Feat/migrate to route53 (#16)

* feat: migrate to route53 from cloudflare
* feat: add DNS SEC
* todo: remove cloudflare provider after upgrading all usages of this module
* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

README.md

@@ -1,6 +1,5 @@
 # terraform-module-cloud-aws-multiple-route53-zones
 <!-- BEGIN_TF_DOCS -->
-# terraform-module-cloud-multy-prerequisites
 
 This Terraform module creates various resources for managing multi-cloud prerequisites, such as Route53 zones, IAM credentials, and S3 buckets.
 
@@ -30,14 +29,15 @@ This Terraform module creates various resources for managing multi-cloud prerequ
 | Name | Version |
 |------|---------|
 | <a name="provider_aws.clientaccount"></a> [aws.clientaccount](#provider\_aws.clientaccount) | 4.59.0 |
+| <a name="provider_aws.management-tenant-dns"></a> [aws.management-tenant-dns](#provider\_aws.management-tenant-dns) | 4.59.0 |
 | <a name="provider_aws.primaryregion"></a> [aws.primaryregion](#provider\_aws.primaryregion) | 4.59.0 |
-| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | 4.2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_common_s3"></a> [common\_s3](#module\_common\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
+| <a name="module_dnssec_key"></a> [dnssec\_key](#module\_dnssec\_key) | git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git | v0.1.0 |
 | <a name="module_loki_s3"></a> [loki\_s3](#module\_loki\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
 | <a name="module_opsgenie_teams"></a> [opsgenie\_teams](#module\_opsgenie\_teams) | ./modules/opsgenie/0.1.0 | n/a |
 
@@ -60,16 +60,19 @@ This Terraform module creates various resources for managing multi-cloud prerequ
 | [aws_iam_user_policy_attachment.externaldns](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_policy_attachment.loki_s3](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_policy_attachment.vault_s3](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/iam_user_policy_attachment) | resource |
-| [aws_route53_record.cluster_subdomain_ns_records](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_record) | resource |
+| [aws_route53_hosted_zone_dnssec.cluster_zones](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_hosted_zone_dnssec) | resource |
+| [aws_route53_hosted_zone_dnssec.parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_hosted_zone_dnssec) | resource |
+| [aws_route53_key_signing_key.cluster_zones](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_key_signing_key) | resource |
+| [aws_route53_key_signing_key.parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_key_signing_key) | resource |
+| [aws_route53_record.cluster_zone_dnssec_records](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_record) | resource |
+| [aws_route53_record.cluster_zone_ns_records](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_record) | resource |
+| [aws_route53_record.delegation_to_parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_record) | resource |
+| [aws_route53_record.enable_dnssec_for_parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_record) | resource |
 | [aws_route53_record.wildcard_for_apps](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_record) | resource |
 | [aws_route53_zone.clusters](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_zone) | resource |
 | [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/route53_zone) | resource |
-| [aws_s3_bucket_object.combined_outputs](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/s3_bucket_object) | resource |
-| [cloudflare_record.delegation_ns_record_first](https://registry.terraform.io/providers/cloudflare/cloudflare/4.2.0/docs/resources/record) | resource |
-| [cloudflare_record.delegation_ns_record_fourth](https://registry.terraform.io/providers/cloudflare/cloudflare/4.2.0/docs/resources/record) | resource |
-| [cloudflare_record.delegation_ns_record_second](https://registry.terraform.io/providers/cloudflare/cloudflare/4.2.0/docs/resources/record) | resource |
-| [cloudflare_record.delegation_ns_record_third](https://registry.terraform.io/providers/cloudflare/cloudflare/4.2.0/docs/resources/record) | resource |
-| [cloudflare_zone.delegator](https://registry.terraform.io/providers/cloudflare/cloudflare/4.2.0/docs/data-sources/zone) | data source |
+| [aws_s3_object.combined_outputs](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/resources/s3_object) | resource |
+| [aws_route53_zone.management_tenant_dns](https://registry.terraform.io/providers/hashicorp/aws/4.59.0/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 
@@ -79,7 +82,8 @@ This Terraform module creates various resources for managing multi-cloud prerequ
 | <a name="input_cluster_environments"></a> [cluster\_environments](#input\_cluster\_environments) | The cluster environments | `list(string)` | n/a | yes |
 | <a name="input_company_account_id"></a> [company\_account\_id](#input\_company\_account\_id) | The company AWS account id | `string` | n/a | yes |
 | <a name="input_company_key"></a> [company\_key](#input\_company\_key) | The company key | `string` | n/a | yes |
-| <a name="input_domain_to_delegate_from"></a> [domain\_to\_delegate\_from](#input\_domain\_to\_delegate\_from) | The domain name of the domain that all delegation is coming from | `string` | n/a | yes |
+| <a name="input_management_tenant_dns_aws_account_id"></a> [management\_tenant\_dns\_aws\_account\_id](#input\_management\_tenant\_dns\_aws\_account\_id) | The company AWS account id for the management-tenant-dns account | `string` | n/a | yes |
+| <a name="input_management_tenant_dns_zoneid"></a> [management\_tenant\_dns\_zoneid](#input\_management\_tenant\_dns\_zoneid) | The Route53 ZoneID that all the delegation is coming from | `string` | n/a | yes |
 | <a name="input_opsgenie_emails"></a> [opsgenie\_emails](#input\_opsgenie\_emails) | List of user email addresses | `list(string)` | n/a | yes |
 | <a name="input_primary_region"></a> [primary\_region](#input\_primary\_region) | The primary S3 region to create S3 bucket in used for backups. This should be the same region as the one where the cluster is being deployed. | `string` | n/a | yes |
 | <a name="input_this_is_development"></a> [this\_is\_development](#input\_this\_is\_development) | The development cluster environment and data/resources can be destroyed! | `string` | `false` | no |

