Skip to content

TF Module for creating a R53 zone with DNSSEC, optional GitHub verified domain/org, Protonmail support, dmarc and mx records and Amazon CAA record support.

License

Notifications You must be signed in to change notification settings

Lupus-Metallum/terraform-aws-r53-zone

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

terraform-aws-r53-zone

TF Module for creating a R53 zone with DNSSEC, should be used in conjunction with lupus-metallum/dnssec-kms to create a key. This can be looped for unique keys per zone if desired. If a var.kms_key_arn is not specified, a zone with be created without DNSSEC.

Example

module "dnssec_key" {
  source   = "Lupus-Metallum/dnssec-kms/aws"
  version  = "1.0.4"
  
  name     = "my-dnssec-key"
}

module "r53_zone_example_net" {
  source  = "Lupus-Metallum/r53-zone/aws"
  version = "1.7.0"

  domain_name           = "example.net"
  dnssec                = true
  caa_record            = {
    aws          = true
    lets_encrypt = true
  }
  outlook_autodiscover  = true
  kms_key_arn           = module.dnssec_key.key_arn
  signing_key_name      = "ExampleDefaultKey"
  root_txt              = [
    "protonmail-verification=0000000000000000000000",
    "v=spf1 include:_spf.protonmail.ch -all",
    "stripe-verification=000000000000",
  ]
  root_mx               = [
    "10 mail.protonmail.ch.",
    "20 mailsec.protonmail.ch."
    ]
  dmarc_value           = ["v=DMARC1; p=quarantine; sp=quarantine; pct=100; rua=mailto:[email protected]"]
  protonmail_domainkey  = "protonmail.domainkey.00000000000000000000000000000000000000000000000000000.domains.proton.ch."
  protonmail2_domainkey = "protonmail2.domainkey.00000000000000000000000000000000000000000000000000000.domains.proton.ch."
  protonmail3_domainkey = "protonmail3.domainkey.00000000000000000000000000000000000000000000000000000.domains.proton.ch."
  ms_domainkey          = "selector1-0000000._domainkey.0000000.onmicrosoft.com"
  ms_domainkey2         = "selector2-0000000._domainkey.0000000.onmicrosoft.com"
  github_verification_record = "000000000000"
  github_org_name            = "Lupus-Metallum"
  stripe_domainkey1          = "000000000000"
  stripe_domainkey2          = "000000000000"
  stripe_domainkey3          = "000000000000"
  stripe_domainkey4          = "000000000000"
  stripe_domainkey5          = "000000000000"
  stripe_domainkey6          = "000000000000"
  stripe_bounce              = true
  atlassian_cloud_dkim       = true
}

Providers

Name Version
aws n/a

Resources

Name Type
aws_route53_hosted_zone_dnssec.this resource
aws_route53_key_signing_key.this resource
aws_route53_record.atlassian_cloud_bounce resource
aws_route53_record.atlassian_cloud_fallback_dkim resource
aws_route53_record.atlassian_cloud_primary_dkim resource
aws_route53_record.caa_this resource
aws_route53_record.dmarc_this resource
aws_route53_record.github_this resource
aws_route53_record.mx_this resource
aws_route53_record.o365_domainkey_this resource
aws_route53_record.o365_domainkey_this2 resource
aws_route53_record.outlook_autodiscover_this resource
aws_route53_record.protonmail2_domainkey_this resource
aws_route53_record.protonmail3_domainkey_this resource
aws_route53_record.protonmail_domainkey_this resource
aws_route53_record.stripe_bounce_this resource
aws_route53_record.stripe_domainkey1_this resource
aws_route53_record.stripe_domainkey2_this resource
aws_route53_record.stripe_domainkey3_this resource
aws_route53_record.stripe_domainkey4_this resource
aws_route53_record.stripe_domainkey5_this resource
aws_route53_record.stripe_domainkey6_this resource
aws_route53_record.this resource
aws_route53_record.txt_this resource
aws_route53_zone.this resource

Inputs

Name Description Type Default Required
domain_name The name/fqdn of the Route53 Zone. string n/a yes
atlassian_cloud_bounce Should we create the Atlassian Cloud bounce cname record bool false no
atlassian_cloud_fallback_dkim Should we create the Atlassian Cloud DKIM fallback cname record string "" no
atlassian_cloud_primary_dkim Should we create the Atlassian Cloud DKIM primary cname record string "" no
caa_record Should we add a Certificate Authority Authorization Record for commonly used CA's?
object({
aws = optional(bool, false),
lets_encrypt = optional(bool, false)
})
{} no
dmarc_value Values to put in the root/apex dmarc record of the zone? list(string) [] no
dnssec Should DNSSEC be enabled for this domain bool true no
github_org_name Name of the GitHub org to add the record for? string "" no
github_verification_record Value of the GitHub verification record? string "" no
kms_key_arn The arn of the KMS key to sign this zone with. string "" no
ms_domainkey Value to use for the first Microsoft 365 DKIM CNAME Record, this is given in the https://security.microsoft.com/dkimv2 setup page. string "" no
ms_domainkey2 Value to use for the second Microsoft 365 DKIM CNAME Record, this is given in the https://security.microsoft.com/dkimv2 setup page. string "" no
outlook_autodiscover Should we create the autodiscover CNAME record that points to autodiscover.outlook.com? bool false no
protonmail2_domainkey Value to use for the second Protonmail DKIM CNAME Record, this is given in the custom domain setup page. string "" no
protonmail3_domainkey Value to use for the third Protonmail DKIM CNAME Record, this is given in the custom domain setup page string "" no
protonmail_domainkey Value to use for the first Protonmail DKIM CNAME Record, this is given in the custom domain setup page. string "" no
root_mx Values to put in the root/apex MX record of the zone? list(string) [] no
root_txt Values to put in the root/apex TXT of the zone? list(string) [] no
signing_key_name The name to use for the DNSSEC signing key, must be alphanumeric only, no -, _, or spaces. string "DefaultSigningKey" no
stripe_bounce Should we create the Stripe boune cname record bool false no
stripe_domainkey1 Value to use for the first Stripe DKIM CNAME Record, this is given in the custom domain setup page. This should be the auto-generated text prior to '._domainkey.example.com' string "" no
stripe_domainkey2 Value to use for the second Stripe DKIM CNAME Record, this is given in the custom domain setup page. This should be the auto-generated text prior to '._domainkey.example.com' string "" no
stripe_domainkey3 Value to use for the third Stripe DKIM CNAME Record, this is given in the custom domain setup page. This should be the auto-generated text prior to '._domainkey.example.com' string "" no
stripe_domainkey4 Value to use for the fourth Stripe DKIM CNAME Record, this is given in the custom domain setup page. This should be the auto-generated text prior to '._domainkey.example.com' string "" no
stripe_domainkey5 Value to use for the fifth Stripe DKIM CNAME Record, this is given in the custom domain setup page. This should be the auto-generated text prior to '._domainkey.example.com' string "" no
stripe_domainkey6 Value to use for the sixth Stripe DKIM CNAME Record, this is given in the custom domain setup page. This should be the auto-generated text prior to '._domainkey.example.com' string "" no
tags Tags to apply to tag-able resources map(string) {} no
ttl The value to use in seconds for TTL of the DS records number 300 no

Outputs

Name Description
name n/a
name_servers n/a
zone_id n/a