| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * networking/external_dns_operator/nw-creating-dns-records-on-aws.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="nw-control-dns-records-public-aws-with-VPC_{context}"] |
| 7 | += Creating DNS records in a different AWS Account using a shared VPC |
| 8 | + |
| 9 | +You can use the ExternalDNS Operator to create DNS records in a different AWS account using a shared Virtual Private Cloud (VPC). By using a shared VPC, an organization can connect resources from multiple projects to a common VPC network. Organizations can then use VPC sharing to use a single Route 53 instance across multiple AWS accounts. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | +* You have created two Amazon AWS accounts: one with a VPC and a Route 53 private hosted zone configured (Account A), and another for installing a cluster (Account B). |
| 13 | +* You have created an IAM Policy and IAM Role with the appropriate permissions in Account A for Account B to create DNS records in the Route 53 hosted zone of Account A. |
| 14 | +* You have installed a cluster in Account B into the existing VPC for Account A. |
| 15 | +* You have installed the ExternalDNS Operator in the cluster in Account B. |
| 16 | +
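Review bot: the prerequisite on line 13 leaves out the half of the IAM setup that the `assumeRole` field on lines 64-65 depends on: besides a permissions policy scoped to Account A's hosted zone, the role needs a trust policy naming the Account B principal that the Operator runs as, otherwise `sts:AssumeRole` is denied and no record is ever written. State both, and say that the policy should grant only the Route 53 actions ExternalDNS uses (`route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets` on that zone, plus `route53:ListHostedZones`) rather than a broad policy. Smaller wording points: line 9 says "a single Route 53 instance", but Route 53 has no instances; what is shared is a single hosted zone. "Amazon AWS accounts" on line 12 is redundant ("AWS accounts"), and line 14 reads as if the VPC belongs to Account B; "into the VPC that Account A shares with it" is clearer. The anchor id on line 6 mixes case (`with-VPC`) where ids are conventionally lowercase, and "Account" on line 7 is capitalized mid-title.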
| 17 | +.Procedure |
| 18 | + |
| 19 | +. Get the Role ARN of the IAM Role that you created to allow Account B to access Account A's Route 53 hosted zone by running the following command: |
| 20 | ++ |
| 21 | +[source,terminal] |
| 22 | +---- |
| 23 | +$ aws --profile account-a iam get-role --role-name user-rol1 | head -1 |
| 24 | +---- |
| 25 | ++ |
| 26 | +.Example output |
| 27 | ++ |
| 28 | +[source,terminal] |
| 29 | +---- |
| 30 | +ROLE arn:aws:iam::1234567890123:role/user-rol1 2023-09-14T17:21:54+00:00 3600 / AROA3SGB2ZRKRT5NISNJN user-rol1 |
| 31 | +---- |
| 32 | + |
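Review bot: `head -1` on line 23 only produces the one-line output shown on line 30 when the CLI's output format is already set to `text`; with the default JSON format the first line is `{`. The same assumption is baked into line 37. Make the commands independent of the profile's output setting and have them return just the value the next step needs, for example `aws --profile account-a iam get-role --role-name user-rol1 --query Role.Arn --output text`, which prints only the ARN that goes into the `ExternalDNS` object. The role name `user-rol1` looks like a typo for `user-role1`; if it is intentional, keep it consistent wherever it appears (lines 23, 30 and 65).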
| 33 | +. Locate the private hosted zone to use with Account A's credentials by running the following command: |
| 34 | ++ |
| 35 | +[source,terminal] |
| 36 | +---- |
| 37 | +$ aws --profile account-a route53 list-hosted-zones | grep testextdnsoperator.apacshift.support |
| 38 | +---- |
| 39 | ++ |
| 40 | +.Example output |
| 41 | ++ |
| 42 | +[source,terminal] |
| 43 | +---- |
| 44 | +HOSTEDZONES terraform /hostedzone/Z02355203TNN1XXXX1J6O testextdnsoperator.apacshift.support. 5 |
| 45 | +---- |
| 46 | + |
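Review bot: `grep` on the zone name on line 37 matches a public and a private hosted zone with the same name alike, yet the step says "private hosted zone" without telling the reader how to tell them apart. Filter on the zone name (with its trailing dot) and `Config.PrivateZone`, for example `aws --profile account-a route53 list-hosted-zones --query "HostedZones[?Name=='testextdnsoperator.apacshift.support.' && Config.PrivateZone].Id" --output text`, which also yields just the zone ID that the final check needs. Line 33 is ambiguous about what "with Account A's credentials" modifies (the zone or the lookup); "Using Account A's credentials, locate the private hosted zone" reads unambiguously.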
| 47 | +. Create the `ExternalDNS` object by running the following command: |
| 48 | ++ |
| 49 | +[source,terminal] |
| 50 | +---- |
| 51 | +$ cat <<EOF | oc create -f - |
| 52 | +apiVersion: externaldns.olm.openshift.io/v1beta1 |
| 53 | +kind: ExternalDNS |
| 54 | +metadata: |
| 55 | + name: sample-aws |
| 56 | +spec: |
| 57 | + domains: |
| 58 | + - filterType: Include |
| 59 | + matchType: Exact |
| 60 | + name: testextdnsoperator.apacshift.support |
| 61 | + provider: |
| 62 | + type: AWS |
| 63 | + aws: |
| 64 | + assumeRole: |
| 65 | + arn: arn:aws:iam::12345678901234:role/user-rol1 <1> |
| 66 | + source: |
| 67 | + type: OpenShiftRoute |
| 68 | + openshiftRouteOptions: |
| 69 | + routerName: default |
| 70 | +EOF |
| 71 | +---- |
| 72 | +<1> Specify the Role ARN to have DNS records created in Account A. |
| 73 | + |
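Review bot: the ARN on line 65 does not match the one the reader just retrieved on line 30: `arn:aws:iam::1234567890123:role/user-rol1` has a 13-digit account ID there and `arn:aws:iam::12345678901234:role/user-rol1` has 14 digits here, while AWS account IDs are 12 digits. Use one placeholder, for example `arn:aws:iam::123456789012:role/user-rol1`, in both places. Because a private zone can share its name with a public zone, the domain filter on lines 58-60 alone may not pin the Operator to the zone found in step 2; adding that zone's ID under `spec.zones` would, and would give the step 2 lookup a use beyond the final check. The callout on line 72 could also say that this is the role the Operator assumes from Account B's credentials, so the reader connects it to the IAM role in the prerequisites.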
| 74 | +. Check the records created for OpenShift Container Platform (OCP) routes by using the following command: |
| 75 | ++ |
| 76 | +[source,terminal] |
| 77 | +---- |
| 78 | +$ aws --profile account-a route53 list-resource-record-sets --hosted-zone-id Z02355203TNN1XXXX1J6O --query "ResourceRecordSets[?Type == 'CNAME']" | grep console-openshift-console |
| 79 | +---- |