
Merge pull request #202 from mdr-engineering/feature/ftd_MSOCI-1590_DNSSEC

Adds dnssec module to enable DNSSEC for hosted domains
Frederick Damstra 4 years ago
parent
commit
d1e15a986a
2 changed files with 149 additions and 0 deletions
  1. 15 0
      base/dns/public_dns/README.md
  2. 134 0
      base/dns/public_dns/dnssec.tf

+ 15 - 0
base/dns/public_dns/README.md

@@ -0,0 +1,15 @@
+# Key Rotation
+
+Keys should be rotated annually.
+
+To do so:
+
+1. Update `dnssec.tf`:. Uncomment the `_#` resources, where `#` is an incremental update, but do not update the `aws_route53_hosted_zone_dnssec` or `aws_route53_record` resources yet.
+1. `terragrunt apply` those resources to create a new KMS key and DNSSEC signing key.
+1. Add the updated Key information as a _second key_ to the domain information in route53: AWS Commercial->MDR Common Sevices->Route 53->Registered Domains->domain->Manage Keys
+1. Wait for confirmation email
+1. Update `dnssec.tf` with the `aws_route53_hosted_zone_dnssec` and `aws_route53_record` updated the latest `#`.
+1. PR and apply.
+
+In 2-7 days, come back and remove the previous `_#` resources. Do future engineers a favor and create a copy just like you had.
+

+ 134 - 0
base/dns/public_dns/dnssec.tf

@@ -0,0 +1,134 @@
+locals {
+  domains_to_secure = toset([ "accenturefederalcyber.net", "xdrtest.accenturefederalcyber.net", "accenturefederalcyber.com", "xdrtest.accenturefederalcyber.com" ]) # for testing
+  #domains_to_secure = var.hosted_public_dns_zones
+}
+
+resource "aws_kms_key" "dnssec" {
+  customer_master_key_spec = "ECC_NIST_P256"
+  deletion_window_in_days  = 30
+  key_usage                = "SIGN_VERIFY"
+  policy = jsonencode({
+    Statement = [
+      {
+        Action = [
+          "kms:DescribeKey",
+          "kms:GetPublicKey",
+          "kms:Sign",
+        ],
+        Effect = "Allow"
+        Principal = {
+          Service = "api-service.dnssec.route53.aws.internal"
+        }
+        Sid = "Route 53 DNSSEC Permissions"
+      },
+      {
+        Action = "kms:*"
+        Effect = "Allow"
+        Principal = {
+          AWS = "*"
+        }
+        Resource = "*"
+        Sid      = "IAM User Permissions"
+      },
+    ]
+    Version = "2012-10-17"
+  })
+}
+
+# For rotation, uncomment the following
+#resource "aws_kms_key" "dnssec_2" {
+#  customer_master_key_spec = "ECC_NIST_P256"
+#  deletion_window_in_days  = 30
+#  key_usage                = "SIGN_VERIFY"
+#  policy = jsonencode({
+#    Statement = [
+#      {
+#        Action = [
+#          "kms:DescribeKey",
+#          "kms:GetPublicKey",
+#          "kms:Sign",
+#        ],
+#        Effect = "Allow"
+#        Principal = {
+#          Service = "api-service.dnssec.route53.aws.internal"
+#        }
+#        Sid = "Route 53 DNSSEC Permissions"
+#      },
+#      {
+#        Action = "kms:*"
+#        Effect = "Allow"
+#        Principal = {
+#          AWS = "*"
+#        }
+#        Resource = "*"
+#        Sid      = "IAM User Permissions"
+#      },
+#    ]
+#    Version = "2012-10-17"
+#  })
+#}
+
+resource "aws_route53_key_signing_key" "dnssec" {
+  for_each = local.domains_to_secure
+  hosted_zone_id             = aws_route53_zone.public[each.value].id
+  key_management_service_arn = aws_kms_key.dnssec.arn
+  name                       = "202105"
+}
+
+# For rotation, uncomment the following
+#resource "aws_route53_key_signing_key" "dnssec_2" {
+#  for_each = local.domains_to_secure
+#  hosted_zone_id             = aws_route53_zone.public[each.value].id
+#  key_management_service_arn = aws_kms_key.dnssec.arn
+#  name                       = "UPDATEME"
+#}
+
+output "public_keys_note" {
+  value = "You must *MANUALLY* add the public keys to the 'registered domains' page on the route53 console."
+}
+
+output "manually_entered_information" {
+  value = { for domain in local.domains_to_secure:
+    domain => {
+      "KeyType": aws_route53_key_signing_key.dnssec[domain].flag,
+      "Algorithm": aws_route53_key_signing_key.dnssec[domain].signing_algorithm_type,
+      "PublicKey": aws_route53_key_signing_key.dnssec[domain].public_key
+      "DS_Record": aws_route53_key_signing_key.dnssec[domain].ds_record
+    }
+  }
+}
+
+# For rotation, uncomment the following
+#output "manually_entered_information_1" {
+#  value = { for domain in local.domains_to_secure:
+#    domain => {
+#      "KeyType": aws_route53_key_signing_key.dnssec_2[domain].flag,
+#      "Algorithm": aws_route53_key_signing_key.dnssec_2[domain].signing_algorithm_type,
+#      "PublicKey": aws_route53_key_signing_key.dnssec_2[domain].public_key
+#      "DS_Record": aws_route53_key_signing_key.dnssec_2[domain].ds_record
+#    }
+#  }
+#}
+
+resource "aws_route53_hosted_zone_dnssec" "dnssec" {
+  for_each = local.domains_to_secure
+  # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
+  hosted_zone_id = aws_route53_key_signing_key.dnssec[each.value].hosted_zone_id
+}
+
+resource "aws_route53_record" "ds" {
+  #for_each = local.domains_with_parents
+  for_each = { 
+    "xdrtest.accenturefederalcyber.net" = "accenturefederalcyber.net",
+    "xdrtest.accenturefederalcyber.com" = "accenturefederalcyber.com",
+  }
+
+  allow_overwrite = true
+  name            = each.key
+  ttl             = 300
+  type            = "DS"
+  zone_id         = aws_route53_zone.public[each.value].id
+
+  # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
+  records = [ aws_route53_key_signing_key.dnssec[each.key].ds_record ]
+}
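Review bot: The second statement of the `aws_kms_key.dnssec` policy grants `kms:*` to `Principal = { AWS = "*" }`, which in a KMS key policy means any AWS principal whose own IAM policy allows it, not just this account's users; it should name the owning account instead, e.g. `AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"` with a matching `aws_caller_identity` data source, and the commented `dnssec_2` copy needs the same change. The Route 53 service statement carries no `Resource` element and no `aws:SourceAccount`/`aws:SourceArn` condition, so it is worth checking against the current AWS Route 53 DNSSEC key-policy guidance before the rotation procedure is exercised. The commented `aws_route53_key_signing_key.dnssec_2` template sets `key_management_service_arn = aws_kms_key.dnssec.arn`, so following the rotation comments as written would sign with the old key; it should read `key_management_service_arn = aws_kms_key.dnssec_2.arn`. Finally, `local.domains_to_secure` and the `for_each` map of `aws_route53_record.ds` are hard-coded test values marked "for testing" while the `var.hosted_public_dns_zones` line is commented out, so as merged the module does not secure the zones the variable supplies and `allow_overwrite = true` will clobber any existing DS record at those names.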