the cluster — verify).
resource "aws_route53_record" "wildcard_for_apps" {
  provider = aws.clientaccount
  for_each = aws_route53_zone.clusters

  zone_id = each.value.zone_id
  name    = "*.apps.${each.value.name}"
  type    = "CNAME"
  ttl     = local.record_ttl
  records = ["ingress.${each.value.name}"]

  depends_on = [
    aws_route53_zone.clusters,
  ]
}