docs/.header.md

@@ -1,4 +1,3 @@
-# terraform-module-cloud-multy-prerequisites
 
 This Terraform module creates various resources for managing multi-cloud prerequisites, such as Route53 zones, IAM credentials, and S3 buckets.
 

main.tf

@@ -1,29 +1,99 @@
+data "aws_route53_zone" "management_tenant_dns" {
+  provider = aws.management-tenant-dns
+  zone_id  = local.management_tenant_dns_zoneid
+}
+
 resource "aws_route53_zone" "main" {
   provider = aws.clientaccount
-  name     = "${local.company_key}.${local.domain_to_delegate_from}"
+  name     = "${local.company_key}.${data.aws_route53_zone.management_tenant_dns.name}"
 }
 
-resource "aws_route53_record" "wildcard_for_apps" {
+resource "aws_route53_record" "delegation_to_parent_tenant_zone" {
+  provider = aws.management-tenant-dns
+  zone_id  = data.aws_route53_zone.management_tenant_dns.zone_id
+  name     = aws_route53_zone.main.name
+  type     = local.ns_record_type
+  ttl      = local.record_ttl
+  records  = aws_route53_zone.main.name_servers
+}
+
+
+
+module "dnssec_key" {
+  source         = "git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git?ref=v0.1.0"
+  aws_account_id = var.company_account_id
+}
+
+resource "aws_route53_key_signing_key" "parent_tenant_zone" {
+  provider                   = aws.clientaccount
+  hosted_zone_id             = aws_route53_zone.main.zone_id
+  key_management_service_arn = module.dnssec_key.kms_key_arn
+  name                       = "primary"
+  status                     = "ACTIVE"
+}
+
+resource "aws_route53_hosted_zone_dnssec" "parent_tenant_zone" {
   provider = aws.clientaccount
-  for_each = aws_route53_zone.clusters
-  zone_id  = each.value.zone_id
-  name     = "*.apps.${each.value.name}"
-  type     = "CNAME"
+  depends_on = [
+    aws_route53_key_signing_key.parent_tenant_zone
+  ]
+  hosted_zone_id = aws_route53_key_signing_key.parent_tenant_zone.hosted_zone_id
+}
+
+resource "aws_route53_record" "enable_dnssec_for_parent_tenant_zone" {
+  provider = aws.management-tenant-dns
+  zone_id  = data.aws_route53_zone.management_tenant_dns.zone_id
+  name     = aws_route53_zone.main.name
+  type     = "DS"
   ttl      = local.record_ttl
-  records  = ["ingress.${each.value.name}"]
+  records  = [aws_route53_key_signing_key.parent_tenant_zone.ds_record]
 }
 
