Merge pull request #202 from mdr-engineering/feature/ftd_MSOCI-1590_DNSSEC

Adds dnssec module to enable DNSSEC for hosted domains

base/dns/public_dns/README.md

@@ -0,0 +1,15 @@
+# Key Rotation
+
+Keys should be rotated annually.
+
+To do so:
+
+1. Update `dnssec.tf`:. Uncomment the `_#` resources, where `#` is an incremental update, but do not update the `aws_route53_hosted_zone_dnssec` or `aws_route53_record` resources yet.
+1. `terragrunt apply` those resources to create a new KMS key and DNSSEC signing key.
+1. Add the updated Key information as a _second key_ to the domain information in route53: AWS Commercial->MDR Common Sevices->Route 53->Registered Domains->domain->Manage Keys
+1. Wait for confirmation email
+1. Update `dnssec.tf` with the `aws_route53_hosted_zone_dnssec` and `aws_route53_record` updated the latest `#`.
+1. PR and apply.
+
+In 2-7 days, come back and remove the previous `_#` resources. Do future engineers a favor and create a copy just like you had.
+

base/dns/public_dns/dnssec.tf

@@ -0,0 +1,134 @@
+locals {
+  domains_to_secure = toset([ "accenturefederalcyber.net", "xdrtest.accenturefederalcyber.net", "accenturefederalcyber.com", "xdrtest.accenturefederalcyber.com" ]) # for testing
+  #domains_to_secure = var.hosted_public_dns_zones
+}
+
+resource "aws_kms_key" "dnssec" {
+  customer_master_key_spec = "ECC_NIST_P256"
+  deletion_window_in_days  = 30
+  key_usage                = "SIGN_VERIFY"
+  policy = jsonencode({
+    Statement = [
+      {
+        Action = [
+          "kms:DescribeKey",
+          "kms:GetPublicKey",
+          "kms:Sign",
+        ],
+        Effect = "Allow"
+        Principal = {
+          Service = "api-service.dnssec.route53.aws.internal"
+        }
+        Sid = "Route 53 DNSSEC Permissions"
+      },
+      {
+        Action = "kms:*"
+        Effect = "Allow"
+        Principal = {
+          AWS = "*"
+        }
+        Resource = "*"
+        Sid      = "IAM User Permissions"
+      },
+    ]
+    Version = "2012-10-17"
+  })
+}
+
+# For rotation, uncomment the following
+#resource "aws_kms_key" "dnssec_2" {
+#  customer_master_key_spec = "ECC_NIST_P256"
+#  deletion_window_in_days  = 30
+#  key_usage                = "SIGN_VERIFY"
+#  policy = jsonencode({
+#    Statement = [
+#      {
+#        Action = [
+#          "kms:DescribeKey",
+#          "kms:GetPublicKey",
+#          "kms:Sign",
+#        ],
+#        Effect = "Allow"
+#        Principal = {
+#          Service = "api-service.dnssec.route53.aws.internal"
+#        }
+#        Sid = "Route 53 DNSSEC Permissions"
+#      },
+#      {
+#        Action = "kms:*"
+#        Effect = "Allow"
+#        Principal = {
+#          AWS = "*"
+#        }
+#        Resource = "*"
+#        Sid      = "IAM User Permissions"
+#      },
+#    ]
+#    Version = "2012-10-17"
+#  })
+#}
+
+resource "aws_route53_key_signing_key" "dnssec" {
+  for_each = local.domains_to_secure
+  hosted_zone_id             = aws_route53_zone.public[each.value].id
+  key_management_service_arn = aws_kms_key.dnssec.arn
+  name                       = "202105"
+}
+
+# For rotation, uncomment the following
+#resource "aws_route53_key_signing_key" "dnssec_2" {
+#  for_each = local.domains_to_secure
+#  hosted_zone_id             = aws_route53_zone.public[each.value].id
+#  key_management_service_arn = aws_kms_key.dnssec.arn
+#  name                       = "UPDATEME"
+#}
+
+output "public_keys_note" {
+  value = "You must *MANUALLY* add the public keys to the 'registered domains' page on the route53 console."
+}
+
+output "manually_entered_information" {
+  value = { for domain in local.domains_to_secure:
+    domain => {
+      "KeyType": aws_route53_key_signing_key.dnssec[domain].flag,
+      "Algorithm": aws_route53_key_signing_key.dnssec[domain].signing_algorithm_type,
+      "PublicKey": aws_route53_key_signing_key.dnssec[domain].public_key
+      "DS_Record": aws_route53_key_signing_key.dnssec[domain].ds_record
+    }
+  }
+}
+
+# For rotation, uncomment the following
+#output "manually_entered_information_1" {
+#  value = { for domain in local.domains_to_secure:
+#    domain => {
+#      "KeyType": aws_route53_key_signing_key.dnssec_2[domain].flag,
+#      "Algorithm": aws_route53_key_signing_key.dnssec_2[domain].signing_algorithm_type,
+#      "PublicKey": aws_route53_key_signing_key.dnssec_2[domain].public_key
+#      "DS_Record": aws_route53_key_signing_key.dnssec_2[domain].ds_record
+#    }
+#  }
+#}
+
+resource "aws_route53_hosted_zone_dnssec" "dnssec" {
+  for_each = local.domains_to_secure
+  # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
+  hosted_zone_id = aws_route53_key_signing_key.dnssec[each.value].hosted_zone_id
+}
+
+resource "aws_route53_record" "ds" {
+  #for_each = local.domains_with_parents
+  for_each = { 
+    "xdrtest.accenturefederalcyber.net" = "accenturefederalcyber.net",
+    "xdrtest.accenturefederalcyber.com" = "accenturefederalcyber.com",
+  }
+
+  allow_overwrite = true
+  name            = each.key
+  ttl             = 300
+  type            = "DS"
+  zone_id         = aws_route53_zone.public[each.value].id
+
+  # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
+  records = [ aws_route53_key_signing_key.dnssec[each.key].ds_record ]
+}