Adding additional CAAs
skyfox675 committed Oct 11, 2024
1 parent 1ea5084 commit d18b703
Showing 3 changed files with 78 additions and 37 deletions.
11 changes: 8 additions & 3 deletions README.md
@@ -1,7 +1,9 @@
# terraform-aws-r53-zone

TF Module for creating a R53 zone with DNSSEC, should be used in conjunction with lupus-metallum/dnssec-kms to create a key. This can be looped for unique keys per zone if desired. If a var.kms_key_arn is not specified, a zone with be created without DNSSEC.

## Example

``` Terraform
module "dnssec_key" {
source = "Lupus-Metallum/dnssec-kms/aws"
Expand All @@ -12,11 +14,14 @@ module "dnssec_key" {
module "r53_zone_example_net" {
source = "Lupus-Metallum/r53-zone/aws"
version = "1.2.1"
version = "1.7.0"
domain_name = "example.net"
dnssec = true
amazon_caa_record = true
caa_record = {
aws = true
lets_encrypt = true
}
outlook_autodiscover = true
kms_key_arn = module.dnssec_key.key_arn
signing_key_name = "ExampleDefaultKey"
Expand Down Expand Up @@ -95,10 +100,10 @@ module "r53_zone_example_net" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The name/fqdn of the Route53 Zone. | `string` | n/a | yes |
| <a name="input_amazon_caa_record"></a> [amazon\_caa\_record](#input\_amazon\_caa\_record) | Should we add a Certificate Authority Authorization Record for Amazon CA's? | `bool` | `true` | no |
| <a name="input_atlassian_cloud_bounce"></a> [atlassian\_cloud\_bounce](#input\_atlassian\_cloud\_bounce) | Should we create the Atlassian Cloud bounce cname record | `bool` | `false` | no |
| <a name="input_atlassian_cloud_fallback_dkim"></a> [atlassian\_cloud\_fallback\_dkim](#input\_atlassian\_cloud\_fallback\_dkim) | Should we create the Atlassian Cloud DKIM fallback cname record | `string` | `""` | no |
| <a name="input_atlassian_cloud_primary_dkim"></a> [atlassian\_cloud\_primary\_dkim](#input\_atlassian\_cloud\_primary\_dkim) | Should we create the Atlassian Cloud DKIM primary cname record | `string` | `""` | no |
| <a name="input_caa_record"></a> [caa\_record](#input\_caa\_record) | Should we add a Certificate Authority Authorization Record for commonly used CA's? | <pre>object({<br> aws = optional(bool, false),<br> lets_encrypt = optional(bool, false)<br> })</pre> | `{}` | no |
| <a name="input_dmarc_value"></a> [dmarc\_value](#input\_dmarc\_value) | Values to put in the root/apex dmarc record of the zone? | `list(string)` | `[]` | no |
| <a name="input_dnssec"></a> [dnssec](#input\_dnssec) | Should DNSSEC be enabled for this domain | `bool` | `true` | no |
| <a name="input_github_org_name"></a> [github\_org\_name](#input\_github\_org\_name) | Name of the GitHub org to add the record for? | `string` | `""` | no |
93 changes: 63 additions & 30 deletions main.tf
Expand Up @@ -4,19 +4,26 @@ resource "aws_route53_zone" "this" {
}

resource "aws_route53_key_signing_key" "this" {
count = var.dnssec == true ? 1 : 0
count = var.dnssec == true ? 1 : 0

hosted_zone_id = aws_route53_zone.this.id
key_management_service_arn = var.kms_key_arn
name = var.signing_key_name
}

resource "aws_route53_hosted_zone_dnssec" "this" {
count = var.dnssec == true ? 1 : 0
count = var.dnssec == true ? 1 : 0

hosted_zone_id = aws_route53_key_signing_key.this[0].hosted_zone_id

depends_on = [
aws_route53_key_signing_key.example
]
}

resource "aws_route53_record" "this" {
count = var.dnssec == true ? 1 : 0
count = var.dnssec == true ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "@.${aws_route53_zone.this.name}"
type = "DS"
Expand All @@ -26,7 +33,8 @@ resource "aws_route53_record" "this" {
}

resource "aws_route53_record" "txt_this" {
count = length(var.root_txt) > 0 ? 1 : 0
count = length(var.root_txt) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = aws_route53_zone.this.name
type = "TXT"
Expand All @@ -36,7 +44,8 @@ resource "aws_route53_record" "txt_this" {
}

resource "aws_route53_record" "mx_this" {
count = length(var.root_mx) > 0 ? 1 : 0
count = length(var.root_mx) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = aws_route53_zone.this.name
type = "MX"
Expand All @@ -46,7 +55,8 @@ resource "aws_route53_record" "mx_this" {
}

resource "aws_route53_record" "dmarc_this" {
count = length(var.dmarc_value) > 0 ? 1 : 0
count = length(var.dmarc_value) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "_dmarc.${aws_route53_zone.this.name}"
type = "TXT"
Expand All @@ -55,21 +65,28 @@ resource "aws_route53_record" "dmarc_this" {
}

resource "aws_route53_record" "caa_this" {
count = var.amazon_caa_record == true ? 1 : 0
count = var.caa_record != {} ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = aws_route53_zone.this.name
type = "CAA"
ttl = var.ttl
records = [
"0 issue \"amazon.com\"",
"0 issue \"amazonaws.com\"",
"0 issue \"amazontrust.com\"",
"0 issue \"awstrust.com\""
]
records = flatten(
var.caa_record.aws == true ? [
"0 issue \"amazon.com\"",
"0 issue \"amazonaws.com\"",
"0 issue \"amazontrust.com\"",
"0 issue \"awstrust.com\""
] : [],
var.caa_record.lets_encrypt == true ? [
"0 issue \"letsencrypt.org\""
] : []
)
}

resource "aws_route53_record" "outlook_autodiscover_this" {
count = var.outlook_autodiscover == true ? 1 : 0
count = var.outlook_autodiscover == true ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "autodiscover.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -80,7 +97,8 @@ resource "aws_route53_record" "outlook_autodiscover_this" {
}

resource "aws_route53_record" "github_this" {
count = var.github_verification_record != "" && var.github_org_name != "" ? 1 : 0
count = var.github_verification_record != "" && var.github_org_name != "" ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "_github-challenge-${var.github_org_name}.${aws_route53_zone.this.name}"
type = "TXT"
Expand All @@ -91,7 +109,8 @@ resource "aws_route53_record" "github_this" {
}

resource "aws_route53_record" "protonmail_domainkey_this" {
count = length(var.protonmail_domainkey) > 0 ? 1 : 0
count = length(var.protonmail_domainkey) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "protonmail._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -100,7 +119,8 @@ resource "aws_route53_record" "protonmail_domainkey_this" {
records = [var.protonmail_domainkey]
}
resource "aws_route53_record" "protonmail2_domainkey_this" {
count = length(var.protonmail2_domainkey) > 0 ? 1 : 0
count = length(var.protonmail2_domainkey) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "protonmail2._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -109,7 +129,8 @@ resource "aws_route53_record" "protonmail2_domainkey_this" {
records = [var.protonmail2_domainkey]
}
resource "aws_route53_record" "protonmail3_domainkey_this" {
count = length(var.protonmail3_domainkey) > 0 ? 1 : 0
count = length(var.protonmail3_domainkey) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "protonmail3._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -118,7 +139,8 @@ resource "aws_route53_record" "protonmail3_domainkey_this" {
records = [var.protonmail3_domainkey]
}
resource "aws_route53_record" "stripe_domainkey1_this" {
count = length(var.stripe_domainkey1) > 0 ? 1 : 0
count = length(var.stripe_domainkey1) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "${var.stripe_domainkey1}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -127,7 +149,8 @@ resource "aws_route53_record" "stripe_domainkey1_this" {
records = ["${var.stripe_domainkey1}.dkim.custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "stripe_domainkey2_this" {
count = length(var.stripe_domainkey2) > 0 ? 1 : 0
count = length(var.stripe_domainkey2) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "${var.stripe_domainkey2}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -136,7 +159,8 @@ resource "aws_route53_record" "stripe_domainkey2_this" {
records = ["${var.stripe_domainkey2}.dkim.custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "stripe_domainkey3_this" {
count = length(var.stripe_domainkey3) > 0 ? 1 : 0
count = length(var.stripe_domainkey3) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "${var.stripe_domainkey3}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -145,7 +169,8 @@ resource "aws_route53_record" "stripe_domainkey3_this" {
records = ["${var.stripe_domainkey3}.dkim.custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "stripe_domainkey4_this" {
count = length(var.stripe_domainkey4) > 0 ? 1 : 0
count = length(var.stripe_domainkey4) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "${var.stripe_domainkey4}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -154,7 +179,8 @@ resource "aws_route53_record" "stripe_domainkey4_this" {
records = ["${var.stripe_domainkey4}.dkim.custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "stripe_domainkey5_this" {
count = length(var.stripe_domainkey5) > 0 ? 1 : 0
count = length(var.stripe_domainkey5) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "${var.stripe_domainkey5}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -163,7 +189,8 @@ resource "aws_route53_record" "stripe_domainkey5_this" {
records = ["${var.stripe_domainkey5}.dkim.custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "stripe_domainkey6_this" {
count = length(var.stripe_domainkey6) > 0 ? 1 : 0
count = length(var.stripe_domainkey6) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "${var.stripe_domainkey6}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -172,7 +199,8 @@ resource "aws_route53_record" "stripe_domainkey6_this" {
records = ["${var.stripe_domainkey6}.dkim.custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "stripe_bounce_this" {
count = var.stripe_bounce == true ? 1 : 0
count = var.stripe_bounce == true ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "bounce.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -181,7 +209,8 @@ resource "aws_route53_record" "stripe_bounce_this" {
records = ["custom-email-domain.stripe.com."]
}
resource "aws_route53_record" "o365_domainkey_this" {
count = length(var.ms_domainkey) > 0 ? 1 : 0
count = length(var.ms_domainkey) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "selector1._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -190,7 +219,8 @@ resource "aws_route53_record" "o365_domainkey_this" {
records = [var.ms_domainkey]
}
resource "aws_route53_record" "o365_domainkey_this2" {
count = length(var.ms_domainkey2) > 0 ? 1 : 0
count = length(var.ms_domainkey2) > 0 ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "selector2._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -199,7 +229,8 @@ resource "aws_route53_record" "o365_domainkey_this2" {
records = [var.ms_domainkey2]
}
resource "aws_route53_record" "atlassian_cloud_primary_dkim" {
count = var.atlassian_cloud_primary_dkim != "" ? 1 : 0
count = var.atlassian_cloud_primary_dkim != "" ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "atlassian-${var.atlassian_cloud_primary_dkim}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -208,7 +239,8 @@ resource "aws_route53_record" "atlassian_cloud_primary_dkim" {
records = ["atlassian-${var.atlassian_cloud_primary_dkim}.dkim.atlassian.net."]
}
resource "aws_route53_record" "atlassian_cloud_fallback_dkim" {
count = var.atlassian_cloud_fallback_dkim != "" ? 1 : 0
count = var.atlassian_cloud_fallback_dkim != "" ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "atlassian-${var.atlassian_cloud_fallback_dkim}._domainkey.${aws_route53_zone.this.name}"
type = "CNAME"
Expand All @@ -218,7 +250,8 @@ resource "aws_route53_record" "atlassian_cloud_fallback_dkim" {
}

resource "aws_route53_record" "atlassian_cloud_bounce" {
count = var.atlassian_cloud_bounce == true ? 1 : 0
count = var.atlassian_cloud_bounce == true ? 1 : 0

zone_id = aws_route53_zone.this.zone_id
name = "atlassian-bounces.${aws_route53_zone.this.name}"
type = "CNAME"
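Review bot: In the caa_this hunk, `flatten(` is called with two arguments, but flatten accepts a single list, so this expression will fail at plan time; use `records = concat(` with the same two conditional lists (or wrap both lists in one outer list). The guard `count = var.caa_record != {} ? 1 : 0` also looks always-true once the optional() defaults are filled in, so a caller relying on the default `{}` gets a CAA record with an empty `records` set, which the provider will most likely reject rather than skip; `count = var.caa_record.aws || var.caa_record.lets_encrypt ? 1 : 0` expresses the intent directly. Note that the module then publishes no CAA record by default, where it previously listed the Amazon CAs, which is a security-relevant default change worth stating explicitly in the README and release notes. Separately, in the first hunk the new `depends_on = [aws_route53_key_signing_key.example]` names a resource that, as far as this diff shows, is called `this`, so it is a dangling reference; since `hosted_zone_id` already reads `aws_route53_key_signing_key.this[0]`, the `depends_on` block can simply be removed.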
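--- a/variables.tf
+++ b/variables.tf
@@ -26,10 +26,13 @@ variable "ttl" {
 type = number
 }
 
-variable "amazon_caa_record" {
-description = "Should we add a Certificate Authority Authorization Record for Amazon CA's?"
-default = true
-type = bool
+variable "caa_record" {
+description = "Should we add a Certificate Authority Authorization Record for commonly used CA's?"
+default = {}
+type = object({
+aws = optional(bool, false),
+lets_encrypt = optional(bool, false)
+})
 }
 
 variable "outlook_autodiscover" {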