+
 resource "aws_route53_zone" "clusters" {
   provider = aws.clientaccount
   for_each = toset(var.cluster_environments)
-  name     = "${each.value}.${local.company_key}.${local.domain_to_delegate_from}"
+  name     = "${each.value}.${local.company_key}.${data.aws_route53_zone.management_tenant_dns.name}"
   depends_on = [
     aws_route53_zone.main
   ]
   force_destroy = var.this_is_development ? true : false
 }
 
-resource "aws_route53_record" "cluster_subdomain_ns_records" {
+resource "aws_route53_key_signing_key" "cluster_zones" {
+  provider                   = aws.clientaccount
+  for_each                   = aws_route53_zone.clusters
+  hosted_zone_id             = aws_route53_zone.clusters[each.key].zone_id
+  key_management_service_arn = module.dnssec_key.kms_key_arn
+  name                       = "primary"
+  status                     = "ACTIVE"
+}
+
+resource "aws_route53_hosted_zone_dnssec" "cluster_zones" {
+  provider = aws.clientaccount
+
+  for_each = aws_route53_zone.clusters
+
+  depends_on = [
+    aws_route53_key_signing_key.cluster_zones
+  ]
+  hosted_zone_id = aws_route53_key_signing_key.cluster_zones[each.key].hosted_zone_id
+}
+
+resource "aws_route53_record" "cluster_zone_dnssec_records" {
+  provider = aws.clientaccount
+  for_each = aws_route53_zone.clusters
+  zone_id  = aws_route53_zone.main.zone_id
+  name     = each.value.name
+  type     = "DS"
+  ttl      = local.record_ttl
+  records  = [aws_route53_key_signing_key.cluster_zones[each.key].ds_record]
+  depends_on = [
+    aws_route53_hosted_zone_dnssec.cluster_zones
+  ]
+}
+
+resource "aws_route53_record" "cluster_zone_ns_records" {
   provider = aws.clientaccount
   for_each = aws_route53_zone.clusters
   zone_id  = aws_route53_zone.main.zone_id
@@ -34,3 +104,13 @@ resource "aws_route53_record" "cluster_subdomain_ns_records" {
 }
 
 
+resource "aws_route53_record" "wildcard_for_apps" {
+  provider = aws.clientaccount
+  for_each = aws_route53_zone.clusters
+  zone_id  = each.value.zone_id
+  name     = "*.apps.${each.value.name}"
+  type     = "CNAME"
+  ttl      = local.record_ttl
+  records  = ["ingress.${each.value.name}"]
+}
+

providers.tf

@@ -23,6 +23,14 @@ provider "aws" {
   }
 }
 
+provider "aws" {
+  alias  = "management-tenant-dns"
+  region = var.primary_region
+  assume_role {
+    role_arn = "arn:aws:iam::${var.management_tenant_dns_aws_account_id}:role/OrganizationAccountAccessRole"
+  }
+}
+
 provider "aws" {
   alias  = "primaryregion"
   region = var.primary_region

