From e8c301857836e33c148b04890d14a86e1e864707 Mon Sep 17 00:00:00 2001 From: Ulises Tirado Zatarain Date: Fri, 9 Aug 2024 22:34:35 +0100 Subject: [PATCH 1/6] LRNT-020: Adding DNS validation records for Mail Service (#33) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 👨🏽‍💻 Description These changes add the DNS records to validate Mail Service. This will allow us to validate the domain names with the CRM Provider via authentication from their side. ## ✅ Testing - [x] Provisioned the infrastructure to development - [x] Confirm the records were created in Route53 - [x] Validation runs successful from the CRM Provider ## 🖼️ Evidence Following screenshot shows the records created in AWS Route53: ![image](https://github.com/user-attachments/assets/0f869bc5-64fe-473e-8b22-8093fa3aa01f) Following screenshot shows the successful authentication from the CRM Provider: ![image](https://github.com/user-attachments/assets/c74edae9-b913-40db-864b-4f39b72d70aa) --------- Signed-off-by: Ulises Tirado Zatarain --- mail.tf | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/mail.tf b/mail.tf index 6c40908..29d8e24 100644 --- a/mail.tf +++ b/mail.tf 
@@ -10,3 +10,38 @@ resource "aws_secretsmanager_secret_version" "crm-service" {
 dmarc = "change me"
 })
 }
+
+data "aws_secretsmanager_secret_version" "crm-current" {
+ secret_id = aws_secretsmanager_secret.crm-service.id
+}
+
+locals {
+ mail-secret = jsondecode(data.aws_secretsmanager_secret_version.crm-current.secret_string)
+}
+
+resource "aws_route53_record" "crm-code" {
+ for_each = toset(local.configuration.sdlc.environments)
+ zone_id = local.kingdom.zone_id
+ name = ""
+ type = "TXT"
+ ttl = 172800
+ records = [local.mail-secret["code"]]
+}
+
+resource "aws_route53_record" "crm-dkim" {
+ for_each = toset(local.configuration.sdlc.environments)
+ zone_id = local.kingdom.zone_id
+ name = "mail._domainkey"
+ type = "TXT"
+ ttl = 172800
+ records = [local.mail-secret["dkim"]]
+}
+
+resource "aws_route53_record" "crm-dmarc" {
+ for_each = toset(local.configuration.sdlc.environments)
+ zone_id = local.kingdom.zone_id
+ name = "_dmarc"
+ type = "TXT"
+ ttl = 172800
+ records = [local.mail-secret["dmarc"]]
+}
From 8174c3fb628588e3c7c0ccaa38fbd02f10975ba4 Mon Sep 17 00:00:00 2001 From: Ulises Tirado Zatarain Date: Fri, 9 Aug 2024 21:30:14 +0100 Subject: [PATCH 2/6] LRNT-020: Adding DNS validation records for Mail Service Signed-off-by: Ulises Tirado Zatarain --- mail.tf | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/mail.tf b/mail.tf
index 29d8e24..c5852e9 100644
--- a/mail.tf
+++ b/mail.tf
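Review bot: The `crm-current` data source reads whatever version of `crm-service` is current, and the resource version just above it (its opening is outside the hunk) seeds `dmarc = "change me"` — presumably `code` and `dkim` as well — so a first apply publishes the literal placeholder as the apex TXT, `mail._domainkey` and `_dmarc` records, and once the real values are entered out of band a later apply of that resource would try to reset them to the placeholder unless it already carries `lifecycle { ignore_changes = [secret_string] }`. If that block is missing, add it, and guard the three record resources with a `lifecycle { precondition { … } }` whose `condition` rejects a value equal to `"change me"` and whose `error_message` says the secret has not been populated, so the plan fails before bogus DNS goes out rather than after. With `ttl = 172800` a wrong value would otherwise sit on resolvers for two days, which is what makes the guard worth its four lines.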
@@ -16,31 +16,35 @@ data "aws_secretsmanager_secret_version" "crm-current" {
 }
 
 locals {
+ mail-server = terraform.workspace == "production" ? "" : trimsuffix(local.zone_prefix[terraform.workspace], ".")
 mail-secret = jsondecode(data.aws_secretsmanager_secret_version.crm-current.secret_string)
 }
 
 resource "aws_route53_record" "crm-code" {
- for_each = toset(local.configuration.sdlc.environments)
- zone_id = local.kingdom.zone_id
- name = ""
+ for_each = toset(local.records-for-kingdoms)
+ provider = aws.root
+ zone_id = data.aws_route53_zone.realm[each.value].zone_id
+ name = local.mail-server == "" ? "@" : local.mail-server
 type = "TXT"
 ttl = 172800
 records = [local.mail-secret["code"]]
 }
 
 resource "aws_route53_record" "crm-dkim" {
- for_each = toset(local.configuration.sdlc.environments)
- zone_id = local.kingdom.zone_id
- name = "mail._domainkey"
+ for_each = toset(local.records-for-kingdoms)
+ provider = aws.root
+ zone_id = data.aws_route53_zone.realm[each.value].zone_id
+ name = "mail._domainkey.${local.mail-server}"
 type = "TXT"
 ttl = 172800
 records = [local.mail-secret["dkim"]]
 }
 
 resource "aws_route53_record" "crm-dmarc" {
- for_each = toset(local.configuration.sdlc.environments)
- zone_id = local.kingdom.zone_id
- name = "_dmarc"
+ for_each = toset(local.records-for-kingdoms)
+ provider = aws.root
+ zone_id = data.aws_route53_zone.realm[each.value].zone_id
+ name = "_dmarc.${local.mail-server}"
 type = "TXT"
 ttl = 172800
 records = [local.mail-secret["dmarc"]]
From 185b30eb118b3708dbe41554df587c774aa8d0da Mon Sep 17 00:00:00 2001 From: Ulises Tirado Zatarain Date: Fri, 9 Aug 2024 21:57:29 +0100 Subject: [PATCH 3/6] LRNT-020: Fixing record building by correct domain name Signed-off-by: Ulises Tirado Zatarain --- mail.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/mail.tf b/mail.tf
index c5852e9..221133d 100644
--- a/mail.tf
+++ b/mail.tf
@@ -16,14 +16,14 @@ data "aws_secretsmanager_secret_version" "crm-current" {
 }
 
 locals {
- mail-server = terraform.workspace == "production" ? "" : trimsuffix(local.zone_prefix[terraform.workspace], ".")
+ mail-server = terraform.workspace == "production" ? "" : trimsuffix(local.zone_prefix[terraform.workspace], ".zatara.in")
 mail-secret = jsondecode(data.aws_secretsmanager_secret_version.crm-current.secret_string)
 }
 
 resource "aws_route53_record" "crm-code" {
- for_each = toset(local.records-for-kingdoms)
+ for_each = toset(local.configuration.sdlc.environments)
 provider = aws.root
- zone_id = data.aws_route53_zone.realm[each.value].zone_id
+ zone_id = local.kingdom.zone_id
 name = local.mail-server == "" ? "@" : local.mail-server
 type = "TXT"
 ttl = 172800
@@ -31,9 +31,9 @@ resource "aws_route53_record" "crm-code" {
 }
 
 resource "aws_route53_record" "crm-dkim" {
- for_each = toset(local.records-for-kingdoms)
+ for_each = toset(local.configuration.sdlc.environments)
 provider = aws.root
- zone_id = data.aws_route53_zone.realm[each.value].zone_id
+ zone_id = local.kingdom.zone_id
 name = "mail._domainkey.${local.mail-server}"
 type = "TXT"
 ttl = 172800
@@ -41,9 +41,9 @@ resource "aws_route53_record" "crm-dkim" {
 }
 
 resource "aws_route53_record" "crm-dmarc" {
- for_each = toset(local.records-for-kingdoms)
+ for_each = toset(local.configuration.sdlc.environments)
 provider = aws.root
- zone_id = data.aws_route53_zone.realm[each.value].zone_id
+ zone_id = local.kingdom.zone_id
 name = "_dmarc.${local.mail-server}"
 type = "TXT"
 ttl = 172800
From ce064e5b8e6157a34537dc5714252c23179785f2 Mon Sep 17 00:00:00 2001 From: Ulises Tirado Zatarain Date: Fri, 9 Aug 2024 22:05:19 +0100 Subject: [PATCH 4/6] LRNT-020: Using the correct AWS account Signed-off-by: Ulises Tirado Zatarain --- mail.tf | 3 --- 1 file changed, 3 deletions(-)
diff --git a/mail.tf b/mail.tf
index 221133d..067f72a 100644
--- a/mail.tf
+++ b/mail.tf
@@ -22,7 +22,6 @@ locals {
 
 resource "aws_route53_record" "crm-code" {
 for_each = toset(local.configuration.sdlc.environments)
- provider = aws.root
 zone_id = local.kingdom.zone_id
 name = local.mail-server == "" ? "@" : local.mail-server
 type = "TXT"
@@ -32,7 +31,6 @@ resource "aws_route53_record" "crm-code" {
 
 resource "aws_route53_record" "crm-dkim" {
 for_each = toset(local.configuration.sdlc.environments)
- provider = aws.root
 zone_id = local.kingdom.zone_id
 name = "mail._domainkey.${local.mail-server}"
 type = "TXT"
@@ -42,7 +40,6 @@ resource "aws_route53_record" "crm-dkim" {
 
 resource "aws_route53_record" "crm-dmarc" {
 for_each = toset(local.configuration.sdlc.environments)
- provider = aws.root
 zone_id = local.kingdom.zone_id
 name = "_dmarc.${local.mail-server}"
 type = "TXT"
From f7e3bc3fb6a37bf6c81b6cfc7aa8eee3c5e63c55 Mon Sep 17 00:00:00 2001 From: Ulises Tirado Zatarain Date: Fri, 9 Aug 2024 22:27:36 +0100 Subject: [PATCH 5/6] LRNT-020: Use empty string for the domain itself rather than '@' Signed-off-by: Ulises Tirado Zatarain --- mail.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/mail.tf b/mail.tf
index 067f72a..29d8e24 100644
--- a/mail.tf
+++ b/mail.tf
@@ -16,14 +16,13 @@ data "aws_secretsmanager_secret_version" "crm-current" {
 }
 
 locals {
- mail-server = terraform.workspace == "production" ? "" : trimsuffix(local.zone_prefix[terraform.workspace], ".zatara.in")
 mail-secret = jsondecode(data.aws_secretsmanager_secret_version.crm-current.secret_string)
 }
 
 resource "aws_route53_record" "crm-code" {
 for_each = toset(local.configuration.sdlc.environments)
 zone_id = local.kingdom.zone_id
- name = local.mail-server == "" ? "@" : local.mail-server
+ name = ""
 type = "TXT"
 ttl = 172800
 records = [local.mail-secret["code"]]
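Review bot: `name = ""` in `crm-code` makes the verification TXT the apex RRSet, and Route53 allows exactly one TXT RRSet per name, so if the apex already has a TXT record — an SPF `v=spf1 …` record is the usual one, and nothing in this hunk rules it out — the create fails with an "already exists" error, and reaching for `allow_overwrite = true` to get past that would silently replace the SPF record. If such a record exists, the safe form is a single resource whose `records` list carries both the existing SPF value and `local.mail-secret["code"]`, rather than two resources competing for the same RRSet. The closing brace of `crm-code` lies outside the hunk.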
@@ -32,7 +31,7 @@ resource "aws_route53_record" "crm-code" {
 resource "aws_route53_record" "crm-dkim" {
 for_each = toset(local.configuration.sdlc.environments)
 zone_id = local.kingdom.zone_id
- name = "mail._domainkey.${local.mail-server}"
+ name = "mail._domainkey"
 type = "TXT"
 ttl = 172800
 records = [local.mail-secret["dkim"]]
@@ -41,7 +40,7 @@ resource "aws_route53_record" "crm-dkim" {
 resource "aws_route53_record" "crm-dmarc" {
 for_each = toset(local.configuration.sdlc.environments)
 zone_id = local.kingdom.zone_id
- name = "_dmarc.${local.mail-server}"
+ name = "_dmarc"
 type = "TXT"
 ttl = 172800
 records = [local.mail-secret["dmarc"]]
From e1511767328d421eaf1b46a3d37d090e64993c34 Mon Sep 17 00:00:00 2001 From: Ulises Tirado Zatarain Date: Fri, 9 Aug 2024 22:54:47 +0100 Subject: [PATCH 6/6] LRNT-020: Adding CRM/DNS authentication records for all environments Signed-off-by: Ulises Tirado Zatarain --- mail.tf | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/mail.tf b/mail.tf
index 29d8e24..66f4d0e 100644
--- a/mail.tf
+++ b/mail.tf
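Review bot: The DMARC policy and the DKIM public key published by `crm-dmarc` and `crm-dkim` are public by construction — they are being written to world-readable DNS — so sourcing them from Secrets Manager via `local.mail-secret` protects nothing while hiding the actual policy (`p=`, `rua=`, `pct=`) from code review, and it means the records cannot be planned at all until someone has hand-edited the secret. Consider keeping the DMARC string as a plain `local` in this file, e.g. `dmarc = "v=DMARC1; p=none; rua=mailto:…"` reviewed like any other config, and reserving the secret for the provider's verification token if the provider actually treats that as confidential; the DKIM value can stay external since it is provider-generated.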
@@ -20,28 +20,25 @@ locals {
 }
 
 resource "aws_route53_record" "crm-code" {
- for_each = toset(local.configuration.sdlc.environments)
- zone_id = local.kingdom.zone_id
- name = ""
- type = "TXT"
- ttl = 172800
- records = [local.mail-secret["code"]]
+ zone_id = local.kingdom.zone_id
+ name = ""
+ type = "TXT"
+ ttl = 172800
+ records = [local.mail-secret["code"]]
 }
 
 resource "aws_route53_record" "crm-dkim" {
- for_each = toset(local.configuration.sdlc.environments)
- zone_id = local.kingdom.zone_id
- name = "mail._domainkey"
- type = "TXT"
- ttl = 172800
- records = [local.mail-secret["dkim"]]
+ zone_id = local.kingdom.zone_id
+ name = "mail._domainkey"
+ type = "TXT"
+ ttl = 172800
+ records = [local.mail-secret["dkim"]]
 }
 
 resource "aws_route53_record" "crm-dmarc" {
- for_each = toset(local.configuration.sdlc.environments)
- zone_id = local.kingdom.zone_id
- name = "_dmarc"
- type = "TXT"
- ttl = 172800
- records = [local.mail-secret["dmarc"]]
+ zone_id = local.kingdom.zone_id
+ name = "_dmarc"
+ type = "TXT"
+ ttl = 172800
+ records = [local.mail-secret["dmarc"]]
 }
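Review bot: `records = [local.mail-secret["dkim"]]` in `crm-dkim` publishes the DKIM key as one TXT character-string, and Route53 rejects any character-string over 255 bytes (`InvalidChangeBatch … CharacterStringTooLong`); a 2048-bit RSA key's `v=DKIM1; k=rsa; p=…` value is roughly 400 bytes, so unless the provider issues 1024-bit keys or the value in the secret is already pre-split into quoted chunks, this apply fails at the DKIM record. Splitting in Terraform keeps the secret untouched: `records = [join("\" \"", regexall(".{1,255}", local.mail-secret["dkim"]))]` — the AWS provider quotes the result and DKIM verifiers concatenate the strings. The 48-hour `ttl = 172800` on all three records is high for values that are expected to change (selector rotation, moving DMARC off `p=none`, or replacing the placeholder the secret starts with); `ttl = 3600` is the usual choice until the setup has settled. I also do not see an SPF record for the provider's sending hosts in this hunk; if it is not managed elsewhere in `mail.tf`, DMARC alignment will be relying on DKIM alone.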