feat: move route53 dns BBs to meshstack-hub

Author: malhussan

modules/aws/route53-dns-alias-record/backplane/README.md

@@ -0,0 +1,82 @@
+---
+name: AWS Route53 DNS Alias Record Buildingblock Backplane
+summary: |
+  Deploys an IAM user with Route53 access for managing DNS alias records
+---
+
+# AWS Route53 DNS Alias Record Backplane
+
+This will deploy an IAM user (or role only in case of using `workload_identity_federation`) with Route53 access for managing DNS alias records.
+
+## Usage
+
+```hcl
+provider "aws" {
+  region = "eu-central-1" # or any other region
+}
+
+module "aws_route53_dns_alias_record_backplane" {
+  source = "git::https://github.com/meshcloud/meshstack-hub.git//modules/aws/route53-dns-alias-record/backplane"
+
+  # List of Route53 hosted zone IDs that the building block can manage
+  hosted_zone_ids = [
+    "Z07734711DJ9F80W7IUV9",
+    "ZVJQRTFA77CTX",
+    "Z24AXR0TAO4HY4"
+  ]
+
+  workload_identity_federation = {
+    issuer   = "https://your-oidc-issuer"
+    audience = "your-audience"
+    subjects = [
+      "system:serviceaccount:your-namespace:your-service-account-name",  # Exact match
+      "system:serviceaccount:your-namespace:*",                          # Wildcard match
+    ]
+  } # Optional, if not provided, IAM access keys will be created instead
+}
+
+output "aws_route53_dns_alias_record_backplane" {
+  value = module.aws_route53_dns_alias_record_backplane
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_access_key.buildingblock_route53_alias_record_access_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_openid_connect_provider.buildingblock_oidc_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_iam_policy.buildingblock_route53_alias_record_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.assume_federated_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.buildingblock_route53_alias_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_user.buildingblock_route53_alias_record_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_policy_attachment.buildingblock_route53_alias_record_user_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.route53_alias_record_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.workload_identity_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects and wildcard patterns (e.g., 'system:serviceaccount:namespace:*'). | <pre>object({<br>    issuer   = string,<br>    audience = string,<br>    subjects = list(string)<br>  })</pre> | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_credentials"></a> [credentials](#output\_credentials) | n/a |
+| <a name="output_workload_identity_federation_role"></a> [workload\_identity\_federation\_role](#output\_workload\_identity\_federation\_role) | n/a |
+<!-- END_TF_DOCS -->

modules/aws/route53-dns-alias-record/backplane/main.tf

@@ -0,0 +1,103 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_user" "buildingblock_route53_alias_record_user" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
+  name = "buildingblock-route53-alias-record-user"
+}
+
+data "aws_iam_policy_document" "route53_alias_record_access" {
+  # Global Route53 actions that don't support resource-level permissions
+  statement {
+    effect = "Allow"
+    actions = [
+      "route53:GetChange",
+      "route53:ListHostedZones"
+    ]
+    resources = ["*"]
+  }
+
+  # Zone-specific actions scoped to specific hosted zones
+  statement {
+    effect = "Allow"
+    actions = [
+      "route53:ListTagsForResource",
+      "route53:GetHostedZone",
+      "route53:ChangeResourceRecordSets",
+      "route53:ListResourceRecordSets"
+    ]
+    resources = [
+      for zone_id in var.hosted_zone_ids : "arn:aws:route53:::hostedzone/${zone_id}"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "buildingblock_route53_alias_record_policy" {
+  name        = var.workload_identity_federation == null ? "Route53AliasRecordBuildingBlockPolicy" : "Route53AliasRecordBuildingBlockFederatedPolicy"
+  description = "Policy for the Route53 DNS Alias Record Building Block"
+  policy      = data.aws_iam_policy_document.route53_alias_record_access.json
+}
+
+resource "aws_iam_user_policy_attachment" "buildingblock_route53_alias_record_user_policy_attachment" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
+  user       = aws_iam_user.buildingblock_route53_alias_record_user[0].name
+  policy_arn = aws_iam_policy.buildingblock_route53_alias_record_policy.arn
+}
+
+resource "aws_iam_access_key" "buildingblock_route53_alias_record_access_key" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
+  user = aws_iam_user.buildingblock_route53_alias_record_user[0].name
+}
+
+# Workload Identity Federation
+
+resource "aws_iam_openid_connect_provider" "buildingblock_oidc_provider" {
+  count = var.workload_identity_federation != null ? 1 : 0
+
+  url            = var.workload_identity_federation.issuer
+  client_id_list = [var.workload_identity_federation.audience]
+}
+
+data "aws_iam_policy_document" "workload_identity_federation" {
+  count   = var.workload_identity_federation != null ? 1 : 0
+  version = "2012-10-17"
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.buildingblock_oidc_provider[0].arn]
+    }
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:aud"
+
+      values = [var.workload_identity_federation.audience]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:sub"
+
+      values = var.workload_identity_federation.subjects
+    }
+  }
+}
+
+resource "aws_iam_role" "assume_federated_role" {
+  count = var.workload_identity_federation != null ? 1 : 0
+
+  name               = "BuildingBlockRoute53AliasRecordIdentityFederation"
+  assume_role_policy = data.aws_iam_policy_document.workload_identity_federation[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "buildingblock_route53_alias_record" {
+  count = var.workload_identity_federation != null ? 1 : 0
+
+  role       = aws_iam_role.assume_federated_role[0].name
+  policy_arn = aws_iam_policy.buildingblock_route53_alias_record_policy.arn
+}