save-credentials-to-s3.tf

@@ -1,32 +1,19 @@
-locals {
-  combined_outputs = {
-    opsgenie_credentials    = module.opsgenie_teams.opsgenie_prometheus_api_keys
-    certmanager_credentials = { for user, keys in aws_iam_access_key.certmanager : aws_route53_zone.clusters[user].name => keys }
-    externaldns_credentials = { for user, keys in aws_iam_access_key.externaldns : aws_route53_zone.clusters[user].name => keys }
-    loki_credentials        = { for user, keys in aws_iam_access_key.loki_s3 : aws_route53_zone.clusters[user].name => keys }
-    vault_credentials       = { for user, keys in aws_iam_access_key.vault_s3 : aws_route53_zone.clusters[user].name => keys }
-  }
-
-
-  cluster_names = toset([for k in keys(local.combined_outputs.certmanager_credentials) : k])
-
-  updated_combined_outputs = {
-    for name in local.cluster_names :
+resource "aws_s3_object" "combined_outputs" {
+  for_each = {
+    for name in var.cluster_environments :
     name => {
-      certmanager_credentials = local.combined_outputs.certmanager_credentials[name]
-      externaldns_credentials = local.combined_outputs.externaldns_credentials[name]
-      loki_credentials        = local.combined_outputs.loki_credentials[name]
-      opsgenie_credentials    = lookup(local.combined_outputs.opsgenie_credentials, split(".", name)[0], null)
-      vault_credentials       = local.combined_outputs.vault_credentials[name]
+      certmanager_credentials = { for user, keys in aws_iam_access_key.certmanager : aws_route53_zone.clusters[user].name => keys }
+      externaldns_credentials = { for user, keys in aws_iam_access_key.externaldns : aws_route53_zone.clusters[user].name => keys }
+      loki_credentials        = { for user, keys in aws_iam_access_key.loki_s3 : aws_route53_zone.clusters[user].name => keys }
+      opsgenie_credentials    = lookup(module.opsgenie_teams.opsgenie_prometheus_api_keys, split(".", name)[0], null)
+      vault_credentials       = { for user, keys in aws_iam_access_key.vault_s3 : aws_route53_zone.clusters[user].name => keys }
     }
   }
-}
-
-resource "aws_s3_bucket_object" "combined_outputs" {
-  for_each     = local.updated_combined_outputs
-  provider     = aws.primaryregion
-  bucket       = module.common_s3.primary_s3_bucket_id
-  key          = "${each.key}/configurations/credentials.json"
-  content      = jsonencode(each.value)
-  content_type = "application/json"
+  provider               = aws.primaryregion
+  bucket                 = module.common_s3.primary_s3_bucket_id
+  key                    = "${each.key}/configurations/credentials.json"
+  content                = jsonencode(each.value)
+  content_type           = "application/json"
+  server_side_encryption = "AES256"
+  acl                    = "private"
 }

variables.tf

@@ -1,6 +1,6 @@
 
-variable "domain_to_delegate_from" {
-  description = "The domain name of the domain that all delegation is coming from"
+variable "management_tenant_dns_zoneid" {
+  description = "The Route53 ZoneID that all the delegation is coming from"
   type        = string
   nullable    = false
 }
@@ -25,6 +25,12 @@ variable "company_account_id" {
   nullable    = false
 }
 
+variable "management_tenant_dns_aws_account_id" {
+  description = "The company AWS account id for the management-tenant-dns account"
+  type        = string
+  nullable    = false
+}
+
 variable "cluster_environments" {
   description = "The cluster environments"
   type        = list(string)
@@ -44,11 +50,11 @@ variable "backup_region" {
 }
 
 locals {
-  domain_to_delegate_from = var.domain_to_delegate_from
-  company_key             = var.company_key
-  record_ttl              = "60"
-  ns_record_type          = "NS"
-  bucket_name             = "glueops-tenant-${local.company_key}"
+  management_tenant_dns_zoneid = var.management_tenant_dns_zoneid
+  company_key                  = var.company_key
+  record_ttl                   = "60"
+  ns_record_type               = "NS"
+  bucket_name                  = "glueops-tenant-${local.company_key}"
 }
 
 variable "opsgenie_emails" {