# terraform
t
I delegate subdomains to other accounts from a top-level account. My first rule of thumb is to never have things like a registered domain in templates that I plan on running much. I'll refer to said domains with remote state lookups or data queries in projects that I iterate on. For this I'd create a template for your parent account and a template for the child accounts. I'd create workspaces on the child template to satisfy all the accounts that need to be set up (this is mainly to handle provider silliness in a DRY fashion). In the parent account, I'd set up a registration for the main domain, then delegate authority for subdomains (like *.dev.example.com) to specific name servers. In the child accounts I'd create a Route53 hosted zone with the domain that was delegated to it and ensure that the name servers I use are the ones defined in the parent account. From there, I'd do a data query or remote state lookup in any Terraform project that used that domain, so it can inherit it without accidentally modifying it.
Personally speaking, I set up external DNS on a k8s cluster with the ability to create and edit DNS records for an account... so it'll create DNS records for *.api.dev.example.com, for example. Now I've got a way to deploy new microservices based purely on annotations on their services, and I don't need to couple dev code and Terraform to handle onboarding new shit.
h
Thanks for the input, I normally also prefer external DNS on a k8s cluster. What about customer-facing frontend domains, e.g. a production domain without the environment as a subdomain: do you just configure it in the prod account that is going to use it, or set up even that domain in a parent account and delegate the domain to the child account? (The only reason I could think of for doing something like this would be so you have one place where you can check all your domains; if this customer-facing domain is set up directly in a child prod account, you quickly lose the overview of which domains are in use, though I'm not sure if that is an actual problem.)
t
Yeah, I think that's just an aesthetics choice and what you'd think makes the most sense. I wouldn't fault you for using the prod account as the parent in this case. Hell, you could do the entire thing in one big template if you want (but because a provider for each account is a thing, it would mean your code would end up being really not DRY).
h
Thanks, then I have an idea on how to continue with the setup 👌