modules/aws/route53-dns-alias-record/backplane/outputs.tf

@@ -0,0 +1,11 @@
+output "credentials" {
+  sensitive = true
+  value = {
+    AWS_ACCESS_KEY_ID     = var.workload_identity_federation == null ? aws_iam_access_key.buildingblock_route53_alias_record_access_key[0].id : "N/A; workload identity federation in use"
+    AWS_SECRET_ACCESS_KEY = var.workload_identity_federation == null ? aws_iam_access_key.buildingblock_route53_alias_record_access_key[0].secret : "N/A; workload identity federation in use"
+  }
+}
+
+output "workload_identity_federation_role" {
+  value = var.workload_identity_federation == null ? null : aws_iam_role.assume_federated_role[0].arn
+}

modules/aws/route53-dns-alias-record/backplane/variables.tf

@@ -0,0 +1,14 @@
+variable "hosted_zone_ids" {
+  type        = list(string)
+  description = "List of Route53 hosted zone IDs that the building block can manage. Example: ['Z07734711DJ9F80W7IUV9', 'ZVJQRTFA77CTX']"
+}
+
+variable "workload_identity_federation" {
+  type = object({
+    issuer   = string,
+    audience = string,
+    subjects = list(string)
+  })
+  default     = null
+  description = "Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects and wildcard patterns (e.g., 'system:serviceaccount:namespace:*')."
+}

modules/aws/route53-dns-alias-record/backplane/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}

modules/aws/route53-dns-alias-record/buildingblock/APP_TEAM_README.md

@@ -0,0 +1,22 @@
+# AWS Route53 DNS Alias Record
+
+## Description
+This building block creates Route53 alias records, which are AWS-specific DNS records that can only route traffic to AWS resources (load balancers, CloudFront distributions, S3 websites, etc.).
+
+## When to Use
+- Point custom domains to AWS load balancers (ALB/NLB)
+- Route traffic to CloudFront distributions
+- Create apex/root domain records (e.g., example.com)
+
+## Shared Responsibility
+
+| Responsibility | Platform Team | Application Team |
+|----------------|---------------|------------------|
+| Managing Route53 hosted zones | ✅ | ❌ |
+| Provisioning DNS alias records | ❌ | ✅ |
+| Managing record names and target resources | ❌ | ✅ |
+
+## Key Recommendations
+- Use descriptive DNS names (e.g., `api.example.com`, `www.example.com`)
+- Enable health checks for automatic failover when appropriate
+- Coordinate with your platform team before modifying production DNS records

modules/aws/route53-dns-alias-record/buildingblock/README.md

@@ -0,0 +1,35 @@
+---
+name: AWS Route53 DNS Alias Record
+description: Provides AWS Route53 DNS alias records
+---
+
+# AWS Route53 DNS Alias Record
+
+This Terraform module provisions AWS Route53 DNS alias records.
+
+## Requirements
+- Terraform `>= 1.3.0`
+- AWS Provider `~> 5.0`
+
+## Providers
+
+```hcl
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region              = var.region
+  allowed_account_ids = var.allowed_account_ids  # Optional
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+
+## Backend configuration
+Here you can find an example of how to create a backend.tf file on this [Wiki Page](https://github.com/meshcloud/building-blocks/wiki/%5BUser-Guide%5D-Setting-up-the-Backend-for-terraform-state#how-to-configure-backendtf-file-for-these-providers)

modules/aws/route53-dns-alias-record/buildingblock/logo.png

@@ -0,0 +1,22 @@
+data "aws_route53_zone" "zone" {
+  name         = var.zone_name
+  private_zone = var.private_zone
+}
+
+locals {
+  # meshStack doesn't support empty strings as inputs right now, so we treat @ (which is common to denote apex records
+  # in zonefiles) as a special value to indicate "empty" 
+  record_name = var.sub == "@" ? "" : var.sub
+}
+
+resource "aws_route53_record" "record" {
+  zone_id = data.aws_route53_zone.zone.zone_id
+  name    = join(".", compact([local.record_name, data.aws_route53_zone.zone.name]))
+  type    = var.type
+
+  alias {
+    name                   = var.alias_name
+    evaluate_target_health = var.alias_evaluate_target_health
+    zone_id                = var.alias_zone_id
+  }  
+}

modules/aws/route53-dns-alias-record/buildingblock/main.tf

@@ -0,0 +1,43 @@
+output "record_name" {
+  description = "The FQDN of the DNS record"
+  value       = aws_route53_record.record.name
+}
+
+output "record_type" {
+  description = "The type of the DNS record"
+  value       = aws_route53_record.record.type
+}
+
+output "alias_target" {
+  description = "The alias target"
+  value       = var.alias_name
+}
+
+output "summary" {
+  description = "Summary of the created DNS alias record"
+  value       = <<-EOT
+# Route53 DNS Alias Record Created
+
+✅ **Your DNS alias record is ready!**
+
+## Record Details
+
+| Property | Value |
+|----------|-------|
+| **DNS Name** | `${aws_route53_record.record.name}` |
+| **Type** | `${var.type}` |
+| **Alias Target** | `${var.alias_name}` |
+| **Health Check** | ${var.alias_evaluate_target_health ? "✅ Enabled" : "⚠️ Disabled"} |
+| **Zone** | `${var.zone_name}` |
+
+---
+
+## Resolution
+
+```
+${aws_route53_record.record.name}  →  ${var.alias_name}
+```
+
+${var.private_zone ? "⚠️ **Note:** This is a private hosted zone record, only resolvable within your VPC." : "🌐 **Note:** This is a public DNS record, resolvable globally."}
+EOT
+}