Hi again folks :star-struck: my org is transitioni...
# getting-started
Hi again folks 🤩 my org is transitioning into an AWS CT based multi-account strategy centered around OUs. I've glanced through the docs over at -> https://www.pulumi.com/registry/packages/aws/api-docs/organizations/ and have a few questions. Currently, our OUs are structured vertically by environment with sub OUs horizontally per team which in turn contain aws accounts. The use case I'm trying to figure out is how would we use Pulumi to set up Route 53 in a cross-env devops account sitting at SDLC root (same node level as all of our environment OUs) and route different subdomains from it to different environments (more concerned about the actual config from an infra standpoint than the account and OU management aspects here). In short, we're trying to find the best way to go about having Route53 in one account point to ingresses in other accounts. Is there an example of something like this somewhere?
My AWS is rather rusty, but my first thought is perhaps you could leverage subdomains, and delegate those subdomains to these org-specific accounts. AWS has a doc on this: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html
Pulumi should make doing this a breeze
Yup that is the approach we're taking
Thanks for jumping in by the way! What I can't figure out is how to point those zones to an ingress in a different AWS account
Internally we have the following repos for IAC: • global-infrastructure (shared vertically between envs - very few things here. log sinks, stream coalescing, etc. Route53 will be one of them) • core-infrastructure (routers, VPCs, networking and persistent resources shared by multiple services in the same environment) • many service repositories each with their own stack per environment
Oh, I think I better follow what you're trying to do now. Sadly I don't know how this could be done in a way that centralizes all the DNS records and zones in the root (or in this case, global-infrastructure, if I'm understanding correctly). When I was suggesting zone delegation, I meant putting only the subdomain records in the global-infrastructure zone, then creating new hosted zones in each core-infrastructure (I think) that then receive authority via delegation. That way, each core-infrastructure can benefit from all the fancy AWS integrations Route 53 offers, because control of that subdomain lives within the same account as the ones you're trying to link to. I think this blog post better illustrates what I mean: https://notes.paulswail.com/public/How+to+delegate+DNS+for+subdomains+to+a+different+Route53+HostedZone
Which, again, Pulumi should make very straightforward, I imagine
Then I imagine you can use stack dependencies to pass the relevant hosted zone information between stacks