From ce22f776ff6f5dd5604f71fb5eb45256e1e0a677 Mon Sep 17 00:00:00 2001
From: Evert Daniel Romero Garrido
Date: Thu, 16 Apr 2026 10:33:13 -0600
Subject: [PATCH] feat(dns): simplify PROD Route 53 by using prod-sacc.ccsoft.mx directly Switch PROD DNS from cross-account Route 53 management to a delegated subdomain in the PROD AWS account (523761210517). Changes: - prod.tfvars: domain_name changed to prod-sacc.ccsoft.mx - provider.tf: removed aws.route53 cross-account provider - main.tf: removed prod-specific Route 53 resources and data sources; cert_validation and main records now use default provider for all envs - outputs.tf: removed indexed references to main_prod resource
---
 terraform/environments/prod.tfvars | 2 +-
 terraform/main.tf | 48 ++----------------------------
 terraform/outputs.tf | 2 +-
 terraform/provider.tf | 17 -----------
 4 files changed, 4 insertions(+), 65 deletions(-)
diff --git a/terraform/environments/prod.tfvars b/terraform/environments/prod.tfvars
index a3fb23d..28e0b09 100644
--- a/terraform/environments/prod.tfvars
+++ b/terraform/environments/prod.tfvars
@@ -21,5 +21,5 @@ db_username = "sacc_admin_prod"
 db_password = ""
 s3_frontend_bucket = "ccsoft-proyectosacc-frontend-prod"
 s3_artifacts_bucket = "ccsoft-proyectosacc-artifacts-prod"
-domain_name = "sacc.ccsoft.mx"
+domain_name = "prod-sacc.ccsoft.mx"
 cloudfront_price_class = "PriceClass_100"
diff --git a/terraform/main.tf b/terraform/main.tf
index 1abf1fc..3017782 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -445,18 +445,6 @@ resource "aws_acm_certificate" "main" { } resource "aws_route53_record" "cert_validation" { - count = var.environment != "prod" ? 1 : 0 - allow_overwrite = true - name = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_name - records = [tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_value] - ttl = 60 - type = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_type - zone_id = local.route53_zone_id -} - -resource "aws_route53_record" "cert_validation_prod" { - provider = aws.route53 - count = var.environment == "prod" ? 1 : 0 allow_overwrite = true name = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_value] 
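Review bot: Removing `aws_route53_record.cert_validation_prod` here (and `main_prod` plus the `main_prod` data source in the later main.tf hunks) in the same commit that deletes the `aws.route53` provider alias leaves Terraform without a provider to destroy those instances, if the prod state still tracks them; the plan would be expected to stop with a "provider configuration not present" error. Either apply the resource removal while the alias still exists and drop the alias in a follow-up, or detach them with `terraform state rm 'aws_route53_record.cert_validation_prod[0]'` (likewise `main_prod[0]`) and delete the records by hand. In both cases confirm that the old ACM validation CNAME and the `sacc.ccsoft.mx` alias are actually gone from the cross-account zone: a leftover validation CNAME keeps authorising certificate issuance for that name, and a leftover alias is a dangling record. The resource body continues past the end of this hunk.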
@@ -468,40 +456,22 @@ resource "aws_route53_record" "cert_validation_prod" { resource "aws_acm_certificate_validation" "main" { provider = aws.us_east_1 certificate_arn = aws_acm_certificate.main.arn - validation_record_fqdns = local.cert_validation_fqdns + validation_record_fqdns = [aws_route53_record.cert_validation.fqdn] } # ------------------------------------------------------------------------------- # Route 53 # ------------------------------------------------------------------------------- data "aws_route53_zone" "main" { - count = var.environment != "prod" ? 1 : 0 - name = var.domain_name - private_zone = false -} - -data "aws_route53_zone" "main_prod" { - provider = aws.route53 - count = var.environment == "prod" ? 1 : 0 name = var.domain_name private_zone = false } locals { - route53_zone_id = coalesce( - try(data.aws_route53_zone.main[0].zone_id, ""), - try(data.aws_route53_zone.main_prod[0].zone_id, "") - ) - - cert_validation_fqdns = compact(try( - [aws_route53_record.cert_validation[0].fqdn], - [aws_route53_record.cert_validation_prod[0].fqdn], - [] - )) + route53_zone_id = data.aws_route53_zone.main.zone_id } resource "aws_route53_record" "main" { - count = var.environment != "prod" ? 1 : 0 zone_id = local.route53_zone_id name = var.domain_name type = "A" @@ -513,20 +483,6 @@ resource "aws_route53_record" "main" { } } -resource "aws_route53_record" "main_prod" { - provider = aws.route53 - count = var.environment == "prod" ? 1 : 0 - zone_id = local.route53_zone_id - name = var.domain_name - type = "A" - - alias { - name = aws_cloudfront_distribution.main.domain_name - zone_id = aws_cloudfront_distribution.main.hosted_zone_id - evaluate_target_health = false - } -} - # ------------------------------------------------------------------------------- # CloudFront Distribution # ------------------------------------------------------------------------------- diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 8edbe49..13aa618 100644 
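Review bot: The `data "aws_route53_zone" "main"` lookup is now the only source of `route53_zone_id`, so every environment, prod included, needs a public hosted zone named exactly `var.domain_name` in the default provider's account, and nothing in this diff creates the `prod-sacc.ccsoft.mx` zone or its NS delegation from the parent. That precondition is undocumented; I would add above the data source `# Requires a public hosted zone for var.domain_name in this account, delegated via NS records from the parent zone (managed outside this stack).` Without the delegation the ACM DNS validation would presumably wait until it times out, and NS records in the parent that outlive the child zone are worth tracking as a subdomain-takeover exposure. The `aws_route53_record.main` block at the end of the hunk continues outside it.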
--- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -43,7 +43,7 @@ output "cloudfront_distribution_id" { output "route53_record" { description = "Registro DNS creado en Route 53" - value = try(aws_route53_record.main[0].name, aws_route53_record.main_prod[0].name, "") + value = aws_route53_record.main.name } output "acm_certificate_arn" { diff --git a/terraform/provider.tf b/terraform/provider.tf index 9d1ee64..7763c5b 100644 --- a/terraform/provider.tf +++ b/terraform/provider.tf @@ -50,21 +50,4 @@ provider "aws" { } } -# Provider para Route 53 en cuenta cross-account (262270938827) -# Solo se usa en PROD mediante count condicional en los recursos de Route 53. -provider "aws" { - alias = "route53" - region = "us-east-1" - assume_role { - role_arn = "arn:aws:iam::262270938827:role/Route53ProyectosaccCrossAccountRole" - } - - default_tags { - tags = { - Project = var.project_name - ManagedBy = "terraform" - Environment = var.environment - } - } -}