feat(external-dns): Add Route53 component

contexts/aws-example/blueprint.yaml

@@ -16,7 +16,10 @@ sources:
 terraform:
 - path: network/aws-vpc
 - path: cluster/aws-eks
+- path: cluster/aws-eks/additions
+  destroy: false
 - path: gitops/flux
+  destroy: false
 kustomize:
 - name: telemetry-base
   path: telemetry/base
@@ -53,7 +56,6 @@ kustomize:
   source: core
   dependsOn:
   - pki-resources
-  force: true
   components:
   - nginx
   - nginx/flux-webhook
@@ -66,7 +68,6 @@ kustomize:
   source: core
   dependsOn:
   - policy-resources
-  force: true
   components:
   - cert-manager
   - trust-manager
@@ -75,18 +76,15 @@ kustomize:
   source: core
   dependsOn:
   - pki-base
-  force: true
   components:
   - private-issuer/ca
   - public-issuer/selfsigned
-- name: gitops
-  path: gitops/flux
+- name: dns
+  path: dns
   source: core
-  dependsOn:
-  - ingress-base
-  force: true
   components:
-  - webhook
+  - external-dns
+  - external-dns/route53
 - name: observability
   path: observability
   source: core

contexts/aws-example/terraform/cluster/aws-eks/additions.tfvars

@@ -0,0 +1,10 @@
+# Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+
+# ARN of the IAM role for external-dns. If not provided, will be looked up from the cluster.
+# external_dns_role_arn = null
+
+# AWS region where the Route53 hosted zone is located. If not provided, will use the cluster's region.
+# route53_region = null
+
+# Name of the EKS cluster.
+# cluster_name = ""

kustomize/dns/external-dns/route53/README.md

@@ -0,0 +1,43 @@
+# External DNS Route53 Configuration
+
+This component configures external-dns to use AWS Route53 for DNS management in EKS clusters.
+
+## Dependencies
+
+This component requires the `aws-eks/additions` Terraform module to be applied first, as it creates a ConfigMap with required configuration values:
+
+```hcl
+resource "kubernetes_config_map" "external_dns" {
+  metadata {
+    name      = "external-dns"
+    namespace = "system-dns"
+  }
+
+  data = {
+    aws_role_arn = "arn:aws:iam::${account_id}:role/${cluster_name}-external-dns"
+    aws_region   = "us-west-2"  # or cluster's region
+    txt_owner_id = "${cluster_name}-${context_id}"
+  }
+}
+```
+
+## Configuration Values
+
+The HelmRelease uses the following values from the ConfigMap:
+
+| ConfigMap Key | Helm Value Path | Description |
+|---------------|----------------|-------------|
+| aws_role_arn | aws.role_arn | IAM role ARN for external-dns |
+| aws_region | aws.region | AWS region for Route53 operations |
+| txt_owner_id | txtOwnerId | Unique identifier for TXT records |
+
+## Usage
+
+1. Apply the `aws-eks/additions` Terraform module to create the ConfigMap
+2. Apply this kustomization to deploy external-dns with Route53 configuration
+
+## Notes
+
+- The ConfigMap must exist in the `system-dns` namespace
+- The IAM role referenced by `aws_role_arn` must have appropriate Route53 permissions
+- The `txt_owner_id` is constructed as `${cluster_name}-${context_id}` to ensure uniqueness across clusters

kustomize/dns/external-dns/route53/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: external-dns
+      namespace: system-dns
+    path: patches/helm-release.yaml 

kustomize/dns/external-dns/route53/patches/helm-release.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: system-dns
+spec:
+  valuesFrom:
+    - kind: ConfigMap
+      name: external-dns
+      valuesKey: aws_region
+      targetPath: aws.region
+    - kind: ConfigMap
+      name: external-dns
+      valuesKey: txt_owner_id
+      targetPath: txtOwnerId
+  values:
+    provider:
+      aws:
+        usePodIdentity: true
+    sources:
+      - ingress
+      - service
+    policy: sync
+    registry: txt
+    domainFilters:
+      - ${DOMAIN}
+    serviceAccount:
+      create: true
+      name: external-dns
+      annotations: {} 

