# terraform
h
Anyone have any tips & tricks or resources on how to best handle domains and certificates in AWS for multiple accounts? Things are pretty straightforward when you have a single top domain and use subdomains per environment for separate accounts, but as soon as you start introducing custom domains, things can quickly become messy.
• do you try to keep the top-level domains in a shared account
• do you use wildcard certificates and reuse them, or create separate ones per service
• etc.
For me, this all seems to boil down to something that makes the setup manageable in the end; it becomes problematic when people don't know where a record should be placed in the Terraform setup.
t
I delegate subdomains to other accounts from a top-level account. My first rule of thumb is to never have things like a registered domain in templates that I plan on running much. I'll refer to said domains with remote state lookups or data queries in projects that I iterate on. For this I'd create a template for your parent account and a template for the child accounts. I'd create workspaces on the child template to satisfy all the accounts that need to be set up (this is mainly to handle provider silliness in a DRY fashion). In the parent account, I'd set up a registration for the main domain, then delegate authority for subdomains (like *.dev.example.com) to specific name servers. In the child accounts I'd create a Route53 hosted zone with the domain that was delegated to it and ensure that the name servers I use are the ones defined in the parent account. From there, I'd do a data query or remote state lookup in any Terraform project that used that domain, so it can inherit it without accidentally modifying it.
Personally speaking, I set up external-dns on a k8s cluster with the ability to create and edit DNS records for an account... so it'll create DNS records for *.api.dev.example.com, for example. Now I've got a way to deploy new microservices based purely on annotations on their services, and I don't need to couple dev code and Terraform to handle onboarding new shit.
h
Thanks for the input, I normally also prefer external-dns on a k8s cluster. What about customer-facing frontend domains, e.g. a production domain without the environment as a subdomain: do you just configure it in the prod account that is going to use it, or set up even that domain in a parent account and delegate the domain to the child account? (The only reason I could think of for doing something like this would be so you have one place where you can check all your domains; if this customer-facing domain is set up directly in a child prod account, you quickly lose the overview of what domains are in use, though not sure if that is an actual problem.)
t
Yeah, I think that's just an aesthetics choice and what you'd think makes the most sense. I wouldn't fault you for using the prod account as the parent in this case. Hell, you could do the entire thing in one big template if you want (but because a provider for each account is a thing, it would mean your code would end up being really not DRY).
h
thanks, then I have an idea on how to continue with the setup 👌
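The delegation pattern described in the thread (apex zone in a parent account, a hosted zone for the delegated subdomain in the child account, an NS record in the parent pointing at the child zone's name servers, and a DNS-validated wildcard certificate issued in the child account), written out as an added example that is not code from any participant. For readability it puts both accounts in one template with two provider aliases, the "not DRY" shape the thread mentions; the account IDs, the dns-admin role name and example.com are placeholders, and the real setup would split this into a parent template and a child template.

```hcl
# Added example, not from the thread. Account IDs, role names and example.com
# are placeholders; in practice the parent and child halves live in separate
# templates, and the child zone is consumed elsewhere via a data lookup.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  alias  = "parent"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/dns-admin" # placeholder
  }
}

provider "aws" {
  alias  = "child"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/dns-admin" # placeholder
  }
}

# Parent account: the registered apex zone is looked up, never managed here,
# so an iterated-on template cannot accidentally modify or destroy it.
data "aws_route53_zone" "apex" {
  provider     = aws.parent
  name         = "example.com."
  private_zone = false
}

# Child account: hosted zone for the delegated subdomain.
resource "aws_route53_zone" "dev" {
  provider = aws.child
  name     = "dev.example.com"
}

# Parent account: NS record delegating dev.example.com to the name servers
# Route53 assigned to the child zone, so both sides always agree.
resource "aws_route53_record" "dev_delegation" {
  provider = aws.parent
  zone_id  = data.aws_route53_zone.apex.zone_id
  name     = "dev.example.com"
  type     = "NS"
  ttl      = 300
  records  = aws_route53_zone.dev.name_servers
}

# Child account: wildcard certificate for the delegated subdomain, validated
# by DNS records the child account is authoritative for after delegation.
resource "aws_acm_certificate" "dev_wildcard" {
  provider                  = aws.child
  domain_name               = "*.dev.example.com"
  subject_alternative_names = ["dev.example.com"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# The wildcard and the bare subdomain share one validation CNAME, hence
# allow_overwrite when both map to the same record name.
resource "aws_route53_record" "dev_wildcard_validation" {
  provider = aws.child
  for_each = {
    for dvo in aws_acm_certificate.dev_wildcard.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = aws_route53_zone.dev.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  allow_overwrite = true
  records         = [each.value.record]
}

resource "aws_acm_certificate_validation" "dev_wildcard" {
  provider                = aws.child
  certificate_arn         = aws_acm_certificate.dev_wildcard.arn
  validation_record_fqdns = [for r in aws_route53_record.dev_wildcard_validation : r.fqdn]
}

output "dev_zone_id" {
  value = aws_route53_zone.dev.zone_id
}
```

Other projects in the child account should read the zone with a `data "aws_route53_zone"` lookup (or a remote state read of `dev_zone_id`) rather than declaring it again, which is what keeps the question "where does this record go" answerable: records under dev.example.com belong to the child account's zone, and the only thing the parent ever holds for it is the NS delegation.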