CCL-2176: Isolated AWS Accounts ingress

modules/aws/networking/ingress/dns-isolated/route53-public-zone/README.md

@@ -0,0 +1 @@
+# Configures Wildcard DNS records pointing to NLB

modules/aws/networking/ingress/dns-isolated/route53-public-zone/main.tf

@@ -0,0 +1,34 @@
+
+# Define a local map for conditional execution
+locals {
+  nlb_map = var.apply_only ? { "nlb" = "${var.nlb_name}-external" } : {}
+}
+
+# Lookup NLB only if apply_only = true
+data "aws_lb" "existing_nlb" {
+  for_each = local.nlb_map
+  name     = each.value
+}
+
+# Create Route53 A Record Alias for External NLB (Only If NLB Exists)
+resource "aws_route53_record" "external_nlb" {
+  count   = length(local.nlb_map) > 0 ? 1 : 0
+  zone_id = var.hosted_zone_id # This is for the Route 53 hosted zone
+  name    = "*.${var.domain_name}"
+  type    = "A"
+
+  alias {
+    name                   = try(data.aws_lb.existing_nlb["nlb"].dns_name, "")
+    zone_id                = try(data.aws_lb.existing_nlb["nlb"].zone_id, "") # Extracted from NLB, not var.hosted_zone_id
+    evaluate_target_health = true
+  }
+}
+
+# Output the resolved NLB DNS Name & Hosted Zone ID (Avoid Failure If Missing)
+output "nlb_dns_name" {
+  value = length(local.nlb_map) > 0 ? try(data.aws_lb.existing_nlb["nlb"].dns_name, "NLB not found") : "NLB not found"
+}
+
+output "nlb_hosted_zone_id" {
+  value = length(local.nlb_map) > 0 ? try(data.aws_lb.existing_nlb["nlb"].zone_id, "Hosted Zone ID not found") : "Hosted Zone ID not found"
+}

modules/aws/networking/ingress/dns-isolated/route53-public-zone/variables.tf

@@ -0,0 +1,24 @@
+
+variable "hosted_zone_id" {
+  description = "Workload account hosted zone id"
+  type        = string
+  default     = ""
+}
+
+
+
+variable "domain_name" {
+  description = "The domain name for the Route 53 record"
+  type        = string
+}
+
+variable "nlb_name" {
+  description = "nlb name"
+  type        = string
+}
+
+variable "apply_only" {
+  description = "Execute during apply"
+  type        = bool
+  default     = false
+}

modules/aws/networking/ingress/nlb-isolated/README.md

@@ -0,0 +1 @@
+# Configures NLB in public subnets

modules/aws/networking/ingress/nlb-isolated/data.tf

@@ -0,0 +1,30 @@
+# Fetch VPC ID based on its Name tag
+data "aws_vpcs" "filtered_vpcs" {
+  filter {
+    name   = "tag:Name"
+    values = [var.vpc_name]
+  }
+}
+
+# Fetch private subnets based on the Name tag
+data "aws_subnets" "filtered_subnets" {
+  filter {
+    name   = "tag:Name"
+    values = [var.public_subnet_filter]
+  }
+
+  filter {
+    name   = "vpc-id"
+    values = data.aws_vpcs.filtered_vpcs.ids
+  }
+}
+
+output "vpc_id" {
+  value = data.aws_vpcs.filtered_vpcs.ids[0]
+}
+
+output "public_subnets" {
+  value = data.aws_subnets.filtered_subnets.ids
+}
+
+

modules/aws/networking/ingress/nlb-isolated/external.tf

@@ -0,0 +1,68 @@
+# external NLB
+resource "aws_lb" "external_nlb" {
+  name               = "${var.ingress_lb_group_name}-external"
+  internal           = false
+  load_balancer_type = "network"
+  enable_deletion_protection = false
+
+  subnet_mapping {
+    subnet_id     = data.aws_subnets.filtered_subnets.ids[0]
+  }
+
+  subnet_mapping {
+    subnet_id     = data.aws_subnets.filtered_subnets.ids[1]
+      }
+
+
+  # Attach the security group
+  security_groups = [aws_security_group.external_nlb_sg.id]
+
+  tags = merge(
+    var.tags,
+    {
+      "ingress_lb_group_name" = "${var.ingress_lb_group_name}-external"
+    }
+  )
+}
+
+
+resource "aws_security_group" "external_nlb_sg" {
+  name        = "${var.ingress_lb_group_name}-external-sg"
+  description = "Security group for external NLB"
+  vpc_id      = data.aws_vpcs.filtered_vpcs.ids[0]
+
+  # Allow traffic from the VPC for external communication
+  ingress {
+    description = "Allow traffic from private subnets"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "TCP"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Allow traffic from other instances using the same security group
+  ingress {
+    description = "Allow traffic from NLB for health checks"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "TCP"
+    self        = true
+  }
+
+  # Allow all egress traffic
+  egress {
+    description = "Allow Outbound traffic from NLB"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.ingress_lb_group_name}-external-sg"
+    }
+  )
+}
+

modules/aws/networking/ingress/nlb-isolated/outputs.tf

@@ -0,0 +1,4 @@
+output "nlb_dns_name" {
+  value = aws_lb.external_nlb.dns_name
+  description = "The DNS name of the Network Load Balancer"
+}

modules/aws/networking/ingress/nlb-isolated/variables.tf

@@ -0,0 +1,25 @@
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to AWS resources"
+}
+
+variable "vpc_name" {
+  type        = string
+  description = "Name of the VPC"
+}
+
+variable "public_subnet_filter" {
+  type        = string
+  description = "Name tag filter for public subnets"
+}
+
+variable "tenant" {
+  description = "The tenant name"
+  type        = string
+}
+
+variable "ingress_lb_group_name" {
+  description = "Tag value used for Phoenix Lambda to locate NLB"
+  type        = string
+}
+