@@ -0,0 +1,104 @@
|
|
|
+locals {
|
|
|
+ first_vpc = var.vpcs[0]
|
|
|
+ remaining_vpcs = [ for vpc in var.vpcs: vpc if vpc != local.first_vpc ]
|
|
|
+
|
|
|
+ other_partition = var.aws_partition == "aws-us-gov" ? "aws" : "aws-us-gov"
|
|
|
+}
|
|
|
+
|
|
|
+# debug
|
|
|
+#output remaining_vpcs {
|
|
|
+# value = local.remaining_vpcs
|
|
|
+#}
|
|
|
+
|
|
|
+# Create the private zones
|
|
|
+resource "aws_route53_zone" "private" {
|
|
|
+ name = var.private_dns[var.aws_partition].name
|
|
|
+ tags = merge(var.standard_tags, var.tags)
|
|
|
+
|
|
|
+ vpc {
|
|
|
+ vpc_id = local.first_vpc
|
|
|
+ }
|
|
|
+
|
|
|
+ # For the rationale here, see the notes at:
|
|
|
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association
|
|
|
+ #
|
|
|
+ # tldr; We can't create without an association, but we can't add associations without changing this record.
|
|
|
+ # So we add one, and then we add it again and ignore any further changes.
|
|
|
+ lifecycle {
|
|
|
+ ignore_changes = [vpc]
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_route53_zone_association" "associations" {
|
|
|
+ for_each = toset(local.remaining_vpcs)
|
|
|
+
|
|
|
+ zone_id = aws_route53_zone.private.zone_id
|
|
|
+ vpc_id = each.value
|
|
|
+}
|
|
|
+
|
|
|
+output "zone_id" {
|
|
|
+ value = aws_route53_zone.private.id
|
|
|
+}
|
|
|
+
|
|
|
+###################################
|
|
|
+# Resolver
|
|
|
+resource "aws_route53_resolver_endpoint" "private_resolver" {
|
|
|
+ name = "xdr_private_dns_resolver"
|
|
|
+ direction = "INBOUND"
|
|
|
+
|
|
|
+ security_group_ids = [ aws_security_group.resolver_security_group.id ]
|
|
|
+
|
|
|
+ dynamic "ip_address" {
|
|
|
+ for_each = var.subnets
|
|
|
+
|
|
|
+ content {
|
|
|
+ subnet_id = ip_address.value
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ tags = merge(var.standard_tags, var.tags)
|
|
|
+}
|
|
|
+
|
|
|
+output dns_servers {
|
|
|
+ value = [ for ipblock in aws_route53_resolver_endpoint.private_resolver.ip_address: ipblock["ip"] ]
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_security_group" "resolver_security_group" {
|
|
|
+ name = "route53_resolver"
|
|
|
+ description = "Allow DNS inbound traffic"
|
|
|
+ vpc_id = local.first_vpc
|
|
|
+
|
|
|
+ ingress {
|
|
|
+ description = "DNS_UDP"
|
|
|
+ from_port = 53
|
|
|
+ to_port = 53
|
|
|
+ protocol = "udp"
|
|
|
+ cidr_blocks = [ "10.0.0.0/8" ]
|
|
|
+ }
|
|
|
+
|
|
|
+ ingress {
|
|
|
+ description = "DNS_TCP"
|
|
|
+ from_port = 53
|
|
|
+ to_port = 53
|
|
|
+ protocol = "tcp"
|
|
|
+ cidr_blocks = [ "10.0.0.0/8" ]
|
|
|
+ }
|
|
|
+
|
|
|
+ egress {
|
|
|
+ description = "DNS_UDP"
|
|
|
+ from_port = 53
|
|
|
+ to_port = 53
|
|
|
+ protocol = "udp"
|
|
|
+ cidr_blocks = [ "10.0.0.0/8" ]
|
|
|
+ }
|
|
|
+
|
|
|
+ egress {
|
|
|
+ description = "DNS_TCP"
|
|
|
+ from_port = 53
|
|
|
+ to_port = 53
|
|
|
+ protocol = "tcp"
|
|
|
+ cidr_blocks = [ "10.0.0.0/8" ]
|
|
|
+ }
|
|
|
+
|
|
|
+ tags = merge(var.standard_tags, var.tags)
|
|
|
+}
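Review bot: The four `cidr_blocks = [ "10.0.0.0/8" ]` rules in `aws_security_group.resolver_security_group` admit DNS from the entire 10/8 rather than from the CIDRs of the VPCs this zone is associated with, and because the value is hard-coded a caller cannot narrow it; replace each with a list variable, e.g. `cidr_blocks = var.resolver_allowed_cidrs` (placeholder name — declare it alongside `var.subnets`). Security group rules are stateful, so for an `INBOUND` endpoint the two egress rules on port 53 appear unnecessary for answering queries; if they are kept, they should be gated by the same variable. Separately, `first_vpc = var.vpcs[0]` fails with an index error on an empty `var.vpcs`, so a `validation` block on that variable (outside this hunk) would give a clear message, and the fixed `name = "route53_resolver"` will collide if this module is instantiated twice in the same VPC, which `name_prefix` would avoid. `local.other_partition` is not referenced anywhere in this hunk; if it is unused elsewhere it should be dropped.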