chore: enabling dnssec
kiraum committed Oct 5, 2024
1 parent 9432e97 commit 3590fa6
Showing 2 changed files with 62 additions and 2 deletions.
6 changes: 6 additions & 0 deletions environments/prod/main.tf
Expand Up @@ -150,6 +150,12 @@ module "route53" {
]
}
}

# Specify providers for this module
providers = {
aws = aws
aws.us_east_1 = aws.us_east_1
}
}

# Static website module
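Review bot: The `aws.us_east_1` alias added to the new `providers` map deserves a comment saying why a second region is wired into a DNS module, because nothing in this hunk explains it; Route 53 DNSSEC key-signing keys must be backed by a KMS key in us-east-1, which is what the module's KMS resource is pinned to via that alias. I would extend the existing comment to `# Specify providers for this module; aws.us_east_1 is required because the Route 53 DNSSEC KMS key must live in us-east-1`. The `module "route53"` block starts before this hunk.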
58 changes: 56 additions & 2 deletions modules/route53/main.tf
Expand Up @@ -2,18 +2,72 @@ terraform {
required_version = ">= 1.0.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0.0"
source = "hashicorp/aws"
configuration_aliases = [aws.us_east_1]
version = ">= 4.0.0"
}
}
}

data "aws_caller_identity" "current" {}

resource "aws_route53_zone" "zones" {
for_each = var.domains
name = each.value.domain_name
comment = each.value.comment
}

resource "aws_kms_key" "dnssec_key" {
provider = aws.us_east_1
for_each = var.domains
customer_master_key_spec = "ECC_NIST_P256"
deletion_window_in_days = 7
key_usage = "SIGN_VERIFY"
policy = jsonencode({
Statement = [
{
Action = [
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
"kms:Verify",
],
Effect = "Allow"
Principal = {
Service = "dnssec-route53.amazonaws.com"
}
Resource = "*"
Sid = "Allow Route 53 DNSSEC Service"
},
{
Action = "kms:*"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}
Resource = "*"
Sid = "Enable IAM User Permissions"
},
]
Version = "2012-10-17"
})
}

resource "aws_route53_key_signing_key" "key_signing_key" {
for_each = var.domains
hosted_zone_id = aws_route53_zone.zones[each.key].id
key_management_service_arn = aws_kms_key.dnssec_key[each.key].arn
name = "${each.value.domain_name}-key"
}

resource "aws_route53_hosted_zone_dnssec" "dnssec" {
for_each = var.domains
depends_on = [
aws_route53_key_signing_key.key_signing_key
]
hosted_zone_id = aws_route53_zone.zones[each.key].id
}

resource "aws_route53_record" "records" {
for_each = { for record in flatten([
for domain, zone in var.domains : [
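Review bot: The `Allow Route 53 DNSSEC Service` statement in the new `aws_kms_key.dnssec_key` policy grants the `dnssec-route53.amazonaws.com` service principal `kms:Sign` with no `Condition`, so the service could in principle use this key on behalf of a hosted zone that is not this account's; AWS's documented key policy for this use scopes the statement with `aws:SourceAccount` and `aws:SourceArn` to close that confused-deputy path, and I would add those conditions as below. The same reference policy also carries a `kms:CreateGrant` statement conditioned on `kms:GrantIsForAWSResource`, which appears to be absent here, so it is worth confirming against the provider docs before relying on this policy. Two smaller points: `deletion_window_in_days = 7` is the shortest window AWS allows, and scheduling deletion of a KSK's key while a DS record is still published at the parent breaks resolution for the zone, so a longer window gives more time to notice a mistaken destroy; and the KSK `name = "${each.value.domain_name}-key"` will contain dots and hyphens, which I believe Route 53 rejects for KSK names (letters, digits and underscores only), so something like `replace(each.value.domain_name, "/[^A-Za-z0-9]/", "_")` may be needed. The `aws_route53_record.records` resource at the end of the hunk continues outside it.
```terraform
      {
        Action = [
          "kms:DescribeKey",
          "kms:GetPublicKey",
          "kms:Sign",
          "kms:Verify",
        ]
        Effect = "Allow"
        Principal = {
          Service = "dnssec-route53.amazonaws.com"
        }
        Resource = "*"
        Sid      = "Allow Route 53 DNSSEC Service"
        # Confused-deputy guard: only honor the service when it acts for a hosted zone in this account
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:route53:::hostedzone/*"
          }
        }
      },
      # … unchanged: "Enable IAM User Permissions" statement …
```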