terraform/cluster/aws-eks/README.md

@@ -67,6 +67,7 @@ No modules.
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster. | `string` | `""` | no |
 | <a name="input_context_id"></a> [context\_id](#input\_context\_id) | The windsor context id for this deployment | `string` | `""` | no |
 | <a name="input_context_path"></a> [context\_path](#input\_context\_path) | The path to the context folder, where kubeconfig is stored | `string` | `""` | no |
+| <a name="input_endpoint_private_access"></a> [endpoint\_private\_access](#input\_endpoint\_private\_access) | Whether to enable private access to the EKS cluster. | `bool` | `false` | no |
 | <a name="input_endpoint_public_access"></a> [endpoint\_public\_access](#input\_endpoint\_public\_access) | Whether to enable public access to the EKS cluster. | `bool` | `true` | no |
 | <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | Map of EKS Fargate profile definitions to create. | <pre>map(object({<br/>    selectors = list(object({<br/>      namespace = string<br/>      labels    = optional(map(string), {})<br/>    }))<br/>    tags = optional(map(string), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | The kubernetes version to deploy. | `string` | `"1.32"` | no |

terraform/cluster/aws-eks/_templates/kubeconfig.tpl

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: ${cluster_name}
+  cluster:
+    server: ${cluster_endpoint}
+    certificate-authority-data: ${cluster_ca}
+contexts:
+- name: ${cluster_name}
+  context:
+    cluster: ${cluster_name}
+    user: ${cluster_name}
+current-context: ${cluster_name}
+users:
+- name: ${cluster_name}
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: aws
+      args:
+        - eks
+        - get-token
+        - --cluster-name
+        - ${cluster_name}
+        - --region
+        - ${region}

terraform/cluster/aws-eks/additions/README.md

@@ -0,0 +1,43 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.97.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | 2.27.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.97.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.27.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_config_map.external_dns](https://registry.terraform.io/providers/hashicorp/kubernetes/2.27.0/docs/resources/config_map) | resource |
+| [kubernetes_namespace.system_dns](https://registry.terraform.io/providers/hashicorp/kubernetes/2.27.0/docs/resources/namespace) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.current](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/data-sources/eks_cluster) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster. | `string` | `""` | no |
+| <a name="input_context_id"></a> [context\_id](#input\_context\_id) | The windsor context id for this deployment | `string` | `""` | no |
+| <a name="input_external_dns_role_arn"></a> [external\_dns\_role\_arn](#input\_external\_dns\_role\_arn) | ARN of the IAM role for external-dns. If not provided, will be looked up from the cluster. | `string` | `null` | no |
+| <a name="input_route53_region"></a> [route53\_region](#input\_route53\_region) | AWS region where the Route53 hosted zone is located. If not provided, will use the cluster's region. | `string` | `null` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

terraform/cluster/aws-eks/additions/main.tf

@@ -0,0 +1,71 @@
+# The AWS EKS Config module manages Kubernetes resources for AWS EKS clusters
+# It provides configuration for system components like external-dns
+# This module bridges Terraform and Kubernetes resources
+# Key features: namespace management, configmap creation, auto-import of existing resources
+
+terraform {
+  required_version = ">=1.8"
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.27.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.97.0"
+    }
+  }
+}
+
+locals {
+  cluster_name = var.cluster_name != "" ? var.cluster_name : "cluster-${var.context_id}"
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_eks_cluster" "current" {
+  name = local.cluster_name
+}
+
+# =============================================================================
+# Namespace Resources
+# =============================================================================
+
+# The system-dns namespace hosts DNS-related components
+# It provides isolation and security context for DNS services
+resource "kubernetes_namespace" "system_dns" {
+  metadata {
+    name = "system-dns"
+    labels = {
+      "pod-security.kubernetes.io/enforce" = "baseline"
+      "pod-security.kubernetes.io/audit"   = "baseline"
+      "pod-security.kubernetes.io/warn"    = "baseline"
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].labels
+    ]
+  }
+}
+
+# =============================================================================
+# ConfigMap Resources
+# =============================================================================
+
+# The external-dns configmap provides configuration for the external-dns service
+# It contains AWS-specific settings and credentials
+resource "kubernetes_config_map" "external_dns" {
+  metadata {
+    name      = "external-dns"
+    namespace = kubernetes_namespace.system_dns.metadata[0].name
+  }
+
+  data = {
+    aws_region   = var.route53_region != null ? var.route53_region : data.aws_region.current.name
+    txt_owner_id = local.cluster_name
+  }
+}