[root-dns] Use remote state for nameservers (#56)

* Use remote state for nameservers

Author: osterman

aws/accounts/audit.tf

@@ -19,3 +19,11 @@ resource "aws_organizations_account" "audit" {
 output "audit_account_arn" {
   value = "${aws_organizations_account.audit.arn}"
 }
+
+output "audit_account_id" {
+  value = "${aws_organizations_account.audit.id}"
+}
+
+output "audit_organization_account_access_role" {
+  value = "arn:aws:iam::${aws_organizations_account.audit.id}:role/OrganizationAccountAccessRole"
+}

aws/accounts/dev.tf

@@ -19,3 +19,11 @@ resource "aws_organizations_account" "dev" {
 output "dev_account_arn" {
   value = "${aws_organizations_account.dev.arn}"
 }
+
+output "dev_account_id" {
+  value = "${aws_organizations_account.dev.id}"
+}
+
+output "dev_organization_account_access_role" {
+  value = "arn:aws:iam::${aws_organizations_account.dev.id}:role/OrganizationAccountAccessRole"
+}

aws/accounts/prod.tf

@@ -19,3 +19,11 @@ resource "aws_organizations_account" "prod" {
 output "prod_account_arn" {
   value = "${aws_organizations_account.prod.arn}"
 }
+
+output "prod_account_id" {
+  value = "${aws_organizations_account.prod.id}"
+}
+
+output "prod_organization_account_access_role" {
+  value = "arn:aws:iam::${aws_organizations_account.prod.id}:role/OrganizationAccountAccessRole"
+}

aws/accounts/staging.tf

@@ -19,3 +19,11 @@ resource "aws_organizations_account" "staging" {
 output "staging_account_arn" {
   value = "${aws_organizations_account.staging.arn}"
 }
+
+output "staging_account_id" {
+  value = "${aws_organizations_account.staging.id}"
+}
+
+output "staging_organization_account_access_role" {
+  value = "arn:aws:iam::${aws_organizations_account.staging.id}:role/OrganizationAccountAccessRole"
+}

aws/accounts/testing.tf

@@ -19,3 +19,11 @@ resource "aws_organizations_account" "testing" {
 output "testing_account_arn" {
   value = "${aws_organizations_account.testing.arn}"
 }
+
+output "testing_account_id" {
+  value = "${aws_organizations_account.testing.id}"
+}
+
+output "testing_organization_account_access_role" {
+  value = "arn:aws:iam::${aws_organizations_account.testing.id}:role/OrganizationAccountAccessRole"
+}

aws/root-dns/main.tf

@@ -8,8 +8,19 @@ variable "aws_assume_role_arn" {
   type = "string"
 }
 
+variable "namespace" {}
+
 provider "aws" {
   assume_role {
     role_arn = "${var.aws_assume_role_arn}"
   }
 }
+
+data "terraform_remote_state" "root" {
+  backend = "s3"
+
+  config {
+    bucket = "${var.namespace}-root-terraform-state"
+    key    = "accounts/terraform.tfstate"
+  }
+}

aws/root-dns/ns/main.tf

@@ -0,0 +1,34 @@
+module "label" {
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+  namespace  = "${var.namespace}"
+  stage      = "${var.stage}"
+  name       = "${var.name}"
+  delimiter  = "${var.delimiter}"
+  attributes = "${var.attributes}"
+  tags       = "${var.tags}"
+}
+
+data "terraform_remote_state" "stage" {
+  backend = "s3"
+
+  # This assumes stage is using a `terraform-aws-tfstate-backend`
+  #   https://github.com/cloudposse/terraform-aws-tfstate-backend
+  config {
+    role_arn = "${var.role_arn}"
+    bucket   = "${module.label.id}"
+    key      = "${var.key}"
+  }
+}
+
+locals {
+  name_servers = "${data.terraform_remote_state.stage.name_servers}"
+}
+
+resource "aws_route53_record" "dns_zone_ns" {
+  count   = "${signum(length(local.name_servers))}"
+  zone_id = "${var.zone_id}"
+  name    = "${var.stage}"
+  type    = "NS"
+  ttl     = "${var.ttl}"
+  records = ["${local.name_servers}"]
+}

aws/root-dns/ns/outputs.tf

@@ -0,0 +1,9 @@
+output "stage" {
+  description = "Name of the subaccount corresponding to the name servers"
+  value       = "${var.stage}"
+}
+
+output "name_servers" {
+  description = "Name servers for the account's delegated DNS zone"
+  value       = "${local.name_servers}"
+}

aws/root-dns/ns/variables.tf

@@ -0,0 +1,51 @@
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `eg` or `example`)"
+}
+
+variable "stage" {
+  type        = "string"
+  description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
+
+variable "name" {
+  type        = "string"
+  default     = "terraform"
+  description = "Name  (e.g. `app` or `cluster`)"
+}
+
+variable "delimiter" {
+  type        = "string"
+  default     = "-"
+  description = "Delimiter to be used between `namespace`, `stage`, `name`, and `attributes`"
+}
+
+variable "attributes" {
+  type        = "list"
+  default     = ["state"]
+  description = "Additional attributes (e.g. `state`)"
+}
+
+variable "tags" {
+  type        = "map"
+  default     = {}
+  description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)"
+}
+
+variable "role_arn" {
+  description = "The role to be assumed in the subaccount"
+}
+
+variable "zone_id" {
+  description = "DNS zone to update"
+}
+
+variable "ttl" {
+  description = "Default TTL for the NS records"
+  default     = "30"
+}
+
+variable "key" {
+  description = "Object in the remote state backend containing the state of `account-dns`"
+  default     = "account-dns/terraform.tfstate"
+}

aws/root-dns/parent-audit-ns.tf

@@ -1,12 +1,11 @@
-variable "audit_name_servers" {
-  type = "list"
+module "audit" {
+  source    = "ns"
+  role_arn  = "${data.terraform_remote_state.root.audit_organization_account_access_role}"
+  namespace = "${var.namespace}"
+  stage     = "audit"
+  zone_id   = "${aws_route53_zone.parent_dns_zone.zone_id}"
 }
 
-resource "aws_route53_record" "audit_dns_zone_ns" {
-  count   = "${signum(length(var.audit_name_servers))}"
-  zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
-  name    = "audit"
-  type    = "NS"
-  ttl     = "30"
-  records = ["${var.audit_name_servers}"]
+output "audit_name_servers" {
+  value = "${module.audit.name_servers}"
 }